Example 1 with WSSecurityException

Use of org.apache.ws.security.WSSecurityException in project OpenAM by OpenRock.

The class SoapSTSInstanceModule, method processSecurityPolicyTokenValidatorConfiguration.

/*
 * This method plugs in the set of TokenValidators for the SupportingTokens specified in the SecurityPolicy bindings
 * of this sts instance. These configurations are achieved by plugging in object instances corresponding to
 * specific keys in the webServicesProperties map.
 * Note that the set of TokenValidators plugged in to handle the authN of the SupportingTokens defined in any SecurityPolicy
 * bindings is determined by SoapSTSInstanceConfig#getSecurityPolicyValidatedTokenConfiguration. Note however that the
 * cxf/wss4j support for plugging in custom assertions requires that the context validating the OpenAM session tokens
 * be plugged in at the bus level, which happens globally for all soap-sts instances in a given realm. See
 * SoapSTSLifecycleImpl#registerCustomPolicyInterceptors for details. This means that the OPENAM tokens are not
 * handled in this method, as they are registered globally.
 */
private void processSecurityPolicyTokenValidatorConfiguration(Map<String, Object> webServiceProperties, WSSValidatorFactory wssValidatorFactory, Logger logger) throws WSSecurityException {
    for (TokenValidationConfig tokenValidationConfig : stsInstanceConfig.getSecurityPolicyValidatedTokenConfiguration()) {
        TokenType tokenType = tokenValidationConfig.getValidatedTokenType();
        switch(tokenType) {
            case USERNAME:
                webServiceProperties.put(SecurityConstants.USERNAME_TOKEN_VALIDATOR, wssValidatorFactory.getValidator(TokenType.USERNAME, ValidationInvocationContext.SOAP_SECURITY_POLICY, tokenValidationConfig.invalidateInterimOpenAMSession()));
                break;
            case X509:
                webServiceProperties.put(SecurityConstants.SIGNATURE_TOKEN_VALIDATOR, wssValidatorFactory.getValidator(TokenType.X509, ValidationInvocationContext.SOAP_SECURITY_POLICY, tokenValidationConfig.invalidateInterimOpenAMSession()));
                break;
            case OPENAM:
                //OPENAM session tokens are handled by the PolicyInterceptors registered with the cxf bus.
                break;
            default:
                String message = "Unexpected TokenType in processSecurityPolicyTokenValidatorConfiguration: " + tokenType;
                logger.error(message);
                throw new WSSecurityException(message);
        }
    }
    /*
     * By default, if the sts did not specify an X500 token in the ValidatedTokenConfiguration, the
     * org.apache.ws.security.validate.SignatureTrustValidator is the default SecurityConstants.SIGNATURE_TOKEN_VALIDATOR
     * Validator instance. If the user does specify x509 tokens as part of the ValidatedTokenConfiguration, the
     * SoapCertificateTokenValidator is plugged in as the SecurityConstants.SIGNATURE_TOKEN_VALIDATOR (in the X509 case above).
     * Note that this class extends the SignatureTrustValidator. It is not clear whether symmetric and asymmetric binding
     * enforcement requires the SignatureTrustValidator. TODO - investigate and determine.
     * See comments in the SoapCertificateTokenValidator for details.
     */
}
Also used: TokenType (org.forgerock.openam.sts.TokenType), WSSecurityException (org.apache.ws.security.WSSecurityException), TokenValidationConfig (org.forgerock.openam.sts.soap.config.user.TokenValidationConfig)

Example 2 with WSSecurityException

Use of org.apache.ws.security.WSSecurityException in project OpenAM by OpenRock.

The class OpenAMSessionTokenServerInterceptor, method validateToken.

/**
 * @param tokenElement the BinarySecurityToken representing the OpenAMSessionToken. The OpenAM session id is the text
 *                     content of this Element.
 * @return a List with a single WSSecurityEngineResult with information concerning the successful validation.
 * @throws WSSecurityException if the OpenAM session cannot be validated successfully.
 */
private List<WSSecurityEngineResult> validateToken(Element tokenElement) throws WSSecurityException {
    final boolean bspCompliant = true;
    final BinarySecurity bst = new BinarySecurity(tokenElement, bspCompliant);
    bst.setValueType(AMSTSConstants.AM_SESSION_TOKEN_ASSERTION_BST_VALUE_TYPE);
    final X509Certificate[] certs = null;
    WSSecurityEngineResult result = new WSSecurityEngineResult(WSConstants.BST, bst, certs);
    try {
        final String sessionId = tokenElement.getTextContent();
        final Principal principal = principalFromSession.getPrincipalFromSession(sessionId);
        // Because we are dealing with an OpenAM session which was not created as part of TokenValidation, but
        // rather pre-existed this validation, it should not be invalidated.
        threadLocalAMTokenCache.cacheSessionIdForContext(ValidationInvocationContext.SOAP_SECURITY_POLICY, sessionId, false);
        result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE);
        result.put(WSSecurityEngineResult.TAG_PRINCIPAL, principal);
    } catch (TokenValidationException e) {
        throw new WSSecurityException(e.getMessage(), e);
    }
    return Collections.singletonList(result);
}
Also used: BinarySecurity (org.apache.ws.security.message.token.BinarySecurity), WSSecurityException (org.apache.ws.security.WSSecurityException), WSSecurityEngineResult (org.apache.ws.security.WSSecurityEngineResult), X509Certificate (java.security.cert.X509Certificate), Principal (java.security.Principal), TokenValidationException (org.forgerock.openam.sts.TokenValidationException)

Example 3 with WSSecurityException

Use of org.apache.ws.security.WSSecurityException in project OpenAM by OpenRock.

The class SoapSTSConsumer, method getSTSClient.

private STSClient getSTSClient(String wsdlAddress, QName serviceQName, QName portQName) throws SoapSTSConsumerException {
    STSClient stsClient = new STSClient(bus);
    if (logMessages) {
        stsClient.getInInterceptors().add(new LoggingInInterceptor());
        stsClient.getOutInterceptors().add(new LoggingOutInterceptor());
    }
    stsClient.setWsdlLocation(wsdlAddress);
    stsClient.setServiceName(serviceQName.toString());
    stsClient.setEndpointName(portQName.toString());
    Map<String, Object> properties = new HashMap<>();
    properties.put(SecurityConstants.USERNAME, usernameTokenSupportingTokenUsername);
    properties.put(SecurityConstants.CALLBACK_HANDLER, callbackHander);
    /*
     * In an asymmetric binding, the client encrypts messages with the sts' public key.
     * Note that this trust (Public Key) keystore entry is not protected by a password, so the SoapSTSConsumerCallbackHandler is
     * not asked to provide the password corresponding to this entry.
     */
    properties.put(SecurityConstants.ENCRYPT_USERNAME, stsPublicKeyAlias);
    Crypto crypto;
    try {
        crypto = CryptoFactory.getInstance(getEncryptionProperties());
    } catch (WSSecurityException e) {
        throw new SoapSTSConsumerException(e.getMessage(), e);
    }
    /*
     * If the requested key is Public, the STS_TOKEN_CRYPTO is used by the STSClient 'to send/process any
     * RSA/DSAKeyValue tokens' - from javadocs
     */
    properties.put(SecurityConstants.STS_TOKEN_CRYPTO, crypto);
    properties.put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
    properties.put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
    stsClient.setProperties(properties);
    return stsClient;
}
Also used: STSClient (org.apache.cxf.ws.security.trust.STSClient), Crypto (org.apache.ws.security.components.crypto.Crypto), HashMap (java.util.HashMap), LoggingOutInterceptor (org.apache.cxf.interceptor.LoggingOutInterceptor), LoggingInInterceptor (org.apache.cxf.interceptor.LoggingInInterceptor), WSSecurityException (org.apache.ws.security.WSSecurityException)

Example 4 with WSSecurityException

Use of org.apache.ws.security.WSSecurityException in project OpenAM by OpenRock.

The class OpenAMWSSUsernameTokenValidator, method verifyPlaintextPassword.

@Override
protected void verifyPlaintextPassword(UsernameToken usernameToken, RequestData data) throws WSSecurityException {
    try {
        final String sessionId = authenticationHandler.authenticate(usernameToken, TokenType.USERNAME);
        threadLocalAMTokenCache.cacheSessionIdForContext(validationInvocationContext, sessionId, invalidateOpenAMSession);
    } catch (TokenValidationException e) {
        String message = "Exception caught authenticating UsernameToken with OpenAM: " + e;
        logger.error(message, e);
        throw new WSSecurityException(message, e);
    }
}
Also used: WSSecurityException (org.apache.ws.security.WSSecurityException), TokenValidationException (org.forgerock.openam.sts.TokenValidationException)

Example 5 with WSSecurityException

Use of org.apache.ws.security.WSSecurityException in project OpenAM by OpenRock.

The class SoapCertificateTokenValidator, method validate.

@Override
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    try {
        final String sessionId = authenticationHandler.authenticate(credential.getCertificates(), TokenType.X509);
        threadLocalAMTokenCache.cacheSessionIdForContext(validationInvocationContext, sessionId, invalidateAMSession);
        return credential;
    } catch (TokenValidationException e) {
        logger.error("Exception caught authenticating X509Certificate with OpenAM: " + e, e);
        throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION, e.getMessage());
    }
}
Also used: WSSecurityException (org.apache.ws.security.WSSecurityException), TokenValidationException (org.forgerock.openam.sts.TokenValidationException)
