
Example 16 with SubjectBean

use of org.apache.wss4j.common.saml.bean.SubjectBean in project cxf by apache.

the class SAML1CallbackHandler method handle.

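/**
 * Services the SAML callbacks issued by the SAML assertion builder.
 *
 * <p>For every {@link SAMLCallback} this sets a fixed issuer and SAML 1.1,
 * builds the subject (embedding KeyInfo for holder-of-key confirmation),
 * adds the statement via {@code createAndSetStatement}, and configures the
 * crypto, key alias and key password used to sign the assertion.
 *
 * @param callbacks the callbacks to service; every element must be a {@link SAMLCallback}
 * @throws IOException if the KeyInfo or the issuer {@link Crypto} cannot be created
 * @throws UnsupportedCallbackException if a callback of any other type is encountered
 */
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (Callback cb : callbacks) {
        if (!(cb instanceof SAMLCallback)) {
            throw new UnsupportedCallbackException(cb, "Unrecognized Callback");
        }
        SAMLCallback callback = (SAMLCallback) cb;
        callback.setIssuer("www.example.com");
        callback.setSamlVersion(Version.SAML_11);
        SubjectBean subjectBean = new SubjectBean(subjectName, subjectQualifier, confirmationMethod);
        // Holder-of-key confirmation only works if the subject's key is carried in the assertion
        if (SAML1Constants.CONF_HOLDER_KEY.equals(confirmationMethod)) {
            try {
                subjectBean.setKeyInfo(createKeyInfo());
            } catch (Exception ex) {
                // Keep the original exception as the cause; previously only its message survived,
                // which threw away the stack trace needed to diagnose key-material problems.
                throw new IOException("Problem creating KeyInfo: " + ex.getMessage(), ex);
            }
        }
        createAndSetStatement(subjectBean, callback);
        try {
            // NOTE: the alias and key password below are test-fixture values. Signing-key
            // credentials must never be hard-coded like this in production code.
            Crypto crypto = CryptoFactory.getInstance("outsecurity.properties");
            callback.setIssuerCrypto(crypto);
            callback.setIssuerKeyName("myalias");
            callback.setIssuerKeyPassword("myAliasPassword");
            callback.setSignAssertion(signAssertion);
        } catch (WSSecurityException e) {
            throw new IOException(e);
        }
    }
}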

Example 17 with SubjectBean

use of org.apache.wss4j.common.saml.bean.SubjectBean in project cxf by apache.

the class SAMLTokenProvider method createCallbackHandler.

/**
 * Builds the {@link SamlCallbackHandler} that will drive assertion creation for one request.
 *
 * <p>Statements are gathered from the configured attribute, authentication and
 * authentication-decision providers. If none of them returns a statement, a default
 * attribute statement is derived from the claims (or a fixed default), and an "ActAs"
 * attribute statement is appended when present. The subject and conditions are then
 * obtained from the configured providers and everything is set on the handler.
 *
 * @param tokenParameters the request context passed to every provider
 * @param secret          the secret (if any) made available to the subject provider
 * @param samlRealm       the realm whose issuer name is used; may be null, in which case
 *                        no issuer is set on the handler here
 * @param doc             the DOM document handed to the subject provider
 * @return a fully populated callback handler
 * @throws Exception propagated from any provider
 */
public SamlCallbackHandler createCallbackHandler(TokenProviderParameters tokenParameters, byte[] secret, RealmProperties samlRealm, Document doc) throws Exception {
    boolean statementAdded = false;
    // Parse the AttributeStatements
    // Each list stays null when its provider list is null/empty, so that the handler
    // receives null rather than an empty list in that case.
    List<AttributeStatementBean> attrBeanList = null;
    if (attributeStatementProviders != null && !attributeStatementProviders.isEmpty()) {
        attrBeanList = new ArrayList<>();
        for (AttributeStatementProvider statementProvider : attributeStatementProviders) {
            AttributeStatementBean statementBean = statementProvider.getStatement(tokenParameters);
            if (statementBean != null) {
                if (LOG.isLoggable(Level.FINE)) {
                    // NOTE(review): toString() of the bean is logged at FINE. Depending on the
                    // provider this may include claim/attribute values (potentially PII) —
                    // confirm log handling before enabling FINE in production.
                    LOG.fine("AttributeStatements " + statementBean.toString() + " returned by AttributeStatementProvider " + statementProvider.getClass().getName());
                }
                attrBeanList.add(statementBean);
                statementAdded = true;
            }
        }
    }
    // Parse the AuthenticationStatements
    List<AuthenticationStatementBean> authBeanList = null;
    if (authenticationStatementProviders != null && !authenticationStatementProviders.isEmpty()) {
        authBeanList = new ArrayList<>();
        for (AuthenticationStatementProvider statementProvider : authenticationStatementProviders) {
            AuthenticationStatementBean statementBean = statementProvider.getStatement(tokenParameters);
            if (statementBean != null) {
                if (LOG.isLoggable(Level.FINE)) {
                    LOG.fine("AuthenticationStatement " + statementBean.toString() + " returned by AuthenticationStatementProvider " + statementProvider.getClass().getName());
                }
                authBeanList.add(statementBean);
                statementAdded = true;
            }
        }
    }
    // Parse the AuthDecisionStatements
    List<AuthDecisionStatementBean> authDecisionBeanList = null;
    if (authDecisionStatementProviders != null && !authDecisionStatementProviders.isEmpty()) {
        authDecisionBeanList = new ArrayList<>();
        for (AuthDecisionStatementProvider statementProvider : authDecisionStatementProviders) {
            AuthDecisionStatementBean statementBean = statementProvider.getStatement(tokenParameters);
            if (statementBean != null) {
                if (LOG.isLoggable(Level.FINE)) {
                    LOG.fine("AuthDecisionStatement " + statementBean.toString() + " returned by AuthDecisionStatementProvider " + statementProvider.getClass().getName());
                }
                authDecisionBeanList.add(statementBean);
                statementAdded = true;
            }
        }
    }
    // Also handle "ActAs" via the ActAsAttributeStatementProvider
    // Fallback path: nothing was produced by any configured provider, so build the
    // attribute statement from claims. Note this replaces attrBeanList even if the
    // attribute provider list was non-empty but every provider returned null.
    if (!statementAdded) {
        attrBeanList = new ArrayList<>();
        AttributeStatementProvider attributeProvider;
        if (combineClaimAttributes) {
            attributeProvider = new CombinedClaimsAttributeStatementProvider();
        } else {
            attributeProvider = new ClaimsAttributeStatementProvider();
        }
        AttributeStatementBean attributeBean = attributeProvider.getStatement(tokenParameters);
        if (attributeBean != null && attributeBean.getSamlAttributes() != null && !attributeBean.getSamlAttributes().isEmpty()) {
            attrBeanList.add(attributeBean);
        } else {
            // No claims available: fall back to the default attribute statement, which is
            // added unconditionally (it is not null-checked here).
            attributeProvider = new DefaultAttributeStatementProvider();
            attributeBean = attributeProvider.getStatement(tokenParameters);
            attrBeanList.add(attributeBean);
        }
        // ActAs attributes are only appended when the provider actually produced some
        attributeProvider = new ActAsAttributeStatementProvider();
        attributeBean = attributeProvider.getStatement(tokenParameters);
        if (attributeBean != null && attributeBean.getSamlAttributes() != null && !attributeBean.getSamlAttributes().isEmpty()) {
            attrBeanList.add(attributeBean);
        }
    }
    // Get the Subject and Conditions
    // The subject provider sees the statement lists collected above, so subject
    // confirmation/KeyInfo can depend on them.
    SubjectProviderParameters subjectProviderParameters = new SubjectProviderParameters();
    subjectProviderParameters.setProviderParameters(tokenParameters);
    subjectProviderParameters.setDoc(doc);
    subjectProviderParameters.setSecret(secret);
    subjectProviderParameters.setAttrBeanList(attrBeanList);
    subjectProviderParameters.setAuthBeanList(authBeanList);
    subjectProviderParameters.setAuthDecisionBeanList(authDecisionBeanList);
    SubjectBean subjectBean = subjectProvider.getSubject(subjectProviderParameters);
    ConditionsBean conditionsBean = conditionsProvider.getConditions(tokenParameters);
    // Set all of the beans on the SamlCallbackHandler
    SamlCallbackHandler handler = new SamlCallbackHandler();
    handler.setTokenProviderParameters(tokenParameters);
    handler.setSubjectBean(subjectBean);
    handler.setConditionsBean(conditionsBean);
    handler.setAttributeBeans(attrBeanList);
    handler.setAuthenticationBeans(authBeanList);
    handler.setAuthDecisionStatementBeans(authDecisionBeanList);
    // Issuer comes from the realm only; with no realm the handler's issuer is left unset here
    if (samlRealm != null) {
        handler.setIssuer(samlRealm.getIssuer());
    }
    return handler;
}

Example 18 with SubjectBean

use of org.apache.wss4j.common.saml.bean.SubjectBean in project cxf by apache.

the class DefaultSubjectProvider method getSubject.

/**
 * Builds the SubjectBean for the current request: resolve the principal, turn it
 * into a subject, then attach the KeyInfo produced for the request.
 *
 * @param subjectProviderParameters request context used to resolve the principal
 *        and the key material
 * @return the populated SubjectBean
 * @throws STSException with {@code REQUEST_FAILED} when no principal can be resolved
 */
public SubjectBean getSubject(SubjectProviderParameters subjectProviderParameters) {
    final Principal principal = getPrincipal(subjectProviderParameters);
    if (principal == null) {
        // A token can never be issued without an authenticated principal
        final String msg = "Error in getting principal";
        LOG.fine(msg);
        throw new STSException(msg, STSException.REQUEST_FAILED);
    }
    final SubjectBean subject = createSubjectBean(principal, subjectProviderParameters);
    subject.setKeyInfo(createKeyInfo(subjectProviderParameters));
    return subject;
}

Example 19 with SubjectBean

use of org.apache.wss4j.common.saml.bean.SubjectBean in project cxf by apache.

the class DefaultSubjectProvider method createSubjectBean.

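/**
 * Create the SubjectBean using the specified principal.
 *
 * <p>The subject name is the principal's name, except that for an {@link X500Principal}
 * combined with the "unspecified" NameID format only the CN RDN is used. When the
 * configured NameID format is anything other than "unspecified", the format is
 * derived from the principal type instead.
 *
 * @param principal the authenticated principal the assertion is issued for
 * @param subjectProviderParameters carries the token and key requirements used to
 *        choose the subject confirmation method
 * @return a SubjectBean with name, name qualifier, confirmation method and NameID format set
 */
protected SubjectBean createSubjectBean(Principal principal, SubjectProviderParameters subjectProviderParameters) {
    TokenProviderParameters providerParameters = subjectProviderParameters.getProviderParameters();
    TokenRequirements tokenRequirements = providerParameters.getTokenRequirements();
    KeyRequirements keyRequirements = providerParameters.getKeyRequirements();
    String tokenType = tokenRequirements.getTokenType();
    String keyType = keyRequirements.getKeyType();
    String confirmationMethod = getSubjectConfirmationMethod(tokenType, keyType);
    String subjectName = principal.getName();
    String localSubjectNameIDFormat = subjectNameIDFormat;
    if (SAML2Constants.NAMEID_FORMAT_UNSPECIFIED.equals(localSubjectNameIDFormat) && principal instanceof X500Principal) {
        // Just use the "cn" instead of the entire DN.
        // NOTE(review): reducing a DN to its CN means certificates that differ only in
        // O/OU/C but share a CN map to the same SAML subject name; relying parties should
        // not treat this name as unique unless the issuing CA guarantees CN uniqueness.
        try {
            LdapName ln = new LdapName(principal.getName());
            for (Rdn rdn : ln.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType()) && (rdn.getValue() instanceof String)) {
                    subjectName = (String) rdn.getValue();
                    break;
                }
            }
        } catch (javax.naming.InvalidNameException ex) {
            // Not a parseable RFC 2253 DN: use the whole name as the value. Only the parse
            // failure is caught; the former catch (Throwable) also swallowed Errors (e.g. OOM).
            subjectName = principal.getName();
        }
    } else if (!SAML2Constants.NAMEID_FORMAT_UNSPECIFIED.equals(localSubjectNameIDFormat)) {
        /* Set subjectNameIDFormat correctly based on type of principal
                unless already set to some value other than unspecified */
        // NOTE(review): contrary to the comment above, this branch runs whenever the
        // configured format is NOT "unspecified" (including null), so a configured
        // format is overridden for these principal types — confirm this is intended.
        if (principal instanceof UsernameTokenPrincipal) {
            localSubjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_PERSISTENT;
        } else if (principal instanceof X500Principal) {
            localSubjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_X509_SUBJECT_NAME;
        } else if (principal instanceof KerberosPrincipal) {
            localSubjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_KERBEROS;
        } else if (localSubjectNameIDFormat == null) {
            localSubjectNameIDFormat = SAML2Constants.NAMEID_FORMAT_UNSPECIFIED;
        }
    }
    SubjectBean subjectBean = new SubjectBean(subjectName, subjectNameQualifier, confirmationMethod);
    if (LOG.isLoggable(Level.FINE)) {
        LOG.fine("Creating new subject with principal name: " + principal.getName());
    }
    subjectBean.setSubjectNameIDFormat(localSubjectNameIDFormat);
    return subjectBean;
}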

Example 20 with SubjectBean

use of org.apache.wss4j.common.saml.bean.SubjectBean in project cxf by apache.

the class CustomSubjectProvider method getSubject.

/**
 * Builds a SubjectBean whose name is the caller's principal name and whose
 * confirmation method is derived from the requested token and key types.
 *
 * @param subjectProviderParameters wraps the TokenProviderParameters of this request
 * @return a new SubjectBean; no KeyInfo is attached by this provider
 */
public SubjectBean getSubject(SubjectProviderParameters subjectProviderParameters) {
    final TokenProviderParameters params = subjectProviderParameters.getProviderParameters();
    final TokenRequirements tokenReqs = params.getTokenRequirements();
    final KeyRequirements keyReqs = params.getKeyRequirements();
    final String requestedTokenType = tokenReqs.getTokenType();
    final String requestedKeyType = keyReqs.getKeyType();
    final String confirmation = getSubjectConfirmationMethod(requestedTokenType, requestedKeyType);
    // The principal name is used verbatim as the SAML subject name
    final Principal caller = params.getPrincipal();
    return new SubjectBean(caller.getName(), subjectNameQualifier, confirmation);
}
