Example 1 with SecurityContextToken

Use of org.apache.wss4j.dom.message.token.SecurityContextToken in project cxf by apache.

Class SCTCanceller, method cancelToken.

/**
 * Cancel a Token using the given TokenCancellerParameters.
 */
public TokenCancellerResponse cancelToken(TokenCancellerParameters tokenParameters) {
    LOG.fine("Trying to cancel a SecurityContextToken");
    TokenCancellerResponse response = new TokenCancellerResponse();
    ReceivedToken cancelTarget = tokenParameters.getToken();
    if (tokenParameters.getTokenStore() == null) {
        LOG.log(Level.FINE, "A cache must be configured to use the SCTCanceller");
        return response;
    }
    if (cancelTarget == null) {
        LOG.log(Level.FINE, "Cancel Target is null");
        return response;
    }
    cancelTarget.setState(STATE.NONE);
    response.setToken(cancelTarget);
    if (cancelTarget.isDOMElement()) {
        try {
            Element cancelTargetElement = (Element) cancelTarget.getToken();
            SecurityContextToken sct = new SecurityContextToken(cancelTargetElement);
            String identifier = sct.getIdentifier();
            SecurityToken token = tokenParameters.getTokenStore().getToken(identifier);
            if (token == null) {
                LOG.fine("Identifier: " + identifier + " is not found in the cache");
                return response;
            }
            // Proof of possession: the requester must demonstrate it holds the key bound to
            // this security context; knowing the identifier alone must not be enough to cancel it.
            if (verifyProofOfPossession && !matchKey(tokenParameters, token.getSecret())) {
                throw new STSException("Failed to verify the proof of possession of the key associated with the security context. No matching key found in the request.", STSException.INVALID_REQUEST);
            }
            tokenParameters.getTokenStore().remove(token.getId());
            cancelTarget.setState(STATE.CANCELLED);
            LOG.fine("SecurityContextToken successfully cancelled");
        } catch (WSSecurityException ex) {
            LOG.log(Level.WARNING, "", ex);
        }
    }
    return response;
}
Types used:
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.dom.message.token.SecurityContextToken;
import org.w3c.dom.Element;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.cxf.sts.request.ReceivedToken;

Example 2 with SecurityContextToken

Use of org.apache.wss4j.dom.message.token.SecurityContextToken in project cxf by apache.

Class NegotiationUtils, method parseSCTResult.

/**
 * Return true on successfully parsing a SecurityContextToken result
 */
static boolean parseSCTResult(SoapMessage message) {
    List<WSHandlerResult> results = CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
    if (results == null) {
        // Try Streaming results
        @SuppressWarnings("unchecked") final List<SecurityEvent> incomingEventList = (List<SecurityEvent>) message.getExchange().get(SecurityEvent.class.getName() + ".in");
        if (incomingEventList != null) {
            for (SecurityEvent incomingEvent : incomingEventList) {
                if (WSSecurityEventConstants.SECURITY_CONTEXT_TOKEN == incomingEvent.getSecurityEventType()) {
                    return true;
                }
            }
        }
        return false;
    }
    for (WSHandlerResult rResult : results) {
        List<WSSecurityEngineResult> sctResults = rResult.getActionResults().get(WSConstants.SCT);
        if (sctResults != null) {
            for (WSSecurityEngineResult wser : sctResults) {
                SecurityContextToken tok = (SecurityContextToken) wser.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
                message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getIdentifier());
                SecurityToken token = TokenStoreUtils.getTokenStore(message).getToken(tok.getIdentifier());
                // The SCT is unknown to this endpoint or has expired: re-create the cache entry
                // from the secret that WS-Security processing recovered for it, if there is one.
                if (token == null || token.isExpired()) {
                    byte[] secret = (byte[]) wser.get(WSSecurityEngineResult.TAG_SECRET);
                    if (secret != null) {
                        token = new SecurityToken(tok.getIdentifier());
                        token.setToken(tok.getElement());
                        token.setSecret(secret);
                        token.setTokenType(tok.getTokenType());
                        TokenStoreUtils.getTokenStore(message).add(token);
                    }
                }
                if (token != null) {
                    final SecurityContext sc = token.getSecurityContext();
                    if (sc != null) {
                        message.put(SecurityContext.class, sc);
                    }
                    return true;
                }
            }
        }
    }
    return false;
}
Types used:
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.wss4j.dom.message.token.SecurityContextToken;
import org.apache.cxf.security.SecurityContext;
import java.util.List;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;

Example 3 with SecurityContextToken

Use of org.apache.wss4j.dom.message.token.SecurityContextToken in project cxf by apache.

Class STSInvoker, method findCancelOrRenewToken.

private SecurityToken findCancelOrRenewToken(Exchange exchange, Element el) throws WSSecurityException {
    Element childElement = DOMUtils.getFirstElement(el);
    String uri = "";
    if ("SecurityContextToken".equals(childElement.getLocalName())) {
        SecurityContextToken sct = new SecurityContextToken(childElement);
        uri = sct.getIdentifier();
    } else {
        SecurityTokenReference ref = new SecurityTokenReference(childElement, new BSPEnforcer());
        uri = ref.getReference().getURI();
    }
    // Look the identifier up in the endpoint's token store; a null result means the
    // cancel/renew target was never issued here or has already been removed.
    TokenStore store = (TokenStore) exchange.getEndpoint().getEndpointInfo().getProperty(TokenStore.class.getName());
    return store.getToken(uri);
}
Types used:
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.dom.message.token.SecurityContextToken;
import org.w3c.dom.Element;
import org.apache.wss4j.common.bsp.BSPEnforcer;
import org.apache.cxf.ws.security.tokenstore.TokenStore;

Example 4 with SecurityContextToken

Use of org.apache.wss4j.dom.message.token.SecurityContextToken in project cxf by apache.

Class RequestParser, method fetchTokenElementFromReference.

/**
 * Method to fetch token from the SecurityTokenReference
 */
private static Element fetchTokenElementFromReference(Object targetToken, Map<String, Object> messageContext) {
    // Get the reference URI
    String referenceURI = null;
    if (targetToken instanceof Element) {
        Element tokenElement = (Element) targetToken;
        NodeList refList = tokenElement.getElementsByTagNameNS(STSConstants.WSSE_EXT_04_01, "Reference");
        if (refList.getLength() == 0) {
            throw new STSException("Cannot find Reference element in the SecurityTokenReference.", STSException.REQUEST_FAILED);
        }
        referenceURI = refList.item(0).getNodeValue();
    } else if (targetToken instanceof SecurityTokenReferenceType) {
        Iterator<?> iterator = ((SecurityTokenReferenceType) targetToken).getAny().iterator();
        while (iterator.hasNext()) {
            JAXBElement<?> jaxbElement = (JAXBElement<?>) iterator.next();
            if (jaxbElement.getValue() instanceof ReferenceType) {
                referenceURI = ((ReferenceType) jaxbElement.getValue()).getURI();
            }
        }
    }
    if (LOG.isLoggable(Level.FINE)) {
        LOG.fine("Reference URI found " + referenceURI);
    }
    if (referenceURI == null) {
        LOG.log(Level.WARNING, "No Reference URI was received");
        throw new STSException("An unknown element was received", STSException.BAD_REQUEST);
    }
    // Find the processed token corresponding to the URI (strip the leading '#' of a local reference)
    referenceURI = XMLUtils.getIDFromReference(referenceURI);
    final List<WSHandlerResult> handlerResults = CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS));
    if (handlerResults != null && !handlerResults.isEmpty()) {
        WSHandlerResult handlerResult = handlerResults.get(0);
        List<WSSecurityEngineResult> engineResults = handlerResult.getResults();
        for (WSSecurityEngineResult engineResult : engineResults) {
            Integer actInt = (Integer) engineResult.get(WSSecurityEngineResult.TAG_ACTION);
            String id = (String) engineResult.get(WSSecurityEngineResult.TAG_ID);
            if (referenceURI.equals(id)) {
                Element tokenElement = (Element) engineResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
                if (tokenElement == null) {
                    throw new STSException("Cannot retrieve token from reference", STSException.INVALID_REQUEST);
                }
                return tokenElement;
            } else if (actInt == WSConstants.SCT) {
                // Need to check special case of SecurityContextToken Identifier separately
                SecurityContextToken sct = (SecurityContextToken) engineResult.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
                if (referenceURI.equals(sct.getIdentifier())) {
                    return sct.getElement();
                }
            }
        }
    }
    throw new STSException("Cannot retrieve token from reference", STSException.REQUEST_FAILED);
}
Types used:
import javax.xml.bind.JAXBElement;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.cxf.ws.security.sts.provider.model.secext.SecurityTokenReferenceType;
import org.apache.cxf.ws.security.sts.provider.model.secext.ReferenceType;
import org.apache.wss4j.dom.message.token.SecurityContextToken;
import java.util.Iterator;

Example 5 with SecurityContextToken

Use of org.apache.wss4j.dom.message.token.SecurityContextToken in project cxf by apache.

Class SCTProvider, method createToken.

/**
 * Create a token given a TokenProviderParameters
 */
public TokenProviderResponse createToken(TokenProviderParameters tokenParameters) {
    TokenRequirements tokenRequirements = tokenParameters.getTokenRequirements();
    if (LOG.isLoggable(Level.FINE)) {
        LOG.fine("Handling token of type: " + tokenRequirements.getTokenType());
    }
    if (tokenParameters.getTokenStore() == null) {
        LOG.log(Level.FINE, "A cache must be configured to use the SCTProvider");
        throw new STSException("Can't serialize SCT", STSException.REQUEST_FAILED);
    }
    SymmetricKeyHandler keyHandler = new SymmetricKeyHandler(tokenParameters);
    keyHandler.createSymmetricKey();
    try {
        Document doc = DOMUtils.getEmptyDocument();
        SecurityContextToken sct = new SecurityContextToken(getWSCVersion(tokenRequirements.getTokenType()), doc);
        WSSConfig wssConfig = WSSConfig.getNewInstance();
        sct.setID(wssConfig.getIdAllocator().createId("sctId-", sct));
        TokenProviderResponse response = new TokenProviderResponse();
        response.setTokenId(sct.getIdentifier());
        if (returnEntropy) {
            response.setEntropy(keyHandler.getEntropyBytes());
        }
        long keySize = keyHandler.getKeySize();
        response.setKeySize(keySize);
        response.setComputedKey(keyHandler.isComputedKey());
        // Record creation time and, when a positive lifetime is configured, an expiry;
        // with lifetime <= 0 the cached token never expires.
        Instant created = Instant.now();
        response.setCreated(created);
        Instant expires = null;
        if (lifetime > 0) {
            expires = created.plusSeconds(lifetime);
            response.setExpires(expires);
        }
        SecurityToken token = new SecurityToken(sct.getIdentifier(), created, expires);
        token.setSecret(keyHandler.getSecret());
        token.setPrincipal(tokenParameters.getPrincipal());
        Map<String, Object> props = token.getProperties();
        if (props == null) {
            props = new HashMap<>();
        }
        token.setProperties(props);
        if (tokenParameters.getRealm() != null) {
            props.put(STSConstants.TOKEN_REALM, tokenParameters.getRealm());
        }
        // Handle Renewing logic: honour the client's Renewing element if present; otherwise
        // default to allowing renewal, but not renewal of an already expired token.
        Renewing renewing = tokenParameters.getTokenRequirements().getRenewing();
        if (renewing != null) {
            props.put(STSConstants.TOKEN_RENEWING_ALLOW, String.valueOf(renewing.isAllowRenewing()));
            props.put(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, String.valueOf(renewing.isAllowRenewingAfterExpiry()));
        } else {
            props.put(STSConstants.TOKEN_RENEWING_ALLOW, "true");
            props.put(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY, "false");
        }
        // Cache the secret key together with the token metadata
        tokenParameters.getTokenStore().add(token);
        if (tokenParameters.isEncryptToken()) {
            Element el = TokenProviderUtils.encryptToken(sct.getElement(), response.getTokenId(), tokenParameters.getStsProperties(), tokenParameters.getEncryptionProperties(), tokenParameters.getKeyRequirements(), tokenParameters.getMessageContext());
            response.setToken(el);
        } else {
            response.setToken(sct.getElement());
        }
        // Create the references
        TokenReference attachedReference = new TokenReference();
        attachedReference.setIdentifier(sct.getID());
        attachedReference.setUseDirectReference(true);
        attachedReference.setWsseValueType(tokenRequirements.getTokenType());
        response.setAttachedReference(attachedReference);
        TokenReference unAttachedReference = new TokenReference();
        unAttachedReference.setIdentifier(sct.getIdentifier());
        unAttachedReference.setUseDirectReference(true);
        unAttachedReference.setWsseValueType(tokenRequirements.getTokenType());
        response.setUnattachedReference(unAttachedReference);
        LOG.fine("SecurityContextToken successfully created");
        return response;
    } catch (Exception e) {
        LOG.log(Level.WARNING, "", e);
        throw new STSException("Can't serialize SCT", e, STSException.REQUEST_FAILED);
    }
}
Types used:
import org.apache.cxf.sts.request.Renewing;
import java.time.Instant;
import org.w3c.dom.Element;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.w3c.dom.Document;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.sts.request.TokenRequirements;
import org.apache.wss4j.dom.message.token.SecurityContextToken;
import org.apache.wss4j.dom.engine.WSSConfig;
