
Example 1 with AMSTSRuntimeException

Use of org.forgerock.openam.sts.AMSTSRuntimeException in project OpenAM by OpenRock.

The class SoapOpenIdConnectTokenProvider, method createToken.

@Override
public TokenProviderResponse createToken(TokenProviderParameters tokenProviderParameters) {
    try {
        final TokenProviderResponse tokenProviderResponse = new TokenProviderResponse();
        final SoapTokenProviderBase.AuthenticationContextMapperState mapperState = getAuthenticationContextMapperState(tokenProviderParameters);
        String authNContextClassRef;
        Set<String> authNMethodsReferences;
        final List<WSHandlerResult> securityPolicyBindingTraversalYield = mapperState.getSecurityPolicyBindingTraversalYield();
        if (mapperState.isDelegatedContext()) {
            final ReceivedToken delegatedToken = mapperState.getDelegatedToken();
            authNContextClassRef = authnContextMapper.getAuthnContextForDelegatedToken(securityPolicyBindingTraversalYield, delegatedToken);
            authNMethodsReferences = methodsReferencesMapper.getAuthnMethodsReferencesForDelegatedToken(securityPolicyBindingTraversalYield, delegatedToken);
        } else {
            authNContextClassRef = authnContextMapper.getAuthnContext(securityPolicyBindingTraversalYield);
            authNMethodsReferences = methodsReferencesMapper.getAuthnMethodsReferences(securityPolicyBindingTraversalYield);
        }
        String token;
        try {
            token = getAssertion(getValidationInvocationContext(tokenProviderParameters), authNContextClassRef, authNMethodsReferences, System.currentTimeMillis() / 1000, NULL_NONCE);
            Element tokenElement = buildTokenElement(token);
            tokenProviderResponse.setToken(tokenElement);
            tokenProviderResponse.setTokenId(getTokenId(token));
            return tokenProviderResponse;
        } catch (TokenCreationException e) {
            throw new AMSTSRuntimeException(e.getCode(), e.getMessage(), e);
        }
    } finally {
        try {
            amSessionInvalidator.invalidateAMSessions(threadLocalAMTokenCache.getToBeInvalidatedAMSessionIds());
        } catch (Exception e) {
            String message = "Exception caught invalidating interim AMSession in SoapOpenIdConnectTokenProvider: " + e;
            logger.warn(message, e);
            /*
             * The fact that the interim OpenAM session was not invalidated should not prevent a token from being
             * issued, so I will not throw an AMSTSRuntimeException.
             */
        }
    }
}
Also used : Element(org.w3c.dom.Element) AMSTSRuntimeException(org.forgerock.openam.sts.AMSTSRuntimeException) TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) SoapTokenProviderBase(org.forgerock.openam.sts.soap.token.provider.SoapTokenProviderBase) WSHandlerResult(org.apache.ws.security.handler.WSHandlerResult) TokenCreationException(org.forgerock.openam.sts.TokenCreationException) JwtReconstructionException(org.forgerock.json.jose.exceptions.JwtReconstructionException) TokenCreationException(org.forgerock.openam.sts.TokenCreationException) AMSTSRuntimeException(org.forgerock.openam.sts.AMSTSRuntimeException) JsonValueException(org.forgerock.json.JsonValueException) ResourceException(org.forgerock.json.resource.ResourceException)

Example 2 with AMSTSRuntimeException

Use of org.forgerock.openam.sts.AMSTSRuntimeException in project OpenAM by OpenRock.

The class CustomDelegationHandlerWrapper, method isDelegationAllowed.

@Override
public TokenDelegationResponse isDelegationAllowed(TokenDelegationParameters tokenParameters) {
    final TokenDelegationResponse tokenDelegationResponse = customHandler.isDelegationAllowed(tokenParameters);
    if (tokenDelegationResponse.isDelegationAllowed()) {
        final Map<String, Object> additionalProperties = tokenDelegationResponse.getAdditionalProperties();
        if ((additionalProperties != null) && additionalProperties.get(AMSTSConstants.CUSTOM_DELEGATION_HANDLER_AM_SESSION_ID) instanceof String) {
            boolean invalidateInterimSession = true;
            Object invalidateSessionObject = additionalProperties.get(AMSTSConstants.CUSTOM_DELEGATION_HANDLER_INVALIDATE_AM_SESSION);
            if (invalidateSessionObject instanceof Boolean) {
                invalidateInterimSession = (Boolean) invalidateSessionObject;
            }
            try {
                threadLocalAMTokenCache.cacheSessionIdForContext(ValidationInvocationContext.SOAP_TOKEN_DELEGATION, (String) additionalProperties.get(AMSTSConstants.CUSTOM_DELEGATION_HANDLER_AM_SESSION_ID), invalidateInterimSession);
            } catch (TokenValidationException e) {
                throw new AMSTSRuntimeException(e.getCode(), e.getMessage(), e);
            }
        } else {
            if (!delegationValidatorsSpecified) {
                String message = "In a custom TokenDelegationHandler, the delegated token is allowed, no delegation " + "validators have been specified, and the AM Session Id was not specified in the " + "DelegationHandlerResponse#getAdditionalProperties keyed by " + AMSTSConstants.CUSTOM_DELEGATION_HANDLER_AM_SESSION_ID + ". This means the " + "TokenGenerationService cannot issue an assertion corresponding to the delegated token.";
                logger.error(message);
                throw new AMSTSRuntimeException(ResourceException.UNAVAILABLE, message);
            }
        }
    }
    return tokenDelegationResponse;
}
Also used : AMSTSRuntimeException(org.forgerock.openam.sts.AMSTSRuntimeException) TokenDelegationResponse(org.apache.cxf.sts.token.delegation.TokenDelegationResponse) TokenValidationException(org.forgerock.openam.sts.TokenValidationException)
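The wrapper above only forwards a delegated token to the TokenGenerationService when the custom handler's additional properties carry the OpenAM session id as a String under AMSTSConstants.CUSTOM_DELEGATION_HANDLER_AM_SESSION_ID; anything else (a missing key, a non-String value) falls into the else branch and, with no delegation validators configured, ends in an AMSTSRuntimeException with ResourceException.UNAVAILABLE. The following custom handler is an added example, not code from OpenAM or CXF: it shows what a handler has to return to satisfy that contract, and fails closed when it cannot map the delegated token to a session. It assumes CXF's TokenDelegationHandler interface (canHandleToken / isDelegationAllowed) and a hypothetical sessionResolver hook that authenticates the delegated token against OpenAM and yields a session id (null when authentication fails).

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.token.delegation.TokenDelegationHandler;
import org.apache.cxf.sts.token.delegation.TokenDelegationParameters;
import org.apache.cxf.sts.token.delegation.TokenDelegationResponse;
import org.forgerock.openam.sts.AMSTSConstants;

/**
 * Example custom TokenDelegationHandler (added example, not part of OpenAM). When delegation is
 * allowed it publishes the OpenAM session id as a String under CUSTOM_DELEGATION_HANDLER_AM_SESSION_ID
 * and an explicit Boolean under CUSTOM_DELEGATION_HANDLER_INVALIDATE_AM_SESSION, which is exactly
 * what CustomDelegationHandlerWrapper#isDelegationAllowed inspects before caching the session.
 */
public final class SessionBackedDelegationHandler implements TokenDelegationHandler {

    /** Hypothetical hook: maps the delegated token to an OpenAM session id, or null if it cannot be authenticated. */
    private final Function<ReceivedToken, String> sessionResolver;

    public SessionBackedDelegationHandler(Function<ReceivedToken, String> sessionResolver) {
        this.sessionResolver = sessionResolver;
    }

    @Override
    public boolean canHandleToken(ReceivedToken delegateTarget) {
        // This example only supports delegating a UsernameToken.
        return delegateTarget != null && delegateTarget.isUsernameToken();
    }

    @Override
    public TokenDelegationResponse isDelegationAllowed(TokenDelegationParameters tokenParameters) {
        final TokenDelegationResponse response = new TokenDelegationResponse();
        final ReceivedToken delegated = tokenParameters.getToken();

        // Fail closed: an absent or unsupported token is never delegatable.
        if (!canHandleToken(delegated)) {
            response.setDelegationAllowed(false);
            return response;
        }

        // Fail closed: without an OpenAM session there is nothing the TokenGenerationService could issue against.
        final String sessionId = sessionResolver.apply(delegated);
        if (sessionId == null || sessionId.isEmpty()) {
            response.setDelegationAllowed(false);
            return response;
        }

        // The session id MUST be a String: the wrapper checks "instanceof String" and ignores anything else.
        final Map<String, Object> props = new HashMap<>();
        props.put(AMSTSConstants.CUSTOM_DELEGATION_HANDLER_AM_SESSION_ID, sessionId);
        // Set explicitly even though the wrapper defaults to invalidation when the key is absent or not a Boolean;
        // the interim session exists only to mint the assertion and should not outlive the request.
        props.put(AMSTSConstants.CUSTOM_DELEGATION_HANDLER_INVALIDATE_AM_SESSION, Boolean.TRUE);
        response.setAdditionalProperties(props);
        response.setDelegationAllowed(true);
        return response;
    }
}
```

Two details of the wrapper are worth keeping in mind when writing such a handler: the invalidation flag is read with an instanceof Boolean check, so a String "false" is silently ignored and the session is invalidated anyway (the safe default), and a session id supplied as anything other than a String is likewise ignored, which turns a type slip in the handler into the UNAVAILABLE error rather than a delegated assertion.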

Example 3 with AMSTSRuntimeException

Use of org.forgerock.openam.sts.AMSTSRuntimeException in project OpenAM by OpenRock.

The class SoapSamlTokenProvider, method createToken.

/**
 * @see org.apache.cxf.sts.token.provider.TokenProvider
 */
@Override
public TokenProviderResponse createToken(TokenProviderParameters tokenProviderParameters) {
    try {
        final TokenProviderResponse tokenProviderResponse = new TokenProviderResponse();
        final SAML2SubjectConfirmation subjectConfirmation = determineSubjectConfirmation(tokenProviderParameters);
        final SoapTokenProviderBase.AuthenticationContextMapperState mapperState = getAuthenticationContextMapperState(tokenProviderParameters);
        String authNContextClassRef;
        if (mapperState.isDelegatedContext()) {
            authNContextClassRef = authnContextMapper.getAuthnContextForDelegatedToken(mapperState.getSecurityPolicyBindingTraversalYield(), mapperState.getDelegatedToken());
        } else {
            authNContextClassRef = authnContextMapper.getAuthnContext(mapperState.getSecurityPolicyBindingTraversalYield());
        }
        ProofTokenState proofTokenState = null;
        if (SAML2SubjectConfirmation.HOLDER_OF_KEY.equals(subjectConfirmation)) {
            proofTokenState = getProofTokenState(tokenProviderParameters);
        }
        String assertion;
        try {
            assertion = getAssertion(authNContextClassRef, subjectConfirmation, proofTokenState);
        } catch (TokenCreationException e) {
            throw new AMSTSRuntimeException(e.getCode(), e.getMessage(), e);
        }
        Document assertionDocument = xmlUtilities.stringToDocumentConversion(assertion);
        if (assertionDocument == null) {
            logger.error("Could not turn assertion string returned from TokenGenerationService into DOM Document. " + "The assertion string: " + assertion);
            throw new AMSTSRuntimeException(ResourceException.INTERNAL_ERROR, "Could not turn assertion string returned from TokenGenerationService into DOM Document.");
        }
        final Element assertionElement = assertionDocument.getDocumentElement();
        tokenProviderResponse.setToken(assertionElement);
        final String tokenId = assertionElement.getAttributeNS(null, "ID");
        /*
         * The tokenId cannot be null or empty because a reference to the issued token is created using this id in
         * the wss security header in the RequestSecurityTokenResponse. A null or empty id will generate a cryptic
         * error in the cxf runtime. And if we are dealing with an encrypted assertion, there is no ID attribute, so
         * in this case a random uuid should be generated, as I believe the id serves only to refer to the token
         * within the security header, and does not have to be connected to the token itself. An encrypted SAML2
         * assertion only contains some information on the encryption method, the symmetric key used for
         * encryption, itself encrypted with the recipient's public key, and the encrypted assertion. So if no ID
         * attribute is present, we are dealing with an encrypted assertion, and will generate a random UUID to
         * serve as the key id.
         */
        if (StringUtils.isEmpty(tokenId)) {
            tokenProviderResponse.setTokenId(UUID.randomUUID().toString());
        } else {
            tokenProviderResponse.setTokenId(tokenId);
        }
        return tokenProviderResponse;
    } finally {
        try {
            amSessionInvalidator.invalidateAMSessions(threadLocalAMTokenCache.getToBeInvalidatedAMSessionIds());
        } catch (Exception e) {
            String message = "Exception caught invalidating interim AMSession in SoapSamlTokenProvider: " + e;
            logger.warn(message, e);
            /*
             * The fact that the interim OpenAM session was not invalidated should not prevent a token from being
             * issued, so I will not throw an AMSTSRuntimeException.
             */
        }
    }
}
Also used : SAML2SubjectConfirmation(org.forgerock.openam.sts.token.SAML2SubjectConfirmation) Element(org.w3c.dom.Element) AMSTSRuntimeException(org.forgerock.openam.sts.AMSTSRuntimeException) TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse) SoapTokenProviderBase(org.forgerock.openam.sts.soap.token.provider.SoapTokenProviderBase) ProofTokenState(org.forgerock.openam.sts.user.invocation.ProofTokenState) Document(org.w3c.dom.Document) TokenCreationException(org.forgerock.openam.sts.TokenCreationException) AMSTSRuntimeException(org.forgerock.openam.sts.AMSTSRuntimeException) TokenMarshalException(org.forgerock.openam.sts.TokenMarshalException) ResourceException(org.forgerock.json.resource.ResourceException) TokenCreationException(org.forgerock.openam.sts.TokenCreationException)
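The ID lookup and UUID fallback in createToken hinge on two DOM details: the SAML ID attribute is unprefixed, so it must be read with a null namespace, and an EncryptedAssertion root carries no ID at all. The class below is an added example, not code from OpenAM, that runs that logic over two constructed assertion strings (one plain, one encrypted, with placeholder cipher values) and also shows the parser hardening a practitioner would want before turning an assertion string from a remote service into a DOM: namespace awareness, secure processing, and DOCTYPE rejection. The feature URI for rejecting DOCTYPEs is the Xerces one shipped with the JDK; other parsers may spell it differently.

```java
import java.io.StringReader;
import java.util.UUID;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

/** Added example (not OpenAM code): derive the tokenId for a SAML2 assertion the way createToken does. */
public final class AssertionTokenId {

    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample: a plain assertion whose unprefixed ID attribute is the tokenId.
    static final String PLAIN_ASSERTION =
          "<saml2:Assertion xmlns:saml2=\"" + SAML2_NS + "\" ID=\"_constructed-assertion-id\" "
        + "Version=\"2.0\" IssueInstant=\"2015-01-01T00:00:00Z\">"
        + "<saml2:Issuer>https://openam.example.com/openam</saml2:Issuer>"
        + "</saml2:Assertion>";

    // Constructed sample: an encrypted assertion exposes only EncryptedData/EncryptedKey and has no ID attribute.
    static final String ENCRYPTED_ASSERTION =
          "<saml2:EncryptedAssertion xmlns:saml2=\"" + SAML2_NS + "\">"
        + "<xenc:EncryptedData xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\" "
        + "Type=\"http://www.w3.org/2001/04/xmlenc#Element\">"
        + "<xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"/>"
        + "<ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\">"
        + "<xenc:EncryptedKey>"
        + "<xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"/>"
        + "<xenc:CipherData><xenc:CipherValue>cGxhY2Vob2xkZXI=</xenc:CipherValue></xenc:CipherData>"
        + "</xenc:EncryptedKey>"
        + "</ds:KeyInfo>"
        + "<xenc:CipherData><xenc:CipherValue>cGxhY2Vob2xkZXI=</xenc:CipherValue></xenc:CipherData>"
        + "</xenc:EncryptedData>"
        + "</saml2:EncryptedAssertion>";

    /** Hardened string-to-DOM conversion: namespace aware, secure processing on, DOCTYPE (and thus XXE) rejected. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    /** True when the root element is saml2:EncryptedAssertion, the case in which no ID attribute exists. */
    static boolean isEncryptedAssertion(Element root) {
        return SAML2_NS.equals(root.getNamespaceURI()) && "EncryptedAssertion".equals(root.getLocalName());
    }

    /**
     * Mirrors createToken: read the unprefixed ID attribute (null namespace); if it is absent or empty,
     * fall back to a random UUID that serves only as the reference handle in the response's security header.
     */
    static String tokenIdFor(Element root) {
        String id = root.getAttributeNS(null, "ID");
        return (id == null || id.isEmpty()) ? UUID.randomUUID().toString() : id;
    }

    public static void main(String[] args) throws Exception {
        Element plain = parse(PLAIN_ASSERTION).getDocumentElement();
        Element encrypted = parse(ENCRYPTED_ASSERTION).getDocumentElement();
        System.out.println("plain:     encrypted=" + isEncryptedAssertion(plain)
            + " tokenId=" + tokenIdFor(plain));
        System.out.println("encrypted: encrypted=" + isEncryptedAssertion(encrypted)
            + " tokenId=" + tokenIdFor(encrypted));
    }
}
```

For the plain sample, tokenIdFor returns the assertion's own ID; for the encrypted sample the attribute lookup yields an empty string and a fresh UUID is returned on every call, so nothing downstream may rely on the tokenId of an encrypted assertion being stable or being present inside the token.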

Example 4 with AMSTSRuntimeException

Use of org.forgerock.openam.sts.AMSTSRuntimeException in project OpenAM by OpenRock.

The class SoapSamlTokenProvider, method getProofTokenState.

/**
 * @param tokenProviderParameters The TokenProviderParameters corresponding to the RST invocation
 * @return The ProofTokenState necessary for HoK assertions.
 * @throws AMSTSRuntimeException if the ProofTokenState cannot be obtained from the request, or the X509Certificate
 * state cannot be successfully constructed.
 */
private ProofTokenState getProofTokenState(TokenProviderParameters tokenProviderParameters) throws AMSTSRuntimeException {
    ReceivedKey receivedKey = tokenProviderParameters.getKeyRequirements().getReceivedKey();
    X509Certificate certificate = receivedKey.getX509Cert();
    if (certificate == null) {
        String exceptionMessage = "The ReceivedKey instance in the KeyRequirements has a null X509Cert. Thus the " + "ProofTokenState necessary to consume the TokenGenerationService cannot be created.";
        logger.error(exceptionMessage + " PublicKey in the ReceivedToken: " + receivedKey.getPublicKey());
        throw new AMSTSRuntimeException(ResourceException.BAD_REQUEST, exceptionMessage);
    }
    try {
        return ProofTokenState.builder().x509Certificate(certificate).build();
    } catch (TokenMarshalException e) {
        String message = "In SoapSamlTokenProvider#getAssertion, could not marshal X509Cert in ReceivedKey " + "into ProofTokenState: " + e;
        logger.error(message, e);
        throw new AMSTSRuntimeException(ResourceException.BAD_REQUEST, message);
    }
}
Also used : TokenMarshalException(org.forgerock.openam.sts.TokenMarshalException) AMSTSRuntimeException(org.forgerock.openam.sts.AMSTSRuntimeException) ReceivedKey(org.apache.cxf.sts.request.ReceivedKey) X509Certificate(java.security.cert.X509Certificate)

Aggregations

AMSTSRuntimeException (org.forgerock.openam.sts.AMSTSRuntimeException)4 TokenProviderResponse (org.apache.cxf.sts.token.provider.TokenProviderResponse)2 ResourceException (org.forgerock.json.resource.ResourceException)2 TokenCreationException (org.forgerock.openam.sts.TokenCreationException)2 TokenMarshalException (org.forgerock.openam.sts.TokenMarshalException)2 SoapTokenProviderBase (org.forgerock.openam.sts.soap.token.provider.SoapTokenProviderBase)2 Element (org.w3c.dom.Element)2 X509Certificate (java.security.cert.X509Certificate)1 ReceivedKey (org.apache.cxf.sts.request.ReceivedKey)1 ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)1 TokenDelegationResponse (org.apache.cxf.sts.token.delegation.TokenDelegationResponse)1 WSHandlerResult (org.apache.ws.security.handler.WSHandlerResult)1 JsonValueException (org.forgerock.json.JsonValueException)1 JwtReconstructionException (org.forgerock.json.jose.exceptions.JwtReconstructionException)1 TokenValidationException (org.forgerock.openam.sts.TokenValidationException)1 SAML2SubjectConfirmation (org.forgerock.openam.sts.token.SAML2SubjectConfirmation)1 ProofTokenState (org.forgerock.openam.sts.user.invocation.ProofTokenState)1 Document (org.w3c.dom.Document)1