use of org.forgerock.openam.sts.CTSTokenPersistenceException in project OpenAM by OpenRock.
Class CTSTokenPersistenceImpl, method persistToken (writes an issued STS token into the Core Token Service).
@Override
/**
 * Persists an issued STS token in the CTS so it can later be listed/cancelled by token id.
 *
 * The CTS token id is produced by ctsTokenIdGenerator from the token type and the serialized token; the
 * serialized token itself is stored as UTF-8 bytes inside the CTS entry built by generateToken.
 *
 * The exception messages raised here carry only the token type, never the serialized token string. That
 * string is a bearer credential (a signed JWT or SAML assertion) and must stay out of messages that may end
 * up in logs or in REST error responses - keep it that way when editing this method.
 *
 * @param stsId                id of the STS instance that issued the token
 * @param tokenType            the issued token's type (OPENIDCONNECT, SAML2, ...)
 * @param tokenString          the serialized issued token
 * @param subjectId            principal the token was issued for
 * @param issueInstantMillis   issue instant, epoch milliseconds
 * @param tokenLifetimeSeconds token lifetime in seconds
 * @throws CTSTokenPersistenceException if the CTS id cannot be generated (code taken from the id generator),
 *         if the UTF-8 encoding lookup fails, or if the CTS store rejects the entry (INTERNAL_ERROR)
 */
public void persistToken(String stsId, TokenType tokenType, String tokenString, String subjectId, long issueInstantMillis, long tokenLifetimeSeconds) throws CTSTokenPersistenceException {
    try {
        final String ctsTokenId = ctsTokenIdGenerator.generateTokenId(tokenType, tokenString);
        final byte[] tokenBytes = tokenString.getBytes(AMSTSConstants.UTF_8_CHARSET_ID);
        final Token ctsEntry = generateToken(stsId, tokenBytes, ctsTokenId, subjectId, issueInstantMillis, tokenLifetimeSeconds, tokenType);
        ctsPersistentStore.create(ctsEntry);
    } catch (TokenIdGenerationException e) {
        // Propagate the generator's own error code so the REST layer reports it unchanged.
        throw new CTSTokenPersistenceException(e.getCode(), "Exception caught generating id for CTS-persisted " + tokenType + " token: " + e.getMessage(), e);
    } catch (UnsupportedEncodingException e) {
        throw new CTSTokenPersistenceException(ResourceException.INTERNAL_ERROR, "Exception caught getting byte[] representation of issued " + tokenType + " token for CTS persistence: " + e, e);
    } catch (CoreTokenException e) {
        throw new CTSTokenPersistenceException(ResourceException.INTERNAL_ERROR, "Exception caught persisting issued " + tokenType + " token in the CTS: " + e.getMessage(), e);
    }
}
use of org.forgerock.openam.sts.CTSTokenPersistenceException in project OpenAM by OpenRock.
Class OpenIdConnectTokenGenerationImpl, method generate (builds, signs and optionally persists an OpenID Connect id_token).
@Override
/**
 * Issues a signed OpenID Connect token for the principal behind the given SSOToken.
 *
 * Flow: validate the SSOToken and obtain its principal, build the unsigned token (iat in seconds), sign it
 * according to the configured JwsAlgorithm, then - if the STS instance is configured to do so - record the
 * issued token in the CTS. Only HMAC and RSA algorithm types are accepted; any other algorithm type (including
 * a null one, since the comparison is done with equals on the enum constants) is rejected with BAD_REQUEST,
 * so no unsigned token can leave this method.
 *
 * @param subjectToken    the SSOToken whose principal becomes the token subject
 * @param stsInstanceState published state of the STS instance (config, PKI provider)
 * @param invocationState per-invocation state (STS instance id, OIDC generation state)
 * @return the serialized, signed JWT
 * @throws TokenCreationException on an unsupported signature algorithm type (BAD_REQUEST), on a signing failure,
 *         or when CTS persistence fails (code and message taken from the persistence exception)
 */
public String generate(SSOToken subjectToken, STSInstanceState stsInstanceState, TokenGenerationServiceInvocationState invocationState) throws TokenCreationException {
    final OpenIdConnectTokenConfig oidcConfig = stsInstanceState.getConfig().getOpenIdConnectTokenConfig();
    final long issuedAtMillis = System.currentTimeMillis();
    // validateAndGetTokenPrincipal both checks the SSOToken and yields the principal the token is issued for.
    final String principal = ssoTokenIdentity.validateAndGetTokenPrincipal(subjectToken);
    // The JWT iat claim is in seconds; the CTS persistence call below keeps the millisecond value.
    final STSOpenIdConnectToken idToken = buildToken(subjectToken, oidcConfig, invocationState.getOpenIdConnectTokenGenerationState(), issuedAtMillis / 1000, principal);
    final String serializedJwt = signIdToken(idToken, oidcConfig, stsInstanceState);
    if (stsInstanceState.getConfig().persistIssuedTokensInCTS()) {
        try {
            ctsTokenPersistence.persistToken(invocationState.getStsInstanceId(), TokenType.OPENIDCONNECT, serializedJwt, principal, issuedAtMillis, oidcConfig.getTokenLifetimeInSeconds());
        } catch (CTSTokenPersistenceException e) {
            throw new TokenCreationException(e.getCode(), e.getMessage(), e);
        }
    }
    return serializedJwt;
}

/**
 * Signs the token with the configured algorithm and returns the compact serialization.
 *
 * HMAC algorithms are keyed with the client secret from the token config; RSA algorithms use the key pair the
 * instance's PKI provider returns for the configured signature key alias and password.
 *
 * @throws TokenCreationException with BAD_REQUEST when the algorithm type is neither HMAC nor RSA
 */
private String signIdToken(STSOpenIdConnectToken idToken, OpenIdConnectTokenConfig oidcConfig, STSInstanceState stsInstanceState) throws TokenCreationException {
    final JwsAlgorithm jwsAlgorithm = oidcConfig.getSignatureAlgorithm();
    final JwsAlgorithmType algorithmType = jwsAlgorithm.getAlgorithmType();
    if (JwsAlgorithmType.HMAC.equals(algorithmType)) {
        return symmetricSign(idToken, jwsAlgorithm, oidcConfig.getClientSecret()).build();
    }
    if (JwsAlgorithmType.RSA.equals(algorithmType)) {
        return asymmetricSign(idToken, jwsAlgorithm, getKeyPair(stsInstanceState.getOpenIdConnectTokenPKIProvider(), oidcConfig.getSignatureKeyAlias(), oidcConfig.getSignatureKeyPassword()), determinePublicKeyReferenceType(oidcConfig)).build();
    }
    // Anything else (including null) is refused: we never emit an unsigned or unknown-algorithm token.
    throw new TokenCreationException(ResourceException.BAD_REQUEST, "Unknown JwsAlgorithmType: " + algorithmType);
}
use of org.forgerock.openam.sts.CTSTokenPersistenceException in project OpenAM by OpenRock.
Class SAML2TokenGenerationImpl, method generate (builds, signs/encrypts and optionally persists a SAML2 assertion).
/**
 * Issues a SAML2 assertion for the principal behind the given SSOToken.
 *
 * The assertion is assembled statement by statement (version/id, issuer, issue instant, conditions, subject,
 * authentication, attribute and authz-decision statements), then serialized in one of two ways:
 * <ul>
 *   <li>encryptAssertion: the whole assertion is signed and then encrypted by
 *       handleSingingAndEncryptionOfEntireAssertion - encryption of the entire assertion must be preceded
 *       by signing, which is why one helper handles both;</li>
 *   <li>otherwise: attribute statements and/or the NameID are encrypted if configured, and signing (if
 *       configured) happens last, i.e. after the partial encryption.</li>
 * </ul>
 * If the STS instance persists issued tokens, the serialized assertion is recorded in the CTS before return.
 *
 * @param subjectToken     the SSOToken whose principal becomes the assertion subject
 * @param stsInstanceState published state of the STS instance (SAML2Config, keys)
 * @param invocationState  per-invocation state (STS instance id, SAML2 generation state)
 * @return the serialized (possibly encrypted) assertion
 * @throws TokenCreationException with BAD_REQUEST when the instance has no SAML2Config, with INTERNAL_ERROR when
 *         serialization to XML fails, or with the persistence exception's code when CTS persistence fails
 */
public String generate(SSOToken subjectToken, STSInstanceState stsInstanceState, TokenGenerationServiceInvocationState invocationState) throws TokenCreationException {
    final SAML2Config config = stsInstanceState.getConfig().getSaml2Config();
    if (config == null) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Invocation targets a SAML2 token, but no SAML2Config was specified in the published sts!");
    }
    // validateAndGetTokenPrincipal both checks the SSOToken and yields the principal asserted about.
    final String principal = ssoTokenIdentity.validateAndGetTokenPrincipal(subjectToken);
    final Assertion assertion = AssertionFactory.getInstance().createAssertion();
    setVersionAndId(assertion);
    setIssuer(assertion, config);
    final Date issuedAt = new Date();
    setIssueInstant(assertion, issuedAt);
    final SAML2TokenGenerationState genState = invocationState.getSaml2TokenGenerationState();
    setConditions(assertion, config, issuedAt, genState.getSaml2SubjectConfirmation());
    setSubject(assertion, principal, config.getSpAcsUrl(), config, invocationState.getSaml2TokenGenerationState().getSaml2SubjectConfirmation(), issuedAt, genState.getProofTokenState());
    setAuthenticationStatements(assertion, config, genState.getAuthnContextClassRef());
    setAttributeStatements(assertion, subjectToken, config);
    setAuthzDecisionStatements(assertion, subjectToken, config);

    final String serializedAssertion;
    try {
        if (config.encryptAssertion()) {
            // Sign-then-encrypt of the whole assertion; the helper performs both steps in that order.
            final EncryptedAssertion encrypted = handleSingingAndEncryptionOfEntireAssertion(assertion, config, stsInstanceState);
            serializedAssertion = encrypted.toXMLString(ASSERTION_TO_STRING_INCLUDE_NAMESPACE_PREFIX, ASSERTION_TO_STRING_DECLARE_NAMESPACE_PREFIX);
        } else {
            // Partial encryption first, signature last, so the signature is computed after the encrypted
            // elements are in place.
            if (config.encryptAttributes()) {
                encryptAttributeStatement(assertion, config, stsInstanceState);
            }
            if (config.encryptNameID()) {
                encryptNameID(assertion, config, stsInstanceState);
            }
            if (config.signAssertion()) {
                signAssertion(assertion, stsInstanceState);
            }
            serializedAssertion = assertion.toXMLString(ASSERTION_TO_STRING_INCLUDE_NAMESPACE_PREFIX, ASSERTION_TO_STRING_DECLARE_NAMESPACE_PREFIX);
        }
    } catch (SAML2Exception e) {
        // Only the toXMLString calls throw this checked exception; the build/encrypt/sign helpers do not.
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR, "Exception caught calling Assertion.toXMLString: " + e, e);
    }

    if (stsInstanceState.getConfig().persistIssuedTokensInCTS()) {
        try {
            ctsTokenPersistence.persistToken(invocationState.getStsInstanceId(), TokenType.SAML2, serializedAssertion, principal, issuedAt.getTime(), config.getTokenLifetimeInSeconds());
        } catch (CTSTokenPersistenceException e) {
            throw new TokenCreationException(e.getCode(), e.getMessage(), e);
        }
    }
    return serializedAssertion;
}
use of org.forgerock.openam.sts.CTSTokenPersistenceException in project OpenAM by OpenRock.
Class CTSTokenPersistenceImpl, method listTokens (queries the CTS for issued STS tokens and returns their metadata).
@Override
/**
 * Lists the STS-issued tokens in the CTS that match the given filter.
 *
 * The caller's filter is first passed through buildTokenFilter (presumably to scope the query to STS token
 * entries - confirm in that helper), then run as an attribute query so only the selected fields are read.
 * Each PartialToken is marshalled into an STSIssuedTokenState, which carries token metadata only (id, STS id,
 * expiry, type, principal) and never the serialized token bytes.
 *
 * NOTE(review): the CoreTokenException message is propagated verbatim with INTERNAL_ERROR; if this surfaces in a
 * REST response it may expose store/LDAP details to the client - verify how the calling layer renders it.
 *
 * @param queryFilter filter over CoreTokenField values selecting the tokens of interest
 * @return one STSIssuedTokenState per matching CTS entry, in query order
 * @throws CTSTokenPersistenceException with INTERNAL_ERROR when the CTS query fails, or from marshalling
 *         when a result is missing a required field
 */
public List<STSIssuedTokenState> listTokens(QueryFilter<CoreTokenField> queryFilter) throws CTSTokenPersistenceException {
    final Collection<PartialToken> matches;
    try {
        matches = ctsPersistentStore.attributeQuery(buildTokenFilter(queryFilter));
    } catch (CoreTokenException e) {
        throw new CTSTokenPersistenceException(ResourceException.INTERNAL_ERROR, e.getMessage(), e);
    }
    final List<STSIssuedTokenState> states = new ArrayList<>(matches.size());
    for (PartialToken match : matches) {
        states.add(marshalIssuedTokenState(match));
    }
    return states;
}
use of org.forgerock.openam.sts.CTSTokenPersistenceException in project OpenAM by OpenRock.
Class CTSTokenPersistenceImpl, method marshalIssuedTokenState (converts a CTS query result into STS token metadata).
/**
 * Converts one PartialToken from a CTS attribute query into an STSIssuedTokenState.
 *
 * Only metadata is copied: expiry (converted to unix seconds), user id, STS token type, STS id and token id.
 * The serialized token blob is not read here, so listing never hands the credential itself back to callers.
 *
 * NOTE(review): missing fields are detected only by catching the NullPointerException that TimeUtils or the
 * builder raise; a null field that the builder accepts silently would pass through unnoticed. Explicit null
 * checks per field would give a clearer message than e.getMessage() on an NPE - confirm the builder's
 * validation before changing this.
 *
 * @param partialToken a CTS query result carrying the selected CoreTokenFields
 * @return the marshalled token metadata
 * @throws CTSTokenPersistenceException with INTERNAL_ERROR when a required field is absent
 */
private STSIssuedTokenState marshalIssuedTokenState(PartialToken partialToken) throws CTSTokenPersistenceException {
    try {
        final Calendar expiry = partialToken.getValue(CoreTokenField.EXPIRY_DATE);
        final String principalName = partialToken.getValue(CoreTokenField.USER_ID);
        final String stsTokenType = partialToken.getValue(CTS_TOKEN_FIELD_STS_TOKEN_TYPE);
        final String stsInstanceId = partialToken.getValue(CTS_TOKEN_FIELD_STS_ID);
        final String ctsTokenId = partialToken.getValue(CoreTokenField.TOKEN_ID);
        final long expiresAtUnixSeconds = TimeUtils.toUnixTime(expiry);
        return STSIssuedTokenState.builder()
                .tokenId(ctsTokenId)
                .stsId(stsInstanceId)
                .expirationTimeInSecondsFromEpoch(expiresAtUnixSeconds)
                .tokenType(stsTokenType)
                .principalName(principalName)
                .build();
    } catch (NullPointerException e) {
        throw new CTSTokenPersistenceException(ResourceException.INTERNAL_ERROR, "Null field encountered in CTS token query results: " + e.getMessage(), e);
    }
}