use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.
the class SAML2TokenGenerationImpl method encryptNameID.
/**
 * Replaces the plaintext NameID of the assertion's Subject with an EncryptedID.
 * <p>
 * The encryption key is the public key of the SP certificate looked up under
 * {@code saml2Config.getEncryptionKeyAlias()}; algorithm, strength and the SP entity id
 * also come from {@code saml2Config}. After a successful encryption the plaintext NameID
 * is cleared from the Subject so the assertion carries only the encrypted form.
 *
 * @param assertion        the assertion whose Subject/NameID is encrypted in place
 * @param saml2Config      supplies key alias, algorithm, strength and SP entity id
 * @param stsInstanceState supplies the SAML2 crypto provider holding the SP certificate
 * @throws TokenCreationException (INTERNAL_ERROR) if the Subject or its NameID is absent,
 *         if NameID#encrypt returns null, or if the SAML2 library throws
 */
private void encryptNameID(Assertion assertion, SAML2Config saml2Config, STSInstanceState stsInstanceState)
        throws TokenCreationException {
    /*
     * Mirrors the null checks in IDPSSOUtil#signAndEncryptResponseComponents: the DefaultSubjectProvider
     * always produces a Subject with a NameID, but a custom provider gives no such guarantee.
     */
    final Subject subject = assertion.getSubject();
    if (subject == null) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                "In SAML2TokenGenerationImpl, saml2Config specifies encryption of NameID, but "
                        + "encapsulating subject is null.");
    }
    final NameID nameID = subject.getNameID();
    if (nameID == null) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                "In SAML2TokenGenerationImpl, saml2Config specifies encryption of NameID, but "
                        + "NameID in subject is null.");
    }
    try {
        final EncryptedID encryptedNameID = encryptWithSpKey(nameID, saml2Config, stsInstanceState);
        if (encryptedNameID == null) {
            throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                    "In SAML2TokenGenerationImpl, the EncryptedID returned from NameID#encrypt is null.");
        }
        subject.setEncryptedID(encryptedNameID);
        // drop the plaintext NameID: only the EncryptedID is meant to remain in the Subject
        subject.setNameID(null);
        assertion.setSubject(subject);
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                "Exception thrown encrypting NameID in SAML2TokenGenerationImpl: " + e, e);
    }
}

/**
 * Encrypts {@code nameID} with the public key of the SP certificate named by the configured
 * encryption key alias, using the algorithm, strength and SP entity id from {@code saml2Config}.
 * NOTE(review): getSPX509Certificate is assumed to return a non-null certificate for a configured
 * alias — an unknown alias would surface here as a NullPointerException rather than a SAML2Exception.
 */
private EncryptedID encryptWithSpKey(NameID nameID, SAML2Config saml2Config, STSInstanceState stsInstanceState)
        throws SAML2Exception {
    return nameID.encrypt(
            stsInstanceState.getSAML2CryptoProvider()
                    .getSPX509Certificate(saml2Config.getEncryptionKeyAlias())
                    .getPublicKey(),
            saml2Config.getEncryptionAlgorithm(),
            saml2Config.getEncryptionAlgorithmStrength(),
            saml2Config.getSpEntityId());
}
use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.
the class SAML2TokenGenerationImpl method setVersionAndId.
/**
 * Stamps the assertion with SAML version {@code "2.0"} and a freshly generated id
 * from {@link SAML2SDKUtils#generateID()}.
 *
 * @param assertion the assertion to stamp
 * @throws TokenCreationException (INTERNAL_ERROR) wrapping any SAML2Exception raised
 *         while setting the version or the id
 */
private void setVersionAndId(Assertion assertion) throws TokenCreationException {
    try {
        // version first, then id — kept in this order so a failure is attributed the same way as before
        assertion.setVersion("2.0");
        assertion.setID(SAML2SDKUtils.generateID());
    } catch (SAML2Exception e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                "Exception caught setting version and/or id in SAML2TokenGenerationImpl: " + e, e);
    }
}
use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.
the class TokenServiceConsumerImpl method parseTokenServiceResponse.
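/**
 * Extracts the issued token string from the TokenService's json response.
 * <p>
 * The body is parsed the same way the Crest HttpServletAdapter builds a JsonValue from a json
 * string; see org.forgerock.json.resource.servlet.HttpUtils.parseJsonBody (called from
 * HttpServletAdapter.getJsonContent) for details. Both failure messages embed the raw response
 * body, so the exception text may carry whatever the TokenService returned (including token
 * material) — callers that log or surface these messages should be aware of that.
 *
 * @param response the raw response body returned by the TokenService
 * @return the string value stored under {@code AMSTSConstants.ISSUED_TOKEN}
 * @throws TokenCreationException (INTERNAL_ERROR) if the body is not json, or if it does not
 *         hold a non-null string under the issued-token key
 */
private String parseTokenServiceResponse(String response) throws TokenCreationException {
    final JsonValue responseJson = parseResponseJson(response);
    // deliberately outside the JsonException handler: only parse failures map to the "could not map" message
    final JsonValue issuedToken = responseJson.get(AMSTSConstants.ISSUED_TOKEN);
    if (!issuedToken.isString()) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                "The json response returned from the TokenService did not have "
                        + "a non-null string element for the " + AMSTSConstants.ISSUED_TOKEN + " key. The json: "
                        + responseJson.toString());
    }
    return issuedToken.asString();
}

/**
 * Parses {@code response} into a JsonValue, converting a JsonException into a TokenCreationException.
 * The original JsonException is retained as the cause (previously it was only rendered into the message),
 * so the full parse failure stays available to whoever handles the TokenCreationException.
 */
private static JsonValue parseResponseJson(String response) throws TokenCreationException {
    try {
        return JsonValueBuilder.toJsonValue(response);
    } catch (JsonException e) {
        throw new TokenCreationException(ResourceException.INTERNAL_ERROR,
                "Could not map the response from the TokenService to a json object. The response: " + response
                        + "; The exception: " + e, e);
    }
}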
use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.
the class AMSessionInvalidatorImpl method invalidateAMSessions.
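/**
 * Invalidates each of the given OpenAM sessions by POSTing to the configured logout url with
 * the session id presented in the AM session cookie header.
 * <p>
 * Every session id is attempted even when an earlier one fails: each failure is logged and
 * remembered, and the most recent one is rethrown once the loop has finished. This now covers
 * both I/O failures and non-200 responses — previously a non-200 response threw from inside
 * the loop and left the remaining sessions un-invalidated, which defeats the purpose of a
 * best-effort bulk invalidation.
 *
 * @param sessionIds the ids of the sessions to invalidate
 * @throws TokenCreationException if at least one invalidation failed; the exception for the
 *         last failure is the one thrown
 */
@Override
public void invalidateAMSessions(Set<String> sessionIds) throws TokenCreationException {
    TokenCreationException lastFailure = null;
    for (String sessionId : sessionIds) {
        try {
            invalidateSession(sessionId);
        } catch (TokenCreationException e) {
            // already logged by invalidateSession; keep going so the other sessions still get invalidated
            lastFailure = e;
        }
    }
    /*
     * Only the last failure is thrown. These failures almost always stem from a network problem,
     * in which case the last exception is indistinguishable from the first; every failure was
     * logged individually above.
     */
    if (lastFailure != null) {
        throw lastFailure;
    }
}

/**
 * Invalidates a single session. A non-200 response or an I/O failure is logged and translated
 * into a TokenCreationException (the HTTP status code, or INTERNAL_ERROR for I/O failures).
 */
private void invalidateSession(String sessionId) throws TokenCreationException {
    final Map<String, String> headerMap = new HashMap<>();
    headerMap.put(AMSTSConstants.CONTENT_TYPE, AMSTSConstants.APPLICATION_JSON);
    headerMap.put(AMSTSConstants.CREST_VERSION_HEADER_KEY, crestVersionSessionService);
    // the session id travels in the AM session cookie header, so the logout call acts on that session
    headerMap.put(amSessionCookieName, sessionId);
    try {
        final HttpURLConnectionWrapper.ConnectionResult connectionResult =
                connectionWrapperFactory.httpURLConnectionWrapper(logoutUrl)
                        .setRequestHeaders(headerMap)
                        .setRequestMethod(AMSTSConstants.POST)
                        .makeInvocation();
        final int responseCode = connectionResult.getStatusCode();
        if (responseCode != HttpURLConnection.HTTP_OK) {
            // note: the response body is included in the message (as before)
            final String message = "Non-200 response from invalidating session " + sessionId
                    + " against url " + logoutUrl + " : " + connectionResult.getResult();
            logger.error(message);
            throw new TokenCreationException(responseCode, message);
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Invalidated session " + sessionId);
        }
    } catch (IOException e) {
        final String message = "Exception caught invalidating session: " + sessionId + " against Url "
                + logoutUrl + ". Exception: " + e;
        logger.error(message);
        throw new TokenCreationException(org.forgerock.json.resource.ResourceException.INTERNAL_ERROR, message, e);
    }
}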
use of org.forgerock.openam.sts.TokenCreationException in project OpenAM by OpenRock.
the class OpenIdConnectTokenGenerationImpl method asymmetricSign.
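/**
 * Signs the OpenID Connect token claims as a JWS using the RSA private key of {@code keyPair}.
 * <p>
 * The algorithm must be of type RSA, and the public half of the key pair must be an
 * {@link RSAPublicKey}; the public key is handed to {@code handleKeyIdentification} so the JWS
 * header can reference it in the form selected by {@code publicKeyReferenceType}.
 *
 * @param openIdConnectToken     the token whose claims (via {@code asMap()}) are signed
 * @param jwsAlgorithm           the JWS algorithm; its type must be RSA
 * @param keyPair                the signing key pair; private key signs, public key is referenced in the header
 * @param publicKeyReferenceType how the public key is referenced in the JWS header
 * @return the signed JWT
 * @throws TokenCreationException (BAD_REQUEST) if the algorithm type is not RSA, or if the public
 *         key is absent or not an RSAPublicKey
 */
private SignedJwt asymmetricSign(STSOpenIdConnectToken openIdConnectToken, JwsAlgorithm jwsAlgorithm, KeyPair keyPair,
        OpenIdConnectTokenPublicKeyReferenceType publicKeyReferenceType) throws TokenCreationException {
    if (!JwsAlgorithmType.RSA.equals(jwsAlgorithm.getAlgorithmType())) {
        // message previously pointed at symmetricSign; it now names this method
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Exception in "
                + "OpenIdConnectTokenGenerationImpl#asymmetricSign: algorithm type not RSA but "
                + jwsAlgorithm.getAlgorithmType());
    }
    // Type-check the public key up front instead of catching ClassCastException. A null public key is
    // rejected here as well, rather than being passed through to handleKeyIdentification.
    if (!(keyPair.getPublic() instanceof RSAPublicKey)) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Could not sign jwt with algorithm "
                + jwsAlgorithm + " because the PublicKey not of type RSAPublicKey but rather "
                + (keyPair.getPublic() != null ? keyPair.getPublic().getClass().getCanonicalName() : null));
    }
    final RSAPublicKey rsaPublicKey = (RSAPublicKey) keyPair.getPublic();
    final SigningHandler signingHandler = new SigningManager().newRsaSigningHandler(keyPair.getPrivate());
    final JwsHeaderBuilder jwsHeaderBuilder = jwtBuilderFactory.jws(signingHandler).headers().alg(jwsAlgorithm);
    final JwtClaimsSet claimsSet = jwtBuilderFactory.claims().claims(openIdConnectToken.asMap()).build();
    handleKeyIdentification(jwsHeaderBuilder, publicKeyReferenceType, rsaPublicKey, jwsAlgorithm);
    return jwsHeaderBuilder.done().claims(claimsSet).asJwt();
}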