Search in sources :

Example 1 with TokenType

use of org.forgerock.openam.sts.TokenType in project OpenAM by OpenRock.

the class SoapSTSInstanceModule method processSecurityPolicyTokenValidatorConfiguration.

/*
     This method will plug-in the set of TokenValidator for the SupportingTokens specified in the SecurityPolicy bindings
     specified for this sts instance. These configurations are achieved by plugging-in object instances corresponding to
     specific keys in the webServicesProperties map.
     Note that the set of TokenValidators plugged-in to handle the authN of the SupportingTokens defined in any SecurityPolicy
     bindings will be determined by the SoapSTSInstanceConfig#getSecurityPolicyValidatedTokenConfiguration. Note however, that the
     cxf/wss4j support for plugging-in custom assertions requires that the context validating the OpenAM session tokens
     must be plugged-in at the bus level, which happens globally for all soap-sts instances for a given realm. See
     SoapSTSLifecycleImpl#registerCustomPolicyInterceptors for details. This means that the OPENAM tokens will not be
     handled in this method, as they are registered globally.
     */
private void processSecurityPolicyTokenValidatorConfiguration(Map<String, Object> webServiceProperties, WSSValidatorFactory wssValidatorFactory, Logger logger) throws WSSecurityException {
    for (TokenValidationConfig tokenValidationConfig : stsInstanceConfig.getSecurityPolicyValidatedTokenConfiguration()) {
        TokenType tokenType = tokenValidationConfig.getValidatedTokenType();
        switch(tokenType) {
            case USERNAME:
                webServiceProperties.put(SecurityConstants.USERNAME_TOKEN_VALIDATOR, wssValidatorFactory.getValidator(TokenType.USERNAME, ValidationInvocationContext.SOAP_SECURITY_POLICY, tokenValidationConfig.invalidateInterimOpenAMSession()));
                break;
            case X509:
                webServiceProperties.put(SecurityConstants.SIGNATURE_TOKEN_VALIDATOR, wssValidatorFactory.getValidator(TokenType.X509, ValidationInvocationContext.SOAP_SECURITY_POLICY, tokenValidationConfig.invalidateInterimOpenAMSession()));
                break;
            case OPENAM:
                //OPENAM session tokens are handled by the PolicyInterceptors registered with the cxf bus.
                break;
            default:
                String message = "Unexpected TokenType in processSecurityPolicyTokenValidatorConfiguration: " + tokenType;
                logger.error(message);
                throw new WSSecurityException(message);
        }
    }
/*
        By default, if the sts did not specify an X500 token in the ValidatedTokenConfiguration, the
        org.apache.ws.security.validate.SignatureTrustValidator will be the default SecurityConstants.SIGNATURE_TOKEN_VALIDATOR
        Validator instance. If the user does specify x509 tokens as part of the ValidatedTokenConfiguration, the
        SoapCertificateTokenValidator will be plugged in as the SecurityConstants.SIGNATURE_TOKEN_VALIDATOR (in the X509 case above).
        Note that this class extends the SignatureTrustValidator. It is not clear whether symmetric and asymmetric binding
        enforcement requires the SignatureTrustValidator. TODO - investigate and determine.
        See comments in the SoapCertificateTokenValidator for details.
         */
}
Also used : TokenType(org.forgerock.openam.sts.TokenType) WSSecurityException(org.apache.ws.security.WSSecurityException) TokenValidationConfig(org.forgerock.openam.sts.soap.config.user.TokenValidationConfig)

Example 2 with TokenType

use of org.forgerock.openam.sts.TokenType in project OpenAM by OpenRock.

the class TokenValidateOperationProvider method getFunctionalValidateOperation.

private ValidateOperation getFunctionalValidateOperation() {
    TokenValidateOperation tokenValidateOperation = new TokenValidateOperation();
    tokenValidateOperation.setStsProperties(stsPropertiesMBean);
    tokenValidateOperation.setTokenStore(tokenStore);
    try {
        List<TokenValidator> tokenValidators = new ArrayList<>();
        for (TokenType tokentype : validatedTokens) {
            tokenValidators.add(operationFactory.getSimpleTokenValidator(tokentype));
        }
        tokenValidateOperation.setTokenValidators(tokenValidators);
    } catch (STSInitializationException e) {
        throw new RuntimeException(e);
    }
    return new TokenValidateOperationWrapper(tokenValidateOperation, threadLocalAMTokenCache);
}
Also used : TokenValidator(org.apache.cxf.sts.token.validator.TokenValidator) TokenType(org.forgerock.openam.sts.TokenType) RequestSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType) ArrayList(java.util.ArrayList) TokenValidateOperation(org.apache.cxf.sts.operation.TokenValidateOperation) STSInitializationException(org.forgerock.openam.sts.STSInitializationException)

Example 3 with TokenType

use of org.forgerock.openam.sts.TokenType in project OpenAM by OpenRock.

the class TokenIssueOperationProvider method get.

public IssueOperation get() {
    //TODO: migrate to throwing providers
    try {
        TokenIssueOperation tokenIssueOperation = new TokenIssueOperation();
        /*
            The STS will not encrypt the issued tokens - the TokenGenerationService already offers functionality to
            encrypt issued SAML assertions.
             */
        tokenIssueOperation.setEncryptIssuedToken(false);
        tokenIssueOperation.setStsProperties(stsPropertiesMBean);
        tokenIssueOperation.setTokenStore(tokenStore);
        /*
            Set the tokenValidators which will be called to validate the tokens presented as ActAs or OnBehalfOf
            elements
             */
        tokenIssueOperation.setTokenValidators(getDelegationTokenValidators());
        /*
            Set the TokenDelegationHandlers (either empty if this sts instance will not process ActAs or OnBehalfOf elements,
            or with the DefaultTokenDelegationHandler, or with user-specified custom handlers.
             */
        tokenIssueOperation.setDelegationHandlers(tokenDelegationHandlers);
        List<TokenProvider> tokenProviders = new ArrayList<TokenProvider>();
        for (TokenType tokenType : issueTokenTypes) {
            tokenProviders.add(operationFactory.getTokenProvider(tokenType));
        }
        tokenIssueOperation.setTokenProviders(tokenProviders);
        return new TokenIssueOperationWrapper(tokenIssueOperation, threadLocalAMTokenCache);
    } catch (STSInitializationException e) {
        logger.error("Exception caught initializing a IssueOperation: " + e, e);
        throw new RuntimeException(e);
    }
}
Also used : TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider) TokenType(org.forgerock.openam.sts.TokenType) RequestSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType) TokenIssueOperation(org.apache.cxf.sts.operation.TokenIssueOperation) ArrayList(java.util.ArrayList) STSInitializationException(org.forgerock.openam.sts.STSInitializationException)

Example 4 with TokenType

use of org.forgerock.openam.sts.TokenType in project OpenAM by OpenRock.

the class SoapSTSInstanceConfig method marshalToAttributeMap.

/*
    This method will marshal this state into the Map<String>, Set<String>> required for persistence in the SMS. The intent
    is to leverage the toJson functionality, as a JsonValue is essentially a map, with the following exceptions:
    1. the non-complex objects are not Set<String>, but rather <String>, and thus must be marshaled to a Set<String>. It seems
    like I could go through all of the values in the map, and if any entry is simply a String, I could marshal it to a Set<String>
    2. the complex objects (e.g. deploymentConfig, saml2Config, supportedTokenTransforms, etc) are themselves maps, and
    thus must be 'flattened' into a single map. This is done by calling each of these encapsulated objects to provide a
    map representation, and then insert these values into the top-level map.
    Note also, that the SMS Map<String, Set<String>> representations of optional, null objects should be set to the empty
    values. This is to support the update operation invoked from the Admin UI when an existing rest-sts instance is
    edited. In this case, it could be that the SAML2Config of a published rest-sts instance is removed, as it should no
    longer issue SAML2 assertions. When the updated RestSTSInstanceConfig is marshalled from the Map<String, Set<String>>
    dispatched from the AdminUI (necessary to generate good error messages, and necessary to create the Injector necessary
    for rest-sts instance creation), the SAML2Config instance will be null, and thus when this method is called, to get
    the SMS persistence state, no SAML2-related attributes will be written, thereby leaving the previous, non-empty values
    unchanged. Thus this method should be sure to create empty Set<String> entries for all attributes defined for all
    complex, optional, but null objects. This applies to the SAML2Config and OpenIdConnectTokenConfig objects.
     */
public Map<String, Set<String>> marshalToAttributeMap() {
    /*
        The intent is to leverage the toJson functionality, as a JsonValue is essentially a map, with the following exceptions:
        1. the non-complex objects are not Set<String>, but rather <String>, and thus must be marshaled to a Set<String>. It seems
        like I could go through all of the values in the map, and if any entry is simply a String, I could marshal it to a Set<String>
        2. the complex objects (e.g. deploymentConfig, saml2Config, supportedTokenTranslations, etc) are themselves maps, and
       thus must be 'flattened' into a single map. This is done by calling each of these encapsulated objects to provide a
       map representation, and then insert these values into the top-level map.
         */
    Map<String, Set<String>> interimMap = MapMarshallUtils.toSmsMap(toJson().asMap());
    interimMap.remove(DEPLOYMENT_CONFIG);
    interimMap.putAll(deploymentConfig.marshalToAttributeMap());
    /*
        Here the values are already contained in a set. I want to remove the referenced complex-object, but
        then add each of the TokenTransformConfig instances in the supportTokenTranslationsSet to a Set<String>, obtaining
        a string representation for each TokenTransformConfig instance, and adding it to the Set<String>
         */
    interimMap.remove(SECURITY_POLICY_VALIDATED_TOKEN_CONFIG);
    Set<String> validatedTokenConfig = new HashSet<>();
    interimMap.put(SECURITY_POLICY_VALIDATED_TOKEN_CONFIG, validatedTokenConfig);
    for (TokenValidationConfig tvc : securityPolicyValidatedTokenConfiguration) {
        validatedTokenConfig.add(tvc.toSMSString());
    }
    interimMap.remove(ISSUE_TOKEN_TYPES);
    Set<String> tokenTypes = new HashSet<>();
    interimMap.put(ISSUE_TOKEN_TYPES, tokenTypes);
    for (TokenType tt : issueTokenTypes) {
        tokenTypes.add(tt.toString());
    }
    interimMap.remove(SAML2_CONFIG);
    if (saml2Config != null) {
        interimMap.putAll(saml2Config.marshalToAttributeMap());
    } else {
        /*
            Generate empty values for all of the SAML2Config attribute keys, in case this method is called as part of
            an update, and previous values need to be over-written.
             */
        interimMap.putAll(SAML2Config.getEmptySMSAttributeState());
    }
    interimMap.remove(OIDC_ID_TOKEN_CONFIG);
    if (openIdConnectTokenConfig != null) {
        interimMap.putAll(openIdConnectTokenConfig.marshalToAttributeMap());
    } else {
        /*
            Generate empty values for all of the OpenIdConnectTokenConfig attribute keys, in case this method is called as part of
            an update, and previous values need to be over-written.
             */
        interimMap.putAll(OpenIdConnectTokenConfig.getEmptySMSAttributeState());
    }
    interimMap.remove(SOAP_KEYSTORE_CONFIG);
    if (keystoreConfig != null) {
        interimMap.putAll(keystoreConfig.marshalToAttributeMap());
    } else {
        /*
            Generate empty values for all of the SoapSTSKeystoreConfig attribute keys, in case this method is called as part of
            an update, and previous values need to be over-written.
             */
        interimMap.putAll(SoapSTSKeystoreConfig.getEmptySMSAttributeState());
    }
    interimMap.remove(SOAP_DELEGATION_CONFIG);
    if (soapDelegationConfig != null) {
        interimMap.putAll(soapDelegationConfig.marshalToAttributeMap());
    } else {
        /*
            Generate empty values for all of the SoapSTSKeystoreConfig attribute keys, in case this method is called as part of
            an update, and previous values need to be over-written.
             */
        interimMap.putAll(SoapDelegationConfig.getEmptySMSAttributeState());
    }
    return interimMap;
}
Also used : TokenType(org.forgerock.openam.sts.TokenType) Set(java.util.Set) HashSet(java.util.HashSet) EnumSet(java.util.EnumSet) HashSet(java.util.HashSet)

Example 5 with TokenType

use of org.forgerock.openam.sts.TokenType in project OpenAM by OpenRock.

the class AuthTargetMapping method marshalFromAttributeMap.

public static AuthTargetMapping marshalFromAttributeMap(Map<String, Set<String>> attributes) {
    Set<String> authTargetMappings = attributes.get(AUTH_TARGET_MAPPINGS);
    if (authTargetMappings != null) {
        AuthTargetMappingBuilder builder = AuthTargetMapping.builder();
        for (String entry : authTargetMappings) {
            TokenType tokenType = TokenType.valueOf(entry.substring(0, entry.indexOf(AMSTSConstants.PIPE)));
            AuthTarget authTarget = AuthTarget.fromSmsString(entry.substring(entry.indexOf(AMSTSConstants.PIPE) + 1));
            builder.addMapping(tokenType, authTarget.getAuthIndexType(), authTarget.getAuthIndexValue(), authTarget.getContext());
        }
        return builder.build();
    } else {
        throw new IllegalStateException("No value in attribute map corresponding to key " + AUTH_TARGET_MAPPINGS);
    }
}
Also used : TokenType(org.forgerock.openam.sts.TokenType)

Aggregations

TokenType (org.forgerock.openam.sts.TokenType)7 ArrayList (java.util.ArrayList)3 RequestSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType)3 STSInitializationException (org.forgerock.openam.sts.STSInitializationException)3 EnumSet (java.util.EnumSet)1 HashSet (java.util.HashSet)1 Set (java.util.Set)1 TokenCancelOperation (org.apache.cxf.sts.operation.TokenCancelOperation)1 TokenIssueOperation (org.apache.cxf.sts.operation.TokenIssueOperation)1 TokenValidateOperation (org.apache.cxf.sts.operation.TokenValidateOperation)1 TokenCanceller (org.apache.cxf.sts.token.canceller.TokenCanceller)1 TokenProvider (org.apache.cxf.sts.token.provider.TokenProvider)1 TokenValidator (org.apache.cxf.sts.token.validator.TokenValidator)1 WSSecurityException (org.apache.ws.security.WSSecurityException)1 JsonValue (org.forgerock.json.JsonValue)1 TokenValidationConfig (org.forgerock.openam.sts.soap.config.user.TokenValidationConfig)1