use of org.forgerock.openam.sts.TokenType in project OpenAM by OpenRock.
the class SoapSTSInstanceModule method processSecurityPolicyTokenValidatorConfiguration.
/*
This method will plug-in the set of TokenValidator for the SupportingTokens specified in the SecurityPolicy bindings
specified for this sts instance. These configurations are achieved by plugging-in object instances corresponding to
specific keys in the webServicesProperties map.
Note that the set of TokenValidators plugged-in to handle the authN of the SupportingTokens defined in any SecurityPolicy
bindings will be determined by the SoapSTSInstanceConfig#getSecurityPolicyValidatedTokenConfiguration. Note however, that the
cxf/wss4j support for plugging-in custom assertions requires that the context validating the OpenAM session tokens
must be plugged-in at the bus level, which happens globally for all soap-sts instances for a given realm. See
SoapSTSLifecycleImpl#registerCustomPolicyInterceptors for details. This means that the OPENAM tokens will not be
handled in this method, as they are registered globally.
*/
private void processSecurityPolicyTokenValidatorConfiguration(Map<String, Object> webServiceProperties, WSSValidatorFactory wssValidatorFactory, Logger logger) throws WSSecurityException {
for (TokenValidationConfig tokenValidationConfig : stsInstanceConfig.getSecurityPolicyValidatedTokenConfiguration()) {
TokenType tokenType = tokenValidationConfig.getValidatedTokenType();
switch(tokenType) {
case USERNAME:
webServiceProperties.put(SecurityConstants.USERNAME_TOKEN_VALIDATOR, wssValidatorFactory.getValidator(TokenType.USERNAME, ValidationInvocationContext.SOAP_SECURITY_POLICY, tokenValidationConfig.invalidateInterimOpenAMSession()));
break;
case X509:
webServiceProperties.put(SecurityConstants.SIGNATURE_TOKEN_VALIDATOR, wssValidatorFactory.getValidator(TokenType.X509, ValidationInvocationContext.SOAP_SECURITY_POLICY, tokenValidationConfig.invalidateInterimOpenAMSession()));
break;
case OPENAM:
//OPENAM session tokens are handled by the PolicyInterceptors registered with the cxf bus.
break;
default:
String message = "Unexpected TokenType in processSecurityPolicyTokenValidatorConfiguration: " + tokenType;
logger.error(message);
throw new WSSecurityException(message);
}
}
/*
By default, if the sts did not specify an X500 token in the ValidatedTokenConfiguration, the
org.apache.ws.security.validate.SignatureTrustValidator will be the default SecurityConstants.SIGNATURE_TOKEN_VALIDATOR
Validator instance. If the user does specify x509 tokens as part of the ValidatedTokenConfiguration, the
SoapCertificateTokenValidator will be plugged in as the SecurityConstants.SIGNATURE_TOKEN_VALIDATOR (in the X509 case above).
Note that this class extends the SignatureTrustValidator. It is not clear whether symmetric and asymmetric binding
enforcement requires the SignatureTrustValidator. TODO - investigate and determine.
See comments in the SoapCertificateTokenValidator for details.
*/
}
use of org.forgerock.openam.sts.TokenType in project OpenAM by OpenRock.
the class TokenValidateOperationProvider method getFunctionalValidateOperation.
private ValidateOperation getFunctionalValidateOperation() {
TokenValidateOperation tokenValidateOperation = new TokenValidateOperation();
tokenValidateOperation.setStsProperties(stsPropertiesMBean);
tokenValidateOperation.setTokenStore(tokenStore);
try {
List<TokenValidator> tokenValidators = new ArrayList<>();
for (TokenType tokentype : validatedTokens) {
tokenValidators.add(operationFactory.getSimpleTokenValidator(tokentype));
}
tokenValidateOperation.setTokenValidators(tokenValidators);
} catch (STSInitializationException e) {
throw new RuntimeException(e);
}
return new TokenValidateOperationWrapper(tokenValidateOperation, threadLocalAMTokenCache);
}
use of org.forgerock.openam.sts.TokenType in project OpenAM by OpenRock.
the class TokenIssueOperationProvider method get.
public IssueOperation get() {
//TODO: migrate to throwing providers
try {
TokenIssueOperation tokenIssueOperation = new TokenIssueOperation();
/*
The STS will not encrypt the issued tokens - the TokenGenerationService already offers functionality to
encrypt issued SAML assertions.
*/
tokenIssueOperation.setEncryptIssuedToken(false);
tokenIssueOperation.setStsProperties(stsPropertiesMBean);
tokenIssueOperation.setTokenStore(tokenStore);
/*
Set the tokenValidators which will be called to validate the tokens presented as ActAs or OnBehalfOf
elements
*/
tokenIssueOperation.setTokenValidators(getDelegationTokenValidators());
/*
Set the TokenDelegationHandlers (either empty if this sts instance will not process ActAs or OnBehalfOf elements,
or with the DefaultTokenDelegationHandler, or with user-specified custom handlers.
*/
tokenIssueOperation.setDelegationHandlers(tokenDelegationHandlers);
List<TokenProvider> tokenProviders = new ArrayList<TokenProvider>();
for (TokenType tokenType : issueTokenTypes) {
tokenProviders.add(operationFactory.getTokenProvider(tokenType));
}
tokenIssueOperation.setTokenProviders(tokenProviders);
return new TokenIssueOperationWrapper(tokenIssueOperation, threadLocalAMTokenCache);
} catch (STSInitializationException e) {
logger.error("Exception caught initializing a IssueOperation: " + e, e);
throw new RuntimeException(e);
}
}
use of org.forgerock.openam.sts.TokenType in project OpenAM by OpenRock.
the class SoapSTSInstanceConfig method marshalToAttributeMap.
/*
This method will marshal this state into the Map<String>, Set<String>> required for persistence in the SMS. The intent
is to leverage the toJson functionality, as a JsonValue is essentially a map, with the following exceptions:
1. the non-complex objects are not Set<String>, but rather <String>, and thus must be marshaled to a Set<String>. It seems
like I could go through all of the values in the map, and if any entry is simply a String, I could marshal it to a Set<String>
2. the complex objects (e.g. deploymentConfig, saml2Config, supportedTokenTransforms, etc) are themselves maps, and
thus must be 'flattened' into a single map. This is done by calling each of these encapsulated objects to provide a
map representation, and then insert these values into the top-level map.
Note also, that the SMS Map<String, Set<String>> representations of optional, null objects should be set to the empty
values. This is to support the update operation invoked from the Admin UI when an existing rest-sts instance is
edited. In this case, it could be that the SAML2Config of a published rest-sts instance is removed, as it should no
longer issue SAML2 assertions. When the updated RestSTSInstanceConfig is marshalled from the Map<String, Set<String>>
dispatched from the AdminUI (necessary to generate good error messages, and necessary to create the Injector necessary
for rest-sts instance creation), the SAML2Config instance will be null, and thus when this method is called, to get
the SMS persistence state, no SAML2-related attributes will be written, thereby leaving the previous, non-empty values
unchanged. Thus this method should be sure to create empty Set<String> entries for all attributes defined for all
complex, optional, but null objects. This applies to the SAML2Config and OpenIdConnectTokenConfig objects.
*/
public Map<String, Set<String>> marshalToAttributeMap() {
/*
The intent is to leverage the toJson functionality, as a JsonValue is essentially a map, with the following exceptions:
1. the non-complex objects are not Set<String>, but rather <String>, and thus must be marshaled to a Set<String>. It seems
like I could go through all of the values in the map, and if any entry is simply a String, I could marshal it to a Set<String>
2. the complex objects (e.g. deploymentConfig, saml2Config, supportedTokenTranslations, etc) are themselves maps, and
thus must be 'flattened' into a single map. This is done by calling each of these encapsulated objects to provide a
map representation, and then insert these values into the top-level map.
*/
Map<String, Set<String>> interimMap = MapMarshallUtils.toSmsMap(toJson().asMap());
interimMap.remove(DEPLOYMENT_CONFIG);
interimMap.putAll(deploymentConfig.marshalToAttributeMap());
/*
Here the values are already contained in a set. I want to remove the referenced complex-object, but
then add each of the TokenTransformConfig instances in the supportTokenTranslationsSet to a Set<String>, obtaining
a string representation for each TokenTransformConfig instance, and adding it to the Set<String>
*/
interimMap.remove(SECURITY_POLICY_VALIDATED_TOKEN_CONFIG);
Set<String> validatedTokenConfig = new HashSet<>();
interimMap.put(SECURITY_POLICY_VALIDATED_TOKEN_CONFIG, validatedTokenConfig);
for (TokenValidationConfig tvc : securityPolicyValidatedTokenConfiguration) {
validatedTokenConfig.add(tvc.toSMSString());
}
interimMap.remove(ISSUE_TOKEN_TYPES);
Set<String> tokenTypes = new HashSet<>();
interimMap.put(ISSUE_TOKEN_TYPES, tokenTypes);
for (TokenType tt : issueTokenTypes) {
tokenTypes.add(tt.toString());
}
interimMap.remove(SAML2_CONFIG);
if (saml2Config != null) {
interimMap.putAll(saml2Config.marshalToAttributeMap());
} else {
/*
Generate empty values for all of the SAML2Config attribute keys, in case this method is called as part of
an update, and previous values need to be over-written.
*/
interimMap.putAll(SAML2Config.getEmptySMSAttributeState());
}
interimMap.remove(OIDC_ID_TOKEN_CONFIG);
if (openIdConnectTokenConfig != null) {
interimMap.putAll(openIdConnectTokenConfig.marshalToAttributeMap());
} else {
/*
Generate empty values for all of the OpenIdConnectTokenConfig attribute keys, in case this method is called as part of
an update, and previous values need to be over-written.
*/
interimMap.putAll(OpenIdConnectTokenConfig.getEmptySMSAttributeState());
}
interimMap.remove(SOAP_KEYSTORE_CONFIG);
if (keystoreConfig != null) {
interimMap.putAll(keystoreConfig.marshalToAttributeMap());
} else {
/*
Generate empty values for all of the SoapSTSKeystoreConfig attribute keys, in case this method is called as part of
an update, and previous values need to be over-written.
*/
interimMap.putAll(SoapSTSKeystoreConfig.getEmptySMSAttributeState());
}
interimMap.remove(SOAP_DELEGATION_CONFIG);
if (soapDelegationConfig != null) {
interimMap.putAll(soapDelegationConfig.marshalToAttributeMap());
} else {
/*
Generate empty values for all of the SoapSTSKeystoreConfig attribute keys, in case this method is called as part of
an update, and previous values need to be over-written.
*/
interimMap.putAll(SoapDelegationConfig.getEmptySMSAttributeState());
}
return interimMap;
}
use of org.forgerock.openam.sts.TokenType in project OpenAM by OpenRock.
the class AuthTargetMapping method marshalFromAttributeMap.
public static AuthTargetMapping marshalFromAttributeMap(Map<String, Set<String>> attributes) {
Set<String> authTargetMappings = attributes.get(AUTH_TARGET_MAPPINGS);
if (authTargetMappings != null) {
AuthTargetMappingBuilder builder = AuthTargetMapping.builder();
for (String entry : authTargetMappings) {
TokenType tokenType = TokenType.valueOf(entry.substring(0, entry.indexOf(AMSTSConstants.PIPE)));
AuthTarget authTarget = AuthTarget.fromSmsString(entry.substring(entry.indexOf(AMSTSConstants.PIPE) + 1));
builder.addMapping(tokenType, authTarget.getAuthIndexType(), authTarget.getAuthIndexValue(), authTarget.getContext());
}
return builder.build();
} else {
throw new IllegalStateException("No value in attribute map corresponding to key " + AUTH_TARGET_MAPPINGS);
}
}
Aggregations