use of org.forgerock.openam.sts.TokenValidationException in project OpenAM by OpenRock.
The class SoapSTSAccessTokenProviderImpl, method getAccessToken.
/**
 * Authenticates the soap-sts agent against the REST authN endpoint and returns the session
 * parsed from a successful response.
 *
 * The agent username and password travel as request headers. The exceptions raised here carry
 * the endpoint URL and the response body, never those headers.
 *
 * @return the session string that amTokenParser extracts from the authN response
 * @throws ResourceException carrying the HTTP status code on a non-200 response, or an
 *         InternalServerErrorException if the response cannot be parsed or an IOException occurs
 */
@Override
public String getAccessToken() throws ResourceException {
    final Map<String, String> requestHeaders = new HashMap<>();
    requestHeaders.put(AMSTSConstants.CONTENT_TYPE, AMSTSConstants.APPLICATION_JSON);
    requestHeaders.put(AMSTSConstants.CREST_VERSION_HEADER_KEY, authNServiceVersion);
    requestHeaders.put(AMSTSConstants.AM_REST_AUTHN_USERNAME_HEADER, credentialsAccess.getAgentUsername());
    requestHeaders.put(AMSTSConstants.AM_REST_AUTHN_PASSWORD_HEADER, credentialsAccess.getAgentPassword());
    try {
        final HttpURLConnectionWrapper.ConnectionResult authNResult = httpURLConnectionWrapperFactory
                .httpURLConnectionWrapper(authenticateUrl)
                .setRequestHeaders(requestHeaders)
                .setRequestMethod(AMSTSConstants.POST)
                .makeInvocation();
        final int status = authNResult.getStatusCode();
        if (status != HttpURLConnection.HTTP_OK) {
            // Surface the upstream status code unchanged so callers can map it to their own response.
            throw ResourceException.getException(status,
                    "Non-200 response authenticating against " + authenticateUrl + " : " + authNResult.getResult());
        }
        try {
            return amTokenParser.getSessionFromAuthNResponse(authNResult.getResult());
        } catch (TokenValidationException e) {
            throw new InternalServerErrorException("Exception caught obtaining the soap-sts-agent token " + e, e);
        }
    } catch (IOException ioe) {
        throw new InternalServerErrorException("IOException caught obtaining the soap-sts-agent token: " + ioe, ioe);
    }
}
use of org.forgerock.openam.sts.TokenValidationException in project OpenAM by OpenRock.
The class OpenAMSessionTokenServerInterceptor, method validateToken.
/**
 * Validates an OpenAMSessionToken carried as a BinarySecurityToken by resolving the Principal
 * behind the session id and recording the session id in the thread-local token cache.
 *
 * @param tokenElement the BinarySecurityToken representing the OpenAMSessionToken. The OpenAM session id is the text
 * content of this Element.
 * @return a List with a single WSSecurityEngineResult with information concerning the successful validation.
 * @throws WSSecurityException if the OpenAM session cannot be validated successfully.
 */
private List<WSSecurityEngineResult> validateToken(Element tokenElement) throws WSSecurityException {
    final boolean bspCompliant = true;
    final BinarySecurity binarySecurityToken = new BinarySecurity(tokenElement, bspCompliant);
    binarySecurityToken.setValueType(AMSTSConstants.AM_SESSION_TOKEN_ASSERTION_BST_VALUE_TYPE);
    // A session token carries no certificate chain, so the result is built with a null certs array.
    final X509Certificate[] noCerts = null;
    final WSSecurityEngineResult engineResult = new WSSecurityEngineResult(WSConstants.BST, binarySecurityToken, noCerts);
    final String sessionId = tokenElement.getTextContent();
    final Principal principal;
    try {
        principal = principalFromSession.getPrincipalFromSession(sessionId);
        // This session pre-existed the validation (it was not created by TokenValidation), so it
        // must not be invalidated later: hence the 'false' argument.
        threadLocalAMTokenCache.cacheSessionIdForContext(ValidationInvocationContext.SOAP_SECURITY_POLICY, sessionId, false);
    } catch (TokenValidationException e) {
        throw new WSSecurityException(e.getMessage(), e);
    }
    engineResult.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE);
    engineResult.put(WSSecurityEngineResult.TAG_PRINCIPAL, principal);
    return Collections.singletonList(engineResult);
}
use of org.forgerock.openam.sts.TokenValidationException in project OpenAM by OpenRock.
The class CustomDelegationHandlerWrapper, method isDelegationAllowed.
/**
 * Delegates the decision to the wrapped custom handler and, when delegation is allowed, records the
 * AM session id the handler supplied (if any) in the thread-local token cache.
 *
 * If the handler allows delegation but supplies no String session id under
 * CUSTOM_DELEGATION_HANDLER_AM_SESSION_ID, and no delegation validators are configured, the
 * request is rejected because no assertion could be issued for the delegated token.
 *
 * @param tokenParameters the delegation parameters passed through to the custom handler
 * @return the custom handler's response, unchanged
 * @throws AMSTSRuntimeException if caching the session id fails, or in the unrecoverable case described above
 */
@Override
public TokenDelegationResponse isDelegationAllowed(TokenDelegationParameters tokenParameters) {
    final TokenDelegationResponse response = customHandler.isDelegationAllowed(tokenParameters);
    if (!response.isDelegationAllowed()) {
        return response;
    }
    final Map<String, Object> properties = response.getAdditionalProperties();
    final Object sessionIdProperty =
            (properties == null) ? null : properties.get(AMSTSConstants.CUSTOM_DELEGATION_HANDLER_AM_SESSION_ID);
    if (sessionIdProperty instanceof String) {
        // Whether the handler-supplied session should later be invalidated; defaults to true
        // unless the handler set the INVALIDATE_AM_SESSION property to a Boolean.
        final Object invalidateProperty = properties.get(AMSTSConstants.CUSTOM_DELEGATION_HANDLER_INVALIDATE_AM_SESSION);
        final boolean invalidateInterimSession =
                (invalidateProperty instanceof Boolean) ? (Boolean) invalidateProperty : true;
        try {
            threadLocalAMTokenCache.cacheSessionIdForContext(ValidationInvocationContext.SOAP_TOKEN_DELEGATION,
                    (String) sessionIdProperty, invalidateInterimSession);
        } catch (TokenValidationException e) {
            throw new AMSTSRuntimeException(e.getCode(), e.getMessage(), e);
        }
    } else if (!delegationValidatorsSpecified) {
        final String message = "In a custom TokenDelegationHandler, the delegated token is allowed, no delegation "
                + "validators have been specified, and the AM Session Id was not specified in the "
                + "DelegationHandlerResponse#getAdditionalProperties keyed by "
                + AMSTSConstants.CUSTOM_DELEGATION_HANDLER_AM_SESSION_ID
                + ". This means the "
                + "TokenGenerationService cannot issue an assertion corresponding to the delegated token.";
        logger.error(message);
        throw new AMSTSRuntimeException(ResourceException.UNAVAILABLE, message);
    }
    return response;
}
use of org.forgerock.openam.sts.TokenValidationException in project OpenAM by OpenRock.
The class CertificateAuthenticationRequestDispatcher, method postCertInHeader.
/**
 * Posts the client's X509 certificate to the REST authN endpoint, base64-encoded in the request
 * header named by the AuthTarget's X509_TOKEN_AUTH_TARGET_HEADER_KEY context entry.
 *
 * @param url the REST authN endpoint to post to
 * @param certificate the client certificate to present
 * @param target the configured AuthTarget whose context names the certificate header; may be null
 * @return the response body of a 200 response
 * @throws TokenValidationException with BAD_REQUEST if the certificate cannot be encoded or the
 *         AuthTarget does not name a String header key; with the upstream status code on a
 *         non-200 response; with INTERNAL_ERROR if an IOException occurs
 */
private String postCertInHeader(URL url, X509Certificate certificate, AuthTargetMapping.AuthTarget target) throws TokenValidationException {
    final String base64Certificate;
    try {
        base64Certificate = Base64.encode(certificate.getEncoded());
    } catch (CertificateEncodingException e) {
        throw new TokenValidationException(org.forgerock.json.resource.ResourceException.BAD_REQUEST,
                "Could not obtain the base64-encoded representation of the client certificate: " + e, e);
    }
    // A missing target and a missing/non-String header key are the same configuration error and
    // are reported identically. The instanceof check also covers a null entry.
    final Object headerKey = (target == null)
            ? null
            : target.getContext().get(AMSTSConstants.X509_TOKEN_AUTH_TARGET_HEADER_KEY);
    if (!(headerKey instanceof String)) {
        throw new TokenValidationException(org.forgerock.json.resource.ResourceException.BAD_REQUEST,
                "When validatating X509 Certificates, an AuthTarget needs to be configured with a Map containing a String "
                        + "entry referenced by key" + AMSTSConstants.X509_TOKEN_AUTH_TARGET_HEADER_KEY
                        + " which specifies the header name which will reference the client's X509 Certificate.");
    }
    final Map<String, String> requestHeaders = new HashMap<>();
    requestHeaders.put(AMSTSConstants.CONTENT_TYPE, AMSTSConstants.APPLICATION_JSON);
    requestHeaders.put(AMSTSConstants.CREST_VERSION_HEADER_KEY, crestVersionAuthNService);
    requestHeaders.put((String) headerKey, base64Certificate);
    try {
        final HttpURLConnectionWrapper.ConnectionResult authNResult = httpURLConnectionWrapperFactory
                .httpURLConnectionWrapper(url)
                .setRequestHeaders(requestHeaders)
                .setRequestMethod(AMSTSConstants.POST)
                .makeInvocation();
        final int status = authNResult.getStatusCode();
        if (status == HttpURLConnection.HTTP_OK) {
            return authNResult.getResult();
        }
        throw new TokenValidationException(status,
                "Non-200 response from posting x509 token " + "to rest authN: " + authNResult.getResult());
    } catch (IOException e) {
        throw new TokenValidationException(org.forgerock.json.resource.ResourceException.INTERNAL_ERROR,
                "Exception caught posting x509 token to rest authN: " + e, e);
    }
}
use of org.forgerock.openam.sts.TokenValidationException in project OpenAM by OpenRock.
The class TokenServiceConsumerImpl, method isTokenPresent.
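/**
 * Asks the TokenService whether a token with the given id exists.
 *
 * The token id is appended to the service endpoint by urlConstituentCatenator to form the
 * request URL. NOTE(review): confirm that tokenId is validated or URL-encoded upstream, since it
 * becomes part of the request path here.
 *
 * @param tokenId the id of the token to look up
 * @param callerSSOTokenString the caller's SSO token, handed to makeCommonHeaders to build the request headers
 * @return true on an HTTP 200 response, false on HTTP 404
 * @throws TokenValidationException carrying the status code and response body for any other status,
 *         or INTERNAL_ERROR (with the IOException as cause) if the invocation fails
 */
private boolean isTokenPresent(String tokenId, String callerSSOTokenString) throws TokenValidationException {
    try {
        final Map<String, String> headerMap = makeCommonHeaders(callerSSOTokenString);
        final URL tokenUrl = new URL(urlConstituentCatenator.catenateUrlConstituents(tokenServiceEndpoint, tokenId));
        final HttpURLConnectionWrapper.ConnectionResult connectionResult = httpURLConnectionWrapperFactory
                .httpURLConnectionWrapper(tokenUrl)
                .setRequestHeaders(headerMap)
                .setRequestMethod(AMSTSConstants.GET)
                .makeInvocation();
        final int responseCode = connectionResult.getStatusCode();
        if (responseCode == HttpURLConnection.HTTP_OK) {
            return true;
        }
        if (responseCode == HttpURLConnection.HTTP_NOT_FOUND) {
            return false;
        }
        throw new TokenValidationException(responseCode, connectionResult.getResult());
    } catch (IOException e) {
        // Preserve the IOException as the cause so its stack trace survives wrapping; this matches
        // how the other TokenValidationException wrappers in the STS code pass the original exception.
        throw new TokenValidationException(ResourceException.INTERNAL_ERROR,
                "Exception caught invoking TokenService to verify token: " + e, e);
    }
}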