use of org.forgerock.openam.sts.user.invocation.ProofTokenState in project OpenAM by OpenRock.
the class SoapSamlTokenProvider method createToken.
/**
* @see org.apache.cxf.sts.token.provider.TokenProvider
*/
@Override
public TokenProviderResponse createToken(TokenProviderParameters tokenProviderParameters) {
try {
final TokenProviderResponse tokenProviderResponse = new TokenProviderResponse();
final SAML2SubjectConfirmation subjectConfirmation = determineSubjectConfirmation(tokenProviderParameters);
final SoapTokenProviderBase.AuthenticationContextMapperState mapperState = getAuthenticationContextMapperState(tokenProviderParameters);
String authNContextClassRef;
if (mapperState.isDelegatedContext()) {
authNContextClassRef = authnContextMapper.getAuthnContextForDelegatedToken(mapperState.getSecurityPolicyBindingTraversalYield(), mapperState.getDelegatedToken());
} else {
authNContextClassRef = authnContextMapper.getAuthnContext(mapperState.getSecurityPolicyBindingTraversalYield());
}
ProofTokenState proofTokenState = null;
if (SAML2SubjectConfirmation.HOLDER_OF_KEY.equals(subjectConfirmation)) {
proofTokenState = getProofTokenState(tokenProviderParameters);
}
String assertion;
try {
assertion = getAssertion(authNContextClassRef, subjectConfirmation, proofTokenState);
} catch (TokenCreationException e) {
throw new AMSTSRuntimeException(e.getCode(), e.getMessage(), e);
}
Document assertionDocument = xmlUtilities.stringToDocumentConversion(assertion);
if (assertionDocument == null) {
logger.error("Could not turn assertion string returned from TokenGenerationService into DOM Document. " + "The assertion string: " + assertion);
throw new AMSTSRuntimeException(ResourceException.INTERNAL_ERROR, "Could not turn assertion string returned from TokenGenerationService into DOM Document.");
}
final Element assertionElement = assertionDocument.getDocumentElement();
tokenProviderResponse.setToken(assertionElement);
final String tokenId = assertionElement.getAttributeNS(null, "ID");
/*
The tokenId cannot be null or empty because a reference to the issued token is created using this id in the wss
security header in the RequestSecurityTokenResponse. A null or empty id will generate a cryptic error in the cxf
runtime. And if we are dealing with an encrypted assertion, there is no ID attribute, so in this case,
a random uuid should be generated, as I believe the id serves only to refer to the token within the
security header, and does not have to be connected to the token itself. An encrypted SAML2 assertion only
contains some information on the encryption method, the symmetric key used for encryption, itself encrypted
with the recipient's public key, and the encrypted assertion. So if no ID attribute is present, we are dealing
with an encrypted assertion, and will generate a random UUID to serve as the key id.
*/
if (StringUtils.isEmpty(tokenId)) {
tokenProviderResponse.setTokenId(UUID.randomUUID().toString());
} else {
tokenProviderResponse.setTokenId(tokenId);
}
return tokenProviderResponse;
} finally {
try {
amSessionInvalidator.invalidateAMSessions(threadLocalAMTokenCache.getToBeInvalidatedAMSessionIds());
} catch (Exception e) {
String message = "Exception caught invalidating interim AMSession in SoapSamlTokenProvider: " + e;
logger.warn(message, e);
/*
The fact that the interim OpenAM session was not invalidated should not prevent a token from being issued, so
I will not throw a AMSTSRuntimeException
*/
}
}
}
use of org.forgerock.openam.sts.user.invocation.ProofTokenState in project OpenAM by OpenRock.
the class ProofTokenStateTest method testJsonRoundTrip.
@Test
public void testJsonRoundTrip() throws Exception {
ProofTokenState proofTokenState = ProofTokenState.builder().x509Certificate(getCertificate()).build();
assertEquals(proofTokenState, ProofTokenState.fromJson(proofTokenState.toJson()));
}
use of org.forgerock.openam.sts.user.invocation.ProofTokenState in project OpenAM by OpenRock.
the class TokenRequestMarshallerImpl method createSAML2TokenProviderParameters.
private RestTokenProviderParameters<Saml2TokenCreationState> createSAML2TokenProviderParameters(final TokenTypeId inputTokenType, final JsonValue inputToken, final JsonValue desiredToken) throws TokenMarshalException {
final SAML2SubjectConfirmation subjectConfirmation = getSubjectConfirmation(desiredToken);
if (SAML2SubjectConfirmation.HOLDER_OF_KEY.equals(subjectConfirmation)) {
final ProofTokenState proofTokenState = getProofTokenState(desiredToken);
final Saml2TokenCreationState saml2TokenCreationState = new Saml2TokenCreationState(subjectConfirmation, proofTokenState);
return new Saml2RestTokenProviderParameters(saml2TokenCreationState, inputTokenType, inputToken);
} else {
final Saml2TokenCreationState saml2TokenCreationState = new Saml2TokenCreationState(subjectConfirmation);
return new Saml2RestTokenProviderParameters(saml2TokenCreationState, inputTokenType, inputToken);
}
}
use of org.forgerock.openam.sts.user.invocation.ProofTokenState in project OpenAM by OpenRock.
the class TokenRequestMarshallerImpl method getProofTokenState.
private ProofTokenState getProofTokenState(JsonValue token) throws TokenMarshalException {
final SAML2TokenCreationState tokenState = SAML2TokenCreationState.fromJson(token);
final ProofTokenState proofTokenState = tokenState.getProofTokenState();
if (proofTokenState == null) {
throw new TokenMarshalException(ResourceException.BAD_REQUEST, "No ProofTokenState specified in the" + " SAML2TokenCreationState. The JsonValue: " + token);
} else {
return proofTokenState;
}
}
use of org.forgerock.openam.sts.user.invocation.ProofTokenState in project OpenAM by OpenRock.
the class DefaultSubjectProviderTest method testBearerStateSettings.
@Test
public void testBearerStateSettings() throws TokenCreationException {
SubjectProvider subjectProvider = new DefaultSubjectProvider(Guice.createInjector(new MyModule()).getInstance(KeyInfoFactory.class));
Date issueInstant = new Date();
//must be set only when SubjectConfirmation is HoK
ProofTokenState proof = null;
Subject subject = subjectProvider.get(SUBJECT_ID, AUDIENCE_ID, createSAML2Config(), SAML2SubjectConfirmation.BEARER, issueInstant, proof);
assertTrue(SUBJECT_ID.equals(subject.getNameID().getValue()));
assertTrue(NAME_ID_FORMAT.equals(subject.getNameID().getFormat()));
SubjectConfirmation subjectConfirmation = (SubjectConfirmation) subject.getSubjectConfirmation().get(0);
assertTrue(SAML2Constants.SUBJECT_CONFIRMATION_METHOD_BEARER.equals(subjectConfirmation.getMethod()));
SubjectConfirmationData subjectConfirmationData = subjectConfirmation.getSubjectConfirmationData();
assertTrue((issueInstant.getTime() + (TOKEN_LIFETIME_SECONDS * 1000)) == subjectConfirmationData.getNotOnOrAfter().getTime());
}
Aggregations