use of org.gluu.util.security.StringEncrypter.EncryptionException in project oxTrust by GluuFederation.
the class BaseUmaProtectionService method retrievePatToken.
/**
 * Requests a fresh UMA PAT from the token endpoint advertised in {@code umaMetadata} and
 * caches it in {@code umaPat} together with its expiry in {@code umaPatAccessTokenExpiration}.
 *
 * If no UMA metadata is loaded the method returns quietly with {@code umaPat} left null;
 * callers are expected to cope with that.
 *
 * @throws UmaProtectionException if the client keystore path or password is not configured,
 *         the PAT request fails, or the response carries no access token
 */
private void retrievePatToken() throws UmaProtectionException {
    this.umaPat = null;
    if (umaMetadata == null) {
        return;
    }

    final String keyStoreFile = getClientKeyStoreFile();
    String keyStorePassword = getClientKeyStorePassword();
    if (StringHelper.isEmpty(keyStoreFile) || StringHelper.isEmpty(keyStorePassword)) {
        throw new UmaProtectionException("UMA JKS keystore path or password is empty");
    }

    // The configured password is expected to be encrypted. NOTE(review): on a decryption
    // failure the error is logged and the *undecrypted* value is passed on as the keystore
    // password — presumably to tolerate plain-text configuration; confirm that is intended,
    // otherwise this should fail fast with an UmaProtectionException.
    try {
        keyStorePassword = encryptionService.decrypt(keyStorePassword);
    } catch (EncryptionException ex) {
        log.error("Failed to decrypt UmaClientKeyStorePassword password", ex);
    }

    final Token pat;
    try {
        pat = UmaClient.requestPat(umaMetadata.getTokenEndpoint(), keyStoreFile, keyStorePassword, getClientId(), getClientKeyId());
    } catch (Exception ex) {
        // Any failure talking to the token endpoint is surfaced as a single domain exception.
        throw new UmaProtectionException("Failed to obtain valid UMA PAT token", ex);
    }

    this.umaPat = pat;
    this.umaPatAccessTokenExpiration = (pat == null) ? 0l : computeAccessTokenExpirationTime(pat.getExpiresIn());

    // A PAT without an access token is useless for protecting resources; treat it as a failure.
    if (pat == null || pat.getAccessToken() == null) {
        throw new UmaProtectionException("Failed to obtain valid UMA PAT token");
    }
}
use of org.gluu.util.security.StringEncrypter.EncryptionException in project oxTrust by GluuFederation.
the class AuthenticationFilter method getOAuthRedirectUrl.
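/**
 * Builds the oxAuth authorization-endpoint URL to which an unauthenticated user is redirected.
 *
 * The OAuth {@code state} parameter is an HS256-signed JWT carrying a random {@code rfp} and
 * {@code jti} and, when a Shibboleth relying party is known for this conversation, a
 * {@code relyingPartyId} claim. The encoded state and the random {@code nonce} are stored in
 * the HTTP session so the callback filter can compare them against the authorization response.
 *
 * @param request  the current request; its {@code ExternalAuthentication.CONVERSATION_KEY}
 *                 parameter is used to look up the Shibboleth profile context
 * @param response used only to update the "shibstate" cookie when an acr value is selected
 * @return the authorization URL including the query string of the authorization request
 * @throws Exception from profile-context lookup, JWT encoding or cookie handling
 */
public String getOAuthRedirectUrl(final HttpServletRequest request, final HttpServletResponse response) throws Exception {
    String authorizeUrl = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_AUTHORIZE_URL, null);
    String clientScopes = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_CLIENT_SCOPE, null);
    String clientId = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_CLIENT_ID, null);
    String clientSecret = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_CLIENT_PASSWORD, null);

    // The client secret is expected to be stored encrypted. NOTE(review): on a decryption
    // failure the undecrypted value is used as the HS256 key below — presumably to tolerate a
    // plain-text secret in the init params; confirm, since a wrongly-keyed state JWT is only
    // detected if the callback side verifies the signature.
    if (clientSecret != null) {
        try {
            clientSecret = StringEncrypter.defaultInstance().decrypt(clientSecret, Configuration.instance().getCryptoPropertyValue());
        } catch (EncryptionException ex) {
            log.error("Failed to decrypt property: " + Configuration.OAUTH_PROPERTY_CLIENT_PASSWORD, ex);
        }
    }

    String redirectUri = constructRedirectUrl(request);
    List<String> scopes = Arrays.asList(clientScopes.split(StringUtils.SPACE));
    List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE);

    // Fresh unguessable values per request; UUID.randomUUID() is backed by SecureRandom.
    String nonce = UUID.randomUUID().toString();
    String rfp = UUID.randomUUID().toString();
    String jti = UUID.randomUUID().toString();

    // Lookup for relying party ID. getSession() (not getSession(false)) so the session is
    // guaranteed to exist for the attributes stored below.
    final String key = request.getParameter(ExternalAuthentication.CONVERSATION_KEY);
    final HttpSession session = request.getSession();
    session.setAttribute(SESSION_CONVERSATION_KEY, key);
    ProfileRequestContext prc = ExternalAuthentication.getProfileRequestContext(key, request);
    String relyingPartyId = "";
    final RelyingPartyContext relyingPartyCtx = prc.getSubcontext(RelyingPartyContext.class);
    if (relyingPartyCtx != null) {
        relyingPartyId = relyingPartyCtx.getRelyingPartyId();
        log.info("relyingPartyId found: " + relyingPartyId);
    } else {
        log.warn("No RelyingPartyContext was available");
    }

    // JWT
    OxAuthCryptoProvider cryptoProvider = new OxAuthCryptoProvider();
    JwtState jwtState = new JwtState(SignatureAlgorithm.HS256, clientSecret, cryptoProvider);
    jwtState.setRfp(rfp);
    jwtState.setJti(jti);
    if (relyingPartyId != null && !"".equals(relyingPartyId)) {
        // Build the claim via the JSON API rather than String.format: the relying party id is an
        // SP entityID taken from the request context and may contain quotes or other characters
        // that would otherwise break (or alter) the hand-assembled JSON.
        JSONObject additionalClaims = new JSONObject();
        additionalClaims.put("relyingPartyId", relyingPartyId);
        jwtState.setAdditionalClaims(additionalClaims);
    } else {
        log.warn("No relyingPartyId was available");
    }
    String encodedState = jwtState.getEncodedJwt();

    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(encodedState);

    // Propagate a requested authentication mode (acr) from the shibstate cookie, if present.
    Cookie currentShibstateCookie = getCurrentShibstateCookie(request);
    if (currentShibstateCookie != null) {
        String requestUri = decodeCookieValue(currentShibstateCookie.getValue());
        log.debug("requestUri = \"" + requestUri + "\"");
        String authenticationMode = determineAuthenticationMode(requestUri);
        if (StringHelper.isNotEmpty(authenticationMode)) {
            log.debug("acr_values = \"" + authenticationMode + "\"");
            authorizationRequest.setAcrValues(Arrays.asList(authenticationMode));
            updateShibstateCookie(response, currentShibstateCookie, requestUri, "/" + Configuration.OXAUTH_ACR_VALUES + "/" + authenticationMode);
        }
    }

    // Store for validation in session (checked by the callback filter against the response).
    session.setAttribute(Configuration.SESSION_AUTH_STATE, encodedState);
    session.setAttribute(Configuration.SESSION_AUTH_NONCE, nonce);

    return authorizeUrl + "?" + authorizationRequest.getQueryString();
}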
use of org.gluu.util.security.StringEncrypter.EncryptionException in project oxTrust by GluuFederation.
the class OAuthValidationFilter method getOAuthData.
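/**
 * Completes the authorization-code flow for an incoming callback: checks the {@code state}
 * against the session, exchanges the code for tokens, checks the id_token {@code nonce}
 * against the session and loads user info.
 *
 * Only the nonce of the id_token is checked here; the JWT is parsed, not signature-verified.
 * That is acceptable only because the token is obtained directly from the token endpoint over
 * the client's own TLS connection, not from the browser.
 *
 * @param session           the caller's HTTP session, may be null (then state/nonce checks fail)
 * @param request           the callback request carrying {@code state} and {@code scope}
 * @param authorizationCode the code returned by the authorization endpoint
 * @return the populated {@link OAuthData}, or {@code null} when any validation step fails
 *         (the reason is logged)
 * @throws Exception propagated from the token/userinfo clients
 */
private OAuthData getOAuthData(HttpSession session, HttpServletRequest request, String authorizationCode) throws Exception {
    // Check state: must match the value stored when the redirect was issued.
    // NOTE(review): state and nonce are not removed from the session after a successful check,
    // so they remain valid for the lifetime of the session; consider removing them once used.
    String authorizationState = request.getParameter(Configuration.OAUTH_STATE);
    final String stateSession = session != null ? (String) session.getAttribute(Configuration.SESSION_AUTH_STATE) : null;
    if (!StringHelper.equals(stateSession, authorizationState)) {
        log.error("Login failed, oxTrust wasn't allowed to access user data");
        return null;
    }

    String oAuthAuthorizeUrl = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_AUTHORIZE_URL, null);
    String oAuthHost = getOAuthHost(oAuthAuthorizeUrl);
    String oAuthTokenUrl = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_TOKEN_URL, null);
    String oAuthUserInfoUrl = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_USERINFO_URL, null);
    String oAuthClientId = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_CLIENT_ID, null);
    String oAuthClientPassword = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_CLIENT_PASSWORD, null);

    // The client secret is expected to be stored encrypted. NOTE(review): on a decryption
    // failure the undecrypted value is sent to the token endpoint — presumably to tolerate a
    // plain-text secret in the init params; confirm that is intended.
    if (oAuthClientPassword != null) {
        try {
            oAuthClientPassword = StringEncrypter.defaultInstance().decrypt(oAuthClientPassword, Configuration.instance().getCryptoPropertyValue());
        } catch (EncryptionException ex) {
            log.error("Failed to decrypt property: " + Configuration.OAUTH_PROPERTY_CLIENT_PASSWORD, ex);
        }
    }

    // Scopes are echoed from the (browser-supplied) callback request; they are only recorded.
    String scopes = getParameter(request, Configuration.OAUTH_SCOPE);
    log.trace("scopes : " + scopes);

    // 1. Request access token using the authorization code
    log.trace("Getting access token");
    TokenClient tokenClient1 = new TokenClient(oAuthTokenUrl);
    String redirectURL = constructRedirectUrl(request);
    TokenResponse tokenResponse = tokenClient1.execAuthorizationCode(authorizationCode, redirectURL, oAuthClientId, oAuthClientPassword);
    if (tokenResponse == null) {
        log.error("Get empty token response. User can't log into application");
        return null;
    }
    log.trace("tokenResponse.getErrorType() : " + tokenResponse.getErrorType());

    // Bearer credentials must never reach the log, even at trace level: previously the raw
    // access token and id_token were written here. Log only their presence.
    String accessToken = tokenResponse.getAccessToken();
    String idToken = tokenResponse.getIdToken();
    log.trace("accessToken present : " + (accessToken != null));
    log.trace("idToken present : " + (idToken != null));

    // Parse JWT
    Jwt jwt;
    try {
        jwt = Jwt.parse(idToken);
    } catch (InvalidJwtException ex) {
        log.error("Failed to parse id_token", ex);
        return null;
    }

    // Check nonce: binds this id_token to the authorization request issued from this session.
    String nonceResponse = (String) jwt.getClaims().getClaim(JwtClaimName.NONCE);
    final String nonceSession = session != null ? (String) session.getAttribute(Configuration.SESSION_AUTH_NONCE) : null;
    if (!StringHelper.equals(nonceSession, nonceResponse)) {
        log.error("User info response : nonce is not matching.");
        return null;
    }
    log.info("Session validation successful. User is logged in");

    UserInfoClient userInfoClient = new UserInfoClient(oAuthUserInfoUrl);
    UserInfoResponse userInfoResponse = userInfoClient.execUserInfo(accessToken);
    if (userInfoResponse == null) {
        log.error("Get empty user info response. User can't log into application");
        return null;
    }

    OAuthData oAuthData = new OAuthData();
    oAuthData.setHost(oAuthHost);

    // Determine uid: the first USER_NAME claim value is taken as the user's uid.
    List<String> uidValues = userInfoResponse.getClaims().get(JwtClaimName.USER_NAME);
    if ((uidValues == null) || (uidValues.size() == 0)) {
        log.error("User infor response doesn't contains uid claim");
        return null;
    }
    oAuthData.setUserUid(uidValues.get(0));
    oAuthData.setAccessToken(accessToken);
    oAuthData.setAccessTokenExpirationInSeconds(tokenResponse.getExpiresIn());
    oAuthData.setScopes(scopes);
    oAuthData.setIdToken(idToken);

    log.trace("User uid: " + oAuthData.getUserUid());

    return oAuthData;
}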
use of org.gluu.util.security.StringEncrypter.EncryptionException in project oxTrust by GluuFederation.
the class ClientPasswordAction method update.
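/**
 * Persists {@code newPassword} as the client's secret, storing both the plain value and its
 * encrypted form, then mirrors both onto the client held by {@code updateClientAction}.
 *
 * If the secret cannot be encrypted nothing is persisted and failure is reported. Previously
 * the exception was only logged and the client was still saved — with the plain secret set but
 * the old encoded secret left in place — and the call reported success.
 *
 * @return {@code OxTrustConstants.RESULT_SUCCESS} when the client was updated,
 *         {@code OxTrustConstants.RESULT_FAILURE} when encryption failed
 */
public String update() {
    OxAuthClient client = clientService.getClientByDn(updateClientAction.getClient().getDn());

    String encodedSecret;
    try {
        encodedSecret = encryptionService.encrypt(newPassword);
    } catch (EncryptionException e) {
        log.error("Failed to encrypt password", e);
        return OxTrustConstants.RESULT_FAILURE;
    }

    // Only touch the entity once both representations are available, so they cannot diverge.
    client.setOxAuthClientSecret(newPassword);
    client.setEncodedClientSecret(encodedSecret);
    clientService.updateClient(client);

    // Keep the client in the enclosing edit action in sync with what was just persisted.
    updateClientAction.getClient().setEncodedClientSecret(client.getEncodedClientSecret());
    updateClientAction.getClient().setOxAuthClientSecret(newPassword);

    return OxTrustConstants.RESULT_SUCCESS;
}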