Example 6 with EncryptionException

Use of org.gluu.util.security.StringEncrypter.EncryptionException in project oxTrust by GluuFederation.

From class BaseUmaProtectionService, method retrievePatToken:

private void retrievePatToken() throws UmaProtectionException {
    this.umaPat = null;
    if (umaMetadata == null) {
        return;
    }
    String umaClientKeyStoreFile = getClientKeyStoreFile();
    String umaClientKeyStorePassword = getClientKeyStorePassword();
    if (StringHelper.isEmpty(umaClientKeyStoreFile) || StringHelper.isEmpty(umaClientKeyStorePassword)) {
        throw new UmaProtectionException("UMA JKS keystore path or password is empty");
    }
    if (umaClientKeyStorePassword != null) {
        try {
            umaClientKeyStorePassword = encryptionService.decrypt(umaClientKeyStorePassword);
        } catch (EncryptionException ex) {
            log.error("Failed to decrypt UmaClientKeyStorePassword password", ex);
        }
    }
    try {
        this.umaPat = UmaClient.requestPat(umaMetadata.getTokenEndpoint(), umaClientKeyStoreFile, umaClientKeyStorePassword, getClientId(), getClientKeyId());
        if (this.umaPat == null) {
            this.umaPatAccessTokenExpiration = 0l;
        } else {
            this.umaPatAccessTokenExpiration = computeAccessTokenExpirationTime(this.umaPat.getExpiresIn());
        }
    } catch (Exception ex) {
        throw new UmaProtectionException("Failed to obtain valid UMA PAT token", ex);
    }
    if ((this.umaPat == null) || (this.umaPat.getAccessToken() == null)) {
        throw new UmaProtectionException("Failed to obtain valid UMA PAT token");
    }
}
Also used: UmaProtectionException (org.gluu.oxtrust.exception.UmaProtectionException), EncryptionException (org.gluu.util.security.StringEncrypter.EncryptionException)

Example 7 with EncryptionException

Use of org.gluu.util.security.StringEncrypter.EncryptionException in project oxTrust by GluuFederation.

From class AuthenticationFilter, method getOAuthRedirectUrl:

public String getOAuthRedirectUrl(final HttpServletRequest request, final HttpServletResponse response) throws Exception {
    String authorizeUrl = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_AUTHORIZE_URL, null);
    String clientScopes = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_CLIENT_SCOPE, null);
    String clientId = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_CLIENT_ID, null);
    String clientSecret = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_CLIENT_PASSWORD, null);
    if (clientSecret != null) {
        try {
            clientSecret = StringEncrypter.defaultInstance().decrypt(clientSecret, Configuration.instance().getCryptoPropertyValue());
        } catch (EncryptionException ex) {
            log.error("Failed to decrypt property: " + Configuration.OAUTH_PROPERTY_CLIENT_PASSWORD, ex);
        }
    }
    String redirectUri = constructRedirectUrl(request);
    List<String> scopes = Arrays.asList(clientScopes.split(StringUtils.SPACE));
    List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE);
    String nonce = UUID.randomUUID().toString();
    String rfp = UUID.randomUUID().toString();
    String jti = UUID.randomUUID().toString();
    // Lookup for relying party ID
    final String key = request.getParameter(ExternalAuthentication.CONVERSATION_KEY);
    request.getSession().setAttribute(SESSION_CONVERSATION_KEY, key);
    ProfileRequestContext prc = ExternalAuthentication.getProfileRequestContext(key, request);
    String relyingPartyId = "";
    final RelyingPartyContext relyingPartyCtx = prc.getSubcontext(RelyingPartyContext.class);
    if (relyingPartyCtx != null) {
        relyingPartyId = relyingPartyCtx.getRelyingPartyId();
        log.info("relyingPartyId found: " + relyingPartyId);
    } else
        log.warn("No RelyingPartyContext was available");
    // JWT
    OxAuthCryptoProvider cryptoProvider = new OxAuthCryptoProvider();
    JwtState jwtState = new JwtState(SignatureAlgorithm.HS256, clientSecret, cryptoProvider);
    jwtState.setRfp(rfp);
    jwtState.setJti(jti);
    if (relyingPartyId != null && !"".equals(relyingPartyId)) {
        String additionalClaims = String.format("{relyingPartyId: '%s'}", relyingPartyId);
        jwtState.setAdditionalClaims(new JSONObject(additionalClaims));
    } else
        log.warn("No relyingPartyId was available");
    String encodedState = jwtState.getEncodedJwt();
    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(encodedState);
    Cookie currentShibstateCookie = getCurrentShibstateCookie(request);
    if (currentShibstateCookie != null) {
        String requestUri = decodeCookieValue(currentShibstateCookie.getValue());
        log.debug("requestUri = \"" + requestUri + "\"");
        String authenticationMode = determineAuthenticationMode(requestUri);
        if (StringHelper.isNotEmpty(authenticationMode)) {
            log.debug("acr_values = \"" + authenticationMode + "\"");
            authorizationRequest.setAcrValues(Arrays.asList(authenticationMode));
            updateShibstateCookie(response, currentShibstateCookie, requestUri, "/" + Configuration.OXAUTH_ACR_VALUES + "/" + authenticationMode);
        }
    }
    // Store for validation in session
    final HttpSession session = request.getSession(false);
    session.setAttribute(Configuration.SESSION_AUTH_STATE, encodedState);
    session.setAttribute(Configuration.SESSION_AUTH_NONCE, nonce);
    return authorizeUrl + "?" + authorizationRequest.getQueryString();
}
Also used: Cookie (javax.servlet.http.Cookie), AuthorizationRequest (org.gluu.oxauth.client.AuthorizationRequest), HttpSession (javax.servlet.http.HttpSession), ProfileRequestContext (org.opensaml.profile.context.ProfileRequestContext), ResponseType (org.gluu.oxauth.model.common.ResponseType), OxAuthCryptoProvider (org.gluu.oxauth.model.crypto.OxAuthCryptoProvider), RelyingPartyContext (net.shibboleth.idp.profile.context.RelyingPartyContext), JSONObject (org.json.JSONObject), EncryptionException (org.gluu.util.security.StringEncrypter.EncryptionException), JwtState (org.gluu.oxauth.client.model.JwtState)

Example 8 with EncryptionException

Use of org.gluu.util.security.StringEncrypter.EncryptionException in project oxTrust by GluuFederation.

From class OAuthValidationFilter, method getOAuthData:

private OAuthData getOAuthData(HttpSession session, HttpServletRequest request, String authorizationCode) throws Exception {
    // Check state
    String authorizationState = request.getParameter(Configuration.OAUTH_STATE);
    final String stateSession = session != null ? (String) session.getAttribute(Configuration.SESSION_AUTH_STATE) : null;
    if (!StringHelper.equals(stateSession, authorizationState)) {
        log.error("Login failed, oxTrust wasn't allowed to access user data");
        return null;
    }
    String oAuthAuthorizeUrl = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_AUTHORIZE_URL, null);
    String oAuthHost = getOAuthHost(oAuthAuthorizeUrl);
    String oAuthTokenUrl = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_TOKEN_URL, null);
    String oAuthUserInfoUrl = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_USERINFO_URL, null);
    String oAuthClientId = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_CLIENT_ID, null);
    String oAuthClientPassword = getPropertyFromInitParams(null, Configuration.OAUTH_PROPERTY_CLIENT_PASSWORD, null);
    if (oAuthClientPassword != null) {
        try {
            oAuthClientPassword = StringEncrypter.defaultInstance().decrypt(oAuthClientPassword, Configuration.instance().getCryptoPropertyValue());
        } catch (EncryptionException ex) {
            log.error("Failed to decrypt property: " + Configuration.OAUTH_PROPERTY_CLIENT_PASSWORD, ex);
        }
    }
    String scopes = getParameter(request, Configuration.OAUTH_SCOPE);
    log.trace("scopes : " + scopes);
    // 1. Request access token using the authorization code
    log.trace("Getting access token");
    TokenClient tokenClient1 = new TokenClient(oAuthTokenUrl);
    String redirectURL = constructRedirectUrl(request);
    TokenResponse tokenResponse = tokenClient1.execAuthorizationCode(authorizationCode, redirectURL, oAuthClientId, oAuthClientPassword);
    if (tokenResponse == null) {
        log.error("Get empty token response. User can't log into application");
        return null;
    }
    log.trace("tokenResponse : " + tokenResponse);
    log.trace("tokenResponse.getErrorType() : " + tokenResponse.getErrorType());
    String accessToken = tokenResponse.getAccessToken();
    String idToken = tokenResponse.getIdToken();
    log.trace("accessToken : " + accessToken);
    log.trace("idToken : " + idToken);
    // Parse JWT
    Jwt jwt;
    try {
        jwt = Jwt.parse(idToken);
    } catch (InvalidJwtException ex) {
        log.error("Failed to parse id_token");
        return null;
    }
    // Check nonce
    String nonceResponse = (String) jwt.getClaims().getClaim(JwtClaimName.NONCE);
    final String nonceSession = session != null ? (String) session.getAttribute(Configuration.SESSION_AUTH_NONCE) : null;
    if (!StringHelper.equals(nonceSession, nonceResponse)) {
        log.error("User info response :  nonce is not matching.");
        return null;
    }
    log.info("Session validation successful. User is logged in");
    UserInfoClient userInfoClient = new UserInfoClient(oAuthUserInfoUrl);
    UserInfoResponse userInfoResponse = userInfoClient.execUserInfo(accessToken);
    if (userInfoResponse == null) {
        log.error("Get empty user info response. User can't log into application");
        return null;
    }
    OAuthData oAuthData = new OAuthData();
    oAuthData.setHost(oAuthHost);
    // Determine uid
    List<String> uidValues = userInfoResponse.getClaims().get(JwtClaimName.USER_NAME);
    if ((uidValues == null) || (uidValues.size() == 0)) {
        log.error("User infor response doesn't contains uid claim");
        return null;
    }
    oAuthData.setUserUid(uidValues.get(0));
    oAuthData.setAccessToken(accessToken);
    oAuthData.setAccessTokenExpirationInSeconds(tokenResponse.getExpiresIn());
    oAuthData.setScopes(scopes);
    oAuthData.setIdToken(idToken);
    log.trace("User uid: " + oAuthData.getUserUid());
    return oAuthData;
}
Also used: InvalidJwtException (org.gluu.oxauth.model.exception.InvalidJwtException), TokenResponse (org.gluu.oxauth.client.TokenResponse), Jwt (org.gluu.oxauth.model.jwt.Jwt), EncryptionException (org.gluu.util.security.StringEncrypter.EncryptionException), UserInfoResponse (org.gluu.oxauth.client.UserInfoResponse), TokenClient (org.gluu.oxauth.client.TokenClient), UserInfoClient (org.gluu.oxauth.client.UserInfoClient), OAuthData (org.gluu.oxauth.client.session.OAuthData)

Example 9 with EncryptionException

Use of org.gluu.util.security.StringEncrypter.EncryptionException in project oxTrust by GluuFederation.

From class ClientPasswordAction, method update:

public String update() {
    OxAuthClient client = clientService.getClientByDn(updateClientAction.getClient().getDn());
    try {
        client.setOxAuthClientSecret(newPassword);
        client.setEncodedClientSecret(encryptionService.encrypt(newPassword));
    } catch (EncryptionException e) {
        log.error("Failed to encrypt password", e);
    }
    clientService.updateClient(client);
    updateClientAction.getClient().setEncodedClientSecret(client.getEncodedClientSecret());
    updateClientAction.getClient().setOxAuthClientSecret(newPassword);
    return OxTrustConstants.RESULT_SUCCESS;
}
Also used: OxAuthClient (org.gluu.oxtrust.model.OxAuthClient), EncryptionException (org.gluu.util.security.StringEncrypter.EncryptionException)

Aggregations (classes used together with EncryptionException across the examples, with usage counts)

EncryptionException (org.gluu.util.security.StringEncrypter.EncryptionException): 9
VelocityContext (org.apache.velocity.VelocityContext): 2
ConfigurationException (org.gluu.util.exception.ConfigurationException): 2
IOException (java.io.IOException): 1
InvocationTargetException (java.lang.reflect.InvocationTargetException): 1
Properties (java.util.Properties): 1
Cookie (javax.servlet.http.Cookie): 1
HttpSession (javax.servlet.http.HttpSession): 1
RelyingPartyContext (net.shibboleth.idp.profile.context.RelyingPartyContext): 1
FileConfiguration (org.gluu.orm.util.properties.FileConfiguration): 1
AuthorizationRequest (org.gluu.oxauth.client.AuthorizationRequest): 1
TokenClient (org.gluu.oxauth.client.TokenClient): 1
TokenResponse (org.gluu.oxauth.client.TokenResponse): 1
UserInfoClient (org.gluu.oxauth.client.UserInfoClient): 1
UserInfoResponse (org.gluu.oxauth.client.UserInfoResponse): 1
JwtState (org.gluu.oxauth.client.model.JwtState): 1
OAuthData (org.gluu.oxauth.client.session.OAuthData): 1
ResponseType (org.gluu.oxauth.model.common.ResponseType): 1
CIBAEndUserNotificationConfig (org.gluu.oxauth.model.configuration.CIBAEndUserNotificationConfig): 1
OxAuthCryptoProvider (org.gluu.oxauth.model.crypto.OxAuthCryptoProvider): 1