Please wait. This can take some minutes ...
Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $
You can buy this project and download/modify it how often you want.
com.sun.xml.ws.security.trust.impl.IssueSamlTokenContract Maven / Gradle / Ivy
package com.sun.xml.ws.security.trust.impl;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.security.cert.X509Certificate;
import javax.xml.namespace.QName;
import javax.security.auth.Subject;
import com.sun.xml.ws.api.security.trust.Claims;
import com.sun.xml.ws.api.security.trust.STSAttributeProvider;
import com.sun.xml.ws.api.security.trust.STSAuthorizationProvider;
import com.sun.xml.ws.api.security.trust.WSTrustException;
import com.sun.xml.ws.api.security.trust.config.STSConfiguration;
import com.sun.xml.ws.api.security.trust.config.TrustSPMetadata;
import com.sun.xml.ws.policy.impl.bindings.AppliesTo;
import com.sun.xml.ws.security.IssuedTokenContext;
import com.sun.xml.ws.security.trust.elements.str.SecurityTokenReference;
import com.sun.xml.ws.security.Token;
import com.sun.xml.ws.security.trust.WSTrustConstants;
import com.sun.xml.ws.security.trust.WSTrustElementFactory;
import com.sun.xml.ws.security.trust.WSTrustFactory;
import com.sun.xml.ws.security.trust.WSTrustVersion;
import com.sun.xml.ws.security.trust.elements.BaseSTSRequest;
import com.sun.xml.ws.security.trust.elements.BaseSTSResponse;
import com.sun.xml.ws.security.trust.elements.BinarySecret;
import com.sun.xml.ws.security.trust.elements.Entropy;
import com.sun.xml.ws.security.trust.elements.Lifetime;
import com.sun.xml.ws.security.trust.elements.OnBehalfOf;
import com.sun.xml.ws.security.trust.elements.RequestedProofToken;
import com.sun.xml.ws.security.trust.elements.RequestedAttachedReference;
import com.sun.xml.ws.security.trust.elements.RequestedUnattachedReference;
import com.sun.xml.ws.security.trust.elements.RequestSecurityToken;
import com.sun.xml.ws.security.trust.elements.RequestSecurityTokenResponse;
import com.sun.xml.ws.security.trust.elements.RequestedSecurityToken;
import com.sun.xml.ws.security.trust.elements.SecondaryParameters;
import com.sun.xml.ws.security.trust.elements.UseKey;
import com.sun.xml.ws.security.trust.util.WSTrustUtil;
import com.sun.xml.wss.impl.MessageConstants;
import com.sun.xml.wss.impl.misc.SecurityUtil;
import java.util.logging.Level;
import java.util.logging.Logger;
import com.sun.xml.ws.security.trust.logging.LogDomainConstants;
import com.sun.xml.ws.security.trust.logging.LogStringsMessages;
import java.util.ArrayList;
import org.w3c.dom.Element;
public abstract class IssueSamlTokenContract implements com .sun .xml .ws .api .security .trust .IssueSamlTokenContract {
private static final Logger log =
Logger.getLogger(
LogDomainConstants.TRUST_IMPL_DOMAIN,
LogDomainConstants.TRUST_IMPL_DOMAIN_BUNDLE);
protected static final String SAML_HOLDER_OF_KEY_1_0 = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key" ;
protected static final String SAML_HOLDER_OF_KEY_2_0 = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key" ;
protected static final String SAML_BEARER_1_0 = "urn:oasis:names:tc:SAML:1.0:cm:bearer" ;
protected static final String SAML_BEARER_2_0 = "urn:oasis:names:tc:SAML:2.0:cm:bearer" ;
protected static final String SAML_SENDER_VOUCHES_1_0 = "urn:oasis:names:tc:SAML:1.0:cm::sender-vouches" ;
protected static final String SAML_SENDER_VOUCHES_2_0 = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches" ;
protected STSConfiguration stsConfig;
protected WSTrustVersion wstVer;
protected String authnCtxClass;
protected WSTrustElementFactory eleFac =
WSTrustElementFactory.newInstance(WSTrustVersion.WS_TRUST_10);
private static final int DEFAULT_KEY_SIZE = 256 ;
protected IssueSamlTokenContract () {}
@Override
public void init (final STSConfiguration stsConfig) {
this .stsConfig = stsConfig;
this .wstVer = (WSTrustVersion)stsConfig.getOtherOptions().get(WSTrustConstants.WST_VERSION);
this .authnCtxClass = (String)stsConfig.getOtherOptions().get(WSTrustConstants.AUTHN_CONTEXT_CLASS);
eleFac = WSTrustElementFactory.newInstance(wstVer);
}
@Override
public BaseSTSResponse issue (final BaseSTSRequest request, final IssuedTokenContext context) throws WSTrustException {
RequestSecurityToken rst = (RequestSecurityToken)request;
SecondaryParameters secParas = null ;
if (wstVer.getNamespaceURI().equals(WSTrustVersion.WS_TRUST_13_NS_URI)){
secParas = rst.getSecondaryParameters();
}
final AppliesTo applies = rst.getAppliesTo();
String appliesTo = null ;
X509Certificate serCert = null ;
if (applies != null ){
List at = WSTrustUtil.parseAppliesTo(applies);
for (int i = 0 ; i < at.size(); i++){
Object obj = at.get(i);
if (obj instanceof String){
appliesTo = (String)obj;
}else if (obj instanceof X509Certificate){
serCert = (X509Certificate)obj;
}
}
}
if (serCert != null ){
context.getOtherProperties().put(IssuedTokenContext.TARGET_SERVICE_CERTIFICATE, serCert);
}
TrustSPMetadata spMd = stsConfig.getTrustSPMetadata(appliesTo);
if (spMd == null ){
spMd = stsConfig.getTrustSPMetadata("default" );
}
if (spMd == null ){
log.log(Level.SEVERE,
LogStringsMessages.WST_0004_UNKNOWN_SERVICEPROVIDER(appliesTo));
throw new WSTrustException(LogStringsMessages.WST_0004_UNKNOWN_SERVICEPROVIDER(appliesTo));
}
String tokenType = null ;
URI tokenTypeURI = rst.getTokenType();
if (tokenTypeURI == null && secParas != null ){
tokenTypeURI = secParas.getTokenType();
}
if (tokenTypeURI != null ){
tokenType = tokenTypeURI.toString();
}else {
tokenType = spMd.getTokenType();
}
if (tokenType == null ){
tokenType = WSTrustConstants.SAML11_ASSERTION_TOKEN_TYPE;
}
String keyType = null ;
URI keyTypeURI = rst.getKeyType();
if (keyTypeURI == null && secParas != null ){
keyTypeURI = secParas.getKeyType();
}
if (keyTypeURI != null ){
keyType = keyTypeURI.toString();
}else {
keyType = spMd.getKeyType();
}
if (keyType == null ){
keyType = wstVer.getSymmetricKeyTypeURI();
}
String encryptionAlgorithm = null ;
URI encryptionAlgorithmURI = rst.getEncryptionAlgorithm();
if (encryptionAlgorithmURI == null && secParas != null ){
encryptionAlgorithmURI = secParas.getEncryptionAlgorithm();
}
if (encryptionAlgorithmURI != null ){
encryptionAlgorithm = encryptionAlgorithmURI.toString();
}
context.setEncryptionAlgorithm(encryptionAlgorithm);
String signatureAlgorithm = null ;
URI signatureAlgorithmURI = rst.getSignatureAlgorithm();
if (signatureAlgorithmURI == null && secParas != null ){
signatureAlgorithmURI = secParas.getSignatureAlgorithm();
}
if (signatureAlgorithmURI != null ){
signatureAlgorithm = signatureAlgorithmURI.toString();
}
context.setSignatureAlgorithm(signatureAlgorithm);
String canonicalizationAlgorithm = null ;
URI canonicalizationAlgorithmURI = rst.getCanonicalizationAlgorithm();
if (canonicalizationAlgorithmURI == null && secParas != null ){
canonicalizationAlgorithmURI = secParas.getCanonicalizationAlgorithm();
}
if (canonicalizationAlgorithmURI != null ){
canonicalizationAlgorithm = canonicalizationAlgorithmURI.toString();
}
context.setCanonicalizationAlgorithm(canonicalizationAlgorithm);
URI keyWrapAlgorithmURI = null ;
if (secParas != null ){
keyWrapAlgorithmURI = secParas.getKeyWrapAlgorithm();
}
if (keyWrapAlgorithmURI != null ){
context.getOtherProperties().put(IssuedTokenContext.KEY_WRAP_ALGORITHM, keyWrapAlgorithmURI.toString());
}
Subject subject = context.getRequestorSubject();
if (subject == null ){
AccessControlContext acc = AccessController.getContext();
subject = Subject.getSubject(acc);
}
if (subject == null ){
log.log(Level.SEVERE,
LogStringsMessages.WST_0030_REQUESTOR_NULL());
throw new WSTrustException(LogStringsMessages.WST_0030_REQUESTOR_NULL());
}
OnBehalfOf obo = rst.getOnBehalfOf();
if (obo != null ){
Object oboToken = obo.getAny();
if (oboToken != null ){
subject.getPublicCredentials().add(eleFac.toElement(oboToken));
String confirMethod = null ;
if (tokenType.equals(WSTrustConstants.SAML10_ASSERTION_TOKEN_TYPE)||
tokenType.equals(WSTrustConstants.SAML11_ASSERTION_TOKEN_TYPE)){
confirMethod = SAML_SENDER_VOUCHES_1_0;
} else if (tokenType.equals(WSTrustConstants.SAML20_ASSERTION_TOKEN_TYPE)||
tokenType.equals(WSTrustConstants.SAML20_WSS_TOKEN_TYPE)){
confirMethod = SAML_SENDER_VOUCHES_2_0;
}
if (confirMethod != null ){
stsConfig.getOtherOptions().put(WSTrustConstants.SAML_CONFIRMATION_METHOD, confirMethod);
}
}
}
final STSAuthorizationProvider authzProvider = WSTrustFactory.getSTSAuthorizationProvider();
if (!authzProvider.isAuthorized(subject, appliesTo, tokenType, keyType)){
String user = subject.getPrincipals().iterator().next().getName();
log.log(Level.SEVERE,
LogStringsMessages.WST_0015_CLIENT_NOT_AUTHORIZED(
user, tokenType, appliesTo));
throw new WSTrustException(LogStringsMessages.WST_0015_CLIENT_NOT_AUTHORIZED(
user, tokenType, appliesTo));
}
Claims claims = rst.getClaims();
if (claims == null && secParas != null ){
claims = secParas.getClaims();
}
if (claims == null ){
claims = eleFac.createClaims();
}
final STSAttributeProvider attrProvider = WSTrustFactory.getSTSAttributeProvider();
final Map> claimedAttrs = attrProvider.getClaimedAttributes(subject, appliesTo, tokenType, claims);
RequestedProofToken proofToken = null ;
Entropy serverEntropy = null ;
int keySize = 0 ;
if (wstVer.getSymmetricKeyTypeURI().equals(keyType)){
proofToken = eleFac.createRequestedProofToken();
byte [] clientEntr = null ;
final Entropy clientEntropy = rst.getEntropy();
if (clientEntropy != null ){
final BinarySecret clientBS = clientEntropy.getBinarySecret();
if (clientBS == null ){
if (log.isLoggable(Level.FINE)) {
log.log(Level.FINE,
LogStringsMessages.WST_1009_NULL_BINARY_SECRET());
}
}else {
clientEntr = clientBS.getRawValue();
}
}
keySize = (int )rst.getKeySize();
if (keySize < 1 && secParas != null ){
keySize = (int ) secParas.getKeySize();
}
if (keySize < 1 ){
keySize = DEFAULT_KEY_SIZE;
}
if (log.isLoggable(Level.FINE)) {
log.log(Level.FINE,
LogStringsMessages.WST_1010_KEY_SIZE(keySize, DEFAULT_KEY_SIZE));
}
byte [] key = WSTrustUtil.generateRandomSecret(keySize/8 );
final BinarySecret serverBS = eleFac.createBinarySecret(key, wstVer.getNonceBinarySecretTypeURI());
serverEntropy = eleFac.createEntropy(serverBS);
try {
if (clientEntr != null && clientEntr.length > 0 ){
proofToken.setComputedKey(URI.create(wstVer.getCKPSHA1algorithmURI()));
proofToken.setProofTokenType(RequestedProofToken.COMPUTED_KEY_TYPE);
key = SecurityUtil.P_SHA1(clientEntr, key, keySize/8 );
}else {
proofToken.setProofTokenType(RequestedProofToken.BINARY_SECRET_TYPE);
proofToken.setBinarySecret(serverBS);
}
} catch (Exception ex){
log.log(Level.SEVERE,
LogStringsMessages.WST_0013_ERROR_SECRET_KEY(wstVer.getCKPSHA1algorithmURI(), keySize, appliesTo), ex);
throw new WSTrustException(LogStringsMessages.WST_0013_ERROR_SECRET_KEY(wstVer.getCKPSHA1algorithmURI(), keySize, appliesTo), ex);
}
context.setProofKey(key);
}else if (wstVer.getPublicKeyTypeURI().equals(keyType)){
UseKey useKey = rst.getUseKey();
if (useKey != null ){
Element keyInfo = eleFac.toElement(useKey.getToken().getTokenValue());
stsConfig.getOtherOptions().put("ConfirmationKeyInfo" , keyInfo);
}
final Set certs = subject.getPublicCredentials();
boolean addedClientCert = false ;
for (Object o : certs){
if (o instanceof X509Certificate){
final X509Certificate clientCert = (X509Certificate)o;
context.setRequestorCertificate(clientCert);
addedClientCert = true ;
}
}
if (!addedClientCert && useKey == null ){
log.log(Level.SEVERE,
LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
throw new WSTrustException(LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
}
}else if (wstVer.getBearerKeyTypeURI().equals(keyType)){
}else {
log.log(Level.SEVERE,
LogStringsMessages.WST_0025_INVALID_KEY_TYPE(keyType, appliesTo));
throw new WSTrustException(LogStringsMessages.WST_0025_INVALID_KEY_TYPE(keyType, appliesTo));
}
final String assertionId = "uuid-" + UUID.randomUUID();
final RequestedSecurityToken reqSecTok = eleFac.createRequestedSecurityToken();
final Token samlToken = createSAMLAssertion(appliesTo, tokenType, keyType, assertionId, stsConfig.getIssuer(), claimedAttrs, context);
reqSecTok.setToken(samlToken);
String valueType = null ;
if (WSTrustConstants.SAML10_ASSERTION_TOKEN_TYPE.equals(tokenType)||
WSTrustConstants.SAML11_ASSERTION_TOKEN_TYPE.equals(tokenType)){
valueType = MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE;
} else if (WSTrustConstants.SAML20_ASSERTION_TOKEN_TYPE.equals(tokenType)){
valueType = MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE;
}
final SecurityTokenReference samlReference = WSTrustUtil.createSecurityTokenReference(assertionId, valueType);
final RequestedAttachedReference raRef = eleFac.createRequestedAttachedReference(samlReference);
final RequestedUnattachedReference ruRef = eleFac.createRequestedUnattachedReference(samlReference);
URI ctx = null ;
try {
final String rstCtx = rst.getContext();
if (rstCtx != null ){
ctx = new URI(rst.getContext());
}
} catch (URISyntaxException ex) {
log.log(Level.SEVERE,
LogStringsMessages.WST_0014_URI_SYNTAX(), ex);
throw new WSTrustException(
LogStringsMessages.WST_0014_URI_SYNTAX() ,ex);
}
long currentTime = WSTrustUtil.getCurrentTimeWithOffset();
final Lifetime lifetime = WSTrustUtil.createLifetime(currentTime, stsConfig.getIssuedTokenTimeout(), wstVer);
final RequestSecurityTokenResponse rstr =
eleFac.createRSTRForIssue(rst.getTokenType(), ctx, reqSecTok, applies, raRef, ruRef, proofToken, serverEntropy, lifetime);
if (keySize > 0 ){
rstr.setKeySize(keySize);
}
context.setSecurityToken(samlToken);
context.setAttachedSecurityTokenReference(samlReference);
context.setUnAttachedSecurityTokenReference(samlReference);
context.setCreationTime(new Date(currentTime));
context.setExpirationTime(new Date(currentTime + stsConfig.getIssuedTokenTimeout()));
if (wstVer.getNamespaceURI().equals(WSTrustVersion.WS_TRUST_13.getNamespaceURI())){
List list = new ArrayList<>();
list.add(rstr);
return eleFac.createRSTRC(list);
}
return rstr;
}
public BaseSTSResponse issueMultiple (
final BaseSTSRequest request, final IssuedTokenContext context) {
throw new UnsupportedOperationException("Unsupported operation: issueMultiple" );
}
@Override
public BaseSTSResponse renew (
final BaseSTSRequest request, final IssuedTokenContext context) {
throw new UnsupportedOperationException("Unsupported operation: renew" );
}
@Override
public BaseSTSResponse cancel (
final BaseSTSRequest request, final IssuedTokenContext context, final Map issuedTokenCtxMap) {
throw new UnsupportedOperationException("Unsupported operation: cancel" );
}
@Override
public BaseSTSResponse validate (
final BaseSTSRequest request, final IssuedTokenContext context) {
throw new UnsupportedOperationException("Unsupported operation: validate" );
}
@Override
public void handleUnsolicited (
final BaseSTSResponse rstr, final IssuedTokenContext context) {
throw new UnsupportedOperationException("Unsupported operation: handleUnsolicited" );
}
@Override
public abstract Token createSAMLAssertion (String appliesTo, String tokenType, String keyType, String assertionId, String issuer, Map > claimedAttrs, IssuedTokenContext context) throws WSTrustException ;
}