Java Code Examples for org.apache.cxf.ws.security.tokenstore.SecurityToken#getProperties()

The following examples show how to use org.apache.cxf.ws.security.tokenstore.SecurityToken#getProperties() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: DefaultSTSTokenCacher.java    From cxf with Apache License 2.0 6 votes vote down vote up
public SecurityToken retrieveToken(Message message, Element delegationToken, String cacheKey)
        throws TokenStoreException {
    if (delegationToken == null) {
        return null;
    }
    TokenStore tokenStore = TokenStoreUtils.getTokenStore(message);

    // See if the token corresponding to the delegation Token is stored in the cache
    // and if it points to an issued token
    String id = getIdFromToken(delegationToken);
    SecurityToken cachedToken = tokenStore.getToken(id);
    if (cachedToken != null) {
        Map<String, Object> properties = cachedToken.getProperties();
        if (properties != null && properties.containsKey(cacheKey)) {
            String associatedToken = (String)properties.get(cacheKey);
            SecurityToken issuedToken = tokenStore.getToken(associatedToken);
            if (issuedToken != null) {
                return issuedToken;
            }
        }
    }

    return null;
}
 
Example 2
Source File: SCTValidator.java    From cxf with Apache License 2.0 4 votes vote down vote up
/**
 * Validate a Token using the given TokenValidatorParameters.
 */
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    LOG.fine("Validating SecurityContextToken");

    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    validateTarget.setState(STATE.INVALID);
    response.setToken(validateTarget);

    if (tokenParameters.getTokenStore() == null) {
        LOG.log(Level.FINE, "A cache must be configured to use the SCTValidator");
        return response;
    }

    if (validateTarget.isDOMElement()) {
        try {
            Element validateTargetElement = (Element)validateTarget.getToken();
            SecurityContextToken sct = new SecurityContextToken(validateTargetElement);
            String identifier = sct.getIdentifier();
            SecurityToken token = tokenParameters.getTokenStore().getToken(identifier);
            if (token == null) {
                LOG.fine("Identifier: " + identifier + " is not found in the cache");
                return response;
            }
            if (token.isExpired()) {
                validateTarget.setState(STATE.EXPIRED);
                LOG.fine("Token: " + identifier + " is in the cache but expired");
                return response;
            }
            byte[] secret = token.getSecret();
            Map<String, Object> properties = new HashMap<>(1);
            properties.put(SCT_VALIDATOR_SECRET, secret);
            response.setAdditionalProperties(properties);
            response.setPrincipal(token.getPrincipal());

            Map<String, Object> props = token.getProperties();
            if (props != null) {
                String realm = (String)props.get(STSConstants.TOKEN_REALM);
                response.setTokenRealm(realm);
            }
            validateTarget.setState(STATE.VALID);
            LOG.fine("SecurityContextToken successfully validated");
        } catch (WSSecurityException ex) {
            LOG.log(Level.WARNING, "", ex);
        }
    }
    return response;
}
 
Example 3
Source File: SAMLTokenRenewer.java    From cxf with Apache License 2.0 4 votes vote down vote up
private void validateAssertion(
    SamlAssertionWrapper assertion,
    ReceivedToken tokenToRenew,
    SecurityToken token,
    TokenRenewerParameters tokenParameters
) throws WSSecurityException {
    // Check the cached renewal properties
    Map<String, Object> props = token.getProperties();
    if (props == null) {
        LOG.log(Level.WARNING, "Error in getting properties from cached token");
        throw new STSException(
            "Error in getting properties from cached token", STSException.REQUEST_FAILED
        );
    }
    String isAllowRenewal = (String)props.get(STSConstants.TOKEN_RENEWING_ALLOW);
    String isAllowRenewalAfterExpiry =
        (String)props.get(STSConstants.TOKEN_RENEWING_ALLOW_AFTER_EXPIRY);

    if (isAllowRenewal == null || !Boolean.valueOf(isAllowRenewal)) {
        LOG.log(Level.WARNING, "The token is not allowed to be renewed");
        throw new STSException("The token is not allowed to be renewed", STSException.REQUEST_FAILED);
    }

    // Check to see whether the token has expired greater than the configured max expiry time
    if (tokenToRenew.getState() == STATE.EXPIRED) {
        if (!allowRenewalAfterExpiry || isAllowRenewalAfterExpiry == null
            || !Boolean.valueOf(isAllowRenewalAfterExpiry)) {
            LOG.log(Level.WARNING, "Renewal after expiry is not allowed");
            throw new STSException(
                "Renewal after expiry is not allowed", STSException.REQUEST_FAILED
            );
        }
        DateTime expiryDate = getExpiryDate(assertion);
        DateTime currentDate = new DateTime();
        if ((currentDate.getMillis() - expiryDate.getMillis()) > (maxExpiry * 1000L)) {
            LOG.log(Level.WARNING, "The token expired too long ago to be renewed");
            throw new STSException(
                "The token expired too long ago to be renewed", STSException.REQUEST_FAILED
            );
        }
    }

    // Verify Proof of Possession
    ProofOfPossessionValidator popValidator = new ProofOfPossessionValidator();
    if (verifyProofOfPossession) {
        STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
        Crypto sigCrypto = stsProperties.getSignatureCrypto();
        CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
        RequestData requestData = new RequestData();
        requestData.setSigVerCrypto(sigCrypto);
        WSSConfig wssConfig = WSSConfig.getNewInstance();
        requestData.setWssConfig(wssConfig);

        WSDocInfo docInfo = new WSDocInfo(((Element)tokenToRenew.getToken()).getOwnerDocument());
        requestData.setWsDocInfo(docInfo);
        // Parse the HOK subject if it exists

        assertion.parseSubject(
            new WSSSAMLKeyInfoProcessor(requestData), sigCrypto, callbackHandler
        );

        SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
        if (keyInfo == null) {
            keyInfo = new SAMLKeyInfo((byte[])null);
        }
        if (!popValidator.checkProofOfPossession(tokenParameters, keyInfo)) {
            throw new STSException(
                "Failed to verify the proof of possession of the key associated with the "
                + "saml token. No matching key found in the request.",
                STSException.INVALID_REQUEST
            );
        }
    }

    // Check the AppliesTo address
    String appliesToAddress = tokenParameters.getAppliesToAddress();
    if (appliesToAddress != null) {
        if (assertion.getSaml1() != null) {
            List<AudienceRestrictionCondition> restrConditions =
                assertion.getSaml1().getConditions().getAudienceRestrictionConditions();
            if (!matchSaml1AudienceRestriction(appliesToAddress, restrConditions)) {
                LOG.log(Level.WARNING, "The AppliesTo address does not match the Audience Restriction");
                throw new STSException(
                    "The AppliesTo address does not match the Audience Restriction",
                    STSException.INVALID_REQUEST
                );
            }
        } else {
            List<AudienceRestriction> audienceRestrs =
                assertion.getSaml2().getConditions().getAudienceRestrictions();
            if (!matchSaml2AudienceRestriction(appliesToAddress, audienceRestrs)) {
                LOG.log(Level.WARNING, "The AppliesTo address does not match the Audience Restriction");
                throw new STSException(
                    "The AppliesTo address does not match the Audience Restriction",
                    STSException.INVALID_REQUEST
                );
            }
        }
    }

}