IssueSamlTokenContractpublic abstract class IssueSamlTokenContract extends Object implements com.sun.xml.ws.api.security.trust.IssueSamlTokenContract
Fields Summary |
---|
private static final Logger | log | protected com.sun.xml.ws.api.security.trust.config.STSConfiguration | stsConfig | protected static final com.sun.xml.ws.security.trust.WSTrustElementFactory | eleFac | protected static final SimpleDateFormat | calendarFormatter | private static final int | DEFAULT_KEY_SIZE | private long | currentTime |
Methods Summary |
---|
public com.sun.xml.ws.security.trust.elements.RequestSecurityTokenResponse | cancel(com.sun.xml.ws.security.trust.elements.RequestSecurityToken request, com.sun.xml.ws.security.IssuedTokenContext context, java.util.Map issuedTokenCtxMap)Cancel a Token
throw new UnsupportedOperationException("Unsupported operation: cancel");
| private com.sun.xml.ws.security.trust.elements.Lifetime | createLifetime()
final Calendar cal = new GregorianCalendar();
int offset = cal.get(Calendar.ZONE_OFFSET);
if (cal.getTimeZone().inDaylightTime(cal.getTime())) {
offset += cal.getTimeZone().getDSTSavings();
}
synchronized (calendarFormatter) {
calendarFormatter.setTimeZone(cal.getTimeZone());
// always send UTC/GMT time
final long beforeTime = cal.getTimeInMillis();
currentTime = beforeTime - offset;
cal.setTimeInMillis(currentTime);
final AttributedDateTime created = new AttributedDateTime();
created.setValue(calendarFormatter.format(cal.getTime()));
final AttributedDateTime expires = new AttributedDateTime();
cal.setTimeInMillis(currentTime + stsConfig.getIssuedTokenTimeout());
expires.setValue(calendarFormatter.format(cal.getTime()));
final Lifetime lifetime = eleFac.createLifetime(created, expires);
return lifetime;
}
| public abstract com.sun.xml.ws.security.Token | createSAMLAssertion(java.lang.String appliesTo, java.lang.String tokenType, java.lang.String keyType, java.lang.String assertionId, java.lang.String issuer, java.util.Map claimedAttrs, com.sun.xml.ws.security.IssuedTokenContext context)
| private com.sun.xml.ws.security.trust.elements.str.SecurityTokenReference | createSecurityTokenReference(java.lang.String id, java.lang.String tokenType)
String valueType = null;
if (WSTrustConstants.SAML10_ASSERTION_TOKEN_TYPE.equals(tokenType)||
WSTrustConstants.SAML11_ASSERTION_TOKEN_TYPE.equals(tokenType)){
valueType = MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE;
} else if (WSTrustConstants.SAML20_ASSERTION_TOKEN_TYPE.equals(tokenType)){
valueType = MessageConstants.WSSE_SAML_v2_0_KEY_IDENTIFIER_VALUE_TYPE;
}
final KeyIdentifier ref = eleFac.createKeyIdentifier(valueType, null);
ref.setValue(id);
return eleFac.createSecurityTokenReference(ref);
| public void | handleUnsolicited(com.sun.xml.ws.security.trust.elements.RequestSecurityTokenResponse rstr, com.sun.xml.ws.security.IssuedTokenContext context)handle an unsolicited RSTR like in the case of
Client Initiated Secure Conversation.
throw new UnsupportedOperationException("Unsupported operation: handleUnsolicited");
| public void | init(com.sun.xml.ws.api.security.trust.config.STSConfiguration stsConfig)
this.stsConfig = stsConfig;
| public com.sun.xml.ws.security.trust.elements.RequestSecurityTokenResponse | issue(com.sun.xml.ws.security.trust.elements.RequestSecurityToken rst, com.sun.xml.ws.security.IssuedTokenContext context)Issue a Token
// Get AppliesTo
final AppliesTo applies = rst.getAppliesTo();
String appliesTo = null;
if(applies != null){
appliesTo = WSTrustUtil.getAppliesToURI(applies);
}
TrustSPMetadata spMd = stsConfig.getTrustSPMetadata(appliesTo);
if (spMd == null){
// Only used for testing purpose; default should not documented
spMd = stsConfig.getTrustSPMetadata("default");
}
if (spMd == null){
log.log(Level.SEVERE,
LogStringsMessages.WST_0004_UNKNOWN_SERVICEPROVIDER(appliesTo));
throw new WSTrustException(LogStringsMessages.WST_0004_UNKNOWN_SERVICEPROVIDER(appliesTo));
}
// Get TokenType
String tokenType = null;
final URI tokenTypeURI = rst.getTokenType();
if (tokenTypeURI != null){
tokenType = tokenTypeURI.toString();
}else{
tokenType = spMd.getTokenType();
}
if (tokenType == null){
tokenType = WSTrustConstants.SAML11_ASSERTION_TOKEN_TYPE;
}
// Get KeyType
String keyType = null;
final URI keyTypeURI = rst.getKeyType();
if (keyTypeURI != null){
keyType = keyTypeURI.toString();
}else{
keyType = spMd.getKeyType();
}
if (keyType == null){
keyType = WSTrustConstants.SYMMETRIC_KEY;
}
// Get authenticaed client Subject
final Subject subject = context.getRequestorSubject();
if(subject == null){
log.log(Level.SEVERE,
LogStringsMessages.WST_0030_REQUESTOR_NULL());
throw new WSTrustException(LogStringsMessages.WST_0030_REQUESTOR_NULL());
}
// Check if the client is authorized to be issued the token
final STSAuthorizationProvider authzProvider = WSTrustFactory.getSTSAuthorizationProvider();
if (!authzProvider.isAuthorized(subject, appliesTo, tokenType, keyType)){
String user = subject.getPrincipals().iterator().next().getName();
log.log(Level.SEVERE,
LogStringsMessages.WST_0015_CLIENT_NOT_AUTHORIZED(
user, tokenType, appliesTo));
throw new WSTrustException(LogStringsMessages.WST_0015_CLIENT_NOT_AUTHORIZED(
user, tokenType, appliesTo));
}
// Get claimed attributes
final Claims claims = rst.getClaims();
final STSAttributeProvider attrProvider = WSTrustFactory.getSTSAttributeProvider();
final Map<QName, List<String>> claimedAttrs = attrProvider.getClaimedAttributes(subject, appliesTo, tokenType, claims);
RequestedProofToken proofToken = null;
Entropy serverEntropy = null;
int keySize = 0;
if (WSTrustConstants.SYMMETRIC_KEY.equals(keyType)){
//============================
// Create required secret key
//============================
proofToken = eleFac.createRequestedProofToken();
// Get client entropy
byte[] clientEntr = null;
final Entropy clientEntropy = rst.getEntropy();
if (clientEntropy != null){
final BinarySecret clientBS = clientEntropy.getBinarySecret();
if (clientBS == null){
if(log.isLoggable(Level.FINE)) {
log.log(Level.FINE,
LogStringsMessages.WST_1009_NULL_BINARY_SECRET());
}
}else {
clientEntr = clientBS.getRawValue();
}
}
keySize = (int)rst.getKeySize();
if (keySize < 1){
keySize = DEFAULT_KEY_SIZE;
}
if(log.isLoggable(Level.FINE)) {
log.log(Level.FINE,
LogStringsMessages.WST_1010_KEY_SIZE(keySize, DEFAULT_KEY_SIZE));
}
byte[] key = WSTrustUtil.generateRandomSecret(keySize/8);
final BinarySecret serverBS = eleFac.createBinarySecret(key, BinarySecret.NONCE_KEY_TYPE);
serverEntropy = eleFac.createEntropy(serverBS);
proofToken.setProofTokenType(RequestedProofToken.COMPUTED_KEY_TYPE);
// compute the secret key
try {
proofToken.setComputedKey(URI.create(WSTrustConstants.CK_PSHA1));
key = SecurityUtil.P_SHA1(clientEntr, key, keySize/8);
} catch (Exception ex){
log.log(Level.SEVERE,
LogStringsMessages.WST_0013_ERROR_SECRET_KEY(WSTrustConstants.CK_PSHA1, keySize, appliesTo), ex);
throw new WSTrustException(LogStringsMessages.WST_0013_ERROR_SECRET_KEY(WSTrustConstants.CK_PSHA1, keySize, appliesTo), ex);
}
context.setProofKey(key);
}else if(WSTrustConstants.PUBLIC_KEY.equals(keyType)){
final Set certs = context.getRequestorSubject().getPublicCredentials();
if(certs == null){
log.log(Level.SEVERE,
LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
throw new WSTrustException(
LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
}
boolean addedClientCert = false;
for(Object o : certs){
if(o instanceof X509Certificate){
final X509Certificate clientCert = (X509Certificate)o;
context.setRequestorCertificate(clientCert);
addedClientCert = true;
}
}
if(!addedClientCert){
log.log(Level.SEVERE,
LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
throw new WSTrustException(LogStringsMessages.WST_0034_UNABLE_GET_CLIENT_CERT());
}
}else{
log.log(Level.SEVERE,
LogStringsMessages.WST_0025_INVALID_KEY_TYPE(keyType, appliesTo));
throw new WSTrustException(LogStringsMessages.WST_0025_INVALID_KEY_TYPE(keyType, appliesTo));
}
//==================
// Create the RSTR
//==================
// get Context
URI ctx = null;
try {
final String rstCtx = rst.getContext();
if (rstCtx != null){
ctx = new URI(rst.getContext());
}
} catch (URISyntaxException ex) {
log.log(Level.SEVERE,
LogStringsMessages.WST_0014_URI_SYNTAX(), ex);
throw new WSTrustException(
LogStringsMessages.WST_0014_URI_SYNTAX() ,ex);
}
// Create RequestedSecurityToken with SAML assertion
final String assertionId = "uuid-" + UUID.randomUUID().toString();
final RequestedSecurityToken reqSecTok = eleFac.createRequestedSecurityToken();
final Token samlToken = createSAMLAssertion(appliesTo, tokenType, keyType, assertionId, stsConfig.getIssuer(), claimedAttrs, context);
reqSecTok.setToken(samlToken);
// Create RequestedAttachedReference and RequestedUnattachedReference
final SecurityTokenReference samlReference = createSecurityTokenReference(assertionId, tokenType);
final RequestedAttachedReference raRef = eleFac.createRequestedAttachedReference(samlReference);
final RequestedUnattachedReference ruRef = eleFac.createRequestedUnattachedReference(samlReference);
// Create Lifetime
final Lifetime lifetime = createLifetime();
final RequestSecurityTokenResponse rstr =
eleFac.createRSTRForIssue(rst.getTokenType(), ctx, reqSecTok, applies, raRef, ruRef, proofToken, serverEntropy, lifetime);
if (keySize > 0){
rstr.setKeySize(keySize);
}
//String issuer = config.getIssuer();
// Token samlToken = createSAMLAssertion(appliesTo, tokenType, keyType, assertionId, issuer, claimedAttrs, context);
//rstr.getRequestedSecurityToken().setToken(samlToken);
// Populate IssuedTokenContext
context.setSecurityToken(samlToken);
context.setAttachedSecurityTokenReference(samlReference);
context.setUnAttachedSecurityTokenReference(samlReference);
context.setCreationTime(new Date(currentTime));
context.setExpirationTime(new Date(currentTime + stsConfig.getIssuedTokenTimeout()));
return rstr;
| public com.sun.xml.ws.security.trust.elements.RequestSecurityTokenResponseCollection | issueMultiple(com.sun.xml.ws.security.trust.elements.RequestSecurityToken request, com.sun.xml.ws.security.IssuedTokenContext context)Issue a Collection of Token(s) possibly for different scopes
throw new UnsupportedOperationException("Unsupported operation: issueMultiple");
| public com.sun.xml.ws.security.trust.elements.RequestSecurityTokenResponse | renew(com.sun.xml.ws.security.trust.elements.RequestSecurityToken request, com.sun.xml.ws.security.IssuedTokenContext context)Renew a Token
throw new UnsupportedOperationException("Unsupported operation: renew");
| public com.sun.xml.ws.security.trust.elements.RequestSecurityTokenResponse | validate(com.sun.xml.ws.security.trust.elements.RequestSecurityToken request, com.sun.xml.ws.security.IssuedTokenContext context)Validate a Token
throw new UnsupportedOperationException("Unsupported operation: validate");
|
|