Package org.apache.cxf.fediz.core.exception

Examples of org.apache.cxf.fediz.core.exception.ProcessingException


            return new LifeTime(created, expires);

        } catch (ParseException e) {
            LOG.error("Failed to parse lifetime element in wresult: " + e.getMessage());
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }
    }
View Full Code Here


            .append(URLEncoder.encode(wct, "UTF-8"));
           
            redirectURL = redirectURL + "?" + sb.toString();
        } catch (Exception ex) {
            LOG.error("Failed to create SignInRequest", ex);
            throw new ProcessingException("Failed to create SignInRequest");
        }       
        return redirectURL;
    }
View Full Code Here

        sts.setAddressingNamespace(HTTP_WWW_W3_ORG_2005_08_ADDRESSING);
       
        ServiceConfig serviceConfig = idpConfig.getServices().get(wtrealm);
        if (serviceConfig == null) {
            LOG.warn("No service config found for " + wtrealm);
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }
       
        if (serviceConfig.getTokenType() != null && serviceConfig.getTokenType().length() > 0) {
            sts.setTokenType(serviceConfig.getTokenType());
        } else {
            sts.setTokenType(getTokenType());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("TokenType " + sts.getTokenType() + " set for " + wtrealm);
        }
       
        sts.setKeyType(keyType);
        if (HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_PUBLICKEY.equals(keyType)) {
            HttpServletRequest servletRequest = WebUtils.getHttpServletRequest(context);
            if (servletRequest != null) {
                X509Certificate certs[] =
                    (X509Certificate[])servletRequest.getAttribute("javax.servlet.request.X509Certificate");
                if (certs != null && certs.length > 0) {
                    sts.setUseCertificateForConfirmationKeyInfo(true);
                    sts.setUseKeyCertificate(certs[0]);
                } else {
                    LOG.info("Can't send a PublicKey KeyType as no client certs are available");
                    sts.setKeyType(HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512_BEARER);
                }
            }
        }

        processWsdlLocation(context);
        sts.setWsdlLocation(wsdlLocation);
        sts.setServiceQName(new QName(
                HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512,
                SECURITY_TOKEN_SERVICE));
        sts.setEndpointQName(new QName(
                HTTP_DOCS_OASIS_OPEN_ORG_WS_SX_WS_TRUST_200512, wsdlEndpoint));

        if (serviceConfig.getRequestedClaims() != null && serviceConfig.getRequestedClaims().size() > 0) {
            addClaims(sts, serviceConfig.getRequestedClaims());
            if (LOG.isDebugEnabled()) {
                LOG.debug("Requested claims set for " + wtrealm);
            }
        }
       
        sts.setEnableLifetime(true);
        if (serviceConfig.getLifeTime() != null && serviceConfig.getLifeTime().length() > 0) {
            try {
                int lifetime = Integer.parseInt(serviceConfig.getLifeTime());
                sts.setTtl(lifetime);
                sts.setEnableLifetime(lifetime > 0);
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Lifetime set to " + serviceConfig.getLifeTime() + " seconds for " + wtrealm);
                }
            } catch (NumberFormatException ex) {
                LOG.warn("Invalid lifetime configured for service provider " + wtrealm);
                sts.setTtl(this.ttl);
                sts.setEnableLifetime(this.ttl > 0);
            }
        } else {
            sts.setTtl(this.ttl);
            sts.setEnableLifetime(this.ttl > 0);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Lifetime set to " + this.ttl + " seconds for " + wtrealm);
            }
        }
       
       
        sts.setOnBehalfOf(idpToken.getToken());
        if (!(serviceConfig.getProtocol() == null
            || FederationConstants.WS_FEDERATION_NS.equals(serviceConfig.getProtocol()))) {
            LOG.error("Protocol " + serviceConfig.getProtocol() + " not supported for " + wtrealm);
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }
       
        String rpToken = sts.requestSecurityTokenResponse(wtrealm);
       
        InputStream is = new ByteArrayInputStream(rpToken.getBytes());
View Full Code Here

                            + "] successfully retrieved from cache for home realm ["
                            + whr + "]");
                }
            } else {
                LOG.error("IDP_TOKEN not found");
                throw new ProcessingException(TYPE.BAD_REQUEST);
            }
        } else {
            LOG.error("Home realm not found");
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }
        return idpToken;
    }
View Full Code Here

            // PasswordCallbackHandler(password));

            AssertionWrapper assertion = new AssertionWrapper(token);
            if (!assertion.isSigned()) {
                LOG.warn("Assertion is not signed");
                throw new ProcessingException(TYPE.TOKEN_NO_SIGNATURE);
            }
            // Verify the signature
            WSDocInfo docInfo = new WSDocInfo(token.getOwnerDocument());
            assertion.verifySignature(requestData, docInfo);
           
            // Parse the HOK subject if it exists
            assertion.parseHOKSubject(requestData, docInfo);

            // Now verify trust on the signature
            Credential trustCredential = new Credential();
            SAMLKeyInfo samlKeyInfo = assertion.getSignatureKeyInfo();
            trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
            trustCredential.setCertificates(samlKeyInfo.getCerts());
            trustCredential.setAssertion(assertion);

            SamlAssertionValidator trustValidator = new SamlAssertionValidator();
            trustValidator.setFutureTTL(config.getMaximumClockSkew().intValue());
           
            boolean trusted = false;
            String assertionIssuer = assertion.getIssuerString();
           
            List<TrustedIssuer> trustedIssuers = config.getTrustedIssuers();
            for (TrustedIssuer ti : trustedIssuers) {
                List<String> subjectConstraints = Collections.singletonList(ti.getSubject());
                if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.CHAIN_TRUST)) {
                    trustValidator.setSubjectConstraints(subjectConstraints);
                    trustValidator.setSignatureTrustType(TRUST_TYPE.CHAIN_TRUST_CONSTRAINTS);
                } else if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.PEER_TRUST)) {
                    trustValidator.setSignatureTrustType(TRUST_TYPE.PEER_TRUST);
                } else {
                    throw new IllegalStateException("Unsupported certificate validation method: "
                                                    + ti.getCertificateValidationMethod());
                }
                try {
                    for (TrustManager tm: config.getCertificateStores()) {
                        try {
                            requestData.setSigCrypto(tm.getCrypto());
                            trustValidator.validate(trustCredential, requestData);
                            trusted = true;
                            break;
                        } catch (Exception ex) {
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Issuer '" + ti.getName() + "' not validated in keystore '"
                                          + tm.getName() + "'");
                            }
                        }
                    }
                    if (trusted) {
                        break;
                    }
                   
                } catch (Exception ex) {
                    if (LOG.isInfoEnabled()) {
                        LOG.info("Issuer '" + assertionIssuer + "' doesn't match trusted issuer '" + ti.getName()
                                 + "': " + ex.getMessage());
                    }
                }
            }
           
            if (!trusted) {
                // Condition already checked in SamlAssertionValidator
                // Minor performance impact on untrusted and expired tokens
                if (!isConditionValid(assertion, config.getMaximumClockSkew().intValue())) {
                    LOG.warn("Security token expired");
                    throw new ProcessingException(TYPE.TOKEN_EXPIRED);
                } else {
                    LOG.warn("Issuer '" + assertionIssuer + "' not trusted");
                    throw new ProcessingException(TYPE.ISSUER_NOT_TRUSTED);
                }
            }
           
            // Now check for HolderOfKey requirements
            if (!SAMLUtil.checkHolderOfKey(assertion, request.getCerts())) {
                LOG.warn("Assertion fails holder-of-key requirements");
                throw new ProcessingException(TYPE.ISSUER_NOT_TRUSTED);
            }

            String audience = null;
            List<Claim> claims = null;
            if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
                claims = parseClaimsInAssertion(assertion.getSaml2());
                audience = getAudienceRestriction(assertion.getSaml2());
            } else if (assertion.getSamlVersion()
                    .equals(SAMLVersion.VERSION_11)) {
                claims = parseClaimsInAssertion(assertion.getSaml1());
                audience = getAudienceRestriction(assertion.getSaml1());
            }

            List<String> roles = parseRoles(config, claims);
           
            SAMLTokenPrincipal p = new SAMLTokenPrincipal(assertion);

            TokenValidatorResponse response = new TokenValidatorResponse(
                    assertion.getId(), p.getName(), assertionIssuer, roles,
                    new ClaimCollection(claims), audience);
            response.setExpires(getExpires(assertion));
           
            return response;

        } catch (WSSecurityException ex) {
            LOG.error("Security token validation failed", ex);
            throw new ProcessingException(TYPE.TOKEN_INVALID);
        }
    }
View Full Code Here

        FederationResponse response = null;
        if (FederationConstants.ACTION_SIGNIN.equals(request.getWa())) {
            response = this.processSignInRequest(request, config);
        } else {
            LOG.error("Invalid action '" + request.getWa() + "'");
            throw new ProcessingException(TYPE.INVALID_REQUEST);
        }
        return response;
    }
View Full Code Here

            doc = DOMUtils.readXml(new ByteArrayInputStream(wresult));
            el = doc.getDocumentElement();

        } catch (Exception e) {
            LOG.warn("Failed to parse wresult: " + e.getMessage());
            throw new ProcessingException(TYPE.INVALID_REQUEST);
        }

        if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) {
            el = DOMUtils.getFirstElement(el);
        }
        if (!"RequestSecurityTokenResponse".equals(el.getLocalName())) {
            LOG.warn("Unexpected root element of wresult: '" + el.getLocalName() + "'");
            throw new ProcessingException(TYPE.INVALID_REQUEST);
        }
        el = DOMUtils.getFirstElement(el);
        Element rst = null;
        Element lifetimeElem = null;
        String tt = null;

        while (el != null) {
            String ln = el.getLocalName();
            if (FederationConstants.WS_TRUST_13_NS.equals(el.getNamespaceURI())
                || FederationConstants.WS_TRUST_2005_02_NS.equals(el.getNamespaceURI())) {
                if ("Lifetime".equals(ln)) {
                    lifetimeElem = el;
                } else if ("RequestedSecurityToken".equals(ln)) {
                    rst = DOMUtils.getFirstElement(el);
                } else if ("TokenType".equals(ln)) {
                    tt = DOMUtils.getContent(el);
                }
            }
            el = DOMUtils.getNextElement(el);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("RST: " + ((rst != null) ? rst.toString() : "null"));
            LOG.debug("Lifetime: "
                    + ((lifetimeElem != null) ? lifetimeElem.toString()
                            : "null"));
            LOG.debug("Tokentype: " + ((tt != null) ? tt.toString() : "null"));
        }
        if (rst == null) {
            LOG.warn("RequestedSecurityToken element not found in wresult");
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }
        LifeTime lifeTime = null;
        if (lifetimeElem != null) {
            lifeTime = processLifeTime(lifetimeElem);
        }

        if (config.isDetectExpiredTokens() && lifeTime != null) {
            Date currentDate = new Date();
            if (currentDate.after(lifeTime.getExpires())) {
                LOG.warn("RSTR Lifetime expired");
                throw new ProcessingException(TYPE.TOKEN_EXPIRED);
            }
            DateTime currentTime = new DateTime();
            DateTime validFrom = new DateTime(lifeTime.created);
            currentTime = currentTime.plusSeconds(config.getMaximumClockSkew().intValue());
            if (validFrom.isAfter(currentTime)) {
                LOG.debug("RSTR Lifetime not yet valid");
                throw new ProcessingException(TYPE.TOKEN_INVALID);
            }
        }
       
        // Check to see if RST is encrypted
        if ("EncryptedData".equals(rst.getLocalName())
            && WSConstants.ENC_NS.equals(rst.getNamespaceURI())) {
            Element decryptedRST = decryptEncryptedRST(rst, config);
            if (decryptedRST != null) {
                rst = decryptedRST;
            }
        }
       
        TokenValidatorResponse validatorResponse = null;
        List<TokenValidator> validators = ((FederationProtocol)config.getProtocol()).getTokenValidators();
        for (TokenValidator validator : validators) {
            boolean canHandle = false;
            if (tt != null) {
                canHandle = validator.canHandleTokenType(tt);
            } else {
                canHandle = validator.canHandleToken(rst);
            }
            if (canHandle) {
                try {
                    TokenValidatorRequest validatorRequest =
                        new TokenValidatorRequest(rst, request.getCerts());
                    validatorResponse = validator.validateAndProcessToken(validatorRequest, config);
                } catch (ProcessingException ex) {
                    throw ex;
                } catch (Exception ex) {
                    LOG.warn("Failed to validate token", ex);
                    throw new ProcessingException(TYPE.TOKEN_INVALID);
                }
                break;
            } else {
                LOG.warn("No security token validator found for '" + tt + "'");
                throw new ProcessingException(TYPE.BAD_REQUEST);
            }
        }

        // Check whether token already used for signin
        if (validatorResponse.getUniqueTokenId() != null
                && config.isDetectReplayedTokens()) {
            // Check whether token has already been processed once, prevent
            // replay attack
            if (config.getTokenReplayCache().getId(validatorResponse.getUniqueTokenId()) == null) {
                // not cached
                Date expires = null;
                if (lifeTime != null && lifeTime.getExpires() != null) {
                    expires = lifeTime.getExpires();
                } else {
                    expires = validatorResponse.getExpires();
                }
                if (expires != null) {
                    Date currentTime = new Date();
                    long ttl = expires.getTime() - currentTime.getTime();
                    config.getTokenReplayCache().putId(validatorResponse.getUniqueTokenId(), ttl / 1000L);
                } else {
                    config.getTokenReplayCache().putId(validatorResponse.getUniqueTokenId());
                }
            } else {
                LOG.error("Replay attack with token id: " + validatorResponse.getUniqueTokenId());
                throw new ProcessingException("Replay attack with token id: "
                        + validatorResponse.getUniqueTokenId(), TYPE.TOKEN_REPLAY);
            }
        }

        FederationResponse fedResponse = new FederationResponse(
View Full Code Here

        KeyManager decryptionKeyManager = config.getDecryptionKey();
        if (decryptionKeyManager == null || decryptionKeyManager.getCrypto() == null) {
            LOG.debug(
                "We must have a decryption Crypto instance configured to decrypt encrypted tokens"
            );
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }
        String keyPassword = decryptionKeyManager.getKeyPassword();
        if (keyPassword == null) {
            LOG.debug(
                "We must have a decryption key password to decrypt encrypted tokens"
            );
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }
       
        EncryptedDataProcessor proc = new EncryptedDataProcessor();
        WSDocInfo docInfo = new WSDocInfo(encryptedRST.getOwnerDocument());
        RequestData data = new RequestData();
       
        // Disable WSS4J processing of the (decrypted) SAML Token
        WSSConfig wssConfig = WSSConfig.getNewInstance();
        wssConfig.setProcessor(WSSecurityEngine.SAML_TOKEN, new NOOpProcessor());
        wssConfig.setProcessor(WSSecurityEngine.SAML2_TOKEN, new NOOpProcessor());
        data.setWssConfig(wssConfig);
       
        data.setDecCrypto(decryptionKeyManager.getCrypto());
        data.setCallbackHandler(new DecryptionCallbackHandler(keyPassword));
        try {
            List<WSSecurityEngineResult> result =
                proc.handleToken(encryptedRST, data, docInfo);
            if (result.size() > 0) {
                @SuppressWarnings("unchecked")
                List<WSDataRef> dataRefs =
                    (List<WSDataRef>)result.get(result.size() - 1).get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
                if (dataRefs != null && dataRefs.size() > 0) {
                    return dataRefs.get(0).getProtectedElement();
                }
            }
        } catch (WSSecurityException e) {
            LOG.debug(e.getMessage(), e);
            throw new ProcessingException(TYPE.TOKEN_INVALID);
        }
        return null;
    }
View Full Code Here

            return new LifeTime(created, expires);

        } catch (ParseException e) {
            LOG.error("Failed to parse lifetime element in wresult: " + e.getMessage());
            throw new ProcessingException(TYPE.BAD_REQUEST);
        }
    }
View Full Code Here

            }
           
            redirectURL = redirectURL + "?" + sb.toString();
        } catch (Exception ex) {
            LOG.error("Failed to create SignInRequest", ex);
            throw new ProcessingException("Failed to create SignInRequest");
        }       
        return redirectURL;
    }
View Full Code Here

TOP

Related Classes of org.apache.cxf.fediz.core.exception.ProcessingException

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.