SoapSTSInstanceModule.java revision d3e12852242984b5ef0bb0a3760ff89c5c8a72d5
/*
* The contents of this file are subject to the terms of the Common Development and
* Distribution License (the License). You may not use this file except in compliance with the
* License.
*
* You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
* specific language governing permission and limitations under the License.
*
* When distributing Covered Software, include this CDDL Header Notice in each file and include
* the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
* Header, with the fields enclosed by brackets [] replaced by your own identifying
* information: "Portions Copyrighted [year] [name of copyright owner]".
*
* Copyright 2013-2014 ForgeRock AS. All rights reserved.
*/
import org.forgerock.openam.sts.token.validator.wss.disp.UsernameTokenAuthenticationRequestDispatcher;
/**
* This is the base module for the STS operations. It will take an instance of KeystoreConfig (ultimately provided by
* the UI elements configuring STS state) to implement the @Provides method to populate an instance of the
* STSPropertiesMBean necessary for all of the token operations.
*
*/
public class SoapSTSInstanceModule extends AbstractModule {
private final SoapSTSInstanceConfig stsInstanceConfig;
this.stsInstanceConfig = stsInstanceConfig;
}
public void configure() {
// bind(AMTokenCache.class).to(AMTokenCacheImpl.class).in(Scopes.SINGLETON);
//Bind the class used to publish STS instances. Leverages instance-specific state, so can't be global.
//we want only one instance of the TokenStore shared among all token operations
bind(AuthenticationUrlProvider.class)
.to(AuthenticationUrlProviderImpl.class);
/*
bind the class that can issue XML Element instances encapsulating an OpenAM session Id.
*/
bind(new TypeLiteral<XmlMarshaller<OpenAMSessionToken>>(){}).to(OpenAMSessionTokenMarshaller.class);
bind(new TypeLiteral<XmlMarshaller<OpenIdConnectIdToken>>(){}).to(OpenIdConnectIdTokenMarshaller.class);
bind(new TypeLiteral<JsonMarshaller<OpenIdConnectIdToken>>(){}).to(OpenIdConnectIdTokenMarshaller.class);
//binding all of the Providers of the various sorts of operations
//bind the class defining the core STS functionality - necessary for its dependencies to be injected
}
/**
* This method will provide the instance of the STSPropertiesMBean necessary both for the STS proper, and for the
* CXF interceptor-set which enforces the SecurityPolicy bindings.
*
* It should be a singleton because this same instance is shared by all of the token operation instances, as well as
* by the CXF interceptor-set
*/
stsProperties.setCallbackHandler(new SoapSTSCallbackHandler(stsInstanceConfig.getKeystoreConfig(), logger));
try {
} catch (WSSecurityException e) {
throw new IllegalStateException(message);
}
return stsProperties;
}
/*
These properties configure the web-service deployment, and are primarily referenced by the ws-security interceptors
deployed as part of CXF. These interceptors are responsible for enforcing the security-policy bindings protecting
the STS. To this end, various crypto objects are required.
*/
Map<String, Object> getProperties(Provider<UsernameTokenValidator> usernameTokenValidatorProvider, Logger logger) throws WSSecurityException {
properties.put(SecurityConstants.CALLBACK_HANDLER, new SoapSTSCallbackHandler(stsInstanceConfig.getKeystoreConfig(), logger));
properties.put(SecurityConstants.SIGNATURE_USERNAME, stsInstanceConfig.getKeystoreConfig().getSignatureKeyAlias());
/*
Plug-in the validator for Username Tokens and Certificate Tokens. These classes will be called to enforce SecurityPolicy bindings which specify
UsernameTokens and X509Certificates.
Removing the AMCertificateTokenValidator, as the AM Cert auth won't satisfy authenticating a user with a cert.
for full details.
TODO: it should also be configurable, on an STS-by-STS basis, which token-validators are plugged-into the SecurityPolicy
enforcement - perhaps this should be determined by the SecurityPolicy binding associated with the STS deployment.
*/
// properties.put(SecurityConstants.SIGNATURE_TOKEN_VALIDATOR, certificateTokenValidatorProvider.get());
return properties;
}
private Properties getEncryptionProperties() {
"org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin"
);
try {
keystorePassword = new String(stsInstanceConfig.getKeystoreConfig().getKeystorePassword(), AMSTSConstants.UTF_8_CHARSET_ID);
} catch (UnsupportedEncodingException e) {
throw new RuntimeException("Unsupported string encoding for keystore password: " + e);
}
properties.put("org.apache.ws.security.crypto.merlin.keystore.file", stsInstanceConfig.getKeystoreConfig().getKeystoreFileName());
return properties;
}
/*
The STSInstancePublisherImpl needs this dependency injected.
*/
return stsInstanceConfig;
}
/*
Ultimately, the Token*OperationProvider instances must know the set of Token{Validators | Providers | Renewers} to
create for the Token*OperationProvider. This information will ultimately come from the user, and will be injected
into the Token*OperationProvider classes. The methods below provide the state needed by Guice, leveraging the
user-provided configuration.
*/
return stsInstanceConfig.getIssueTokenTypes();
}
return stsInstanceConfig.getValidateTokenStatusTypes();
}
return stsInstanceConfig.getRenewTokenTypes();
}
/*
Provides the valid input->output mappings for the token transformations that can be realized by the validate
method.
*/
}
/*
Provides the WSSUsernameTokenValidator provider to the TokenOperationProviderImpl. Also is the UsernameTokenValidator
used to validate UNTs in the SecurityPolicy enforcement context. TODO: need to configure instances of this class
with state which will allow it to invalidate the sessions created - or perhaps to authenticate without creating a
session. In other words, if a sts instance is protected by a SecurityPolicy binding which includes a UNT ProtectionToken,
and then seeks to validate the UNT, a session will be created twice, once for SecurityPolicy enforcement, and once for
UNT verification, and caching the sessionId in the ThreadLocalTokenCache the second time will cause it to emit a warning
message. I only need to cache any interim AMSession instance as part of a token transformation - i.e. if the principal
associated with the token validation operation is necessary for the token issue operation. So my UsernameTokenValidator
needs the contextual information necessary to make this distinction.
*/
}
/*
Bindings below required by the STSAuthenticationUriProviderImpl - necessary to construct the URI for the REST authn call.
*/
}
}
return "/authenticate";
}
}
return "/sessions/?_action=logout";
}
return "/users/?_action=idFromSession";
}
return "/sts-tokengen/issue?_action=issue";
}
/*
This cannot come from the SystemPropertiesManager, as this is not running in the context of OpenAM. Perhaps
set in SystemProperties, or some other properties file? Right now, just hard-code. TODO
*/
return "iPlanetDirectoryPro";
// return SystemPropertiesManager.get(Constants.AM_COOKIE_NAME);
}
String getJsonRoot() {
return "/json";
}
}
/*
Allows for a custom AuthnContextMapper to be plugged-in. This AuthnContextMapper provides a
SAML2 AuthnContext class ref value given an input token and input token type.
*/
String customMapperClassName = SystemPropertiesManager.get(AMSTSConstants.CUSTOM_STS_AUTHN_CONTEXT_MAPPER_PROPERTY);
if (customMapperClassName == null) {
return new AuthnContextMapperImpl(logger);
} else {
try {
} catch (Exception e) {
logger.error("Exception caught implementing custom AuthnContextMapper class " + customMapperClassName
+ "; Returning default AuthnContextMapperImpl. The exception: " + e);
return new AuthnContextMapperImpl(logger);
}
}
}
Logger getSlf4jLogger() {
}
}