/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: LibSecurityTokenProvider.java,v 1.3 2008/08/06 17:28:11 exu Exp $
*
* Portions Copyrighted 2016 ForgeRock AS.
*/
/**
* The class <code>LibSecurityTokenProvider</code> is a default
* implementation of <code>SecurityTokenProvider</code>.
*/
// default certificate for the WSC
"com.sun.identity.liberty.ws.wsc.certalias";
// cert alias for trusted authority, this is used for SAML token signing
"com.sun.identity.liberty.ws.ta.certalias";
"com.sun.identity.liberty.ws.security.keyinfotype";
"fmLibertySecurity");
/**
* Key name for the webservices security attribute mapper.
*/
"com.sun.identity.liberty.ws.attributeplugin";
/**
* Initializes the <code>LibSecurityTokenProvider</code>.
*
* @param credential The credential of the caller used to see if
* access to this security token provider is allowed
* @param sigManager XMLSignatureManager instance of XML digital
* signature manager class, used for accessing the certificate
* datastore and digital signing of the assertion.
* @throws SecurityTokenException if the caller does not have
* privilege to access the security authority manager
*/
throws SecurityTokenException {
// check null for signature manager
if (sigManager == null) {
throw new SecurityTokenException(
}
// check valid Session
try {
throw new SecurityTokenException(
}
}
}
} catch (SessionException e) {
throw new SecurityTokenException(
}
//
// TODO: privilege checking for the ssoToken is not implemented. The
// constructor above only verifies that the session is valid, so any
// caller holding a valid SSO token appears to obtain this provider and
// the signing / token-issuing capability it exposes. Possible approach:
// tie the principal of the SSO token to the certificate; a super admin
// should be allowed without further checks. Still TBD.
//
this.sigManager = sigManager;
}
/**
* Sets the alias of the certificate used for issuing WSS token, i.e.
* WSS X509 Token, WSS SAML Token.
* If the certAlias is never set, a default certificate will
* be used for issuing WSS tokens
*
* @param certAlias String alias name for the certificate
*/
throws SecurityTokenException {
if (debug.messageEnabled()) {
}
wssCert = this.getX509Certificate();
}
/**
* Sets the certificate used for issuing WSS token, i.e.
* WSS X509 Token, WSS SAML Token.
* If the certificate is never set, a default certificate will
* be used for issuing WSS tokens
*
* @param cert X509 certificate
* @throws SecurityTokenException if could not get cert alias from
* corresponding Certificate.
*/
throws SecurityTokenException {
if (debug.messageEnabled()) {
}
}
}
/**
* Gets X509 certificate from key store based on the certAlias
*
* @return the <code>X509Certificate</code> in the keystore.
* @throws SecurityTokenException if there is an error retrieving
* the certificate.
*/
throws SecurityTokenException {
// retrieve default certAlias from properties
if (DEFAULT_CERT_ALIAS_VALUE == null ||
throw new SecurityTokenException(
}
}
// retrieve the cert from the keystore
// the cert does not exist in the keystore
throw new SecurityTokenException(
}
return cert;
}
/**
* Gets the X509 certificate Token
*
* @return the BinarySecurityToken object.
* @throws SecurityTokenException if the token could not be obtained.
*/
throws SecurityTokenException {
// get X509Certificate
wssCert = this.getX509Certificate();
}
// return base 64 encoded binary & X509v3
try {
return new BinarySecurityToken(value,
} catch (Exception e) {
throw new SecurityTokenException(e.getMessage());
}
}
/**
* Creates a SAML Assertion for message authentication.
*
* @param senderIdentity name identifier of the sender.
* @return Assertion which contains an AuthenticationStatement
* @throws SecurityTokenException if the assertion could not be obtained
*/
false);
}
/**
* Creates a SAML Assertion for message authorization, the assertion could
* optionally contain an AuthenticationStatement which will be used for
* message authentication.
*
* @param senderIdentity name identifier of the sender.
* @param invocatorSession SessionContext of the invocation identity, it
* is normally obtained by the credential reference in
* the SAML AttributeDesignator for discovery resource
* offering which is part of the liberty ID-FF
* AuthenResponse.
* @param resourceID id for the resource to be accessed.
* @param includeAuthN if true, include an AuthenticationStatement in
* the Assertion which will be used for message
* authentication. if false, no AuthenticationStatement
* will be included.
* @param includeResourceAccessStatement if true, a ResourceAccessStatement
* will be included in the Assertion (for
* AuthorizeRequester directive). If false, a
* SessionContextStatement will be included in the
* Assertion (for AuthenticationSessionContext directive).
* In the case when both AuthorizeRequester and
* AuthenticationSessionContext directive need to be
* handled, use "true" as parameter here since the
* SessionContext will always be included in the
* ResourceAccessStatement.
* @param recipientProviderID recipient's provider ID.
* @return the <code>Assertion</code> object.
* @throws SecurityTokenException if the assertion could not be obtained.
*/
boolean includeAuthN,
boolean includeResourceAccessStatement,
throws SecurityTokenException {
recipientProviderID, false);
}
/**
* Creates a SAML Assertion for message authorization, the assertion could
* optionally contain an AuthenticationStatement which will be used for
* message authentication.
*
* @param senderIdentity name identifier of the sender.
* @param invocatorSession SessionContext of the invocation identity, it
* is normally obtained by the credential reference in the
* SAML AttributeDesignator for discovery resource offering
* which is part of the liberty ID-FF AuthenResponse.
* @param encResourceID Encrypted ID for the resource to be accessed.
* @param includeAuthN if true, include an AuthenticationStatement in the
* Assertion which will be used for message authentication.
* if false, no AuthenticationStatement will be included.
* @param includeResourceAccessStatement if true, a ResourceAccessStatement
* will be included in the Assertion (for
* AuthorizeRequester directive). If false, a
* SessionContextStatement will be included in the
* Assertion (for AuthenticationSessionContext directive).
* In the case when both AuthorizeRequester and
* AuthenticationSessionContext directive need to be
* handled, use "true" as parameter here since the
* SessionContext will always be included in the
* ResourceAccessStatement.
* @param recipientProviderID recipient's provider ID.
* @return the <code>Assertion</code> object
* @throws SecurityTokenException if the assertion could not be obtained
*/
boolean includeAuthN,
boolean includeResourceAccessStatement,
throws SecurityTokenException {
recipientProviderID, false);
}
/**
* Creates a SAML assertion. The confirmationMethod will be set to
* "urn:oasis:names:tc:SAML:1.0:cm:bearer". A bearer assertion carries no
* proof of possession, so it should only be sent over a confidential,
* integrity-protected channel.
*
* @param senderIdentity name identifier of the sender.
* @param invocatorSession SessionContext of the invocation identity, it
* is normally obtained by the credential reference in the
* SAML AttributeDesignator for discovery resource
* offering which is part of the liberty ID-FF
* AuthenResponse.
* @param resourceID id for the resource to be accessed.
* @param includeAuthN if true, include an AuthenticationStatement in the
* Assertion which will be used for message
* authentication. if false, no AuthenticationStatement
* will be included.
* @param includeResourceAccessStatement if true, a ResourceAccessStatement
* will be included in the Assertion (for
* AuthorizeRequester directive). If false, a
* SessionContextStatement will be included in the
* Assertion (for AuthenticationSessionContext directive).
* In the case when both AuthorizeRequester and
* AuthenticationSessionContext directive need to be
* handled, use "true" as parameter here since the
* SessionContext will always be included in the
* ResourceAccessStatement.
* @param recipientProviderID recipient's provider ID.
* @return the <code>SecurityAssertion</code>
* @throws SecurityTokenException if the assertion could not be obtained
*/
boolean includeAuthN,
boolean includeResourceAccessStatement,
throws SecurityTokenException {
recipientProviderID, true);
}
/**
* Creates a SAML assertion. The confirmationMethod will be set to
* "urn:oasis:names:tc:SAML:1.0:cm:bearer". A bearer assertion carries no
* proof of possession, so it should only be sent over a confidential,
* integrity-protected channel.
*
* @param senderIdentity name identifier of the sender.
* @param invocatorSession SessionContext of the invocation identity, it
* is normally obtained by the credential reference in the
* SAML AttributeDesignator for discovery resource
* offering which is part of the liberty ID-FF
* AuthenResponse.
* @param encResourceID Encrypted ID for the resource to be accessed.
* @param includeAuthN if true, include an AuthenticationStatement in the
* Assertion which will be used for message
* authentication. if false, no AuthenticationStatement
* will be included.
* @param includeResourceAccessStatement if true, a ResourceAccessStatement
* will be included in the Assertion (for
* AuthorizeRequester directive). If false, a
* SessionContextStatement will be included in the
* Assertion (for AuthenticationSessionContext directive).
* In the case when both AuthorizeRequester and
* AuthenticationSessionContext directive need to be
* handled, use "true" as parameter here since the
* SessionContext will always be included in the
* ResourceAccessStatement.
* @param recipientProviderID recipient's provider ID.
* @return the <code>Assertion</code> object.
* @throws SecurityTokenException if the assertion could not be obtained
*/
boolean includeAuthN,
boolean includeResourceAccessStatement,
throws SecurityTokenException {
recipientProviderID, true);
}
/**
* Returns the Security Assertion.
*/
boolean includeAuthN,
boolean includeResourceAccessStatement,
boolean isBear)
throws SecurityTokenException {
if (debug.messageEnabled()) {
}
if (senderIdentity== null) {
"LibSecurityTokenProvider.getSAMLToken:senderIdentity is null");
throw new SecurityTokenException(
}
boolean statementNotFound = true;
if (includeAuthN) {
statementNotFound = false;
}
isBear);
statementNotFound = false;
} else {
if (invocatorSession!=null) {
isBear);
statementNotFound = false;
}
}
// make sure the statement list is not empty
if (statementNotFound) {
"not be null.");
throw new SecurityTokenException(
}
//Check for the attribute statements.
if(attributePlugin != null) {
if(attributeStatement != null) {
}
}
}
try {
if (recipientProviderID != null) {
} else {
}
} catch (Exception e) {
throw new SecurityTokenException(
}
return assertion;
}
/**
* Creates Authentication Statement for the name identifier.
*/
throws SecurityTokenException {
try {
if (isBearer) {
} else {
}
subject);
} catch (Exception e) {
throw new SecurityTokenException(e.getMessage());
}
return authStatement;
}
/**
* Creates <code>ResourceAccessStatement</code> object.
*/
boolean isBear) throws SecurityTokenException {
if (debug.messageEnabled()) {
"createResourceAccessStatement: resourceID class = " +
}
try {
isBear);
}
if (resourceID instanceof String) {
ras = new ResourceAccessStatement(
subject);
} else {
ras = new ResourceAccessStatement(
subject);
}
if (debug.messageEnabled()) {
"createResourceAccessStatement: ras = " + ras);
}
} catch (Exception e) {
throw new SecurityTokenException(e.getMessage());
}
return ras;
}
/**
* Returns a list of Subjects.
*/
if (invocatorSession != null &&
// add proxy subject
isBear);
} else {
if (isBear) {
} else {
}
}
return returnList;
}
/**
* Creates the <code>SessionContextStatement</code> object.
*/
boolean isBear) throws SecurityTokenException {
try {
isBear);
}
return new SessionContextStatement(invocatorSession,
subject);
} catch (Exception e) {
throw new SecurityTokenException(e.getMessage());
}
}
/**
* Creates a <code>ProxySubject</code> object.
*/
boolean isBear)
throws SecurityTokenException, SAMLException {
if (isBear) {
} else {
}
}
/**
* Returns the <code>KeyInfo</code> object as a Document Element.
*/
try {
} catch (Exception e) {
throw new SecurityTokenException(e.getMessage());
}
try {
} catch (Exception e) {
throw new SecurityTokenException(e.getMessage());
}
//put Certificate in KeyInfo
} else { //put public key in keyinfo
, "DSAKeyValue");
p.appendChild(value_p);
q.appendChild(value_q);
g.appendChild(value_g);
y.appendChild(value_y);
} else { // It is RSA
, "RSAKeyValue");
, "Modulus");
, "Exponent");
}
}
return keyInfo;
}
try {
if (isBearer) {
} else {
}
} catch (Exception e) {
if(debug.messageEnabled()) {
}
}
return null;
}
if(attributePlugin != null) {
return attributePlugin;
}
return null;
}
try {
if(debug.warningEnabled()) {
"getAttributePlugin: Exception", ex);
}
}
return attributePlugin;
}
}