a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: LibSecurityTokenProvider.java,v 1.3 2008/08/06 17:28:11 exu Exp $
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpotts * Portions Copyrighted 2016 ForgeRock AS.
ccf9d4a5c6453fa9f8b839baeee25147865fbb7dJames Phillpottsimport static org.forgerock.openam.utils.Time.*;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.configuration.SystemPropertiesManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.common.wsse.BinarySecurityToken;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.disco.common.DiscoServiceManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.disco.EncryptedResourceID;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.plugin.session.SessionManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.AttributeStatement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.AudienceRestrictionCondition;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.AuthenticationStatement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.Conditions;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.NameIdentifier;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.assertion.SubjectConfirmation;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLConstants;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.common.SAMLServiceManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.XMLSignatureManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.KeyProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The class <code>LibSecurityTokenProvider</code> is a default
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * implementation for <code>SecurityTokenProvider</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterpublic class LibSecurityTokenProvider implements SecurityTokenProvider {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected XMLSignatureManager sigManager = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // default certificate for the WSC
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "com.sun.identity.liberty.ws.wsc.certalias";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static String DEFAULT_CERT_ALIAS_VALUE =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SystemPropertiesManager.get(DEFAULT_CERT_ALIAS_KEY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // cert alias for trusted authority, this is used for SAML token signing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static String DEFAULT_TA_CERT_ALIAS_KEY =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "com.sun.identity.liberty.ws.ta.certalias";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static String DEFAULT_TA_CERT_ALIAS_VALUE =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SystemPropertiesManager.get(DEFAULT_TA_CERT_ALIAS_KEY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "com.sun.identity.liberty.ws.security.keyinfotype";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final String AUTH_INSTANT = "authInstant";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Debug debug = Debug.getInstance("libIDWSF");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static ResourceBundle bundle = Locale.getInstallResourceBundle(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "fmLibertySecurity");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster protected static SecurityAttributePlugin attributePlugin = null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Key name for the webservices security attribute mapper.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static final String WS_ATTRIBUTE_PLUGIN =
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "com.sun.identity.liberty.ws.attributeplugin";
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Initializes the <code>LibSecurityTokenProvider</code>.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param credential The credential of the caller used to see if
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * access to this security token provider is allowed
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param sigManager XMLSignatureManager instance of XML digital
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * signature manager class, used for accessing the certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * datastore and digital signing of the assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the caller does not have
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * privilege to access the security authority manager
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void initialize(Object credential,XMLSignatureManager sigManager)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check null for signature manager
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("LibSecurityTokenProvider.initialize");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check valid Session
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SessionProvider provider = SessionManager.getProvider();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // TODO : privilege checking for the ssoToken, how??
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // maybe a relation between the principal of the SSO and the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // certificate? super admin shall be allowed without checking
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // still TBD
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets the alias of the certificate used for issuing WSS token, i.e.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * WSS X509 Token, WSS SAML Token.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If the certAlias is never set, a default certificate will
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * be used for issuing WSS tokens
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param certAlias String alias name for the certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void setCertAlias(java.lang.String certAlias)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Sets the certificate used for issuing WSS token, i.e.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * WSS X509 Token, WSS SAML Token.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If the certificate is never set, a default certificate will
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * be used for issuing WSS tokens
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param cert X509 certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the certificate alias could not be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * obtained from the given certificate.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public void setCertificate(X509Certificate cert)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster this.certAlias = keystore.getCertificateAlias(cert);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SecurityTokenException(bundle.getString("noCertAlias"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets X509 certificate from key store based on the certAlias
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the <code>X509Certificate</code> in the keystore.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if there is an error retrieving
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the certificate.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // retrieve default certAlias from properties
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster DEFAULT_CERT_ALIAS_VALUE.trim().length() == 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // retrieve the cert from the keystore
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster X509Certificate cert = keystore.getX509Certificate(certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // the cert does not exist in the keystore
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Gets the X509 certificate Token
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the BinarySecurityToken object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the token could not be obtained.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public BinarySecurityToken getX509CertificateToken()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get X509Certificate
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // return base 64 encoded binary & X509v3
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SecurityTokenException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates a SAML Assertion for message authentication.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param senderIdentity name identifier of the sender.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return Assertion which contains an AuthenticationStatement
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the assertion could not be obtained
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public SecurityAssertion getSAMLAuthenticationToken(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIdentifier senderIdentity) throws SecurityTokenException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getSAMLToken(senderIdentity, null, null, true, false, null,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates a SAML Assertion for message authorization, the assertion could
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * optionally contain an AuthenticationStatement which will be used for
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * message authentication.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param senderIdentity name identifier of the sender.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param invocatorSession SessionContext of the invocation identity, it
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is normally obtained by the credential reference in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the SAML AttributeDesignator for discovery resource
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * offering which is part of the liberty ID-FF
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthenResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param resourceID id for the resource to be accessed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeAuthN if true, include an AuthenticationStatement in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * the Assertion which will be used for message
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * authentication. if false, no AuthenticationStatement
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * will be included.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeResourceAccessStatement if true, a ResourceAccessStatement
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * will be included in the Assertion (for
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthorizeRequester directive). If false, a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SessionContextStatement will be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion (for AuthenticationSessionContext directive).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * In the case when both AuthorizeRequester and
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthenticationSessionContext directive need to be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * handled, use "true" as parameter here since the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SessionContext will always be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * ResourceAccessStatement.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param recipientProviderID recipient's provider ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the <code>Assertion</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the assertion could not be obtained.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public SecurityAssertion getSAMLAuthorizationToken(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getSAMLToken(senderIdentity, invocatorSession, resourceID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates a SAML Assertion for message authorization, the assertion could
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * optionally contain an AuthenticationStatement which will be used for
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * message authentication.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param senderIdentity name identifier of the sender.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param invocatorSession SessionContext of the invocation identity, it
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is normally obtained by the credential reference in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML AttributeDesignator for discovery resource offering
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * which is part of the liberty ID-FF AuthenResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param encResourceID Encrypted ID for the resource to be accessed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeAuthN if true, include an AuthenticationStatement in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion which will be used for message authentication.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * if false, no AuthenticationStatement will be included.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeResourceAccessStatement if true, a ResourceAccessStatement
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * will be included in the Assertion (for
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthorizeRequester directive). If false, a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SessionContextStatement will be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion (for AuthenticationSessionContext directive).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * In the case when both AuthorizeRequester and
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthenticationSessionContext directive need to be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * handled, use "true" as parameter here since the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SessionContext will always be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * ResourceAccessStatement.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param recipientProviderID recipient's provider ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the <code>Assertion</code> object
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the assertion could not be obtained
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public SecurityAssertion getSAMLAuthorizationToken(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getSAMLToken(senderIdentity, invocatorSession, encResourceID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates a SAML assertion. The confirmationMethod will be set to
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "urn:oasis:names:tc:SAML:1.0:cm:bearer".
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param senderIdentity name identifier of the sender.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param invocatorSession SessionContext of the invocation identity, it
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is normally obtained by the credential reference in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML AttributeDesignator for discovery resource
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * offering which is part of the liberty ID-FF
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthenResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param resourceID id for the resource to be accessed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeAuthN if true, include an AuthenticationStatement in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion which will be used for message
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * authentication. if false, no AuthenticationStatement
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * will be included.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeResourceAccessStatement if true, a ResourceAccessStatement
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * will be included in the Assertion (for
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthorizeRequester directive). If false, a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SessionContextStatement will be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion (for AuthenticationSessionContext directive).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * In the case when both AuthorizeRequester and
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthenticationSessionContext directive need to be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * handled, use "true" as parameter here since the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SessionContext will always be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * ResourceAccessStatement.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param recipientProviderID recipient's provider ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the <code>SecurityAssertion</code>
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the assertion could not be obtained
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getSAMLToken(senderIdentity, invocatorSession, resourceID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates a SAML assertion. The confirmationMethod will be set to
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "urn:oasis:names:tc:SAML:1.0:cm:bearer".
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param senderIdentity name identifier of the sender.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param invocatorSession SessionContext of the invocation identity, it
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * is normally obtained by the credential reference in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SAML AttributeDesignator for discovery resource
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * offering which is part of the liberty ID-FF
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthenResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param encResourceID Encrypted ID for the resource to be accessed.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeAuthN if true, include an AuthenticationStatement in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion which will be used for message
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * authentication. if false, no AuthenticationStatement
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * will be included.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param includeResourceAccessStatement if true, a ResourceAccessStatement
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * will be included in the Assertion (for
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthorizeRequester directive). If false, a
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SessionContextStatement will be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Assertion (for AuthenticationSessionContext directive).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * In the case when both AuthorizeRequester and
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthenticationSessionContext directive need to be
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * handled, use "true" as parameter here since the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * SessionContext will always be included in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * ResourceAccessStatement.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param recipientProviderID recipient's provider ID.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return the <code>Assertion</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SecurityTokenException if the assertion could not be obtained
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return getSAMLToken(senderIdentity, invocatorSession, encResourceID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the Security Assertion.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("getSAMLToken: isBear = " + isBear);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "LibSecurityTokenProvider.getSAMLToken:senderIdentity is null");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster createAuthenticationStatement(senderIdentity, isBear);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ResourceAccessStatement ras = createResourceAccessStatement(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SessionContextStatement scs = createSessionContextStatement(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // make sure the statements are not empty
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error("getSAMLAuthorizationToken: SAML statement should " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "not be null.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String issuer = DiscoServiceManager.getDiscoProviderID();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //Check for the attribute statements.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List attributes = attributePlugin.getAttributes(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(attributes != null && attributes.size() != 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster createAttributeStatement(senderIdentity,attributes,isBear);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster conditions.addAudienceRestrictionCondition(arc);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertion = new SecurityAssertion("", issuer, issueInstant,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertion = new SecurityAssertion("", issuer, issueInstant,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster assertion.signXML(DEFAULT_TA_CERT_ALIAS_VALUE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates Authentication Statement for the name identifier.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private AuthenticationStatement createAuthenticationStatement(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIdentifier senderIdentity, boolean isBearer)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String authMethod = SAMLServiceManager.getAuthMethodURI(authType);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Date authInstant = DateUtils.stringToDate(authTime);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.CONFIRMATION_METHOD_HOLDEROFKEY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster subject = new Subject(senderIdentity, subConfirmation);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authStatement = new AuthenticationStatement(authMethod,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error("createAuthenticationStatement: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SecurityTokenException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates <code>ResourceAccessStatement</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private ResourceAccessStatement createResourceAccessStatement(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isBear) throws SecurityTokenException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "createResourceAccessStatement: resourceID class = " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster resourceID.getClass() + ", value = " + resourceID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List subjects = createSubjectAndProxySubject(senderIdentity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "createResourceAccessStatement: ras = " + ras);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error("createResourceAccessStatement: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SecurityTokenException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns a list of Subjects.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private List createSubjectAndProxySubject(NameIdentifier senderIdentity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster !(sessIdentity = invocatorSession.getSessionSubject()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster .getNameIdentifier()).equals(senderIdentity)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.CONFIRMATION_METHOD_SENDERVOUCHES);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // add proxy subject
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster subject = new Subject(sessIdentity, subConfirmation);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster proxySubject = createProxySubject(senderIdentity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.CONFIRMATION_METHOD_HOLDEROFKEY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster subject = new Subject(senderIdentity, subConfirmation);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates the <code>SessionContextStatement</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private SessionContextStatement createSessionContextStatement(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster boolean isBear) throws SecurityTokenException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List subjects = createSubjectAndProxySubject(senderIdentity,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return new SessionContextStatement(invocatorSession,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.error("createSessionContextStatement: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SecurityTokenException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Creates a <code>ProxySubject</code> object.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.CONFIRMATION_METHOD_HOLDEROFKEY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return new ProxySubject(senderIdentity, subConfirmation);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns the <code>KeyInfo</code> object as a Document Element.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private Element createKeyInfo() throws SecurityTokenException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SecurityTokenException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster keyNameTextString = cert.getSubjectDN().getName();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster base64CertString = Base64.encode(cert.getEncoded());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SecurityTokenException(e.getMessage());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster keyInfo.setAttribute("xmlns", SAMLConstants.XMLSIG_NAMESPACE_URI);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((keyInfoType!=null)&&(keyInfoType.equalsIgnoreCase("certificate"))){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //put Certificate in KeyInfo
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Text certText = doc.createTextNode(base64CertString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster keyInfo.appendChild(x509Data).appendChild(x509Certificate);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else { //put public key in keyinfo
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Text keyNameText = doc.createTextNode(keyNameTextString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster , "DSAKeyValue");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster doc.createTextNode(Base64.encode(_p.toByteArray()));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster doc.createTextNode(Base64.encode(_q.toByteArray()));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster doc.createTextNode(Base64.encode(_g.toByteArray()));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster doc.createTextNode(Base64.encode(_y.toByteArray()));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster } else { // It is RSA
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster BigInteger exponent = rsakey.getPublicExponent();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster , "RSAKeyValue");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster , "Modulus");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster , "Exponent");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster doc.createTextNode(Base64.encode(modulus.toByteArray()));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster doc.createTextNode(Base64.encode(exponent.toByteArray()));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster keyInfo.appendChild(keyName).appendChild(keyNameText);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private AttributeStatement createAttributeStatement(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIdentifier senderIdentity, List attributes,boolean isBearer) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAMLConstants.CONFIRMATION_METHOD_HOLDEROFKEY);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster subject = new Subject(senderIdentity, subConfirmation);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return new AttributeStatement(subject, attributes);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster debug.message("createAttributeStatement: ", e);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static SecurityAttributePlugin getAttributePlugin() {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String pluginName = SystemPropertiesManager.get(WS_ATTRIBUTE_PLUGIN);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if(pluginName == null || pluginName.length() == 0) {