Author: sguilhen(a)redhat.com
Date: 2009-10-06 14:02:54 -0400 (Tue, 06 Oct 2009)
New Revision: 817
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/JBossSTS.java
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/StandardRequestHandler.java
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/WSTrustJAXBFactory.java
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/WSTrustUtil.java
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.java
Log:
JBID-141: Added logging statements to STS classes
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/JBossSTS.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/JBossSTS.java 2009-10-05
11:16:15 UTC (rev 816)
+++
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/JBossSTS.java 2009-10-06
18:02:54 UTC (rev 817)
@@ -34,17 +34,12 @@
import javax.xml.ws.WebServiceException;
import javax.xml.ws.WebServiceProvider;
+import org.apache.log4j.Logger;
import org.jboss.identity.federation.core.config.STSType;
import org.jboss.identity.federation.core.exceptions.ConfigurationException;
import org.jboss.identity.federation.core.exceptions.ParsingException;
import org.jboss.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
import org.jboss.identity.federation.core.util.JAXBUtil;
-import org.jboss.identity.federation.core.wstrust.STSConfiguration;
-import org.jboss.identity.federation.core.wstrust.SecurityTokenService;
-import org.jboss.identity.federation.core.wstrust.WSTrustConstants;
-import org.jboss.identity.federation.core.wstrust.WSTrustException;
-import org.jboss.identity.federation.core.wstrust.WSTrustJAXBFactory;
-import org.jboss.identity.federation.core.wstrust.WSTrustRequestHandler;
import org.jboss.identity.federation.core.wstrust.wrappers.BaseRequestSecurityToken;
import org.jboss.identity.federation.core.wstrust.wrappers.RequestSecurityToken;
import
org.jboss.identity.federation.core.wstrust.wrappers.RequestSecurityTokenCollection;
@@ -63,6 +58,7 @@
@ServiceMode(value = Service.Mode.PAYLOAD)
public class JBossSTS implements SecurityTokenService
{
+ private static Logger logger = Logger.getLogger(JBossSTS.class);
@Resource
protected WebServiceContext context;
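Review bot: The new `logger` field is declared `private static Logger`, leaving a static reference mutable for no reason; the idiomatic form is `private static final Logger logger = Logger.getLogger(JBossSTS.class);`. The same applies to the logger fields this commit adds to WSTrustUtil and SAML20TokenProvider. The naming also diverges from StandardRequestHandler, whose hunks use `log` with a cached `trace` flag; one convention across the STS classes would make the output easier to correlate. The class body continues outside the hunk.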
@@ -115,6 +111,8 @@
if(this.config == null)
try
{
+ if(logger.isInfoEnabled())
+ logger.info("Loading STS configuration");
this.config = this.getConfiguration();
}
catch (ConfigurationException e)
@@ -124,7 +122,9 @@
WSTrustRequestHandler handler = this.config.getRequestHandler();
String requestType = request.getRequestType().toString();
-
+ if(logger.isDebugEnabled())
+ logger.debug("STS received request of type " + requestType);
+
try
{
if (requestType.equals(WSTrustConstants.ISSUE_REQUEST))
@@ -191,7 +191,10 @@
// get the configuration file and parse it.
URL configurationFile =
SecurityActions.getContextClassLoader().getResource("jboss-sts.xml");
if (configurationFile == null)
+ {
+ logger.warn("jboss-sts.xml configuration file not found. Using default
configuration values");
return new JBossSTSConfiguration();
+ }
try
{
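Review bot: The added warning says defaults are used but not what that means for an STS; the `signIssuedToken() && getSTSKeyPair() != null` guard in StandardRequestHandler suggests that a configuration without a key pair disables both token signing and signature validation, so a missing jboss-sts.xml may silently turn into unsigned tokens. If `JBossSTSConfiguration()` indeed has no key pair, say so in the message, e.g. `logger.warn("jboss-sts.xml configuration file not found. Using default configuration values; issued tokens will not be signed");`, or consider treating the missing file as a configuration error instead of defaulting. Whether the defaults omit the key pair cannot be confirmed from this hunk, and `getConfiguration` starts and ends outside it.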
@@ -199,7 +202,10 @@
InputStream stream = configurationFile.openStream();
JAXBElement<STSType> element = (JAXBElement<STSType>)
JAXBUtil.getUnmarshaller(pkgName).unmarshal(stream);
STSType stsConfig = element.getValue();
- return new JBossSTSConfiguration(stsConfig);
+ STSConfiguration configuration = new JBossSTSConfiguration(stsConfig);
+ if(logger.isInfoEnabled())
+ logger.info("jboss-sts.xml configuration file loaded");
+ return configuration;
}
catch (Exception e)
{
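Review bot: The `InputStream` opened on the context line above the new code is never closed: the new `return configuration;` leaves the try block with the stream still open, and the catch path does not release it either. Since the commit already separates construction of `configuration` from the return, this is the natural place to wrap the unmarshal in a try/finally that closes the stream. The unchecked cast to `JAXBElement<STSType>` would also merit a scoped `@SuppressWarnings("unchecked")` with a comment, but that lies outside the hunk. `getConfiguration` starts and ends outside the hunk.
```java
InputStream stream = configurationFile.openStream();
try
{
   JAXBElement<STSType> element = (JAXBElement<STSType>) JAXBUtil.getUnmarshaller(pkgName).unmarshal(stream);
   STSType stsConfig = element.getValue();
   STSConfiguration configuration = new JBossSTSConfiguration(stsConfig);
   if(logger.isInfoEnabled())
      logger.info("jboss-sts.xml configuration file loaded");
   return configuration;
}
finally
{
   // release the stream whether or not unmarshalling succeeded.
   stream.close();
}
```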
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/StandardRequestHandler.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/StandardRequestHandler.java 2009-10-05
11:16:15 UTC (rev 816)
+++
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/StandardRequestHandler.java 2009-10-06
18:02:54 UTC (rev 817)
@@ -84,6 +84,9 @@
public RequestSecurityTokenResponse issue(RequestSecurityToken request, Principal
callerPrincipal)
throws WSTrustException
{
+ if(trace)
+ log.trace("Issuing token for principal " + callerPrincipal);
+
Document rstDocument = request.getRSTDocument();
if (rstDocument == null)
throw new IllegalArgumentException("Request does not contain the DOM
Document");
@@ -122,6 +125,8 @@
if (request.getLifetime() == null &&
this.configuration.getIssuedTokenTimeout() != 0)
{
// if no lifetime has been specified, use the configured timeout value.
+ if (log.isDebugEnabled())
+ log.debug("Lifetime has not been specified. Using the default timeout
value.");
request.setLifetime(WSTrustUtil.createDefaultLifetime(this.configuration.getIssuedTokenTimeout()));
}
requestContext.setServiceProviderPublicKey(providerPublicKey);
@@ -130,16 +135,20 @@
URI keyType = request.getKeyType();
if (keyType == null)
{
+ if(log.isDebugEnabled())
+ log.debug("No key type could be found in the request. Using the
default BEARER type.");
keyType = URI.create(WSTrustConstants.KEY_TYPE_BEARER);
request.setKeyType(keyType);
}
long keySize = request.getKeySize();
if (keySize == 0)
{
+ if (log.isDebugEnabled())
+ log.debug("No key size could be found in the request. Using the
default size. (" + KEY_SIZE + ")");
keySize = KEY_SIZE;
request.setKeySize(keySize);
}
-
+
// get the key wrap algorithm.
URI keyWrapAlgo = request.getKeyWrapAlgorithm();
@@ -178,20 +187,22 @@
{
throw new WSTrustException("Error generating combined secret
key", e);
}
- requestContext.setProofTokenInfo(WSTrustUtil.createKeyInfo(combinedSecret,
providerPublicKey, keyWrapAlgo));
+ requestContext.setProofTokenInfo(WSTrustUtil.createKeyInfo(combinedSecret,
providerPublicKey,
+ keyWrapAlgo));
}
else
{
// client secret has not been specified - use the sts secret only.
requestedProofToken.setAny(objFactory.createBinarySecret(serverBinarySecret));
- requestContext.setProofTokenInfo(WSTrustUtil.createKeyInfo(serverSecret,
providerPublicKey, keyWrapAlgo));
+ requestContext
+ .setProofTokenInfo(WSTrustUtil.createKeyInfo(serverSecret,
providerPublicKey, keyWrapAlgo));
}
}
else if (WSTrustConstants.KEY_TYPE_PUBLIC.equalsIgnoreCase(keyType.toString()))
{
// TODO: get the client certificate from a metadata provider or from the
UseKey section of the WS-T request.
Certificate certificate = null;
- if(certificate != null)
+ if (certificate != null)
requestContext.setProofTokenInfo(WSTrustUtil.createKeyInfo(certificate));
else
throw new WSTrustException("Unable to locate client public
key");
@@ -217,12 +228,12 @@
response.setKeySize(keySize);
response.setKeyType(keyType);
response.setRequestedSecurityToken(requestedSecurityToken);
-
- if(requestedProofToken != null)
+
+ if (requestedProofToken != null)
response.setRequestedProofToken(requestedProofToken);
- if(serverEntropy != null)
+ if (serverEntropy != null)
response.setEntropy(serverEntropy);
-
+
// set the attached and unattached references.
if (requestContext.getAttachedReference() != null)
response.setRequestedAttachedReference(requestContext.getAttachedReference());
@@ -270,9 +281,6 @@
else if (appliesTo == null && request.getTokenType() == null)
throw new WSTrustException("Either AppliesTo or TokenType must be present
in a security token request");
- // TODO: get the provider using the token from the request.
- provider = this.configuration.getProviderForTokenType(SAMLUtil.SAML2_TOKEN_TYPE);
-
if (provider != null)
{
// create the request context and delegate token generation to the provider.
@@ -293,8 +301,6 @@
RequestedSecurityTokenType requestedSecurityToken = new
RequestedSecurityTokenType();
requestedSecurityToken.setAny(requestContext.getSecurityToken().getTokenValue());
- // TODO: create proof token and encrypt the token if needed
-
RequestSecurityTokenResponse response = new RequestSecurityTokenResponse();
if (request.getContext() != null)
response.setContext(request.getContext());
@@ -324,6 +330,8 @@
public RequestSecurityTokenResponse validate(RequestSecurityToken request, Principal
callerPrincipal)
throws WSTrustException
{
+ if (trace)
+ log.trace("Started validation for request " + request.getContext());
Document rstDocument = request.getRSTDocument();
if (rstDocument == null)
throw new IllegalArgumentException("Request does not contain the DOM
Document");
@@ -342,7 +350,6 @@
+ securityToken.getLocalName());
WSTrustRequestContext context = new WSTrustRequestContext(request,
callerPrincipal);
-
StatusType status = null;
// validate the security token digital signature.
@@ -378,11 +385,18 @@
status.setReason("Validation failure: unable to verify digital
signature: " + e.getMessage());
}
}
- // TODO: add logging statements alerting that signature validation was not
performed.
-
+ else
+ {
+ if(trace)
+ log.trace("Security Token digital signature has NOT been verified.
Either the STS has been configured" +
+ "not to sign tokens or the STS key pair has not been properly
specified.");
+ }
+
// if the signature is valid, then let the provider perform any additional
validation checks.
if (status == null)
{
+ if (trace)
+ log.trace("Delegating token validation to token provider");
provider.validateToken(context);
status = context.getStatus();
}
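Review bot: The new else branch records at trace level only that the signature was not verified and leaves `status` null, so the unverified token continues into `provider.validateToken(context)` exactly as a verified one would; an STS accepting tokens without a signature check is a fail-open path that should be visible in production logs, so this belongs at warn, or the branch should set a failure status when the STS is expected to sign. The string concatenation is also missing a space between `"...has been configured"` and `"not to sign..."`, which prints `configurednot`. Suggested: `log.warn("Security Token digital signature has NOT been verified. Either the STS has been configured " + "not to sign tokens or the STS key pair has not been properly specified.");`. The condition that selects this branch is outside the hunk, so its exact trigger is inferred from the message; `validate` starts and ends outside the hunk.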
@@ -424,49 +438,43 @@
if (this.configuration.signIssuedToken() &&
this.configuration.getSTSKeyPair() != null)
{
KeyPair keyPair = this.configuration.getSTSKeyPair();
- if (keyPair != null)
+ URI signatureURI = request.getSignatureAlgorithm();
+ String signatureMethod = signatureURI != null ? signatureURI.toString() :
SignatureMethod.RSA_SHA1;
+ try
{
- URI signatureURI = request.getSignatureAlgorithm();
- String signatureMethod = signatureURI != null ? signatureURI.toString() :
SignatureMethod.RSA_SHA1;
- try
+ Node rst = rstrDocument
+ .getElementsByTagNameNS(WSTrustConstants.BASE_NAMESPACE,
"RequestedSecurityToken").item(0);
+ Element tokenElement = (Element) rst.getFirstChild();
+ if (trace)
{
- Node rst =
rstrDocument.getElementsByTagNameNS(WSTrustConstants.BASE_NAMESPACE,
- "RequestedSecurityToken").item(0);
- Element tokenElement = (Element) rst.getFirstChild();
- if (trace)
+ log.trace("NamespaceURI of element to be signed:" +
tokenElement.getNamespaceURI());
+ }
+ rstrDocument = XMLSignatureUtil.sign(rstrDocument, tokenElement, keyPair,
DigestMethod.SHA1,
+ signatureMethod, "#" +
tokenElement.getAttribute("ID"));
+ if (trace)
+ {
+ try
{
- log.trace("NamespaceURI of element to be signed:" +
tokenElement.getNamespaceURI());
- }
- /* XMLSignatureUtil.sign(tokenElement.getOwnerDocument(), keyPair,
DigestMethod.SHA1, signatureMethod,
- "#" + tokenElement.getAttribute("ID"));
- */
- rstrDocument = XMLSignatureUtil.sign(rstrDocument, tokenElement,
keyPair, DigestMethod.SHA1,
- signatureMethod, "#" +
tokenElement.getAttribute("ID"));
- if (trace)
- {
- try
- {
- log.trace("Signed Token:" +
DocumentUtil.getNodeAsString(tokenElement));
+ log.trace("Signed Token:" +
DocumentUtil.getNodeAsString(tokenElement));
- Document tokenDocument = DocumentUtil.createDocument();
- tokenDocument.appendChild(tokenDocument.importNode(tokenElement,
true));
- log.trace("valid=" +
XMLSignatureUtil.validate(tokenDocument, keyPair.getPublic()));
+ Document tokenDocument = DocumentUtil.createDocument();
+ tokenDocument.appendChild(tokenDocument.importNode(tokenElement,
true));
+ log.trace("valid=" +
XMLSignatureUtil.validate(tokenDocument, keyPair.getPublic()));
- }
- catch (Exception ignore)
- {
- }
}
+ catch (Exception ignore)
+ {
+ }
}
- catch (Exception e)
- {
- throw new WSTrustException("Failed to sign security token",
e);
- }
}
+ catch (Exception e)
+ {
+ throw new WSTrustException("Failed to sign security token", e);
+ }
}
}
return rstrDocument;
}
-
+
}
\ No newline at end of file
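Review bot: On the new line `String signatureMethod = signatureURI != null ? signatureURI.toString() : SignatureMethod.RSA_SHA1;` the algorithm URI comes straight from the requester's RST and is handed to `XMLSignatureUtil.sign` without any check that the STS supports it, so the client chooses how the STS signs its own token; compare it with the supported set first, e.g. `if (signatureURI != null && !SignatureMethod.RSA_SHA1.equals(signatureMethod)) throw new WSTrustException("Unsupported signature algorithm: " + signatureMethod);` widened to whatever algorithms are actually supported. The diagnostic block still ends in an empty `catch (Exception ignore)`; logging the exception at trace level would make a failing `validate` self-check visible instead of silently dropping it. Dropping the inner `keyPair != null` check is fine, since the enclosing condition already guarantees it. The enclosing method starts outside the hunk.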
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/WSTrustJAXBFactory.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/WSTrustJAXBFactory.java 2009-10-05
11:16:15 UTC (rev 816)
+++
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/WSTrustJAXBFactory.java 2009-10-06
18:02:54 UTC (rev 817)
@@ -150,42 +150,6 @@
{
throw new ParsingException(e);
}
-
-
- /*Element targetElement = this.getValidateOrRenewOrCancelTarget(document);
-
- try
- {
- Object object = this.unmarshaller.unmarshal(request);
- if (object instanceof JAXBElement)
- {
- JAXBElement<?> element = (JAXBElement<?>) object;
- if (element.getDeclaredType().equals(RequestSecurityTokenType.class))
- {
- RequestSecurityToken parsedRequest = new
RequestSecurityToken((RequestSecurityTokenType) element
- .getValue());
- // insert the request target in the parsed request.
- if (targetElement != null)
- {
- if (parsedRequest.getValidateTarget() != null)
- parsedRequest.getValidateTarget().setAny(targetElement);
- else if (parsedRequest.getRenewTarget() != null)
- parsedRequest.getRenewTarget().setAny(targetElement);
- else if (parsedRequest.getCancelTarget() != null)
- parsedRequest.getCancelTarget().setAny(targetElement);
- }
- return parsedRequest;
- }
- else
- throw new RuntimeException("Invalid request type: " +
element.getDeclaredType());
- }
- else
- throw new RuntimeException("Invalid request type: " +
object.getClass().getName());
- }
- catch (Exception e)
- {
- throw new RuntimeException("Failed to unmarshall security token
request", e);
- }*/
}
/**
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/WSTrustUtil.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/WSTrustUtil.java 2009-10-05
11:16:15 UTC (rev 816)
+++
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/WSTrustUtil.java 2009-10-06
18:02:54 UTC (rev 817)
@@ -35,6 +35,7 @@
import javax.xml.bind.JAXBElement;
import javax.xml.namespace.QName;
+import org.apache.log4j.Logger;
import org.apache.xml.security.encryption.EncryptedKey;
import org.apache.xml.security.encryption.XMLCipher;
import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil;
@@ -65,6 +66,8 @@
public class WSTrustUtil
{
+ private static Logger logger = Logger.getLogger(WSTrustUtil.class);
+
/**
* <p>
* Creates an instance of {@code KeyIdentifierType} with the specified values.
@@ -311,7 +314,7 @@
}
else
{
- // TODO: log a warn message or throw an exception to inform client that the
secret could not be encrypted.
+ logger.warn("Secret key could not be encrypted because the endpoint's
PKC has not been specified");
}
return keyInfo;
}
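Review bot: Replacing the TODO with a warn keeps the failure invisible to the caller: when the endpoint's public key is absent the method still falls through to `return keyInfo;`, and StandardRequestHandler, which uses this result as the proof token's key info, cannot tell that the secret was not wrapped. The removed TODO named throwing as the alternative, and that is the safer choice here: `throw new WSTrustException("Secret key could not be encrypted because the endpoint's PKC has not been specified");`, provided the method's signature admits it. What `keyInfo` holds at this point is outside the hunk, so whether it would carry an unencrypted secret cannot be confirmed here; the enclosing method starts outside the hunk.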
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.java 2009-10-05
11:16:15 UTC (rev 816)
+++
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.java 2009-10-06
18:02:54 UTC (rev 817)
@@ -29,6 +29,7 @@
import javax.xml.bind.JAXBException;
import javax.xml.namespace.QName;
+import org.apache.log4j.Logger;
import org.jboss.identity.federation.core.saml.v2.common.IDGenerator;
import org.jboss.identity.federation.core.saml.v2.factories.SAMLAssertionFactory;
import org.jboss.identity.federation.core.saml.v2.util.AssertionUtil;
@@ -64,6 +65,8 @@
public class SAML20TokenProvider implements SecurityTokenProvider
{
+ private static Logger logger = Logger.getLogger(SAML20TokenProvider.class);
+
private Map<String, String> properties;
/*
@@ -121,6 +124,9 @@
@SuppressWarnings("unchecked")
public void validateToken(WSTrustRequestContext context) throws WSTrustException
{
+ if (logger.isTraceEnabled())
+ logger.trace("SAML V2.0 token validation started");
+
// get the SAML assertion that must be validated.
ValidateTargetType validateTarget =
context.getRequestSecurityToken().getValidateTarget();
if(validateTarget == null)