Author: anil.saldhana(a)jboss.com
Date: 2010-12-28 14:44:29 -0500 (Tue, 28 Dec 2010)
New Revision: 619
Added:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/sts/
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/sts/PicketLinkCoreSTS.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/sts/STSCoreConfig.java
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/ProtocolContext.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/SecurityTokenProvider.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/PicketLinkSTSConfiguration.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/STSConfiguration.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/StandardRequestHandler.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/WSTrustRequestContext.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/WSTrustUtil.java
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.java
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSUnitTestCase.java
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/SpecialTokenProvider.java
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/core/HTTPContext.java
federation/trunk/picketlink-webapps/picketlink-sts/src/main/webapp/WEB-INF/web.xml
Log:
refactor into core sts
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/ProtocolContext.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/ProtocolContext.java 2010-12-22
21:45:18 UTC (rev 618)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/ProtocolContext.java 2010-12-28
19:44:29 UTC (rev 619)
@@ -21,11 +21,30 @@
*/
package org.picketlink.identity.federation.core.interfaces;
+import javax.xml.namespace.QName;
+
/**
- * Marker Interface
+ * Interface to indicate a protocol specific request context
* @author Anil.Saldhana(a)redhat.com
* @since Sep 17, 2009
*/
public interface ProtocolContext
-{
-}
+{
+ /**
+ * An optional service name
+ * @return
+ */
+ String serviceName();
+
+ /**
+ * A String that represents the token type
+ * @return
+ */
+ String tokenType();
+
+ /**
+ * Return the QName of the token
+ * @return
+ */
+ QName getQName();
+}
\ No newline at end of file
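Review bot: The three new methods carry empty `@return` tags and never say which of them may return null, although `serviceName()` is described as optional and `PicketLinkCoreSTS` in this commit null-checks all three results. Suggest spelling the contract out, e.g. `@return the service name taken from the request, or {@code null} if none was supplied`, and likewise for `tokenType()` and `getQName()`. Since `StandardRequestHandler` fills these values from the incoming request and they select the token provider, the Javadoc should also say whether implementations return them unvalidated. Turning the marker interface into one with abstract methods breaks any implementor not updated in this commit, and `serviceName()`/`tokenType()` do not follow the accessor style of `getQName()`.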
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/SecurityTokenProvider.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/SecurityTokenProvider.java 2010-12-22
21:45:18 UTC (rev 618)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/interfaces/SecurityTokenProvider.java 2010-12-28
19:44:29 UTC (rev 619)
@@ -23,6 +23,7 @@
import java.util.Map;
+import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.wstrust.WSTrustException;
/**
@@ -60,7 +61,7 @@
* @param context the {@code ProtocolContext} to be used when generating the token.
* @throws WSTrustException if an error occurs while creating the security token.
*/
- public void issueToken( ProtocolContext context) throws WSTrustException;
+ public void issueToken( ProtocolContext context) throws ProcessingException;
/**
* <p>
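Review bot: The Javadoc kept as context above `issueToken` still reads `@throws WSTrustException` while the signature now declares `ProcessingException`; the same stale tag remains in the `renewToken`, `cancelToken` and `validateToken` hunks below. Update each one, e.g. `@throws ProcessingException if an error occurs while creating the security token.` Once the tags are fixed, the `WSTrustException` import may be unused, but the rest of the file is outside these hunks, so that needs checking. Implementors and callers that still catch `WSTrustException` around these four methods will no longer compile or will miss the new exception, so they need the same pass.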
@@ -71,7 +72,7 @@
* @param context the {@code ProtocolContext} that contains the token to be renewed.
* @throws WSTrustException if an error occurs while renewing the security token.
*/
- public void renewToken( ProtocolContext context) throws WSTrustException;
+ public void renewToken( ProtocolContext context) throws ProcessingException;
/**
* <p>
@@ -82,7 +83,7 @@
* @param context the {@code ProtocolContext} that contains the token to be canceled.
* @throws WSTrustException if an error occurs while canceling the security token.
*/
- public void cancelToken( ProtocolContext context) throws WSTrustException;
+ public void cancelToken( ProtocolContext context) throws ProcessingException;
/**
* <p>
@@ -93,5 +94,5 @@
* @param context the {@code ProtocolContext} that contains the token to be
validated.
* @throws WSTrustException if an error occurs while validating the security token.
*/
- public void validateToken( ProtocolContext context) throws WSTrustException;
+ public void validateToken( ProtocolContext context) throws ProcessingException;
}
\ No newline at end of file
Added:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/sts/PicketLinkCoreSTS.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/sts/PicketLinkCoreSTS.java
(rev 0)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/sts/PicketLinkCoreSTS.java 2010-12-28
19:44:29 UTC (rev 619)
@@ -0,0 +1,179 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.picketlink.identity.federation.core.sts;
+
+import javax.xml.namespace.QName;
+
+import org.picketlink.identity.federation.core.exceptions.ProcessingException;
+import org.picketlink.identity.federation.core.interfaces.ProtocolContext;
+import org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider;
+
+/**
+ * <p>
+ * Generic STS Core.
+ * </p>
+ * <p>
+ * This is a Singleton Class.
+ * </p>
+ * @see {@code #instance()}
+ *
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Dec 27, 2010
+ */
+public class PicketLinkCoreSTS
+{
+ protected STSCoreConfig configuration;
+
+ private static PicketLinkCoreSTS _instance = null;
+
+ protected PicketLinkCoreSTS()
+ {
+ }
+
+ public static PicketLinkCoreSTS instance()
+ {
+ if( _instance == null )
+ _instance = new PicketLinkCoreSTS();
+
+ return _instance;
+ }
+
+ public void initialize( STSCoreConfig config )
+ {
+ this.configuration = config;
+ }
+
+ /**
+ * Issue a security token
+ * @param protocolContext
+ * @throws ProcessingException
+ */
+ public void issueToken( ProtocolContext protocolContext) throws ProcessingException
+ {
+ SecurityTokenProvider provider = getProvider(protocolContext);
+
+ if( provider == null )
+ throw new ProcessingException( "No Security Token Provider found in
configuration" );
+
+ provider.issueToken( protocolContext );
+ }
+
+ /**
+ * <p>
+ * Renews the security token contained in the specified request context. This method
is used when a previously
+ * generated token has expired, generating a new version of the same token with
different expiration semantics.
+ * </p>
+ *
+ * @param protocolContext the {@code ProtocolContext} that contains the token to be
renewed.
+ * @throws ProcessingException if an error occurs while renewing the security token.
+ */
+ public void renewToken( ProtocolContext protocolContext) throws ProcessingException
+ {
+ SecurityTokenProvider provider = null;
+
+ if( provider == null )
+ provider = getProviderBasedOnQName(protocolContext);
+
+ provider.renewToken( protocolContext );
+ }
+
+ /**
+ * <p>
+ * Cancels the token contained in the specified request context. A security token is
usually canceled when one wants
+ * to make sure that the token will not be used anymore. A security token can't be
renewed once it has been canceled.
+ * </p>
+ *
+ * @param protocolContext the {@code ProtocolContext} that contains the token to be
canceled.
+ * @throws ProcessingException if an error occurs while canceling the security token.
+ */
+ public void cancelToken( ProtocolContext protocolContext) throws ProcessingException
+ {
+ SecurityTokenProvider provider = null;
+
+ if( provider == null )
+ provider = getProviderBasedOnQName(protocolContext);
+
+ provider.cancelToken( protocolContext );
+ }
+
+ /**
+ * <p>
+ * Evaluates the validity of the token contained in the specified request context and
sets the result in the context
+ * itself. The result can be a status, a new token, or both.
+ * </p>
+ *
+ * @param protocolContext the {@code ProtocolContext} that contains the token to be
validated.
+ * @throws ProcessingException if an error occurs while validating the security
token.
+ */
+ public void validateToken( ProtocolContext protocolContext) throws
ProcessingException
+ {
+ SecurityTokenProvider provider = null;
+
+ if( provider == null )
+ provider = getProviderBasedOnQName(protocolContext);
+
+ provider.validateToken( protocolContext );
+ }
+
+ private SecurityTokenProvider getProvider( ProtocolContext protocolContext )
+ {
+ SecurityTokenProvider provider = null;
+
+ //Special Case: WST Applies To
+ String serviceName = protocolContext.serviceName();
+ if (serviceName != null)
+ {
+ provider = this.configuration.getProviderForService( serviceName );
+ }
+
+ if( provider == null )
+ {
+ //lets get the provider based on token type
+ String tokenType = protocolContext.tokenType();
+ if( tokenType != null )
+ provider = this.configuration.getProviderForTokenType(
protocolContext.tokenType() );
+ }
+ return provider;
+ }
+
+ private SecurityTokenProvider getProviderBasedOnQName( ProtocolContext protocolContext
) throws ProcessingException
+ {
+ SecurityTokenProvider provider = null;
+
+ QName qname = null;
+ if( provider == null )
+ {
+ qname = protocolContext.getQName();
+ if( qname == null )
+ throw new ProcessingException( "QName of the token type is null "
);
+ provider =
this.configuration.getProviderForTokenElementNS(qname.getLocalPart(),
+ qname.getNamespaceURI());
+ }
+
+
+ if (provider == null)
+ throw new ProcessingException("No SecurityTokenProvider configured for
" + qname.getNamespaceURI() + ":"
+ + qname.getLocalPart() );
+
+ return provider;
+ }
+}
\ No newline at end of file
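Review bot: `instance()` creates the singleton lazily without synchronization and `initialize()` overwrites the shared `configuration` field, yet `StandardRequestHandler` in this commit calls `sts.initialize(configuration)` and then `sts.issueToken(...)` (likewise renew, validate and cancel) on every request. If handlers holding different configurations run concurrently, a request can have its provider resolved against another handler's configuration between the two calls, and any call made before `initialize()` dereferences a null `configuration` in `getProvider`. At minimum use `private static final PicketLinkCoreSTS _instance = new PicketLinkCoreSTS();` and `protected volatile STSCoreConfig configuration;`, but the initialize-then-call sequence only becomes safe if the configuration is set once at startup or passed along with each call. Separately, `SecurityTokenProvider provider = null; if( provider == null )` in `renewToken`, `cancelToken` and `validateToken` is always true and can collapse to `getProviderBasedOnQName(protocolContext).renewToken( protocolContext );` and its two counterparts.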
Added:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/sts/STSCoreConfig.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/sts/STSCoreConfig.java
(rev 0)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/sts/STSCoreConfig.java 2010-12-28
19:44:29 UTC (rev 619)
@@ -0,0 +1,156 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.picketlink.identity.federation.core.sts;
+
+import java.security.KeyPair;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+
+import org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider;
+
+/**
+ * Configuration for the STS Core
+ * @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
+ * @author Anil.Saldhana(a)redhat.com
+ * @since Dec 27, 2010
+ */
+public interface STSCoreConfig
+{
+ /**
+ * <p>
+ * Obtains the unique name of the secure token service.
+ * </p>
+ *
+ * @return a {@code String} representing the STS name.
+ */
+ public String getSTSName();
+
+ /**
+ * <p>
+ * Indicates whether the issued token should be encrypted or not.
+ * </p>
+ *
+ * @return {@code true} if the issued token is to be encrypted; {@code false}
otherwise.
+ */
+ public boolean encryptIssuedToken();
+
+ /**
+ * <p>
+ * Indicates whether the issued token should be digitally signed or not.
+ * </p>
+ *
+ * @return {@code true} if the issued token is to be signed; {@code false} otherwise.
+ */
+ public boolean signIssuedToken();
+
+ /**
+ * <p>
+ * Obtains the timeout value (in milliseconds) for issued tokens.
+ * </p>
+ *
+ * @return the token timeout value.
+ */
+ public long getIssuedTokenTimeout();
+
+ /**
+ * <p>
+ * Obtains a reference to the {@code KeyPair} object that contains the STS {@code
PrivateKey} and {@code PublicKey}.
+ * </p>
+ *
+ * @return a reference to the STS {@code KeyPair}.
+ */
+ public KeyPair getSTSKeyPair();
+
+ /**
+ * <p>
+ * Given the name of a service provider, obtains the type of the token that should be
used when issuing tokens to
+ * clients of that service.
+ * </p>
+ *
+ * @param serviceName the name of the service provider that requires a token from its
clients.
+ * @return a {@code String} representing the type of the token that suits the
specified service.
+ */
+ public String getTokenTypeForService(String serviceName);
+
+ /**
+ * <p>
+ * Given the name of a service provider, obtains the provider that must be used when
issuing tokens to clients of
+ * that service. When requesting a token to the STS, a client can specify the service
it needs the token for using
+ * the {@code AppliesTo} element. Based on the service provider name, the STS
identifies the type of the token that
+ * is to be issued and then selects the appropriate token provider to handle the
request.
+ * </p>
+ *
+ * @param serviceName the name of the service provider that requires a token from its
clients.
+ * @return a reference to the {@code SecurityTokenProvider} that must be used in order
to issue tokens to clients of
+ * the specified service.
+ */
+ public SecurityTokenProvider getProviderForService(String serviceName);
+
+ /**
+ * <p>
+ * Given a token type, obtains the token provider that should be used to handle token
requests of that type. When a
+ * client doesn't specify the service provider name through the {@code AppliesTo}
element, it must specify the token
+ * type through the {@code TokenType} element. The STS uses the supplied type to
select the appropriate token
+ * provider.
+ * </p>
+ *
+ * @param tokenType a {@code String} representing the type of the token.
+ * @return a reference to the {@code SecurityTokenProvider} that must be used to
handle token requests of the
+ * specified type.
+ */
+ public SecurityTokenProvider getProviderForTokenType(String tokenType);
+
+ /**
+ * <p>
+ * Obtains the token provider that can handle tokens that have the specified local
name and namespace. When a
+ * validate, renew, or cancel request is made, the token type is not set in the
WS-Trust request. In these cases
+ * the {@code SecurityTokenProvider} must be determined using the security token
itself.
+ * </p>
+ *
+ * @param tokenLocalName a {@code String} representing the token element name. (e.g.
{@code Assertion}).
+ * @param tokenNamespace a {@code String} representing the token element namespace.
(e.g.
+ * {@code urn:oasis:names:tc:SAML:2.0:assertion}).
+ * @return a reference to the {@code SecurityTokenProvider} that must be used to
handle the request that contains
+ * only the security token.
+ */
+ public SecurityTokenProvider getProviderForTokenElementNS(String tokenLocalName,
String tokenNamespace);
+
+ /**
+ * <p>
+ * Obtains the public key of the specified service provider. The returned key is used
to encrypt issued tokens.
+ * </p>
+ *
+ * @param serviceName the name of the service provider (normally the provider URL).
+ * @return a reference to the provider's {@code PublicKey}
+ */
+ public PublicKey getServiceProviderPublicKey(String serviceName);
+
+ /**
+ * <p>
+ * Obtains the certificate identified by the specified alias.
+ * </p>
+ *
+ * @param alias the alias associated with the certificate in the keystore.
+ * @return the {@code Certificate} obtained from the keystore, or {@code null} if no
certificate was found.
+ */
+ public Certificate getCertificate(String alias);
+}
\ No newline at end of file
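Review bot: `getProviderForService`, `getProviderForTokenType`, `getProviderForTokenElementNS` and `getServiceProviderPublicKey` do not document what is returned when nothing is configured for the argument, while `PicketLinkCoreSTS` in this commit relies on a `null` result to fall through from service name to token type and to raise its "No SecurityTokenProvider configured" error. Add a clause to each `@return`, such as `or {@code null} if no provider is configured for the service`, as `getCertificate` already does. For `getServiceProviderPublicKey` the contract decides whether a caller can encrypt an issued token, so the unknown-service case should be stated explicitly. The core interface also exposes `getSTSKeyPair()`, private key included, to every consumer of `STSCoreConfig`; consider whether the generic core needs more than the provider lookups.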
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/PicketLinkSTSConfiguration.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/PicketLinkSTSConfiguration.java 2010-12-22
21:45:18 UTC (rev 618)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/PicketLinkSTSConfiguration.java 2010-12-28
19:44:29 UTC (rev 619)
@@ -244,6 +244,9 @@
*/
public SecurityTokenProvider getProviderForService(String serviceName)
{
+ if( serviceName == null )
+ throw new IllegalArgumentException( "serviceName is null ");
+
ServiceProviderType provider = this.spMetadata.get(serviceName);
if (provider != null)
{
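Review bot: The new null guard throws an unchecked `IllegalArgumentException` that the method's Javadoc (which starts outside the hunk) does not mention, and the `catch (ProcessingException e)` blocks added to `StandardRequestHandler` in this commit would not translate it into a `WSTrustException`. Document it with `@throws IllegalArgumentException if {@code serviceName} is null`, and do the same for `tokenType` in the `getProviderForTokenType` hunk below. The messages `"serviceName is null "` and `"tokenType is null "` carry a trailing space, and both guards omit the braces used by the `if (provider != null)` that follows.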
@@ -259,6 +262,8 @@
*/
public SecurityTokenProvider getProviderForTokenType(String tokenType)
{
+ if( tokenType == null )
+ throw new IllegalArgumentException( "tokenType is null ");
return this.tokenProviders.get(tokenType);
}
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/STSConfiguration.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/STSConfiguration.java 2010-12-22
21:45:18 UTC (rev 618)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/STSConfiguration.java 2010-12-28
19:44:29 UTC (rev 619)
@@ -21,12 +21,8 @@
*/
package org.picketlink.identity.federation.core.wstrust;
-import java.security.KeyPair;
-import java.security.PublicKey;
-import java.security.cert.Certificate;
+import org.picketlink.identity.federation.core.sts.STSCoreConfig;
-import org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider;
-
/**
* <p>
* The {@code STSConfiguration} interface allows access to the security token service
(STS) configuration attributes.
@@ -35,47 +31,10 @@
* @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
* @author Anil.Saldhana(a)redhat.com
*/
-public interface STSConfiguration
+public interface STSConfiguration extends STSCoreConfig
{
-
/**
* <p>
- * Obtains the unique name of the secure token service.
- * </p>
- *
- * @return a {@code String} representing the STS name.
- */
- public String getSTSName();
-
- /**
- * <p>
- * Indicates whether the issued token should be encrypted or not.
- * </p>
- *
- * @return {@code true} if the issued token is to be encrypted; {@code false}
otherwise.
- */
- public boolean encryptIssuedToken();
-
- /**
- * <p>
- * Indicates whether the issued token should be digitally signed or not.
- * </p>
- *
- * @return {@code true} if the issued token is to be signed; {@code false} otherwise.
- */
- public boolean signIssuedToken();
-
- /**
- * <p>
- * Obtains the timeout value (in milliseconds) for issued tokens.
- * </p>
- *
- * @return the token timeout value.
- */
- public long getIssuedTokenTimeout();
-
- /**
- * <p>
* Obtains the WS-Trust request handler class.
* </p>
*
@@ -85,60 +44,6 @@
/**
* <p>
- * Given the name of a service provider, obtains the type of the token that should be
used when issuing tokens to
- * clients of that service.
- * </p>
- *
- * @param serviceName the name of the service provider that requires a token from its
clients.
- * @return a {@code String} representing the type of the token that suits the
specified service.
- */
- public String getTokenTypeForService(String serviceName);
-
- /**
- * <p>
- * Given the name of a service provider, obtains the provider that must be used when
issuing tokens to clients of
- * that service. When requesting a token to the STS, a client can specify the service
it needs the token for using
- * the {@code AppliesTo} element. Based on the service provider name, the STS
identifies the type of the token that
- * is to be issued and then selects the appropriate token provider to handle the
request.
- * </p>
- *
- * @param serviceName the name of the service provider that requires a token from its
clients.
- * @return a reference to the {@code SecurityTokenProvider} that must be used in order
to issue tokens to clients of
- * the specified service.
- */
- public SecurityTokenProvider getProviderForService(String serviceName);
-
- /**
- * <p>
- * Given a token type, obtains the token provider that should be used to handle token
requests of that type. When a
- * client doesn't specify the service provider name through the {@code AppliesTo}
element, it must specify the token
- * type through the {@code TokenType} element. The STS uses the supplied type to
select the appropriate token
- * provider.
- * </p>
- *
- * @param tokenType a {@code String} representing the type of the token.
- * @return a reference to the {@code SecurityTokenProvider} that must be used to
handle token requests of the
- * specified type.
- */
- public SecurityTokenProvider getProviderForTokenType(String tokenType);
-
- /**
- * <p>
- * Obtains the token provider that can handle tokens that have the specified local
name and namespace. When a
- * validate, renew, or cancel request is made, the token type is not set in the
WS-Trust request. In these cases
- * the {@code SecurityTokenProvider} must be determined using the security token
itself.
- * </p>
- *
- * @param tokenLocalName a {@code String} representing the token element name. (e.g.
{@code Assertion}).
- * @param tokenNamespace a {@code String} representing the token element namespace.
(e.g.
- * {@code urn:oasis:names:tc:SAML:2.0:assertion}).
- * @return a reference to the {@code SecurityTokenProvider} that must be used to
handle the request that contains
- * only the security token.
- */
- public SecurityTokenProvider getProviderForTokenElementNS(String tokenLocalName,
String tokenNamespace);
-
- /**
- * <p>
* Obtains the {@code ClaimsProcessor} that must be used to handle claims of the
specified dialect.
* </p>
*
@@ -147,37 +52,9 @@
*/
public ClaimsProcessor getClaimsProcessor(String claimsDialect);
- /**
- * <p>
- * Obtains a reference to the {@code KeyPair} object that contains the STS {@code
PrivateKey} and {@code PublicKey}.
- * </p>
- *
- * @return a reference to the STS {@code KeyPair}.
- */
- public KeyPair getSTSKeyPair();
-
- /**
- * <p>
- * Obtains the public key of the specified service provider. The returned key is used
to encrypt issued tokens.
- * </p>
- *
- * @param serviceName the name of the service provider (normally the provider URL).
- * @return a reference to the provider's {@code PublicKey}
- */
- public PublicKey getServiceProviderPublicKey(String serviceName);
/**
* <p>
- * Obtains the certificate identified by the specified alias.
- * </p>
- *
- * @param alias the alias associated with the certificate in the keystore.
- * @return the {@code Certificate} obtained from the keystore, or {@code null} if no
certificate was found.
- */
- public Certificate getCertificate(String alias);
-
- /**
- * <p>
* Returns the configured canonicalization method.
* </p>
* <p>
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/StandardRequestHandler.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/StandardRequestHandler.java 2010-12-22
21:45:18 UTC (rev 618)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/StandardRequestHandler.java 2010-12-28
19:44:29 UTC (rev 619)
@@ -27,11 +27,12 @@
import javax.crypto.spec.SecretKeySpec;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.SignatureMethod;
+import javax.xml.namespace.QName;
import org.apache.log4j.Logger;
import org.picketlink.identity.federation.core.exceptions.ProcessingException;
-import org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
+import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
import org.picketlink.identity.federation.core.util.Base64;
import org.picketlink.identity.federation.core.util.XMLEncryptionUtil;
import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
@@ -93,7 +94,7 @@
if (trace)
log.trace("Issuing token for principal " + callerPrincipal);
- SecurityTokenProvider provider = null;
+ //SecurityTokenProvider provider = null;
// first try to obtain the security token provider using the applies-to contents.
AppliesTo appliesTo = request.getAppliesTo();
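Review bot: `//SecurityTokenProvider provider = null;` keeps the old lookup as a comment, and the later hunks do the same with whole blocks: `/*if (provider != null) ... }*/`, `/*if (provider == null && request.getTokenType() != null) ... {*/`, the `/*} else throw ...*/` tail, and the provider lookups in the renew, validate and cancel paths. Delete these lines instead; revision 618 keeps the history, and in a handler that decides which provider issues a token, dead branches obscure which checks are still enforced. In particular the `Either AppliesTo or TokenType must be present in a security token request` check now sits inside a comment, so that condition is only reported indirectly by `PicketLinkCoreSTS.issueToken` as `No Security Token Provider found in configuration`. The enclosing method starts and ends outside this hunk.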
@@ -101,26 +102,34 @@
if (appliesTo != null)
{
String serviceName = WSTrustUtil.parseAppliesTo(appliesTo);
+
if (serviceName != null)
{
- provider = this.configuration.getProviderForService(serviceName);
- if (provider != null)
+ String tokenTypeFromServiceName =
configuration.getTokenTypeForService(serviceName);
+
+ if( request.getTokenType() == null && tokenTypeFromServiceName != null
)
+ request.setTokenType(URI.create( tokenTypeFromServiceName ));
+
+ providerPublicKey =
this.configuration.getServiceProviderPublicKey(serviceName);
+
+ // provider = this.configuration.getProviderForService(serviceName);
+ /*if (provider != null)
{
request.setTokenType(URI.create(this.configuration.getTokenTypeForService(serviceName)));
providerPublicKey =
this.configuration.getServiceProviderPublicKey(serviceName);
- }
+ }*/
}
}
// if applies-to is not available or if no provider was found for the service, use
the token type.
- if (provider == null && request.getTokenType() != null)
- {
+ /*if (provider == null && request.getTokenType() != null)
+ {
provider =
this.configuration.getProviderForTokenType(request.getTokenType().toString());
}
else if (appliesTo == null && request.getTokenType() == null)
throw new WSTrustException("Either AppliesTo or TokenType must be present
in a security token request");
if (provider != null)
- {
+ {*/
// create the request context and delegate token generation to the provider.
WSTrustRequestContext requestContext = new WSTrustRequestContext(request,
callerPrincipal);
requestContext.setTokenIssuer(this.configuration.getSTSName());
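Review bot: A client-supplied `TokenType` now takes precedence over the type configured for the `AppliesTo` service: the old code overwrote it with `getTokenTypeForService(serviceName)` whenever a provider was found, while the new guard `request.getTokenType() == null && tokenTypeFromServiceName != null` keeps the request's value. `PicketLinkCoreSTS.getProvider` still selects the provider by service name first, so that provider may receive a context whose token type differs from the one configured for the service. If that is not intended, apply the configured type whenever it is non-null: `if( tokenTypeFromServiceName != null ) request.setTokenType(URI.create( tokenTypeFromServiceName ));`. `getServiceProviderPublicKey(serviceName)` is also now called for service names that have no configured provider, so its behaviour for unknown names should be confirmed. The method body starts and ends outside this hunk.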
@@ -253,10 +262,23 @@
}
// issue the security token using the constructed context.
- provider.issueToken(requestContext);
+ try
+ {
+ if( request.getTokenType() != null )
+ requestContext.setTokenType( request.getTokenType().toString() );
+ PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
+ sts.initialize(configuration);
+ sts.issueToken(requestContext);
+ //provider.issueToken(requestContext);
+ }
+ catch (ProcessingException e)
+ {
+ throw new WSTrustException( "Exception during token issue::", e );
+ }
if (requestContext.getSecurityToken() == null)
- throw new WSTrustException("Token issued by provider " +
provider.getClass().getName() + " is null");
+ //throw new WSTrustException("Token issued by provider " +
provider.getClass().getName() + " is null");
+ throw new WSTrustException("Token issued by STS is null");
// construct the ws-trust security token response.
RequestedSecurityTokenType requestedSecurityToken = new
RequestedSecurityTokenType();
@@ -285,9 +307,9 @@
response.setRequestedUnattachedReference(requestContext.getUnattachedReference());
return response;
- }
+ /*}
else
- throw new WSTrustException("Unable to find a token provider for the token
request");
+ throw new WSTrustException("Unable to find a token provider for the token
request");*/
}
/*
@@ -309,11 +331,11 @@
if (securityToken == null)
throw new WSTrustException("Unable to renew token: security token is
null");
- SecurityTokenProvider provider =
this.configuration.getProviderForTokenElementNS(securityToken.getLocalName(),
+ /*SecurityTokenProvider provider =
this.configuration.getProviderForTokenElementNS(securityToken.getLocalName(),
securityToken.getNamespaceURI());
if (provider == null)
throw new WSTrustException("No SecurityTokenProvider configured for "
+ securityToken.getNamespaceURI() + ":"
- + securityToken.getLocalName());
+ + securityToken.getLocalName());*/
if (this.configuration.signIssuedToken() &&
this.configuration.getSTSKeyPair() != null)
{
@@ -356,7 +378,19 @@
Principal onBehalfOfPrincipal =
WSTrustUtil.getOnBehalfOfPrincipal(request.getOnBehalfOf());
context.setOnBehalfOfPrincipal(onBehalfOfPrincipal);
}
- provider.renewToken(context);
+ try
+ {
+ if( securityToken != null )
+ context.setQName( new QName( securityToken.getNamespaceURI(),
securityToken.getLocalName() ));
+ PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
+ sts.initialize(configuration);
+ sts.renewToken(context);
+ //provider.renewToken(context);
+ }
+ catch (ProcessingException e)
+ {
+ throw new WSTrustException( "Exception during token renewal:", e );
+ }
// create the WS-Trust response with the renewed token.
RequestedSecurityTokenType requestedSecurityToken = new
RequestedSecurityTokenType();
@@ -396,11 +430,11 @@
if (securityToken == null)
throw new WSTrustException("Unable to validate token: security token is
null");
- SecurityTokenProvider provider =
this.configuration.getProviderForTokenElementNS(securityToken.getLocalName(),
+ /*SecurityTokenProvider provider =
this.configuration.getProviderForTokenElementNS(securityToken.getLocalName(),
securityToken.getNamespaceURI());
if (provider == null)
throw new WSTrustException("No SecurityTokenProvider configured for "
+ securityToken.getNamespaceURI() + ":"
- + securityToken.getLocalName());
+ + securityToken.getLocalName());*/
WSTrustRequestContext context = new WSTrustRequestContext(request,
callerPrincipal);
// if the validate request was made on behalf of another identity, get the
principal of that identity.
@@ -456,7 +490,19 @@
{
if (trace)
log.trace("Delegating token validation to token provider");
- provider.validateToken(context);
+ try
+ {
+ if( securityToken != null )
+ context.setQName( new QName( securityToken.getNamespaceURI(),
securityToken.getLocalName() ));
+ PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
+ sts.initialize(configuration);
+ sts.validateToken( context );
+ //provider.validateToken(context);
+ }
+ catch (ProcessingException e)
+ {
+ throw new WSTrustException( "Exception during token validation:", e
);
+ }
status = context.getStatus();
}
@@ -487,11 +533,11 @@
if (securityToken == null)
throw new WSTrustException("Unable to cancel token: security token is
null");
- SecurityTokenProvider provider =
this.configuration.getProviderForTokenElementNS(securityToken.getLocalName(),
+ /*SecurityTokenProvider provider =
this.configuration.getProviderForTokenElementNS(securityToken.getLocalName(),
securityToken.getNamespaceURI());
if (provider == null)
throw new WSTrustException("No SecurityTokenProvider configured for "
+ securityToken.getNamespaceURI() + ":"
- + securityToken.getLocalName());
+ + securityToken.getLocalName());*/
// create a request context and dispatch to the provider.
WSTrustRequestContext context = new WSTrustRequestContext(request,
callerPrincipal);
@@ -501,7 +547,19 @@
Principal onBehalfOfPrincipal =
WSTrustUtil.getOnBehalfOfPrincipal(request.getOnBehalfOf());
context.setOnBehalfOfPrincipal(onBehalfOfPrincipal);
}
- provider.cancelToken(context);
+ try
+ {
+ if( securityToken != null )
+ context.setQName( new QName( securityToken.getNamespaceURI(),
securityToken.getLocalName() ));
+ PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
+ sts.initialize(configuration);
+ sts.cancelToken( context );
+ //provider.cancelToken(context);
+ }
+ catch (ProcessingException e)
+ {
+ throw new WSTrustException( "Exception during token cancellation:", e
);
+ }
// if no exception has been raised, the token has been successfully canceled.
RequestSecurityTokenResponse response = new RequestSecurityTokenResponse();
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/WSTrustRequestContext.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/WSTrustRequestContext.java 2010-12-22
21:45:18 UTC (rev 618)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/WSTrustRequestContext.java 2010-12-28
19:44:29 UTC (rev 619)
@@ -25,6 +25,8 @@
import java.security.PublicKey;
import java.util.Map;
+import javax.xml.namespace.QName;
+
import org.picketlink.identity.federation.core.interfaces.ProtocolContext;
import org.picketlink.identity.federation.core.wstrust.wrappers.RequestSecurityToken;
import org.picketlink.identity.federation.ws.trust.RequestedReferenceType;
@@ -67,6 +69,10 @@
private RequestedReferenceType unattachedReference;
+ private String tokenType;
+
+ private QName qname;
+
/**
* <p>
* Creates an instance of {@code WSTrustRequestContext} using the specified request.
@@ -330,4 +336,29 @@
{
this.unattachedReference = unattachedReference;
}
-}
+
+ public String serviceName()
+ {
+ return WSTrustUtil.getServiceNameFromAppliesTo( request );
+ }
+
+ public String tokenType()
+ {
+ return tokenType;
+ }
+
+ public void setTokenType( String tokenType )
+ {
+ this.tokenType = tokenType;
+ }
+
+ public QName getQName()
+ {
+ return qname;
+ }
+
+ public void setQName( QName qname )
+ {
+ this.qname = qname;
+ }
+}
\ No newline at end of file
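Review bot: `tokenType()` returns a new private field that nothing visible in this part of the diff ever sets, while the request already carries a token type (SAML20TokenProvider reads `context.getRequestSecurityToken().getTokenType()`), so the accessor can return null or disagree with the request. Either derive the value from the request or document when `setTokenType` has to be called. The five new public methods also have no Javadoc, unlike the constructor above them; a line such as `/** Returns the service name parsed from the request's AppliesTo, or null if there is none. */` on `serviceName()` would state the null contract.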
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/WSTrustUtil.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/WSTrustUtil.java 2010-12-22
21:45:18 UTC (rev 618)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/WSTrustUtil.java 2010-12-28
19:44:29 UTC (rev 619)
@@ -51,6 +51,7 @@
import org.picketlink.identity.federation.core.util.JAXBUtil;
import org.picketlink.identity.federation.core.util.XMLEncryptionUtil;
import org.picketlink.identity.federation.core.wstrust.wrappers.Lifetime;
+import org.picketlink.identity.federation.core.wstrust.wrappers.RequestSecurityToken;
import org.picketlink.identity.federation.ws.addressing.AttributedURIType;
import org.picketlink.identity.federation.ws.addressing.EndpointReferenceType;
import org.picketlink.identity.federation.ws.policy.AppliesTo;
@@ -508,5 +509,18 @@
else
return null;
}
-
-}
+
+ public static String getServiceNameFromAppliesTo( RequestSecurityToken
requestSecurityToken )
+ {
+ String serviceName = null;
+ if( requestSecurityToken != null )
+ {
+ AppliesTo appliesTo = requestSecurityToken.getAppliesTo();
+ if (appliesTo != null)
+ {
+ serviceName = WSTrustUtil.parseAppliesTo(appliesTo);
+ }
+ }
+ return serviceName;
+ }
+}
\ No newline at end of file
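Review bot: `getServiceNameFromAppliesTo` returns null both for a null request and for a request without AppliesTo, and nothing documents that. A Javadoc block with `@return the service name, or {@code null} when the request or its AppliesTo is absent` would let callers know they must handle null before using the result as a lookup key. The `WSTrustUtil.` qualifier on `parseAppliesTo` is redundant inside the class itself.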
Modified:
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.java 2010-12-22
21:45:18 UTC (rev 618)
+++
federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/plugins/saml/SAML20TokenProvider.java 2010-12-28
19:44:29 UTC (rev 619)
@@ -17,6 +17,7 @@
*/
package org.picketlink.identity.federation.core.wstrust.plugins.saml;
+import java.net.URI;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.ArrayList;
@@ -27,6 +28,7 @@
import javax.xml.namespace.QName;
import org.apache.log4j.Logger;
+import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.interfaces.ProtocolContext;
import org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider;
import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
@@ -36,7 +38,6 @@
import org.picketlink.identity.federation.core.wstrust.SecurityToken;
import org.picketlink.identity.federation.core.wstrust.StandardSecurityToken;
import org.picketlink.identity.federation.core.wstrust.WSTrustConstants;
-import org.picketlink.identity.federation.core.wstrust.WSTrustException;
import org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext;
import org.picketlink.identity.federation.core.wstrust.WSTrustUtil;
import
org.picketlink.identity.federation.core.wstrust.plugins.DefaultRevocationRegistry;
@@ -180,17 +181,20 @@
* @see org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider#
* cancelToken(org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext)
*/
- public void cancelToken( ProtocolContext protoContext) throws WSTrustException
+ public void cancelToken( ProtocolContext protoContext) throws ProcessingException
{
+ if(! (protoContext instanceof WSTrustRequestContext) )
+ return;
+
WSTrustRequestContext context = (WSTrustRequestContext) protoContext;
// get the assertion that must be canceled.
Element token = (Element)
context.getRequestSecurityToken().getCancelTargetElement();
if (token == null)
- throw new WSTrustException("Invalid cancel request: missing required
CancelTarget");
+ throw new ProcessingException("Invalid cancel request: missing required
CancelTarget");
Element assertionElement = (Element) token.getFirstChild();
if (!this.isAssertion(assertionElement))
- throw new WSTrustException("CancelTarget doesn't not contain a SAMLV2.0
assertion");
+ throw new ProcessingException("CancelTarget doesn't not contain a
SAMLV2.0 assertion");
// get the assertion ID and add it to the canceled assertions set.
String assertionId = assertionElement.getAttribute("ID");
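Review bot: The new `instanceof` guard at the top of `cancelToken` returns silently when the context is not a `WSTrustRequestContext`, so the caller cannot tell a completed cancel from a no-op; the request handler hunk earlier in this diff treats the absence of an exception as success (`// if no exception has been raised, the token has been successfully canceled.`). A token provider should fail closed here: `throw new ProcessingException("Unsupported context type for SAML20TokenProvider");` instead of `return;`. The same guard is added to `issueToken` (`@@ -203,8 +207,11 @@`), `renewToken` (`@@ -299,16 +306,19 @@`) and `validateToken` (`@@ -370,8 +380,11 @@`), where a silent return leaves no token or status on the context. The method bodies continue outside these hunks.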
@@ -203,8 +207,11 @@
* @see org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider#
* issueToken(org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext)
*/
- public void issueToken( ProtocolContext protoContext) throws WSTrustException
+ public void issueToken( ProtocolContext protoContext) throws ProcessingException
{
+ if(! (protoContext instanceof WSTrustRequestContext) )
+ return;
+
WSTrustRequestContext context = (WSTrustRequestContext) protoContext;
// generate an id for the new assertion.
String assertionID = IDGenerator.create("ID_");
@@ -277,7 +284,7 @@
}
catch (Exception e)
{
- throw new WSTrustException("Failed to marshall SAMLV2 assertion", e);
+ throw new ProcessingException("Failed to marshall SAMLV2 assertion",
e);
}
SecurityToken token = new
StandardSecurityToken(context.getRequestSecurityToken().getTokenType().toString(),
@@ -299,16 +306,19 @@
* @see org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider#
* renewToken(org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext)
*/
- public void renewToken( ProtocolContext protoContext ) throws WSTrustException
+ public void renewToken( ProtocolContext protoContext ) throws ProcessingException
{
+ if(! (protoContext instanceof WSTrustRequestContext) )
+ return;
+
WSTrustRequestContext context = (WSTrustRequestContext) protoContext;
// get the specified assertion that must be renewed.
Element token = (Element)
context.getRequestSecurityToken().getRenewTargetElement();
if (token == null)
- throw new WSTrustException("Invalid renew request: missing required
RenewTarget");
+ throw new ProcessingException("Invalid renew request: missing required
RenewTarget");
Element oldAssertionElement = (Element) token.getFirstChild();
if (!this.isAssertion(oldAssertionElement))
- throw new WSTrustException("RenewTarget doesn't not contain a SAMLV2.0
assertion");
+ throw new ProcessingException("RenewTarget doesn't not contain a
SAMLV2.0 assertion");
// get the JAXB representation of the old assertion.
AssertionType oldAssertion = null;
@@ -318,12 +328,12 @@
}
catch ( Exception je )
{
- throw new WSTrustException("Error unmarshalling assertion", je);
+ throw new ProcessingException("Error unmarshalling assertion", je);
}
// canceled assertions cannot be renewed.
if (this.revocationRegistry.isRevoked(SAMLUtil.SAML2_TOKEN_TYPE,
oldAssertion.getID()))
- throw new WSTrustException("Assertion with id " +
oldAssertion.getID()
+ throw new ProcessingException("Assertion with id " +
oldAssertion.getID()
+ " has been canceled and cannot be renewed");
// adjust the lifetime for the renewed assertion.
@@ -350,7 +360,7 @@
}
catch (Exception e)
{
- throw new WSTrustException("Failed to marshall SAMLV2 assertion", e);
+ throw new ProcessingException("Failed to marshall SAMLV2 assertion",
e);
}
SecurityToken securityToken = new
StandardSecurityToken(context.getRequestSecurityToken().getTokenType()
.toString(), assertionElement, assertionID);
@@ -370,8 +380,11 @@
* @see org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider#
*
validateToken(org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext)
*/
- public void validateToken( ProtocolContext protoContext ) throws WSTrustException
+ public void validateToken( ProtocolContext protoContext ) throws ProcessingException
{
+ if(! (protoContext instanceof WSTrustRequestContext) )
+ return;
+
WSTrustRequestContext context = (WSTrustRequestContext) protoContext;
if (logger.isTraceEnabled())
logger.trace("SAML V2.0 token validation started");
@@ -379,7 +392,7 @@
// get the SAML assertion that must be validated.
Element token = context.getRequestSecurityToken().getValidateTargetElement();
if (token == null)
- throw new WSTrustException("Bad validate request: missing required
ValidateTarget");
+ throw new ProcessingException("Bad validate request: missing required
ValidateTarget");
String code = WSTrustConstants.STATUS_CODE_VALID;
String reason = "SAMLV2.0 Assertion successfuly validated";
@@ -399,7 +412,7 @@
}
catch ( Exception e )
{
- throw new WSTrustException("Unmarshalling error:", e);
+ throw new ProcessingException("Unmarshalling error:", e);
}
}
Modified:
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSUnitTestCase.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSUnitTestCase.java 2010-12-22
21:45:18 UTC (rev 618)
+++
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/PicketLinkSTSUnitTestCase.java 2010-12-28
19:44:29 UTC (rev 619)
@@ -797,7 +797,7 @@
{
assertTrue("Unexpected cause type", we.getCause() instanceof
WSTrustException);
assertEquals("Unexpected exception message", "Assertion with id
" + assertion.getAttribute("ID")
- + " has been canceled and cannot be renewed",
we.getCause().getMessage());
+ + " has been canceled and cannot be renewed",
we.getCause().getCause().getMessage());
}
}
@@ -827,9 +827,7 @@
catch (WebServiceException we)
{
assertNotNull("Unexpected null cause", we.getCause());
- assertTrue("Unexpected cause type", we.getCause() instanceof
WSTrustException);
- assertEquals("Unexpected exception message", "Unable to find a
token provider for the token request", we
- .getCause().getMessage());
+ assertTrue("Unexpected cause type", we.getCause() instanceof
WSTrustException);
}
}
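Review bot: The message assertion is dropped in this hunk, and in the `@@ -857,8 +855,8 @@` and `@@ -934,8 +932,8 @@` hunks it is commented out, so these negative tests now only check that some `WSTrustException` surfaced, not why the request was rejected. A token service that rejects the request for an unrelated reason would still pass them. Other hunks in this file show the original message moving one cause deeper (`we.getCause().getCause().getMessage()`); if that also holds here, keep the `assertEquals` in that form instead of removing it. Commented-out assertions should be deleted or restored, not left in place.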
@@ -857,8 +855,8 @@
{
assertNotNull("Unexpected null cause", we.getCause());
assertTrue("Unexpected cause type", we.getCause() instanceof
WSTrustException);
- assertEquals("Either AppliesTo or TokenType must be present in a security
token request", we.getCause()
- .getMessage());
+ /*assertEquals("Either AppliesTo or TokenType must be present in a security
token request", we.getCause()
+ .getMessage());*/
}
// a request that asks for a public key to be used as proof key will fail if the
public key is not available.
@@ -934,8 +932,8 @@
{
assertNotNull("Unexpected null cause", we.getCause());
assertTrue("Unexpected cause type", we.getCause() instanceof
WSTrustException);
- assertEquals("No SecurityTokenProvider configured for
http://www.unknowntoken.org:UnknownToken", we.getCause()
- .getMessage());
+ /*assertEquals("No SecurityTokenProvider configured for
http://www.unknowntoken.org:UnknownToken", we.getCause()
+ .getMessage());*/
}
}
@@ -988,7 +986,14 @@
try
{
this.tokenService.invoke(requestMessage);
- fail("An exception should have been raised by the security token
service");
+ Source responseMessage = this.tokenService.invoke(requestMessage);
+ RequestSecurityTokenResponseCollection baseResponseColl =
(RequestSecurityTokenResponseCollection) new WSTrustParser()
+ .parse(DocumentUtil.getSourceAsStream(responseMessage));
+
+ RequestSecurityTokenResponse response =
baseResponseColl.getRequestSecurityTokenResponses().get(0);
+ StatusType status = response.getStatus();
+ assertTrue( status.getCode().equals( WSTrustConstants.STATUS_CODE_INVALID ));
+ //fail("An exception should have been raised by the security token
service");
}
catch (WebServiceException we)
{
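Review bot: `this.tokenService.invoke(requestMessage);` stays as a context line and a second `invoke` is added directly below it, so the request is sent twice and the first response is discarded; the first call should be removed. With `fail(...)` commented out and the `catch (WebServiceException we)` block still present, the test appears to pass both when the service returns an invalid status and when it throws (the catch body is outside this hunk), so it no longer pins one behaviour. `assertEquals(WSTrustConstants.STATUS_CODE_INVALID, status.getCode());` would also report the actual status code on failure, which `assertTrue( status.getCode().equals( ... ))` does not.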
@@ -1054,7 +1059,7 @@
{
assertNotNull("Unexpected null cause", we.getCause());
assertTrue("Unexpected cause type", we.getCause() instanceof
WSTrustException);
- assertEquals("No SecurityTokenProvider configured for
http://www.unknowntoken.org:UnknownToken", we.getCause()
+ assertEquals("No SecurityTokenProvider configured for
http://www.unknowntoken.org:UnknownToken", we.getCause().getCause()
.getMessage());
}
}
Modified:
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/SpecialTokenProvider.java
===================================================================
---
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/SpecialTokenProvider.java 2010-12-22
21:45:18 UTC (rev 618)
+++
federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/core/wstrust/SpecialTokenProvider.java 2010-12-28
19:44:29 UTC (rev 619)
@@ -26,6 +26,7 @@
import java.util.Map;
import org.picketlink.identity.federation.core.exceptions.ConfigurationException;
+import org.picketlink.identity.federation.core.exceptions.ProcessingException;
import org.picketlink.identity.federation.core.interfaces.ProtocolContext;
import org.picketlink.identity.federation.core.interfaces.SecurityTokenProvider;
import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
@@ -33,7 +34,6 @@
import org.picketlink.identity.federation.core.wstrust.SecurityToken;
import org.picketlink.identity.federation.core.wstrust.StandardSecurityToken;
import org.picketlink.identity.federation.core.wstrust.WSTrustConstants;
-import org.picketlink.identity.federation.core.wstrust.WSTrustException;
import org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -65,7 +65,7 @@
*
* @see
org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider#cancelToken(org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext)
*/
- public void cancelToken( ProtocolContext protoContext ) throws WSTrustException
+ public void cancelToken( ProtocolContext protoContext ) throws ProcessingException
{
}
@@ -74,7 +74,7 @@
*
* @see
org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider#issueToken(org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext)
*/
- public void issueToken( ProtocolContext protoContext) throws WSTrustException
+ public void issueToken( ProtocolContext protoContext) throws ProcessingException
{
WSTrustRequestContext context = (WSTrustRequestContext) protoContext;
@@ -123,7 +123,7 @@
*
* @see
org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider#renewToken(org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext)
*/
- public void renewToken( ProtocolContext protoContext ) throws WSTrustException
+ public void renewToken( ProtocolContext protoContext ) throws ProcessingException
{
}
@@ -132,7 +132,7 @@
*
* @see
org.picketlink.identity.federation.core.wstrust.SecurityTokenProvider#validateToken(org.picketlink.identity.federation.core.wstrust.WSTrustRequestContext)
*/
- public void validateToken( ProtocolContext protoContext ) throws WSTrustException
+ public void validateToken( ProtocolContext protoContext ) throws ProcessingException
{
}
Modified:
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/core/HTTPContext.java
===================================================================
---
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/core/HTTPContext.java 2010-12-22
21:45:18 UTC (rev 618)
+++
federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/core/HTTPContext.java 2010-12-28
19:44:29 UTC (rev 619)
@@ -24,6 +24,7 @@
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import javax.xml.namespace.QName;
import org.picketlink.identity.federation.core.interfaces.ProtocolContext;
@@ -81,4 +82,19 @@
this.servletContext = sctx;
return this;
}
+
+ public String serviceName()
+ {
+ return null;
+ }
+
+ public String tokenType()
+ {
+ return null;
+ }
+
+ public QName getQName()
+ {
+ return null;
+ }
}
\ No newline at end of file
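Review bot: The three new methods return null unconditionally and carry no comment saying that this is intentional. Any code that selects a token provider by service name, token type or QName gets nothing to match for an HTTP context; how the core STS handles that case is not visible here. A short Javadoc on each, for example `/** Not applicable to HTTP contexts; always returns null. */`, would make the contract explicit for implementers and callers.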
Modified:
federation/trunk/picketlink-webapps/picketlink-sts/src/main/webapp/WEB-INF/web.xml
===================================================================
---
federation/trunk/picketlink-webapps/picketlink-sts/src/main/webapp/WEB-INF/web.xml 2010-12-22
21:45:18 UTC (rev 618)
+++
federation/trunk/picketlink-webapps/picketlink-sts/src/main/webapp/WEB-INF/web.xml 2010-12-28
19:44:29 UTC (rev 619)
@@ -15,7 +15,7 @@
<security-constraint>
<web-resource-collection>
- <web-resource-name>UsernameService</web-resource-name>
+ <web-resource-name>PicketLinkSTSService</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>