org.atricore.idbus.capabilities.sts.main.WSTSecurityTokenService.java Source code

Java tutorial

Introduction

Here is the source code for org.atricore.idbus.capabilities.sts.main.WSTSecurityTokenService.java

Source

/*
 * Atricore IDBus
 *
 * Copyright (c) 2009, Atricore Inc.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */

package org.atricore.idbus.capabilities.sts.main;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.atricore.idbus.kernel.main.authn.Constants;
import org.atricore.idbus.kernel.main.authn.SecurityToken;
import org.atricore.idbus.kernel.main.mediation.Artifact;
import org.atricore.idbus.kernel.main.mediation.ArtifactImpl;
import org.atricore.idbus.kernel.main.mediation.MessageQueueManager;
import org.atricore.idbus.kernel.main.provisioning.exception.ProvisioningException;
import org.atricore.idbus.kernel.main.provisioning.spi.ProvisioningTarget;
import org.atricore.idbus.kernel.main.provisioning.spi.request.AddSecurityTokenRequest;
import org.atricore.idbus.kernel.main.provisioning.spi.request.FindSecurityTokensByExpiresOnBeforeRequest;
import org.atricore.idbus.kernel.main.provisioning.spi.request.RemoveSecurityTokenRequest;
import org.atricore.idbus.kernel.main.provisioning.spi.response.AddSecurityTokenResponse;
import org.atricore.idbus.kernel.main.provisioning.spi.response.FindSecurityTokensByExpiresOnBeforeResponse;
import org.oasis_open.docs.wss._2004._01.oasis_200401_wss_wssecurity_secext_1_0.UsernameTokenType;
import org.xmlsoap.schemas.ws._2005._02.trust.RequestSecurityTokenResponseType;
import org.xmlsoap.schemas.ws._2005._02.trust.RequestSecurityTokenType;
import org.xmlsoap.schemas.ws._2005._02.trust.RequestedSecurityTokenType;
import org.xmlsoap.schemas.ws._2005._02.trust.wsdl.SecurityTokenServiceImpl;

import javax.security.auth.Subject;
import javax.xml.bind.JAXBElement;
import javax.xml.namespace.QName;
import java.util.ArrayList;
import java.util.Collection;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

/**
 * This is the default WS-Trust-compliant STS implementation.
 *
 * @org.apache.xbean.XBean element="security-token-service"
 * description="Default STS implementation"
 *
 * @author <a href="mailto:gbrigand@josso.org">Gianluca Brigandi</a>
 * @version $Id: SSOGatewayImpl.java 1040 2009-03-05 00:56:52Z gbrigand $
 */
public class WSTSecurityTokenService extends SecurityTokenServiceImpl implements WSTConstants {

    private static final Log logger = LogFactory.getLog(WSTSecurityTokenService.class);

    private static final String WST_EMIT_REQUEST_TYPE = "http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue";

    private Collection<SecurityTokenEmitter> emitters = new ArrayList<SecurityTokenEmitter>();

    private Collection<SecurityTokenAuthenticator> authenticators = new ArrayList<SecurityTokenAuthenticator>();

    private MessageQueueManager artifactQueueManager;

    private String name;

    /**
     * The provisioning target selected for this STS instance.
     */
    private ProvisioningTarget provisioningTarget;

    private TokenMonitor tokenMonitor;

    private ScheduledThreadPoolExecutor stpe;

    private long tokenMonitorInterval = 1000L * 60L * 10L;

    public void init() {
        tokenMonitor = new TokenMonitor(this, getTokenMonitorInterval());

        stpe = new ScheduledThreadPoolExecutor(3);
        stpe.scheduleAtFixedRate(tokenMonitor, getTokenMonitorInterval(), getTokenMonitorInterval(),
                TimeUnit.MILLISECONDS);

        // Register sessions in security domain !
        logger.info("[initialize()] : WST Security Token Service =" + getName());

    }

    public RequestSecurityTokenResponseType requestSecurityToken(RequestSecurityTokenType rst) {

        JAXBElement<String> requestType;
        JAXBElement requestToken;

        JAXBElement<String> tokenType = (JAXBElement<String>) rst.getAny().get(0);

        requestType = (JAXBElement<String>) rst.getAny().get(1);
        requestToken = (JAXBElement) rst.getAny().get(2);

        SecurityToken securityToken = null;
        Subject subject = null;

        Artifact rstCtxArtifact = null;

        if (!requestType.getValue().equals(WST_EMIT_REQUEST_TYPE)) {
            throw new IllegalArgumentException("Only token emission is supported");
        }

        try {

            SecurityTokenProcessingContext processingContext = new SecurityTokenProcessingContext();

            // Special use of request context
            if (rst.getContext() != null) {

                // We may have a context.
                String artifactContent = rst.getContext();
                logger.debug("Using RST Context [" + artifactContent
                        + "] as artifact ID to access Artifact Queue Manager.");

                Artifact rstArtifact = ArtifactImpl.newInstance(artifactContent);
                Object rstCtx = artifactQueueManager.pullMessage(rstArtifact);
                if (rstCtx == null)
                    logger.warn("No RST Context found for artifact " + rstArtifact);

                if (logger.isDebugEnabled())
                    logger.debug("Found RST Context artifact " + rstCtx);

                processingContext.setProperty(RST_CTX, rstCtx);

            }

            // -----------------------------------------
            // 1. Authenticate
            // -----------------------------------------
            subject = authenticate(requestToken.getValue(), tokenType.getValue());
            if (logger.isTraceEnabled())
                logger.trace("User " + subject + " authenticated successfully");

            processingContext.setProperty(SUBJECT_PROP, subject);

            // -----------------------------------------
            // 2. Emit security token
            // -----------------------------------------
            securityToken = emit(processingContext, requestToken.getValue(), tokenType.getValue());

            logger.debug("Security Token " + securityToken + " emitted successfully");

            if (processingContext.getProperty(RST_CTX) != null) {
                rstCtxArtifact = artifactQueueManager.pushMessage(processingContext.getProperty(RST_CTX));
                if (logger.isDebugEnabled())
                    logger.debug("Sent RST Context, artifact " + rstCtxArtifact);

            }

            // -----------------------------------------
            // Some token processing
            // -----------------------------------------
            for (SecurityToken emitted : processingContext.getEmittedTokens()) {
                postProcess(processingContext, requestToken.getValue(), tokenType.getValue(), emitted);
            }

        } catch (SecurityTokenAuthenticationFailure e) {
            throw e;
        } catch (Exception e) {
            logger.error(e.getMessage(), e);
            throw new SecurityTokenAuthenticationFailure(e.getMessage(), e);
        }

        // TODO : Use planning infrastructure to transfor RST to RSTR
        // Transform RST in RSTR

        org.xmlsoap.schemas.ws._2005._02.trust.ObjectFactory of = new org.xmlsoap.schemas.ws._2005._02.trust.ObjectFactory();

        RequestSecurityTokenResponseType rstr = of.createRequestSecurityTokenResponseType();

        // Send context back, updated
        if (rstCtxArtifact != null) {
            rstr.setContext(rstCtxArtifact.getContent());
        }

        JAXBElement<String> srcTokenType = (JAXBElement<String>) rst.getAny().get(0);
        tokenType = of.createTokenType(srcTokenType.getValue());
        rstr.getAny().add(tokenType);

        // Embed the new token in the response
        JAXBElement<RequestedSecurityTokenType> requestedSecurityToken;
        requestedSecurityToken = of.createRequestedSecurityToken(new RequestedSecurityTokenType());
        requestedSecurityToken.getValue().setAny(securityToken.getContent());
        rstr.getAny().add(requestedSecurityToken);
        rstr.getAny().add(subject);

        return rstr;
    }

    /**
     * For now authenticators are all considered to be sufficient, as long as one of them succeeds, the authentication is valid.
     */
    protected Subject authenticate(Object requestToken, String tokenType) throws SecurityTokenEmissionException {

        // Authenticate the request token!
        SecurityTokenAuthenticator selectedAuthenticator = null;
        SecurityTokenAuthenticationFailure lastAuthnFailedException = null;
        for (SecurityTokenAuthenticator authenticator : authenticators) {

            logger.debug("Checking whether authenticator " + authenticator.getId() + " can handle token of type "
                    + tokenType);
            if (authenticator.canAuthenticate(requestToken)) {

                try {
                    selectedAuthenticator = authenticator;

                    logger.debug("Selected Security Token Authenticator for token type [" + tokenType + " is " + "["
                            + selectedAuthenticator.getId() + "]");

                    // Return the authenticated subject

                    return authenticator.authenticate(requestToken);

                } catch (SecurityTokenAuthenticationFailure e) {

                    lastAuthnFailedException = e;

                    if (logger.isDebugEnabled())
                        logger.debug("Authentication failed for " + authenticator.getId());

                    if (logger.isTraceEnabled())
                        logger.trace(e.getMessage(), e);

                }
            }

        }

        if (selectedAuthenticator == null) {
            throw new RuntimeException("No authenticator configured for security token type [" + tokenType + "] "
                    + requestToken.getClass().getSimpleName());
        }

        // We have a selected authenticator, but the authentication failed
        throw lastAuthnFailedException;

    }

    protected SecurityToken emit(SecurityTokenProcessingContext ctx, Object requestToken, String tokenType) {

        SecurityToken securityToken = null;

        for (SecurityTokenEmitter emitter : emitters) {

            if (logger.isDebugEnabled())
                logger.debug("Testing emitter " + emitter.getId());

            try {

                if (emitter.canEmit(ctx, requestToken, tokenType)) {

                    logger.debug("Selected Security Token Emitter for token type [" + tokenType + " is " + "["
                            + emitter.getId() + "]");

                    SecurityToken st = emitter.emit(ctx, requestToken, tokenType);

                    if (st != null) {
                        logger.debug("Emission successful for token [" + st.getId() + "] " + " type [" + tokenType
                                + "] using " + "[" + emitter.getId() + "]");
                    }

                    if (emitter.isTargetedEmitter(ctx, requestToken, tokenType)) {

                        logger.debug("Emission successful for token [" + st.getId() + "] " + " type [" + tokenType
                                + "] using targeted " + "[" + emitter.getId() + "]");

                        if (securityToken != null) {
                            logger.warn("Security configured multiple requested emitters, using token " + st);
                        }
                        securityToken = st;
                    }
                    ctx.getEmittedTokens().add(st);

                }

            } catch (SecurityTokenEmissionException e) {
                logger.error("Fatal error generating security token of type [" + tokenType + "]", e);
                throw new RuntimeException("Fatal error generating security token of type [" + tokenType + "]", e);
            }

        }

        if (securityToken == null) {
            throw new RuntimeException("No requested Emitter configured");
        }

        return securityToken;

    }

    protected void postProcess(SecurityTokenProcessingContext ctx, Object requestToken, String tokenType,
            SecurityToken emitted) {

        if (provisioningTarget == null) {
            logger.error("No provisioning target configured !");
            return;
        }

        // Check whether we have to persist the token or not.
        if (requestToken instanceof UsernameTokenType) {

            UsernameTokenType ut = (UsernameTokenType) requestToken;

            // When the requested token has a remember-me attribute, we must persist the token
            String rememberMe = ut.getOtherAttributes().get(new QName(Constants.REMEMBERME_NS));

            if (rememberMe != null && Boolean.parseBoolean(rememberMe)) {

                // User requested to be remembered, check weather this is the token to store.
                String nm = emitted.getNameIdentifier();

                if (nm != null && nm.equals(WSTConstants.WST_OAUTH2_TOKEN_TYPE)) {
                    // Persist this token
                    AddSecurityTokenRequest req = new AddSecurityTokenRequest();
                    req.setTokenId(emitted.getId());
                    req.setNameIdentifier(emitted.getNameIdentifier());
                    req.setContent(emitted.getContent());
                    req.setSerializedContent(emitted.getSerializedContent());
                    req.setIssueInstant(emitted.getIssueInstant());

                    try {
                        AddSecurityTokenResponse resp = provisioningTarget.addSecurityToken(req);
                    } catch (ProvisioningException e) {
                        logger.error("Cannot store emitted token " + emitted, e);
                    }
                }
            }

        }

    }

    /**
     * @org.apache.xbean.Property alias="artifact-queue-mgr"
     * @return
     */
    public MessageQueueManager getArtifactQueueManager() {
        return artifactQueueManager;
    }

    public void setArtifactQueueManager(MessageQueueManager artifactQueueManager) {
        this.artifactQueueManager = artifactQueueManager;
    }

    /**
     * @org.apache.xbean.Property alias="emitters" nestedType="org.atricore.idbus.capabilities.sts.main.SecurityTokenEmitter"
     */
    public Collection<SecurityTokenEmitter> getEmitters() {
        return emitters;
    }

    public void setEmitters(Collection<SecurityTokenEmitter> emitters) {
        this.emitters = emitters;
    }

    /**
      * @org.apache.xbean.Property alias="authenticators" nestedType="org.atricore.atricore.idbus.kernel.main.authn.SecurityTokenAuthenticator"
      */
    public Collection<SecurityTokenAuthenticator> getAuthenticators() {
        return authenticators;
    }

    public void setAuthenticators(Collection<SecurityTokenAuthenticator> authenticators) {
        this.authenticators = authenticators;
    }

    public ProvisioningTarget getProvisioningTarget() {
        return provisioningTarget;
    }

    public void setProvisioningTarget(ProvisioningTarget provisioningTarget) {
        this.provisioningTarget = provisioningTarget;
    }

    public long getTokenMonitorInterval() {
        return tokenMonitorInterval;
    }

    public void setTokenMonitorInterval(long tokenMonitorInterval) {
        this.tokenMonitorInterval = tokenMonitorInterval;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    protected void checkExpiredTokens() {

        try {
            long now = System.currentTimeMillis();

            FindSecurityTokensByExpiresOnBeforeRequest req = new FindSecurityTokensByExpiresOnBeforeRequest();
            req.setExpiresOnBefore(now);
            FindSecurityTokensByExpiresOnBeforeResponse resp = this.provisioningTarget
                    .findSecurityTokensByExpiresOnBefore(req);

            if (resp.getSecurityTokens() != null) {
                for (SecurityToken expired : resp.getSecurityTokens()) {
                    RemoveSecurityTokenRequest removeReq = new RemoveSecurityTokenRequest();
                    removeReq.setTokenId(expired.getId());

                    try {
                        this.provisioningTarget.removeSecurityToken(removeReq);
                    } catch (ProvisioningException e) {
                        logger.error("Cannot remove expired token : " + expired.getId() + " : " + e.getMessage(),
                                e);
                    }

                }
            }
        } catch (Exception e) {
            logger.error(e.getMessage(), e);
        }

    }
}