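/*
 * Copyright 2005,2006 WSO2, Inc. http://www.wso2.org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.wso2.solutions.identity.sts;

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Vector;

import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;

import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axiom.om.impl.dom.factory.OMDOMFactory;
import org.apache.axiom.om.impl.exception.XMLComparisonException;
import org.apache.axiom.om.impl.llom.util.XMLComparator;
import org.apache.axis2.context.MessageContext;
import org.apache.rahas.RahasData;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.components.crypto.X509NameTokenizer;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.util.DOM2Writer;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.KeyValue;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Base64;
import org.apache.xml.security.utils.Constants;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.w3c.dom.Element;
import org.wso2.solutions.identity.IdentityConstants;
import org.wso2.solutions.identity.IdentityProviderConstants;
import org.wso2.solutions.identity.IdentityProviderException;
import org.wso2.solutions.identity.UserStore;
import org.wso2.solutions.identity.admin.KeystoreUtilAdmin;
import org.wso2.solutions.identity.admin.RegisteredInfoCardInfoAdmin;
import org.wso2.solutions.identity.admin.RelyingPartyAdmin;
import org.wso2.solutions.identity.persistence.IPPersistenceManager;
import org.wso2.solutions.identity.persistence.dataobject.ClaimDO;
import org.wso2.solutions.identity.persistence.dataobject.RegisteredInfoCardInfoDO;
import org.wso2.solutions.identity.persistence.dataobject.RelyingPartyDO;
import org.wso2.solutions.identity.persistence.dataobject.UserTrustedRPDO;
import org.wso2.wsas.persistence.PersistenceManager;
import org.wso2.wsas.persistence.dataobject.KeyStoreDO;

/**
 * Meta-data collected from a WS-Trust issue request (CardSpace) that is
 * required for token issuance: the requested claims, the information card
 * reference, the requested token type, the user identifier and the validated
 * relying-party (RP) certificate.
 * <p>
 * Everything in the RST is attacker-controlled input; the only trust decision
 * made in this class is the RP certificate check in
 * {@link #extracAndValidatetRPCert(RahasData)}.
 * <p>
 * {@code cacerts} is a lazily loaded, process-wide trust store shared across
 * instances; access goes through the synchronized {@link #loadCaCerts()}.
 */
public class IdentityProviderData {

    protected String cardID = null;

    protected Map requestedClaims = new HashMap();

    protected String displayTokenLang = null;

    public String userClass = null;

    public static final String USERMAN_SERVICE = "UserManServiceURL";

    public static final String USER_CLASS = "UserClass";

    protected UserStore userStore = null;

    protected Map claimObjs = new HashMap();

    int authMechanism = -1;

    private SAMLAssertion assertion;

    /** RP certificate accepted by {@link #extracAndValidatetRPCert(RahasData)}. */
    private X509Certificate rpCert;

    /** JRE trust store ({@code $JAVA_HOME/lib/security/cacerts}); see {@link #loadCaCerts()}. */
    private static KeyStore cacerts;

    private String userIdentifier = null;

    private String requiredTokenType = null;

    /**
     * Populate CardSpace specific meta-data from the issue request.
     * <p>
     * The RP certificate is validated last, after the user's claim values have
     * already been populated. NOTE(review): consider validating the RP before
     * touching the user store, provided populateClaimValues has no side effects
     * that the later steps rely on — confirm.
     *
     * @param data
     *            WS-Trust information in the issue request.
     * @throws IdentityProviderException
     *             if the request is malformed or the RP is not trusted
     * @throws ClassNotFoundException
     */
    public IdentityProviderData(RahasData data) throws IdentityProviderException,
            ClassNotFoundException {
        OMElement rstElem = data.getRstElement();
        OMElement claimElem = data.getClaimElem();
        loadClaims();
        processClaimsData(data, claimElem);
        processInfoCardReference(rstElem);
        readAuthenticationMechanism(data);
        readRequestedTokenType(data);
        processUserIdentifier(data);
        populateClaimValues(data);
        extracAndValidatetRPCert(data);
    }

    /**
     * Extract the relying party certificate from the AppliesTo EPR
     * ({@code wsid:Identity/ds:KeyInfo/ds:X509Data/ds:X509Certificate}) and
     * validate it.
     * <p>
     * The certificate is accepted when either
     * <ol>
     * <li>its issuer is a CA in the JRE {@code cacerts} store, its signature
     * verifies under that CA's public key and it is within its validity
     * period — in which case the RP host is auto-registered if unknown; or</li>
     * <li>it is byte-identical to the certificate returned by
     * {@code readRpCertFromStores(data)}, i.e. a certificate that was
     * explicitly pinned for this RP.</li>
     * </ol>
     * Previously case 1 only compared the issuer DN string against the CA's
     * subject DN; any self-signed certificate carrying a well-known issuer
     * name would have been accepted. The signature and validity checks close
     * that hole. Only direct issuance by a root in {@code cacerts} is
     * recognised — intermediate chains are not built (TODO: PKIX path
     * validation).
     * <p>
     * NOTE(review): the certificate subject is not bound to the AppliesTo host
     * name here — confirm that binding is enforced elsewhere.
     *
     * @param data
     *            Information in the RST extracted by Rahas.
     * @throws IdentityProviderException
     *             {@code missingIdentityElement}, {@code malformedElement},
     *             {@code malformedBase64Certificate}, {@code rpNotTrusted} or
     *             {@code receivedCertMismatchWithTrustedCert}
     */
    private void extracAndValidatetRPCert(RahasData data) throws IdentityProviderException {
        OMElement eprElem = data.getAppliesToEpr();
        if (eprElem == null) {
            throw new IdentityProviderException("missingIdentityElement",
                    new String[] { "AppliesTo EndpointReference" });
        }
        OMElement idElem = eprElem.getFirstChildWithName(new QName(
                IdentityConstants.IDENTITY_ADDRESSING_NS,
                IdentityProviderConstants.LocalNames.IDENTITY));
        if (idElem == null) {
            throw new IdentityProviderException("missingIdentityElement",
                    new String[] { eprElem.toString() });
        }
        OMElement keyInfoElem = idElem.getFirstChildWithName(new QName(
                WSConstants.SIG_NS, "KeyInfo"));
        if (keyInfoElem == null) {
            throw new IdentityProviderException("malformedElement",
                    new String[] { idElem.toString() + " missing ds:KeyInfo element" });
        }
        OMElement x509DataElem = keyInfoElem.getFirstChildWithName(new QName(
                WSConstants.SIG_NS, "X509Data"));
        if (x509DataElem == null) {
            throw new IdentityProviderException("malformedElement",
                    new String[] { idElem.toString() + " missing ds:X509Data element" });
        }
        OMElement x509CertElem = x509DataElem.getFirstChildWithName(new QName(
                WSConstants.SIG_NS, "X509Certificate"));
        if (x509CertElem == null) {
            throw new IdentityProviderException("malformedElement",
                    new String[] { idElem.toString() + " missing ds:X509Certificate element" });
        }

        String base64Cert = x509CertElem.getText();
        try {
            ByteArrayInputStream bais = new ByteArrayInputStream(Base64.decode(base64Cert));
            X509Certificate receivedCert = (X509Certificate) CertificateFactory
                    .getInstance("X.509").generateCertificate(bais);

            // Case 1: issued (and actually signed) by a CA we trust.
            X509Certificate issuerCert = findTrustedIssuer(receivedCert);
            if (issuerCert != null) {
                this.rpCert = receivedCert;
                // Register the relying party if this is the first time we see it.
                RelyingPartyAdmin rpAdmin = new RelyingPartyAdmin();
                String hostName = IdentityProviderUtil.getAppliesToHostName(data);
                if (rpAdmin.getRelyingParty(hostName) == null) {
                    rpAdmin.create(hostName);
                }
                return;
            }

            // Case 2: not CA-issued — it must be exactly the pinned certificate.
            X509Certificate pinnedCert = this.readRpCertFromStores(data);
            if (pinnedCert == null) {
                // We do not trust the RP
                throw new IdentityProviderException("rpNotTrusted");
            }
            // X509Certificate.equals compares the DER encoding, so this is a
            // strict pin and not a name comparison.
            if (!pinnedCert.equals(receivedCert)) {
                throw new IdentityProviderException(
                        "receivedCertMismatchWithTrustedCert",
                        new String[] { base64Cert, Base64.encode(pinnedCert.getEncoded()) });
            }
            this.rpCert = pinnedCert;
        } catch (IdentityProviderException e) {
            throw e;
        } catch (Exception e) {
            // Decoding, parsing, trust-store and persistence failures all end
            // up here; the cause is kept so the real error is not lost.
            throw new IdentityProviderException("malformedBase64Certificate",
                    new String[] { base64Cert }, e);
        }
    }

    /**
     * Locate the CA certificate in {@code cacerts} that issued
     * {@code receivedCert}.
     * <p>
     * A candidate is matched by subject DN, then the received certificate's
     * signature is verified under the candidate's public key and its validity
     * period is checked. Candidates that fail verification are skipped (a
     * root may be cross-signed and share its DN with another entry), so a DN
     * match alone never establishes trust.
     *
     * @param receivedCert
     *            the certificate presented by the relying party
     * @return the issuing CA certificate, or {@code null} if no CA in the
     *         trust store issued {@code receivedCert}
     * @throws IOException
     *             if the trust store cannot be read
     * @throws GeneralSecurityException
     *             if the trust store cannot be opened or enumerated
     */
    private static X509Certificate findTrustedIssuer(X509Certificate receivedCert)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = loadCaCerts();
        Enumeration aliasEnum = trustStore.aliases();
        while (aliasEnum.hasMoreElements()) {
            String alias = (String) aliasEnum.nextElement();
            if (!trustStore.isCertificateEntry(alias)) {
                continue;
            }
            Certificate entry = trustStore.getCertificate(alias);
            if (!(entry instanceof X509Certificate)) {
                continue;
            }
            X509Certificate caCert = (X509Certificate) entry;
            if (!caCert.getSubjectX500Principal().equals(receivedCert.getIssuerX500Principal())) {
                continue;
            }
            try {
                receivedCert.verify(caCert.getPublicKey());
                receivedCert.checkValidity();
                return caCert;
            } catch (GeneralSecurityException e) {
                // Name matched but the signature or validity check failed:
                // this CA did not issue the certificate; keep looking.
            }
        }
        return null;
    }

    /**
     * Return the process-wide JRE trust store, loading it on first use.
     * <p>
     * Synchronized so that concurrent first requests do not race on the
     * shared static. The store is read from
     * {@code $JAVA_HOME/lib/security/cacerts} with the JDK default password
     * {@code changeit}; that password only protects store integrity, it is
     * not a secret. NOTE(review): a deployment that changed the cacerts
     * password will fail here — confirm this is acceptable.
     *
     * @return the loaded trust store
     * @throws IOException
     *             if the file cannot be read or the integrity check fails
     * @throws GeneralSecurityException
     *             if the key store type or its certificates cannot be loaded
     */
    private static synchronized KeyStore loadCaCerts() throws IOException,
            GeneralSecurityException {
        if (cacerts == null) {
            String cacertsPath = System.getProperty("java.home") + "/lib/security/cacerts";
            InputStream cacertsIs = new FileInputStream(cacertsPath);
            try {
                KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
                store.load(cacertsIs, "changeit".toCharArray());
                // Publish only a fully loaded store.
                cacerts = store;
            } finally {
                // Always close, including on load failure (previously leaked).
                cacertsIs.close();
            }
        }
        return cacerts;
    }

    /**
     * Tokenize a DN string into its RDN components and sort them, so that two
     * DNs can be compared regardless of attribute order.
     *
     * @param inString
     *            a distinguished name string
     * @return the sorted RDN tokens
     */
    private Vector splitAndTrim(String inString) {
        X509NameTokenizer nmTokens = new X509NameTokenizer(inString);
        Vector rdns = new Vector();
        while (nmTokens.hasMoreTokens()) {
            rdns.add(nmTokens.nextToken());
        }
        java.util.Collections.sort(rdns);
        return rdns;
    }

    /**
     * Process and extract the information card reference
     * ({@code InformationCardReference/CardId}) from the RST.
     * <p>
     * Both elements are mandatory; a request that lacks either is rejected
     * with {@code malformedElement} instead of failing with a
     * NullPointerException.
     *
     * @param rst
     *            RequestSecurityToken element
     * @throws IdentityProviderException
     *             if the card reference or card id element is missing
     */
    private void processInfoCardReference(OMElement rst) throws IdentityProviderException {
        OMElement infoCardRef = rst.getFirstChildWithName(new QName(
                IdentityConstants.NS,
                IdentityProviderConstants.LocalNames.INFO_CARD_REFERENCE));
        if (infoCardRef == null) {
            throw new IdentityProviderException("malformedElement",
                    new String[] { "RequestSecurityToken missing "
                            + IdentityProviderConstants.LocalNames.INFO_CARD_REFERENCE
                            + " element" });
        }
        OMElement omCardID = infoCardRef.getFirstChildWithName(new QName(
                IdentityConstants.NS, IdentityProviderConstants.LocalNames.CARD_ID));
        if (omCardID == null) {
            throw new IdentityProviderException("malformedElement",
                    new String[] { IdentityProviderConstants.LocalNames.INFO_CARD_REFERENCE
                            + " missing " + IdentityProviderConstants.LocalNames.CARD_ID
                            + " element" });
        }
        this.cardID = omCardID.getText();
    }

    /**
     * Record the requested token type, falling back to
     * {@code getDefautTokenType()} when the request carries none (or only
     * whitespace).
     *
     * @param data
     *            Information in the RST extracted by Rahas.
     */
    private void readRequestedTokenType(RahasData data) {
        String requested = data.getTokenType();
        if (requested == null || requested.trim().length() == 0) {
            requested = getDefautTokenType();
        }
        requiredTokenType = requested;
    }

    /**
     * Process and extract required claims information.
     *
     * @param rahasData
     *            Information in the RST extracted by Rahas.
     * @param claims
     *            the Claims element of the RST, or {@code null} if none
     */
    private void processClaimsData(RahasData rahasData, OMElement claims)
            throws IdentityProviderException {
        if (claims == null) {
            return;
        }
        Iterator ite = claims.getChildrenWithName(new QName(IdentityConstants.NS,
                IdentityProviderConstants.LocalNames.IDENTITY_CLAIM_TYPE));
        while (ite.hasNext()) {
            OMElement omElem = (OMElement) ite.next();
            RequestedClaimData claim = getRequestedClaim();
            String uriClaim = omElem.getAttributeValue(new QName(null, "Uri"));
            if (uriClaim == null) {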