identitytokenissuer.java

开源的OpenId的一个java实现

        OMElement rstrElem = TrustUtil
                .createRequestSecurityTokenResponseElement(wstVersion, env
                        .getBody());
        TrustUtil.createTokenTypeElement(wstVersion, rstrElem).setText(
                data.getTokenType());

        createDisplayToken(rstrElem, ipData);

        OMElement appliesToEpr = null;
        if (encryptedKey != null) {
            int keysize = data.getKeysize();
            if (keysize == -1) {
                keysize = encryptedKey.getEphemeralKey().length * 8;
            }

            TrustUtil.createKeySizeElement(wstVersion, rstrElem, keysize);

            OMElement incomingAppliesToEpr = data.getAppliesToEpr();
            try {
                Document eprDoc = DocumentBuilderFactory.newInstance()
                        .newDocumentBuilder().parse(
                                new ByteArrayInputStream(incomingAppliesToEpr
                                        .toString().getBytes()));
                appliesToEpr = (OMElement) doc.importNode(eprDoc
                        .getDocumentElement(), true);
            } catch (Exception e) {
                throw new TrustException(TrustException.REQUEST_FAILED, e);
            }

            OMElement appliesToElem = rstrElem
                    .getOMFactory()
                    .createOMElement(
                            new QName(
                                    RahasConstants.WSP_NS,
                                    RahasConstants.IssuanceBindingLocalNames.APPLIES_TO,
                                    RahasConstants.WSP_PREFIX), rstrElem);
            appliesToElem.addChild(appliesToEpr);
        }

        // Use GMT time in milliseconds
        DateFormat zulu = new XmlSchemaDateFormat();

        // Add the Lifetime element
        TrustUtil.createLifetimeElement(wstVersion, rstrElem, zulu
                .format(notBefore), zulu.format(notAfter));

        OMElement reqSecTokenElem = TrustUtil
                .createRequestedSecurityTokenElement(wstVersion, rstrElem);

        Node assertionElement = doc.importNode(assertionElem, true);
        reqSecTokenElem.addChild((OMNode) assertionElement);

        if (log.isDebugEnabled()) {
            log.debug(assertionElement.toString());
        }

        if (encryptedKey != null) {
            encryptSAMLAssertion(doc, (Element) assertionElement, encryptedKey);
        }

        createAttachedRef(rstrElem, assertionId);
        createUnattachedRef(rstrElem, assertionId);

        // Store the Token
        Token assertionToken = new Token(assertionId, (OMElement) doc
                .importNode(assertionElem, true), notBefore, notAfter);

        // At this point we definitely have the secret
        // Otherwise it should fail with an exception earlier
        assertionToken.setSecret(data.getEphmeralKey());
        TrustUtil.getTokenStore(inMsgCtx).add(assertionToken);

        // Creating the ReqProoftoken - END
        if (log.isDebugEnabled()) {
            log.debug("RSTR Elem created.");
        }
        log.info("RSTR ready with token : " + assertionId);
        return rstrElem;
    }

    /**
     * Create and add wst:AttachedReference element
     * 
     * @param rstrElem
     *            wst:RequestSecurityToken element
     * @param id
     *            Token identifier
     */
    protected void createAttachedRef(OMElement rstrElem, String id) {
        OMFactory fac = rstrElem.getOMFactory();
        OMElement rar = fac
                .createOMElement(
                        new QName(
                                RahasConstants.WST_NS_05_02,
                                RahasConstants.IssuanceBindingLocalNames.REQUESTED_ATTACHED_REFERENCE,
                                RahasConstants.WST_PREFIX), rstrElem);
        OMElement str = fac.createOMElement(new QName(WSConstants.WSSE_NS,
                SecurityTokenReference.SECURITY_TOKEN_REFERENCE,
                WSConstants.WSSE_PREFIX), rar);
        OMElement ki = fac.createOMElement(new QName(WSConstants.WSSE_NS,
                "KeyIdentifier", WSConstants.WSSE_PREFIX), str);
        ki.addAttribute("ValueType", WSS_SAML_NS
                + WSConstants.SAML_ASSERTION_ID, null);
        ki.setText(id);
    }

    /**
     * Create and add wst:UnattachedReference element
     * 
     * @param rstrElem
     *            wst:RequestSecurityToken element
     * @param id
     *            Token identifier
     */
    protected void createUnattachedRef(OMElement rstrElem, String id) {
        OMFactory fac = rstrElem.getOMFactory();
        OMElement rar = fac
                .createOMElement(
                        new QName(
                                RahasConstants.WST_NS_05_02,
                                RahasConstants.IssuanceBindingLocalNames.REQUESTED_UNATTACHED_REFERENCE,
                                RahasConstants.WST_PREFIX), rstrElem);
        OMElement str = fac.createOMElement(new QName(WSConstants.WSSE_NS,
                SecurityTokenReference.SECURITY_TOKEN_REFERENCE,
                WSConstants.WSSE_PREFIX), rar);
        OMElement ki = fac.createOMElement(new QName(WSConstants.WSSE_NS,
                "KeyIdentifier", WSConstants.WSSE_PREFIX), str);

        ki.addAttribute("ValueType", WSS_SAML_NS
                + WSConstants.SAML_ASSERTION_ID, null);
        ki.setText(id);
    }

    /**
     * Encrypt the given SAML Assertion element with the given key information.
     * 
     * @param doc
     * @param assertionElement
     * @param encryptedKey
     */
    private void encryptSAMLAssertion(Document doc, Element assertionElement,
            WSSecEncryptedKey encryptedKey) throws TrustException {
        try {
            XMLCipher xmlCipher = XMLCipher.getInstance(WSConstants.AES_256);
            SecretKey secretKey = WSSecurityUtil.prepareSecretKey(
                    WSConstants.AES_256, encryptedKey.getEphemeralKey());
            xmlCipher.init(XMLCipher.ENCRYPT_MODE, secretKey);
            String xencEncryptedDataId = "EncDataId-"
                    + assertionElement.hashCode();

            KeyInfo keyInfo = new KeyInfo(doc);
            keyInfo.addUnknownElement(encryptedKey.getEncryptedKeyElement());

            EncryptedData encData = xmlCipher.getEncryptedData();
            encData.setId(xencEncryptedDataId);
            encData.setKeyInfo(keyInfo);
            xmlCipher.doFinal(doc, assertionElement, false);
        } catch (Exception e) {
            throw new TrustException(TrustException.REQUEST_FAILED, e);
        }
    }

    /**
     * Create the DisplayToken element according to CardSpace specifications.
     * 
     * @param rahasData
     *            Information from the WS-Trust request.
     * @param ipData
     *            CardSpace specific meta-data for this issuance.
     * @return The DisplayToken element.
     */
    protected OMElement createDisplayToken(OMElement rstrElem,
            IdentityProviderData ipData) throws IdentityProviderException {
        if (log.isDebugEnabled()) {
            log.debug("Begin Display token creation.");
        }

        Map requestedClaims = ipData.getRequestedClaims();

        if (requestedClaims.isEmpty())
            return null;

        OMElement rdt = IdentityProviderUtil.createRequestedDisplayToken(
                rstrElem, ipData);
        OMElement displayToken = IdentityProviderUtil.createDisplayToken(rdt,
                ipData);

        try {
            Iterator ite = requestedClaims.values().iterator();
            while (ite.hasNext()) {
                RequestedClaimData claim = (RequestedClaimData) ite.next();

                if (claim.uri.equals(IdentityConstants.CLAIM_PPID)) {
                    // PPID display token
                    IdentityProviderUtil.createDisplayClaim(displayToken,
                            ipData.getDisplayName(claim.uri), IdentityUtil
                                    .getPPIDDisplayValue(claim.value),
                            claim.uri);
                } else {
                    IdentityProviderUtil.createDisplayClaim(displayToken,
                            ipData.getDisplayName(claim.uri), claim.value,
                            claim.uri);
                }
            }
        } catch (Exception e) {
            throw new IdentityProviderException(e.getMessage(), e);
        }

        if (log.isDebugEnabled()) {
            log.debug("createDisplayToken");
        }

        return rdt;
    }

    /**
     * {@inheritDoc}
     */
    public void setConfigurationElement(OMElement configElement) {
        // Nothing to do
    }

    /**
     * {@inheritDoc}
     */
    public void setConfigurationFile(String configFile) {
        // Nothing to do
    }

    /**
     * {@inheritDoc}
     */
    public void setConfigurationParamName(String configParamName) {
        // Nothing to do
    }

    /**
     * Check whether the information card referenced in the token request is a
     * valid managed information card issued by the identity provider.
     * 
     * @param cardId
     *            Identifier of the information card.
     * @return Whether the card is valid or not.
     * @throws IdentityProviderException
     */
    private boolean isValidCard(String cardId) throws IdentityProviderException {
        if (log.isDebugEnabled()) {
            log.debug("Begin Validating card.");
        }
        boolean retval = false;
        IPPersistenceManager dbman = IPPersistenceManager
                .getPersistanceManager();
        InfoCardDO card = dbman.getInfoCard(cardId);
        if (card != null) {
            Calendar cal = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
            Date now = cal.getTime();

            if (now.before(card.getDateExpires())
                    && now.after(card.getDateIssued())) {
                retval = true;
            }
        }

        return retval;
    }

    protected IdentityProviderData getIdentityProviderData(RahasData rahasData)
            throws Exception {
        return new IdentityProviderData(rahasData);
    }

    protected Element createSAMLAssertionAsDOM(IdentityProviderData ipData,
            RahasData rahasData, DateTime notBefore, DateTime notAfter,
            String assertionId) throws IdentityProviderException {

        Element elem = null;
        SAMLTokenBuilder builder = null;
        final String requiredTokenType = ipData.getRequiredTokenType();
        if (requiredTokenType.equals(IdentityConstants.SAML10_URL)
                || requiredTokenType.equals(IdentityConstants.SAML11_URL)) {
            builder = new SAML1TokenBuilder();
        } else if (requiredTokenType.equals(IdentityConstants.SAML20_URL)) {
            builder = new SAML2TokenBuilder();
        }

        SAMLTokenDirector director = new SAMLTokenDirector(builder, rahasData,
                ipData);
        elem = director.createSAMLToken(notBefore, notAfter, assertionId);

        return elem;
    }

    protected boolean checkIsValidTokenType(IdentityProviderData data)
            throws IdentityProviderException {
        boolean isValid = false;
        String type = data.getRequiredTokenType();
        ParameterAdmin admin = new ParameterAdmin();
        String types = admin
                .getParameterValue(IdentityConstants.PARAM_SUPPORTED_TOKEN_TYPES);
        String[] arrTypes = types.split(",");

        for (int i = 0; i < arrTypes.length; i++) {
            if (arrTypes[i].equals(type)) {
                isValid = true;
                break;
            }
        }
        return isValid;
    }

}