001: /*
002: * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
003: *
004: * Copyright 1997-2007 Sun Microsystems, Inc. All rights reserved.
005: *
006: * The contents of this file are subject to the terms of either the GNU
007: * General Public License Version 2 only ("GPL") or the Common Development
008: * and Distribution License("CDDL") (collectively, the "License"). You
009: * may not use this file except in compliance with the License. You can obtain
010: * a copy of the License at https://glassfish.dev.java.net/public/CDDL+GPL.html
011: * or glassfish/bootstrap/legal/LICENSE.txt. See the License for the specific
012: * language governing permissions and limitations under the License.
013: *
014: * When distributing the software, include this License Header Notice in each
015: * file and include the License file at glassfish/bootstrap/legal/LICENSE.txt.
016: * Sun designates this particular file as subject to the "Classpath" exception
017: * as provided by Sun in the GPL Version 2 section of the License file that
018: * accompanied this code. If applicable, add the following below the License
019: * Header, with the fields enclosed by brackets [] replaced by your own
020: * identifying information: "Portions Copyrighted [year]
021: * [name of copyright owner]"
022: *
023: * Contributor(s):
024: *
025: * If you wish your version of this file to be governed by only the CDDL or
026: * only the GPL Version 2, indicate your decision by adding "[Contributor]
027: * elects to include this software in this distribution under the [CDDL or GPL
028: * Version 2] license." If you don't indicate a single choice of license, a
029: * recipient has the option to distribute your version of this file under
030: * either the CDDL, the GPL Version 2 or to extend the choice of license to
031: * its licensees as provided above. However, if you add GPL Version 2 code
032: * and therefore, elected the GPL Version 2 license, then the option applies
033: * only if the new code is made subject to such option by the copyright
034: * holder.
035: */
036:
037: package com.sun.xml.ws.security.trust.impl;
038:
039: import com.sun.org.apache.xml.internal.security.keys.content.X509Data;
040: import com.sun.xml.ws.security.trust.impl.elements.str.KeyIdentifierImpl;
041: import com.sun.xml.ws.security.trust.impl.elements.str.SecurityTokenReferenceImpl;
042: import com.sun.xml.wss.impl.MessageConstants;
043: import com.sun.xml.wss.saml.NameID;
044:
045: import java.io.IOException;
046: import java.security.PrivateKey;
047: import java.security.PublicKey;
048: import java.security.cert.X509Certificate;
049: import java.util.ArrayList;
050: import java.util.Calendar;
051: import java.util.GregorianCalendar;
052: import java.util.HashMap;
053: import java.util.Iterator;
054: import java.util.List;
055: import java.util.Map;
056: import java.util.Set;
057: import java.util.UUID;
058:
059: import javax.crypto.spec.SecretKeySpec;
060: import javax.security.auth.callback.Callback;
061: import javax.security.auth.callback.CallbackHandler;
062:
063: import com.sun.org.apache.xml.internal.security.keys.KeyInfo;
064: import com.sun.org.apache.xml.internal.security.encryption.XMLCipher;
065: import com.sun.org.apache.xml.internal.security.encryption.EncryptedData;
066: import com.sun.org.apache.xml.internal.security.encryption.EncryptedKey;
067: import com.sun.org.apache.xml.internal.security.encryption.XMLEncryptionException;
068:
069: import com.sun.xml.ws.api.security.trust.STSAttributeProvider;
070: import com.sun.xml.ws.api.security.trust.WSTrustException;
071: import com.sun.xml.ws.api.security.trust.config.TrustSPMetadata;
072: import com.sun.xml.ws.security.IssuedTokenContext;
073: import com.sun.xml.ws.security.trust.elements.str.KeyIdentifier;
074: import com.sun.xml.ws.security.trust.elements.str.SecurityTokenReference;
075: import com.sun.xml.ws.security.Token;
076: import com.sun.xml.ws.security.trust.GenericToken;
077: import com.sun.xml.ws.security.trust.WSTrustConstants;
078: import com.sun.xml.ws.security.trust.WSTrustElementFactory;
079: import com.sun.xml.ws.security.trust.util.WSTrustUtil;
080: import com.sun.xml.ws.security.trust.elements.BinarySecret;
081:
082: import com.sun.xml.wss.SecurityEnvironment;
083: import com.sun.xml.wss.core.reference.X509SubjectKeyIdentifier;
084: import com.sun.xml.wss.impl.callback.EncryptionKeyCallback;
085: import com.sun.xml.wss.impl.callback.SignatureKeyCallback;
086: import com.sun.xml.wss.XWSSecurityException;
087: import com.sun.xml.wss.saml.Advice;
088: import com.sun.xml.wss.saml.Assertion;
089: import com.sun.xml.wss.saml.Attribute;
090: import com.sun.xml.wss.saml.AttributeStatement;
091: import com.sun.xml.wss.saml.AuthenticationStatement;
092: import com.sun.xml.wss.saml.AuthnContext;
093: import com.sun.xml.wss.saml.AuthnStatement;
094: import com.sun.xml.wss.saml.Conditions;
095: import com.sun.xml.wss.saml.NameIdentifier;
096: import com.sun.xml.wss.saml.SAMLAssertionFactory;
097: import com.sun.xml.wss.saml.SAMLException;
098: import com.sun.xml.wss.saml.SubjectConfirmation;
099: import com.sun.xml.wss.saml.KeyInfoConfirmationData;
100:
101: import javax.security.auth.callback.UnsupportedCallbackException;
102:
103: import com.sun.xml.wss.impl.misc.Base64;
104:
105: import javax.xml.bind.JAXBException;
106: import javax.xml.namespace.QName;
107:
108: import javax.xml.parsers.DocumentBuilderFactory;
109: import javax.xml.parsers.ParserConfigurationException;
110:
111: import org.w3c.dom.*;
112:
113: import java.util.logging.Level;
114: import java.util.logging.Logger;
115: import com.sun.xml.ws.security.trust.logging.LogDomainConstants;
116: import com.sun.xml.ws.security.trust.logging.LogStringsMessages;
117:
118: public class IssueSamlTokenContractImpl extends IssueSamlTokenContract {
119:
120: private static final Logger log = Logger.getLogger(
121: LogDomainConstants.TRUST_IMPL_DOMAIN,
122: LogDomainConstants.TRUST_IMPL_DOMAIN_BUNDLE);
123:
124: private static final String SAML_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";
125:
126: public Token createSAMLAssertion(final String appliesTo,
127: final String tokenType, final String keyType,
128: final String assertionId, final String issuer,
129: final Map<QName, List<String>> claimedAttrs,
130: final IssuedTokenContext context) throws WSTrustException {
131: Token token = null;
132:
133: // Get the service certificate
134: TrustSPMetadata spMd = stsConfig.getTrustSPMetadata(appliesTo);
135: if (spMd == null) {
136: spMd = stsConfig.getTrustSPMetadata("default");
137: }
138: final X509Certificate serCert = getServiceCertificate(spMd,
139: appliesTo);
140:
141: // Create the KeyInfo for SubjectConfirmation
142: final KeyInfo keyInfo = createKeyInfo(keyType, serCert,
143: context, appliesTo);
144:
145: // Create SAML assertion
146: Assertion assertion = null;
147: if (WSTrustConstants.SAML10_ASSERTION_TOKEN_TYPE
148: .equals(tokenType)
149: || WSTrustConstants.SAML11_ASSERTION_TOKEN_TYPE
150: .equals(tokenType)) {
151: assertion = createSAML11Assertion(assertionId, issuer,
152: appliesTo, keyInfo, claimedAttrs);
153: } else if (WSTrustConstants.SAML20_ASSERTION_TOKEN_TYPE
154: .equals(tokenType)) {
155: assertion = createSAML20Assertion(assertionId, issuer,
156: appliesTo, keyInfo, claimedAttrs);
157: } else {
158: log.log(Level.SEVERE, LogStringsMessages
159: .WST_0031_UNSUPPORTED_TOKEN_TYPE(tokenType,
160: appliesTo));
161: throw new WSTrustException(LogStringsMessages
162: .WST_0031_UNSUPPORTED_TOKEN_TYPE(tokenType,
163: appliesTo));
164: }
165:
166: // Get the STS's certificate and private key
167: Object[] stsCertsAndPrikey = getSTSCertAndPrivateKey();
168: final X509Certificate stsCert = (X509Certificate) stsCertsAndPrikey[0];
169: final PrivateKey stsPrivKey = (PrivateKey) stsCertsAndPrikey[1];
170:
171: // Sign the assertion with STS's private key
172: Element signedAssertion = null;
173: try {
174: signedAssertion = assertion.sign(stsCert, stsPrivKey);
175: } catch (SAMLException ex) {
176: log.log(Level.SEVERE, LogStringsMessages
177: .WST_0032_ERROR_CREATING_SAML_ASSERTION(), ex);
178: throw new WSTrustException(LogStringsMessages
179: .WST_0032_ERROR_CREATING_SAML_ASSERTION(), ex);
180: }
181:
182: //javax.xml.bind.Unmarshaller u = eleFac.getContext().createUnmarshaller();
183: //JAXBElement<AssertionType> aType = u.unmarshal(signedAssertion, AssertionType.class);
184: //assertion = new com.sun.xml.wss.saml.assertion.saml11.jaxb20.Assertion(aType.getValue());
185: //token = new GenericToken(signedAssertion);
186:
187: if (stsConfig.getEncryptIssuedToken()) {
188: Element encData = encryptToken(signedAssertion, serCert,
189: appliesTo);
190: token = new GenericToken(encData);
191: //JAXBElement<EncryptedDataType> eEle = u.unmarshal(cipher.martial(encData), EncryptedDataType.class);
192: //return eEle.getValue();
193: } else {
194: token = new GenericToken(signedAssertion);
195: }
196:
197: return token;
198: }
199:
200: private EncryptedKey encryptKey(final Document doc,
201: final byte[] encryptedKey, final X509Certificate cert,
202: final String appliesTo) throws WSTrustException {
203: EncryptedKey encKey = null;
204: try {
205: final PublicKey pubKey = cert.getPublicKey();
206: final XMLCipher cipher = XMLCipher
207: .getInstance(XMLCipher.RSA_OAEP);
208: cipher.init(XMLCipher.WRAP_MODE, pubKey);
209:
210: encKey = cipher.encryptKey(doc, new SecretKeySpec(
211: encryptedKey, "AES"));
212: final KeyInfo keyinfo = new KeyInfo(doc);
213: //KeyIdentifier keyIdentifier = new KeyIdentifierImpl(MessageConstants.ThumbPrintIdentifier_NS,null);
214: //keyIdentifier.setValue(Base64.encode(X509ThumbPrintIdentifier.getThumbPrintIdentifier(serCert)));
215: byte[] skid = X509SubjectKeyIdentifier
216: .getSubjectKeyIdentifier(cert);
217: if (skid != null && skid.length > 0) {
218: final KeyIdentifier keyIdentifier = new KeyIdentifierImpl(
219: MessageConstants.X509SubjectKeyIdentifier_NS,
220: null);
221: keyIdentifier.setValue(Base64.encode(skid));
222: final SecurityTokenReference str = new SecurityTokenReferenceImpl(
223: keyIdentifier);
224: keyinfo.addUnknownElement((Element) doc.importNode(
225: WSTrustElementFactory.newInstance().toElement(
226: str, null), true));
227: } else {
228: final X509Data x509data = new X509Data(doc);
229: x509data.addCertificate(cert);
230: }
231: encKey.setKeyInfo(keyinfo);
232: } catch (XWSSecurityException ex) {
233: log.log(Level.SEVERE, LogStringsMessages
234: .WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo), ex);
235: throw new WSTrustException(LogStringsMessages
236: .WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo), ex);
237: } catch (XMLEncryptionException ex) {
238: log.log(Level.SEVERE, LogStringsMessages
239: .WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo), ex);
240: throw new WSTrustException(LogStringsMessages
241: .WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo), ex);
242: } catch (com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityException ex) {
243: log.log(Level.SEVERE, LogStringsMessages
244: .WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo), ex);
245: throw new WSTrustException(LogStringsMessages
246: .WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo), ex);
247: }
248:
249: return encKey;
250: }
251:
252: private Element encryptToken(final Element assertion,
253: final X509Certificate serCert, final String appliesTo)
254: throws WSTrustException {
255: Element encDataEle = null;
256: // Create the encryption key
257: try {
258: final XMLCipher cipher = XMLCipher
259: .getInstance(XMLCipher.AES_256);
260: final int keysizeInBytes = 32;
261: final byte[] skey = WSTrustUtil
262: .generateRandomSecret(keysizeInBytes);
263: cipher.init(XMLCipher.ENCRYPT_MODE, new SecretKeySpec(skey,
264: "AES"));
265:
266: // Encrypt the assertion and return the Encrypteddata
267: final Document owner = assertion.getOwnerDocument();
268: final EncryptedData encData = cipher.encryptData(owner,
269: assertion);
270: final String id = "uuid-" + UUID.randomUUID().toString();
271: encData.setId(id);
272:
273: final KeyInfo encKeyInfo = new KeyInfo(owner);
274: final EncryptedKey encKey = encryptKey(owner, skey,
275: serCert, appliesTo);
276: encKeyInfo.add(encKey);
277: encData.setKeyInfo(encKeyInfo);
278:
279: encDataEle = cipher.martial(encData);
280: } catch (XMLEncryptionException ex) {
281: log
282: .log(
283: Level.SEVERE,
284: LogStringsMessages
285: .WST_0044_ERROR_ENCRYPT_ISSUED_TOKEN(appliesTo),
286: ex);
287: throw new WSTrustException(LogStringsMessages
288: .WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo), ex);
289: } catch (Exception ex) {
290: log
291: .log(
292: Level.SEVERE,
293: LogStringsMessages
294: .WST_0044_ERROR_ENCRYPT_ISSUED_TOKEN(appliesTo),
295: ex);
296: throw new WSTrustException(LogStringsMessages
297: .WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo), ex);
298: }
299:
300: return encDataEle;
301: }
302:
303: private X509Certificate getServiceCertificate(TrustSPMetadata spMd,
304: String appliesTo) throws WSTrustException {
305: String certAlias = spMd.getCertAlias();
306: X509Certificate cert = null;
307: CallbackHandler callbackHandler = stsConfig
308: .getCallbackHandler();
309: if (callbackHandler != null) {
310: // Get the service certificate
311: final EncryptionKeyCallback.AliasX509CertificateRequest req = new EncryptionKeyCallback.AliasX509CertificateRequest(
312: spMd.getCertAlias());
313: final EncryptionKeyCallback callback = new EncryptionKeyCallback(
314: req);
315: final Callback[] callbacks = { callback };
316: try {
317: callbackHandler.handle(callbacks);
318: } catch (IOException ex) {
319: log.log(Level.SEVERE, LogStringsMessages
320: .WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo),
321: ex);
322: throw new WSTrustException(LogStringsMessages
323: .WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo),
324: ex);
325: } catch (UnsupportedCallbackException ex) {
326: log.log(Level.SEVERE, LogStringsMessages
327: .WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo),
328: ex);
329: throw new WSTrustException(LogStringsMessages
330: .WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo),
331: ex);
332: }
333:
334: cert = req.getX509Certificate();
335: } else {
336: SecurityEnvironment secEnv = (SecurityEnvironment) stsConfig
337: .getOtherOptions().get(
338: WSTrustConstants.SECURITY_ENVIRONMENT);
339: try {
340: cert = secEnv.getCertificate(new HashMap(), certAlias,
341: false);
342: } catch (XWSSecurityException ex) {
343: log.log(Level.SEVERE, LogStringsMessages
344: .WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo),
345: ex);
346: throw new WSTrustException(LogStringsMessages
347: .WST_0033_UNABLE_GET_SERVICE_CERT(appliesTo),
348: ex);
349: }
350: }
351:
352: return cert;
353: }
354:
355: private Object[] getSTSCertAndPrivateKey() throws WSTrustException {
356:
357: X509Certificate stsCert = null;
358: PrivateKey stsPrivKey = null;
359: CallbackHandler callbackHandler = stsConfig
360: .getCallbackHandler();
361: if (callbackHandler != null) {
362: final SignatureKeyCallback.DefaultPrivKeyCertRequest request = new SignatureKeyCallback.DefaultPrivKeyCertRequest();
363: final Callback skc = new SignatureKeyCallback(request);
364: final Callback[] callbacks = { skc };
365: try {
366: callbackHandler.handle(callbacks);
367: } catch (IOException ex) {
368: log.log(Level.SEVERE, LogStringsMessages
369: .WST_0043_UNABLE_GET_STS_KEY(), ex);
370: throw new WSTrustException(LogStringsMessages
371: .WST_0043_UNABLE_GET_STS_KEY(), ex);
372: } catch (UnsupportedCallbackException ex) {
373: log.log(Level.SEVERE, LogStringsMessages
374: .WST_0043_UNABLE_GET_STS_KEY(), ex);
375: throw new WSTrustException(LogStringsMessages
376: .WST_0043_UNABLE_GET_STS_KEY(), ex);
377: }
378:
379: stsPrivKey = request.getPrivateKey();
380: stsCert = request.getX509Certificate();
381: } else {
382: SecurityEnvironment secEnv = (SecurityEnvironment) stsConfig
383: .getOtherOptions().get(
384: WSTrustConstants.SECURITY_ENVIRONMENT);
385: try {
386: stsCert = secEnv.getDefaultCertificate(new HashMap());
387: stsPrivKey = secEnv.getPrivateKey(new HashMap(),
388: stsCert);
389: } catch (XWSSecurityException ex) {
390: log.log(Level.SEVERE, LogStringsMessages
391: .WST_0043_UNABLE_GET_STS_KEY(), ex);
392: throw new WSTrustException(LogStringsMessages
393: .WST_0043_UNABLE_GET_STS_KEY(), ex);
394: }
395: }
396:
397: Object[] results = new Object[2];
398: results[0] = stsCert;
399: results[1] = stsPrivKey;
400: return results;
401: }
402:
403: private KeyInfo createKeyInfo(final String keyType,
404: final X509Certificate serCert,
405: final IssuedTokenContext ctx, String appliesTo)
406: throws WSTrustException {
407: final DocumentBuilderFactory docFactory = DocumentBuilderFactory
408: .newInstance();
409:
410: Document doc = null;
411: try {
412: doc = docFactory.newDocumentBuilder().newDocument();
413: } catch (ParserConfigurationException ex) {
414: log.log(Level.SEVERE, LogStringsMessages
415: .WST_0039_ERROR_CREATING_DOCFACTORY(), ex);
416: throw new WSTrustException(LogStringsMessages
417: .WST_0039_ERROR_CREATING_DOCFACTORY(), ex);
418: }
419:
420: final KeyInfo keyInfo = new KeyInfo(doc);
421: if (WSTrustConstants.SYMMETRIC_KEY.equals(keyType)) {
422: final byte[] key = ctx.getProofKey();
423: if (!stsConfig.getEncryptIssuedToken()
424: && stsConfig.getEncryptIssuedKey()) {
425: final EncryptedKey encKey = encryptKey(doc, key,
426: serCert, appliesTo);
427: try {
428: keyInfo.add(encKey);
429: } catch (XMLEncryptionException ex) {
430: log
431: .log(
432: Level.SEVERE,
433: LogStringsMessages
434: .WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo),
435: ex);
436: throw new WSTrustException(
437: LogStringsMessages
438: .WST_0040_ERROR_ENCRYPT_PROOFKEY(appliesTo),
439: ex);
440: }
441: } else {
442: final BinarySecret secret = eleFac.createBinarySecret(
443: key, BinarySecret.SYMMETRIC_KEY_TYPE);
444: final Element bsEle = eleFac.toElement(secret, doc);
445: keyInfo.addUnknownElement(bsEle);
446: }
447: } else if (WSTrustConstants.PUBLIC_KEY.equals(keyType)) {
448: final X509Data x509data = new X509Data(doc);
449: try {
450: x509data.addCertificate(ctx.getRequestorCertificate());
451: } catch (com.sun.org.apache.xml.internal.security.exceptions.XMLSecurityException ex) {
452: log.log(Level.SEVERE, LogStringsMessages
453: .WST_0034_UNABLE_GET_CLIENT_CERT(), ex);
454: throw new WSTrustException(LogStringsMessages
455: .WST_0034_UNABLE_GET_CLIENT_CERT(), ex);
456: }
457: keyInfo.add(x509data);
458: }
459:
460: return keyInfo;
461: }
462:
463: private Assertion createSAML11Assertion(final String assertionId,
464: final String issuer, final String appliesTo,
465: final KeyInfo keyInfo,
466: final Map<QName, List<String>> claimedAttrs)
467: throws WSTrustException {
468: Assertion assertion = null;
469: try {
470: final SAMLAssertionFactory samlFac = SAMLAssertionFactory
471: .newInstance(SAMLAssertionFactory.SAML1_1);
472:
473: final GregorianCalendar issuerInst = new GregorianCalendar();
474: final GregorianCalendar notOnOrAfter = new GregorianCalendar();
475: notOnOrAfter.add(Calendar.MILLISECOND, (int) stsConfig
476: .getIssuedTokenTimeout());
477:
478: final Conditions conditions = samlFac.createConditions(
479: issuerInst, notOnOrAfter, null, null, null);
480: final Advice advice = samlFac
481: .createAdvice(null, null, null);
482:
483: final List<String> confirmMethods = new ArrayList<String>();
484: confirmMethods.add(SAML_HOLDER_OF_KEY);
485:
486: final SubjectConfirmation subjectConfirm = samlFac
487: .createSubjectConfirmation(confirmMethods, null,
488: keyInfo.getElement());
489:
490: com.sun.xml.wss.saml.Subject subj = null;
491: final List<Attribute> attrs = new ArrayList<Attribute>();
492: final Set<Map.Entry<QName, List<String>>> entries = claimedAttrs
493: .entrySet();
494: for (Map.Entry<QName, List<String>> entry : entries) {
495: final QName attrKey = (QName) entry.getKey();
496: final List<String> values = (List<String>) entry
497: .getValue();
498: if (values != null && values.size() > 0) {
499: if (STSAttributeProvider.NAME_IDENTIFIER
500: .equals(attrKey.getLocalPart())
501: && subj == null) {
502: final NameIdentifier nameId = samlFac
503: .createNameIdentifier(values.get(0),
504: attrKey.getNamespaceURI(), null);
505: subj = samlFac.createSubject(nameId,
506: subjectConfirm);
507: } else {
508: final Attribute attr = samlFac.createAttribute(
509: attrKey.getLocalPart(), attrKey
510: .getNamespaceURI(), values);
511: attrs.add(attr);
512: }
513: }
514: }
515:
516: final List<Object> statements = new ArrayList<Object>();
517: if (attrs.isEmpty()) {
518: final AuthenticationStatement statement = samlFac
519: .createAuthenticationStatement(null,
520: issuerInst, subj, null, null);
521: statements.add(statement);
522: } else {
523: final AttributeStatement statement = samlFac
524: .createAttributeStatement(subj, attrs);
525: statements.add(statement);
526: }
527: assertion = samlFac.createAssertion(assertionId, issuer,
528: issuerInst, conditions, advice, statements);
529: } catch (SAMLException ex) {
530: log.log(Level.SEVERE, LogStringsMessages
531: .WST_0032_ERROR_CREATING_SAML_ASSERTION(), ex);
532: throw new WSTrustException(LogStringsMessages
533: .WST_0032_ERROR_CREATING_SAML_ASSERTION(), ex);
534: } catch (XWSSecurityException ex) {
535: log.log(Level.SEVERE, LogStringsMessages
536: .WST_0032_ERROR_CREATING_SAML_ASSERTION(), ex);
537: throw new WSTrustException(LogStringsMessages
538: .WST_0032_ERROR_CREATING_SAML_ASSERTION(), ex);
539: }
540:
541: return assertion;
542: }
543:
544: private Assertion createSAML20Assertion(final String assertionId,
545: final String issuer, final String appliesTo,
546: final KeyInfo keyInfo,
547: final Map<QName, List<String>> claimedAttrs)
548: throws WSTrustException {
549: Assertion assertion = null;
550: try {
551: final SAMLAssertionFactory samlFac = SAMLAssertionFactory
552: .newInstance(SAMLAssertionFactory.SAML2_0);
553:
554: // Create Conditions
555: final GregorianCalendar issueInst = new GregorianCalendar();
556: final GregorianCalendar notOnOrAfter = new GregorianCalendar();
557: notOnOrAfter.add(Calendar.MILLISECOND, (int) stsConfig
558: .getIssuedTokenTimeout());
559:
560: final Conditions conditions = samlFac.createConditions(
561: issueInst, notOnOrAfter, null, null, null, null);
562:
563: // Create Subject
564:
565: // SubjectConfirmationData subjComfData = samlFac.createSubjectConfirmationData(
566: // null, null, null, null, appliesTo, keyInfo.getElement());
567:
568: final KeyInfoConfirmationData keyInfoConfData = samlFac
569: .createKeyInfoConfirmationData(keyInfo.getElement());
570:
571: final SubjectConfirmation subjectConfirm = samlFac
572: .createSubjectConfirmation(null, keyInfoConfData,
573: SAML_HOLDER_OF_KEY);
574:
575: com.sun.xml.wss.saml.Subject subj = null;
576: final List<Attribute> attrs = new ArrayList<Attribute>();
577: final Set<Map.Entry<QName, List<String>>> entries = claimedAttrs
578: .entrySet();
579: for (Map.Entry<QName, List<String>> entry : entries) {
580: final QName attrKey = (QName) entry.getKey();
581: final List<String> values = (List<String>) entry
582: .getValue();
583: if (values != null && values.size() > 0) {
584: if (STSAttributeProvider.NAME_IDENTIFIER
585: .equals(attrKey.getLocalPart())
586: && subj == null) {
587: final NameID nameId = samlFac.createNameID(
588: values.get(0), attrKey
589: .getNamespaceURI(), null);
590: subj = samlFac.createSubject(nameId,
591: subjectConfirm);
592: } else {
593: final Attribute attr = samlFac.createAttribute(
594: attrKey.getLocalPart(), values);
595: attrs.add(attr);
596: }
597: }
598: }
599:
600: final List<Object> statements = new ArrayList<Object>();
601: if (attrs.isEmpty()) {
602: // To Do: create AuthnContext with proper content. Currently what
603: // we have is a place holder.
604: AuthnContext ctx = samlFac.createAuthnContext();
605: final AuthnStatement statement = samlFac
606: .createAuthnStatement(issueInst, null, ctx);
607: statements.add(statement);
608: } else {
609: final AttributeStatement statement = samlFac
610: .createAttributeStatement(attrs);
611: statements.add(statement);
612: }
613:
614: final NameID issuerID = samlFac.createNameID(issuer, null,
615: null);
616:
617: // Create Assertion
618: assertion = samlFac.createAssertion(assertionId, issuerID,
619: issueInst, conditions, null, subj, statements);
620: } catch (SAMLException ex) {
621: log.log(Level.SEVERE, LogStringsMessages
622: .WST_0032_ERROR_CREATING_SAML_ASSERTION(), ex);
623: throw new WSTrustException(LogStringsMessages
624: .WST_0032_ERROR_CREATING_SAML_ASSERTION(), ex);
625: } catch (XWSSecurityException ex) {
626: log.log(Level.SEVERE, LogStringsMessages
627: .WST_0032_ERROR_CREATING_SAML_ASSERTION(), ex);
628: throw new WSTrustException(LogStringsMessages
629: .WST_0032_ERROR_CREATING_SAML_ASSERTION(), ex);
630: }
631:
632: return assertion;
633: }
634: }
|