STSValidatingLoginModule.java example

Explorer
picketlink-master
/*
 * JBoss, Home of Professional Open Source
 *
 * Copyright 2013 Red Hat, Inc. and/or its affiliates.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.picketlink.identity.federation.core.wstrust.auth;

import org.picketlink.common.exceptions.fed.WSTrustException;
import org.picketlink.identity.federation.core.wstrust.STSClient;
import org.w3c.dom.Element;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import java.io.IOException;

/**
 * JAAS LoginModule for JBoss STS (Security Token Service) that validates security tokens. </p> This LoginModule only
 * performs
 * validation of existing SAML Assertions and does not issue any such Assertions.
 *
 * <h3>Configuration example</h3>
 *
 * <pre>
 * {@code
 * <application-policy name="saml-validate-token">
 *   <authentication>
 *     <login-module code="org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule"
 * flag="required">
 *       <module-option name="configFile">/sts-client.properties</module-option>
 *     </login-module>
 *   </authentication>
 * </application-policy>
 * }
 * </pre>
 *
 * @author <a href="mailto:dbevenius@jboss.com">Daniel Bevenius</a>
 */
public class STSValidatingLoginModule extends AbstractSTSLoginModule {

    /**
     * This method will validate the token with the configured STS.
     *
     * @return Element The token that was validated.
     *
     * @throws LoginException If it was not possible to validate the token for any reason.
     */
    public Element invokeSTS(final STSClient stsClient) throws WSTrustException, LoginException {
        try {
            // See if a previous stacked login module stored the token.
            Element token = (Element) getSharedToken();

            if (token == null)
                token = getSamlTokenFromCaller();

            final boolean result = stsClient.validateToken(token);

            logger.debug("SAML Token Validation result: " + result);

            if (result == false) {
                // Throw an exception as returing false only says that this login module should be ignored.
                throw logger.authCouldNotValidateSAMLToken(token);
            }

            return token;
        } catch (final IOException e) {
            throw logger.authLoginError(e);
        } catch (final UnsupportedCallbackException e) {
            throw logger.authLoginError(e);
        }
    }

    private Element getSamlTokenFromCaller() throws UnsupportedCallbackException, LoginException, IOException {
        final TokenCallback callback = new TokenCallback();

        getCallbackHandler().handle(new Callback[]{callback});

        final Element token = (Element) callback.getToken();
        if (token == null)
            throw logger.authCouldNotLocateSecurityToken();

        return token;
    }
}