/*
* Copyright 2005-2007 WSO2, Inc. (http://wso2.com)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.wso2.carbon.identity.sts.mgt.admin;
import org.apache.axiom.om.OMElement;
import org.apache.axis2.AxisFault;
import org.apache.axis2.description.AxisService;
import org.apache.axis2.description.Parameter;
import org.apache.axis2.engine.AxisConfiguration;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.impl.SAMLTokenIssuerConfig;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.identity.base.IdentityConstants;
import org.wso2.carbon.identity.provider.AttributeCallbackHandler;
import org.wso2.carbon.identity.provider.IdentityProviderException;
import org.wso2.carbon.identity.provider.IdentityProviderUtil;
import org.wso2.carbon.identity.sts.IPPasswordCallbackHandler;
import org.wso2.carbon.identity.sts.mgt.internal.IdentitySTSMgtServiceComponent;
import org.wso2.carbon.registry.core.Registry;
import org.wso2.carbon.security.config.SecurityConfigAdmin;
import org.wso2.carbon.security.config.SecurityServiceAdmin;
import org.wso2.carbon.utils.ServerConstants;
import org.wso2.carbon.utils.ServerException;
import javax.security.auth.callback.CallbackHandler;
/**
 * Configures the security of the Security Token Service (STS) endpoints: the Carbon
 * security scenario applied to each identity STS service, the password callback handler
 * those services use, and the SAML issuer configuration of the generic STS.
 */
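public class STSConfigAdmin {

    private static final Log log = LogFactory.getLog(STSConfigAdmin.class);

    /** carbon.xml property holding the path of the server's primary key store. */
    private static final String KEYSTORE_LOCATION_PROPERTY = "Security.KeyStore.Location";

    /** carbon.xml property overriding the lifetime of SAML tokens issued by the generic STS. */
    private static final String STS_TTL_PROPERTY = "STSTimeToLive";

    /** Message logged and wrapped when the security configuration cannot be applied. */
    private static final String SECURITY_CONFIG_ERROR = "errorInChangingSecurityConfiguration";

    /** Carbon security scenario applied to the UT and OpenID STS services (no key store arguments). */
    private static final String SCENARIO_19 = "scenario19";

    /** Carbon security scenario applied together with the server key store. */
    private static final String SCENARIO_18 = "scenario18";

    /** Identity STS services that receive a security scenario on first start-up, in application order. */
    private static final String[] SECURED_STS_SERVICES = {
            IdentityConstants.SERVICE_NAME_STS_UT,
            IdentityConstants.OpenId.SERVICE_NAME_STS_OPENID,
            IdentityConstants.SERVICE_NAME_STS_IC,
            IdentityConstants.OpenId.SERVICE_NAME_STS_IC_OPENID,
            IdentityConstants.SERVICE_NAME_STS_UT_SYMM,
            IdentityConstants.SERVICE_NAME_STS_IC_SYMM };

    /** Identity STS services whose password callback handler is replaced, in application order. */
    private static final String[] CALLBACK_OVERRIDE_SERVICES = {
            IdentityConstants.SERVICE_NAME_STS_UT,
            IdentityConstants.SERVICE_NAME_STS_UT_SYMM,
            IdentityConstants.OpenId.SERVICE_NAME_STS_OPENID,
            IdentityConstants.SERVICE_NAME_STS_IC };

    /**
     * Secures one identity STS service by name. On the first start-up of the identity
     * provider the service's Carbon security scenario is applied; in every case the
     * password callback handler of the service is replaced by
     * {@link IPPasswordCallbackHandler} when the service is one of the identity STS
     * services that authenticate through it. Names that are not identity STS services
     * are ignored.
     *
     * @param serviceName Axis2 name of the STS service to configure
     * @throws IdentityProviderException when the security configuration cannot be applied;
     *         runtime exceptions are propagated unwrapped
     */
    public static void configureService(String serviceName) throws IdentityProviderException {
        try {
            AxisConfiguration axisConfig = IdentitySTSMgtServiceComponent.getConfigurationContext()
                    .getAxisConfiguration();
            SecurityConfigAdmin admin = new SecurityConfigAdmin(axisConfig,
                    IdentitySTSMgtServiceComponent.getRegistryService().getConfigSystemRegistry(),
                    new IPPasswordCallbackHandler());
            String ksName = keyStoreFileName();
            if (log.isDebugEnabled()) {
                log.debug("Applying identity security policy for service " + serviceName);
            }
            if (IdentityProviderUtil.isIntial()) {
                String scenario = scenarioFor(serviceName);
                if (scenario != null) {
                    // Only scenario18 is applied with the server key store; the third and
                    // sixth arguments (presumably policy path and user groups) stay null as
                    // before — confirm against SecurityConfigAdmin.applySecurity.
                    boolean withKeyStore = SCENARIO_18.equals(scenario);
                    admin.applySecurity(serviceName, scenario, null,
                            withKeyStore ? new String[] { ksName } : null,
                            withKeyStore ? ksName : null, null);
                }
            }
            if (contains(CALLBACK_OVERRIDE_SERVICES, serviceName)) {
                overrideCallbackHandler(axisConfig, serviceName);
            }
        } catch (RuntimeException e) {
            // Programming errors are not reported as configuration failures.
            throw e;
        } catch (Exception e) {
            log.error(SECURITY_CONFIG_ERROR, e);
            throw new IdentityProviderException(SECURITY_CONFIG_ERROR, e);
        }
    }

    /**
     * Wires the generic STS (service {@code ServerConstants.STS_NAME}): its SAML issuer
     * configuration gets the identity provider's {@link AttributeCallbackHandler} and,
     * when {@code STSTimeToLive} is set in carbon.xml, the configured token lifetime.
     * Nothing is done when the service or its SAML issuer configuration is absent.
     *
     * @throws IdentityProviderException when the updated configuration cannot be stored
     */
    public static void configureGenericSTS() throws IdentityProviderException {
        try {
            AxisConfiguration config = IdentitySTSMgtServiceComponent.getConfigurationContext()
                    .getAxisConfiguration();
            AxisService stsService = config.getService(ServerConstants.STS_NAME);
            if (stsService == null) {
                return;
            }
            Parameter origParam = stsService.getParameter(
                    SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG.getLocalPart());
            if (origParam == null) {
                return;
            }
            OMElement samlConfigElem = origParam.getParameterElement()
                    .getFirstChildWithName(SAMLTokenIssuerConfig.SAML_ISSUER_CONFIG);
            SAMLTokenIssuerConfig samlConfig = new SAMLTokenIssuerConfig(samlConfigElem);
            samlConfig.setCallbackHandlerName(AttributeCallbackHandler.class.getName());
            applyConfiguredTtl(samlConfig);
            setSTSParameter(samlConfig);
        } catch (Exception e) {
            log.error("Error while setting password callback to the STS", e);
            throw new IdentityProviderException(e.getMessage(), e);
        }
    }

    /**
     * Secures every identity STS service that is currently deployed: on the first
     * start-up of the identity provider each deployed service gets its Carbon security
     * scenario, and in every case the deployed services in
     * {@link #CALLBACK_OVERRIDE_SERVICES} get {@link IPPasswordCallbackHandler} as their
     * password callback handler.
     *
     * @param config   Axis configuration handed to {@link SecurityConfigAdmin}
     * @param registry registry handed to {@link SecurityConfigAdmin}
     * @throws IdentityProviderException when the security configuration cannot be applied
     */
    public static void configureService(AxisConfiguration config, Registry registry)
            throws IdentityProviderException {
        // NOTE(review): service look-ups and callback overrides use the server-wide
        // configuration while SecurityConfigAdmin receives the caller's config; confirm
        // that callers always pass the same instance.
        AxisConfiguration axisConfig = IdentitySTSMgtServiceComponent.getConfigurationContext()
                .getAxisConfiguration();
        try {
            String ksName = keyStoreFileName();
            SecurityConfigAdmin admin = new SecurityConfigAdmin(config, registry,
                    new IPPasswordCallbackHandler());
            if (log.isDebugEnabled()) {
                log.debug("Applying identity security policy for Identity STS services");
            }
            if (IdentityProviderUtil.isIntial()) {
                for (String serviceName : SECURED_STS_SERVICES) {
                    if (axisConfig.getService(serviceName) == null) {
                        continue;
                    }
                    String scenario = scenarioFor(serviceName);
                    // Only scenario18 is applied with the server key store; the third and
                    // sixth arguments (presumably policy path and user groups) stay null as
                    // before — confirm against SecurityConfigAdmin.applySecurity.
                    boolean withKeyStore = SCENARIO_18.equals(scenario);
                    admin.applySecurity(serviceName, scenario, null,
                            withKeyStore ? new String[] { ksName } : null,
                            withKeyStore ? ksName : null, null);
                }
            }
            for (String serviceName : CALLBACK_OVERRIDE_SERVICES) {
                if (axisConfig.getService(serviceName) != null) {
                    overrideCallbackHandler(axisConfig, serviceName);
                }
            }
        } catch (Exception e) {
            log.error(SECURITY_CONFIG_ERROR, e);
            throw new IdentityProviderException(SECURITY_CONFIG_ERROR, e);
        }
    }

    /**
     * Override WSAS callback handler to be able to auth users with usermanager.
     * Any existing {@code PW_CALLBACK_REF} parameter of the service is removed and a
     * fresh {@link IPPasswordCallbackHandler} is registered in its place.
     *
     * @param axisConfig configuration in which the service is deployed
     * @param service    Axis2 name of the service
     * @throws AxisFault when the service is not deployed or the parameter cannot be set
     */
    public static void overrideCallbackHandler(AxisConfiguration axisConfig, String service)
            throws AxisFault {
        AxisService sts = axisConfig.getService(service);
        if (sts == null) {
            // Fail with a clear message instead of a NullPointerException on the next line.
            throw new AxisFault("Service " + service
                    + " is not deployed; cannot set its password callback handler");
        }
        Parameter cbHandlerParam = sts.getParameter(WSHandlerConstants.PW_CALLBACK_REF);
        if (cbHandlerParam != null) {
            sts.removeParameter(cbHandlerParam);
            if (log.isDebugEnabled()) {
                log.debug("removedParameter");
            }
        }
        sts.addParameter(getPasswordCallBackRefParameter(service));
        if (log.isDebugEnabled()) {
            log.debug("addedParameter");
        }
    }

    /**
     * Re-registers the password callback handler of one service. A
     * {@link CallbackHandler} already stored as the value of the {@code PW_CALLBACK_REF}
     * parameter is kept; otherwise an {@link IPPasswordCallbackHandler} is installed.
     *
     * <p>NOTE(review): keeping a pre-existing handler means a service that already carries
     * another handler is not switched to the identity provider's one; confirm that this
     * precedence is intended.
     *
     * @param service service whose parameter is replaced
     * @throws AxisFault when the parameter cannot be added
     */
    public static void overrideCallbackHandler(AxisService service) throws AxisFault {
        Parameter cbHandlerParam = service.getParameter(WSHandlerConstants.PW_CALLBACK_REF);
        CallbackHandler existing = null;
        if (cbHandlerParam != null) {
            // The handler is the parameter's value, not the Parameter object itself;
            // casting the Parameter (as the previous code did) always failed here.
            Object value = cbHandlerParam.getValue();
            if (value instanceof CallbackHandler) {
                existing = (CallbackHandler) value;
            }
            service.removeParameter(cbHandlerParam);
            if (log.isDebugEnabled()) {
                log.debug("removedParameter");
            }
        }
        CallbackHandler cb = existing != null ? existing : new IPPasswordCallbackHandler();
        Parameter param = new Parameter();
        param.setName(WSHandlerConstants.PW_CALLBACK_REF);
        param.setValue(cb);
        service.addParameter(param);
        if (log.isDebugEnabled()) {
            log.debug("addedParameter");
        }
    }

    /**
     * Builds a {@code PW_CALLBACK_REF} parameter whose value is a new
     * {@link IPPasswordCallbackHandler}.
     *
     * @param serviceId unused; kept for signature compatibility with existing callers
     * @return the parameter, ready to be added to a service
     * @throws AxisFault when the handler cannot be instantiated
     */
    public static Parameter getPasswordCallBackRefParameter(String serviceId) throws AxisFault {
        Parameter param = new Parameter();
        param.setName(WSHandlerConstants.PW_CALLBACK_REF);
        try {
            param.setValue(new IPPasswordCallbackHandler());
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            throw new AxisFault(e.getMessage(), e);
        }
        return param;
    }

    /**
     * Stores the SAML issuer configuration as a parameter of the generic STS.
     *
     * @throws AxisFault when the parameter cannot be stored; the underlying
     *         {@link ServerException} is kept as the cause
     */
    private static void setSTSParameter(SAMLTokenIssuerConfig samlConfig) throws AxisFault {
        AxisConfiguration config = IdentitySTSMgtServiceComponent.getConfigurationContext()
                .getAxisConfiguration();
        try {
            new SecurityServiceAdmin(config).setServiceParameterElement(ServerConstants.STS_NAME,
                    samlConfig.getParameter());
        } catch (ServerException e) {
            throw new AxisFault("Error configuring STS parameters.", e);
        }
    }

    /**
     * Applies the {@code STSTimeToLive} value from carbon.xml to the SAML issuer
     * configuration. An absent or blank value keeps the issuer's default; a value that is
     * not a positive number is logged and ignored.
     */
    private static void applyConfiguredTtl(SAMLTokenIssuerConfig samlConfig) {
        String ttl = ServerConfiguration.getInstance().getFirstProperty(STS_TTL_PROPERTY);
        if (ttl == null || ttl.trim().length() == 0) {
            return;
        }
        try {
            long value = Long.parseLong(ttl.trim());
            if (value <= 0) {
                // A non-positive lifetime would make every issued token invalid on arrival.
                log.error("Ignoring non-positive STSTimeToLive in carbon.xml: " + ttl);
                return;
            }
            samlConfig.setTtl(value);
            if (log.isDebugEnabled()) {
                log.debug("STSTimeToLive read from carbon.xml " + ttl);
            }
        } catch (NumberFormatException e) {
            log.error("Error while reading STSTimeToLive from carbon.xml", e);
        }
    }

    /**
     * Reads the primary key store location from carbon.xml and reduces it to the bare
     * file name, which is what {@code SecurityConfigAdmin.applySecurity} is given.
     * Both '/' and '\' separators are handled.
     *
     * @throws IllegalStateException when the property is not configured
     */
    private static String keyStoreFileName() {
        String location = ServerConfiguration.getInstance()
                .getFirstProperty(KEYSTORE_LOCATION_PROPERTY);
        if (location == null) {
            throw new IllegalStateException(KEYSTORE_LOCATION_PROPERTY
                    + " is not configured in carbon.xml");
        }
        int separator = Math.max(location.lastIndexOf('/'), location.lastIndexOf('\\'));
        return location.substring(separator + 1);
    }

    /**
     * Maps an identity STS service to the Carbon security scenario it receives on first
     * start-up, or {@code null} when the name is not an identity STS service.
     */
    private static String scenarioFor(String serviceName) {
        if (IdentityConstants.SERVICE_NAME_STS_UT.equals(serviceName)
                || IdentityConstants.OpenId.SERVICE_NAME_STS_OPENID.equals(serviceName)) {
            return SCENARIO_19;
        }
        return contains(SECURED_STS_SERVICES, serviceName) ? SCENARIO_18 : null;
    }

    /** Linear membership test; the arrays used here hold at most six names. */
    private static boolean contains(String[] names, String candidate) {
        for (String name : names) {
            if (name.equals(candidate)) {
                return true;
            }
        }
        return false;
    }
}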