in plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/FederationProcessorImpl.java [122:238]
protected FedizResponse processSignInRequest(FedizRequest request, FedizContext config) throws ProcessingException {
Element el;
try {
final Document doc = DOMUtils.readXml(new StringReader(request.getResponseToken()));
el = doc.getDocumentElement();
} catch (Exception e) {
LOG.warn("Failed to parse wresult: " + e.getMessage(), e);
throw new ProcessingException(TYPE.INVALID_REQUEST);
}
if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) {
el = DOMUtils.getFirstElement(el);
}
if (el == null || !"RequestSecurityTokenResponse".equals(el.getLocalName())) {
LOG.warn("Unexpected root element of wresult: '" + (el == null ? "null" : el.getLocalName()) + "'");
throw new ProcessingException(TYPE.INVALID_REQUEST);
}
Element rst = null;
Element lifetimeElem = null;
String tt = null;
for (el = DOMUtils.getFirstElement(el); el != null; el = DOMUtils.getNextElement(el)) {
String ln = el.getLocalName();
if (FederationConstants.WS_TRUST_13_NS.equals(el.getNamespaceURI())
|| FederationConstants.WS_TRUST_2005_02_NS.equals(el.getNamespaceURI())) {
if ("Lifetime".equals(ln)) {
lifetimeElem = el;
} else if ("RequestedSecurityToken".equals(ln)) {
rst = DOMUtils.getFirstElement(el);
} else if ("TokenType".equals(ln)) {
tt = DOMUtils.getContent(el);
}
}
}
if (LOG.isDebugEnabled()) {
if (rst != null) {
LOG.debug("RST: {}", DOM2Writer.nodeToString(rst));
}
if (lifetimeElem != null) {
LOG.debug("Lifetime: {}", DOM2Writer.nodeToString(lifetimeElem));
}
}
LOG.debug("Tokentype: {}", tt);
if (rst == null) {
LOG.warn("RequestedSecurityToken element not found in wresult");
throw new ProcessingException(TYPE.BAD_REQUEST);
}
LifeTime lifeTime = null;
if (lifetimeElem != null) {
lifeTime = processLifeTime(lifetimeElem);
Instant rightNow = Instant.now();
if (rightNow.isAfter(lifeTime.getExpires())) {
LOG.warn("RSTR Lifetime expired");
throw new ProcessingException(TYPE.TOKEN_EXPIRED);
}
DateTime currentTime = new DateTime();
DateTime validFrom = new DateTime(Date.from(lifeTime.created));
currentTime = currentTime.plusSeconds(config.getMaximumClockSkew().intValue());
if (validFrom.isAfter(currentTime)) {
LOG.debug("RSTR Lifetime not yet valid");
throw new ProcessingException(TYPE.TOKEN_INVALID);
}
}
// Check to see if RST is encrypted
if ("EncryptedData".equals(rst.getLocalName()) && WSConstants.ENC_NS.equals(rst.getNamespaceURI())) {
Element decryptedRST = decryptEncryptedRST(rst, config);
if (decryptedRST != null) {
rst = decryptedRST;
}
}
TokenValidatorResponse validatorResponse = validateToken(rst, tt, config, request.getCerts());
// Check whether token already used for signin
final Instant expires;
if (lifeTime != null && lifeTime.getExpires() != null) {
expires = lifeTime.getExpires();
} else {
expires = validatorResponse.getExpires();
}
testForReplayAttack(validatorResponse.getUniqueTokenId(), config, expires);
Instant created = validatorResponse.getCreated();
if (lifeTime != null && lifeTime.getCreated() != null) {
created = lifeTime.getCreated();
}
List<Claim> claims = validatorResponse.getClaims();
testForMandatoryClaims(config.getProtocol().getRoleURI(),
config.getProtocol().getClaimTypesRequested(),
claims);
List<ClaimsProcessor> processors = config.getClaimsProcessor();
if (processors != null) {
for (ClaimsProcessor cp : processors) {
LOG.debug("invoking ClaimsProcessor {}", cp);
claims = cp.processClaims(claims);
}
}
List<String> roles = getRoles(claims, config.getProtocol().getRoleURI());
FedizResponse fedResponse = new FedizResponse(validatorResponse.getUsername(), validatorResponse.getIssuer(),
roles, claims,
validatorResponse.getAudience(), created, expires, rst,
validatorResponse.getUniqueTokenId());
return fedResponse;
}