private STSInstanceState getSTSInstanceState(
TokenGenerationServiceInvocationState invocationState) throws ResourceException {
STSInstanceState stsInstanceState;
try {
if (AMSTSConstants.STSType.REST.equals(invocationState.getStsType())) {
stsInstanceState =
restSTSInstanceStateProvider.getSTSInstanceState(
invocationState.getStsInstanceId(), invocationState.getRealm());
} else if (AMSTSConstants.STSType.SOAP.equals(invocationState.getStsType())) {
stsInstanceState =
soapSTSInstanceStateProvider.getSTSInstanceState(
invocationState.getStsInstanceId(), invocationState.getRealm());
} else {
String message =
"Illegal STSType specified in TokenGenerationService invocation: "
+ invocationState.getStsType();
logger.error(message);
throw new BadRequestException(message);
}
} catch (TokenCreationException | STSPublishException e) {
logger.error(
"Exception caught obtaining the sts instance state necessary to generate a saml2 assertion: "
+ e,
e);
throw e;
} catch (Exception e) {
logger.error(
"Exception caught obtaining the sts instance state necessary to generate a saml2 assertion: "
+ e,
e);
throw new InternalServerErrorException(e);
}
return stsInstanceState;
}
private SSOToken validateAssertionSubjectSession(
TokenGenerationServiceInvocationState invocationState) throws ForbiddenException {
SSOToken subjectToken;
SSOTokenManager tokenManager;
try {
tokenManager = SSOTokenManager.getInstance();
subjectToken = tokenManager.createSSOToken(invocationState.getSsoTokenString());
} catch (SSOException e) {
logger.debug(
"Exception caught creating the SSO token from the token string, almost certainly "
+ "because token string does not correspond to a valid session: "
+ e);
throw new ForbiddenException(e.toString(), e);
}
if (!tokenManager.isValidToken(subjectToken)) {
throw new ForbiddenException("SSO token string does not correspond to a valid SSOToken");
}
try {
AMIdentity subjectIdentity = IdUtils.getIdentity(subjectToken);
String invocationRealm = invocationState.getRealm();
String subjectSessionRealm = DNMapper.orgNameToRealmName(subjectIdentity.getRealm());
logger.debug(
"TokenGenerationService:validateAssertionSubjectSession subjectRealm "
+ subjectSessionRealm
+ " invocation realm: "
+ invocationRealm);
if (!invocationRealm.equalsIgnoreCase(subjectSessionRealm)) {
logger.error(
"TokenGenerationService:validateAssertionSubjectSession realms do not match: Subject realm : "
+ subjectSessionRealm
+ " invocation realm: "
+ invocationRealm);
throw new ForbiddenException("SSO token subject realm does not match invocation realm");
}
} catch (SSOException | IdRepoException e) {
logger.error(
"TokenGenerationService:validateAssertionSubjectSession error while validating identity : "
+ e);
throw new ForbiddenException(e.toString(), e);
}
return subjectToken;
}
