Example 1 with TLSSessionInfo

use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.

the class CallbackHandlerTlsCert method create.

@Override
public CallbackHandler create(Message message) {
    // Only map a client certificate to credentials when the request arrived over TLS;
    // without a TLSSessionInfo there is no peer certificate to trust.
    TLSSessionInfo tlsSession = message.get(TLSSessionInfo.class);
    if (tlsSession == null) {
        return null;
    }
    // The client certificate is mapped to a user name and then to a password
    // by the configured mappers; the resulting credentials feed a JAAS-style login.
    Certificate cert = getCertificate(message);
    String name = certMapper.getUserName(cert);
    String password = nameToPasswordMapper.getPassword(name);
    return new NamePasswordCallbackHandler(name, password);
}
Also used : NamePasswordCallbackHandler(org.apache.cxf.interceptor.security.NamePasswordCallbackHandler) TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 2 with TLSSessionInfo

use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.

the class CertConstraintsInterceptor method handleMessage.

public void handleMessage(Message message) throws Fault {
    final CertConstraints certConstraints = (CertConstraints) message.getContextualProperty(CertConstraints.class.getName());
    if (certConstraints == null) {
        return;
    }
    if (isRequestor(message)) {
        // Client side: the peer certificate is not known yet, so the constraints are
        // checked later by a MessageTrustDecider once the HTTPS connection is made.
        try {
            String scheme = (String) message.get("http.scheme");
            if ("https".equals(scheme)) {
                final MessageTrustDecider orig = message.get(MessageTrustDecider.class);
                MessageTrustDecider trust = new HttpsMessageTrustDecider(certConstraints, orig);
                message.put(MessageTrustDecider.class, trust);
            } else {
                throw new UntrustedURLConnectionIOException("TLS is not in use");
            }
        } catch (UntrustedURLConnectionIOException ex) {
            throw new Fault(ex);
        }
    } else {
        try {
            TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
            // Server side: TLSSessionInfo is only present when the request arrived over TLS,
            // so a missing instance must fail closed instead of surfacing as a NullPointerException.
            if (tlsInfo == null) {
                throw new UntrustedURLConnectionIOException("TLS is not in use");
            }
            // Null or empty when the server did not request client authentication
            // or the client presented no certificate.
            final Certificate[] certs = tlsInfo.getPeerCertificates();
            if (certs == null || certs.length == 0) {
                throw new UntrustedURLConnectionIOException("No client certificates were found");
            }
            // Only the leaf certificate (certs[0]) is matched against the constraints; path
            // validation against the trust store was already done by the TLS layer.
            X509Certificate[] x509Certs = (X509Certificate[]) certs;
            if (!certConstraints.matches(x509Certs[0])) {
                throw new UntrustedURLConnectionIOException("The client certificate does not match the defined cert constraints");
            }
        } catch (UntrustedURLConnectionIOException ex) {
            throw new Fault(ex);
        }
    }
}
Also used : UntrustedURLConnectionIOException(org.apache.cxf.transport.http.UntrustedURLConnectionIOException) Fault(org.apache.cxf.interceptor.Fault) MessageTrustDecider(org.apache.cxf.transport.http.MessageTrustDecider) TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 3 with TLSSessionInfo

use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.

the class AbstractHTTPDestination method propogateSecureSession.

/**
 * Propagate in the message a TLSSessionInfo instance representative
 * of the TLS-specific information in the HTTP request.
 *
 * @param request the servlet request
 * @param message the Message
 */
private static void propogateSecureSession(HttpServletRequest request, Message message) {
    // The servlet container only sets the cipher-suite attribute for TLS connections,
    // so its presence is what decides whether a TLSSessionInfo is attached at all.
    final String cipherSuite = (String) request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
    if (cipherSuite != null) {
        // The peer certificate chain is null unless client authentication was requested
        // and the client presented a certificate; downstream consumers must handle that.
        final java.security.cert.Certificate[] certs = (java.security.cert.Certificate[]) request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
        message.put(TLSSessionInfo.class, new TLSSessionInfo(cipherSuite, null, certs));
    }
}
Also used : TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo)
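Examples 1 to 3 show the two halves of the pattern: the HTTP destination attaches a TLSSessionInfo whose peer-certificate array may be null, and interceptors later decide what to trust. The following added example (not part of CXF; written here to illustrate the pattern) is a server-side interceptor that requires a TLS client certificate and binds the request's SecurityContext to the leaf certificate's subject. It fails closed at every step, avoids the blind array cast used in Example 2, and applies an issuer allow-list on top of the path validation the TLS layer already performed. The RequireClientCertInterceptor class name, the allowedIssuers constructor parameter, the Phase.PRE_INVOKE placement and the issuer DN "CN=Example Client CA" are assumptions for this illustration.

```java
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;

/**
 * Example interceptor (not CXF code): requires a TLS client certificate and
 * binds the request to the leaf certificate's subject. No TLS, no client
 * certificate, a non-X.509 chain, an expired certificate or a disallowed
 * issuer all raise a Fault, so the request never reaches the service.
 */
public class RequireClientCertInterceptor extends AbstractPhaseInterceptor<Message> {

    // Assumption: issuer DNs in RFC 2253 form that are allowed to issue client certs.
    // This is a policy layer; the TLS handshake already validated the chain
    // against the server trust store.
    private final Set<String> allowedIssuers;

    public RequireClientCertInterceptor(Set<String> allowedIssuers) {
        super(Phase.PRE_INVOKE); // assumption: run after transport, before invocation
        this.allowedIssuers = allowedIssuers;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        X509Certificate leaf = requireClientCert(message);
        // Do not overwrite an identity established by an earlier interceptor.
        SecurityContext existing = message.get(SecurityContext.class);
        if (existing == null || existing.getUserPrincipal() == null) {
            Principal subject = leaf.getSubjectX500Principal();
            message.put(SecurityContext.class, new DefaultSecurityContext(subject, null));
        }
    }

    /** Returns the validated leaf certificate; throws a Fault otherwise, never returns null. */
    X509Certificate requireClientCert(Message message) throws Fault {
        TLSSessionInfo tls = message.get(TLSSessionInfo.class);
        if (tls == null) {
            throw new Fault(new SecurityException("TLS is not in use"));
        }
        // Null when the server did not request client auth or the client sent nothing.
        Certificate[] chain = tls.getPeerCertificates();
        if (chain == null || chain.length == 0) {
            throw new Fault(new SecurityException("No client certificate presented"));
        }
        // instanceof instead of casting the whole array: a non-X.509 chain must not
        // turn into a ClassCastException with an unhelpful stack trace.
        if (!(chain[0] instanceof X509Certificate)) {
            throw new Fault(new SecurityException("Unsupported client certificate type"));
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        try {
            leaf.checkValidity(); // notBefore/notAfter at request time
        } catch (CertificateException e) {
            throw new Fault(e);
        }
        String issuer = leaf.getIssuerX500Principal().getName();
        if (!allowedIssuers.contains(issuer)) {
            throw new Fault(new SecurityException("Client certificate issuer not allowed: " + issuer));
        }
        return leaf;
    }

    // Stand-alone check of the fail-closed paths using constructed messages.
    public static void main(String[] args) {
        RequireClientCertInterceptor in = new RequireClientCertInterceptor(Set.of("CN=Example Client CA"));
        Message plainHttp = new MessageImpl();          // no TLSSessionInfo at all
        Message tlsNoClientCert = new MessageImpl();    // TLS, but no client certificate
        tlsNoClientCert.put(TLSSessionInfo.class,
                new TLSSessionInfo("TLS_AES_128_GCM_SHA256", null, null));
        for (Message m : new Message[] {plainHttp, tlsNoClientCert}) {
            try {
                in.handleMessage(m);
                throw new AssertionError("expected a Fault");
            } catch (Fault expected) {
                System.out.println("rejected: " + expected.getMessage());
            }
        }
    }
}
```

The issuer check is deliberately a string comparison of the issuer DN and not a substitute for path validation: whether the chain actually terminates in a trusted anchor is decided by the TLS layer (the server's trust store and whether client auth is set to "want" or "need"). If the server only "wants" a client certificate, getPeerCertificates() returns null for clients that send none, which is exactly the case the interceptor must reject rather than dereference.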

Example 4 with TLSSessionInfo

use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.

the class SamlTokenInterceptor method processToken.

protected void processToken(SoapMessage message) {
    Header h = findSecurityHeader(message, false);
    if (h == null) {
        return;
    }
    Element el = (Element) h.getObject();
    Element child = DOMUtils.getFirstElement(el);
    while (child != null) {
        if ("Assertion".equals(child.getLocalName()) && (WSS4JConstants.SAML_NS.equals(child.getNamespaceURI()) || WSS4JConstants.SAML2_NS.equals(child.getNamespaceURI()))) {
            try {
                List<WSSecurityEngineResult> samlResults = processToken(child, message);
                if (samlResults != null) {
                    List<WSHandlerResult> results = CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
                    if (results == null) {
                        results = new ArrayList<>();
                        message.put(WSHandlerConstants.RECV_RESULTS, results);
                    }
                    boolean signed = false;
                    for (WSSecurityEngineResult result : samlResults) {
                        SamlAssertionWrapper wrapper = (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                        if (wrapper.isSigned()) {
                            signed = true;
                            break;
                        }
                    }
                    assertTokens(message, SPConstants.SAML_TOKEN, signed);
                    Integer key = WSConstants.ST_UNSIGNED;
                    if (signed) {
                        key = WSConstants.ST_SIGNED;
                    }
                    WSHandlerResult rResult = new WSHandlerResult(null, samlResults, Collections.singletonMap(key, samlResults));
                    results.add(0, rResult);
                    // Check version against policy
                    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
                    for (AssertionInfo ai : PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
                        SamlToken samlToken = (SamlToken) ai.getAssertion();
                        for (WSSecurityEngineResult result : samlResults) {
                            SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                            if (!checkVersion(aim, samlToken, assertionWrapper)) {
                                ai.setNotAsserted("Wrong SAML Version");
                            }
                            // The TLS client certificate (if any) is what a holder-of-key
                            // assertion must be bound to; a missing TLSSessionInfo simply
                            // means no TLS certificates are available for that check.
                            TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
                            Certificate[] tlsCerts = null;
                            if (tlsInfo != null) {
                                tlsCerts = tlsInfo.getPeerCertificates();
                            }
                            // Holder-of-key: the subject-confirmation key in the assertion must match
                            // the TLS client certificate (no signed results are passed here).
                            if (!DOMSAMLUtil.checkHolderOfKey(assertionWrapper, null, tlsCerts)) {
                                ai.setNotAsserted("Assertion fails holder-of-key requirements");
                                continue;
                            }
                            // Sender-vouches: the assertion must be vouched for by the
                            // transport-level (TLS) identity of the sender.
                            if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, null, null)) {
                                ai.setNotAsserted("Assertion fails sender-vouches requirements");
                                continue;
                            }
                        }
                    }
                    if (signed) {
                        Principal principal = (Principal) samlResults.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
                        SecurityContext sc = message.get(SecurityContext.class);
                        if (sc == null || sc.getUserPrincipal() == null) {
                            message.put(SecurityContext.class, new DefaultSecurityContext(principal, null));
                        }
                    }
                }
            } catch (WSSecurityException ex) {
                throw WSS4JUtils.createSoapFault(message, message.getVersion(), ex);
            }
        }
        child = DOMUtils.getNextElement(child);
    }
}
Also used : DefaultSecurityContext(org.apache.cxf.interceptor.security.DefaultSecurityContext) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) Element(org.w3c.dom.Element) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) WSHandlerResult(org.apache.wss4j.dom.handler.WSHandlerResult) AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap) Header(org.apache.cxf.headers.Header) SecurityContext(org.apache.cxf.security.SecurityContext) TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo) Principal(java.security.Principal) Certificate(java.security.cert.Certificate)

Example 5 with TLSSessionInfo

use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.

the class IssuedTokenPolicyValidator method validateSAMLToken.

private boolean validateSAMLToken(PolicyValidatorParameters parameters, SamlAssertionWrapper samlAssertion, Collection<AssertionInfo> ais) {
    boolean asserted = true;
    for (AssertionInfo ai : ais) {
        IssuedToken issuedToken = (IssuedToken) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(issuedToken, parameters.getAssertionInfoMap());
        if (!isTokenRequired(issuedToken, parameters.getMessage())) {
            continue;
        }
        if (samlAssertion == null) {
            asserted = false;
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
            continue;
        }
        Element template = issuedToken.getRequestSecurityTokenTemplate();
        if (template != null && !checkIssuedTokenTemplate(template, samlAssertion)) {
            asserted = false;
            ai.setNotAsserted("Error in validating the IssuedToken policy");
            continue;
        }
        Element claims = issuedToken.getClaims();
        if (claims != null) {
            String dialect = claims.getAttributeNS(null, "Dialect");
            if (claimsValidator.getDialect().equals(dialect) && !claimsValidator.validatePolicy(claims, samlAssertion)) {
                asserted = false;
                ai.setNotAsserted("Error in validating the Claims policy");
                continue;
            }
        }
        // For a holder-of-key IssuedToken the proof key may be either a TLS client
        // certificate or a key used to sign the message, so both the TLS peer
        // certificates (when present) and the signed results are passed to the check.
        TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
        Certificate[] tlsCerts = null;
        if (tlsInfo != null) {
            tlsCerts = tlsInfo.getPeerCertificates();
        }
        if (!checkHolderOfKey(samlAssertion, parameters.getSignedResults(), tlsCerts)) {
            asserted = false;
            ai.setNotAsserted("Assertion fails holder-of-key requirements");
            continue;
        }
    }
    return asserted;
}
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Aggregations

TLSSessionInfo (org.apache.cxf.security.transport.TLSSessionInfo) 13
Certificate (java.security.cert.Certificate) 7
X509Certificate (java.security.cert.X509Certificate) 5
AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo) 5
Element (org.w3c.dom.Element) 3
QName (javax.xml.namespace.QName) 2
SecurityContext (org.apache.cxf.security.SecurityContext) 2
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException) 2
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper) 2
WSSecurityEngineResult (org.apache.wss4j.dom.engine.WSSecurityEngineResult) 2
WSHandlerResult (org.apache.wss4j.dom.handler.WSHandlerResult) 2
SamlToken (org.apache.wss4j.policy.model.SamlToken) 2
Principal (java.security.Principal) 1
ArrayList (java.util.ArrayList) 1
HttpServletRequest (javax.servlet.http.HttpServletRequest) 1
SOAPException (javax.xml.soap.SOAPException) 1
SOAPMessage (javax.xml.soap.SOAPMessage) 1
XMLStreamException (javax.xml.stream.XMLStreamException) 1
SoapFault (org.apache.cxf.binding.soap.SoapFault) 1
SoapMessage (org.apache.cxf.binding.soap.SoapMessage) 1