
Example 6 with TLSSessionInfo

use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.

the class SamlTokenPolicyValidator method validatePolicies.

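/**
 * Validates each {@code sp:SamlToken} assertion against the SAML assertions
 * that were actually received and security-processed on the message.
 * <p>
 * Every assertion is marked asserted up front and then explicitly un-asserted
 * on the first failing check, so a policy failure always carries a reason.
 * Subject-confirmation checks (holder-of-key, sender-vouches) are given the
 * TLS peer certificates of the inbound connection, when any, together with
 * the signed results; the peer certificates do not depend on the individual
 * SAML result and are therefore resolved once per assertion instead of once
 * per received result.
 *
 * @param parameters the validation context: message, assertion-info map,
 *                   SAML results, signed results and SOAP body
 * @param ais        the {@code SamlToken} assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SamlToken samlToken = (SamlToken) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(samlToken, parameters.getAssertionInfoMap());

        // A token that is not required for this message is trivially
        // satisfied: assert its version-specific QName and move on.
        if (!isTokenRequired(samlToken, parameters.getMessage())) {
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(),
                new QName(samlToken.getVersion().getNamespace(), samlToken.getSamlTokenType().name()));
            continue;
        }

        // The token is required but no SAML assertion was received at all.
        if (parameters.getSamlResults().isEmpty()) {
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
            continue;
        }

        // Loop-invariant: the TLS peer certificates are a property of the
        // connection, not of the SAML result. They stay null when the message
        // did not arrive over TLS (or TLSSessionInfo carries no peer chain).
        TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
        Certificate[] tlsCerts = tlsInfo != null ? tlsInfo.getPeerCertificates() : null;

        // All of the received SAML Assertions must conform to the policy.
        // A failing check records its reason and moves to the next result;
        // nothing in this loop re-asserts the assertion, so a recorded
        // failure is final for this AssertionInfo.
        for (WSSecurityEngineResult result : parameters.getSamlResults()) {
            SamlAssertionWrapper assertionWrapper =
                (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (!checkVersion(parameters.getAssertionInfoMap(), samlToken, assertionWrapper)) {
                ai.setNotAsserted("Wrong SAML Version");
                continue;
            }
            // Holder-of-key confirmation is checked against the signed results
            // and the TLS client chain (see checkHolderOfKey for the details).
            if (!checkHolderOfKey(assertionWrapper, parameters.getSignedResults(), tlsCerts)) {
                ai.setNotAsserted("Assertion fails holder-of-key requirements");
                continue;
            }
            // Sender-vouches confirmation additionally needs the SOAP body.
            if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, parameters.getSoapBody(),
                                                parameters.getSignedResults())) {
                ai.setNotAsserted("Assertion fails sender-vouches requirements");
            }
            // No IssuerName check is performed against the received assertion.
        }
    }
}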
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) QName(javax.xml.namespace.QName) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) Certificate(java.security.cert.Certificate)

Example 7 with TLSSessionInfo

use of org.apache.cxf.security.transport.TLSSessionInfo in project tomee by apache.

the class AbstractHTTPDestination method propogateSecureSession.

/**
 * Propagates a {@link TLSSessionInfo} into the message, built from the
 * TLS-specific attributes the servlet container sets on the HTTP request.
 * <p>
 * Nothing is put on the message when the request carries no cipher-suite
 * attribute, i.e. when it did not arrive over TLS. The peer certificate
 * chain attribute is passed through as-is; it is presumably {@code null}
 * when the client presented no certificate, so consumers of the
 * {@code TLSSessionInfo} must tolerate a missing chain.
 *
 * @param request the servlet request
 * @param message the message to annotate
 */
private static void propogateSecureSession(HttpServletRequest request, Message message) {
    final Object suiteAttribute = request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
    if (suiteAttribute == null) {
        return;
    }
    final String cipherSuite = (String) suiteAttribute;
    // Only the cipher suite and the peer chain are recorded; no SSLSession
    // object is available at this point.
    final java.security.cert.Certificate[] peerChain =
        (java.security.cert.Certificate[]) request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
    message.put(TLSSessionInfo.class, new TLSSessionInfo(cipherSuite, null, peerChain));
}
Also used : TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo)

Example 8 with TLSSessionInfo

use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.

the class WSS4JInInterceptor method handleMessageInternal.

/**
 * Runs WSS4J inbound security processing over the message's
 * {@code wsse:Security} header and dispatches the results.
 * <p>
 * Builds the {@code RequestData} for this message (WSS config, callback
 * handler, actor, algorithm suites, replay caches, TLS peer certificates,
 * revocation flag), locates the security header for the configured actor,
 * hands it to the {@code WSSecurityEngine} and then checks the results
 * against the configured actions. A message without a security header is
 * still passed to {@code doResults}, so that WS-SecurityPolicy assertions
 * that need no header (such as a TransportBinding) can be asserted.
 *
 * @param msg the inbound SOAP message
 * @throws Fault wrapping any {@code WSSecurityException},
 *               {@code XMLStreamException} or {@code SOAPException} raised
 *               during processing
 */
@SuppressWarnings("deprecation")
private void handleMessageInternal(SoapMessage msg) throws Fault {
    // VALIDATE_TOKEN (default true); the flag is handed on to
    // getSecurityEngine(), getCallback() and doResults() below.
    boolean utWithCallbacks = MessageUtils.getContextualBoolean(msg, SecurityConstants.VALIDATE_TOKEN, true);
    translateProperties(msg);
    RequestData reqData = new CXFRequestData();
    // An explicit WSSConfig in the message context takes precedence over the
    // interceptor's own engine; otherwise the config is that of the engine.
    WSSConfig config = (WSSConfig) msg.getContextualProperty(WSSConfig.class.getName());
    WSSecurityEngine engine;
    if (config != null) {
        engine = new WSSecurityEngine();
        engine.setWssConfig(config);
    } else {
        engine = getSecurityEngine(utWithCallbacks);
        if (engine == null) {
            engine = new WSSecurityEngine();
        }
        config = engine.getWssConfig();
    }
    reqData.setWssConfig(config);
    reqData.setEncryptionSerializer(new StaxSerializer());
    // Add Audience Restrictions for SAML
    reqData.setAudienceRestrictions(SAMLUtils.getAudienceRestrictions(msg, true));
    SOAPMessage doc = getSOAPMessage(msg);
    boolean doDebug = LOG.isLoggable(Level.FINE);
    SoapVersion version = msg.getVersion();
    if (doDebug) {
        LOG.fine("WSS4JInInterceptor: enter handleMessage()");
    }
    /*
         * The overall try, just to have a finally at the end to perform some
         * housekeeping.
         */
    try {
        reqData.setMsgContext(msg);
        reqData.setAttachmentCallbackHandler(new AttachmentCallbackHandler(msg));
        setAlgorithmSuites(msg, reqData);
        reqData.setCallbackHandler(getCallback(reqData, utWithCallbacks));
        computeAction(msg, reqData);
        String action = getAction(msg, version);
        List<Integer> actions = WSSecurityUtil.decodeAction(action);
        // The actor comes from the interceptor options first, then from the
        // message context.
        String actor = (String) getOption(ConfigurationConstants.ACTOR);
        if (actor == null) {
            actor = (String) msg.getContextualProperty(SecurityConstants.ACTOR);
        }
        reqData.setActor(actor);
        // Configure replay caching
        configureReplayCaches(reqData, actions, msg);
        // Make the TLS peer certificates of the inbound connection available
        // to WSS4J (only set when the message arrived over TLS).
        TLSSessionInfo tlsInfo = msg.get(TLSSessionInfo.class);
        if (tlsInfo != null) {
            Certificate[] tlsCerts = tlsInfo.getPeerCertificates();
            reqData.setTlsCerts(tlsCerts);
        }
        /*
             * Get and check the Signature specific parameters first because
             * they may be used for encryption too.
             */
        doReceiverAction(actions, reqData);
        // Default XOP-include expansion to the MTOM setting, unless either
        // EXPAND_XOP_INCLUDE property was explicitly specified by the user.
        if (getString(ConfigurationConstants.EXPAND_XOP_INCLUDE_FOR_SIGNATURE, msg) == null && getString(ConfigurationConstants.EXPAND_XOP_INCLUDE, msg) == null) {
            reqData.setExpandXopInclude(AttachmentUtil.isMtomEnabled(msg));
        }
        /*get chance to check msg context enableRevocation setting
             *when use policy based ws-security where the WSHandler configuration
             *isn't available
             */
        // Revocation checking is on if either the handler configuration or the
        // ENABLE_REVOCATION message property enables it; it is never turned off here.
        boolean enableRevocation = reqData.isRevocationEnabled() || MessageUtils.isTrue(SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, msg));
        reqData.setEnableRevocation(enableRevocation);
        Element soapBody = SAAJUtils.getBody(doc);
        if (soapBody != null) {
            engine.setCallbackLookup(new CXFCallbackLookup(soapBody.getOwnerDocument(), soapBody));
        }
        // Locate the wsse:Security header for the actor; the last argument
        // distinguishes SOAP 1.2 (role) from SOAP 1.1 (actor) handling.
        Element elem = WSSecurityUtil.getSecurityHeader(doc.getSOAPHeader(), actor, version.getVersion() != 1.1);
        elem = (Element) DOMUtils.getDomElement(elem);
        // Keep a deep copy of the untouched header so the processed DOM can be
        // re-imported into the SAAJ tree afterwards.
        Node originalNode = null;
        if (elem != null) {
            originalNode = elem.cloneNode(true);
        }
        WSHandlerResult wsResult = engine.processSecurityHeader(elem, reqData);
        importNewDomToSAAJ(doc, elem, originalNode, wsResult);
        Element header = SAAJUtils.getHeader(doc);
        Element body = SAAJUtils.getBody(doc);
        header = (Element) DOMUtils.getDomElement(header);
        body = (Element) DOMUtils.getDomElement(body);
        if (!(wsResult.getResults() == null || wsResult.getResults().isEmpty())) {
            // security header found
            if (reqData.isEnableSignatureConfirmation()) {
                checkSignatureConfirmation(reqData, wsResult);
            }
            checkActions(msg, reqData, wsResult.getResults(), actions, SAAJUtils.getBody(doc));
            doResults(msg, actor, header, body, wsResult, utWithCallbacks);
        } else {
            // no security header found
            // An unsecured SOAP Fault is only tolerated on the requestor (client)
            // side; a service receiving an unsecured message still runs checkActions.
            if (doc.getSOAPPart().getEnvelope().getBody().hasFault() && isRequestor(msg)) {
                LOG.warning("The request is a SOAP Fault, but it is not secured");
                // We allow lax action matching here for backwards compatibility
                // with manually configured WSS4JInInterceptors that previously
                // allowed faults to pass through even if their actions aren't
                // a strict match against those configured.  In the WS-SP case,
                // we will want to still call doResults as it handles asserting
                // certain assertions that do not require a WS-S header such as
                // a sp:TransportBinding assertion.  In the case of WS-SP,
                // the unasserted assertions will provide confirmation that
                // security was not sufficient.
                // checkActions(msg, reqData, wsResult, actions);
                doResults(msg, actor, header, body, wsResult, utWithCallbacks);
            } else {
                checkActions(msg, reqData, wsResult.getResults(), actions, SAAJUtils.getBody(doc));
                doResults(msg, actor, header, body, wsResult, utWithCallbacks);
            }
        }
        if (SAAJUtils.getBody(doc) != null) {
            advanceBody(msg, body);
        }
        SAAJInInterceptor.replaceHeaders(doc, msg);
        if (doDebug) {
            LOG.fine("WSS4JInInterceptor: exit handleMessage()");
        }
        // Marks the message so security processing is not repeated.
        msg.put(SECURITY_PROCESSED, Boolean.TRUE);
    } catch (WSSecurityException e) {
        // Translated into a SOAP fault; the original exception is kept as the cause.
        throw WSS4JUtils.createSoapFault(msg, version, e);
    } catch (XMLStreamException e) {
        throw new SoapFault(new Message("STAX_EX", LOG), e, version.getSender());
    } catch (SOAPException e) {
        throw new SoapFault(new Message("SAAJ_EX", LOG), e, version.getSender());
    } finally {
        // Clearing the local has no effect outside this method; kept as-is.
        reqData = null;
    }
}
Also used : SoapFault(org.apache.cxf.binding.soap.SoapFault) SoapMessage(org.apache.cxf.binding.soap.SoapMessage) Message(org.apache.cxf.common.i18n.Message) SOAPMessage(javax.xml.soap.SOAPMessage) Element(org.w3c.dom.Element) Node(org.w3c.dom.Node) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SOAPMessage(javax.xml.soap.SOAPMessage) WSHandlerResult(org.apache.wss4j.dom.handler.WSHandlerResult) SoapVersion(org.apache.cxf.binding.soap.SoapVersion) XMLStreamException(javax.xml.stream.XMLStreamException) WSSConfig(org.apache.wss4j.dom.engine.WSSConfig) RequestData(org.apache.wss4j.dom.handler.RequestData) SOAPException(javax.xml.soap.SOAPException) WSSecurityEngine(org.apache.wss4j.dom.engine.WSSecurityEngine) TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo) Certificate(java.security.cert.Certificate)

Example 9 with TLSSessionInfo

use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.

the class SecuredPartsPolicyValidator method isTransportBinding.

/**
 * Decides whether the secured-parts policies of this message are governed by
 * the Transport binding.
 * <p>
 * A Symmetric or Asymmetric binding assertion always wins ({@code false}); an
 * explicit Transport binding assertion yields {@code true}. With no binding
 * assertion at all, an inbound TLS session stands in for the Transport
 * binding: the SignedParts / EncryptedParts assertions of both WS-SP
 * namespaces are asserted as satisfied and {@code true} is returned, because
 * those protections are then provided by the channel rather than by
 * message-level security. Without TLS the method returns {@code false} and
 * asserts nothing.
 *
 * @param aim     the assertion-info map of the message's effective policy
 * @param message the message being validated
 * @return {@code true} if the parts are protected at the transport level
 */
private boolean isTransportBinding(AssertionInfoMap aim, Message message) {
    // Message-level bindings take precedence over any transport indication.
    boolean messageLevelBinding =
        PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SYMMETRIC_BINDING) != null
        || PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.ASYMMETRIC_BINDING) != null;
    if (messageLevelBinding) {
        return false;
    }
    if (PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING) != null) {
        return true;
    }
    // No binding at all: treat an active TLS session as the transport binding
    // and mark the parts assertions as satisfied by the channel.
    boolean overTls = message.get(TLSSessionInfo.class) != null;
    if (overTls) {
        PolicyUtils.assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
        PolicyUtils.assertPolicy(aim, SP11Constants.ENCRYPTED_PARTS);
        PolicyUtils.assertPolicy(aim, SP12Constants.SIGNED_PARTS);
        PolicyUtils.assertPolicy(aim, SP11Constants.SIGNED_PARTS);
    }
    return overTls;
}
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo)

Example 10 with TLSSessionInfo

use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.

the class TransportBindingPolicyValidator method validatePolicies.

/**
 * Validates the {@code sp:TransportBinding} assertions on the message.
 * <p>
 * On the non-initiator (receiving) side the binding is only satisfied when
 * the message arrived over TLS; the initiator side does not make that check
 * here. The transport token is asserted as-is because it is validated by the
 * HttpsTokenInterceptorProvider, and the IncludeTimestamp requirement is
 * checked against the received results. Once at least one TransportBinding
 * assertion was seen, the SignedParts / EncryptedParts assertions of both
 * WS-SP namespaces are asserted as satisfied, since the Transport binding
 * protects the message at the channel level rather than per part.
 *
 * @param parameters the validation context: message, assertion-info map,
 *                   results and signed results
 * @param ais        the {@code TransportBinding} assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        TransportBinding binding = (TransportBinding) ai.getAssertion();
        ai.setAsserted(true);

        // A receiver must see TLS on the connection; the initiator is exempt.
        boolean isInitiator = MessageUtils.isRequestor(parameters.getMessage());
        boolean tlsInUse = parameters.getMessage().get(TLSSessionInfo.class) != null;
        if (!isInitiator && !tlsInUse) {
            ai.setNotAsserted("TLS is not enabled");
            continue;
        }

        // HttpsToken is validated by the HttpsTokenInterceptorProvider
        if (binding.getTransportToken() != null) {
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), binding.getTransportToken().getName());
        }

        // Check the IncludeTimestamp
        boolean timestampOk = validateTimestamp(binding.isIncludeTimestamp(), true,
            parameters.getResults(), parameters.getSignedResults(), parameters.getMessage());
        if (!timestampOk) {
            ai.setNotAsserted("Received Timestamp does not match the requirements");
            continue;
        }
        QName includeTimestamp = new QName(binding.getName().getNamespaceURI(), SPConstants.INCLUDE_TIMESTAMP);
        PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), includeTimestamp);
    }

    if (ais.isEmpty()) {
        return;
    }
    // We don't need to check these policies for the Transport binding
    PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP12Constants.ENCRYPTED_PARTS);
    PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP11Constants.ENCRYPTED_PARTS);
    PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP12Constants.SIGNED_PARTS);
    PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP11Constants.SIGNED_PARTS);
}
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) QName(javax.xml.namespace.QName) TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo) TransportBinding(org.apache.wss4j.policy.model.TransportBinding)
