Use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.
The class SamlTokenPolicyValidator, method validatePolicies.
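/**
 * Validates each {@code SamlToken} assertion in {@code ais} against the SAML
 * assertions that were actually received on the message.
 * <p>
 * A token that is not required for this message is asserted straight away. A
 * required token stays asserted only if at least one SAML assertion was
 * received and every received assertion has the SAML version demanded by the
 * policy and passes the holder-of-key and sender-vouches subject-confirmation
 * checks, which are evaluated against the signed results and the TLS peer
 * certificates of the transport.
 *
 * @param parameters the validation context: message, assertion info map and
 *                   the WSS4J results (SAML and signature results)
 * @param ais        the {@code SamlToken} assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SamlToken samlToken = (SamlToken) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(samlToken, parameters.getAssertionInfoMap());

        if (!isTokenRequired(samlToken, parameters.getMessage())) {
            // Nothing to verify for a token that need not be present in this message
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(),
                new QName(samlToken.getVersion().getNamespace(), samlToken.getSamlTokenType().name()));
            continue;
        }

        if (parameters.getSamlResults().isEmpty()) {
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
            continue;
        }

        // The TLS peer certificates come from the transport layer and are the same
        // for every received assertion, so resolve them once rather than per assertion.
        TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
        Certificate[] tlsCerts = tlsInfo != null ? tlsInfo.getPeerCertificates() : null;

        // All of the received SAML Assertions must conform to the policy. A failing
        // assertion marks the policy as not asserted; the remaining received
        // assertions are still checked.
        for (WSSecurityEngineResult result : parameters.getSamlResults()) {
            SamlAssertionWrapper assertionWrapper =
                (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);

            if (!checkVersion(parameters.getAssertionInfoMap(), samlToken, assertionWrapper)) {
                ai.setNotAsserted("Wrong SAML Version");
                continue;
            }

            // Holder-of-key: the assertion's subject key must be proven by the
            // message signature or by the TLS client certificate.
            if (!checkHolderOfKey(assertionWrapper, parameters.getSignedResults(), tlsCerts)) {
                ai.setNotAsserted("Assertion fails holder-of-key requirements");
                continue;
            }

            // Sender-vouches: the assertion and the body must be vouched for by a
            // trusted signer or by the TLS peer.
            if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts,
                                                 parameters.getSoapBody(), parameters.getSignedResults())) {
                ai.setNotAsserted("Assertion fails sender-vouches requirements");
                continue;
            }

            /*
            if (!checkIssuerName(samlToken, assertionWrapper)) {
                ai.setNotAsserted("Wrong IssuerName");
            }
            */
        }
    }
}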
Use of org.apache.cxf.security.transport.TLSSessionInfo in project tomee by apache.
The class AbstractHTTPDestination, method propogateSecureSession.
/**
 * Propagates a {@link TLSSessionInfo} into the message, built from the
 * TLS-specific attributes the container exposes on the HTTP request.
 * <p>
 * Nothing is stored when the cipher-suite attribute is absent; the peer
 * certificate chain attribute may itself be {@code null} and is passed
 * through as-is.
 *
 * @param request the Jetty request
 * @param message the Message
 */
private static void propogateSecureSession(HttpServletRequest request, Message message) {
    final Object suite = request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
    if (suite == null) {
        return;
    }
    final Object chain = request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
    final TLSSessionInfo sessionInfo =
        new TLSSessionInfo((String) suite, null, (java.security.cert.Certificate[]) chain);
    message.put(TLSSessionInfo.class, sessionInfo);
}
Use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.
The class WSS4JInInterceptor, method handleMessageInternal.
/**
 * Processes the WS-Security header of an inbound SOAP message with WSS4J.
 * <p>
 * Builds a {@code CXFRequestData} from the interceptor configuration and the
 * message context (actions, actor, callback handlers, replay caches, TLS peer
 * certificates, revocation setting), runs the security engine over the
 * security header, and then either checks the results against the configured
 * actions or, when no security header was present, still lets
 * {@code doResults} evaluate the policy assertions. An unsecured SOAP Fault
 * received on the requestor side is passed through with a warning only (see
 * the comment in the body).
 *
 * @param msg the inbound SOAP message
 * @throws Fault if WSS4J processing fails (translated to a SOAP fault by
 *         {@code WSS4JUtils.createSoapFault}) or if the message cannot be
 *         read as StAX/SAAJ
 */
@SuppressWarnings("deprecation")
private void handleMessageInternal(SoapMessage msg) throws Fault {
    // Whether tokens (e.g. UsernameTokens) are validated via callbacks; defaults to true
    boolean utWithCallbacks = MessageUtils.getContextualBoolean(msg, SecurityConstants.VALIDATE_TOKEN, true);
    translateProperties(msg);

    RequestData reqData = new CXFRequestData();
    // An explicitly configured WSSConfig gets a fresh engine; otherwise reuse
    // the interceptor's engine and take the config from it.
    WSSConfig config = (WSSConfig) msg.getContextualProperty(WSSConfig.class.getName());
    WSSecurityEngine engine;
    if (config != null) {
        engine = new WSSecurityEngine();
        engine.setWssConfig(config);
    } else {
        engine = getSecurityEngine(utWithCallbacks);
        if (engine == null) {
            engine = new WSSecurityEngine();
        }
        config = engine.getWssConfig();
    }
    reqData.setWssConfig(config);
    reqData.setEncryptionSerializer(new StaxSerializer());

    // Add Audience Restrictions for SAML
    reqData.setAudienceRestrictions(SAMLUtils.getAudienceRestrictions(msg, true));

    SOAPMessage doc = getSOAPMessage(msg);
    boolean doDebug = LOG.isLoggable(Level.FINE);
    SoapVersion version = msg.getVersion();
    if (doDebug) {
        LOG.fine("WSS4JInInterceptor: enter handleMessage()");
    }

    /*
     * The overall try, just to have a finally at the end to perform some
     * housekeeping.
     */
    try {
        reqData.setMsgContext(msg);
        reqData.setAttachmentCallbackHandler(new AttachmentCallbackHandler(msg));
        setAlgorithmSuites(msg, reqData);
        reqData.setCallbackHandler(getCallback(reqData, utWithCallbacks));

        // Resolve the configured WSS4J actions for this message
        computeAction(msg, reqData);
        String action = getAction(msg, version);
        List<Integer> actions = WSSecurityUtil.decodeAction(action);

        // The actor/role of the security header to process: interceptor option
        // first, then the message-level security property.
        String actor = (String) getOption(ConfigurationConstants.ACTOR);
        if (actor == null) {
            actor = (String) msg.getContextualProperty(SecurityConstants.ACTOR);
        }
        reqData.setActor(actor);

        // Configure replay caching
        configureReplayCaches(reqData, actions, msg);

        // Hand the TLS peer certificates to WSS4J; presumably used by token
        // checks that bind a token to the transport client (e.g. holder-of-key /
        // sender-vouches) — confirm against the RequestData consumers.
        TLSSessionInfo tlsInfo = msg.get(TLSSessionInfo.class);
        if (tlsInfo != null) {
            Certificate[] tlsCerts = tlsInfo.getPeerCertificates();
            reqData.setTlsCerts(tlsCerts);
        }

        /*
         * Get and check the Signature specific parameters first because
         * they may be used for encryption too.
         */
        doReceiverAction(actions, reqData);

        // Expand xop:Include elements only for MTOM-enabled messages, unless the
        // user configured the expansion properties explicitly.
        if (getString(ConfigurationConstants.EXPAND_XOP_INCLUDE_FOR_SIGNATURE, msg) == null && getString(ConfigurationConstants.EXPAND_XOP_INCLUDE, msg) == null) {
            reqData.setExpandXopInclude(AttachmentUtil.isMtomEnabled(msg));
        }

        /*
         * Get a chance to check the message context enableRevocation setting
         * when using policy-based WS-Security, where the WSHandler configuration
         * isn't available. Revocation checking is on if either source enables it.
         */
        boolean enableRevocation = reqData.isRevocationEnabled() || MessageUtils.isTrue(SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, msg));
        reqData.setEnableRevocation(enableRevocation);

        Element soapBody = SAAJUtils.getBody(doc);
        if (soapBody != null) {
            engine.setCallbackLookup(new CXFCallbackLookup(soapBody.getOwnerDocument(), soapBody));
        }

        // Locate the security header for the given actor; SOAP 1.2 uses "role" semantics
        Element elem = WSSecurityUtil.getSecurityHeader(doc.getSOAPHeader(), actor, version.getVersion() != 1.1);
        elem = (Element) DOMUtils.getDomElement(elem);

        // Snapshot of the security header before WSS4J touches it; handed to
        // importNewDomToSAAJ together with the processed element (presumably to
        // reconcile the processed DOM with the SAAJ tree — confirm).
        Node originalNode = null;
        if (elem != null) {
            originalNode = elem.cloneNode(true);
        }
        WSHandlerResult wsResult = engine.processSecurityHeader(elem, reqData);
        importNewDomToSAAJ(doc, elem, originalNode, wsResult);

        // Header and body are re-read after processing (the engine may have
        // replaced nodes, e.g. on decryption — TODO confirm)
        Element header = SAAJUtils.getHeader(doc);
        Element body = SAAJUtils.getBody(doc);
        header = (Element) DOMUtils.getDomElement(header);
        body = (Element) DOMUtils.getDomElement(body);

        if (!(wsResult.getResults() == null || wsResult.getResults().isEmpty())) {
            // security header found
            if (reqData.isEnableSignatureConfirmation()) {
                checkSignatureConfirmation(reqData, wsResult);
            }
            // Verify the performed actions match the configured ones before
            // populating the message with the results.
            checkActions(msg, reqData, wsResult.getResults(), actions, SAAJUtils.getBody(doc));
            doResults(msg, actor, header, body, wsResult, utWithCallbacks);
        } else {
            // no security header found
            if (doc.getSOAPPart().getEnvelope().getBody().hasFault() && isRequestor(msg)) {
                LOG.warning("The request is a SOAP Fault, but it is not secured");
                // We allow lax action matching here for backwards compatibility
                // with manually configured WSS4JInInterceptors that previously
                // allowed faults to pass through even if their actions aren't
                // a strict match against those configured. In the WS-SP case,
                // we will want to still call doResults as it handles asserting
                // certain assertions that do not require a WS-S header such as
                // a sp:TransportBinding assertion. In the case of WS-SP,
                // the unasserted assertions will provide confirmation that
                // security was not sufficient.
                // checkActions(msg, reqData, wsResult, actions);
                doResults(msg, actor, header, body, wsResult, utWithCallbacks);
            } else {
                // A missing header is only acceptable if no actions are required;
                // checkActions decides that with the (empty) result list.
                checkActions(msg, reqData, wsResult.getResults(), actions, SAAJUtils.getBody(doc));
                doResults(msg, actor, header, body, wsResult, utWithCallbacks);
            }
        }

        if (SAAJUtils.getBody(doc) != null) {
            advanceBody(msg, body);
        }
        SAAJInInterceptor.replaceHeaders(doc, msg);

        if (doDebug) {
            LOG.fine("WSS4JInInterceptor: exit handleMessage()");
        }
        // Marks the message so later interceptors know security has been processed
        msg.put(SECURITY_PROCESSED, Boolean.TRUE);
    } catch (WSSecurityException e) {
        throw WSS4JUtils.createSoapFault(msg, version, e);
    } catch (XMLStreamException e) {
        throw new SoapFault(new Message("STAX_EX", LOG), e, version.getSender());
    } catch (SOAPException e) {
        throw new SoapFault(new Message("SAAJ_EX", LOG), e, version.getSender());
    } finally {
        // reqData is a local, so this only releases the reference for the rest of the method
        reqData = null;
    }
}
Use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.
The class SecuredPartsPolicyValidator, method isTransportBinding.
/**
 * Decides whether the message is secured by a transport binding rather than a
 * message-level (symmetric/asymmetric) binding.
 * <p>
 * A symmetric or asymmetric binding assertion wins over everything else; a
 * transport binding assertion answers yes. With no binding assertion at all,
 * the presence of a {@link TLSSessionInfo} on the message is taken as
 * transport security, in which case the SignedParts/EncryptedParts policies
 * are asserted here because they are satisfied by TLS.
 *
 * @param aim     the assertion info map of the message's policy
 * @param message the message being validated
 * @return {@code true} for a transport binding (explicit or implied by TLS)
 */
private boolean isTransportBinding(AssertionInfoMap aim, Message message) {
    boolean messageLevelBinding =
        PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SYMMETRIC_BINDING) != null
        || PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.ASYMMETRIC_BINDING) != null;
    if (messageLevelBinding) {
        return false;
    }

    if (PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING) != null) {
        return true;
    }

    // No binding assertion at all: fall back to whether TLS was actually used
    if (message.get(TLSSessionInfo.class) == null) {
        return false;
    }

    // TLS covers signing and encryption of the parts, so these policies hold
    PolicyUtils.assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
    PolicyUtils.assertPolicy(aim, SP11Constants.ENCRYPTED_PARTS);
    PolicyUtils.assertPolicy(aim, SP12Constants.SIGNED_PARTS);
    PolicyUtils.assertPolicy(aim, SP11Constants.SIGNED_PARTS);
    return true;
}
Use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.
The class TransportBindingPolicyValidator, method validatePolicies.
/**
 * Validates each {@code TransportBinding} assertion in {@code ais}.
 * <p>
 * On the receiving side the binding is only asserted if the message arrived
 * over TLS (a {@link TLSSessionInfo} is present); the requestor side skips
 * that check. The transport token is asserted here (its HttpsToken content
 * is validated elsewhere), and the IncludeTimestamp requirement is checked
 * against the received Timestamp. When at least one binding was validated,
 * the SignedParts/EncryptedParts policies are asserted as well, since the
 * transport satisfies them.
 *
 * @param parameters the validation context: message, assertion info map and
 *                   the WSS4J results
 * @param ais        the {@code TransportBinding} assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        TransportBinding binding = (TransportBinding) ai.getAssertion();
        ai.setAsserted(true);

        // A receiver must see TLS on the wire; a requestor is not checked
        boolean receiver = !MessageUtils.isRequestor(parameters.getMessage());
        boolean tlsInUse = parameters.getMessage().get(TLSSessionInfo.class) != null;
        if (receiver && !tlsInUse) {
            ai.setNotAsserted("TLS is not enabled");
            continue;
        }

        // HttpsToken is validated by the HttpsTokenInterceptorProvider
        if (binding.getTransportToken() != null) {
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), binding.getTransportToken().getName());
        }

        // Check the IncludeTimestamp
        boolean timestampOk = validateTimestamp(binding.isIncludeTimestamp(), true,
            parameters.getResults(), parameters.getSignedResults(), parameters.getMessage());
        if (!timestampOk) {
            ai.setNotAsserted("Received Timestamp does not match the requirements");
            continue;
        }
        PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(),
            new QName(binding.getName().getNamespaceURI(), SPConstants.INCLUDE_TIMESTAMP));
    }

    // We don't need to check these policies for the Transport binding
    if (ais.isEmpty()) {
        return;
    }
    PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP12Constants.ENCRYPTED_PARTS);
    PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP11Constants.ENCRYPTED_PARTS);
    PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP12Constants.SIGNED_PARTS);
    PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP11Constants.SIGNED_PARTS);
}