
Example 11 with TLSSessionInfo

use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.

the class JAASLoginInterceptorTest method testLoginWithTlsHandler.

/**
 * Drives JAASLoginInterceptor through its TLS-certificate callback path.
 *
 * A message carrying a TLSSessionInfo whose peer chain holds one test
 * certificate is handed to the interceptor; the CallbackHandlerTlsCert is
 * configured with a CertKeyToUserNameMapper keyed on "CN" and a fixed password.
 * There is no explicit assertion: the test passes if handleMessage completes
 * without throwing.
 */
@Test
public void testLoginWithTlsHandler() {
    JAASLoginInterceptor interceptor = createTestJaasLoginInterceptor();

    CertKeyToUserNameMapper cnMapper = new CertKeyToUserNameMapper();
    cnMapper.setKey("CN");

    CallbackHandlerTlsCert certHandler = new CallbackHandlerTlsCert();
    certHandler.setFixedPassword(TestUserPasswordLoginModule.TESTPASS);
    certHandler.setCertMapper(cnMapper);
    interceptor.setCallbackHandlerProviders(
            Collections.singletonList((CallbackHandlerProvider) certHandler));

    Certificate[] peerChain = { createTestCert(TEST_SUBJECT_DN) };
    TLSSessionInfo tlsInfo = new TLSSessionInfo("", null, peerChain);
    Message msg = new MessageImpl();
    msg.put(TLSSessionInfo.class, tlsInfo);

    interceptor.handleMessage(msg);
}

Example 12 with TLSSessionInfo

use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.

the class OAuthRequestFilter method validateRequest.

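/**
 * Validates the access token presented with the current request and, on success,
 * publishes a {@link SecurityContext} and an {@link OAuthContext} on the message.
 * <p>
 * CORS requests pass through untouched. Otherwise the Authorization header is split
 * into scheme and data, the token is validated, and these checks run in order:
 * audience, issuer, scope/permission match against the request URI and HTTP verb,
 * bound client IP address, client confidentiality, resource-owner authentication
 * method, and the client-certificate thumbprint binding.
 *
 * @param m the inbound message
 * @throws RuntimeException the forbidden / not-authorized exception produced by
 *         {@code ExceptionUtils} or {@code AuthorizationUtils} when any check fails
 */
protected void validateRequest(Message m) {
    if (isCorsRequest(m)) {
        return;
    }
    // Get the scheme and its data, Bearer only is supported by default
    // WWW-Authenticate with the list of supported schemes will be sent back
    // if the scheme is not accepted
    String[] authParts = getAuthorizationParts(m);
    if (authParts.length < 2) {
        throw ExceptionUtils.toForbiddenException(null, null);
    }
    String authScheme = authParts[0];
    String authSchemeData = authParts[1];
    // Get the access token
    AccessTokenValidation accessTokenV = getAccessTokenValidation(authScheme, authSchemeData, null);
    if (!accessTokenV.isInitialValidationSuccessful()) {
        AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
    }
    // Check audiences
    String validAudience = validateAudiences(accessTokenV.getAudiences());
    // Check if token was issued by the supported issuer
    if (issuer != null && !issuer.equals(accessTokenV.getTokenIssuer())) {
        AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
    }
    // Find the scopes which match the current request
    List<OAuthPermission> permissions = accessTokenV.getTokenScopes();
    List<OAuthPermission> matchingPermissions = new ArrayList<>();
    HttpServletRequest req = getMessageContext().getHttpServletRequest();
    for (OAuthPermission perm : permissions) {
        boolean uriOK = checkRequestURI(req, perm.getUris());
        boolean verbOK = checkHttpVerb(req, perm.getHttpVerbs());
        boolean scopeOk = checkScopeProperty(perm.getPermission());
        if (uriOK && verbOK && scopeOk) {
            matchingPermissions.add(perm);
        }
    }
    // Reject when: the token carries scopes but none fits this request; every scope
    // must match and some did not; or the number of matches differs from the number
    // of configured required scopes (a count comparison, not a membership check).
    // Named booleans make the && / || grouping explicit; evaluation is unchanged.
    boolean noScopeMatches = !permissions.isEmpty() && matchingPermissions.isEmpty();
    boolean partialMatch = allPermissionsMatch && (matchingPermissions.size() != permissions.size());
    boolean requiredCountMismatch = !requiredScopes.isEmpty()
            && requiredScopes.size() != matchingPermissions.size();
    if (noScopeMatches || partialMatch || requiredCountMismatch) {
        String message = "Client has no valid permissions";
        LOG.warning(message);
        throw ExceptionUtils.toForbiddenException(null, null);
    }
    // A token bound to a client IP address may only be used from that address, so the
    // request is rejected when the peer address is unknown or differs from the bound
    // one (the previous condition was inverted and rejected the matching address).
    // NOTE(review): getRemoteAddr() is the immediate TCP peer; behind a reverse proxy
    // this may be the proxy's address rather than the client's — confirm for the deployment.
    String boundIpAddress = accessTokenV.getClientIpAddress();
    if (boundIpAddress != null) {
        String remoteAddress = req.getRemoteAddr();
        if (remoteAddress == null || !boundIpAddress.equals(remoteAddress)) {
            String message = "Client IP Address is invalid";
            LOG.warning(message);
            throw ExceptionUtils.toForbiddenException(null, null);
        }
    }
    if (blockPublicClients && !accessTokenV.isClientConfidential()) {
        String message = "Only Confidential Clients are supported";
        LOG.warning(message);
        throw ExceptionUtils.toForbiddenException(null, null);
    }
    // Optional restriction on how the resource owner authenticated when the token was issued
    if (am != null && !am.equals(accessTokenV.getTokenSubject().getAuthenticationMethod())) {
        String message = "The token has been authorized by the resource owner " + "using an unsupported authentication method";
        LOG.warning(message);
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    // Check Client Certificate Binding if any: a token carrying a certificate thumbprint
    // is only accepted over a TLS session whose root certificate has that thumbprint
    String certThumbprint = accessTokenV.getExtraProps().get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256);
    if (certThumbprint != null) {
        TLSSessionInfo tlsInfo = getTlsSessionInfo();
        X509Certificate cert = tlsInfo == null ? null : OAuthUtils.getRootTLSCertificate(tlsInfo);
        if (cert == null || !OAuthUtils.compareCertificateThumbprints(cert, certThumbprint)) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
    // Create the security context and make it available on the message
    SecurityContext sc = createSecurityContext(req, accessTokenV);
    m.put(SecurityContext.class, sc);
    // Also set the OAuthContext, carrying only the permissions that matched this request
    OAuthContext oauthContext = new OAuthContext(accessTokenV.getTokenSubject(), accessTokenV.getClientSubject(), matchingPermissions, accessTokenV.getTokenGrantType());
    oauthContext.setClientId(accessTokenV.getClientId());
    oauthContext.setClientConfidential(accessTokenV.isClientConfidential());
    oauthContext.setTokenKey(accessTokenV.getTokenKey());
    oauthContext.setTokenAudience(validAudience);
    oauthContext.setTokenIssuer(accessTokenV.getTokenIssuer());
    oauthContext.setTokenRequestParts(authParts);
    oauthContext.setTokenExtraProperties(accessTokenV.getExtraProps());
    m.setContent(OAuthContext.class, oauthContext);
}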

Example 13 with TLSSessionInfo

use of org.apache.cxf.security.transport.TLSSessionInfo in project cxf by apache.

the class CallbackHandlerTlsCert method getCertificate.

/**
 * Returns the peer's own certificate from the TLS session attached to the message.
 *
 * @param message the inbound message; must carry a {@link TLSSessionInfo}
 * @return the first certificate of the peer chain
 * @throws SecurityException if the message has no TLSSessionInfo, or the session
 *         carries no peer certificates
 */
private Certificate getCertificate(Message message) {
    TLSSessionInfo session = message.get(TLSSessionInfo.class);
    if (session == null) {
        throw new SecurityException("Not TLS connection");
    }
    Certificate[] peerChain = session.getPeerCertificates();
    boolean chainMissing = peerChain == null || peerChain.length == 0;
    if (chainMissing) {
        throw new SecurityException("No certificate found");
    }
    // RFC 5246: the sender's own certificate is always the first entry in the chain
    return peerChain[0];
}
