Search in sources :

Example 11 with ReceivedToken

use of org.apache.cxf.sts.request.ReceivedToken in project ddf by codice.

the class GuestValidatorTest method setup.

@Before
public void setup() {
    validator = new GuestValidator();
    validator.setSupportedRealm(Arrays.asList("DDF"));
    GuestAuthenticationToken guestAuthenticationToken = new GuestAuthenticationToken("DDF", "127.0.0.1");
    GuestAuthenticationToken guestAuthenticationTokenAnyRealm = new GuestAuthenticationToken("*", "127.0.0.1");
    GuestAuthenticationToken guestAuthenticationTokenIpv6 = new GuestAuthenticationToken("*", "0:0:0:0:0:0:0:1");
    GuestAuthenticationToken guestAuthenticationTokenIpv6Reachability = new GuestAuthenticationToken("*", "0:0:0:0:0:0:0:1%4");
    BinarySecurityTokenType binarySecurityTokenType = new BinarySecurityTokenType();
    binarySecurityTokenType.setValueType(GuestAuthenticationToken.GUEST_TOKEN_VALUE_TYPE);
    binarySecurityTokenType.setEncodingType(BSTAuthenticationToken.BASE64_ENCODING);
    binarySecurityTokenType.setId(GuestAuthenticationToken.BST_GUEST_LN);
    binarySecurityTokenType.setValue(guestAuthenticationToken.getEncodedCredentials());
    JAXBElement<BinarySecurityTokenType> binarySecurityTokenElement = new JAXBElement<BinarySecurityTokenType>(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "BinarySecurityToken"), BinarySecurityTokenType.class, binarySecurityTokenType);
    BinarySecurityTokenType binarySecurityTokenTypeBadToken = new BinarySecurityTokenType();
    binarySecurityTokenTypeBadToken.setValueType(GuestAuthenticationToken.GUEST_TOKEN_VALUE_TYPE);
    binarySecurityTokenTypeBadToken.setEncodingType(BSTAuthenticationToken.BASE64_ENCODING);
    binarySecurityTokenTypeBadToken.setId(GuestAuthenticationToken.BST_GUEST_LN);
    binarySecurityTokenTypeBadToken.setValue(Base64.getEncoder().encodeToString("NotGuest".getBytes()));
    JAXBElement<BinarySecurityTokenType> binarySecurityTokenElementBadToken = new JAXBElement<BinarySecurityTokenType>(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "BinarySecurityToken"), BinarySecurityTokenType.class, binarySecurityTokenTypeBadToken);
    BinarySecurityTokenType binarySecurityTokenTypeAnyRealm = new BinarySecurityTokenType();
    binarySecurityTokenTypeAnyRealm.setValueType(GuestAuthenticationToken.GUEST_TOKEN_VALUE_TYPE);
    binarySecurityTokenTypeAnyRealm.setEncodingType(BSTAuthenticationToken.BASE64_ENCODING);
    binarySecurityTokenTypeAnyRealm.setId(GuestAuthenticationToken.BST_GUEST_LN);
    binarySecurityTokenTypeAnyRealm.setValue(guestAuthenticationTokenAnyRealm.getEncodedCredentials());
    JAXBElement<BinarySecurityTokenType> binarySecurityTokenElementAnyRealm = new JAXBElement<BinarySecurityTokenType>(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "BinarySecurityToken"), BinarySecurityTokenType.class, binarySecurityTokenTypeAnyRealm);
    BinarySecurityTokenType binarySecurityTokenTypeIpv6 = new BinarySecurityTokenType();
    binarySecurityTokenTypeIpv6.setValueType(GuestAuthenticationToken.GUEST_TOKEN_VALUE_TYPE);
    binarySecurityTokenTypeIpv6.setEncodingType(BSTAuthenticationToken.BASE64_ENCODING);
    binarySecurityTokenTypeIpv6.setId(GuestAuthenticationToken.BST_GUEST_LN);
    binarySecurityTokenTypeIpv6.setValue(guestAuthenticationTokenIpv6.getEncodedCredentials());
    JAXBElement<BinarySecurityTokenType> binarySecurityTokenElementIpv6 = new JAXBElement<BinarySecurityTokenType>(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "BinarySecurityToken"), BinarySecurityTokenType.class, binarySecurityTokenTypeIpv6);
    BinarySecurityTokenType binarySecurityTokenTypeIpv6Reachability = new BinarySecurityTokenType();
    binarySecurityTokenTypeIpv6Reachability.setValueType(GuestAuthenticationToken.GUEST_TOKEN_VALUE_TYPE);
    binarySecurityTokenTypeIpv6Reachability.setEncodingType(BSTAuthenticationToken.BASE64_ENCODING);
    binarySecurityTokenTypeIpv6Reachability.setId(GuestAuthenticationToken.BST_GUEST_LN);
    binarySecurityTokenTypeIpv6Reachability.setValue(guestAuthenticationTokenIpv6Reachability.getEncodedCredentials());
    JAXBElement<BinarySecurityTokenType> binarySecurityTokenElementIpv6Reachability = new JAXBElement<BinarySecurityTokenType>(new QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "BinarySecurityToken"), BinarySecurityTokenType.class, binarySecurityTokenTypeIpv6Reachability);
    receivedToken = new ReceivedToken(binarySecurityTokenElement);
    receivedAnyRealmToken = new ReceivedToken(binarySecurityTokenElementAnyRealm);
    receivedBadToken = new ReceivedToken(binarySecurityTokenElementBadToken);
    receivedTokenIpv6 = new ReceivedToken(binarySecurityTokenElementIpv6);
    receivedTokenIpv6Reachability = new ReceivedToken(binarySecurityTokenElementIpv6Reachability);
    parameters = new TokenValidatorParameters();
    parameters.setToken(receivedToken);
}
Also used : TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) GuestAuthenticationToken(org.codice.ddf.security.handler.api.GuestAuthenticationToken) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) QName(javax.xml.namespace.QName) JAXBElement(javax.xml.bind.JAXBElement) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) Before(org.junit.Before)

Example 12 with ReceivedToken

use of org.apache.cxf.sts.request.ReceivedToken in project ddf by codice.

the class BSTDelegationHandler method isDelegationAllowed.

public TokenDelegationResponse isDelegationAllowed(TokenDelegationParameters tokenParameters) {
    TokenDelegationResponse response = new TokenDelegationResponse();
    ReceivedToken delegateTarget = tokenParameters.getToken();
    response.setToken(delegateTarget);
    Object token = delegateTarget.getToken();
    if (token instanceof BinarySecurityTokenType) {
        response.setDelegationAllowed(true);
    }
    return response;
}
Also used : BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenDelegationResponse(org.apache.cxf.sts.token.delegation.TokenDelegationResponse)

Example 13 with ReceivedToken

use of org.apache.cxf.sts.request.ReceivedToken in project ddf by codice.

the class TestBSTDelegationHandler method testDelegationNotAllowed.

@Test
public void testDelegationNotAllowed() {
    UsernameTokenType binarySecurityTokenType = new UsernameTokenType();
    ReceivedToken receivedToken = mock(ReceivedToken.class);
    when(receivedToken.getToken()).thenReturn(binarySecurityTokenType);
    TokenDelegationParameters tokenDelegationParameters = mock(TokenDelegationParameters.class);
    when(tokenDelegationParameters.getToken()).thenReturn(receivedToken);
    BSTDelegationHandler bstDelegationHandler = new BSTDelegationHandler();
    TokenDelegationResponse response = bstDelegationHandler.isDelegationAllowed(tokenDelegationParameters);
    assertEquals(false, response.isDelegationAllowed());
}
Also used : TokenDelegationParameters(org.apache.cxf.sts.token.delegation.TokenDelegationParameters) UsernameTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenDelegationResponse(org.apache.cxf.sts.token.delegation.TokenDelegationResponse) Test(org.junit.Test)

Example 14 with ReceivedToken

use of org.apache.cxf.sts.request.ReceivedToken in project ddf by codice.

the class UPBSTValidatorTest method testNoParser.

@Test(expected = IllegalStateException.class)
public void testNoParser() {
    UPBSTValidator upbstValidator = getUpbstValidator(null, meanValidator);
    upbstValidator.addRealm(null);
    TokenValidatorParameters tokenParameters = new TokenValidatorParameters();
    tokenParameters.setTokenStore(new TokenStore() {

        @Override
        public void add(SecurityToken token) {
        }

        @Override
        public void add(String identifier, SecurityToken token) {
        }

        @Override
        public void remove(String identifier) {
        }

        @Override
        public Collection<String> getTokenIdentifiers() {
            return null;
        }

        @Override
        public SecurityToken getToken(String identifier) {
            SecurityToken securityToken = new SecurityToken();
            securityToken.setTokenHash(584149325);
            return securityToken;
        }
    });
    ReceivedToken validateTarget = new ReceivedToken(upbstToken);
    tokenParameters.setToken(validateTarget);
    tokenParameters.setStsProperties(stsPropertiesMBean);
    upbstValidator.validateToken(tokenParameters);
}
Also used : TokenValidatorParameters(org.apache.cxf.sts.token.validator.TokenValidatorParameters) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) Collection(java.util.Collection) Matchers.anyString(org.mockito.Matchers.anyString) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) TokenStore(org.apache.cxf.ws.security.tokenstore.TokenStore) Test(org.junit.Test)

Example 15 with ReceivedToken

use of org.apache.cxf.sts.request.ReceivedToken in project ddf by codice.

the class UsernameTokenValidator method validateToken.

/**
     * Validate a Token using the given TokenValidatorParameters.
     */
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    LOGGER.debug("Validating UsernameToken");
    if (parser == null) {
        throw new IllegalStateException("XMLParser must be configured.");
    }
    if (failedLoginDelayer == null) {
        throw new IllegalStateException("Failed Login Delayer must be configured");
    }
    STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
    Crypto sigCrypto = stsProperties.getSignatureCrypto();
    CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
    RequestData requestData = new RequestData();
    requestData.setSigVerCrypto(sigCrypto);
    WSSConfig wssConfig = WSSConfig.getNewInstance();
    requestData.setWssConfig(wssConfig);
    requestData.setCallbackHandler(callbackHandler);
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    validateTarget.setState(ReceivedToken.STATE.INVALID);
    response.setToken(validateTarget);
    if (!validateTarget.isUsernameToken()) {
        return response;
    }
    //
    // Turn the JAXB UsernameTokenType into a DOM Element for validation
    //
    UsernameTokenType usernameTokenType = (UsernameTokenType) validateTarget.getToken();
    JAXBElement<UsernameTokenType> tokenType = new JAXBElement<>(QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameTokenType);
    Document doc = DOMUtils.createDocument();
    Element rootElement = doc.createElement("root-element");
    List<String> ctxPath = new ArrayList<>(1);
    ctxPath.add(UsernameTokenType.class.getPackage().getName());
    Element usernameTokenElement = null;
    ParserConfigurator configurator = parser.configureParser(ctxPath, UsernameTokenValidator.class.getClassLoader());
    try {
        parser.marshal(configurator, tokenType, rootElement);
        usernameTokenElement = (Element) rootElement.getFirstChild();
    } catch (ParserException ex) {
        LOGGER.info("Unable to parse username token", ex);
        return response;
    }
    //
    try {
        boolean allowNamespaceQualifiedPasswordTypes = requestData.isAllowNamespaceQualifiedPasswordTypes();
        UsernameToken ut = new UsernameToken(usernameTokenElement, allowNamespaceQualifiedPasswordTypes, new BSPEnforcer());
        // The parsed principal is set independent whether validation is successful or not
        response.setPrincipal(new CustomTokenPrincipal(ut.getName()));
        if (ut.getPassword() == null) {
            failedLoginDelayer.delay(ut.getName());
            return response;
        }
        Credential credential = new Credential();
        credential.setUsernametoken(ut);
        //Only this section is new, the rest is copied from the apache class
        Set<Map.Entry<String, Validator>> entries = validators.entrySet();
        for (Map.Entry<String, Validator> entry : entries) {
            try {
                entry.getValue().validate(credential, requestData);
                validateTarget.setState(ReceivedToken.STATE.VALID);
                break;
            } catch (WSSecurityException ex) {
                LOGGER.debug("Unable to validate user against {}" + entry.getKey(), ex);
            }
        }
        if (ReceivedToken.STATE.INVALID.equals(validateTarget.getState())) {
            failedLoginDelayer.delay(ut.getName());
            return response;
        }
        //end new section
        Principal principal = createPrincipal(ut.getName(), ut.getPassword(), ut.getPasswordType(), ut.getNonce(), ut.getCreated());
        response.setPrincipal(principal);
        response.setTokenRealm(null);
        validateTarget.setState(ReceivedToken.STATE.VALID);
        validateTarget.setPrincipal(principal);
    } catch (WSSecurityException ex) {
        LOGGER.debug("Unable to validate token.", ex);
    }
    return response;
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) JAXBElement(javax.xml.bind.JAXBElement) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) UsernameToken(org.apache.wss4j.dom.message.token.UsernameToken) Document(org.w3c.dom.Document) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) WSSConfig(org.apache.wss4j.dom.engine.WSSConfig) JAASUsernameTokenValidator(org.apache.wss4j.dom.validate.JAASUsernameTokenValidator) RequestData(org.apache.wss4j.dom.handler.RequestData) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) ParserException(org.codice.ddf.parser.ParserException) Credential(org.apache.wss4j.dom.validate.Credential) UsernameTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType) BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) JAXBElement(javax.xml.bind.JAXBElement) ParserConfigurator(org.codice.ddf.parser.ParserConfigurator) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) Validator(org.apache.wss4j.dom.validate.Validator) JAASUsernameTokenValidator(org.apache.wss4j.dom.validate.JAASUsernameTokenValidator) TokenValidator(org.apache.cxf.sts.token.validator.TokenValidator) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) Principal(java.security.Principal)

Aggregations

ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)41 Test (org.junit.Test)25 TokenValidatorResponse (org.apache.cxf.sts.token.validator.TokenValidatorResponse)23 BinarySecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType)21 TokenValidatorParameters (org.apache.cxf.sts.token.validator.TokenValidatorParameters)20 STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)18 Crypto (org.apache.wss4j.common.crypto.Crypto)15 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)10 RequestData (org.apache.wss4j.dom.handler.RequestData)10 Credential (org.apache.wss4j.dom.validate.Credential)9 XmlParser (org.codice.ddf.parser.xml.XmlParser)9 X500Principal (javax.security.auth.x500.X500Principal)8 JAASUsernameTokenValidator (org.apache.wss4j.dom.validate.JAASUsernameTokenValidator)7 PKIAuthenticationToken (org.codice.ddf.security.handler.api.PKIAuthenticationToken)7 X509Certificate (java.security.cert.X509Certificate)6 PKIAuthenticationTokenFactory (org.codice.ddf.security.handler.api.PKIAuthenticationTokenFactory)6 HashSet (java.util.HashSet)5 CallbackHandler (javax.security.auth.callback.CallbackHandler)5 JAXBContext (javax.xml.bind.JAXBContext)5 JAXBException (javax.xml.bind.JAXBException)5