Example 1 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project OpenAM by OpenRock.

the class OpenAMSessionTokenClientInterceptor method assertTokens.

/**
 * Called to assert the relevant tokens. Asserting tokens means asserting that the corresponding policy has been
 * satisfied. This method is called inbound on the client side. This method will assert that the OpenAMSessionAssertion
 * has been satisfied, and also the SupportingToken policy (the OpenAMSessionToken policy always defines a SupportingToken),
 * and, if TLS is being used in the invocation, that the TransportPolicy has also been satisfied, as the OpenAMSessionToken
 * SecurityPolicy binding is always deployed as part of an unprotected binding (i.e. a 'bare' OpenAMSessionToken), or
 * as part of the Transport binding. Note that a TransportToken is the token manifestation of a TransportPolicy binding,
 * so asserting the TransportToken will assert the TransportPolicy.
 * @param message The SoapMessage defining the invocation.
 * @return The OpenAMSessionAssertion corresponding to the OpenAMSessionToken SecurityPolicy element protecting
 * soap-sts instances.
 */
@Override
protected Token assertTokens(SoapMessage message) {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    Collection<AssertionInfo> ais = aim.getAssertionInfo(AMSTSConstants.AM_SESSION_TOKEN_ASSERTION_QNAME);
    Token token = null;
    for (AssertionInfo ai : ais) {
        token = (Token) ai.getAssertion();
        ai.setAsserted(true);
    }
    ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
    for (AssertionInfo ai : ais) {
        ai.setAsserted(true);
    }
    /*
     * On the server-side, isTLSinUse is used to determine a tls invocation. On the client side, pulling the
     * "http.scheme" and comparing it to https seems to be the approved approach:
     * @see org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider
     */
    if (isTLSInUse(message)) {
        /*
         * if TLS is in use, then the tokens are signed by TLS. So instead of having the transport binding reference
         * a SupportingToken element, a SignedSupportingToken could be specified.
         */
        ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
        /*
         * this should be asserted by the cxf TransportBindingHandler or TransportBinding or TransportToken, but
         * it is not, resulting in the following messages, logged as FINE:
         * An exception was thrown when verifying that the effective policy for this request was satisfied.
         * However, this exception will not result in a fault.  The exception raised is: org.apache.cxf.ws.policy.PolicyException:
         * These policy alternatives can not be satisfied:{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
         * Asserting the TRANSPORT_TOKEN makes this message go away. I know that the OpenAMSessionToken will be deployed in
         * either a 'bare' SecurityPolicy binding, or under the Transport binding, so if TLS is in use, the TRANSPORT_TOKEN
         * can be asserted.
         */
        ais = aim.getAssertionInfo(SP12Constants.TRANSPORT_TOKEN);
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
    }
    return token;
}
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) Token(org.apache.cxf.ws.security.policy.model.Token) AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)

Example 2 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project OpenAM by OpenRock.

the class OpenAMSessionTokenServerInterceptor method assertTokens.

/**
 * Called to assert the relevant tokens. Asserting tokens means asserting that the corresponding policy has been
 * satisfied. This method is called outbound on the server-side, and inbound on the client side. It is also called from
 * processTokenAbove, following successful token validation. This method will assert that the OpenAMSessionAssertion
 * has been satisfied, and also the SupportingToken policy (the OpenAMSessionToken policy always defines a SupportingToken),
 * and, if TLS is being used in the invocation, that the TransportPolicy has also been satisfied, as the OpenAMSessionToken
 * SecurityPolicy binding is always deployed as part of an unprotected binding (i.e. a 'bare' OpenAMSessionToken), or
 * as part of the Transport binding. Note that a TransportToken is the token manifestation of a TransportPolicy binding,
 * so asserting the TransportToken will assert the TransportPolicy.
 * @param message The SoapMessage defining the invocation.
 * @return The OpenAMSessionAssertion corresponding to the OpenAMSessionToken SecurityPolicy element protecting
 * soap-sts instances.
 */
@Override
protected Token assertTokens(SoapMessage message) {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    Collection<AssertionInfo> ais = aim.getAssertionInfo(AMSTSConstants.AM_SESSION_TOKEN_ASSERTION_QNAME);
    Token token = null;
    for (AssertionInfo ai : ais) {
        token = (Token) ai.getAssertion();
        ai.setAsserted(true);
    }
    ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
    for (AssertionInfo ai : ais) {
        ai.setAsserted(true);
    }
    if (isTLSInUse(message)) {
        /*
         * if TLS is in use, then the tokens are signed by TLS. So instead of having the transport binding reference
         * a SupportingToken element, a SignedSupportingToken could be specified.
         */
        ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
        /*
         * this should be asserted by the cxf TransportBindingHandler or TransportBinding or TransportToken, but
         * it is not, resulting in the following messages, logged as FINE:
         * An exception was thrown when verifying that the effective policy for this request was satisfied.
         * However, this exception will not result in a fault.  The exception raised is: org.apache.cxf.ws.policy.PolicyException:
         * These policy alternatives can not be satisfied:{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
         * Asserting the TRANSPORT_TOKEN makes this message go away. I know that the OpenAMSessionToken will be deployed in
         * either a 'bare' SecurityPolicy binding, or under the Transport binding, so if TLS is in use, the TRANSPORT_TOKEN
         * can be asserted.
         * Note that this message is a bug - see
         * http://cxf.547215.n5.nabble.com/Custom-SecurityPolicy-Assertions-and-the-Symmetric-binding-td5754879.html#a5755303
         * for details. I will continue to assert the TRANSPORT_TOKEN to prevent these messages.
         */
        ais = aim.getAssertionInfo(SP12Constants.TRANSPORT_TOKEN);
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
    }
    return token;
}
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) Token(org.apache.cxf.ws.security.policy.model.Token) AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)

Example 3 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project tdi-studio-se by Talend.

the class XRMAuthPolicyInterceptor method handleMessage.

public void handleMessage(SoapMessage message) throws Fault {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    if (null == aim) {
        return;
    }
    QName qname = new QName("http://schemas.microsoft.com/xrm/2011/Contracts/Services", "AuthenticationPolicy", "ms-xrm");
    Collection<AssertionInfo> ais = aim.get(qname);
    if (null == ais || ais.size() == 0) {
        return;
    }
    for (AssertionInfo ai : ais) {
        ai.setAsserted(true);
    }
}
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) QName(javax.xml.namespace.QName) AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)

Example 4 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project tesb-rt-se by Talend.

the class UTValidator method validate.

public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    // Delegate to the parent validator first; it throws WSSecurityException if the token is invalid.
    Credential validatedCredential = super.validate(credential, data);
    // Assert the IssuedToken policy so that CXF's policy verification treats it as satisfied.
    SoapMessage message = (SoapMessage) data.getMsgContext();
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    if (aim == null) {
        // No policy is attached to this message, so there is nothing to assert.
        return validatedCredential;
    }
    // AssertionInfoMap is a Map keyed by QName; get() returns null when the policy has no such assertion.
    Collection<AssertionInfo> ais = aim.get(SP12Constants.ISSUED_TOKEN);
    if (ais != null) {
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
    }
    return validatedCredential;
}
Also used : Credential(org.apache.wss4j.dom.validate.Credential) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SoapMessage(org.apache.cxf.binding.soap.SoapMessage) AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)

Example 5 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project tesb-rt-se by Talend.

the class AbstractTransformationPolicyInterceptor method handleMessage.

@Override
public void handleMessage(Message message) {
    AssertionInfo ai = null;
    try {
        ai = TransformationPolicyBuilder.getAssertion(message);
    } catch (Exception e) {
        throw new Fault(e);
    }
    TransformationAssertion tas;
    if (ai == null || !(ai.getAssertion() instanceof TransformationAssertion)) {
        if (featureAssertion != null) {
            tas = featureAssertion;
        } else {
            confirmPolicyProcessing(message);
            return;
        }
    } else {
        tas = (TransformationAssertion) ai.getAssertion();
    }
    TransformationType transformationType = tas.getTransformationType();
    if (transformationType == TransformationType.xslt) {
        proceedXSLT(message, tas);
    } else if (transformationType == TransformationType.simple) {
        proceedSimple(message, tas);
    }
    confirmPolicyProcessing(message);
}
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) Fault(org.apache.cxf.interceptor.Fault)
