use of org.apache.cxf.ws.policy.AssertionInfo in project OpenAM by OpenRock.
the class OpenAMSessionTokenClientInterceptor method assertTokens.
    /**
     * Called to assert the relevant tokens. Asserting tokens means asserting that the corresponding policy has been
     * satisfied. This method is called inbound on the client side. This method will assert that the OpenAMSessionAssertion
     * has been satisfied, and also the SupportingToken policy (the OpenAMSessionToken policy always defines a SupportingToken),
     * and, if TLS is being used in the invocation, that the TransportPolicy has also been satisfied, as the OpenAMSessionToken
     * SecurityPolicy binding is always deployed as part of an unprotected binding (i.e. a 'bare' OpenAMSessionToken), or
     * as part of the Transport binding. Note that a TransportToken is the token manifestation of a TransportPolicy binding,
     * so asserting the TransportToken will assert the TransportPolicy.
     * @param message The SoapMessage defining the invocation.
     * @return The OpenAMSessionAssertion corresponding to the OpenAMSessionToken SecurityPolicy element protecting
     * soap-sts instances.
     */
    @Override
    protected Token assertTokens(SoapMessage message) {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        Collection<AssertionInfo> ais = aim.getAssertionInfo(AMSTSConstants.AM_SESSION_TOKEN_ASSERTION_QNAME);
        Token token = null;
        for (AssertionInfo ai : ais) {
            token = (Token) ai.getAssertion();
            ai.setAsserted(true);
        }
        ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
        /*
         On the server side, isTLSInUse is used to determine a TLS invocation. On the client side, pulling the
         "http.scheme" and comparing it to https seems to be the approved approach:
         @see org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider
         */
        if (isTLSInUse(message)) {
            /*
             If TLS is in use, then the tokens are signed by TLS. So instead of having the transport binding reference
             a SupportingToken element, a SignedSupportingToken could be specified.
             */
            ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
            /*
             This should be asserted by the cxf TransportBindingHandler or TransportBinding or TransportToken, but
             it is not, resulting in the following messages, logged as FINE:
             An exception was thrown when verifying that the effective policy for this request was satisfied.
             However, this exception will not result in a fault. The exception raised is: org.apache.cxf.ws.policy.PolicyException:
             These policy alternatives can not be satisfied:{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
             Asserting the TRANSPORT_TOKEN makes this message go away. I know that the OpenAMSessionToken will be deployed in
             either a 'bare' SecurityPolicy binding, or under the Transport binding, so if TLS is in use, the TRANSPORT_TOKEN
             can be asserted.
             */
            ais = aim.getAssertionInfo(SP12Constants.TRANSPORT_TOKEN);
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
        }
        return token;
    }
use of org.apache.cxf.ws.policy.AssertionInfo in project OpenAM by OpenRock.
the class OpenAMSessionTokenServerInterceptor method assertTokens.
    /**
     * Called to assert the relevant tokens. Asserting tokens means asserting that the corresponding policy has been
     * satisfied. This method is called outbound on the server side, and inbound on the client side. It is also called from
     * processTokenAbove, following successful token validation. This method will assert that the OpenAMSessionAssertion
     * has been satisfied, and also the SupportingToken policy (the OpenAMSessionToken policy always defines a SupportingToken),
     * and, if TLS is being used in the invocation, that the TransportPolicy has also been satisfied, as the OpenAMSessionToken
     * SecurityPolicy binding is always deployed as part of an unprotected binding (i.e. a 'bare' OpenAMSessionToken), or
     * as part of the Transport binding. Note that a TransportToken is the token manifestation of a TransportPolicy binding,
     * so asserting the TransportToken will assert the TransportPolicy.
     * @param message The SoapMessage defining the invocation.
     * @return The OpenAMSessionAssertion corresponding to the OpenAMSessionToken SecurityPolicy element protecting
     * soap-sts instances.
     */
    @Override
    protected Token assertTokens(SoapMessage message) {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        Collection<AssertionInfo> ais = aim.getAssertionInfo(AMSTSConstants.AM_SESSION_TOKEN_ASSERTION_QNAME);
        Token token = null;
        for (AssertionInfo ai : ais) {
            token = (Token) ai.getAssertion();
            ai.setAsserted(true);
        }
        ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
        if (isTLSInUse(message)) {
            /*
             If TLS is in use, then the tokens are signed by TLS. So instead of having the transport binding reference
             a SupportingToken element, a SignedSupportingToken could be specified.
             */
            ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
            /*
             This should be asserted by the cxf TransportBindingHandler or TransportBinding or TransportToken, but
             it is not, resulting in the following messages, logged as FINE:
             An exception was thrown when verifying that the effective policy for this request was satisfied.
             However, this exception will not result in a fault. The exception raised is: org.apache.cxf.ws.policy.PolicyException:
             These policy alternatives can not be satisfied:{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
             Asserting the TRANSPORT_TOKEN makes this message go away. I know that the OpenAMSessionToken will be deployed in
             either a 'bare' SecurityPolicy binding, or under the Transport binding, so if TLS is in use, the TRANSPORT_TOKEN
             can be asserted.
             Note that this message is a bug - see
             http://cxf.547215.n5.nabble.com/Custom-SecurityPolicy-Assertions-and-the-Symmetric-binding-td5754879.html#a5755303
             for details. I will continue to assert the TRANSPORT_TOKEN to prevent these messages.
             */
            ais = aim.getAssertionInfo(SP12Constants.TRANSPORT_TOKEN);
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
        }
        return token;
    }
use of org.apache.cxf.ws.policy.AssertionInfo in project tdi-studio-se by Talend.
the class XRMAuthPolicyInterceptor method handleMessage.
    public void handleMessage(SoapMessage message) throws Fault {
        // No effective policy attached to this message: nothing to assert.
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        if (null == aim) {
            return;
        }
        // The Dynamics CRM / XRM custom policy assertion; aim.get(...) returns null when absent.
        QName qname = new QName("http://schemas.microsoft.com/xrm/2011/Contracts/Services", "AuthenticationPolicy", "ms-xrm");
        Collection<AssertionInfo> ais = aim.get(qname);
        if (null == ais || ais.size() == 0) {
            return;
        }
        // Mark every occurrence of the assertion as satisfied so policy verification passes.
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
    }
use of org.apache.cxf.ws.policy.AssertionInfo in project tesb-rt-se by Talend.
the class UTValidator method validate.
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        // Delegate credential validation to the superclass validator; it throws
        // WSSecurityException on failure, so nothing below runs for a rejected token.
        Credential validatedCredential = super.validate(credential, data);
        // Assert the IssuedToken policy: the successfully validated credential is treated
        // as satisfying the IssuedToken element of the effective policy.
        SoapMessage message = (SoapMessage) data.getMsgContext();
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        if (aim != null) {
            // aim.get(...) returns null when the policy has no IssuedToken element.
            Collection<AssertionInfo> ais = aim.get(SP12Constants.ISSUED_TOKEN);
            if (ais != null) {
                for (AssertionInfo ai : ais) {
                    ai.setAsserted(true);
                }
            }
        }
        return validatedCredential;
    }
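The snippets above all mark an assertion satisfied with ai.setAsserted(true). The security-relevant detail is that CXF's policy verification only checks the asserted flag: whatever condition the interceptor uses before calling setAsserted is the entire enforcement of that policy element. The OpenAM code ties TransportToken to isTLSInUse, while the XRM and UTValidator snippets assert unconditionally once reached. The following interceptor is an added example, not code from OpenAM, Talend or CXF, showing the conditional form: the custom token assertion is asserted only when the header the policy demands is present, and TransportToken only when the message actually travelled over TLS. The QNames ExampleSessionToken and SessionToken and the urn:example namespaces are hypothetical placeholders; the TransportToken QName is the standard WS-SecurityPolicy 1.2 element spelled out directly, so the example does not depend on which package SP12Constants lives in for a given CXF release.

```java
import javax.xml.namespace.QName;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;

/**
 * Illustrative interceptor (not project code): asserts a custom token policy only
 * after checking that the header the policy requires is actually present, and
 * asserts TransportToken only when the invocation really used TLS.
 */
public class ConditionalTokenAssertionInterceptor extends AbstractSoapInterceptor {

    // Hypothetical custom assertion and the SOAP header it demands (placeholders).
    static final QName CUSTOM_TOKEN_ASSERTION =
        new QName("urn:example:policy", "ExampleSessionToken");
    static final QName CUSTOM_TOKEN_HEADER =
        new QName("urn:example:token", "SessionToken");

    // Standard WS-SecurityPolicy 1.2 TransportToken element (the namespace quoted
    // in the CXF PolicyException message on this page).
    static final String SP12_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
    static final QName TRANSPORT_TOKEN = new QName(SP12_NS, "TransportToken");

    public ConditionalTokenAssertionInterceptor() {
        super(Phase.PRE_PROTOCOL);
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        if (aim == null) {
            return; // no effective policy attached to this message: nothing to assert
        }

        // getAssertionInfo returns an empty collection for an absent QName (unlike get(),
        // which returns null), so these loops are safe when the element is not in the policy.
        boolean tokenPresent = message.getHeader(CUSTOM_TOKEN_HEADER) != null;
        for (AssertionInfo ai : aim.getAssertionInfo(CUSTOM_TOKEN_ASSERTION)) {
            if (tokenPresent) {
                ai.setAsserted(true);
            } else {
                // Leave the alternative unsatisfied and record why; policy verification
                // then fails this element instead of silently passing.
                ai.setNotAsserted("required " + CUSTOM_TOKEN_HEADER + " header is missing");
            }
        }

        // Assert TransportToken only over TLS. Over plain HTTP it stays unasserted on
        // purpose: a policy carrying a Transport binding must then fail verification.
        if (isTlsInUse(message)) {
            for (AssertionInfo ai : aim.getAssertionInfo(TRANSPORT_TOKEN)) {
                ai.setAsserted(true);
            }
        }
    }

    /**
     * Server side: CXF attaches TLSSessionInfo to an inbound message that arrived over
     * TLS. Client side there is no TLSSessionInfo, so fall back to the "http.scheme"
     * message property set by the HTTP transport, as the CXF HttpsToken interceptors do.
     */
    static boolean isTlsInUse(SoapMessage message) {
        if (message.get(TLSSessionInfo.class) != null) {
            return true;
        }
        return "https".equals(message.get("http.scheme"));
    }
}
```

Register the interceptor on the endpoint's in-interceptor chain alongside the WS-Security interceptors; because it runs in PRE_PROTOCOL it sees the AssertionInfoMap that the policy engine attached and the SOAP headers already parsed, and the standard PolicyVerificationInInterceptor later in the chain decides, from the asserted flags alone, whether the request is accepted.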
use of org.apache.cxf.ws.policy.AssertionInfo in project tesb-rt-se by Talend.
the class AbstractTransformationPolicyInterceptor method handleMessage.
    @Override
    public void handleMessage(Message message) {
        // Look up the transformation assertion attached to this message, if any.
        AssertionInfo ai = null;
        try {
            ai = TransformationPolicyBuilder.getAssertion(message);
        } catch (Exception e) {
            throw new Fault(e);
        }
        TransformationAssertion tas;
        if ((ai == null || !(ai.getAssertion() instanceof TransformationAssertion))) {
            // No policy assertion on the message: fall back to the feature-configured one.
            if (featureAssertion != null) {
                tas = featureAssertion;
            } else {
                confirmPolicyProcessing(message);
                return;
            }
        } else {
            tas = (TransformationAssertion) ai.getAssertion();
        }
        TransformationType transformationType = tas.getTransformationType();
        if (transformationType == TransformationType.xslt) {
            proceedXSLT(message, tas);
        } else if (transformationType == TransformationType.simple) {
            proceedSimple(message, tas);
        }
        confirmPolicyProcessing(message);
    }