Search in sources :

Example 86 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class AsymmetricBindingPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    boolean hasDerivedKeys = parameters.getResults().getActionResults().containsKey(WSConstants.DKT);
    for (AssertionInfo ai : ais) {
        AsymmetricBinding binding = (AsymmetricBinding) ai.getAssertion();
        ai.setAsserted(true);
        // Check the protection order
        if (!checkProtectionOrder(binding, parameters.getAssertionInfoMap(), ai, parameters.getResults().getResults())) {
            continue;
        }
        // Check various properties of the binding
        if (!checkProperties(binding, ai, parameters.getAssertionInfoMap(), parameters.getResults(), parameters.getSignedResults(), parameters.getMessage())) {
            continue;
        }
        // Check various tokens of the binding
        if (!checkTokens(binding, ai, parameters.getAssertionInfoMap(), hasDerivedKeys, parameters.getSignedResults(), parameters.getEncryptedResults())) {
            continue;
        }
    }
}
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) AsymmetricBinding(org.apache.wss4j.policy.model.AsymmetricBinding)

Example 87 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class SecuredPartsPolicyValidator method isTransportBinding.

private boolean isTransportBinding(AssertionInfoMap aim, Message message) {
    AssertionInfo symAis = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
    if (symAis != null) {
        return false;
    }
    AssertionInfo asymAis = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
    if (asymAis != null) {
        return false;
    }
    AssertionInfo transAis = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING);
    if (transAis != null) {
        return true;
    }
    // No bindings, check if we are using TLS
    TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
    if (tlsInfo != null) {
        // We don't need to check these policies for TLS
        PolicyUtils.assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
        PolicyUtils.assertPolicy(aim, SP11Constants.ENCRYPTED_PARTS);
        PolicyUtils.assertPolicy(aim, SP12Constants.SIGNED_PARTS);
        PolicyUtils.assertPolicy(aim, SP11Constants.SIGNED_PARTS);
        return true;
    }
    return false;
}
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo)

Example 88 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class SignedEndorsingEncryptedTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available
    if (isTLSInUse(parameters.getMessage())) {
        AssertionInfo transportAi = PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(), SPConstants.TRANSPORT_BINDING);
        super.setEnforceEncryptedTokens(transportAi == null);
    }
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());
        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
                assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                continue;
            }
            DerivedKeys derivedKeys = token.getDerivedKeys();
            boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
            boolean processingFailed = false;
            if (token instanceof KerberosToken) {
                if (!processKerberosTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SamlToken) {
                if (!processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof X509Token) {
                if (!processX509Tokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof KeyValueToken) {
                if (!processKeyValueTokens(parameters)) {
                    processingFailed = true;
                }
            } else if (token instanceof UsernameToken) {
                if (!processUsernameTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
                if (!processSCTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof IssuedToken) {
                IssuedToken issuedToken = (IssuedToken) token;
                if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else {
                processingFailed = true;
            }
            if (processingFailed) {
                ai.setNotAsserted("The received token does not match the signed endorsing encrypted " + "supporting token requirement");
                continue;
            }
            if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
            }
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)

Example 89 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class TransportBindingPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        TransportBinding binding = (TransportBinding) ai.getAssertion();
        ai.setAsserted(true);
        // Check that TLS is in use if we are not the requestor
        boolean initiator = MessageUtils.isRequestor(parameters.getMessage());
        TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
        if (!initiator && tlsInfo == null) {
            ai.setNotAsserted("TLS is not enabled");
            continue;
        }
        // HttpsToken is validated by the HttpsTokenInterceptorProvider
        if (binding.getTransportToken() != null) {
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), binding.getTransportToken().getName());
        }
        // Check the IncludeTimestamp
        if (!validateTimestamp(binding.isIncludeTimestamp(), true, parameters.getResults(), parameters.getSignedResults(), parameters.getMessage())) {
            String error = "Received Timestamp does not match the requirements";
            ai.setNotAsserted(error);
            continue;
        }
        PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), new QName(binding.getName().getNamespaceURI(), SPConstants.INCLUDE_TIMESTAMP));
    }
    // We don't need to check these policies for the Transport binding
    if (!ais.isEmpty()) {
        PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP12Constants.ENCRYPTED_PARTS);
        PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP11Constants.ENCRYPTED_PARTS);
        PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP12Constants.SIGNED_PARTS);
        PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP11Constants.SIGNED_PARTS);
    }
}
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) QName(javax.xml.namespace.QName) TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo) TransportBinding(org.apache.wss4j.policy.model.TransportBinding)

Example 90 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class X509TokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    List<WSSecurityEngineResult> bstResults = parameters.getResults().getActionResults().get(WSConstants.BST);
    for (AssertionInfo ai : ais) {
        X509Token x509TokenPolicy = (X509Token) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(x509TokenPolicy, parameters.getAssertionInfoMap());
        if (!isTokenRequired(x509TokenPolicy, parameters.getMessage())) {
            continue;
        }
        if ((bstResults == null || bstResults.isEmpty()) && parameters.getSignedResults().isEmpty()) {
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
            continue;
        }
        if (!checkTokenType(x509TokenPolicy.getTokenType(), bstResults, parameters.getSignedResults())) {
            ai.setNotAsserted("An incorrect X.509 Token Type is detected");
            continue;
        }
    }
}
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) X509Token(org.apache.wss4j.policy.model.X509Token) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)

Aggregations

AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)99 AssertionInfoMap (org.apache.cxf.ws.policy.AssertionInfoMap)45 QName (javax.xml.namespace.QName)21 SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)14 ArrayList (java.util.ArrayList)12 AbstractToken (org.apache.wss4j.policy.model.AbstractToken)12 SamlToken (org.apache.wss4j.policy.model.SamlToken)12 IssuedToken (org.apache.wss4j.policy.model.IssuedToken)10 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)10 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)9 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)9 X509Token (org.apache.wss4j.policy.model.X509Token)9 Element (org.w3c.dom.Element)9 PolicyException (org.apache.cxf.ws.policy.PolicyException)8 KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)8 Header (org.apache.wss4j.policy.model.Header)7 SoapMessage (org.apache.cxf.binding.soap.SoapMessage)6 Message (org.apache.cxf.message.Message)6 WSSecurityEngineResult (org.apache.wss4j.dom.engine.WSSecurityEngineResult)6 TLSSessionInfo (org.apache.cxf.security.transport.TLSSessionInfo)5