/**
 * Validates each received {@code AsymmetricBinding} assertion against the security results of
 * the current message.
 *
 * <p>Every assertion is first marked as asserted; the protection-order, property and token checks
 * then run in that order and, once one of them fails, the remaining checks for that assertion are
 * skipped (the failing check is presumably what records the violation on {@code ai}).
 *
 * @param parameters the validation context (assertion map, security results, message)
 * @param ais        the AsymmetricBinding assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    // Derived keys are in play when a DerivedKeyToken (DKT) action result was produced for the message
    boolean hasDerivedKeys = parameters.getResults().getActionResults().containsKey(WSConstants.DKT);
    for (AssertionInfo ai : ais) {
        AsymmetricBinding binding = (AsymmetricBinding) ai.getAssertion();
        ai.setAsserted(true);

        // The three checks are chained so that a failure short-circuits the ones after it
        boolean orderOk = checkProtectionOrder(binding, parameters.getAssertionInfoMap(), ai,
                                               parameters.getResults().getResults());
        boolean propertiesOk = orderOk
            && checkProperties(binding, ai, parameters.getAssertionInfoMap(), parameters.getResults(),
                               parameters.getSignedResults(), parameters.getMessage());
        if (propertiesOk) {
            checkTokens(binding, ai, parameters.getAssertionInfoMap(), hasDerivedKeys,
                        parameters.getSignedResults(), parameters.getEncryptedResults());
        }
    }
}
/**
 * Determines whether the message is treated as transport-protected: either a TransportBinding
 * assertion is present, or no binding assertion is present at all and a TLS session is attached
 * to the message.
 *
 * <p>In the binding-less TLS case the SP 1.1 and SP 1.2 SignedParts / EncryptedParts assertions
 * are marked as satisfied here, since transport security stands in for message-level protection.
 *
 * @param aim     the assertion map of the current message
 * @param message the current message
 * @return {@code true} for a TransportBinding or a binding-less TLS connection; {@code false} when a
 *         Symmetric or Asymmetric binding is present, or when neither a binding nor TLS is found
 */
private boolean isTransportBinding(AssertionInfoMap aim, Message message) {
    // A message-level binding wins: its parts have to be verified in the message itself
    boolean messageLevelBinding =
        PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SYMMETRIC_BINDING) != null
        || PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.ASYMMETRIC_BINDING) != null;
    if (messageLevelBinding) {
        return false;
    }
    if (PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING) != null) {
        return true;
    }

    // No binding assertion at all: fall back to whether a TLS session exists for this message
    TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
    if (tlsInfo == null) {
        return false;
    }
    // TLS covers the parts, so the parts assertions (both SP versions) do not need message-level checks
    PolicyUtils.assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
    PolicyUtils.assertPolicy(aim, SP11Constants.ENCRYPTED_PARTS);
    PolicyUtils.assertPolicy(aim, SP12Constants.SIGNED_PARTS);
    PolicyUtils.assertPolicy(aim, SP11Constants.SIGNED_PARTS);
    return true;
}
/**
 * Validates the SignedEndorsingEncryptedSupportingTokens assertions against the tokens that were
 * actually received and processed.
 *
 * <p>Each assertion is first marked as asserted and its signed/encrypted parts and elements are
 * installed on this validator. Each token of the assertion is then either skipped (when the policy
 * does not require it on this message) or dispatched to the type-specific processing method; a
 * token that cannot be matched marks the assertion as not asserted.
 *
 * <p>When TLS is in use, encrypted tokens are still enforced unless a TransportBinding policy is
 * present.
 *
 * @param parameters the validation context (assertion map, security results, message)
 * @param ais        the supporting-token assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available
    if (isTLSInUse(parameters.getMessage())) {
        AssertionInfo transportAi = PolicyUtils.getFirstAssertionByLocalname(
            parameters.getAssertionInfoMap(), SPConstants.TRANSPORT_BINDING);
        super.setEnforceEncryptedTokens(transportAi == null);
    }

    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);

        // The parts/elements of this assertion drive the signed/encrypted checks of the processing methods
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());

        processSupportingTokens(ai, binding, parameters);
    }
}

/**
 * Checks every token of one supporting-token assertion, marking the assertion as not asserted
 * for the first token that does not match a received token (later tokens are still visited).
 *
 * @param ai         the assertion being validated
 * @param binding    the SupportingTokens policy of that assertion
 * @param parameters the validation context
 */
private void processSupportingTokens(AssertionInfo ai, SupportingTokens binding,
                                     PolicyValidatorParameters parameters) {
    List<AbstractToken> tokens = binding.getTokens();
    for (AbstractToken token : tokens) {
        if (!isTokenRequired(token, parameters.getMessage())) {
            // Token not required on this message: its derived-key and secure-parts assertions are satisfied
            assertDerivedKeys(token, parameters.getAssertionInfoMap());
            assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
            continue;
        }

        boolean derived = token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys;
        if (!processSingleToken(token, parameters, derived)) {
            ai.setNotAsserted("The received token does not match the signed endorsing encrypted "
                              + "supporting token requirement");
            continue;
        }
        // Only assert derived keys when the policy requires them and a DerivedKeyToken was actually processed
        if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
            assertDerivedKeys(token, parameters.getAssertionInfoMap());
        }
    }
}

/**
 * Dispatches one required token to the processing method for its policy type.
 *
 * @param token      the policy token to match against the received results
 * @param parameters the validation context
 * @param derived    whether the policy requires derived keys for this token
 * @return {@code true} if the token type is known and its processing succeeded
 */
private boolean processSingleToken(AbstractToken token, PolicyValidatorParameters parameters,
                                   boolean derived) {
    // The order of the type tests is significant and mirrors the original dispatch
    if (token instanceof KerberosToken) {
        return processKerberosTokens(parameters, derived);
    }
    if (token instanceof SamlToken) {
        return processSAMLTokens(parameters, derived);
    }
    if (token instanceof X509Token) {
        return processX509Tokens(parameters, derived);
    }
    if (token instanceof KeyValueToken) {
        return processKeyValueTokens(parameters);
    }
    if (token instanceof UsernameToken) {
        return processUsernameTokens(parameters, derived);
    }
    if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
        return processSCTokens(parameters, derived);
    }
    if (token instanceof IssuedToken) {
        // An IssuedToken only needs a matching SAML result when the policy requires a SAML token for it
        IssuedToken issuedToken = (IssuedToken) token;
        return !isSamlTokenRequiredForIssuedToken(issuedToken) || processSAMLTokens(parameters, derived);
    }
    // Unknown token type: nothing could have processed it
    return false;
}
/**
 * Validates the TransportBinding assertions of the current message.
 *
 * <p>For each assertion: on the non-requestor side a TLS session must be attached to the message;
 * the transport token assertion (if any) is marked as satisfied here because the HttpsToken is
 * validated by the HttpsTokenInterceptorProvider; and the received Timestamp must match the
 * IncludeTimestamp requirement. When at least one TransportBinding assertion is present, the
 * SignedParts / EncryptedParts assertions (SP 1.1 and 1.2) are marked as satisfied, since they do
 * not need message-level checks under this binding.
 *
 * @param parameters the validation context (assertion map, security results, message)
 * @param ais        the TransportBinding assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        TransportBinding binding = (TransportBinding) ai.getAssertion();
        ai.setAsserted(true);
        if (validateTransportBinding(binding, ai, parameters)) {
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(),
                new QName(binding.getName().getNamespaceURI(), SPConstants.INCLUDE_TIMESTAMP));
        }
    }

    // We don't need to check these policies for the Transport binding
    if (!ais.isEmpty()) {
        PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP12Constants.ENCRYPTED_PARTS);
        PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP11Constants.ENCRYPTED_PARTS);
        PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP12Constants.SIGNED_PARTS);
        PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), SP11Constants.SIGNED_PARTS);
    }
}

/**
 * Runs the TLS, transport-token and Timestamp checks for one TransportBinding assertion.
 *
 * @param binding    the TransportBinding policy
 * @param ai         the assertion to mark as not asserted on failure
 * @param parameters the validation context
 * @return {@code true} if the TLS and Timestamp checks both passed
 */
private boolean validateTransportBinding(TransportBinding binding, AssertionInfo ai,
                                         PolicyValidatorParameters parameters) {
    // Check that TLS is in use if we are not the requestor (the requestor side is not checked here)
    boolean initiator = MessageUtils.isRequestor(parameters.getMessage());
    TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
    if (!initiator && tlsInfo == null) {
        ai.setNotAsserted("TLS is not enabled");
        return false;
    }

    // HttpsToken is validated by the HttpsTokenInterceptorProvider
    if (binding.getTransportToken() != null) {
        PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), binding.getTransportToken().getName());
    }

    // Check the IncludeTimestamp
    boolean timestampOk = validateTimestamp(binding.isIncludeTimestamp(), true, parameters.getResults(),
                                            parameters.getSignedResults(), parameters.getMessage());
    if (!timestampOk) {
        ai.setNotAsserted("Received Timestamp does not match the requirements");
        return false;
    }
    return true;
}
/**
 * Validates the X509Token assertions against the BinarySecurityToken (BST) and signature results
 * of the current message.
 *
 * <p>An assertion whose token is not required on this message is left asserted. Otherwise the
 * message must carry either a BST result or a signature result, and the token type found must
 * match the policy's token type; either failure marks the assertion as not asserted.
 *
 * @param parameters the validation context (assertion map, security results, message)
 * @param ais        the X509Token assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    List<WSSecurityEngineResult> bstResults = parameters.getResults().getActionResults().get(WSConstants.BST);

    for (AssertionInfo ai : ais) {
        X509Token x509TokenPolicy = (X509Token) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(x509TokenPolicy, parameters.getAssertionInfoMap());

        if (!isTokenRequired(x509TokenPolicy, parameters.getMessage())) {
            continue;
        }

        // Without any BST or signature result there is nothing that could satisfy the token inclusion
        boolean noBstResults = bstResults == null || bstResults.isEmpty();
        if (noBstResults && parameters.getSignedResults().isEmpty()) {
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
        } else if (!checkTokenType(x509TokenPolicy.getTokenType(), bstResults, parameters.getSignedResults())) {
            ai.setNotAsserted("An incorrect X.509 Token Type is detected");
        }
    }
}