/**
 * Asserts that the policy assertion registered under {@code name} ended up in
 * the expected state.
 *
 * <p>Every {@link AssertionInfo} stored for {@code name} whose assertion is
 * equal to {@code inf}'s assertion is inspected; the policy counts as failed
 * when one of them is not asserted and the assertion is not optional.
 *
 * @param aim      the assertion-info map to look the policy up in
 * @param name     the name of the policy assertion under test
 * @param inf      the assertion info whose assertion is compared against
 * @param asserted {@code true} if the policy is expected to have passed,
 *                 {@code false} if it is expected to have failed
 */
protected void checkAssertion(AssertionInfoMap aim, QName name, AssertionInfo inf, boolean asserted) {
    Collection<AssertionInfo> candidates = aim.getAssertionInfo(name);
    boolean failed = false;
    for (AssertionInfo candidate : candidates) {
        boolean sameAssertion = candidate.getAssertion().equal(inf.getAssertion());
        if (sameAssertion && !candidate.isAsserted() && !inf.getAssertion().isOptional()) {
            failed = true;
        }
    }
    if (asserted) {
        assertTrue(name + " policy erroneously failed.", !failed);
    } else {
        assertTrue(name + " policy erroneously asserted.", failed);
    }
}
/**
 * Validates each {@code RequiredElements} assertion of
 * {@code RequiredElementsPolicyValidator} against the SOAP header of the
 * message.
 *
 * <p>Each assertion is first marked as asserted and is reset to not-asserted
 * when the header is absent, when one of the assertion's XPath expressions
 * matches no node in the header, or when an expression cannot be evaluated.
 * All expressions of an assertion are evaluated even after a failure.
 *
 * @param parameters the validation context supplying the SOAP header
 * @param ais        the {@code RequiredElements} assertion infos to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        RequiredElements required = (RequiredElements) ai.getAssertion();
        ai.setAsserted(true);
        if (required == null || required.getXPaths() == null || required.getXPaths().isEmpty()) {
            continue;
        }

        XPathFactory factory = XPathFactory.newInstance();
        try {
            // The expressions are taken from the policy, so ask the provider
            // for secure processing before evaluating them against the header.
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
        } catch (javax.xml.xpath.XPathFactoryConfigurationException ignored) {
            // Best effort: a provider that rejects the feature is still used,
            // which is the behaviour this validator has always had.
        }

        for (org.apache.wss4j.policy.model.XPath policyXPath : required.getXPaths()) {
            Map<String, String> namespaces = policyXPath.getPrefixNamespaceMap();
            String expression = policyXPath.getXPath();
            XPath evaluator = factory.newXPath();
            if (namespaces != null) {
                evaluator.setNamespaceContext(new MapNamespaceContext(namespaces));
            }

            Element header = (Element) DOMUtils.getDomElement(parameters.getSoapHeader());
            if (header == null) {
                ai.setNotAsserted("No header element matching XPath " + expression + " found.");
                continue;
            }
            try {
                NodeList matches = (NodeList) evaluator.evaluate(expression, header, XPathConstants.NODESET);
                if (matches.getLength() == 0) {
                    ai.setNotAsserted("No header element matching XPath " + expression + " found.");
                }
            } catch (XPathExpressionException e) {
                ai.setNotAsserted("Invalid XPath expression " + expression + " " + e.getMessage());
            }
        }
    }
}
/**
 * Validates each {@code SamlToken} assertion of {@code SamlTokenPolicyValidator}
 * against the SAML assertions received with the message.
 *
 * <p>A token that is not required for this message is simply asserted via
 * {@code PolicyUtils.assertPolicy}. Otherwise at least one SAML result has to
 * be present, every received assertion has to match the policy's SAML version
 * and, unless {@code SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION} is
 * set to {@code false} on the message, has to satisfy the holder-of-key and
 * sender-vouches checks. Sender-vouches always fails when no SOAP body is
 * available.
 *
 * @param parameters the validation context (message, SAML/signature results,
 *                   assertion-info map)
 * @param ais        the {@code SamlToken} assertion infos to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SamlToken samlToken = (SamlToken) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(samlToken, parameters.getAssertionInfoMap());

        if (!isTokenRequired(samlToken, parameters.getMessage())) {
            QName tokenName = new QName(samlToken.getVersion().getNamespace(),
                                        samlToken.getSamlTokenType().name());
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), tokenName);
            continue;
        }
        if (parameters.getSamlResults().isEmpty()) {
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
            continue;
        }

        // Subject confirmation validation is on unless explicitly disabled.
        String confirmationProperty = (String) SecurityUtils.getSecurityPropertyValue(
            SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, parameters.getMessage());
        boolean validateSubjectConfirmation =
            confirmationProperty == null || Boolean.parseBoolean(confirmationProperty);

        // Every received SAML assertion has to satisfy the policy.
        for (WSSecurityEngineResult result : parameters.getSamlResults()) {
            SamlAssertionWrapper wrapper =
                (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (!checkVersion(parameters.getAssertionInfoMap(), samlToken, wrapper)) {
                ai.setNotAsserted("Wrong SAML Version");
            } else if (validateSubjectConfirmation) {
                TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
                Certificate[] tlsCerts = tlsInfo == null ? null : tlsInfo.getPeerCertificates();
                if (!checkHolderOfKey(wrapper, parameters.getSignedResults(), tlsCerts)) {
                    ai.setNotAsserted("Assertion fails holder-of-key requirements");
                } else if (parameters.getSoapBody() == null
                    || !DOMSAMLUtil.checkSenderVouches(wrapper, tlsCerts, parameters.getSoapBody(),
                                                       parameters.getSignedResults())) {
                    ai.setNotAsserted("Assertion fails sender-vouches requirements");
                }
            }
            // NOTE: an issuer-name check (checkIssuerName) exists upstream but is
            // commented out; it is intentionally not performed here.
        }
    }
}
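/**
 * Validates each secured-parts assertion of {@code SecuredPartsPolicyValidator}
 * against the signature or encryption results of the message, as selected by
 * {@code coverageType}.
 *
 * <p>Nothing is checked under a transport binding. Assertion infos that are
 * already asserted (children of a SupportingToken) are skipped. For every
 * other assertion the body, each listed header and the attachments are
 * checked with {@code CryptoCoverageUtil}; a body failure is reported and the
 * remaining checks for that assertion are skipped, while header and
 * attachment failures are all reported.
 *
 * @param parameters the validation context (message, SOAP body and header,
 *                   signed/encrypted data references)
 * @param ais        the secured-parts assertion infos to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    if (isTransportBinding(parameters.getAssertionInfoMap(), parameters.getMessage())) {
        return;
    }
    Message msg = parameters.getMessage();
    Element soapBody = (Element) DOMUtils.getDomElement(parameters.getSoapBody());
    Element header = (Element) DOMUtils.getDomElement(parameters.getSoapHeader());
    // Only the references matching this validator's coverage type are consulted.
    Collection<WSDataRef> dataRefs =
        coverageType == CoverageType.SIGNED ? parameters.getSigned() : parameters.getEncrypted();

    for (AssertionInfo ai : ais) {
        if (ai.isAsserted()) {
            // already handled as a child of a SupportingToken
            continue;
        }
        AbstractSecuredParts parts = (AbstractSecuredParts) ai.getAssertion();
        ai.setAsserted(true);

        if (parts.isBody()) {
            try {
                // Signature coverage is checked on the element, encryption on its content.
                if (coverageType == CoverageType.SIGNED) {
                    CryptoCoverageUtil.checkBodyCoverage(soapBody, dataRefs,
                                                         CoverageType.SIGNED, CoverageScope.ELEMENT);
                } else {
                    CryptoCoverageUtil.checkBodyCoverage(soapBody, dataRefs,
                                                         CoverageType.ENCRYPTED, CoverageScope.CONTENT);
                }
            } catch (WSSecurityException e) {
                ai.setNotAsserted("Soap Body is not " + coverageType);
                continue;
            }
        }

        for (Header h : parts.getHeaders()) {
            if (header == null) {
                ai.setNotAsserted(headerNotCoveredMessage(h));
                continue;
            }
            try {
                CryptoCoverageUtil.checkHeaderCoverage(header, dataRefs, h.getNamespace(), h.getName(),
                                                       coverageType, CoverageScope.ELEMENT);
            } catch (WSSecurityException e) {
                ai.setNotAsserted(headerNotCoveredMessage(h));
            }
        }

        Attachments attachments = parts.getAttachments();
        if (attachments != null) {
            try {
                CoverageScope scope = attachments.isContentSignatureTransform()
                    ? CoverageScope.CONTENT : CoverageScope.ELEMENT;
                CryptoCoverageUtil.checkAttachmentsCoverage(msg.getAttachments(), dataRefs,
                                                            coverageType, scope);
            } catch (WSSecurityException e) {
                ai.setNotAsserted("An attachment was not signed/encrypted");
            }
        }
    }
}

/**
 * Builds the not-asserted message for a required header that is not covered,
 * e.g. {@code ns:Name not SIGNED}.
 *
 * @param h the header from the policy assertion
 * @return the failure message
 */
private String headerNotCoveredMessage(Header h) {
    // The previous message contained a stray "+" ("... not + SIGNED").
    return h.getNamespace() + ":" + h.getName() + " not " + coverageType;
}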
/**
 * Validates each {@code SignedSupportingTokens} assertion of
 * {@code SignedTokenPolicyValidator}.
 *
 * <p>For every assertion the signed/encrypted parts and elements of the binding
 * are installed on this validator, and each required token of the binding is
 * processed by the matching {@code process*Tokens} method. An assertion is
 * marked not-asserted when any required token fails to process or is of an
 * unsupported type; the remaining tokens are still processed.
 *
 * @param parameters the validation context (message and security results)
 * @param ais        the supporting-token assertion infos to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());

        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                continue;
            }

            boolean processed;
            if (token instanceof UsernameToken) {
                processed = processUsernameTokens(parameters, false);
            } else if (token instanceof SamlToken) {
                processed = processSAMLTokens(parameters, false);
            } else if (token instanceof KerberosToken) {
                processed = processKerberosTokens(parameters, false);
            } else if (token instanceof X509Token) {
                processed = processX509Tokens(parameters, false);
            } else if (token instanceof KeyValueToken) {
                processed = processKeyValueTokens(parameters);
            } else if (token instanceof SecurityContextToken) {
                processed = processSCTokens(parameters, false);
            } else if (token instanceof IssuedToken) {
                // An issued token only needs processing when it requires a SAML token.
                processed = !isSamlTokenRequiredForIssuedToken((IssuedToken) token)
                    || processSAMLTokens(parameters, false);
            } else {
                // Unknown token type: treated as a processing failure.
                processed = false;
            }

            if (!processed) {
                ai.setNotAsserted("The received token does not match the signed supporting token requirement");
            }
        }
    }
}