
Example 21 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class AbstractPolicySecurityTest method checkAssertion.

/**
 * Test helper: verifies that the policy assertion identified by {@code name}/{@code inf}
 * ended up in the expected asserted state.
 *
 * The check walks every {@link AssertionInfo} registered under {@code name} in the map and
 * treats the expectation as violated when an entry referring to the same assertion as
 * {@code inf} is still un-asserted and the assertion is not optional (optional assertions
 * are allowed to stay un-asserted).
 *
 * @param aim      the assertion-info map populated by policy processing
 * @param name     the QName under which the assertion is registered
 * @param inf      the assertion to look for among the entries registered under {@code name}
 * @param asserted {@code true} if the caller expects the policy to have been satisfied,
 *                 {@code false} if it expects it to have failed
 */
protected void checkAssertion(AssertionInfoMap aim, QName name, AssertionInfo inf, boolean asserted) {
    boolean satisfied = true;
    Collection<AssertionInfo> candidates = aim.getAssertionInfo(name);
    for (AssertionInfo candidate : candidates) {
        // Only entries for the very same policy assertion are relevant.
        if (!candidate.getAssertion().equal(inf.getAssertion())) {
            continue;
        }
        // An asserted entry never counts as a violation.
        if (candidate.isAsserted()) {
            continue;
        }
        // Optional assertions may legitimately remain un-asserted.
        if (inf.getAssertion().isOptional()) {
            continue;
        }
        satisfied = false;
    }
    if (asserted) {
        assertTrue(name + " policy erroneously failed.", satisfied);
    } else {
        assertFalse(name + " policy erroneously asserted.", satisfied);
    }
}

Example 22 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class RequiredElementsPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
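/**
 * Validate policies.
 *
 * Evaluates each {@code RequiredElements} assertion against the received SOAP header:
 * every XPath listed in the assertion must select at least one node under the header,
 * otherwise the assertion is marked as not asserted. The XPath expressions are taken
 * from the security policy itself (not from the message); the header is the received,
 * already-parsed DOM.
 *
 * @param parameters the validation context; only {@code getSoapHeader()} is consulted here
 * @param ais        the assertions to evaluate, each one expected to be a
 *                   {@link RequiredElements}
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        RequiredElements rp = (RequiredElements) ai.getAssertion();
        // Assume success; any failing XPath below revokes it via setNotAsserted.
        ai.setAsserted(true);
        if (rp == null || rp.getXPaths() == null || rp.getXPaths().isEmpty()) {
            // Nothing is required, so the assertion is trivially satisfied.
            continue;
        }
        XPathFactory factory = XPathFactory.newInstance();
        try {
            // Best effort: ask the engine for secure processing (resource limits,
            // restricted extension functions). This is tolerated rather than fatal
            // because the expressions are policy-defined, not attacker-supplied.
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
        } catch (javax.xml.xpath.XPathFactoryConfigurationException ignored) {
            // NOTE(review): falls back silently to an engine without secure
            // processing; there is no logger in scope here to record that.
        }
        // The header is the same for every XPath of this assertion, so resolve it once
        // instead of once per expression.
        Element header = (Element) DOMUtils.getDomElement(parameters.getSoapHeader());
        for (org.apache.wss4j.policy.model.XPath xPath : rp.getXPaths()) {
            String expression = xPath.getXPath();
            XPath xpath = factory.newXPath();
            Map<String, String> namespaces = xPath.getPrefixNamespaceMap();
            if (namespaces != null) {
                xpath.setNamespaceContext(new MapNamespaceContext(namespaces));
            }
            if (header == null) {
                // No header at all: none of the required elements can be present.
                ai.setNotAsserted("No header element matching XPath " + expression + " found.");
                continue;
            }
            try {
                NodeList list = (NodeList) xpath.evaluate(expression, header, XPathConstants.NODESET);
                if (list.getLength() == 0) {
                    ai.setNotAsserted("No header element matching XPath " + expression + " found.");
                }
            } catch (XPathExpressionException e) {
                // A malformed policy XPath fails the assertion instead of being skipped.
                ai.setNotAsserted("Invalid XPath expression " + expression + " " + e.getMessage());
            }
        }
    }
}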

Example 23 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class SamlTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
/**
 * Validate policies.
 *
 * Each {@code SamlToken} assertion is asserted up front and then revoked through
 * {@code setNotAsserted} if the received SAML assertions do not satisfy it: a missing
 * token when one is required, a wrong SAML version, or failing holder-of-key /
 * sender-vouches subject confirmation. All received SAML assertions must conform.
 *
 * Subject-confirmation checking is controlled by the
 * {@code SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION} message property; when it
 * is explicitly set to {@code false}, only the SAML version is verified and no binding of
 * the assertion to the sender (HoK key or sender-vouches signature) is enforced.
 *
 * @param parameters the validation context (message, assertion-info map, SAML and
 *                   signature results)
 * @param ais        the assertions to evaluate, each one expected to be a {@link SamlToken}
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SamlToken samlToken = (SamlToken) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(samlToken, parameters.getAssertionInfoMap());

        // Token not required for this message direction: assert the nested
        // token-type assertion and move on to the next one.
        if (!isTokenRequired(samlToken, parameters.getMessage())) {
            QName tokenType = new QName(samlToken.getVersion().getNamespace(),
                                        samlToken.getSamlTokenType().name());
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), tokenType);
            continue;
        }
        // Required, but nothing was received.
        if (parameters.getSamlResults().isEmpty()) {
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
            continue;
        }

        // Subject confirmation is checked unless explicitly disabled by the property.
        String subjectConfProperty = (String) SecurityUtils.getSecurityPropertyValue(
            SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, parameters.getMessage());
        boolean checkSubjectConfirmation =
            subjectConfProperty == null || Boolean.parseBoolean(subjectConfProperty);

        // All of the received SAML Assertions must conform to the policy
        for (WSSecurityEngineResult result : parameters.getSamlResults()) {
            SamlAssertionWrapper wrapper =
                (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (!checkVersion(parameters.getAssertionInfoMap(), samlToken, wrapper)) {
                ai.setNotAsserted("Wrong SAML Version");
            } else if (checkSubjectConfirmation) {
                // The TLS client certificates (if any) may satisfy the HoK or
                // sender-vouches binding in place of a message signature.
                TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
                Certificate[] tlsCerts = tlsInfo == null ? null : tlsInfo.getPeerCertificates();
                if (!checkHolderOfKey(wrapper, parameters.getSignedResults(), tlsCerts)) {
                    ai.setNotAsserted("Assertion fails holder-of-key requirements");
                } else if (parameters.getSoapBody() == null
                    || !DOMSAMLUtil.checkSenderVouches(wrapper, tlsCerts,
                                                       parameters.getSoapBody(),
                                                       parameters.getSignedResults())) {
                    ai.setNotAsserted("Assertion fails sender-vouches requirements");
                }
            }
            // Issuer-name checking against the policy (checkIssuerName) is currently
            // not performed here.
        }
    }
}

Example 24 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class SecuredPartsPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
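/**
 * Validate policies.
 *
 * Checks the secured-parts assertions (SignedParts or EncryptedParts, selected by this
 * validator's {@code coverageType}) against what was actually signed or encrypted in the
 * received message: the SOAP Body, the listed headers and, where requested, the
 * attachments. Under a transport binding nothing is checked here, since message-level
 * signing/encryption is not expected in that case.
 *
 * @param parameters the validation context (message, DOM body/header and the signed and
 *                   encrypted data references produced by WSS4J)
 * @param ais        the assertions to evaluate, each one expected to be an
 *                   {@link AbstractSecuredParts}
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    // Transport binding: protection is provided by the transport, not by WS-Security.
    if (isTransportBinding(parameters.getAssertionInfoMap(), parameters.getMessage())) {
        return;
    }
    Message msg = parameters.getMessage();
    Element soapBody = (Element) DOMUtils.getDomElement(parameters.getSoapBody());
    Element header = (Element) DOMUtils.getDomElement(parameters.getSoapHeader());
    // Compare against the signature references or the encryption references,
    // depending on which kind of coverage this validator is responsible for.
    Collection<WSDataRef> dataRefs = coverageType == CoverageType.SIGNED
        ? parameters.getSigned() : parameters.getEncrypted();
    for (AssertionInfo ai : ais) {
        if (ai.isAsserted()) {
            // Already handled elsewhere: they are a child of a SupportingToken
            continue;
        }
        AbstractSecuredParts p = (AbstractSecuredParts) ai.getAssertion();
        ai.setAsserted(true);
        if (p.isBody()) {
            try {
                // A signed Body must be covered as a whole element; an encrypted
                // Body only needs its content covered.
                if (coverageType == CoverageType.SIGNED) {
                    CryptoCoverageUtil.checkBodyCoverage(soapBody, dataRefs, CoverageType.SIGNED, CoverageScope.ELEMENT);
                } else {
                    CryptoCoverageUtil.checkBodyCoverage(soapBody, dataRefs, CoverageType.ENCRYPTED, CoverageScope.CONTENT);
                }
            } catch (WSSecurityException e) {
                ai.setNotAsserted("Soap Body is not " + coverageType);
                continue;
            }
        }
        for (Header h : p.getHeaders()) {
            // Fixed wording: the literal used to contain a stray '+' ("... not + SIGNED").
            String failure = h.getNamespace() + ":" + h.getName() + " not " + coverageType;
            if (header == null) {
                // No SOAP header at all, so the required header cannot be covered.
                ai.setNotAsserted(failure);
                continue;
            }
            try {
                CryptoCoverageUtil.checkHeaderCoverage(header, dataRefs, h.getNamespace(), h.getName(), coverageType, CoverageScope.ELEMENT);
            } catch (WSSecurityException e) {
                ai.setNotAsserted(failure);
            }
        }
        Attachments attachments = p.getAttachments();
        if (attachments != null) {
            try {
                // With the content-signature transform only the attachment content
                // needs to be covered, otherwise the whole attachment.
                CoverageScope scope = attachments.isContentSignatureTransform()
                    ? CoverageScope.CONTENT : CoverageScope.ELEMENT;
                CryptoCoverageUtil.checkAttachmentsCoverage(msg.getAttachments(), dataRefs, coverageType, scope);
            } catch (WSSecurityException e) {
                ai.setNotAsserted("An attachment was not signed/encrypted");
            }
        }
    }
}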

Example 25 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class SignedTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
/**
 * Validate policies.
 *
 * For each {@code SignedSupportingTokens} assertion, records the parts/elements the
 * supporting tokens must protect and then verifies that every required token type in the
 * assertion is matched by a received, correctly processed token. Any token type this
 * validator does not know how to process fails the assertion (fail closed).
 *
 * @param parameters the validation context handed to the per-token-type processors
 * @param ais        the assertions to evaluate, each one expected to be a
 *                   {@link SupportingTokens}
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        // Hand the assertion's protection requirements to the validator; presumably
        // consumed by the process*Tokens helpers below (they are defined elsewhere).
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());

        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            // Tokens not required for this message direction are not checked at all.
            if (!isTokenRequired(token, parameters.getMessage())) {
                continue;
            }
            boolean matched;
            if (token instanceof UsernameToken) {
                matched = processUsernameTokens(parameters, false);
            } else if (token instanceof SamlToken) {
                matched = processSAMLTokens(parameters, false);
            } else if (token instanceof KerberosToken) {
                matched = processKerberosTokens(parameters, false);
            } else if (token instanceof X509Token) {
                matched = processX509Tokens(parameters, false);
            } else if (token instanceof KeyValueToken) {
                matched = processKeyValueTokens(parameters);
            } else if (token instanceof SecurityContextToken) {
                matched = processSCTokens(parameters, false);
            } else if (token instanceof IssuedToken) {
                // An IssuedToken only needs checking here when it is carried as SAML.
                IssuedToken issuedToken = (IssuedToken) token;
                matched = !isSamlTokenRequiredForIssuedToken(issuedToken)
                    || processSAMLTokens(parameters, false);
            } else {
                // Unknown token type: never accept it.
                matched = false;
            }
            if (!matched) {
                ai.setNotAsserted("The received token does not match the signed supporting token requirement");
            }
        }
    }
}
