Examples with AssertionInfo org.apache.cxf.ws.policy.AssertionInfo used on opensource projects

Search in sources :

Example 26 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class EndorsingTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());
        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
                assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                continue;
            }
            DerivedKeys derivedKeys = token.getDerivedKeys();
            boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
            boolean processingFailed = false;
            if (token instanceof KerberosToken) {
                if (!processKerberosTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof X509Token) {
                if (!processX509Tokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof KeyValueToken) {
                if (!processKeyValueTokens(parameters)) {
                    processingFailed = true;
                }
            } else if (token instanceof UsernameToken) {
                if (!processUsernameTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
                if (!processSCTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SamlToken) {
                if (!processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof IssuedToken) {
                IssuedToken issuedToken = (IssuedToken) token;
                if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else {
                processingFailed = true;
            }
            if (processingFailed) {
                ai.setNotAsserted("The received token does not match the endorsing supporting token requirement");
                continue;
            }
            if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
            }
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)

Example 27 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class KerberosTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    List<WSSecurityEngineResult> kerberosResults = findKerberosResults(parameters.getResults().getActionResults().get(WSConstants.BST));
    for (WSSecurityEngineResult kerberosResult : kerberosResults) {
        KerberosSecurity kerberosToken = (KerberosSecurity) kerberosResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        boolean asserted = true;
        for (AssertionInfo ai : ais) {
            KerberosToken kerberosTokenPolicy = (KerberosToken) ai.getAssertion();
            ai.setAsserted(true);
            assertToken(kerberosTokenPolicy, parameters.getAssertionInfoMap());
            if (!isTokenRequired(kerberosTokenPolicy, parameters.getMessage())) {
                PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), new QName(kerberosTokenPolicy.getVersion().getNamespace(), "WssKerberosV5ApReqToken11"));
                PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), new QName(kerberosTokenPolicy.getVersion().getNamespace(), "WssGssKerberosV5ApReqToken11"));
                continue;
            }
            if (!checkToken(parameters.getAssertionInfoMap(), kerberosTokenPolicy, kerberosToken)) {
                asserted = false;
                ai.setNotAsserted("An incorrect Kerberos Token Type is detected");
                continue;
            }
        }
        if (asserted) {
            SecurityToken token = createSecurityToken(kerberosToken);
            token.setSecret((byte[]) kerberosResult.get(WSSecurityEngineResult.TAG_SECRET));
            try {
                TokenStoreUtils.getTokenStore(parameters.getMessage()).add(token);
            } catch (TokenStoreException ex) {
                LOG.warning(ex.getMessage());
            }
            parameters.getMessage().getExchange().put(SecurityConstants.TOKEN_ID, token.getId());
            return;
        }
    }
}
Also used : SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) KerberosSecurity(org.apache.wss4j.dom.message.token.KerberosSecurity) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) QName(javax.xml.namespace.QName) TokenStoreException(org.apache.cxf.ws.security.tokenstore.TokenStoreException) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)

Example 28 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class RequiredPartsPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    Element header = parameters.getSoapHeader();
    for (AssertionInfo ai : ais) {
        RequiredParts rp = (RequiredParts) ai.getAssertion();
        ai.setAsserted(true);
        for (Header h : rp.getHeaders()) {
            QName qName = new QName(h.getNamespace(), h.getName());
            if (header == null || DOMUtils.getFirstChildWithName(header, qName) == null) {
                ai.setNotAsserted("No header element of name " + qName + " found.");
            }
        }
    }
}
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) Header(org.apache.wss4j.policy.model.Header) QName(javax.xml.namespace.QName) Element(org.w3c.dom.Element) RequiredParts(org.apache.wss4j.policy.model.RequiredParts)

Example 29 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class SecuredElementsPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    // XPathFactory and XPath are not thread-safe so we must recreate them
    // each request.
    final XPathFactory factory = XPathFactory.newInstance();
    try {
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
    } catch (javax.xml.xpath.XPathFactoryConfigurationException ex) {
    // ignore
    }
    final XPath xpath = factory.newXPath();
    Element soapEnvelope = parameters.getSoapHeader() != null ? parameters.getSoapHeader().getOwnerDocument().getDocumentElement() : null;
    Collection<WSDataRef> dataRefs = parameters.getEncrypted();
    if (coverageType == CoverageType.SIGNED) {
        dataRefs = parameters.getSigned();
    }
    for (AssertionInfo ai : ais) {
        RequiredElements elements = (RequiredElements) ai.getAssertion();
        ai.setAsserted(true);
        if (elements != null && elements.getXPaths() != null && !elements.getXPaths().isEmpty()) {
            List<String> expressions = new ArrayList<>();
            MapNamespaceContext namespaceContext = new MapNamespaceContext();
            for (org.apache.wss4j.policy.model.XPath xPath : elements.getXPaths()) {
                expressions.add(xPath.getXPath());
                Map<String, String> namespaceMap = xPath.getPrefixNamespaceMap();
                if (namespaceMap != null) {
                    namespaceContext.addNamespaces(namespaceMap);
                }
            }
            if (parameters.getSoapHeader() == null) {
                ai.setNotAsserted("No " + coverageType + " element found matching one of the XPaths " + Arrays.toString(expressions.toArray()));
            } else {
                xpath.setNamespaceContext(namespaceContext);
                try {
                    CryptoCoverageUtil.checkCoverage(soapEnvelope, dataRefs, xpath, expressions, coverageType, coverageScope);
                } catch (WSSecurityException e) {
                    ai.setNotAsserted("No " + coverageType + " element found matching one of the XPaths " + Arrays.toString(expressions.toArray()));
                }
            }
        }
    }
}
Also used : XPath(javax.xml.xpath.XPath) RequiredElements(org.apache.wss4j.policy.model.RequiredElements) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) MapNamespaceContext(org.apache.cxf.helpers.MapNamespaceContext) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) WSDataRef(org.apache.wss4j.dom.WSDataRef) XPathFactory(javax.xml.xpath.XPathFactory)

Example 30 with AssertionInfo

use of org.apache.cxf.ws.policy.AssertionInfo in project cxf by apache.

the class SignedEndorsingTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());
        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
                assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                continue;
            }
            DerivedKeys derivedKeys = token.getDerivedKeys();
            boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
            boolean processingFailed = false;
            if (token instanceof KerberosToken) {
                if (!processKerberosTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SamlToken) {
                if (!processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof X509Token) {
                if (!processX509Tokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof KeyValueToken) {
                if (!processKeyValueTokens(parameters)) {
                    processingFailed = true;
                }
            } else if (token instanceof UsernameToken) {
                if (!processUsernameTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
                if (!processSCTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof IssuedToken) {
                IssuedToken issuedToken = (IssuedToken) token;
                if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else {
                processingFailed = true;
            }
            if (processingFailed) {
                ai.setNotAsserted("The received token does not match the signed endorsing supporting token requirement");
                continue;
            }
            if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
            }
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)

Aggregations

AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)99 AssertionInfoMap (org.apache.cxf.ws.policy.AssertionInfoMap)45 QName (javax.xml.namespace.QName)21 SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)14 ArrayList (java.util.ArrayList)12 AbstractToken (org.apache.wss4j.policy.model.AbstractToken)12 SamlToken (org.apache.wss4j.policy.model.SamlToken)12 IssuedToken (org.apache.wss4j.policy.model.IssuedToken)10 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)10 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)9 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)9 X509Token (org.apache.wss4j.policy.model.X509Token)9 Element (org.w3c.dom.Element)9 PolicyException (org.apache.cxf.ws.policy.PolicyException)8 KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)8 Header (org.apache.wss4j.policy.model.Header)7 SoapMessage (org.apache.cxf.binding.soap.SoapMessage)6 Message (org.apache.cxf.message.Message)6 WSSecurityEngineResult (org.apache.wss4j.dom.engine.WSSecurityEngineResult)6 TLSSessionInfo (org.apache.cxf.security.transport.TLSSessionInfo)5
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial