Use of org.apache.cxf.ws.policy.AssertionInfoMap in project OpenAM by OpenRock: class OpenAMSessionTokenClientInterceptor, method assertTokens.
    /**
     * Called to assert the relevant tokens. Asserting tokens means asserting that the corresponding policy has been
     * satisfied. This method is called inbound on the client side. This method will assert that the OpenAMSessionAssertion
     * has been satisfied, and also the SupportingToken policy (the OpenAMSessionToken policy always defines a SupportingToken),
     * and, if TLS is being used in the invocation, that the TransportPolicy has also been satisfied, as the OpenAMSessionToken
     * SecurityPolicy binding is always deployed as part of an unprotected binding (i.e. a 'bare' OpenAMSessionToken), or
     * as part of the Transport binding. Note that a TransportToken is the token manifestation of a TransportPolicy binding,
     * so asserting the TransportToken will assert the TransportPolicy.
     * @param message The SoapMessage defining the invocation.
     * @return The OpenAMSessionAssertion corresponding to the OpenAMSessionToken SecurityPolicy element protecting
     * soap-sts instances.
     */
    @Override
    protected Token assertTokens(SoapMessage message) {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        Collection<AssertionInfo> ais = aim.getAssertionInfo(AMSTSConstants.AM_SESSION_TOKEN_ASSERTION_QNAME);
        Token token = null;
        for (AssertionInfo ai : ais) {
            token = (Token) ai.getAssertion();
            ai.setAsserted(true);
        }
        ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
        /*
        On the server-side, isTLSInUse is used to determine a TLS invocation. On the client side, pulling the
        "http.scheme" and comparing it to https seems to be the approved approach:
        @see org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider
        */
        if (isTLSInUse(message)) {
            /*
            If TLS is in use, then the tokens are signed by TLS. So instead of having the transport binding reference
            a SupportingToken element, a SignedSupportingToken could be specified.
            */
            ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
            /*
            This should be asserted by the cxf TransportBindingHandler or TransportBinding or TransportToken, but
            it is not, resulting in the following messages, logged as FINE:
            An exception was thrown when verifying that the effective policy for this request was satisfied.
            However, this exception will not result in a fault. The exception raised is: org.apache.cxf.ws.policy.PolicyException:
            These policy alternatives can not be satisfied:{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
            Asserting the TRANSPORT_TOKEN makes this message go away. I know that the OpenAMSessionToken will be deployed in
            either a 'bare' SecurityPolicy binding, or under the Transport binding, so if TLS is in use, the TRANSPORT_TOKEN
            can be asserted.
            */
            ais = aim.getAssertionInfo(SP12Constants.TRANSPORT_TOKEN);
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
        }
        return token;
    }
Use of org.apache.cxf.ws.policy.AssertionInfoMap in project OpenAM by OpenRock: class OpenAMSessionTokenServerInterceptor, method assertTokens.
    /**
     * Called to assert the relevant tokens. Asserting tokens means asserting that the corresponding policy has been
     * satisfied. This method is called outbound on the server-side, and inbound on the client side. It is also called from
     * processTokenAbove, following successful token validation. This method will assert that the OpenAMSessionAssertion
     * has been satisfied, and also the SupportingToken policy (the OpenAMSessionToken policy always defines a SupportingToken),
     * and, if TLS is being used in the invocation, that the TransportPolicy has also been satisfied, as the OpenAMSessionToken
     * SecurityPolicy binding is always deployed as part of an unprotected binding (i.e. a 'bare' OpenAMSessionToken), or
     * as part of the Transport binding. Note that a TransportToken is the token manifestation of a TransportPolicy binding,
     * so asserting the TransportToken will assert the TransportPolicy.
     * @param message The SoapMessage defining the invocation.
     * @return The OpenAMSessionAssertion corresponding to the OpenAMSessionToken SecurityPolicy element protecting
     * soap-sts instances.
     */
    @Override
    protected Token assertTokens(SoapMessage message) {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        Collection<AssertionInfo> ais = aim.getAssertionInfo(AMSTSConstants.AM_SESSION_TOKEN_ASSERTION_QNAME);
        Token token = null;
        for (AssertionInfo ai : ais) {
            token = (Token) ai.getAssertion();
            ai.setAsserted(true);
        }
        ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
        if (isTLSInUse(message)) {
            /*
            If TLS is in use, then the tokens are signed by TLS. So instead of having the transport binding reference
            a SupportingToken element, a SignedSupportingToken could be specified.
            */
            ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
            /*
            This should be asserted by the cxf TransportBindingHandler or TransportBinding or TransportToken, but
            it is not, resulting in the following messages, logged as FINE:
            An exception was thrown when verifying that the effective policy for this request was satisfied.
            However, this exception will not result in a fault. The exception raised is: org.apache.cxf.ws.policy.PolicyException:
            These policy alternatives can not be satisfied:{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
            Asserting the TRANSPORT_TOKEN makes this message go away. I know that the OpenAMSessionToken will be deployed in
            either a 'bare' SecurityPolicy binding, or under the Transport binding, so if TLS is in use, the TRANSPORT_TOKEN
            can be asserted.
            Note that this message is a bug - see
            http://cxf.547215.n5.nabble.com/Custom-SecurityPolicy-Assertions-and-the-Symmetric-binding-td5754879.html#a5755303
            for details. I will continue to assert the TRANSPORT_TOKEN to prevent these messages.
            */
            ais = aim.getAssertionInfo(SP12Constants.TRANSPORT_TOKEN);
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
        }
        return token;
    }
Use of org.apache.cxf.ws.policy.AssertionInfoMap in project tdi-studio-se by Talend: class XRMAuthPolicyInterceptor, method handleMessage.
    public void handleMessage(SoapMessage message) throws Fault {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        if (null == aim) {
            return;
        }
        QName qname = new QName("http://schemas.microsoft.com/xrm/2011/Contracts/Services", "AuthenticationPolicy", "ms-xrm");
        Collection<AssertionInfo> ais = aim.get(qname);
        if (null == ais || ais.size() == 0) {
            return;
        }
        for (AssertionInfo ai : ais) {
            ai.setAsserted(true);
        }
    }
Use of org.apache.cxf.ws.policy.AssertionInfoMap in project ddf by codice: class GuestInterceptor, method internalHandleMessage.
    private void internalHandleMessage(SoapMessage message, SOAPMessage soapMessage) throws Fault {
        // Check if security header exists; if not, execute GuestInterceptor logic
        String actor = (String) getOption(WSHandlerConstants.ACTOR);
        if (actor == null) {
            actor = (String) message.getContextualProperty(SecurityConstants.ACTOR);
        }
        Element existingSecurityHeader = null;
        try {
            LOGGER.debug("Checking for security header.");
            existingSecurityHeader = WSSecurityUtil.getSecurityHeader(soapMessage.getSOAPPart(), actor);
        } catch (WSSecurityException e1) {
            LOGGER.debug("Issue with getting security header", e1);
        }
        if (existingSecurityHeader != null) {
            LOGGER.debug("SOAP message contains security header, no action taken by the GuestInterceptor.");
            return;
        }
        LOGGER.debug("Current request has no security header, continuing with GuestInterceptor");
        AssertionInfoMap assertionInfoMap = message.get(AssertionInfoMap.class);
        boolean hasAddressingAssertion = assertionInfoMap.entrySet()
                .stream()
                .flatMap(p -> p.getValue().stream())
                .filter(info -> MetadataConstants.ADDRESSING_ASSERTION_QNAME.equals(info.getAssertion().getName()))
                .findFirst()
                .isPresent();
        if (hasAddressingAssertion) {
            createAddressing(message, soapMessage);
        }
        LOGGER.debug("Creating guest security token.");
        HttpServletRequest request = (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
        SecurityToken securityToken = createSecurityToken(request.getRemoteAddr());
        message.put(SecurityConstants.TOKEN, securityToken);
        if (!MessageUtils.isRequestor(message)) {
            try {
                message.put(Message.REQUESTOR_ROLE, true);
                policyBasedWss4jOutInterceptor.handleMessage(message);
            } finally {
                message.remove(Message.REQUESTOR_ROLE);
            }
        } else {
            policyBasedWss4jOutInterceptor.handleMessage(message);
        }
    }
Use of org.apache.cxf.ws.policy.AssertionInfoMap in project cxf by apache: class MAPAggregatorImpl, method assertAddressing.
    /**
     * If isRequestor(message) == true and isAddressRequired() == false,
     * assert all the WS-Addressing related assertions to true.
     *
     * @param message the current message
     */
    private void assertAddressing(Message message) {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        if (null == aim) {
            return;
        }
        QName[] types = new QName[] {
            MetadataConstants.ADDRESSING_ASSERTION_QNAME,
            MetadataConstants.USING_ADDRESSING_2004_QNAME,
            MetadataConstants.USING_ADDRESSING_2005_QNAME,
            MetadataConstants.USING_ADDRESSING_2006_QNAME
        };
        for (QName type : types) {
            assertAssertion(aim, type);
            // ADDRESSING_ASSERTION is normalized, so check only the default namespace
            if (type.equals(MetadataConstants.ADDRESSING_ASSERTION_QNAME)) {
                assertAssertion(aim, MetadataConstants.ANON_RESPONSES_ASSERTION_QNAME);
                assertAssertion(aim, MetadataConstants.NON_ANON_RESPONSES_ASSERTION_QNAME);
            }
        }
    }