
Example 41 with AssertionInfoMap

use of org.apache.cxf.ws.policy.AssertionInfoMap in project cxf by apache.

Class AbstractCommonBindingHandler, method assertWSSProperties.

/**
 * Marks the {@code Wss10} and {@code Wss11} assertions found under {@code namespace} as
 * asserted and asserts the nested properties they declare.
 *
 * <p>Every {@code Wss10} assertion is passed to {@link #assertWSS10Properties}. Every
 * {@code Wss11} assertion goes through the same call (it is accepted by that method) and
 * additionally asserts the three WSS 1.1-only properties it may carry: thumbprint references,
 * encrypted-key references and signature confirmation. Only the flags that are set on the
 * assertion are asserted; the rest are left for later validation to handle.
 *
 * <p>The {@code AssertionInfoMap} is read from the handler's {@code message}. NOTE(review):
 * a message without a policy map would fail on the first lookup — confirm callers only
 * invoke this when policy processing is active.
 *
 * @param namespace the WS-SecurityPolicy namespace whose WSS10/WSS11 assertions are processed
 */
protected void assertWSSProperties(String namespace) {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);

    // WSS 1.0: assert the assertion itself, then the properties nested in it.
    Collection<AssertionInfo> wss10Infos = aim.get(new QName(namespace, SPConstants.WSS10));
    if (wss10Infos != null) {
        for (AssertionInfo info : wss10Infos) {
            info.setAsserted(true);
            assertWSS10Properties((Wss10) info.getAssertion());
        }
    }

    // WSS 1.1: shared properties go through the WSS 1.0 path; only the 1.1-specific
    // flags are handled here.
    Collection<AssertionInfo> wss11Infos = aim.get(new QName(namespace, SPConstants.WSS11));
    if (wss11Infos == null) {
        return;
    }
    for (AssertionInfo info : wss11Infos) {
        info.setAsserted(true);
        Wss11 wss11 = (Wss11) info.getAssertion();
        assertWSS10Properties(wss11);
        if (wss11.isMustSupportRefThumbprint()) {
            assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_THUMBPRINT));
        }
        if (wss11.isMustSupportRefEncryptedKey()) {
            assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY));
        }
        if (wss11.isRequireSignatureConfirmation()) {
            assertPolicy(new QName(namespace, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION));
        }
    }
}

Example 42 with AssertionInfoMap

use of org.apache.cxf.ws.policy.AssertionInfoMap in project cxf by apache.

Class AbstractCommonBindingHandler, method assertTrustProperties.

/**
 * Marks the {@code Trust10} and {@code Trust13} assertions found under {@code namespace} as
 * asserted and asserts the nested properties they declare.
 *
 * <p>Every {@code Trust10} assertion is passed to {@link #assertTrust10Properties}. Every
 * {@code Trust13} assertion goes through the same call and additionally asserts the four
 * Trust 1.3-only properties it may carry: RequestSecurityTokenCollection, AppliesTo,
 * ScopePolicy15 and interactive challenge. Only the flags that are set on the assertion
 * are asserted.
 *
 * <p>The {@code AssertionInfoMap} is read from the handler's {@code message}. NOTE(review):
 * a message without a policy map would fail on the first lookup — confirm callers only
 * invoke this when policy processing is active.
 *
 * @param namespace the WS-SecurityPolicy namespace whose Trust10/Trust13 assertions are processed
 */
protected void assertTrustProperties(String namespace) {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);

    // Trust 1.0: assert the assertion itself, then the properties nested in it.
    Collection<AssertionInfo> trust10Infos = aim.get(new QName(namespace, SPConstants.TRUST_10));
    if (trust10Infos != null) {
        for (AssertionInfo info : trust10Infos) {
            info.setAsserted(true);
            assertTrust10Properties((Trust10) info.getAssertion());
        }
    }

    // Trust 1.3: shared properties go through the Trust 1.0 path; only the 1.3-specific
    // flags are handled here.
    Collection<AssertionInfo> trust13Infos = aim.get(new QName(namespace, SPConstants.TRUST_13));
    if (trust13Infos == null) {
        return;
    }
    for (AssertionInfo info : trust13Infos) {
        info.setAsserted(true);
        Trust13 trust13 = (Trust13) info.getAssertion();
        assertTrust10Properties(trust13);
        if (trust13.isRequireRequestSecurityTokenCollection()) {
            assertPolicy(new QName(namespace, SPConstants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION));
        }
        if (trust13.isRequireAppliesTo()) {
            assertPolicy(new QName(namespace, SPConstants.REQUIRE_APPLIES_TO));
        }
        if (trust13.isScopePolicy15()) {
            assertPolicy(new QName(namespace, SPConstants.SCOPE_POLICY_15));
        }
        if (trust13.isMustSupportInteractiveChallenge()) {
            assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_INTERACTIVE_CHALLENGE));
        }
    }
}

Example 43 with AssertionInfoMap

use of org.apache.cxf.ws.policy.AssertionInfoMap in project cxf by apache.

Class PolicyBasedWSS4JInInterceptor, method computeAction.

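/**
 * Derives the WSS4J "action" string for the inbound message from the WS-SecurityPolicy
 * assertions attached to it, and pre-asserts the policy alternatives that later validation
 * can only un-assert.
 *
 * <p>Order matters: the configured action (empty when absent) is refined by the WSS 1.1,
 * asymmetric, symmetric and transport/default binding checks before being stored back under
 * {@code ConfigurationConstants.ACTION}. When the message carries no
 * {@code AssertionInfoMap} nothing is done and the configured action is left untouched.
 *
 * @param message the inbound SOAP message carrying the {@code AssertionInfoMap}
 * @param data    WSS4J request data handed to the binding checks
 * @throws WSSecurityException propagated from the binding checks
 */
@Override
protected void computeAction(SoapMessage message, RequestData data) throws WSSecurityException {
    String action = getString(ConfigurationConstants.ACTION, message);
    if (action == null) {
        action = "";
    }
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    if (aim == null) {
        // No policy attached: the configured action is used as-is and nothing is asserted.
        return;
    }

    // things that DO impact setup
    handleWSS11(aim, message);
    action = checkAsymmetricBinding(aim, action, message, data);
    action = checkSymmetricBinding(aim, action, message, data);
    Collection<AssertionInfo> transportAis = aim.get(SP12Constants.TRANSPORT_BINDING);
    if ("".equals(action) || (transportAis != null && !transportAis.isEmpty())) {
        action = checkDefaultBinding(action, message, data);
    }

    applyConfiguredSignatureAlgorithms(aim, message);
    checkUsernameToken(aim, message);

    // stuff we can default to asserted and un-assert if a condition isn't met
    PolicyUtils.assertPolicy(aim, SPConstants.KEY_VALUE_TOKEN);
    PolicyUtils.assertPolicy(aim, SPConstants.RSA_KEY_VALUE);
    assertWss10Alternatives(aim);
    assertTrustAlternatives(aim);

    message.put(ConfigurationConstants.ACTION, action.trim());
}

/**
 * Pushes a configured asymmetric and/or symmetric signature algorithm into every
 * {@code AlgorithmSuite} assertion, overriding what the suite would otherwise mandate.
 *
 * <p>The values are read from the message's contextual properties
 * ({@code SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM} /
 * {@code SYMMETRIC_SIGNATURE_ALGORITHM}), i.e. deployment configuration rather than request
 * content. NOTE(review): confirm they are never populated from inbound data, since they change
 * which signature algorithm the policy accepts.
 *
 * @param aim     the policy map whose AlgorithmSuite assertions are adjusted
 * @param message the message whose contextual properties supply the overrides
 */
private static void applyConfiguredSignatureAlgorithms(AssertionInfoMap aim, SoapMessage message) {
    String asymSignatureAlgorithm =
        (String) message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
    String symSignatureAlgorithm =
        (String) message.getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
    if (asymSignatureAlgorithm == null && symSignatureAlgorithm == null) {
        return;
    }
    // Iterating an empty collection is a no-op, so no explicit isEmpty() guard is needed.
    for (AssertionInfo algorithmSuite : PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE)) {
        AlgorithmSuite algSuite = (AlgorithmSuite) algorithmSuite.getAssertion();
        if (asymSignatureAlgorithm != null) {
            algSuite.getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
        }
        if (symSignatureAlgorithm != null) {
            algSuite.getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
        }
    }
}

/**
 * Asserts every WSS10 assertion and the four key-reference properties that are asserted
 * unconditionally alongside it. Does nothing when the policy has no WSS10 assertion.
 *
 * @param aim the policy map to update
 */
private static void assertWss10Alternatives(AssertionInfoMap aim) {
    Collection<AssertionInfo> wss10Ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS10);
    if (wss10Ais.isEmpty()) {
        return;
    }
    for (AssertionInfo ai : wss10Ais) {
        ai.setAsserted(true);
    }
    PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
    PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
    PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
    PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
}

/**
 * Asserts the Trust10 and Trust13 assertions together with the properties that are asserted
 * unconditionally for each. The five properties shared by both versions are asserted once:
 * with Trust10 when present, otherwise with Trust13.
 *
 * @param aim the policy map to update
 */
private static void assertTrustAlternatives(AssertionInfoMap aim) {
    // Trust 1.0
    Collection<AssertionInfo> trust10Ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
    boolean trust10Asserted = !trust10Ais.isEmpty();
    if (trust10Asserted) {
        for (AssertionInfo ai : trust10Ais) {
            ai.setAsserted(true);
        }
        assertCommonTrustProperties(aim);
    }

    // Trust 1.3
    Collection<AssertionInfo> trust13Ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
    if (trust13Ais.isEmpty()) {
        return;
    }
    for (AssertionInfo ai : trust13Ais) {
        ai.setAsserted(true);
    }
    PolicyUtils.assertPolicy(aim, SP12Constants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION);
    PolicyUtils.assertPolicy(aim, SP12Constants.REQUIRE_APPLIES_TO);
    PolicyUtils.assertPolicy(aim, SP13Constants.SCOPE_POLICY_15);
    PolicyUtils.assertPolicy(aim, SP13Constants.MUST_SUPPORT_INTERACTIVE_CHALLENGE);
    if (!trust10Asserted) {
        assertCommonTrustProperties(aim);
    }
}

/**
 * Asserts the challenge, entropy and issued-token properties common to Trust10 and Trust13.
 *
 * @param aim the policy map to update
 */
private static void assertCommonTrustProperties(AssertionInfoMap aim) {
    PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE);
    PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE);
    PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_ENTROPY);
    PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_SERVER_ENTROPY);
    PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_ISSUED_TOKENS);
}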

Example 44 with AssertionInfoMap

use of org.apache.cxf.ws.policy.AssertionInfoMap in project cxf by apache.

Class PolicyBasedWSS4JInInterceptor, method doResults.

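/**
 * Validates the processed WS-Security results against the message's WS-SecurityPolicy
 * assertions, then delegates to the superclass for the generic WSS4J result handling.
 *
 * <p>The signed and encrypted {@code WSDataRef}s are collected from the engine results and
 * reconciled through {@code CryptoCoverageUtil.reconcileEncryptedSignedRefs}; they are bundled
 * into a {@code PolicyValidatorParameters} together with the username-token, SAML and
 * timestamp results, and every assertion whose {@code QName} has a registered
 * {@code SecurityPolicyValidator} is validated against those parameters.
 *
 * @param msg             the inbound message carrying the {@code AssertionInfoMap}
 * @param actor           the WS-Security actor/role the results belong to
 * @param soapHeader      the SOAP header element
 * @param soapBody        the SOAP body element
 * @param results         WSS4J handler results for this actor
 * @param utWithCallbacks whether UsernameToken processing used callbacks
 * @throws SOAPException       as declared; may be raised by the superclass
 * @throws XMLStreamException  as declared; may be raised by the superclass
 * @throws WSSecurityException as declared; may be raised by a validator or the superclass
 */
@Override
protected void doResults(SoapMessage msg, String actor, Element soapHeader, Element soapBody, WSHandlerResult results, boolean utWithCallbacks) throws SOAPException, XMLStreamException, WSSecurityException {
    //
    // Pre-fetch various results
    //
    List<WSSecurityEngineResult> signedResults =
        gatherActionResults(results, WSConstants.SIGN, WSConstants.UT_SIGN, WSConstants.ST_SIGNED);
    Collection<WSDataRef> signed = extractDataRefs(signedResults);

    // Deliberately left nullable: validators receive it as-is via setEncryptedResults.
    List<WSSecurityEngineResult> encryptResults = results.getActionResults().get(WSConstants.ENCR);
    Collection<WSDataRef> encrypted = extractDataRefs(encryptResults);
    CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encrypted);

    //
    // Check policies
    //
    PolicyValidatorParameters parameters = new PolicyValidatorParameters();
    AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
    parameters.setAssertionInfoMap(aim);
    parameters.setMessage(msg);
    parameters.setSoapBody(soapBody);
    parameters.setSoapHeader(soapHeader);
    parameters.setResults(results);
    parameters.setSignedResults(signedResults);
    parameters.setEncryptedResults(encryptResults);
    parameters.setUtWithCallbacks(utWithCallbacks);
    parameters.setSigned(signed);
    parameters.setEncrypted(encrypted);
    parameters.setUsernameTokenResults(
        gatherActionResults(results, WSConstants.UT, WSConstants.UT_NOPASSWORD));
    parameters.setSamlResults(
        gatherActionResults(results, WSConstants.ST_SIGNED, WSConstants.ST_UNSIGNED));

    // Store the timestamp element
    parameters.setTimestampElement(findTimestampElement(results));

    // Validate security policies
    Map<QName, SecurityPolicyValidator> validators = ValidatorUtils.getSecurityPolicyValidators(msg);
    for (Map.Entry<QName, Collection<AssertionInfo>> entry : aim.entrySet()) {
        // Only assertions with a registered validator are checked here; the rest are
        // left to whatever asserted/un-asserted state earlier processing gave them.
        SecurityPolicyValidator validator = validators.get(entry.getKey());
        if (validator != null) {
            validator.validatePolicies(parameters, entry.getValue());
        }
    }
    super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);
}

/**
 * Concatenates the engine results recorded for the given WSS4J actions, in the order given.
 * Actions with no recorded results are skipped.
 *
 * @param results the handler results to read from
 * @param actions the {@code WSConstants} action codes to gather
 * @return a new, mutable list; never null
 */
private static List<WSSecurityEngineResult> gatherActionResults(WSHandlerResult results, int... actions) {
    List<WSSecurityEngineResult> gathered = new ArrayList<>();
    for (int action : actions) {
        List<WSSecurityEngineResult> forAction = results.getActionResults().get(action);
        if (forAction != null) {
            gathered.addAll(forAction);
        }
    }
    return gathered;
}

/**
 * Collects the {@code WSDataRef}s ({@code TAG_DATA_REF_URIS}) of every result into one set.
 *
 * @param engineResults the results to scan; may be null
 * @return a new, mutable set; empty when {@code engineResults} is null or has no refs
 */
private static Collection<WSDataRef> extractDataRefs(List<WSSecurityEngineResult> engineResults) {
    Collection<WSDataRef> refs = new HashSet<>();
    if (engineResults == null) {
        return refs;
    }
    for (WSSecurityEngineResult result : engineResults) {
        List<WSDataRef> dataRefs = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (dataRefs != null) {
            refs.addAll(dataRefs);
        }
    }
    return refs;
}

/**
 * Returns the DOM element of the first processed Timestamp, or null when no timestamp result
 * is present. An empty result list or a result without {@code TAG_TIMESTAMP} also yields null
 * rather than an exception, leaving the "no timestamp" decision to the policy validators.
 *
 * @param results the handler results to read from
 * @return the timestamp element, or null
 */
private static Element findTimestampElement(WSHandlerResult results) {
    List<WSSecurityEngineResult> tsResults = results.getActionResults().get(WSConstants.TS);
    if (tsResults == null || tsResults.isEmpty()) {
        return null;
    }
    Timestamp ts = (Timestamp) tsResults.get(0).get(WSSecurityEngineResult.TAG_TIMESTAMP);
    return ts == null ? null : ts.getElement();
}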

Example 45 with AssertionInfoMap

use of org.apache.cxf.ws.policy.AssertionInfoMap in project cxf by apache.

Class PolicyBasedWSS4JStaxInInterceptor, method configureProperties.

/**
 * Configures the StAX inbound security properties from the message's WS-SecurityPolicy
 * assertions: the asymmetric, symmetric and transport binding checks run first, then any
 * signature-algorithm override configured on the message is pushed into every
 * {@code AlgorithmSuite} assertion, and finally the superclass configuration is applied.
 *
 * <p>The override values are read from contextual properties
 * ({@code SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM} /
 * {@code SYMMETRIC_SIGNATURE_ALGORITHM}), i.e. deployment configuration rather than request
 * content. NOTE(review): worth confirming they cannot be set from inbound data, since they
 * change which signature algorithm the policy accepts.
 *
 * @param msg                the inbound message holding the {@code AssertionInfoMap}
 * @param securityProperties the WSS4J StAX properties being populated
 * @throws XMLSecurityException as declared; may be raised by the binding checks or the superclass
 */
@Override
protected void configureProperties(SoapMessage msg, WSSSecurityProperties securityProperties) throws XMLSecurityException {
    AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
    checkAsymmetricBinding(aim, msg, securityProperties);
    checkSymmetricBinding(aim, msg, securityProperties);
    checkTransportBinding(aim, msg, securityProperties);

    // Allow for setting non-standard signature algorithms
    String asymOverride = (String) msg.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
    String symOverride = (String) msg.getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
    boolean hasOverride = asymOverride != null || symOverride != null;
    // The policy map is only consulted when there is something to apply.
    Collection<AssertionInfo> suiteInfos = hasOverride ? aim.get(SP12Constants.ALGORITHM_SUITE) : null;
    if (suiteInfos != null) {
        for (AssertionInfo suiteInfo : suiteInfos) {
            AlgorithmSuite suite = (AlgorithmSuite) suiteInfo.getAssertion();
            if (asymOverride != null) {
                suite.getAlgorithmSuiteType().setAsymmetricSignature(asymOverride);
            }
            if (symOverride != null) {
                suite.getAlgorithmSuiteType().setSymmetricSignature(symOverride);
            }
        }
    }

    super.configureProperties(msg, securityProperties);
}
