
Example 16 with SecurityToken

use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project ddf by codice.

Class UPBSTValidator, method validateToken.

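/**
 * Validates a username/password BinarySecurityToken (UPBST) against the token store and the
 * configured realm validators.
 *
 * <p>The received token starts out {@code INVALID} and is only switched to {@code VALID} when a
 * token-store entry with a matching hash exists or one of the realm {@link Validator}s accepts
 * the credential. Tokens that are not binary security tokens, use an unexpected encoding, cannot
 * be decoded or marshalled, or carry no password are returned as {@code INVALID} without
 * consulting the failed-login delayer; every other non-VALID outcome is reported to it.
 *
 * @param tokenParameters STS validation parameters carrying the received token, the STS
 *     properties (signature crypto, callback handler) and an optional token store
 * @return a {@link TokenValidatorResponse} wrapping the received token with its state set; the
 *     principal is taken from the parsed token name regardless of the validation outcome
 * @throws IllegalStateException if the XML parser or the failed-login delayer has not been set
 */
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    LOGGER.trace("Validating UPBST Token");
    if (parser == null) {
        throw new IllegalStateException("XMLParser must be configured.");
    }
    if (failedLoginDelayer == null) {
        throw new IllegalStateException("Failed Login Delayer must be configured");
    }
    STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
    Crypto sigCrypto = stsProperties.getSignatureCrypto();
    CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
    RequestData requestData = new RequestData();
    requestData.setSigVerCrypto(sigCrypto);
    requestData.setWssConfig(WSSConfig.getNewInstance());
    requestData.setCallbackHandler(callbackHandler);
    // Pessimistic default: the token is INVALID until something below proves otherwise.
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    validateTarget.setState(STATE.INVALID);
    response.setToken(validateTarget);
    if (!validateTarget.isBinarySecurityToken()) {
        return response;
    }
    BinarySecurityTokenType binarySecurityType = (BinarySecurityTokenType) validateTarget.getToken();
    // Test the encoding type
    String encodingType = binarySecurityType.getEncodingType();
    if (!UPAuthenticationToken.BASE64_ENCODING.equals(encodingType)) {
        LOGGER.trace("Bad encoding type attribute specified: {}", encodingType);
        return response;
    }
    UPAuthenticationToken usernameToken = getUsernameTokenFromTarget(validateTarget);
    if (usernameToken == null) {
        return response;
    }
    UsernameTokenType usernameTokenType = getUsernameTokenType(usernameToken);
    // Marshal the received JAXB object into a DOM Element so WSS4J's UsernameToken can parse it
    JAXBElement<UsernameTokenType> tokenType = new JAXBElement<>(QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameTokenType);
    Document doc = DOMUtils.createDocument();
    Element rootElement = doc.createElement("root-element");
    List<String> ctxPath = new ArrayList<>(1);
    ctxPath.add(UsernameTokenType.class.getPackage().getName());
    ParserConfigurator configurator = parser.configureParser(ctxPath, UPBSTValidator.class.getClassLoader());
    try {
        parser.marshal(configurator, tokenType, rootElement);
    } catch (ParserException ex) {
        LOGGER.info("Unable to parse username token", ex);
        return response;
    }
    Element usernameTokenElement = (Element) rootElement.getFirstChild();
    //
    // Validate the token
    //
    try {
        boolean allowNamespaceQualifiedPasswordTypes = requestData.isAllowNamespaceQualifiedPasswordTypes();
        UsernameToken ut = new UsernameToken(usernameTokenElement, allowNamespaceQualifiedPasswordTypes, new BSPEnforcer());
        // The parsed principal is set independent whether validation is successful or not
        response.setPrincipal(new CustomTokenPrincipal(ut.getName()));
        if (ut.getPassword() == null) {
            return response;
        }
        // Cache key for the token store: String.hashCode() of "username:password:realm".
        // NOTE(review): the clear-text password is folded into this String, and a store hit whose
        // tokenHash matches is taken as proof of an earlier successful validation, so the cache is
        // only as collision-resistant as the 32-bit String.hashCode(). The identifier scheme is
        // part of the token-store contract, so it is kept as-is here.
        String tokenId = String.format("%s:%s:%s", usernameToken.getUsername(), usernameToken.getPassword(), usernameToken.getRealm());
        // See if the UsernameToken is stored in the cache
        int hash = tokenId.hashCode();
        SecurityToken secToken = null;
        if (tokenParameters.getTokenStore() != null) {
            secToken = tokenParameters.getTokenStore().getToken(Integer.toString(hash));
            if (secToken != null && secToken.getTokenHash() != hash) {
                // An entry under our identifier whose hash does not match is discarded and the
                // credential is re-validated below.
                secToken = null;
            } else if (secToken != null) {
                validateTarget.setState(STATE.VALID);
            }
        }
        if (secToken == null) {
            Credential credential = new Credential();
            credential.setUsernametoken(ut);
            // A concrete realm (anything but "*") is checked against that realm's validator only;
            // otherwise the first validator that accepts the credential wins.
            if (usernameToken.getRealm() != null && !"*".equals(usernameToken.getRealm())) {
                Validator validator = validators.get(usernameToken.getRealm());
                if (validator != null) {
                    try {
                        validator.validate(credential, requestData);
                        validateTarget.setState(STATE.VALID);
                        LOGGER.debug("Validated user against realm {}", usernameToken.getRealm());
                    } catch (WSSecurityException ex) {
                        LOGGER.debug("Not able to validate user against realm {}", usernameToken.getRealm());
                    }
                }
            } else {
                Set<Map.Entry<String, Validator>> entries = validators.entrySet();
                for (Map.Entry<String, Validator> entry : entries) {
                    try {
                        entry.getValue().validate(credential, requestData);
                        validateTarget.setState(STATE.VALID);
                        LOGGER.debug("Validated user against realm {}", entry.getKey());
                        break;
                    } catch (WSSecurityException ex) {
                        LOGGER.debug("Not able to validate user against realm {}", entry.getKey());
                    }
                }
            }
        }
        Principal principal = createPrincipal(ut.getName(), ut.getPassword(), ut.getPasswordType(), ut.getNonce(), ut.getCreated());
        // Store the successfully validated token in the cache
        if (tokenParameters.getTokenStore() != null && secToken == null && STATE.VALID.equals(validateTarget.getState())) {
            secToken = new SecurityToken(ut.getID());
            secToken.setToken(ut.getElement());
            int hashCode = tokenId.hashCode();
            String identifier = Integer.toString(hashCode);
            secToken.setTokenHash(hashCode);
            tokenParameters.getTokenStore().add(identifier, secToken);
        }
        response.setPrincipal(principal);
        response.setTokenRealm(null);
        validateTarget.setPrincipal(principal);
    } catch (WSSecurityException ex) {
        LOGGER.debug("Unable to validate token.", ex);
    }
    if (response.getToken().getState() != STATE.VALID) {
        // setPrincipal(...) on the received token only runs at the very end of the try block, so a
        // WSSecurityException thrown earlier (e.g. by the UsernameToken constructor) leaves it
        // null. Fall back to the response principal (set right after parsing) and then to the
        // username from the decoded token instead of dereferencing null here.
        Principal failedPrincipal = response.getToken().getPrincipal();
        if (failedPrincipal == null) {
            failedPrincipal = response.getPrincipal();
        }
        String failedName = failedPrincipal != null ? failedPrincipal.getName() : usernameToken.getUsername();
        failedLoginDelayer.delay(failedName);
    }
    return response;
}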

Example 17 with SecurityToken

use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project ddf by codice.

Class UPBSTValidatorTest, method testValidateBadTokenCache.

@Test
public void testValidateBadTokenCache() {
    // A token store that always returns an entry whose stored hash is not expected to match the
    // hash the validator derives from the received token. The validator should therefore treat
    // the entry as a miss, fall through to the realm validator (presumably configured to reject)
    // and report the failed login.
    TokenStore mismatchedStore = new TokenStore() {

        @Override
        public void add(SecurityToken token) {
            // not exercised by this test
        }

        @Override
        public void add(String identifier, SecurityToken token) {
            // not exercised by this test
        }

        @Override
        public void remove(String identifier) {
            // not exercised by this test
        }

        @Override
        public Collection<String> getTokenIdentifiers() {
            return null;
        }

        @Override
        public SecurityToken getToken(String identifier) {
            SecurityToken staleToken = new SecurityToken();
            staleToken.setTokenHash(-1432225336);
            return staleToken;
        }
    };

    UPBSTValidator validator = getUpbstValidator(new XmlParser(), meanValidator);
    validator.addRealm(null);

    TokenValidatorParameters params = new TokenValidatorParameters();
    params.setTokenStore(mismatchedStore);
    params.setToken(new ReceivedToken(upbstToken));
    params.setStsProperties(stsPropertiesMBean);

    TokenValidatorResponse response = validator.validateToken(params);

    Assert.assertEquals(ReceivedToken.STATE.INVALID, response.getToken().getState());
    verify(failedLoginDelayer, times(1)).delay(anyString());
}

Example 18 with SecurityToken

use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project ddf by codice.

Class GuestInterceptor, method internalHandleMessage.

private void internalHandleMessage(SoapMessage message, SOAPMessage soapMessage) throws Fault {
    // Only requests without a WS-Security header are handled here; anything else is left to the
    // regular WSS4J interceptors untouched.
    String actor = (String) getOption(WSHandlerConstants.ACTOR);
    if (actor == null) {
        actor = (String) message.getContextualProperty(SecurityConstants.ACTOR);
    }

    Element securityHeader = null;
    try {
        LOGGER.debug("Checking for security header.");
        securityHeader = WSSecurityUtil.getSecurityHeader(soapMessage.getSOAPPart(), actor);
    } catch (WSSecurityException e) {
        // A header we cannot read is treated the same as no header at all.
        LOGGER.debug("Issue with getting security header", e);
    }
    if (securityHeader != null) {
        LOGGER.debug("SOAP message contains security header, no action taken by the GuestInterceptor.");
        return;
    }
    LOGGER.debug("Current request has no security header, continuing with GuestInterceptor");

    // NOTE(review): the AssertionInfoMap is dereferenced without a null check — confirm this
    // interceptor is only wired into policy-enabled endpoints.
    AssertionInfoMap assertionInfoMap = message.get(AssertionInfoMap.class);
    boolean addressingRequired = assertionInfoMap.entrySet().stream()
            .flatMap(entry -> entry.getValue().stream())
            .anyMatch(info -> MetadataConstants.ADDRESSING_ASSERTION_QNAME.equals(info.getAssertion().getName()));
    if (addressingRequired) {
        createAddressing(message, soapMessage);
    }

    LOGGER.debug("Creating guest security token.");
    // NOTE(review): the guest token is keyed by the transport-level remote address; behind a
    // reverse proxy this is the proxy's address, and the HTTP request object is assumed to be
    // present (non-HTTP transports would fail here) — confirm both against the deployment.
    HttpServletRequest request = (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
    SecurityToken guestToken = createSecurityToken(request.getRemoteAddr());
    message.put(SecurityConstants.TOKEN, guestToken);

    // The outbound WSS4J interceptor only builds a security header for requestor-side messages,
    // so temporarily flag the message as such when it is not already one.
    if (MessageUtils.isRequestor(message)) {
        policyBasedWss4jOutInterceptor.handleMessage(message);
        return;
    }
    try {
        message.put(Message.REQUESTOR_ROLE, true);
        policyBasedWss4jOutInterceptor.handleMessage(message);
    } finally {
        message.remove(Message.REQUESTOR_ROLE);
    }
}

Example 19 with SecurityToken

use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project ddf by codice.

Class GuestInterceptor, method createSecurityToken.

private SecurityToken createSecurityToken(String ipAddress) {
    // Resolve a guest Subject for the caller's address and lift its SecurityAssertion's token;
    // any missing link in that chain yields null (logged at INFO where there is something to say).
    Subject subject = getSubject(ipAddress);
    LOGGER.trace("Attempting to create Security token.");
    if (subject == null) {
        return null;
    }
    PrincipalCollection principals = subject.getPrincipals();
    if (principals == null) {
        LOGGER.info("Subject did not contain any principals, could not create security token.");
        return null;
    }
    SecurityAssertion assertion = principals.oneByType(SecurityAssertion.class);
    if (assertion == null) {
        LOGGER.info("Subject did not contain a security assertion, could not add assertion to the security header.");
        return null;
    }
    return assertion.getSecurityToken();
}

Example 20 with SecurityToken

use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project ddf by codice.

Class TestPepInterceptorActions, method testMessageWithMessageAction.

@Test
public void testMessageWithMessageAction() throws SecurityServiceException {
    // The wsaw:Action attribute on the operation's MessageInfo must become the action of the
    // CollectionPermission the interceptor asks the Subject about.
    String expectedAction = "urn:catalog:query:query-port:search";
    QName actionAttribute = new QName(Names.WSA_NAMESPACE_WSDL_METADATA, Names.WSAW_ACTION_NAME);

    PEPAuthorizingInterceptor interceptor = new PEPAuthorizingInterceptor();
    SecurityManager securityManager = mock(SecurityManager.class);
    interceptor.setSecurityManager(securityManager);

    Message message = mock(Message.class);
    SecurityAssertion assertion = mock(SecurityAssertion.class);
    SecurityToken token = mock(SecurityToken.class);
    Subject subject = mock(Subject.class);
    assertNotNull(assertion);

    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(message)).thenReturn(assertion);
    // SecurityLogger is already stubbed out
    when(assertion.getSecurityToken()).thenReturn(token);
    when(token.getToken()).thenReturn(null);
    when(securityManager.getSubject(token)).thenReturn(subject);

    MessageInfo messageInfo = mock(MessageInfo.class);
    when(message.get(MessageInfo.class.getName())).thenReturn(messageInfo);
    when(messageInfo.getExtensionAttribute(actionAttribute)).thenReturn(expectedAction);

    doAnswer(invocation -> {
        CollectionPermission permission = (CollectionPermission) invocation.getArguments()[0];
        assertEquals(expectedAction, permission.getAction());
        return true;
    }).when(subject).isPermitted(isA(CollectionPermission.class));

    // This should work.
    interceptor.handleMessage(message);
    PowerMockito.verifyStatic();
}
