
Example 11 with TokenStoreException

Use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in the Apache CXF project.

Class WSS4JStaxOutInterceptor, method configureSecurityEventListener.

/**
 * Installs the outbound security-event listener for this message.
 * <p>
 * A fresh event list is registered on both the exchange and the message under the key
 * {@code SecurityEvent.class.getName() + ".out"}; the inbound interceptor reads that list from
 * the exchange for Signature Confirmation. The returned listener stores streaming SAML tokens
 * through {@code WSS4JUtils.parseAndStoreStreamingSecurityToken} and appends SignatureValue
 * events to the list.
 *
 * @param msg the outbound SOAP message
 * @param securityProperties the WSS4J security properties (not consulted by this implementation)
 * @return the listener to register with the outbound WSSec configuration
 * @throws WSSPolicyException never thrown here; part of the signature for overriding implementations
 */
protected SecurityEventListener configureSecurityEventListener(final SoapMessage msg,
                                                                WSSSecurityProperties securityProperties)
    throws WSSPolicyException {
    final String eventListKey = SecurityEvent.class.getName() + ".out";
    final List<SecurityEvent> outboundEvents = new LinkedList<>();
    msg.getExchange().put(eventListKey, outboundEvents);
    msg.put(eventListKey, outboundEvents);

    return securityEvent -> {
        if (securityEvent.getSecurityEventType() == WSSecurityEventConstants.SAML_TOKEN) {
            // Store SAML keys in case we need them on the inbound side
            final TokenSecurityEvent<?> tokenEvent = (TokenSecurityEvent<?>) securityEvent;
            try {
                WSS4JUtils.parseAndStoreStreamingSecurityToken(tokenEvent.getSecurityToken(), msg);
            } catch (TokenStoreException e) {
                throw new XMLSecurityException(e);
            }
            return;
        }
        if (securityEvent.getSecurityEventType() == WSSecurityEventConstants.SignatureValue) {
            // Required for Signature Confirmation
            outboundEvents.add(securityEvent);
        }
    };
}

Example 12 with TokenStoreException

Use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in the Apache CXF project.

Class WSS4JStaxInInterceptor, method handleMessage.

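/**
 * Sets up streaming WS-Security processing for an inbound SOAP message.
 * <p>
 * Builds the WSS4J {@link WSSSecurityProperties} for this message, wraps the message's
 * {@link XMLStreamReader} with the WSS4J inbound security reader and marks the message with
 * {@code SECURITY_PROCESSED}. Nothing is verified here: the actual security processing happens
 * lazily while the wrapped reader is consumed, so security failures surface later as wrapped
 * {@link XMLStreamException}s (see the comment at the end of the {@code try} block).
 *
 * @param soapMessage the inbound message; skipped when already processed or when it is a GET
 * @throws Fault as a {@link SoapFault} when the security setup itself fails
 */
@Override
public void handleMessage(SoapMessage soapMessage) throws Fault {
    if (soapMessage.containsKey(SECURITY_PROCESSED) || isGET(soapMessage)) {
        return;
    }
    soapMessage.getInterceptorChain().add(new StaxStartBodyInterceptor());
    XMLStreamReader originalXmlStreamReader = soapMessage.getContent(XMLStreamReader.class);
    XMLStreamReader newXmlStreamReader;
    soapMessage.getInterceptorChain().add(new StaxSecurityContextInInterceptor());
    try {
        // Events recorded by the outbound side of this exchange; needed for Signature Confirmation
        @SuppressWarnings("unchecked")
        List<SecurityEvent> requestSecurityEvents =
            (List<SecurityEvent>) soapMessage.getExchange().get(SecurityEvent.class.getName() + ".out");

        WSSSecurityProperties secProps = createSecurityProperties();
        secProps.setDocumentCreator(DOMUtils::createDocument);
        translateProperties(soapMessage, secProps);
        configureCallbackHandler(soapMessage, secProps);
        configureProperties(soapMessage, secProps);
        if (secProps.getActions() != null && !secProps.getActions().isEmpty()) {
            soapMessage.getInterceptorChain().add(new StaxActionInInterceptor(secProps.getActions()));
        }
        if (secProps.getAttachmentCallbackHandler() == null) {
            secProps.setAttachmentCallbackHandler(new AttachmentCallbackHandler(soapMessage));
        }
        // Wrap the configured handler so callbacks can also be answered from the TokenStore
        final TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(
            secProps.getCallbackHandler(), TokenStoreUtils.getTokenStore(soapMessage));
        secProps.setCallbackHandler(callbackHandler);
        setTokenValidators(secProps, soapMessage);
        secProps.setMsgContext(soapMessage);

        final List<SecurityEventListener> securityEventListeners =
            configureSecurityEventListeners(soapMessage, secProps);
        boolean returnSecurityError =
            MessageUtils.getContextualBoolean(soapMessage, SecurityConstants.RETURN_SECURITY_ERROR, false);
        final InboundWSSec inboundWSSec =
            WSSec.getInboundWSSec(secProps, MessageUtils.isRequestor(soapMessage), returnSecurityError);
        newXmlStreamReader = inboundWSSec.processInMessage(
            originalXmlStreamReader, requestSecurityEvents, securityEventListeners);

        final Object provider = soapMessage.getExchange().get(Provider.class);
        if (provider != null && ThreadLocalSecurityProvider.isInstalled()) {
            // Make the exchange's JCA Provider visible to the crypto code that runs while the stream is pulled
            newXmlStreamReader = new StreamReaderDelegate(newXmlStreamReader) {

                // NOTE(review): only next() is wrapped. StreamReaderDelegate forwards nextTag() and the
                // other cursor methods straight to the wrapped reader, so the provider is not installed
                // on those paths — confirm that downstream consumers advance the reader via next() only.
                @Override
                public int next() throws XMLStreamException {
                    try {
                        ThreadLocalSecurityProvider.setProvider((Provider) provider);
                        return super.next();
                    } finally {
                        ThreadLocalSecurityProvider.unsetProvider();
                    }
                }
            };
        }
        soapMessage.setContent(XMLStreamReader.class, newXmlStreamReader);
        // Warning: The exceptions which can occur here are not security relevant exceptions
        // but configuration-errors. To catch security relevant exceptions you have to catch
        // them e.g.in the FaultOutInterceptor. Why? Because we do streaming security. This
        // interceptor doesn't handle the ws-security stuff but just setup the relevant stuff
        // for it. Exceptions will be thrown as a wrapped XMLStreamException during further
        // processing in the WS-Stack.
        soapMessage.put(SECURITY_PROCESSED, Boolean.TRUE);
    } catch (WSSecurityException e) {
        // Caught ahead of XMLSecurityException (which it specialises) so the dedicated fault mapping wins
        throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), e);
    } catch (XMLSecurityException | TokenStoreException | XMLStreamException e) {
        // All three were mapped to the same generic STAX_EX fault; one multi-catch instead of two copies
        throw new SoapFault(new Message("STAX_EX", LOG), e, soapMessage.getVersion().getSender());
    } catch (WSSPolicyException e) {
        throw new SoapFault(e.getMessage(), e, soapMessage.getVersion().getSender());
    }
}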

Example 13 with TokenStoreException

Use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in the Apache CXF project.

Class WSS4JInInterceptor, method getCallback.

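/**
 * Resolves the password {@link CallbackHandler} to use for this request.
 * <p>
 * Resolution order: the {@code SecurityConstants.CALLBACK_HANDLER} property, then the password
 * callback handler from the request data, then — only when both {@code SIGNATURE_USERNAME} and
 * {@code SIGNATURE_PASSWORD} are configured — an ad-hoc handler that answers DECRYPT callbacks
 * for that user. Whenever the exchange has an endpoint with endpoint info, the result is wrapped
 * in a {@link TokenStoreCallbackHandler} so that stored security tokens can satisfy callbacks too.
 *
 * @param reqData the WSS4J request data; its message context must be a {@link SoapMessage}
 * @return the handler to hand to WSS4J, or {@code null} when none could be resolved and no
 *         endpoint is available to supply a token store
 * @throws WSSecurityException if the configured handler cannot be instantiated, or if the
 *         password callback handler lookup fails and no endpoint token store is available
 * @throws TokenStoreException if the endpoint's token store cannot be obtained
 */
protected CallbackHandler getCallback(RequestData reqData) throws WSSecurityException, TokenStoreException {
    final SoapMessage msg = (SoapMessage) reqData.getMsgContext();
    Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, msg);
    CallbackHandler cbHandler;
    try {
        cbHandler = SecurityUtils.getCallbackHandler(o);
    } catch (Exception ex) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
    }
    if (cbHandler == null) {
        try {
            cbHandler = getPasswordCallbackHandler(reqData);
        } catch (WSSecurityException sec) {
            // No password handler could be built; a token-store-only handler still works when an endpoint exists
            CallbackHandler storeOnly = wrapWithTokenStore(null, msg);
            if (storeOnly != null) {
                return storeOnly;
            }
            throw sec;
        }
    }
    // Defer to SecurityConstants.SIGNATURE_PASSWORD for decryption if no callback handler is defined
    if (cbHandler == null) {
        final String signatureUser =
            (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_USERNAME, msg);
        final String password =
            (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PASSWORD, msg);
        if (!(StringUtils.isEmpty(signatureUser) || StringUtils.isEmpty(password))) {
            cbHandler = decryptPasswordHandler(signatureUser, password);
        }
    }
    CallbackHandler wrapped = wrapWithTokenStore(cbHandler, msg);
    return wrapped != null ? wrapped : cbHandler;
}

/**
 * Wraps {@code delegate} in a {@link TokenStoreCallbackHandler} backed by the endpoint's token store.
 *
 * @param delegate the handler to consult first; may be {@code null}
 * @param msg the message whose exchange endpoint provides the token store
 * @return the wrapping handler, or {@code null} when the exchange has no endpoint or no endpoint info
 * @throws TokenStoreException if the token store cannot be obtained
 */
private static CallbackHandler wrapWithTokenStore(CallbackHandler delegate, SoapMessage msg)
    throws TokenStoreException {
    Endpoint ep = msg.getExchange().getEndpoint();
    if (ep == null || ep.getEndpointInfo() == null) {
        return null;
    }
    TokenStore store = TokenStoreUtils.getTokenStore(msg);
    return new TokenStoreCallbackHandler(delegate, store);
}

/**
 * Builds a handler that supplies {@code password} for DECRYPT callbacks whose identifier equals
 * {@code signatureUser}. Any callback that is not a {@link WSPasswordCallback} is rejected with
 * {@link UnsupportedCallbackException}, as the CallbackHandler contract expects, rather than
 * failing with a ClassCastException.
 */
private static CallbackHandler decryptPasswordHandler(final String signatureUser, final String password) {
    return callbacks -> {
        for (Callback c : callbacks) {
            if (!(c instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(c, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pwCallback = (WSPasswordCallback) c;
            if (WSPasswordCallback.DECRYPT == pwCallback.getUsage()
                && signatureUser.equals(pwCallback.getIdentifier())) {
                pwCallback.setPassword(password);
            }
        }
    };
}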

Example 14 with TokenStoreException

Use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in the Apache CXF project.

Class AbstractBindingBuilder, method addSamlToken.

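/**
 * Builds (or reuses) the SAML assertion required by {@code token}.
 * <p>
 * When no {@code SecurityConstants.SAML_CALLBACK_HANDLER} is configured, a previously obtained
 * {@link SecurityToken} is reused if its DOM element is a SAML {@code Assertion} of the version the
 * policy asks for. Otherwise the assertion is produced through the SAML callback handler and, if the
 * callback requests it, signed with the issuer key resolved from the callback or, failing that, from
 * {@code SIGNATURE_USERNAME} / {@code SIGNATURE_PASSWORD} (or the password callback) and the
 * signature Crypto.
 *
 * @param token the SamlToken policy assertion being satisfied
 * @return the assertion wrapper, or {@code null} when the token is not required for this message or
 *         no SAML callback handler is available (the policy is then un-asserted)
 * @throws WSSecurityException if the callback handler cannot be instantiated or the SAML callback fails
 * @throws TokenStoreException propagated from the security-token lookup
 */
protected SamlAssertionWrapper addSamlToken(SamlToken token) throws WSSecurityException, TokenStoreException {
    assertToken(token);
    if (!isTokenRequired(token.getIncludeTokenType())) {
        return null;
    }
    final SamlTokenType tokenType = token.getSamlTokenType();
    //
    // Get the SAML CallbackHandler
    //
    Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_CALLBACK_HANDLER, message);
    if (o == null) {
        // No callback handler configured: reuse an already-obtained assertion if it matches the policy
        SecurityToken securityToken = getSecurityToken();
        if (securityToken != null) {
            Element tokenElement = securityToken.getToken();
            // A stored token may carry no DOM element; fall through to the callback path instead of an NPE
            if (tokenElement != null && isRequestedAssertion(tokenType, tokenElement)) {
                return new SamlAssertionWrapper(tokenElement);
            }
        }
    }
    SAMLCallback samlCallback = new SAMLCallback();
    Version samlVersion = samlVersionFor(tokenType);
    if (samlVersion != null) {
        samlCallback.setSamlVersion(samlVersion);
    }
    try {
        CallbackHandler handler = SecurityUtils.getCallbackHandler(o);
        if (handler == null) {
            unassertPolicy(token, "No SAML CallbackHandler available");
            return null;
        }
        SAMLUtil.doSAMLCallback(handler, samlCallback);
    } catch (Exception ex) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
    }
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    if (samlCallback.isSignAssertion()) {
        // Issuer key name, password and Crypto each come from the callback first, then from message configuration
        String issuerName = samlCallback.getIssuerKeyName();
        if (issuerName == null) {
            issuerName = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_USERNAME, message);
        }
        String password = samlCallback.getIssuerKeyPassword();
        if (password == null) {
            password = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PASSWORD, message);
            if (StringUtils.isEmpty(password)) {
                password = getPassword(issuerName, token, WSPasswordCallback.SIGNATURE);
            }
        }
        Crypto crypto = samlCallback.getIssuerCrypto();
        if (crypto == null) {
            crypto = getSignatureCrypto();
        }
        assertion.signAssertion(issuerName, password, crypto, samlCallback.isSendKeyValue(),
                                samlCallback.getCanonicalizationAlgorithm(), samlCallback.getSignatureAlgorithm(),
                                samlCallback.getSignatureDigestAlgorithm());
    }
    return assertion;
}

/**
 * Whether {@code element} is a SAML {@code Assertion} in the namespace matching {@code tokenType}:
 * SAML 1.1 for the WssSamlV11 token types, SAML 2.0 for WssSamlV20Token11.
 */
private static boolean isRequestedAssertion(SamlTokenType tokenType, Element element) {
    if (!"Assertion".equals(element.getLocalName())) {
        return false;
    }
    String namespace = element.getNamespaceURI();
    if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) {
        return WSS4JConstants.SAML_NS.equals(namespace);
    }
    return tokenType == SamlTokenType.WssSamlV20Token11 && WSS4JConstants.SAML2_NS.equals(namespace);
}

/**
 * Maps the policy token type to the SAML version to request from the callback, or {@code null}
 * when the type is neither a SAML 1.1 nor a SAML 2.0 one (the callback's default is then kept).
 */
private static Version samlVersionFor(SamlTokenType tokenType) {
    if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) {
        return Version.SAML_11;
    }
    if (tokenType == SamlTokenType.WssSamlV20Token11) {
        return Version.SAML_20;
    }
    return null;
}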

Example 15 with TokenStoreException

Use of org.apache.cxf.ws.security.tokenstore.TokenStoreException in the Apache CXF project.

Class SecureConversationOutInterceptor, method renewToken.

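/**
 * Returns {@code tok} unchanged while it is still valid; otherwise removes it from the endpoint,
 * the exchange and the token store and asks the STS to renew it.
 * <p>
 * If the renewal fails and {@code SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW} is true (the
 * default), a new token is issued instead; otherwise the failure is rethrown — runtime exceptions
 * as-is, checked ones wrapped in a {@link Fault}. The STS client's per-call settings are cleared in
 * {@code finally}; the {@code synchronized} block suggests the client is shared across calls.
 *
 * @param message the outbound message carrying the endpoint address and addressing properties
 * @param aim the assertion info map used to configure the STS client
 * @param tok the current secure-conversation token
 * @param itok the SecureConversationToken policy assertion
 * @return the existing token, the renewed token, or a freshly issued one
 * @throws TokenStoreException if the token store cannot be obtained, or propagated from issuing
 */
private SecurityToken renewToken(SoapMessage message, AssertionInfoMap aim, SecurityToken tok,
                                 SecureConversationToken itok) throws TokenStoreException {
    if (!tok.isExpired()) {
        return tok;
    }
    // Remove the old token from the endpoint, the exchange and the token store
    message.getExchange().getEndpoint().remove(SecurityConstants.TOKEN);
    message.getExchange().getEndpoint().remove(SecurityConstants.TOKEN_ID);
    message.getExchange().remove(SecurityConstants.TOKEN_ID);
    message.getExchange().remove(SecurityConstants.TOKEN);
    TokenStoreUtils.getTokenStore(message).remove(tok.getId());

    STSClient client = STSUtils.getClient(message, "sct");
    AddressingProperties maps = (AddressingProperties) message.get("javax.xml.ws.addressing.context.outbound");
    if (maps == null) {
        maps = (AddressingProperties) message.get("javax.xml.ws.addressing.context");
    } else if (maps.getAction().getValue().endsWith("Renew")) {
        // NOTE(review): presumably prevents re-entering while the Renew request itself is being sent — confirm;
        // also assumes getAction() is non-null whenever outbound addressing properties are present
        return tok;
    }
    synchronized (client) {
        try {
            SecureConversationTokenInterceptorProvider.setupClient(client, message, aim, itok, true);
            String s = message.getContextualProperty(Message.ENDPOINT_ADDRESS).toString();
            client.setLocation(s);
            Map<String, Object> ctx = client.getRequestContext();
            ctx.put(SecurityConstants.TOKEN_ID, tok.getId());
            if (maps != null) {
                client.setAddressingNamespace(maps.getNamespaceURI());
            }
            return client.renewSecurityToken(tok);
        } catch (Exception ex) {
            // One handler for checked and unchecked failures; they only differed in how the error is rethrown
            LOG.log(Level.WARNING, "Error renewing a token", ex);
            boolean issueAfterFailedRenew =
                MessageUtils.getContextualBoolean(message, SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW, true);
            if (issueAfterFailedRenew) {
                // Perhaps the STS does not support renewing, so try to issue a new token
                return issueToken(message, aim, itok);
            }
            if (ex instanceof RuntimeException) {
                throw (RuntimeException) ex;
            }
            throw new Fault(ex);
        } finally {
            // Clear everything setupClient/this method put on the client so the next use starts clean
            client.setTrust((Trust10) null);
            client.setTrust((Trust13) null);
            client.setTemplate(null);
            client.setLocation(null);
            client.setAddressingNamespace(null);
        }
    }
}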
