Example 1 with TrustException

Use of org.apache.cxf.ws.security.trust.TrustException in project OpenAM by OpenRock.

From the class SoapSTSConsumer, method validateToken.

/**
 * Invokes the soap-sts Validate operation.
 * @param endpointSpecification port and service qname of soap-sts instance to be invoked
 * @param toBeValidatedToken the to-be-validated SecurityToken instance returned from the Issue operation
 * @return true if the STS reports the token as valid, false if it reports it as invalid
 * @throws SoapSTSConsumerException if the Validate call fails for any reason other than an invalid token
 */
public boolean validateToken(EndpointSpecification endpointSpecification, SecurityToken toBeValidatedToken) throws SoapSTSConsumerException {
    STSClient client = getSTSClient(stsInstanceWsdlUrl, endpointSpecification.serviceQName, endpointSpecification.portQName);
    // Request a Status response rather than a transformed token
    client.setTokenType(STSConstants.STATUS);
    try {
        client.validateSecurityToken(toBeValidatedToken);
        return true;
    } catch (TrustException e) {
        // The STSClient raises TrustException when the STS returns a non-valid Status code
        return false;
    } catch (Exception e) {
        // Any other failure is not an "invalid token" result and is surfaced to the caller
        throw new SoapSTSConsumerException(e.getMessage(), e);
    }
    /*
     * No further checks are needed, as the STSClient will throw an exception if the token is not validated successfully.
     * Also checking that the type of the SecurityToken returned by the validateSecurityToken call matches that of the
     * type passed as a parameter to this call is also not a valid test, as the passed-in token is simply returned if
     * the token validated successfully (and if the token was transformed, the type is not set - this may be considered a
     * bug in the STSClient class - see around line 1066 - should be parsing out the TokenType element child of
     * RequestSecurityTokenResponse. See CXF jira: https://issues.apache.org/jira/browse/CXF-5462).
     */
}

Example 2 with TrustException

Use of org.apache.cxf.ws.security.trust.TrustException in project cxf by apache.

From the class SimpleBatchSTSClient, method validateBatchSecurityTokens.

protected List<SecurityToken> validateBatchSecurityTokens(List<BatchRequest> batchRequestList, String action, String requestType) throws Exception {
    createClient();
    BindingOperationInfo boi = findOperation("/BatchValidate");
    client.getRequestContext().putAll(ctx);
    client.getRequestContext().put(SoapBindingConstants.SOAP_ACTION, action);
    // Build one wst:RequestSecurityTokenCollection holding a wst:RequestSecurityToken per batch entry
    W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
    writer.writeStartElement("wst", "RequestSecurityTokenCollection", namespace);
    writer.writeNamespace("wst", namespace);
    for (BatchRequest batchRequest : batchRequestList) {
        writer.writeStartElement("wst", "RequestSecurityToken", namespace);
        writer.writeNamespace("wst", namespace);
        addRequestType(requestType, writer);
        addTokenType(writer, batchRequest.getTokenType());
        // The token under validation is copied verbatim into wst:ValidateTarget
        writer.writeStartElement("wst", "ValidateTarget", namespace);
        Element el = batchRequest.getValidateTarget();
        StaxUtils.copy(el, writer);
        writer.writeEndElement();
        writer.writeEndElement();
    }
    writer.writeEndElement();
    Object[] obj = client.invoke(boi, new DOMSource(writer.getDocument().getDocumentElement()));
    Element responseCollection = getDocumentElement((DOMSource) obj[0]);
    Node child = responseCollection.getFirstChild();
    List<SecurityToken> tokens = new ArrayList<>();
    // Walk every wst:RequestSecurityTokenResponse in the returned collection. A response carrying
    // neither Status nor RequestedSecurityToken contributes nothing and raises no error.
    while (child != null) {
        if (child instanceof Element && "RequestSecurityTokenResponse".equals(((Element) child).getLocalName())) {
            Element rstrChild = DOMUtils.getFirstElement(child);
            while (rstrChild != null) {
                if ("Status".equals(rstrChild.getLocalName())) {
                    // Any Status/Code other than .../status/valid fails the whole batch
                    Element e2 = DOMUtils.getFirstChildWithName(rstrChild, rstrChild.getNamespaceURI(), "Code");
                    String s = DOMUtils.getContent(e2);
                    if (!s.endsWith("/status/valid")) {
                        throw new TrustException(LOG, "VALIDATION_FAILED");
                    }
                } else if ("RequestedSecurityToken".equals(rstrChild.getLocalName())) {
                    // A transformed token is only accepted if it carries an identifier
                    Element requestedSecurityTokenElement = DOMUtils.getFirstElement(rstrChild);
                    String id = findID(null, null, requestedSecurityTokenElement);
                    if (StringUtils.isEmpty(id)) {
                        throw new TrustException("NO_ID", LOG);
                    }
                    SecurityToken requestedSecurityToken = new SecurityToken(id);
                    requestedSecurityToken.setToken(requestedSecurityTokenElement);
                    tokens.add(requestedSecurityToken);
                }
                rstrChild = DOMUtils.getNextElement(rstrChild);
            }
        }
        child = child.getNextSibling();
    }
    return tokens;
}

Example 3 with TrustException

Use of org.apache.cxf.ws.security.trust.TrustException in project cxf by apache.

From the class SimpleBatchSTSClient, method decryptKey.

protected byte[] decryptKey(Element child) throws TrustException, WSSecurityException {
    String encryptionAlgorithm = X509Util.getEncAlgo(child);
    // For the SPNEGO case just return the decoded cipher value and decrypt it later
    if (encryptionAlgorithm != null && encryptionAlgorithm.endsWith("spnego#GSS_Wrap")) {
        // Get the CipherValue
        Element tmpE = XMLUtils.getDirectChildElement(child, "CipherData", WSS4JConstants.ENC_NS);
        byte[] cipherValue = null;
        if (tmpE != null) {
            tmpE = XMLUtils.getDirectChildElement(tmpE, "CipherValue", WSS4JConstants.ENC_NS);
            if (tmpE != null) {
                String content = DOMUtils.getContent(tmpE);
                cipherValue = Base64.getMimeDecoder().decode(content);
            }
        }
        // An EncryptedKey without a CipherValue is rejected rather than treated as an empty key
        if (cipherValue == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noCipher");
        }
        return cipherValue;
    }
    try {
        // Let WSS4J's EncryptedKeyProcessor unwrap the xenc:EncryptedKey with this client's decryption Crypto
        EncryptedKeyProcessor proc = new EncryptedKeyProcessor();
        RequestData data = new RequestData();
        data.setWssConfig(WSSConfig.getNewInstance());
        data.setDecCrypto(createCrypto(true));
        data.setCallbackHandler(createHandler());
        WSDocInfo docInfo = new WSDocInfo(child.getOwnerDocument());
        data.setWsDocInfo(docInfo);
        List<WSSecurityEngineResult> result = proc.handleToken(child, data);
        // The unwrapped symmetric key is published by the processor under TAG_SECRET
        return (byte[]) result.get(0).get(WSSecurityEngineResult.TAG_SECRET);
    } catch (IOException e) {
        throw new TrustException("ENCRYPTED_KEY_ERROR", e, LOG);
    }
}

Example 4 with TrustException

Use of org.apache.cxf.ws.security.trust.TrustException in project cxf by apache.

From the class SimpleBatchSTSClient, method createSecurityToken.

protected SecurityToken createSecurityToken(Element el, byte[] requestorEntropy) throws WSSecurityException {
    // A collection response is unwrapped to its first RequestSecurityTokenResponse
    if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) {
        el = DOMUtils.getFirstElement(el);
    }
    if (!"RequestSecurityTokenResponse".equals(el.getLocalName())) {
        throw new Fault("Unexpected element " + el.getLocalName(), LOG);
    }
    el = DOMUtils.getFirstElement(el);
    Element rst = null;
    Element rar = null;
    Element rur = null;
    Element rpt = null;
    Element lte = null;
    Element entropy = null;
    String tt = null;
    // Collect the WS-Trust children of the RSTR; elements outside the wst namespace are ignored
    while (el != null) {
        String ln = el.getLocalName();
        if (namespace.equals(el.getNamespaceURI())) {
            if ("Lifetime".equals(ln)) {
                lte = el;
            } else if ("RequestedSecurityToken".equals(ln)) {
                rst = DOMUtils.getFirstElement(el);
            } else if ("RequestedAttachedReference".equals(ln)) {
                rar = DOMUtils.getFirstElement(el);
            } else if ("RequestedUnattachedReference".equals(ln)) {
                rur = DOMUtils.getFirstElement(el);
            } else if ("RequestedProofToken".equals(ln)) {
                rpt = el;
            } else if ("Entropy".equals(ln)) {
                entropy = el;
            } else if ("TokenType".equals(ln)) {
                tt = DOMUtils.getContent(el);
            }
        }
        el = DOMUtils.getNextElement(el);
    }
    Element rstDec = rst;
    // The token identifier is taken from the references first, then from the token itself
    String id = findID(rar, rur, rstDec);
    if (StringUtils.isEmpty(id)) {
        throw new TrustException("NO_ID", LOG);
    }
    SecurityToken token = new SecurityToken(id, rstDec, lte);
    token.setAttachedReference(rar);
    token.setUnattachedReference(rur);
    token.setIssuerAddress(location);
    token.setTokenType(tt);
    byte[] secret = null;
    if (rpt != null) {
        // The proof token carries the secret in one of three forms
        Element child = DOMUtils.getFirstElement(rpt);
        QName childQname = DOMUtils.getElementQName(child);
        if (childQname.equals(new QName(namespace, "BinarySecret"))) {
            // First check for the binary secret
            String b64Secret = DOMUtils.getContent(child);
            secret = Base64.getMimeDecoder().decode(b64Secret);
        } else if (childQname.equals(new QName(WSS4JConstants.ENC_NS, WSS4JConstants.ENC_KEY_LN))) {
            // An xenc:EncryptedKey is unwrapped with the client's decryption Crypto
            secret = decryptKey(child);
        } else if (childQname.equals(new QName(namespace, "ComputedKey"))) {
            // Handle the computed key: both sides contribute entropy and the key is derived from the pair
            Element computedKeyChild = entropy == null ? null : DOMUtils.getFirstElement(entropy);
            byte[] serviceEntr = null;
            if (computedKeyChild != null) {
                QName computedKeyChildQName = DOMUtils.getElementQName(computedKeyChild);
                if (computedKeyChildQName.equals(new QName(WSS4JConstants.ENC_NS, WSS4JConstants.ENC_KEY_LN))) {
                    serviceEntr = decryptKey(computedKeyChild);
                } else if (computedKeyChildQName.equals(new QName(namespace, "BinarySecret"))) {
                    String content = DOMUtils.getContent(computedKeyChild);
                    serviceEntr = Base64.getMimeDecoder().decode(content);
                }
            }
            if (serviceEntr != null) {
                // Right now we only use PSHA1 as the computed key algo
                P_SHA1 psha1 = new P_SHA1();
                // Key length in bits: explicit keySize wins, otherwise the algorithm suite's maximum, otherwise 256
                int length = (keySize > 0) ? keySize : 256;
                if (algorithmSuite != null) {
                    AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
                    length = (keySize > 0) ? keySize : algType.getMaximumSymmetricKeyLength();
                }
                try {
                    // P_SHA1(requestorEntropy, serviceEntropy) truncated to length/8 bytes
                    secret = psha1.createKey(requestorEntropy, serviceEntr, 0, length / 8);
                } catch (WSSecurityException e) {
                    throw new TrustException("DERIVED_KEY_ERROR", e, LOG);
                }
            } else {
                // Service entropy missing
                throw new TrustException("NO_ENTROPY", LOG);
            }
        }
    } else if (requestorEntropy != null) {
        // Use requester entropy as the key
        secret = requestorEntropy;
    }
    token.setSecret(secret);
    return token;
}
