Example 1 with TokenStoreCallbackHandler
use of org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler in project cxf by apache.
the class StaxSymmetricBindingHandler method handleBinding.
public void handleBinding() {
AssertionInfoMap aim = getMessage().get(AssertionInfoMap.class);
configureTimestamp(aim);
assertPolicy(sbinding.getName());
String asymSignatureAlgorithm = (String) getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
if (asymSignatureAlgorithm != null && sbinding.getAlgorithmSuite() != null) {
sbinding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
}
String symSignatureAlgorithm = (String) getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
if (symSignatureAlgorithm != null && sbinding.getAlgorithmSuite() != null) {
sbinding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
}
// Set up CallbackHandler which wraps the configured Handler
WSSSecurityProperties properties = getProperties();
try {
TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
properties.setCallbackHandler(callbackHandler);
} catch (TokenStoreException e) {
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
if (sbinding.getProtectionOrder() == AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
doEncryptBeforeSign();
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_BEFORE_SIGNING));
} else {
doSignBeforeEncrypt();
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.SIGN_BEFORE_ENCRYPTING));
}
if (!isRequestor()) {
properties.setEncryptSymmetricEncryptionKey(false);
}
configureLayout(aim);
assertAlgorithmSuite(sbinding.getAlgorithmSuite());
assertWSSProperties(sbinding.getName().getNamespaceURI());
assertTrustProperties(sbinding.getName().getNamespaceURI());
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
if (sbinding.isProtectTokens()) {
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
}
}
Also used :
WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties)
QName(javax.xml.namespace.QName)
TokenStoreCallbackHandler(org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler)
TokenStoreException(org.apache.cxf.ws.security.tokenstore.TokenStoreException)
Fault(org.apache.cxf.interceptor.Fault)
AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)
Example 2 with TokenStoreCallbackHandler
use of org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler in project cxf by apache.
the class StaxAsymmetricBindingHandler method doEncryptBeforeSign.
private void doEncryptBeforeSign() {
try {
AbstractTokenWrapper wrapper;
AbstractToken encryptionToken = null;
if (isRequestor()) {
wrapper = abinding.getRecipientEncryptionToken();
if (wrapper == null) {
wrapper = abinding.getRecipientToken();
}
} else {
wrapper = abinding.getInitiatorEncryptionToken();
if (wrapper == null) {
wrapper = abinding.getInitiatorToken();
}
}
assertTokenWrapper(wrapper);
if (wrapper != null) {
encryptionToken = wrapper.getToken();
assertToken(encryptionToken);
}
AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
if (initiatorWrapper == null) {
initiatorWrapper = abinding.getInitiatorToken();
}
if (initiatorWrapper != null) {
assertTokenWrapper(initiatorWrapper);
AbstractToken initiatorToken = initiatorWrapper.getToken();
if (initiatorToken instanceof IssuedToken) {
SecurityToken sigTok = getSecurityToken();
addIssuedToken(initiatorToken, sigTok, false, true);
if (sigTok != null) {
storeSecurityToken(initiatorToken, sigTok);
outboundSecurityContext.remove(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
}
// Set up CallbackHandler which wraps the configured Handler
WSSSecurityProperties properties = getProperties();
TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
properties.setCallbackHandler(callbackHandler);
} else if (initiatorToken instanceof SamlToken) {
addSamlToken((SamlToken) initiatorToken, false, true);
}
}
final List<SecurePart> encrParts;
final List<SecurePart> sigParts;
try {
encrParts = getEncryptedParts();
// Signed parts are determined before encryption because encrypted signed headers
// will not be included otherwise
sigParts = getSignedParts();
} catch (SOAPException ex) {
throw new Fault(ex);
}
addSupportingTokens();
if (encryptionToken != null && !encrParts.isEmpty()) {
if (isRequestor()) {
encrParts.addAll(encryptedTokensList);
} else {
addSignatureConfirmation(sigParts);
}
// Check for signature protection
if (abinding.isEncryptSignature()) {
SecurePart part = new SecurePart(new QName(XMLSecurityConstants.NS_DSIG, "Signature"), Modifier.Element);
encrParts.add(part);
if (signatureConfirmationAdded) {
SecurePart securePart = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
encrParts.add(securePart);
}
assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
doEncryption(wrapper, encrParts);
}
if (timestampAdded) {
SecurePart part = new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
sigParts.add(part);
}
if (!sigParts.isEmpty()) {
if (initiatorWrapper != null && isRequestor()) {
doSignature(initiatorWrapper, sigParts);
} else if (!isRequestor()) {
AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
if (recipientSignatureToken == null) {
recipientSignatureToken = abinding.getRecipientToken();
}
if (recipientSignatureToken != null) {
assertTokenWrapper(recipientSignatureToken);
assertToken(recipientSignatureToken.getToken());
doSignature(recipientSignatureToken, sigParts);
}
}
}
removeSignatureIfSignedSAML();
enforceEncryptBeforeSigningWithSignedSAML();
prependSignatureToSC();
putCustomTokenAfterSignature();
} catch (Exception e) {
String reason = e.getMessage();
LOG.log(Level.WARNING, "Encrypt before signing failed due to : " + reason);
throw new Fault(e);
}
}
Also used :
WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
QName(javax.xml.namespace.QName)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Fault(org.apache.cxf.interceptor.Fault)
SOAPException(javax.xml.soap.SOAPException)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
SecurePart(org.apache.xml.security.stax.ext.SecurePart)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
SOAPException(javax.xml.soap.SOAPException)
TokenStoreCallbackHandler(org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler)
AbstractTokenWrapper(org.apache.wss4j.policy.model.AbstractTokenWrapper)
Example 3 with TokenStoreCallbackHandler
use of org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler in project cxf by apache.
the class StaxAsymmetricBindingHandler method doSignBeforeEncrypt.
private void doSignBeforeEncrypt() {
try {
AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
if (initiatorWrapper == null) {
initiatorWrapper = abinding.getInitiatorToken();
}
if (initiatorWrapper != null) {
assertTokenWrapper(initiatorWrapper);
AbstractToken initiatorToken = initiatorWrapper.getToken();
if (initiatorToken instanceof IssuedToken) {
SecurityToken sigTok = getSecurityToken();
addIssuedToken(initiatorToken, sigTok, false, true);
if (sigTok != null) {
storeSecurityToken(initiatorToken, sigTok);
outboundSecurityContext.remove(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
}
// Set up CallbackHandler which wraps the configured Handler
WSSSecurityProperties properties = getProperties();
TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
properties.setCallbackHandler(callbackHandler);
} else if (initiatorToken instanceof SamlToken) {
addSamlToken((SamlToken) initiatorToken, false, true);
}
assertToken(initiatorToken);
}
// Add timestamp
List<SecurePart> sigs = new ArrayList<>();
if (timestampAdded) {
SecurePart part = new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
sigs.add(part);
}
sigs.addAll(this.getSignedParts());
if (isRequestor() && initiatorWrapper != null) {
doSignature(initiatorWrapper, sigs);
} else if (!isRequestor()) {
// confirm sig
addSignatureConfirmation(sigs);
AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
if (recipientSignatureToken == null) {
recipientSignatureToken = abinding.getRecipientToken();
}
if (recipientSignatureToken != null) {
assertTokenWrapper(recipientSignatureToken);
assertToken(recipientSignatureToken.getToken());
}
if (recipientSignatureToken != null && !sigs.isEmpty()) {
doSignature(recipientSignatureToken, sigs);
}
}
addSupportingTokens();
removeSignatureIfSignedSAML();
prependSignatureToSC();
List<SecurePart> enc = getEncryptedParts();
// Check for signature protection
if (abinding.isEncryptSignature()) {
SecurePart part = new SecurePart(new QName(XMLSecurityConstants.NS_DSIG, "Signature"), Modifier.Element);
enc.add(part);
if (signatureConfirmationAdded) {
SecurePart securePart = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
enc.add(securePart);
}
assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
// Do encryption
AbstractTokenWrapper encToken;
if (isRequestor()) {
enc.addAll(encryptedTokensList);
encToken = abinding.getRecipientEncryptionToken();
if (encToken == null) {
encToken = abinding.getRecipientToken();
}
} else {
encToken = abinding.getInitiatorEncryptionToken();
if (encToken == null) {
encToken = abinding.getInitiatorToken();
}
}
if (encToken != null) {
assertTokenWrapper(encToken);
assertToken(encToken.getToken());
}
doEncryption(encToken, enc);
putCustomTokenAfterSignature();
} catch (Exception e) {
String reason = e.getMessage();
LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason);
throw new Fault(e);
}
}
Also used :
WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
QName(javax.xml.namespace.QName)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
ArrayList(java.util.ArrayList)
Fault(org.apache.cxf.interceptor.Fault)
SOAPException(javax.xml.soap.SOAPException)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
SecurePart(org.apache.xml.security.stax.ext.SecurePart)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
TokenStoreCallbackHandler(org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler)
AbstractTokenWrapper(org.apache.wss4j.policy.model.AbstractTokenWrapper)
Example 4 with TokenStoreCallbackHandler
use of org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler in project cxf by apache.
the class StaxTransportBindingHandler method handleEndorsingToken.
private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
assertToken(token);
if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
return;
}
if (token instanceof IssuedToken) {
SecurityToken securityToken = getSecurityToken();
addIssuedToken(token, securityToken, false, true);
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
WSSSecurityProperties properties = getProperties();
if (securityToken != null && securityToken.getSecret() != null) {
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
} else {
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
}
properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setSignatureDigestAlgorithm(algType.getDigest());
} else if (token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
SecurityToken securityToken = getSecurityToken();
addIssuedToken(token, securityToken, false, true);
WSSSecurityProperties properties = getProperties();
if (securityToken != null) {
storeSecurityToken(token, securityToken);
// Set up CallbackHandler which wraps the configured Handler
TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
properties.setCallbackHandler(callbackHandler);
}
doSignature(token, wrapper);
properties.setIncludeSignatureToken(true);
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setSignatureDigestAlgorithm(algType.getDigest());
} else if (token instanceof X509Token || token instanceof KeyValueToken) {
doSignature(token, wrapper);
} else if (token instanceof SamlToken) {
addSamlToken((SamlToken) token, false, true);
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
WSSSecurityProperties properties = getProperties();
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setSignatureDigestAlgorithm(algType.getDigest());
} else if (token instanceof UsernameToken) {
throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
} else if (token instanceof KerberosToken) {
WSSSecurityProperties properties = getProperties();
properties.addAction(XMLSecurityConstants.SIGNATURE);
configureSignature(token, false);
addKerberosToken((KerberosToken) token, false, true, false);
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setSignatureDigestAlgorithm(algType.getDigest());
}
}
Also used :
WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
SOAPException(javax.xml.soap.SOAPException)
TokenStoreException(org.apache.cxf.ws.security.tokenstore.TokenStoreException)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
TokenStoreCallbackHandler(org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler)
Aggregations
TokenStoreCallbackHandler (org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler)4
WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)4
QName (javax.xml.namespace.QName)3
SOAPException (javax.xml.soap.SOAPException)3
Fault (org.apache.cxf.interceptor.Fault)3
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)3
IssuedToken (org.apache.wss4j.policy.model.IssuedToken)3
SamlToken (org.apache.wss4j.policy.model.SamlToken)3
TokenStoreException (org.apache.cxf.ws.security.tokenstore.TokenStoreException)2
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)2
AbstractToken (org.apache.wss4j.policy.model.AbstractToken)2
AbstractTokenWrapper (org.apache.wss4j.policy.model.AbstractTokenWrapper)2
SecurePart (org.apache.xml.security.stax.ext.SecurePart)2
ArrayList (java.util.ArrayList)1
AssertionInfoMap (org.apache.cxf.ws.policy.AssertionInfoMap)1
AlgorithmSuiteType (org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)1
KerberosToken (org.apache.wss4j.policy.model.KerberosToken)1
KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)1
SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)1
SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)1
