use of org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator in project cxf by apache.
the class PolicyBasedWSS4JInInterceptor method doResults.
@Override
protected void doResults(SoapMessage msg, String actor, Element soapHeader, Element soapBody, WSHandlerResult results, boolean utWithCallbacks) throws SOAPException, XMLStreamException, WSSecurityException {
//
// Pre-fetch various results
//
List<WSSecurityEngineResult> signedResults = new ArrayList<>();
if (results.getActionResults().containsKey(WSConstants.SIGN)) {
signedResults.addAll(results.getActionResults().get(WSConstants.SIGN));
}
if (results.getActionResults().containsKey(WSConstants.UT_SIGN)) {
signedResults.addAll(results.getActionResults().get(WSConstants.UT_SIGN));
}
if (results.getActionResults().containsKey(WSConstants.ST_SIGNED)) {
signedResults.addAll(results.getActionResults().get(WSConstants.ST_SIGNED));
}
Collection<WSDataRef> signed = new HashSet<>();
for (WSSecurityEngineResult result : signedResults) {
List<WSDataRef> sl = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
if (sl != null) {
for (WSDataRef r : sl) {
signed.add(r);
}
}
}
List<WSSecurityEngineResult> encryptResults = results.getActionResults().get(WSConstants.ENCR);
Collection<WSDataRef> encrypted = new HashSet<>();
if (encryptResults != null) {
for (WSSecurityEngineResult result : encryptResults) {
List<WSDataRef> sl = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
if (sl != null) {
for (WSDataRef r : sl) {
encrypted.add(r);
}
}
}
}
CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encrypted);
//
// Check policies
//
PolicyValidatorParameters parameters = new PolicyValidatorParameters();
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
parameters.setAssertionInfoMap(aim);
parameters.setMessage(msg);
parameters.setSoapBody(soapBody);
parameters.setSoapHeader(soapHeader);
parameters.setResults(results);
parameters.setSignedResults(signedResults);
parameters.setEncryptedResults(encryptResults);
parameters.setUtWithCallbacks(utWithCallbacks);
parameters.setSigned(signed);
parameters.setEncrypted(encrypted);
List<WSSecurityEngineResult> utResults = new ArrayList<>();
if (results.getActionResults().containsKey(WSConstants.UT)) {
utResults.addAll(results.getActionResults().get(WSConstants.UT));
}
if (results.getActionResults().containsKey(WSConstants.UT_NOPASSWORD)) {
utResults.addAll(results.getActionResults().get(WSConstants.UT_NOPASSWORD));
}
parameters.setUsernameTokenResults(utResults);
List<WSSecurityEngineResult> samlResults = new ArrayList<>();
if (results.getActionResults().containsKey(WSConstants.ST_SIGNED)) {
samlResults.addAll(results.getActionResults().get(WSConstants.ST_SIGNED));
}
if (results.getActionResults().containsKey(WSConstants.ST_UNSIGNED)) {
samlResults.addAll(results.getActionResults().get(WSConstants.ST_UNSIGNED));
}
parameters.setSamlResults(samlResults);
// Store the timestamp element
WSSecurityEngineResult tsResult = null;
if (results.getActionResults().containsKey(WSConstants.TS)) {
tsResult = results.getActionResults().get(WSConstants.TS).get(0);
}
Element timestamp = null;
if (tsResult != null) {
Timestamp ts = (Timestamp) tsResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
timestamp = ts.getElement();
}
parameters.setTimestampElement(timestamp);
// Validate security policies
Map<QName, SecurityPolicyValidator> validators = ValidatorUtils.getSecurityPolicyValidators(msg);
for (Map.Entry<QName, Collection<AssertionInfo>> entry : aim.entrySet()) {
// Check to see if we have a security policy + if we can validate it
if (validators.containsKey(entry.getKey())) {
validators.get(entry.getKey()).validatePolicies(parameters, entry.getValue());
}
}
super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);
}
Aggregations