
Example 1 with PasswordString

use of org.apache.wss4j.binding.wss10.PasswordString in project cxf by apache.

The `validate` method of class `STSStaxTokenValidator`.

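/**
 * Validates an inbound {@code wsse:UsernameToken} and wraps it as a {@link UsernameSecurityTokenImpl}.
 * <p>
 * Verification order: structural checks (salt/iteration rule, required password type, mandatory
 * username), then either an unconditional STS round-trip ({@code alwaysValidateToSts}) or local
 * verification of the password (digest, plaintext, custom type, or none). Any
 * {@link WSSecurityException} raised by local verification -- including structural failures of a
 * digest token -- is discarded and the token is sent to the STS instead, so the STS outcome is what
 * the caller observes in that case.
 * <p>
 * Replay protection (nonce cache, {@code wsu:Created} freshness) is not performed here.
 * NOTE(review): presumably enforced by the UsernameToken input handler before this validator runs;
 * confirm before relying on it.
 *
 * @param usernameTokenType the parsed {@code wsse:UsernameToken}
 * @param tokenContext      security properties, security context and element path for the token
 * @return the validated token; its password is the clear-text value when one was resolved
 *         (see the password resolution below), otherwise {@code null}
 * @throws WSSecurityException {@code INVALID_SECURITY_TOKEN} for a malformed token,
 *         {@code UNSUPPORTED_SECURITY_TOKEN} for a nonce that is not Base64-encoded, and
 *         {@code FAILED_AUTHENTICATION} when the password type requirement is not met, the
 *         password cannot be verified, or a password-less token reaches the STS path
 */
@SuppressWarnings("unchecked")
@Override
public <T extends UsernameSecurityToken & InboundSecurityToken> T validate(UsernameTokenType usernameTokenType, TokenContext tokenContext) throws WSSecurityException {
    // If the UsernameToken is to be used for key derivation, the (1.1)
    // spec says that it cannot contain a password, and it must contain
    // an Iteration element. A wsse11:Salt is what marks such a token.
    final byte[] salt = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSSE11_SALT);
    // May be null: a token without a wsse:Password element is legal in several branches below.
    PasswordString passwordType = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSSE_PASSWORD);
    final Long iteration = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSSE11_ITERATION);
    if (salt != null && (passwordType != null || iteration == null)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badTokenType01");
    }
    boolean handleCustomPasswordTypes = tokenContext.getWssSecurityProperties().getHandleCustomPasswordTypes();
    // Password-less tokens can be allowed either by the security properties or by a
    // per-message property on the security context.
    boolean allowUsernameTokenNoPassword = tokenContext.getWssSecurityProperties().isAllowUsernameTokenNoPassword() || Boolean.parseBoolean((String) tokenContext.getWsSecurityContext().get(WSSConstants.PROP_ALLOW_USERNAMETOKEN_NOPASSWORD));
    // Check received password type against required type. When a type is required,
    // a missing or untyped Password element is an authentication failure.
    WSSConstants.UsernameTokenPasswordType requiredPasswordType = tokenContext.getWssSecurityProperties().getUsernameTokenPasswordType();
    if (requiredPasswordType != null) {
        if (passwordType == null || passwordType.getType() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        WSSConstants.UsernameTokenPasswordType usernameTokenPasswordType = WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(passwordType.getType());
        if (requiredPasswordType != usernameTokenPasswordType) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }
    // Effective password type: PASSWORD_NONE unless the Password element carries a Type attribute.
    WSSConstants.UsernameTokenPasswordType usernameTokenPasswordType = WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE;
    if (passwordType != null && passwordType.getType() != null) {
        usernameTokenPasswordType = WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(passwordType.getType());
    }
    final AttributedString username = usernameTokenType.getUsername();
    if (username == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badTokenType01");
    }
    // The nonce is Base64-decoded here unconditionally; its declared EncodingType is only
    // checked in the digest branch below.
    final EncodedString encodedNonce = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSSE_NONCE);
    byte[] nonceVal = null;
    if (encodedNonce != null && encodedNonce.getValue() != null) {
        nonceVal = Base64.decodeBase64(encodedNonce.getValue());
    }
    final AttributedDateTime attributedDateTimeCreated = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSU_CREATED);
    String created = null;
    if (attributedDateTimeCreated != null) {
        created = attributedDateTimeCreated.getValue();
    }
    // Validate to STS if required
    boolean valid = false;
    final SoapMessage message = (SoapMessage) tokenContext.getWssSecurityProperties().getMsgContext();
    if (alwaysValidateToSts) {
        if (passwordType == null) {
            // Nothing for the STS to verify; fail as an authentication error rather than
            // dereferencing a null Password element.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        Element tokenElement = convertToDOM(username.getValue(), passwordType.getValue(), passwordType.getType(), usernameTokenType.getId());
        validateTokenToSTS(tokenElement, message);
        valid = true;
    }
    if (!valid) {
        try {
            if (usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
                // A digest token must carry both Nonce and Created, and the nonce must be Base64.
                if (encodedNonce == null || attributedDateTimeCreated == null) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badTokenType01");
                }
                if (!WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING.equals(encodedNonce.getEncodingType())) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN, "badTokenType01");
                }
                verifyDigestPassword(username.getValue(), passwordType, nonceVal, created, tokenContext);
            } else if (usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT || passwordType != null && passwordType.getValue() != null && usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
                // PasswordText, or an untyped Password element that has a value: treated as plaintext.
                verifyPlaintextPassword(username.getValue(), passwordType, tokenContext);
            } else if (passwordType != null && passwordType.getValue() != null) {
                // Any other (custom) password type is verified as plaintext, and only when
                // explicitly enabled.
                if (!handleCustomPasswordTypes) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
                }
                verifyPlaintextPassword(username.getValue(), passwordType, tokenContext);
            } else {
                // No password value at all: accepted only when explicitly allowed.
                if (!allowUsernameTokenNoPassword) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
                }
            }
        } catch (WSSecurityException ex) {
            // Local verification failed (for whatever reason): fall back to the STS. The local
            // failure is intentionally discarded; the STS result decides.
            if (passwordType == null) {
                // A password-less token cannot be validated by the STS either; surface the
                // local failure instead of an NPE from the dereference below.
                throw ex;
            }
            Element tokenElement = convertToDOM(username.getValue(), passwordType.getValue(), passwordType.getType(), usernameTokenType.getId());
            validateTokenToSTS(tokenElement, message);
        }
    }
    // Password carried by the resulting token: the Password element's value (which, after a
    // successful digest verification, verifyDigestPassword has replaced with the clear-text
    // password from the callback), or for salt/key-derivation tokens the password obtained
    // from the callback handler; otherwise null.
    final String password;
    if (passwordType != null) {
        password = passwordType.getValue();
    } else if (salt != null) {
        WSPasswordCallback pwCb = new WSPasswordCallback(username.getValue(), WSPasswordCallback.USERNAME_TOKEN);
        try {
            WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), pwCb);
        } catch (WSSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }
        password = pwCb.getPassword();
    } else {
        password = null;
    }
    UsernameSecurityTokenImpl usernameSecurityToken = new UsernameSecurityTokenImpl(usernameTokenPasswordType, username.getValue(), password, created, nonceVal, salt, iteration, tokenContext.getWsSecurityContext(), usernameTokenType.getId(), WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
    usernameSecurityToken.setElementPath(tokenContext.getElementPath());
    usernameSecurityToken.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());
    return (T) usernameSecurityToken;
}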

Example 2 with PasswordString

use of org.apache.wss4j.binding.wss10.PasswordString in project cxf by apache.

The `verifyDigestPassword` method of class `STSStaxTokenValidator`.

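/**
 * Verify a UsernameToken containing a password digest.
 * <p>
 * The callback handler is asked for the clear-text password of {@code username}
 * (usage {@link WSPasswordCallback#USERNAME_TOKEN}); the expected digest is recomputed from the
 * nonce, the {@code wsu:Created} value and that password, and compared with the received digest
 * using a comparison that does not short-circuit on the first mismatching byte. On success the
 * received digest in {@code passwordType} is replaced by the clear-text password, which the caller
 * then carries in the resulting security token.
 *
 * @param username     the token's {@code wsse:Username}
 * @param passwordType the token's {@code wsse:Password} element (PasswordDigest type); mutated on
 *                     success as described above
 * @param nonceVal     the decoded nonce bytes, or {@code null} if the nonce carried no value
 * @param created      the {@code wsu:Created} value, or {@code null} if it carried no value
 * @param tokenContext supplies the callback handler
 * @throws WSSecurityException {@code FAILED_AUTHENTICATION} if the callback fails or yields no
 *         password, if the token carries no digest value, or if the digests do not match
 */
private void verifyDigestPassword(String username, PasswordString passwordType, byte[] nonceVal, String created, TokenContext tokenContext) throws WSSecurityException {
    WSPasswordCallback pwCb = new WSPasswordCallback(username, null, passwordType.getType(), WSPasswordCallback.USERNAME_TOKEN);
    try {
        WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), pwCb);
    } catch (WSSecurityException e) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
    }
    if (pwCb.getPassword() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
    }
    // An empty <wsse:Password Type="...PasswordDigest"/> is an authentication failure, not an NPE.
    final String receivedDigest = passwordType.getValue();
    if (receivedDigest == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
    }
    String passDigest = WSSUtils.doPasswordDigest(nonceVal, created, pwCb.getPassword());
    // String.equals() returns on the first differing character, which leaks how much of the
    // expected digest a forged value matches; MessageDigest.isEqual compares every byte.
    // Fully qualified so no import list needs to change.
    if (passDigest == null
            || !java.security.MessageDigest.isEqual(
                    receivedDigest.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                    passDigest.getBytes(java.nio.charset.StandardCharsets.UTF_8))) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
    }
    // Hand the clear-text password back to the caller through the shared PasswordString.
    passwordType.setValue(pwCb.getPassword());
}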
