
Example 6 with WSEncryptionPart

Use of org.apache.wss4j.common.WSEncryptionPart in the Apache CXF project.

Method AbstractBindingBuilder.handleEncryptedSignedHeaders (sign-after-encrypt reconciliation of signed and encrypted header parts).

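/**
 * Reconciles the parts to be signed with the parts that have already been
 * encrypted (the encrypt-then-sign ordering).
 * <p>
 * When a header was encrypted with the {@code "Header"} modifier, the element
 * that ends up in the message carries the encrypted part's {@code encId}
 * rather than the original ID. A signature reference that still used the
 * original ID would point at nothing, so the matching entry in
 * {@code signedParts} is replaced by a part that references the encrypted
 * element. The signature then covers the ciphertext, which is what makes a
 * stripped or substituted encrypted header detectable.
 *
 * @param encryptedParts
 *            the parts that have been encrypted
 * @param signedParts
 *            the parts that are to be signed; modified in place
 *
 * @throws IllegalArgumentException
 *             if an element in {@code signedParts} contains a {@code
 *             WSEncryptionPart} with a {@code null} {@code id} value
 *             and the {@code WSEncryptionPart} {@code name} value is not
 *             "Token"
 */
public void handleEncryptedSignedHeaders(List<WSEncryptionPart> encryptedParts, List<WSEncryptionPart> signedParts) {
    final List<WSEncryptionPart> signedEncryptedParts = new ArrayList<>();
    for (WSEncryptionPart encryptedPart : encryptedParts) {
        // Only parts encrypted as a whole header get a replacement ID; a null
        // modifier is treated as "not a header" rather than dereferenced.
        final boolean encryptedAsHeader = "Header".equals(encryptedPart.getEncModifier());
        final Iterator<WSEncryptionPart> signedPartsIt = signedParts.iterator();
        while (signedPartsIt.hasNext()) {
            WSEncryptionPart signedPart = signedPartsIt.next();
            final String signedId = signedPart.getId();
            if (signedId == null) {
                // A "Token" part is permitted to have no ID here; anything
                // else must be ID based to be signable.
                if (!"Token".equals(signedPart.getName())) {
                    throw new IllegalArgumentException("WSEncryptionPart must be ID based but no id was found.");
                }
                // No ID means nothing to match against. (Previously a "Token"
                // part with a null ID fell through to getId().equals(...) and
                // threw a NullPointerException when the encrypted part was a
                // header.)
                continue;
            }
            if (encryptedAsHeader && signedId.equals(encryptedPart.getId())) {
                // We are to sign something that has already been encrypted.
                // We need to preserve the original aspects of signedPart but
                // change the ID to the encrypted ID.
                signedPartsIt.remove();
                WSEncryptionPart part = new WSEncryptionPart(encryptedPart.getEncId(), encryptedPart.getEncModifier());
                part.setElement(encryptedPart.getElement());
                signedEncryptedParts.add(part);
            }
        }
    }
    signedParts.addAll(signedEncryptedParts);
}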

Example 7 with WSEncryptionPart

Use of org.apache.wss4j.common.WSEncryptionPart in the Apache CXF project.

Method AbstractBindingBuilder.addSignatureConfirmation (WS-Security 1.1 SignatureConfirmation handling).

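/**
 * Adds WS-Security 1.1 SignatureConfirmation element(s) to the security
 * header when the Wss11 policy requires it.
 * <p>
 * One SignatureConfirmation is emitted per signature recorded in the inbound
 * message's handler results (SIGN and UT_SIGN actions), echoing that
 * signature's SignatureValue so the peer can check that the signature it sent
 * is the one that was actually processed. When no signature was received a
 * single SignatureConfirmation without a value is emitted instead.
 * <p>
 * Every confirmation element is recorded in {@code sigConfList} and, when
 * {@code sigParts} is non-null, appended to it so that it is covered by the
 * outbound signature. A SignatureConfirmation that is not itself signed gives
 * the peer no assurance, so callers should normally pass the signature parts.
 *
 * @param sigParts the parts that will be signed; may be null, in which case
 *                 the confirmation elements are added but not signed
 */
protected void addSignatureConfirmation(List<WSEncryptionPart> sigParts) {
    Wss10 wss10 = getWss10();
    if (!(wss10 instanceof Wss11) || !((Wss11) wss10).isRequireSignatureConfirmation()) {
        // If we don't require sig confirmation simply go back :-)
        return;
    }
    List<WSSecurityEngineResult> signatureActions = collectInboundSignatureResults();
    sigConfList = new ArrayList<>();
    // prepare a SignatureConfirmation token
    WSSecSignatureConfirmation wsc = new WSSecSignatureConfirmation(secHeader);
    wsc.setIdAllocator(wssConfig.getIdAllocator());
    if (signatureActions.isEmpty()) {
        // No signature was received (or no handler results exist at all):
        // emit an empty confirmation without a Value.
        wsc.prepare();
        addSignatureConfirmationPart(wsc, sigParts);
    } else {
        for (WSSecurityEngineResult wsr : signatureActions) {
            byte[] sigVal = (byte[]) wsr.get(WSSecurityEngineResult.TAG_SIGNATURE_VALUE);
            wsc.setSignatureValue(sigVal);
            wsc.prepare();
            addSignatureConfirmationPart(wsc, sigParts);
        }
    }
    assertPolicy(new QName(wss10.getName().getNamespaceURI(), SPConstants.REQUIRE_SIGNATURE_CONFIRMATION));
}

/**
 * Gathers the SIGN and UT_SIGN results recorded by the inbound WS-Security
 * handlers on this exchange.
 *
 * @return the signature results, empty when there is no inbound message or
 *         no RECV_RESULTS were recorded (previously this dereferenced a null
 *         result list and failed with a NullPointerException)
 */
private List<WSSecurityEngineResult> collectInboundSignatureResults() {
    List<WSSecurityEngineResult> signatureActions = new ArrayList<>();
    if (message.getExchange().getInMessage() == null) {
        return signatureActions;
    }
    List<WSHandlerResult> results = CastUtils.cast((List<?>) message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS));
    if (results == null) {
        return signatureActions;
    }
    /*
     * loop over all results gathered by all handlers in the chain. For each
     * handler result get the various actions. After that loop we have all
     * signature results in the signatureActions list
     */
    for (WSHandlerResult wshResult : results) {
        if (wshResult.getActionResults().containsKey(WSConstants.SIGN)) {
            signatureActions.addAll(wshResult.getActionResults().get(WSConstants.SIGN));
        }
        if (wshResult.getActionResults().containsKey(WSConstants.UT_SIGN)) {
            signatureActions.addAll(wshResult.getActionResults().get(WSConstants.UT_SIGN));
        }
    }
    return signatureActions;
}

/**
 * Inserts the prepared SignatureConfirmation element into the header and
 * registers it for signing.
 *
 * @param wsc      the confirmation builder, already prepared
 * @param sigParts the outbound signature parts, or null to leave the
 *                 confirmation unsigned
 */
private void addSignatureConfirmationPart(WSSecSignatureConfirmation wsc, List<WSEncryptionPart> sigParts) {
    addSupportingElement(wsc.getSignatureConfirmationElement());
    if (sigParts != null) {
        WSEncryptionPart part = new WSEncryptionPart(wsc.getId(), "Element");
        part.setElement(wsc.getSignatureConfirmationElement());
        sigParts.add(part);
        sigConfList.add(part);
    }
}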

Example 8 with WSEncryptionPart

Use of org.apache.wss4j.common.WSEncryptionPart in the Apache CXF project.

Method AbstractBindingBuilder.addSignatureParts (turning supporting tokens into signature references).

/**
 * Appends one signature part per supporting token so that the tokens are
 * covered by the message signature.
 * <p>
 * By default (context property {@code SecurityConstants.USE_STR_TRANSFORM},
 * true unless overridden) SAML assertions are signed through a cloned
 * SecurityTokenReference with the STRTransform rather than by referencing the
 * assertion element directly. Other token types are referenced by their
 * wsu:Id.
 *
 * @param tokenList the supporting tokens that have already been built
 * @param sigParts  the signature part list to append to; unchanged for tokens
 *                  that produce no part
 */
protected void addSignatureParts(List<SupportingToken> tokenList, List<WSEncryptionPart> sigParts) {
    boolean useSTRTransform = MessageUtils.getContextualBoolean(message, SecurityConstants.USE_STR_TRANSFORM, true);
    for (SupportingToken supportingToken : tokenList) {
        Object tempTok = supportingToken.getTokenImplementation();
        WSEncryptionPart part = null;
        if (tempTok instanceof WSSecSignature) {
            WSSecSignature tempSig = (WSSecSignature) tempTok;
            SecurityTokenReference secRef = tempSig.getSecurityTokenReference();
            if (WSS4JConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()) || WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) {
                // The signature's own STR points at a SAML assertion: clone it
                // into the header and sign the clone via STRTransform, with the
                // part ID set to the STR URI.
                Element secRefElement = cloneElement(secRef.getElement());
                addSupportingElement(secRefElement);
                part = new WSEncryptionPart("STRTransform", null, "Element");
                part.setId(tempSig.getSecurityTokenReferenceURI());
                part.setElement(secRefElement);
            } else {
                // Sign the attached BinarySecurityToken directly; when no BST
                // was attached, part stays null and nothing is added for this
                // signature token.
                if (tempSig.getBSTTokenId() != null) {
                    part = new WSEncryptionPart(tempSig.getBSTTokenId());
                    part.setElement(tempSig.getBinarySecurityTokenElement());
                }
            }
        } else if (tempTok instanceof WSSecUsernameToken) {
            WSSecUsernameToken unt = (WSSecUsernameToken) tempTok;
            part = new WSEncryptionPart(unt.getId());
            part.setElement(unt.getUsernameTokenElement());
        } else if (tempTok instanceof BinarySecurity) {
            BinarySecurity bst = (BinarySecurity) tempTok;
            part = new WSEncryptionPart(bst.getID());
            part.setElement(bst.getElement());
        } else if (tempTok instanceof SamlAssertionWrapper) {
            SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) tempTok;
            Document doc = assertionWrapper.getElement().getOwnerDocument();
            boolean saml1 = assertionWrapper.getSaml1() != null;
            if (useSTRTransform) {
                // TODO We only support using a KeyIdentifier for the moment
                SecurityTokenReference secRef = createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false);
                Element clone = cloneElement(secRef.getElement());
                addSupportingElement(clone);
                part = new WSEncryptionPart("STRTransform", null, "Element");
                part.setId(secRef.getID());
                part.setElement(clone);
            } else {
                // NOTE(review): references the assertion element by its own
                // ID; presumably this relies on the assertion's ID attribute
                // being resolvable by the signature reference resolver, which
                // is why STRTransform is the default — confirm.
                part = new WSEncryptionPart(assertionWrapper.getId());
                part.setElement(assertionWrapper.getElement());
            }
        } else if (tempTok instanceof WSSecurityTokenHolder) {
            SecurityToken token = ((WSSecurityTokenHolder) tempTok).getToken();
            String tokenType = token.getTokenType();
            if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType) || WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
                Document doc = token.getToken().getOwnerDocument();
                boolean saml1 = WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType);
                String id = token.getId();
                if (id == null || "".equals(id)) {
                    // Fall back to the assertion's own identifier attribute
                    // (AssertionID for SAML 1.x, ID for SAML 2.0).
                    if (saml1) {
                        id = token.getToken().getAttributeNS(null, "AssertionID");
                    } else {
                        id = token.getToken().getAttributeNS(null, "ID");
                    }
                }
                if (useSTRTransform) {
                    SecurityTokenReference secRef = createSTRForSamlAssertion(doc, id, saml1, false);
                    Element clone = cloneElement(secRef.getElement());
                    addSupportingElement(clone);
                    part = new WSEncryptionPart("STRTransform", null, "Element");
                    part.setId(secRef.getID());
                    part.setElement(clone);
                } else {
                    part = new WSEncryptionPart(id);
                    part.setElement(token.getToken());
                }
            } else {
                // Non-SAML stored token: strip any leading '#' from the
                // reference and sign the token element by ID.
                String id = XMLUtils.getIDFromReference(token.getId());
                part = new WSEncryptionPart(id);
                part.setElement(token.getToken());
            }
        } else {
            // Unknown implementation type: record a policy failure rather
            // than silently leaving the token unsigned.
            unassertPolicy(supportingToken.getToken(), "UnsupportedTokenInSupportingToken: " + tempTok);
        }
        if (part != null) {
            sigParts.add(part);
        }
    }
}

Example 9 with WSEncryptionPart

Use of org.apache.wss4j.common.WSEncryptionPart in the Apache CXF project.

Method AsymmetricBindingHandler.encryptTokensInSecurityHeader (second encryption pass over the signature and supporting tokens).

/**
 * Runs a second encryption pass over the parts of the security header that
 * must not travel in the clear once the main signature exists: the signature
 * element (and any SignatureConfirmation elements) when the binding has the
 * EncryptSignature assertion, plus, on the requestor side, the supporting
 * tokens queued in {@code encryptedTokensList}.
 * <p>
 * Encrypting the signature keeps the SignatureValue and the reference digests
 * away from an eavesdropper; digests over encrypted-but-guessable content can
 * otherwise be used to confirm guesses about the plaintext.
 *
 * @param encryptionToken the token whose DerivedKeys setting selects
 *                        derived-key encryption
 * @param encrBase        the encryptor already used for the body/parts;
 *                        expected to be a WSSecDKEncrypt or a WSSecEncrypt
 */
private void encryptTokensInSecurityHeader(AbstractToken encryptionToken, WSSecBase encrBase) {
    final List<WSEncryptionPart> headerParts = new ArrayList<>();
    if (abinding.isEncryptSignature()) {
        assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
        // mainSigId / bottomUpElement identify the signature produced earlier;
        // without a signature there is nothing to protect here.
        if (mainSigId != null) {
            WSEncryptionPart signaturePart = new WSEncryptionPart(mainSigId, "Element");
            signaturePart.setElement(bottomUpElement);
            headerParts.add(signaturePart);
        }
        if (sigConfList != null && !sigConfList.isEmpty()) {
            headerParts.addAll(sigConfList);
        }
    }
    // Supporting tokens marked for encryption are only present on the requestor side.
    if (isRequestor()) {
        headerParts.addAll(encryptedTokensList);
    }
    if (headerParts.isEmpty()) {
        return;
    }
    final boolean derivedKeysRequired = encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys;
    if (derivedKeysRequired && encrBase instanceof WSSecDKEncrypt) {
        final WSSecDKEncrypt dkEncrypt = (WSSecDKEncrypt) encrBase;
        try {
            // The derived-key encryptor builds its own ReferenceList and
            // places it after the DerivedKeyToken.
            Element headerRefList = dkEncrypt.encryptForExternalRef(null, headerParts);
            if (headerRefList != null) {
                dkEncrypt.addExternalRefElement(headerRefList);
            }
        } catch (WSSecurityException ex) {
            LOG.log(Level.FINE, ex.getMessage(), ex);
            throw new Fault(ex);
        }
        return;
    }
    if (encrBase instanceof WSSecEncrypt) {
        final WSSecEncrypt encrypt = (WSSecEncrypt) encrBase;
        try {
            // Create an empty xenc:ReferenceList, position it next to the
            // EncryptedKey (or at the bottom of the header when there is
            // none), then let the encryptor fill it in.
            Element headerRefList = saaj.getSOAPPart().createElementNS(WSS4JConstants.ENC_NS, WSS4JConstants.ENC_PREFIX + ":ReferenceList");
            if (lastEncryptedKeyElement == null) {
                this.insertBeforeBottomUp(headerRefList);
            } else {
                insertAfter(headerRefList, lastEncryptedKeyElement);
            }
            encrypt.encryptForRef(headerRefList, headerParts);
        } catch (WSSecurityException ex) {
            LOG.log(Level.FINE, ex.getMessage(), ex);
            throw new Fault(ex);
        }
        return;
    }
    // NOTE(review): any other encryptor type reaches this point and the
    // collected parts stay in the clear without an error, even though
    // ENCRYPT_SIGNATURE was asserted above. Presumably callers only ever pass
    // the two types handled here — confirm against doEncryption().
}

Example 10 with WSEncryptionPart

Use of org.apache.wss4j.common.WSEncryptionPart in the Apache CXF project.

Method AsymmetricBindingHandler.doSignBeforeEncrypt (the SignBeforeEncrypting protection order of the asymmetric binding).

/**
 * Builds the security header in the SignBeforeEncrypting order of the
 * asymmetric binding: attach the initiator token if needed, sign the
 * timestamp, supporting tokens and policy-selected parts, then encrypt the
 * policy-selected parts and, when EncryptSignature is set, the signature
 * itself so that it is not visible on the wire.
 * <p>
 * Any failure is logged (message at WARNING, stack trace at FINE) and
 * rethrown as a {@link Fault}, so a message is never sent half-protected.
 */
private void doSignBeforeEncrypt() {
    try {
        // A dedicated InitiatorSignatureToken wins; otherwise the generic
        // InitiatorToken is used for signing.
        AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
        if (initiatorWrapper == null) {
            initiatorWrapper = abinding.getInitiatorToken();
        }
        assertTokenWrapper(initiatorWrapper);
        // Tracks whether the signing token was physically added to the header.
        boolean attached = false;
        if (initiatorWrapper != null) {
            AbstractToken initiatorToken = initiatorWrapper.getToken();
            if (initiatorToken instanceof IssuedToken) {
                // The issued token must already be in the token store; without
                // it there is nothing to sign with, so fail the policy and stop.
                SecurityToken secToken = getSecurityToken();
                if (secToken == null) {
                    unassertPolicy(initiatorToken, "Security token is not found or expired");
                    return;
                } else if (isTokenRequired(initiatorToken.getIncludeTokenType())) {
                    Element el = secToken.getToken();
                    this.addEncryptedKeyElement(cloneElement(el));
                    attached = true;
                }
            } else if (initiatorToken instanceof SamlToken && isRequestor()) {
                // Client side: create the SAML assertion, add it to the header
                // if the IncludeToken setting requires it, and remember it.
                SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) initiatorToken);
                if (assertionWrapper != null && isTokenRequired(initiatorToken.getIncludeTokenType())) {
                    Element envelope = saaj.getSOAPPart().getEnvelope();
                    envelope = (Element) DOMUtils.getDomElement(envelope);
                    addSupportingElement(assertionWrapper.toDOM(envelope.getOwnerDocument()));
                    storeAssertionAsSecurityToken(assertionWrapper);
                }
            } else if (initiatorToken instanceof SamlToken) {
                // Service side: the assertion must have arrived with the request.
                String tokenId = getSAMLToken();
                if (tokenId == null) {
                    unassertPolicy(initiatorToken, "Security token is not found or expired");
                    return;
                }
            }
            assertToken(initiatorToken);
        }
        // Add timestamp
        List<WSEncryptionPart> sigs = new ArrayList<>();
        if (timestampEl != null) {
            WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
            sigs.add(timestampPart);
        }
        // Signed supporting tokens, then the SignedParts/SignedElements from policy.
        addSupportingTokens(sigs);
        sigs.addAll(this.getSignedParts(null));
        if (isRequestor() && initiatorWrapper != null) {
            doSignature(initiatorWrapper, sigs, attached);
            doEndorse();
        } else if (!isRequestor()) {
            // confirm sig
            // Service side: echo the request's signature(s) via
            // SignatureConfirmation (added to sigs so it is itself signed),
            // then sign with the recipient token.
            addSignatureConfirmation(sigs);
            AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
            if (recipientSignatureToken == null) {
                recipientSignatureToken = abinding.getRecipientToken();
            }
            if (recipientSignatureToken != null) {
                assertTokenWrapper(recipientSignatureToken);
                assertToken(recipientSignatureToken.getToken());
                doSignature(recipientSignatureToken, sigs, attached);
            }
        }
        List<WSEncryptionPart> enc = getEncryptedParts();
        // Check for signature protection
        if (abinding.isEncryptSignature()) {
            // Encrypt the Signature element just produced (mainSigId /
            // bottomUpElement) and any SignatureConfirmation elements, so the
            // SignatureValue and digests are not exposed.
            if (mainSigId != null) {
                WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
                sigPart.setElement(bottomUpElement);
                enc.add(sigPart);
            }
            if (sigConfList != null && !sigConfList.isEmpty()) {
                enc.addAll(sigConfList);
            }
            assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
        }
        // Do encryption
        // The encryption token is the peer's: the recipient's on the client,
        // the initiator's on the service (falling back to the generic token).
        AbstractTokenWrapper encToken;
        if (isRequestor()) {
            enc.addAll(encryptedTokensList);
            encToken = abinding.getRecipientEncryptionToken();
            if (encToken == null) {
                encToken = abinding.getRecipientToken();
            }
        } else {
            encToken = abinding.getInitiatorEncryptionToken();
            if (encToken == null) {
                encToken = abinding.getInitiatorToken();
            }
        }
        // NOTE(review): doEncryption is invoked even when encToken is null;
        // presumably it handles that case itself — confirm.
        doEncryption(encToken, enc, false);
        if (encToken != null) {
            assertTokenWrapper(encToken);
            assertToken(encToken.getToken());
        }
    } catch (Exception e) {
        String reason = e.getMessage();
        LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason);
        LOG.log(Level.FINE, e.getMessage(), e);
        throw new Fault(e);
    }
}
