
Example 51 with WSPasswordCallback

use of org.apache.wss4j.common.ext.WSPasswordCallback in project cxf by apache.

the class AbstractWSS4JStaxInterceptor method configureCallbackHandler.

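/**
 * Resolves the {@link CallbackHandler} for this message and installs it on the supplied
 * {@link WSSSecurityProperties}.
 *
 * <p>Resolution order: the {@code SecurityConstants.CALLBACK_HANDLER} security property of
 * the message (once loaded it is cached on the endpoint info, the endpoint and the
 * exchange); failing that, a handler synthesised from the configured password and/or
 * signature password. If neither is available the security properties are left untouched.
 *
 * @param soapMessage        the message being processed
 * @param securityProperties the WSS4J properties to configure
 * @throws WSSecurityException with {@code FAILURE} if the configured handler cannot be loaded
 */
protected void configureCallbackHandler(SoapMessage soapMessage, WSSSecurityProperties securityProperties) throws WSSecurityException {
    Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, soapMessage);
    CallbackHandler callbackHandler;
    try {
        callbackHandler = SecurityUtils.getCallbackHandler(o);
    } catch (Exception ex) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
    }
    if (callbackHandler != null) {
        // Cache the resolved handler so later messages on this endpoint skip the lookup
        EndpointInfo info = soapMessage.getExchange().getEndpoint().getEndpointInfo();
        synchronized (info) {
            info.setProperty(SecurityConstants.CALLBACK_HANDLER, callbackHandler);
        }
        soapMessage.getExchange().getEndpoint().put(SecurityConstants.CALLBACK_HANDLER, callbackHandler);
        soapMessage.getExchange().put(SecurityConstants.CALLBACK_HANDLER, callbackHandler);
    } else {
        // No handler configured: if a "password" or "signature password" is set, build one
        final boolean outbound = MessageUtils.isOutbound(soapMessage);
        final String password = getPassword(soapMessage);
        final String signatureUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_USERNAME, soapMessage);
        final String signaturePassword = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PASSWORD, soapMessage);
        if (!(StringUtils.isEmpty(password) && StringUtils.isEmpty(signaturePassword))) {
            callbackHandler = new CallbackHandler() {

                /**
                 * Answers WSPasswordCallbacks: the signature password for the signature user
                 * when the usage matches the message direction, else the plain password.
                 * Non-WSPasswordCallback callbacks are ignored.
                 */
                @Override
                public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                    for (Callback callback : callbacks) {
                        if (!(callback instanceof WSPasswordCallback)) {
                            continue;
                        }
                        WSPasswordCallback wsPasswordCallback = (WSPasswordCallback) callback;
                        // SIGNATURE applies when sending, DECRYPT when receiving. This test is
                        // kept as a single grouped expression on purpose: written inline, '&&'
                        // binds tighter than '||' and the inbound DECRYPT case would match
                        // regardless of the identifier and of whether a signature password is
                        // configured, overwriting the password with null.
                        final boolean usageMatches = outbound
                            ? wsPasswordCallback.getUsage() == WSPasswordCallback.SIGNATURE
                            : wsPasswordCallback.getUsage() == WSPasswordCallback.DECRYPT;
                        if (signaturePassword != null && wsPasswordCallback.getIdentifier() != null
                            && wsPasswordCallback.getIdentifier().equals(signatureUser) && usageMatches) {
                            wsPasswordCallback.setPassword(signaturePassword);
                        } else if (password != null) {
                            wsPasswordCallback.setPassword(password);
                        }
                    }
                }
            };
        }
    }
    if (callbackHandler != null) {
        securityProperties.setCallbackHandler(callbackHandler);
    }
}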

Example 52 with WSPasswordCallback

use of org.apache.wss4j.common.ext.WSPasswordCallback in project cxf by apache.

the class STSStaxTokenValidator method verifyPlaintextPassword.

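/**
 * Verify a UsernameToken containing a plaintext password.
 *
 * <p>The expected password is obtained from the configured CallbackHandler through a
 * {@link WSPasswordCallback} of usage {@code USERNAME_TOKEN}. Authentication fails if the
 * handler throws, supplies no password, the token carries no password value, or the two
 * values differ. The comparison runs in constant time so that the response time does not
 * reveal how many leading characters of the supplied password were correct.
 *
 * @param username     the username from the token
 * @param passwordType the password element of the token (value and type)
 * @param tokenContext the validation context providing the WSS security properties
 * @throws WSSecurityException with {@code FAILED_AUTHENTICATION} on any verification failure
 */
private void verifyPlaintextPassword(String username, PasswordString passwordType, TokenContext tokenContext) throws WSSecurityException {
    WSPasswordCallback pwCb = new WSPasswordCallback(username, null, passwordType.getType(), WSPasswordCallback.USERNAME_TOKEN);
    try {
        WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), pwCb);
    } catch (WSSecurityException e) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
    }
    final String expected = pwCb.getPassword();
    final String supplied = passwordType.getValue();
    if (expected == null || supplied == null) {
        // Unknown user / no stored password, or a token with no password value: reject
        // rather than dereferencing null below.
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
    }
    // Constant-time comparison of secrets; String.equals exits at the first mismatch.
    final byte[] suppliedBytes = supplied.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    final byte[] expectedBytes = expected.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    if (!java.security.MessageDigest.isEqual(suppliedBytes, expectedBytes)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
    }
    passwordType.setValue(expected);
}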

Example 53 with WSPasswordCallback

use of org.apache.wss4j.common.ext.WSPasswordCallback in project cxf by apache.

the class STSStaxTokenValidator method verifyDigestPassword.

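/**
 * Verify a UsernameToken containing a password digest.
 *
 * <p>The stored password is obtained from the configured CallbackHandler through a
 * {@link WSPasswordCallback} of usage {@code USERNAME_TOKEN}; the expected digest is then
 * recomputed from the token's nonce and created timestamp and compared with the digest the
 * token carries. Authentication fails if the handler throws, supplies no password, the
 * token carries no digest value, or the digests differ. The digest comparison runs in
 * constant time. On success the token's value is replaced by the plaintext password.
 *
 * @param username     the username from the token
 * @param passwordType the password element of the token (digest value and type)
 * @param nonceVal     the decoded nonce from the token
 * @param created      the created timestamp from the token
 * @param tokenContext the validation context providing the WSS security properties
 * @throws WSSecurityException with {@code FAILED_AUTHENTICATION} on any verification failure
 */
private void verifyDigestPassword(String username, PasswordString passwordType, byte[] nonceVal, String created, TokenContext tokenContext) throws WSSecurityException {
    WSPasswordCallback pwCb = new WSPasswordCallback(username, null, passwordType.getType(), WSPasswordCallback.USERNAME_TOKEN);
    try {
        WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), pwCb);
    } catch (WSSecurityException e) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
    }
    final String storedPassword = pwCb.getPassword();
    final String suppliedDigest = passwordType.getValue();
    if (storedPassword == null || suppliedDigest == null) {
        // Unknown user / no stored password, or a token with no digest value: reject
        // rather than dereferencing null below.
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
    }
    final String expectedDigest = UsernameTokenUtil.doPasswordDigest(nonceVal, created, storedPassword);
    // Constant-time comparison; String.equals exits at the first mismatching character.
    final byte[] suppliedBytes = suppliedDigest.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    final byte[] expectedBytes = expectedDigest.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    if (!java.security.MessageDigest.isEqual(suppliedBytes, expectedBytes)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
    }
    passwordType.setValue(storedPassword);
}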

Example 54 with WSPasswordCallback

use of org.apache.wss4j.common.ext.WSPasswordCallback in project cxf by apache.

the class PasswordCallbackHandler method handle.

/**
 * Answers every {@link WSPasswordCallback} with the fixed password {@code "password"}.
 * The hard-coded value suggests this handler is a test fixture — confirm before reuse.
 *
 * @param callbacks the callbacks to service
 * @throws UnsupportedCallbackException if any element is not a WSPasswordCallback; callbacks
 *                                      preceding it have already been answered
 * @throws IOException never thrown here; declared by the CallbackHandler contract
 */
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (Callback cb : callbacks) {
        if (!(cb instanceof WSPasswordCallback)) {
            throw new UnsupportedCallbackException(cb, "Unrecognized Callback");
        }
        ((WSPasswordCallback) cb).setPassword("password");
    }
}

Example 55 with WSPasswordCallback

use of org.apache.wss4j.common.ext.WSPasswordCallback in project cxf by apache.

the class JWTTokenProvider method signToken.

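/**
 * Serialises the claims as a compact JWS.
 *
 * <p>When the {@code signToken} flag is set, the token is signed with the keystore entry
 * identified by the signature alias, using the signature crypto, callback handler and
 * signature properties of {@code stsProperties} — or those of {@code jwtRealm} where the
 * realm defines its own. Otherwise an unsigned ({@code alg=none}) JWS is returned.
 *
 * @param claims        the JWT claims to serialise
 * @param jwtRealm      realm-specific signature settings, may be {@code null}
 * @param stsProperties STS-wide defaults
 * @return the compact JWS string
 * @throws STSException if the key password cannot be obtained or the signature crypto is
 *                      not a Merlin keystore
 * @throws Exception    propagated from the callback handler
 */
private String signToken(JwtClaims claims, RealmProperties jwtRealm, STSPropertiesMBean stsProperties) throws Exception {
    if (!signToken) {
        JwsHeaders jwsHeaders = new JwsHeaders(SignatureAlgorithm.NONE);
        JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
        return jws.getSignedEncodedJws();
    }
    // Initialise signature objects with defaults of STSPropertiesMBean
    Crypto signatureCrypto = stsProperties.getSignatureCrypto();
    CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
    SignatureProperties signatureProperties = stsProperties.getSignatureProperties();
    String alias = stsProperties.getSignatureUsername();
    if (jwtRealm != null) {
        // A realm keystore replaces crypto, callback handler and alias together;
        // the STSPropertiesMBean values for those three are then ignored.
        if (jwtRealm.getSignatureCrypto() != null) {
            LOG.fine("SAMLRealm signature keystore used");
            signatureCrypto = jwtRealm.getSignatureCrypto();
            callbackHandler = jwtRealm.getCallbackHandler();
            alias = jwtRealm.getSignatureAlias();
        }
        // SignatureProperties can be defined independently of SignatureCrypto
        if (jwtRealm.getSignatureProperties() != null) {
            signatureProperties = jwtRealm.getSignatureProperties();
        }
    }
    // The client cannot ask for a particular signature algorithm (unlike SAML). An
    // unrecognised configured value falls back to RS256; log it so that a
    // misconfiguration does not go unnoticed.
    String signatureAlgorithm = signatureProperties.getSignatureAlgorithm();
    try {
        SignatureAlgorithm.getAlgorithm(signatureAlgorithm);
    } catch (IllegalArgumentException ex) {
        LOG.warning("Unsupported signature algorithm '" + signatureAlgorithm + "' configured, using RS256");
        signatureAlgorithm = SignatureAlgorithm.RS256.name();
    }
    // If alias not defined, get the default of the SignatureCrypto
    if ((alias == null || alias.isEmpty()) && signatureCrypto != null) {
        alias = signatureCrypto.getDefaultX509Identifier();
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Signature alias is null so using default alias: " + alias);
        }
    }
    // Obtain the key password; signing cannot proceed without one
    String password = null;
    if (callbackHandler != null) {
        WSPasswordCallback[] cb = { new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE) };
        callbackHandler.handle(cb);
        password = cb[0].getPassword();
    }
    if (password == null) {
        throw new STSException("Can't get the password", STSException.REQUEST_FAILED);
    }
    if (!(signatureCrypto instanceof Merlin)) {
        throw new STSException("Can't get the keystore", STSException.REQUEST_FAILED);
    }
    Properties signingProperties = new Properties();
    signingProperties.put(JoseConstants.RSSEC_SIGNATURE_ALGORITHM, signatureAlgorithm);
    if (alias != null) {
        signingProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, alias);
    }
    signingProperties.put(JoseConstants.RSSEC_KEY_PSWD, password);
    KeyStore keystore = ((Merlin) signatureCrypto).getKeyStore();
    signingProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
    JwsHeaders jwsHeaders = new JwsHeaders(signingProperties);
    JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
    JwsSignatureProvider sigProvider = JwsUtils.loadSignatureProvider(signingProperties, jwsHeaders);
    return jws.signWith(sigProvider);
}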
