
the class StaxCryptoCoverageChecker method checkSignedTimestamp.

/**
 * Enforces the "Timestamp must be signed" rule when {@code signTimestamp} is enabled.
 *
 * Scans the secured-element events for one that is signed and whose element path
 * is the Timestamp (as decided by {@link #isTimestamp}); unsigned events are ignored.
 *
 * @param results secured-element events for the message; every entry is cast to
 *                {@code AbstractSecuredElementSecurityEvent}, so only events of that
 *                type may be passed
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} when the rule is enabled
 *                             and no signed Timestamp event is present
 */
private void checkSignedTimestamp(List<SecurityEvent> results) throws WSSecurityException {
    if (!signTimestamp) {
        return;
    }
    boolean timestampSigned = false;
    for (SecurityEvent event : results) {
        AbstractSecuredElementSecurityEvent secured = (AbstractSecuredElementSecurityEvent) event;
        // Short-circuit: the element path is only inspected for signed events.
        if (secured.isSigned() && isTimestamp(secured.getElementPath())) {
            timestampSigned = true;
            break;
        }
    }
    if (timestampSigned) {
        return;
    }
    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                                  new Exception("The Timestamp is not signed"));
}

the class SamlTokenInterceptor method processToken.

/**
 * Validates one SAML Assertion element with WSS4J's {@code SAMLTokenProcessor}.
 *
 * Builds a {@code CXFRequestData} holding the message's callback handler (resolved from the
 * {@code SecurityConstants.CALLBACK_HANDLER} property), a fresh {@code WSSConfig}, the
 * signature-verification crypto and a {@code WSDocInfo} for the token's owner document,
 * then passes the element to the processor.
 *
 * @param tokenElement the Assertion DOM element
 * @param message      the inbound SOAP message, used for property lookup and as the message context
 * @return the processor's results for this assertion
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} if the callback handler cannot be
 *                             resolved, or whatever the processor raises while handling the token
 */
private List<WSSecurityEngineResult> processToken(Element tokenElement, final SoapMessage message) throws WSSecurityException {
    RequestData requestData = new CXFRequestData();
    Object handlerProperty = SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message);
    try {
        requestData.setCallbackHandler(SecurityUtils.getCallbackHandler(handlerProperty));
    } catch (Exception ex) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
    }
    requestData.setMsgContext(message);
    requestData.setWssConfig(WSSConfig.getNewInstance());
    requestData.setSigVerCrypto(
        getCrypto(SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES, message));
    requestData.setWsDocInfo(new WSDocInfo(tokenElement.getOwnerDocument()));
    SAMLTokenProcessor processor = new SAMLTokenProcessor();
    return processor.handleToken(tokenElement, requestData);
}

the class SamlTokenInterceptor method processToken.

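/**
 * Finds SAML Assertions in the inbound Security header and validates each one.
 *
 * Every {@code Assertion} child in the SAML 1.1 or SAML 2.0 namespace is run through
 * {@link #processToken(Element, SoapMessage)}. Its results are recorded under
 * {@code WSHandlerConstants.RECV_RESULTS}, checked against the SamlToken policy assertions
 * (SAML version, holder-of-key and sender-vouches) and, when the assertion is signed, used
 * to establish a {@code SecurityContext} if the message has none with a user principal.
 * A {@code WSSecurityException} raised while processing is turned into a SOAP fault.
 *
 * @param message the inbound SOAP message
 */
protected void processToken(SoapMessage message) {
    Header h = findSecurityHeader(message, false);
    if (h == null) {
        return;
    }
    Element el = (Element) h.getObject();
    for (Element child = DOMUtils.getFirstElement(el); child != null; child = DOMUtils.getNextElement(child)) {
        if (!isSamlAssertion(child)) {
            continue;
        }
        try {
            List<WSSecurityEngineResult> samlResults = processToken(child, message);
            if (samlResults != null) {
                recordSamlResults(message, samlResults);
            }
        } catch (WSSecurityException ex) {
            throw WSS4JUtils.createSoapFault(message, message.getVersion(), ex);
        }
    }
}

/** True when {@code element} is an {@code Assertion} in the SAML 1.1 or SAML 2.0 namespace. */
private static boolean isSamlAssertion(Element element) {
    if (!"Assertion".equals(element.getLocalName())) {
        return false;
    }
    String ns = element.getNamespaceURI();
    return WSS4JConstants.SAML_NS.equals(ns) || WSS4JConstants.SAML2_NS.equals(ns);
}

/**
 * Stores the results of one validated assertion on the message (prepended to RECV_RESULTS),
 * asserts the SamlToken policy, checks the results against it and, for a signed assertion,
 * establishes the security context.
 */
private void recordSamlResults(SoapMessage message, List<WSSecurityEngineResult> samlResults) {
    List<WSHandlerResult> results = CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
    if (results == null) {
        results = new ArrayList<>();
        message.put(WSHandlerConstants.RECV_RESULTS, results);
    }
    boolean signed = containsSignedAssertion(samlResults);
    assertTokens(message, SPConstants.SAML_TOKEN, signed);
    // The action key records whether the token was signed or not.
    Integer key = signed ? WSConstants.ST_SIGNED : WSConstants.ST_UNSIGNED;
    WSHandlerResult rResult = new WSHandlerResult(null, samlResults, Collections.singletonMap(key, samlResults));
    results.add(0, rResult);
    checkSamlTokenPolicy(message, samlResults);
    if (signed) {
        establishSecurityContext(message, samlResults);
    }
}

/** True when any result carries a signed {@code SamlAssertionWrapper}. */
private static boolean containsSignedAssertion(List<WSSecurityEngineResult> samlResults) {
    for (WSSecurityEngineResult result : samlResults) {
        SamlAssertionWrapper wrapper = (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
        if (wrapper.isSigned()) {
            return true;
        }
    }
    return false;
}

/**
 * Marks each SamlToken policy assertion as not asserted when a received assertion has the
 * wrong SAML version or fails the holder-of-key or sender-vouches checks.
 */
private void checkSamlTokenPolicy(SoapMessage message, List<WSSecurityEngineResult> samlResults) {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    // Loop-invariant: the TLS peer certificates do not change between assertions.
    Certificate[] tlsCerts = peerCertificates(message);
    for (AssertionInfo ai : PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
        SamlToken samlToken = (SamlToken) ai.getAssertion();
        for (WSSecurityEngineResult result : samlResults) {
            SamlAssertionWrapper assertionWrapper =
                (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (!checkVersion(aim, samlToken, assertionWrapper)) {
                ai.setNotAsserted("Wrong SAML Version");
            }
            // A failed holder-of-key check skips the sender-vouches check for this assertion.
            if (!DOMSAMLUtil.checkHolderOfKey(assertionWrapper, null, tlsCerts)) {
                ai.setNotAsserted("Assertion fails holder-of-key requirements");
            } else if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, null, null)) {
                ai.setNotAsserted("Assertion fails sender-vouches requirements");
            }
        }
    }
}

/** Peer certificates of the TLS session, or {@code null} when the message carries no TLSSessionInfo. */
private static Certificate[] peerCertificates(SoapMessage message) {
    TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
    return tlsInfo == null ? null : tlsInfo.getPeerCertificates();
}

/**
 * Sets a {@code DefaultSecurityContext} built from the first result's principal, unless the
 * message already has a SecurityContext with a user principal.
 */
private static void establishSecurityContext(SoapMessage message, List<WSSecurityEngineResult> samlResults) {
    // NOTE(review): the principal is taken from the first result while 'signed' reflects any
    // result; if processToken can return more than one result, confirm both refer to the same assertion.
    Principal principal = (Principal) samlResults.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
    SecurityContext sc = message.get(SecurityContext.class);
    if (sc == null || sc.getUserPrincipal() == null) {
        message.put(SecurityContext.class, new DefaultSecurityContext(principal, null));
    }
}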

the class WSS4JUtils method getReplayCache.

/**
 * Returns the ReplayCache to use for a message, or {@code null} when replay caching is off.
 *
 * The {@code booleanKey} contextual property decides whether caching applies: an explicit
 * false disables it, an explicit true enables it, and when the property is absent caching
 * is enabled only if we are not the requestor of the exchange.
 *
 * The cache instance is looked up under {@code instanceKey}, first as a contextual property
 * of the message and then on the endpoint's {@code EndpointInfo}. When neither has one, a
 * new cache is created — EH-Cache backed (named after {@code instanceKey} and the endpoint
 * name's hash code, with a freshly created temporary directory as disk-store parent) when
 * {@code WSS4JCacheUtil.isEhCacheInstalled()} says EH-Cache is available, otherwise an
 * in-memory cache — and stored on the EndpointInfo while holding its monitor.
 *
 * @param message     the message being processed
 * @param booleanKey  contextual property that enables or disables caching
 * @param instanceKey property name under which the cache instance is stored
 * @return the cache, or {@code null} when caching is disabled or no endpoint is available
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} when the temporary directory
 *                             for the disk store cannot be created
 */
public static ReplayCache getReplayCache(SoapMessage message, String booleanKey, String instanceKey) throws WSSecurityException {
    Object enabled = message.getContextualProperty(booleanKey);
    if (enabled != null) {
        if (!PropertyUtils.isTrue(enabled)) {
            return null;
        }
    } else if (MessageUtils.isRequestor(message)) {
        // Not specified: only cache when we are not the initiator of the exchange.
        return null;
    }
    ReplayCache cache = (ReplayCache) message.getContextualProperty(instanceKey);
    Endpoint ep = message.getExchange().getEndpoint();
    if (cache != null || ep == null || ep.getEndpointInfo() == null) {
        return cache;
    }
    EndpointInfo info = ep.getEndpointInfo();
    synchronized (info) {
        cache = (ReplayCache) info.getProperty(instanceKey);
        if (cache == null) {
            cache = newReplayCache(message, buildReplayCacheKey(info, instanceKey));
            info.setProperty(instanceKey, cache);
        }
    }
    return cache;
}

/** Derives the cache name from {@code instanceKey} and, when present, the endpoint name's hash code. */
private static String buildReplayCacheKey(EndpointInfo info, String instanceKey) {
    if (info.getName() == null) {
        return instanceKey;
    }
    int hash = info.getName().toString().hashCode();
    // A negative hash already carries its '-' sign, so the separator is only added otherwise.
    return hash < 0 ? instanceKey + hash : instanceKey + "-" + hash;
}

/**
 * Creates an EH-Cache backed cache when EH-Cache is reported as installed, otherwise a
 * MemoryReplayCache. The disk store lives under a new temporary directory; this relies on
 * createTempDirectory's default owner-only permissions on POSIX file systems.
 */
private static ReplayCache newReplayCache(SoapMessage message, String cacheKey) throws WSSecurityException {
    if (!WSS4JCacheUtil.isEhCacheInstalled()) {
        return new MemoryReplayCache();
    }
    Bus bus = message.getExchange().getBus();
    final Path diskstoreParent;
    try {
        diskstoreParent = Files.createTempDirectory("cxf");
    } catch (IOException ex) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
    }
    return new CXFEHCacheReplayCache(cacheKey, bus, diskstoreParent);
}

the class SimpleBatchSTSClient method decryptKey.

/**
 * Extracts the secret carried by an EncryptedKey element.
 *
 * When the encryption algorithm ends with {@code spnego#GSS_Wrap}, the Base64-decoded
 * {@code CipherValue} is returned as-is and decryption is left to the caller. Any other
 * algorithm is handed to WSS4J's {@code EncryptedKeyProcessor}, configured with a fresh
 * {@code WSSConfig}, the decryption crypto and the callback handler, and the secret from the
 * first result is returned.
 *
 * @param child the EncryptedKey element
 * @return the raw cipher bytes (SPNEGO) or the decrypted secret
 * @throws WSSecurityException with {@code ErrorCode.INVALID_SECURITY} ("noCipher") when the
 *                             SPNEGO element has no CipherData/CipherValue, or when WSS4J
 *                             processing fails
 * @throws TrustException      ("ENCRYPTED_KEY_ERROR") wrapping an IOException from processing
 */
protected byte[] decryptKey(Element child) throws TrustException, WSSecurityException {
    String encryptionAlgorithm = X509Util.getEncAlgo(child);
    boolean spnego = encryptionAlgorithm != null && encryptionAlgorithm.endsWith("spnego#GSS_Wrap");
    if (spnego) {
        // SPNEGO: hand back the decoded cipher value; it is decrypted later by the caller.
        byte[] cipherValue = readSpnegoCipherValue(child);
        if (cipherValue == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noCipher");
        }
        return cipherValue;
    }
    try {
        EncryptedKeyProcessor processor = new EncryptedKeyProcessor();
        RequestData requestData = new RequestData();
        requestData.setWssConfig(WSSConfig.getNewInstance());
        requestData.setDecCrypto(createCrypto(true));
        requestData.setCallbackHandler(createHandler());
        requestData.setWsDocInfo(new WSDocInfo(child.getOwnerDocument()));
        List<WSSecurityEngineResult> results = processor.handleToken(child, requestData);
        return (byte[]) results.get(0).get(WSSecurityEngineResult.TAG_SECRET);
    } catch (IOException e) {
        throw new TrustException("ENCRYPTED_KEY_ERROR", e, LOG);
    }
}

/**
 * Base64-decodes the text of {@code CipherData/CipherValue} (XML Encryption namespace) under
 * {@code encryptedKey}; returns {@code null} when either element is missing.
 */
private static byte[] readSpnegoCipherValue(Element encryptedKey) {
    Element cipherData = XMLUtils.getDirectChildElement(encryptedKey, "CipherData", WSS4JConstants.ENC_NS);
    if (cipherData == null) {
        return null;
    }
    Element cipherValue = XMLUtils.getDirectChildElement(cipherData, "CipherValue", WSS4JConstants.ENC_NS);
    if (cipherValue == null) {
        return null;
    }
    return Base64.getMimeDecoder().decode(DOMUtils.getContent(cipherValue));
}