Example 11 with WSSecurityException
use of org.apache.wss4j.common.ext.WSSecurityException in project ddf by codice.
the class SimpleSign method validateSignature.
public void validateSignature(Signature signature, Document doc) throws SignatureException {
RequestData requestData = new RequestData();
requestData.setSigVerCrypto(crypto.getSignatureCrypto());
WSSConfig wssConfig = WSSConfig.getNewInstance();
requestData.setWssConfig(wssConfig);
SAMLKeyInfo samlKeyInfo = null;
KeyInfo keyInfo = signature.getKeyInfo();
if (keyInfo != null) {
try {
samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, new WSDocInfo(doc)), crypto.getSignatureCrypto());
} catch (WSSecurityException e) {
throw new SignatureException("Unable to get KeyInfo.", e);
}
}
if (samlKeyInfo == null) {
throw new SignatureException("No KeyInfo supplied in the signature");
}
validateSignatureAndSamlKey(signature, samlKeyInfo);
Credential trustCredential = new Credential();
trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
trustCredential.setCertificates(samlKeyInfo.getCerts());
Validator signatureValidator = new SignatureTrustValidator();
try {
signatureValidator.validate(trustCredential, requestData);
} catch (WSSecurityException e) {
throw new SignatureException("Error validating signature", e);
}
}
Also used :
WSDocInfo(org.apache.wss4j.dom.WSDocInfo)
Credential(org.apache.wss4j.dom.validate.Credential)
BasicX509Credential(org.opensaml.security.x509.BasicX509Credential)
SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo)
WSSConfig(org.apache.wss4j.dom.engine.WSSConfig)
KeyInfo(org.opensaml.xmlsec.signature.KeyInfo)
SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo)
RequestData(org.apache.wss4j.dom.handler.RequestData)
SignatureTrustValidator(org.apache.wss4j.dom.validate.SignatureTrustValidator)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
WSSSAMLKeyInfoProcessor(org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor)
Validator(org.apache.wss4j.dom.validate.Validator)
SignatureValidator(org.opensaml.xmlsec.signature.support.SignatureValidator)
SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator)
SignatureTrustValidator(org.apache.wss4j.dom.validate.SignatureTrustValidator)
Example 12 with WSSecurityException
use of org.apache.wss4j.common.ext.WSSecurityException in project ddf by codice.
the class AssertionConsumerService method findCertificate.
private X509Certificate findCertificate(String alias, Crypto crypto) throws WSSecurityException {
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(alias);
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
if (certs == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_ERROR, "Unable to retrieve certificate");
}
return certs[0];
}
Also used :
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
CryptoType(org.apache.wss4j.common.crypto.CryptoType)
X509Certificate(java.security.cert.X509Certificate)
Example 13 with WSSecurityException
use of org.apache.wss4j.common.ext.WSSecurityException in project ddf by codice.
the class IdpHandler method serializeAndSign.
private String serializeAndSign(boolean isPost, boolean wantSigned, AuthnRequest authnRequest) throws ServletException {
try {
if (isPost && wantSigned) {
simpleSign.signSamlObject(authnRequest);
}
Document doc = DOMUtils.createDocument();
doc.appendChild(doc.createElement("root"));
Element requestElement = OpenSAMLUtil.toDom(authnRequest, doc);
String requestMessage = DOM2Writer.nodeToString(requestElement);
LOGGER.trace(requestMessage);
return requestMessage;
} catch (WSSecurityException e) {
LOGGER.info(UNABLE_TO_ENCODE_SAML_AUTHN_REQUEST, e);
throw new ServletException(UNABLE_TO_ENCODE_SAML_AUTHN_REQUEST);
} catch (SimpleSign.SignatureException e) {
LOGGER.info(UNABLE_TO_SIGN_SAML_AUTHN_REQUEST, e);
throw new ServletException(UNABLE_TO_SIGN_SAML_AUTHN_REQUEST);
}
}
Also used :
ServletException(javax.servlet.ServletException)
SimpleSign(ddf.security.samlp.SimpleSign)
Element(org.w3c.dom.Element)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Document(org.w3c.dom.Document)
Example 14 with WSSecurityException
use of org.apache.wss4j.common.ext.WSSecurityException in project ddf by codice.
the class GuestInterceptor method internalHandleMessage.
private void internalHandleMessage(SoapMessage message, SOAPMessage soapMessage) throws Fault {
//Check if security header exists; if not, execute GuestInterceptor logic
String actor = (String) getOption(WSHandlerConstants.ACTOR);
if (actor == null) {
actor = (String) message.getContextualProperty(SecurityConstants.ACTOR);
}
Element existingSecurityHeader = null;
try {
LOGGER.debug("Checking for security header.");
existingSecurityHeader = WSSecurityUtil.getSecurityHeader(soapMessage.getSOAPPart(), actor);
} catch (WSSecurityException e1) {
LOGGER.debug("Issue with getting security header", e1);
}
if (existingSecurityHeader != null) {
LOGGER.debug("SOAP message contains security header, no action taken by the GuestInterceptor.");
return;
}
LOGGER.debug("Current request has no security header, continuing with GuestInterceptor");
AssertionInfoMap assertionInfoMap = message.get(AssertionInfoMap.class);
boolean hasAddressingAssertion = assertionInfoMap.entrySet().stream().flatMap(p -> p.getValue().stream()).filter(info -> MetadataConstants.ADDRESSING_ASSERTION_QNAME.equals(info.getAssertion().getName())).findFirst().isPresent();
if (hasAddressingAssertion) {
createAddressing(message, soapMessage);
}
LOGGER.debug("Creating guest security token.");
HttpServletRequest request = (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
SecurityToken securityToken = createSecurityToken(request.getRemoteAddr());
message.put(SecurityConstants.TOKEN, securityToken);
if (!MessageUtils.isRequestor(message)) {
try {
message.put(Message.REQUESTOR_ROLE, true);
policyBasedWss4jOutInterceptor.handleMessage(message);
} finally {
message.remove(Message.REQUESTOR_ROLE);
}
} else {
policyBasedWss4jOutInterceptor.handleMessage(message);
}
}
Also used :
WSSecurityUtil(org.apache.wss4j.dom.util.WSSecurityUtil)
StringUtils(org.apache.commons.lang.StringUtils)
EndpointReferenceType(org.apache.cxf.ws.addressing.EndpointReferenceType)
MetadataConstants(org.apache.cxf.ws.addressing.policy.MetadataConstants)
SOAPException(javax.xml.soap.SOAPException)
STSClientConfiguration(ddf.security.sts.client.configuration.STSClientConfiguration)
LoggerFactory(org.slf4j.LoggerFactory)
XMLUtils(org.codice.ddf.platform.util.XMLUtils)
SoapBindingConstants(org.apache.cxf.binding.soap.SoapBindingConstants)
AddressingProperties(org.apache.cxf.ws.addressing.AddressingProperties)
AbstractHTTPDestination(org.apache.cxf.transport.http.AbstractHTTPDestination)
SOAPElement(javax.xml.soap.SOAPElement)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
WSS4JInInterceptor(org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor)
AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)
Fault(org.apache.cxf.interceptor.Fault)
AttributedURIType(org.apache.cxf.ws.addressing.AttributedURIType)
PolicyBasedWSS4JInInterceptor(org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
EncryptionService(ddf.security.encryption.EncryptionService)
PrincipalCollection(org.apache.shiro.subject.PrincipalCollection)
Phase(org.apache.cxf.phase.Phase)
SAAJInInterceptor(org.apache.cxf.binding.soap.saaj.SAAJInInterceptor)
ContextPolicyManager(org.codice.ddf.security.policy.context.ContextPolicyManager)
PolicyBasedWSS4JOutInterceptor(org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor)
SecurityAssertion(ddf.security.assertion.SecurityAssertion)
Logger(org.slf4j.Logger)
Security(org.codice.ddf.security.common.Security)
Message(org.apache.cxf.message.Message)
WSHandlerConstants(org.apache.wss4j.dom.handler.WSHandlerConstants)
Set(java.util.Set)
Subject(ddf.security.Subject)
UUID(java.util.UUID)
SecurityConstants(org.apache.cxf.ws.security.SecurityConstants)
TimeUnit(java.util.concurrent.TimeUnit)
SoapMessage(org.apache.cxf.binding.soap.SoapMessage)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
Element(org.w3c.dom.Element)
MessageUtils(org.apache.cxf.message.MessageUtils)
AbstractWSS4JInterceptor(org.apache.cxf.ws.security.wss4j.AbstractWSS4JInterceptor)
CacheBuilder(com.google.common.cache.CacheBuilder)
SOAPMessage(javax.xml.soap.SOAPMessage)
Cache(com.google.common.cache.Cache)
SecurityManager(ddf.security.service.SecurityManager)
SOAPFactory(javax.xml.soap.SOAPFactory)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
SOAPElement(javax.xml.soap.SOAPElement)
Element(org.w3c.dom.Element)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)
Example 15 with WSSecurityException
use of org.apache.wss4j.common.ext.WSSecurityException in project ddf by codice.
the class PaosInInterceptor method handleMessage.
@Override
public void handleMessage(Message message) throws Fault {
List authHeader = (List) ((Map) message.getExchange().getOutMessage().get(Message.PROTOCOL_HEADERS)).get("Authorization");
String authorization = null;
if (authHeader != null && authHeader.size() > 0) {
authorization = (String) authHeader.get(0);
}
InputStream content = message.getContent(InputStream.class);
String contentType = (String) message.get(Message.CONTENT_TYPE);
if (contentType == null || !contentType.contains(APPLICATION_VND_PAOS_XML)) {
return;
}
try {
SOAPPart soapMessage = SamlProtocol.parseSoapMessage(IOUtils.toString(content, Charset.forName("UTF-8")));
Iterator iterator = soapMessage.getEnvelope().getHeader().examineAllHeaderElements();
IDPEntry idpEntry = null;
String relayState = "";
String responseConsumerURL = "";
String messageId = "";
while (iterator.hasNext()) {
Element soapHeaderElement = (SOAPHeaderElement) iterator.next();
if (RELAY_STATE.equals(soapHeaderElement.getLocalName())) {
relayState = DOM2Writer.nodeToString(soapHeaderElement);
} else if (REQUEST.equals(soapHeaderElement.getLocalName()) && soapHeaderElement.getNamespaceURI().equals(URN_OASIS_NAMES_TC_SAML_2_0_PROFILES_SSO_ECP)) {
try {
soapHeaderElement = SamlProtocol.convertDomImplementation(soapHeaderElement);
Request ecpRequest = (Request) OpenSAMLUtil.fromDom(soapHeaderElement);
IDPList idpList = ecpRequest.getIDPList();
if (idpList == null) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to determine IdP server."));
}
List<IDPEntry> idpEntrys = idpList.getIDPEntrys();
if (idpEntrys == null || idpEntrys.size() == 0) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to determine IdP server."));
}
//choose the right entry, probably need to do something better than select the first one
//but the spec doesn't specify how this is supposed to be done
idpEntry = idpEntrys.get(0);
} catch (WSSecurityException e) {
//TODO figure out IdP alternatively
LOGGER.info("Unable to determine IdP appropriately. ECP connection will fail. SP may be incorrectly configured. Contact the administrator for the remote system.");
}
} else if (REQUEST.equals(soapHeaderElement.getLocalName()) && soapHeaderElement.getNamespaceURI().equals(URN_LIBERTY_PAOS_2003_08)) {
responseConsumerURL = soapHeaderElement.getAttribute(RESPONSE_CONSUMER_URL);
messageId = soapHeaderElement.getAttribute(MESSAGE_ID);
}
}
if (idpEntry == null) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to determine IdP server."));
}
String token = createToken(authorization);
checkAuthnRequest(soapMessage);
Element authnRequestElement = SamlProtocol.getDomElement(soapMessage.getEnvelope().getBody().getFirstChild());
String loc = idpEntry.getLoc();
String soapRequest = buildSoapMessage(token, relayState, authnRequestElement, null);
HttpResponseWrapper httpResponse = getHttpResponse(loc, soapRequest, null);
InputStream httpResponseContent = httpResponse.content;
SOAPPart idpSoapResponse = SamlProtocol.parseSoapMessage(IOUtils.toString(httpResponseContent, Charset.forName("UTF-8")));
Iterator responseHeaderElements = idpSoapResponse.getEnvelope().getHeader().examineAllHeaderElements();
String newRelayState = "";
while (responseHeaderElements.hasNext()) {
SOAPHeaderElement soapHeaderElement = (SOAPHeaderElement) responseHeaderElements.next();
if (RESPONSE.equals(soapHeaderElement.getLocalName())) {
String assertionConsumerServiceURL = soapHeaderElement.getAttribute(ASSERTION_CONSUMER_SERVICE_URL);
if (!responseConsumerURL.equals(assertionConsumerServiceURL)) {
String soapFault = buildSoapFault(ECP_RESPONSE, "The responseConsumerURL does not match the assertionConsumerServiceURL.");
httpResponse = getHttpResponse(responseConsumerURL, soapFault, null);
message.setContent(InputStream.class, httpResponse.content);
return;
}
} else if (RELAY_STATE.equals(soapHeaderElement.getLocalName())) {
newRelayState = DOM2Writer.nodeToString(soapHeaderElement);
if (StringUtils.isNotEmpty(relayState) && !relayState.equals(newRelayState)) {
LOGGER.debug("RelayState does not match between ECP request and response");
}
if (StringUtils.isNotEmpty(relayState)) {
newRelayState = relayState;
}
}
}
checkSamlpResponse(idpSoapResponse);
Element samlpResponseElement = SamlProtocol.getDomElement(idpSoapResponse.getEnvelope().getBody().getFirstChild());
Response paosResponse = null;
if (StringUtils.isNotEmpty(messageId)) {
paosResponse = getPaosResponse(messageId);
}
String soapResponse = buildSoapMessage(null, newRelayState, samlpResponseElement, paosResponse);
httpResponse = getHttpResponse(responseConsumerURL, soapResponse, message.getExchange().getOutMessage());
if (httpResponse.statusCode < 400) {
httpResponseContent = httpResponse.content;
message.setContent(InputStream.class, httpResponseContent);
} else {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection due to an error."));
}
} catch (IOException e) {
LOGGER.debug("Error encountered while performing ECP handshake.", e);
} catch (XMLStreamException | SOAPException e) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. The server's response was not in the correct format."));
} catch (WSSecurityException e) {
throw new Fault(new AccessDeniedException("Unable to complete SAML ECP connection. Unable to send SOAP request messages."));
}
}
Also used :
SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement)
AccessDeniedException(org.apache.cxf.interceptor.security.AccessDeniedException)
ByteArrayInputStream(java.io.ByteArrayInputStream)
InputStream(java.io.InputStream)
SOAPHeaderElement(javax.xml.soap.SOAPHeaderElement)
Element(org.w3c.dom.Element)
AuthnRequest(org.opensaml.saml.saml2.core.AuthnRequest)
HttpRequest(com.google.api.client.http.HttpRequest)
Request(org.opensaml.saml.saml2.ecp.Request)
IDPList(org.opensaml.saml.saml2.core.IDPList)
Fault(org.apache.cxf.interceptor.Fault)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
IOException(java.io.IOException)
HttpResponse(com.google.api.client.http.HttpResponse)
Response(ddf.security.liberty.paos.Response)
XMLStreamException(javax.xml.stream.XMLStreamException)
SOAPException(javax.xml.soap.SOAPException)
SOAPPart(javax.xml.soap.SOAPPart)
Iterator(java.util.Iterator)
IDPList(org.opensaml.saml.saml2.core.IDPList)
List(java.util.List)
IDPEntry(org.opensaml.saml.saml2.core.IDPEntry)
Aggregations
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)44
IOException (java.io.IOException)16
X509Certificate (java.security.cert.X509Certificate)13
RequestData (org.apache.wss4j.dom.handler.RequestData)13
Credential (org.apache.wss4j.dom.validate.Credential)12
Document (org.w3c.dom.Document)12
BinarySecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType)11
Crypto (org.apache.wss4j.common.crypto.Crypto)11
STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)10
ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)10
TokenValidatorResponse (org.apache.cxf.sts.token.validator.TokenValidatorResponse)10
XMLObject (org.opensaml.core.xml.XMLObject)7
AuthnRequest (org.opensaml.saml.saml2.core.AuthnRequest)7
Element (org.w3c.dom.Element)7
X500Principal (javax.security.auth.x500.X500Principal)6
XMLStreamException (javax.xml.stream.XMLStreamException)6
ByteArrayInputStream (java.io.ByteArrayInputStream)5
CallbackHandler (javax.security.auth.callback.CallbackHandler)5
TokenValidatorParameters (org.apache.cxf.sts.token.validator.TokenValidatorParameters)5
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)5
