
Example 56 with SamlAssertionWrapper

use of org.apache.wss4j.common.saml.SamlAssertionWrapper in project cxf by apache.

the class STSTokenValidator method validateWithSTS.

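/**
 * Validates (or, with the Issue binding, exchanges) the token carried by {@code credential}
 * against the STS.
 *
 * <p>The token is keyed by a hash: the SAML signature value for a SAML assertion, otherwise the
 * {@code hashCode()} of the username / binary security / security context token. Unless caching
 * is disabled, a cached and unexpired transformed token for that hash is returned without
 * contacting the STS. Otherwise the token is sent to the STS; when the STS returns a different
 * token it becomes the credential's transformed token and principal and is cached under the hash.
 * A hash of 0 (for example an unsigned SAML assertion) is never cached.
 *
 * @param credential the credential holding the token to validate
 * @param message    the current message; used to find the token store and the STS client
 * @return the same {@code credential}, with its transformed token and principal set when the
 *         STS returned a new token
 * @throws WSSecurityException if the STS call fails or returns no token
 */
public Credential validateWithSTS(Credential credential, Message message) throws WSSecurityException {
    try {
        SecurityToken token = new SecurityToken();
        Element tokenElement = null;
        int hash = 0;
        if (credential.getSamlAssertion() != null) {
            SamlAssertionWrapper assertion = credential.getSamlAssertion();
            // Only a signed assertion has a signature value to key the cache on.
            byte[] signatureValue = assertion.getSignatureValue();
            if (signatureValue != null && signatureValue.length > 0) {
                hash = Arrays.hashCode(signatureValue);
            }
            tokenElement = assertion.getElement();
        } else if (credential.getUsernametoken() != null) {
            tokenElement = credential.getUsernametoken().getElement();
            hash = credential.getUsernametoken().hashCode();
        } else if (credential.getBinarySecurityToken() != null) {
            tokenElement = credential.getBinarySecurityToken().getElement();
            hash = credential.getBinarySecurityToken().hashCode();
        } else if (credential.getSecurityContextToken() != null) {
            tokenElement = credential.getSecurityContextToken().getElement();
            hash = credential.getSecurityContextToken().hashCode();
        }
        token.setToken(tokenElement);

        TokenStore ts = null;
        if (!disableCaching) {
            ts = getTokenStore(message);
            if (ts == null) {
                ts = tokenStore;
            }
            // hash == 0 means there is nothing usable to key on, so the cache is bypassed.
            if (ts != null && hash != 0) {
                SecurityToken transformedToken = getTransformedToken(ts, hash);
                if (transformedToken != null && !transformedToken.isExpired()) {
                    SamlAssertionWrapper assertion = new SamlAssertionWrapper(transformedToken.getToken());
                    credential.setPrincipal(new SAMLTokenPrincipalImpl(assertion));
                    credential.setTransformedToken(assertion);
                    return credential;
                }
            }
        }
        token.setTokenHash(hash);

        STSClient c = stsClient;
        if (c == null) {
            c = STSUtils.getClient(message, "sts");
        }
        // The client may be shared across calls: its OnBehalfOf handler and username/password
        // properties are mutated per request, so serialise on it and always restore it in
        // a finally block so a failed STS call cannot leave another caller's data behind.
        synchronized (c) {
            // NOTE: process-wide system property, set unconditionally on every call.
            System.setProperty("noprint", "true");
            SecurityToken returnedToken;
            if (useIssueBinding && useOnBehalfOf) {
                c.setOnBehalfOf(new ElementCallbackHandler(tokenElement));
                try {
                    returnedToken = c.requestSecurityToken();
                } finally {
                    c.setOnBehalfOf(null);
                }
            } else if (useIssueBinding && credential.getUsernametoken() != null) {
                c.getProperties().put(SecurityConstants.USERNAME, credential.getUsernametoken().getName());
                c.getProperties().put(SecurityConstants.PASSWORD, credential.getUsernametoken().getPassword());
                try {
                    returnedToken = c.requestSecurityToken();
                } finally {
                    // Never leave the caller's credentials on the shared client, even on failure.
                    c.getProperties().remove(SecurityConstants.USERNAME);
                    c.getProperties().remove(SecurityConstants.PASSWORD);
                }
            } else {
                List<SecurityToken> tokens = c.validateSecurityToken(token);
                // An empty response must fail validation rather than throw IndexOutOfBounds.
                if (tokens == null || tokens.isEmpty()) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
                }
                returnedToken = tokens.get(0);
            }
            // Identity comparison on purpose: the STS returns the very same object when it
            // validated the token without transforming it.
            if (returnedToken != token) {
                SamlAssertionWrapper assertion = new SamlAssertionWrapper(returnedToken.getToken());
                credential.setTransformedToken(assertion);
                credential.setPrincipal(new SAMLTokenPrincipalImpl(assertion));
                if (!disableCaching && hash != 0 && ts != null) {
                    // Cache the transformed token under its own id, and the original token
                    // under the hash so the next lookup can find the transformed id.
                    ts.add(returnedToken);
                    token.setTransformedTokenIdentifier(returnedToken.getId());
                    ts.add(Integer.toString(hash), token);
                }
            }
            return credential;
        }
    } catch (RuntimeException e) {
        throw e;
    } catch (Exception e) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "invalidSAMLsecurity");
    }
}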
Also used : Element(org.w3c.dom.Element) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) IOException(java.io.IOException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) List(java.util.List) TokenStore(org.apache.cxf.ws.security.tokenstore.TokenStore) SAMLTokenPrincipalImpl(org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl)

Example 57 with SamlAssertionWrapper

use of org.apache.wss4j.common.saml.SamlAssertionWrapper in project cxf by apache.

the class AbstractBindingPolicyValidator method findCorrespondingToken.

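/**
 * Find the token corresponding to either the X509Certificate or PublicKey used to sign
 * the "signatureResult" argument.
 *
 * <p>Signature results in {@code results} are skipped. A token matches when it is an
 * X.509/PKIPath binary security token carrying the same certificate, a SAML assertion whose
 * subject key info holds the same first certificate or the same public key, or any other
 * result carrying the same public key.
 *
 * @param signatureResult the signature result; its {@code TAG_X509_CERTIFICATE} and
 *                        {@code TAG_PUBLIC_KEY} entries identify the signing credential
 * @param results the token results to search
 * @return the first matching token result, or {@code null} if none matches
 */
private WSSecurityEngineResult findCorrespondingToken(WSSecurityEngineResult signatureResult, List<WSSecurityEngineResult> results) {
    // See what was used to sign this result
    X509Certificate cert = (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    PublicKey publicKey = (PublicKey) signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
    for (WSSecurityEngineResult token : results) {
        Integer actInt = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
        // A result without an action cannot be classified below; skip it instead of NPE-ing on unboxing.
        if (actInt == null || actInt.intValue() == WSConstants.SIGN) {
            continue;
        }
        BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
            X509Certificate foundCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            if (foundCert != null && foundCert.equals(cert)) {
                return token;
            }
        } else if (actInt.intValue() == WSConstants.ST_SIGNED || actInt.intValue() == WSConstants.ST_UNSIGNED) {
            SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            SAMLKeyInfo samlKeyInfo = assertionWrapper == null ? null : assertionWrapper.getSubjectKeyInfo();
            if (samlKeyInfo != null) {
                X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
                PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
                // Guard the length too: a non-null but empty certificate array must not throw.
                boolean certMatches = cert != null && subjectCerts != null && subjectCerts.length > 0 && cert.equals(subjectCerts[0]);
                boolean keyMatches = subjectPublicKey != null && subjectPublicKey.equals(publicKey);
                if (certMatches || keyMatches) {
                    return token;
                }
            }
        } else {
            PublicKey foundPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
            if (publicKey != null && publicKey.equals(foundPublicKey)) {
                return token;
            }
        }
    }
    return null;
}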
Also used : BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) PublicKey(java.security.PublicKey) PKIPathSecurity(org.apache.wss4j.common.token.PKIPathSecurity) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) X509Certificate(java.security.cert.X509Certificate) X509Security(org.apache.wss4j.common.token.X509Security)

Example 58 with SamlAssertionWrapper

use of org.apache.wss4j.common.saml.SamlAssertionWrapper in project cxf by apache.

the class AbstractSupportingTokenPolicyValidator method checkSignatureOrEncryptionResult.

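/**
 * Check that a WSSecurityEngineResult corresponding to a signature or encryption uses the same
 * signing/encrypting credential as one of the tokens.
 *
 * <p>The credential of {@code result} is read from its {@code TAG_X509_CERTIFICATE},
 * {@code TAG_SECRET} and {@code TAG_PUBLIC_KEY} entries and compared, per token, with the
 * certificate of an X.509/PKIPath binary security token, the subject key info (certificate,
 * secret or public key) of a SAML assertion result, the public key of any other result, or
 * failing that its secret / encrypted ephemeral key.
 *
 * @param result a WSSecurityEngineResult corresponding to a signature or encryption
 * @param tokenResult a list of WSSecurityEngineResults corresponding to tokens
 * @return {@code true} if one of the token results carries the same credential, {@code false} otherwise
 */
private boolean checkSignatureOrEncryptionResult(WSSecurityEngineResult result, List<WSSecurityEngineResult> tokenResult) {
    // See what was used to sign/encrypt this result
    X509Certificate cert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    byte[] secret = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);
    PublicKey publicKey = (PublicKey) result.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
    // Now see if the same credential exists in the tokenResult list
    for (WSSecurityEngineResult token : tokenResult) {
        Integer actInt = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
        BinarySecurity binarySecurity = (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
            X509Certificate foundCert = (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            // A missing certificate on the token side must compare as "no match", not NPE.
            if (foundCert != null && foundCert.equals(cert)) {
                return true;
            }
        } else if (actInt != null && (actInt.intValue() == WSConstants.ST_SIGNED || actInt.intValue() == WSConstants.ST_UNSIGNED)) {
            SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            SAMLKeyInfo samlKeyInfo = assertionWrapper == null ? null : assertionWrapper.getSubjectKeyInfo();
            if (samlKeyInfo != null) {
                X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
                byte[] subjectSecretKey = samlKeyInfo.getSecret();
                PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
                // Guard the length too: a non-null but empty certificate array must not throw.
                boolean certMatches = cert != null && subjectCerts != null && subjectCerts.length > 0 && cert.equals(subjectCerts[0]);
                boolean secretMatches = subjectSecretKey != null && Arrays.equals(subjectSecretKey, secret);
                boolean keyMatches = subjectPublicKey != null && subjectPublicKey.equals(publicKey);
                if (certMatches || secretMatches || keyMatches) {
                    return true;
                }
            }
        } else if (publicKey != null) {
            PublicKey foundPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
            if (publicKey.equals(foundPublicKey)) {
                return true;
            }
        } else {
            byte[] foundSecret = (byte[]) token.get(WSSecurityEngineResult.TAG_SECRET);
            byte[] derivedKey = (byte[]) token.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY);
            if ((foundSecret != null && Arrays.equals(foundSecret, secret)) || (derivedKey != null && Arrays.equals(derivedKey, secret))) {
                return true;
            }
        }
    }
    return false;
}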
Also used : BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) PublicKey(java.security.PublicKey) PKIPathSecurity(org.apache.wss4j.common.token.PKIPathSecurity) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) X509Certificate(java.security.cert.X509Certificate) X509Security(org.apache.wss4j.common.token.X509Security)

Example 59 with SamlAssertionWrapper

use of org.apache.wss4j.common.saml.SamlAssertionWrapper in project cxf by apache.

the class AbstractSupportingTokenPolicyValidator method processSAMLTokens.

/**
 * Process SAML Tokens. Only signed results are supported.
 *
 * <p>The SAML results are checked against this policy's signed, encrypted and endorsing
 * requirements. When {@code derived} is set and derived-key results are present, the
 * derived-key result matching each SAML subject secret is added to the token results before
 * the endorsing check. Finally the signed/encrypted policies are validated over the
 * collected token results.
 *
 * @param parameters the validation parameters holding the SAML, signed and encrypted results
 * @param derived    whether matching derived-key results should be added to the token results
 * @return {@code true} if the SAML results satisfy this policy; {@code false} when there are
 *         no SAML results or any check fails
 */
protected boolean processSAMLTokens(PolicyValidatorParameters parameters, boolean derived) {
    if (parameters.getSamlResults().isEmpty()) {
        return false;
    }
    List<WSSecurityEngineResult> tokenResults = new ArrayList<>(parameters.getSamlResults());

    boolean signedOk = !isSigned()
        || areTokensSigned(tokenResults, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage());
    if (!signedOk) {
        return false;
    }
    boolean encryptedOk = !isEncrypted()
        || areTokensEncrypted(tokenResults, parameters.getEncryptedResults(), parameters.getMessage());
    if (!encryptedOk) {
        return false;
    }

    boolean hasDerivedKeys = derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT);
    if (hasDerivedKeys) {
        List<WSSecurityEngineResult> matchedDerivedKeys = new ArrayList<>(tokenResults.size());
        for (WSSecurityEngineResult samlResult : tokenResults) {
            SamlAssertionWrapper assertion = (SamlAssertionWrapper) samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (assertion == null || assertion.getSubjectKeyInfo() == null) {
                continue;
            }
            byte[] subjectSecret = assertion.getSubjectKeyInfo().getSecret();
            if (subjectSecret == null) {
                continue;
            }
            WSSecurityEngineResult derivedKeyResult = getMatchingDerivedKey(subjectSecret, parameters.getResults());
            if (derivedKeyResult != null) {
                matchedDerivedKeys.add(derivedKeyResult);
            }
        }
        // Appended after the scan so the loop above only walks the SAML results.
        tokenResults.addAll(matchedDerivedKeys);
    }

    boolean endorsingOk = !isEndorsing()
        || checkEndorsed(tokenResults, parameters.getSignedResults(), parameters.getMessage(), parameters.getTimestampElement());
    if (!endorsingOk) {
        return false;
    }
    return validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage());
}
Also used : ArrayList(java.util.ArrayList) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)

Example 60 with SamlAssertionWrapper

use of org.apache.wss4j.common.saml.SamlAssertionWrapper in project cxf by apache.

the class SamlTokenPolicyValidator method validatePolicies.

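/**
 * Validate policies.
 *
 * <p>Each SamlToken assertion is first marked as asserted. If the token is not required for
 * this message, the token-type QName is asserted as well and the assertion is skipped.
 * Otherwise at least one SAML result must be present, and every received assertion must have
 * the expected SAML version and pass the holder-of-key and sender-vouches checks; a failure
 * marks the assertion as not asserted with a reason, but the remaining results are still
 * checked.
 *
 * @param parameters the validation parameters (message, assertion info map, SAML and signed
 *                   results, SOAP body)
 * @param ais the SamlToken assertion infos to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SamlToken samlToken = (SamlToken) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(samlToken, parameters.getAssertionInfoMap());
        if (!isTokenRequired(samlToken, parameters.getMessage())) {
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), new QName(samlToken.getVersion().getNamespace(), samlToken.getSamlTokenType().name()));
            continue;
        }
        if (parameters.getSamlResults().isEmpty()) {
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
            continue;
        }
        // The TLS peer certificates are per message, not per result: look them up once.
        TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
        Certificate[] tlsCerts = tlsInfo != null ? tlsInfo.getPeerCertificates() : null;
        // All of the received SAML Assertions must conform to the policy
        for (WSSecurityEngineResult result : parameters.getSamlResults()) {
            SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (!checkVersion(parameters.getAssertionInfoMap(), samlToken, assertionWrapper)) {
                ai.setNotAsserted("Wrong SAML Version");
                continue;
            }
            if (!checkHolderOfKey(assertionWrapper, parameters.getSignedResults(), tlsCerts)) {
                ai.setNotAsserted("Assertion fails holder-of-key requirements");
                continue;
            }
            if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, parameters.getSoapBody(), parameters.getSignedResults())) {
                ai.setNotAsserted("Assertion fails sender-vouches requirements");
            }
        }
    }
}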
Also used : AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) QName(javax.xml.namespace.QName) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) Certificate(java.security.cert.Certificate)
