Example 6 with BinarySecurity
use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.
the class AbstractSupportingTokenPolicyValidator method processX509Tokens.
/**
* Process X509 Tokens.
*/
protected boolean processX509Tokens(PolicyValidatorParameters parameters, boolean derived) {
List<WSSecurityEngineResult> tokenResults = null;
if (parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
tokenResults = new ArrayList<>();
for (WSSecurityEngineResult wser : parameters.getResults().getActionResults().get(WSConstants.BST)) {
BinarySecurity binarySecurity = (BinarySecurity) wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
tokenResults.add(wser);
}
}
}
if (tokenResults == null || tokenResults.isEmpty()) {
return false;
}
if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage())) {
return false;
}
if (isEncrypted() && !areTokensEncrypted(tokenResults, parameters.getEncryptedResults())) {
return false;
}
if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
for (WSSecurityEngineResult wser : tokenResults) {
WSSecurityEngineResult resultToStore = processX509DerivedTokenResult(wser, parameters.getResults());
if (resultToStore != null) {
dktResults.add(resultToStore);
}
}
tokenResults.addAll(dktResults);
}
if (isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(), parameters.getMessage(), parameters.getTimestampElement())) {
return false;
}
return validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage());
}
Also used :
BinarySecurity(org.apache.wss4j.common.token.BinarySecurity)
PKIPathSecurity(org.apache.wss4j.common.token.PKIPathSecurity)
ArrayList(java.util.ArrayList)
WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)
X509Security(org.apache.wss4j.common.token.X509Security)
Example 7 with BinarySecurity
use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.
the class DoubleItBSTImpl method doubleIt.
public int doubleIt(int numberToDouble) throws DoubleItFault {
if (numberToDouble == 0) {
throw new DoubleItFault("0 can't be doubled!");
}
List<WSHandlerResult> results = CastUtils.cast((List<?>) wsContext.getMessageContext().get(WSHandlerConstants.RECV_RESULTS));
Assert.assertNotNull("Security Results cannot be null", results);
Assert.assertFalse(results.isEmpty());
WSHandlerResult result = results.get(0);
List<WSSecurityEngineResult> securityResults = result.getResults();
Assert.assertNotNull("Security Results cannot be null", securityResults);
Assert.assertFalse(securityResults.isEmpty());
WSSecurityEngineResult securityResult = securityResults.get(0);
BinarySecurity binarySecurityToken = (BinarySecurity) securityResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
Assert.assertNotNull(binarySecurityToken);
Assert.assertArrayEquals(binarySecurityToken.getToken(), "This is a token".getBytes());
return numberToDouble * 2;
}
Also used :
BinarySecurity(org.apache.wss4j.common.token.BinarySecurity)
DoubleItFault(org.example.contract.doubleit.DoubleItFault)
WSHandlerResult(org.apache.wss4j.dom.handler.WSHandlerResult)
WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)
Example 8 with BinarySecurity
use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.
the class CustomBSTTokenProvider method createToken.
public TokenProviderResponse createToken(TokenProviderParameters tokenParameters) {
try {
Document doc = DOMUtils.getEmptyDocument();
// Mock up a BinarySecurityToken
String id = "BST-1234";
BinarySecurity bst = new BinarySecurity(doc);
bst.addWSSENamespace();
bst.addWSUNamespace();
bst.setID(id);
bst.setValueType(TOKEN_TYPE);
bst.setEncodingType(BASE64_NS);
bst.setToken("12345678".getBytes());
TokenProviderResponse response = new TokenProviderResponse();
response.setToken(bst.getElement());
response.setTokenId(id);
return response;
} catch (Exception e) {
e.printStackTrace();
throw new STSException("Can't serialize SAML assertion", e, STSException.REQUEST_FAILED);
}
}
Also used :
BinarySecurity(org.apache.wss4j.common.token.BinarySecurity)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse)
Document(org.w3c.dom.Document)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
Example 9 with BinarySecurity
use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.
the class AbstractBindingBuilder method addSignatureParts.
protected void addSignatureParts(List<SupportingToken> tokenList, List<WSEncryptionPart> sigParts) {
boolean useSTRTransform = MessageUtils.getContextualBoolean(message, SecurityConstants.USE_STR_TRANSFORM, true);
for (SupportingToken supportingToken : tokenList) {
Object tempTok = supportingToken.getTokenImplementation();
WSEncryptionPart part = null;
if (tempTok instanceof WSSecSignature) {
WSSecSignature tempSig = (WSSecSignature) tempTok;
SecurityTokenReference secRef = tempSig.getSecurityTokenReference();
if (WSS4JConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType()) || WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) {
Element secRefElement = cloneElement(secRef.getElement());
addSupportingElement(secRefElement);
part = new WSEncryptionPart("STRTransform", null, "Element");
part.setId(tempSig.getSecurityTokenReferenceURI());
part.setElement(secRefElement);
} else {
if (tempSig.getBSTTokenId() != null) {
part = new WSEncryptionPart(tempSig.getBSTTokenId());
part.setElement(tempSig.getBinarySecurityTokenElement());
}
}
} else if (tempTok instanceof WSSecUsernameToken) {
WSSecUsernameToken unt = (WSSecUsernameToken) tempTok;
part = new WSEncryptionPart(unt.getId());
part.setElement(unt.getUsernameTokenElement());
} else if (tempTok instanceof BinarySecurity) {
BinarySecurity bst = (BinarySecurity) tempTok;
part = new WSEncryptionPart(bst.getID());
part.setElement(bst.getElement());
} else if (tempTok instanceof SamlAssertionWrapper) {
SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) tempTok;
Document doc = assertionWrapper.getElement().getOwnerDocument();
boolean saml1 = assertionWrapper.getSaml1() != null;
if (useSTRTransform) {
// TODO We only support using a KeyIdentifier for the moment
SecurityTokenReference secRef = createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false);
Element clone = cloneElement(secRef.getElement());
addSupportingElement(clone);
part = new WSEncryptionPart("STRTransform", null, "Element");
part.setId(secRef.getID());
part.setElement(clone);
} else {
part = new WSEncryptionPart(assertionWrapper.getId());
part.setElement(assertionWrapper.getElement());
}
} else if (tempTok instanceof WSSecurityTokenHolder) {
SecurityToken token = ((WSSecurityTokenHolder) tempTok).getToken();
String tokenType = token.getTokenType();
if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType) || WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
Document doc = token.getToken().getOwnerDocument();
boolean saml1 = WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType);
String id = token.getId();
if (id == null || "".equals(id)) {
if (saml1) {
id = token.getToken().getAttributeNS(null, "AssertionID");
} else {
id = token.getToken().getAttributeNS(null, "ID");
}
}
if (useSTRTransform) {
SecurityTokenReference secRef = createSTRForSamlAssertion(doc, id, saml1, false);
Element clone = cloneElement(secRef.getElement());
addSupportingElement(clone);
part = new WSEncryptionPart("STRTransform", null, "Element");
part.setId(secRef.getID());
part.setElement(clone);
} else {
part = new WSEncryptionPart(id);
part.setElement(token.getToken());
}
} else {
String id = XMLUtils.getIDFromReference(token.getId());
part = new WSEncryptionPart(id);
part.setElement(token.getToken());
}
} else {
unassertPolicy(supportingToken.getToken(), "UnsupportedTokenInSupportingToken: " + tempTok);
}
if (part != null) {
sigParts.add(part);
}
}
}
Also used :
WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart)
BinarySecurity(org.apache.wss4j.common.token.BinarySecurity)
WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature)
Element(org.w3c.dom.Element)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
Document(org.w3c.dom.Document)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
Example 10 with BinarySecurity
use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.
the class AbstractBindingBuilder method getEncryptedKeyBuilder.
protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token, SecretKey symmetricKey) throws WSSecurityException {
WSSecEncryptedKey encrKey = new WSSecEncryptedKey(secHeader);
encrKey.setIdAllocator(wssConfig.getIdAllocator());
encrKey.setCallbackLookup(callbackLookup);
encrKey.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
encrKey.setStoreBytesInAttachment(storeBytesInAttachment);
Crypto crypto = getEncryptionCrypto();
message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
setKeyIdentifierType(encrKey, token);
boolean alsoIncludeToken = false;
// Find out do we also need to include the token as per the Inclusion requirement
if (token instanceof X509Token && token.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER && encrKey.getKeyIdentifierType() != WSConstants.BST_DIRECT_REFERENCE) {
alsoIncludeToken = true;
}
String encrUser = setEncryptionUser(encrKey, token, false, crypto);
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
encrKey.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
encrKey.setMGFAlgorithm(algType.getMGFAlgo());
encrKey.prepare(crypto, symmetricKey);
if (alsoIncludeToken) {
X509Certificate encCert = getEncryptCert(crypto, encrUser);
BinarySecurity bstToken = new X509Security(saaj.getSOAPPart());
((X509Security) bstToken).setX509Certificate(encCert);
bstToken.addWSUNamespace();
bstToken.setID(wssConfig.getIdAllocator().createSecureId("X509-", encCert));
WSSecurityUtil.prependChildElement(secHeader.getSecurityHeaderElement(), bstToken.getElement());
bstElement = bstToken.getElement();
}
return encrKey;
}
Also used :
Crypto(org.apache.wss4j.common.crypto.Crypto)
WSSecEncryptedKey(org.apache.wss4j.dom.message.WSSecEncryptedKey)
BinarySecurity(org.apache.wss4j.common.token.BinarySecurity)
X509Token(org.apache.wss4j.policy.model.X509Token)
AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)
AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)
X509Certificate(java.security.cert.X509Certificate)
X509Security(org.apache.wss4j.common.token.X509Security)
Aggregations
BinarySecurity (org.apache.wss4j.common.token.BinarySecurity)18
X509Security (org.apache.wss4j.common.token.X509Security)11
X509Certificate (java.security.cert.X509Certificate)9
WSSecurityEngineResult (org.apache.wss4j.dom.engine.WSSecurityEngineResult)8
Document (org.w3c.dom.Document)8
Crypto (org.apache.wss4j.common.crypto.Crypto)5
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)5
Element (org.w3c.dom.Element)5
BinarySecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType)4
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)4
PKIPathSecurity (org.apache.wss4j.common.token.PKIPathSecurity)4
Node (org.w3c.dom.Node)4
PublicKey (java.security.PublicKey)3
CallbackHandler (javax.security.auth.callback.CallbackHandler)3
STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)3
ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)3
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)3
SAMLKeyInfo (org.apache.wss4j.common.saml.SAMLKeyInfo)3
RequestData (org.apache.wss4j.dom.handler.RequestData)3
Credential (org.apache.wss4j.dom.validate.Credential)3
