Example 16 with BinarySecurity
use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.
the class AbstractSupportingTokenPolicyValidator method processKerberosTokens.
/**
* Process Kerberos Tokens.
*/
protected boolean processKerberosTokens(PolicyValidatorParameters parameters, boolean derived) {
List<WSSecurityEngineResult> tokenResults = null;
if (parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
tokenResults = new ArrayList<>();
for (WSSecurityEngineResult wser : parameters.getResults().getActionResults().get(WSConstants.BST)) {
BinarySecurity binarySecurity = (BinarySecurity) wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof KerberosSecurity) {
tokenResults.add(wser);
}
}
}
if (tokenResults == null || tokenResults.isEmpty()) {
return false;
}
if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage())) {
return false;
}
if (isEncrypted() && !areTokensEncrypted(tokenResults, parameters.getEncryptedResults())) {
return false;
}
if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
for (WSSecurityEngineResult wser : tokenResults) {
byte[] secret = (byte[]) wser.get(WSSecurityEngineResult.TAG_SECRET);
WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret, parameters.getResults());
if (dktResult != null) {
dktResults.add(dktResult);
}
}
tokenResults.addAll(dktResults);
}
if (isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(), parameters.getMessage(), parameters.getTimestampElement())) {
return false;
}
return validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage());
}
Also used :
KerberosSecurity(org.apache.wss4j.dom.message.token.KerberosSecurity)
BinarySecurity(org.apache.wss4j.common.token.BinarySecurity)
ArrayList(java.util.ArrayList)
WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)
Example 17 with BinarySecurity
use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.
the class X509TokenPolicyValidator method checkTokenType.
/**
* Check that at least one received token matches the token type.
*/
private boolean checkTokenType(TokenType tokenType, List<WSSecurityEngineResult> bstResults, List<WSSecurityEngineResult> signedResults) {
if ((bstResults == null || bstResults.isEmpty()) && signedResults.isEmpty()) {
return false;
}
String requiredType = X509_V3_VALUETYPE;
boolean v3certRequired = false;
if (tokenType == TokenType.WssX509PkiPathV1Token10 || tokenType == TokenType.WssX509PkiPathV1Token11) {
requiredType = PKI_VALUETYPE;
} else if (tokenType == TokenType.WssX509V3Token10 || tokenType == TokenType.WssX509V3Token11) {
v3certRequired = true;
}
if (bstResults != null) {
for (WSSecurityEngineResult result : bstResults) {
BinarySecurity binarySecurityToken = (BinarySecurity) result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurityToken != null && requiredType.equals(binarySecurityToken.getValueType())) {
if (v3certRequired && binarySecurityToken instanceof X509Security) {
try {
X509Certificate cert = ((X509Security) binarySecurityToken).getX509Certificate(null);
if (cert != null && cert.getVersion() == 3) {
return true;
}
} catch (WSSecurityException e) {
LOG.log(Level.FINE, e.getMessage());
}
} else {
return true;
}
}
}
}
// Maybe the X.509 token was included as a KeyIdentifier
if (X509_V3_VALUETYPE.equals(requiredType)) {
for (WSSecurityEngineResult result : signedResults) {
STRParser.REFERENCE_TYPE referenceType = (STRParser.REFERENCE_TYPE) result.get(WSSecurityEngineResult.TAG_X509_REFERENCE_TYPE);
if (STRParser.REFERENCE_TYPE.KEY_IDENTIFIER == referenceType) {
Element signatureElement = (Element) result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
Element keyIdentifier = getKeyIdentifier(signatureElement);
if (keyIdentifier != null && X509_V3_VALUETYPE.equals(keyIdentifier.getAttributeNS(null, "ValueType"))) {
try {
X509Security token = new X509Security(keyIdentifier, new BSPEnforcer(true));
X509Certificate cert = token.getX509Certificate(null);
if (cert != null && cert.getVersion() == 3) {
return true;
}
} catch (WSSecurityException e) {
LOG.log(Level.FINE, e.getMessage());
}
}
}
}
}
return false;
}
Also used :
STRParser(org.apache.wss4j.dom.str.STRParser)
BinarySecurity(org.apache.wss4j.common.token.BinarySecurity)
Element(org.w3c.dom.Element)
BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)
X509Security(org.apache.wss4j.common.token.X509Security)
X509Certificate(java.security.cert.X509Certificate)
Example 18 with BinarySecurity
use of org.apache.wss4j.common.token.BinarySecurity in project cxf by apache.
the class DummyTokenProvider method createToken.
public TokenProviderResponse createToken(TokenProviderParameters tokenParameters) {
try {
Document doc = DOMUtils.getEmptyDocument();
// Mock up a dummy BinarySecurityToken
String id = "BST-1234";
BinarySecurity bst = new BinarySecurity(doc);
bst.addWSSENamespace();
bst.addWSUNamespace();
bst.setID(id);
bst.setValueType(TOKEN_TYPE);
bst.setEncodingType(BASE64_NS);
bst.setToken("12345678".getBytes());
TokenProviderResponse response = new TokenProviderResponse();
response.setToken(bst.getElement());
response.setTokenId(id);
if (tokenParameters.isEncryptToken()) {
Element el = TokenProviderUtils.encryptToken(bst.getElement(), response.getTokenId(), tokenParameters.getStsProperties(), tokenParameters.getEncryptionProperties(), tokenParameters.getKeyRequirements(), tokenParameters.getMessageContext());
response.setToken(el);
} else {
response.setToken(bst.getElement());
}
return response;
} catch (Exception e) {
throw new STSException("Can't serialize SAML assertion", e, STSException.REQUEST_FAILED);
}
}
Also used :
BinarySecurity(org.apache.wss4j.common.token.BinarySecurity)
Element(org.w3c.dom.Element)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse)
Document(org.w3c.dom.Document)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
Aggregations
BinarySecurity (org.apache.wss4j.common.token.BinarySecurity)18
X509Security (org.apache.wss4j.common.token.X509Security)11
X509Certificate (java.security.cert.X509Certificate)9
WSSecurityEngineResult (org.apache.wss4j.dom.engine.WSSecurityEngineResult)8
Document (org.w3c.dom.Document)8
Crypto (org.apache.wss4j.common.crypto.Crypto)5
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)5
Element (org.w3c.dom.Element)5
BinarySecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType)4
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)4
PKIPathSecurity (org.apache.wss4j.common.token.PKIPathSecurity)4
Node (org.w3c.dom.Node)4
PublicKey (java.security.PublicKey)3
CallbackHandler (javax.security.auth.callback.CallbackHandler)3
STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)3
ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)3
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)3
SAMLKeyInfo (org.apache.wss4j.common.saml.SAMLKeyInfo)3
RequestData (org.apache.wss4j.dom.handler.RequestData)3
Credential (org.apache.wss4j.dom.validate.Credential)3
