
Example 1 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class CryptoCoverageChecker method handleMessage.

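/**
 * Checks that the WSS4J results refer to the required signed/encrypted
 * elements as defined by the XPath expressions in {@link #xPaths}.
 * <p>
 * The check is fail-closed: a message that cannot be read as a SAAJ
 * document faults even when no XPath expressions are configured, and an
 * expression that matches no element covered by the required operation
 * faults as well. An endorsing signature (a signature whose only reference
 * is the primary {@code ds:Signature}) is not credited as coverage of
 * message content. SOAP faults are exempt unless {@code checkFaults} is set.
 *
 * @param message
 *            the SOAP message containing the signature
 *
 * @throws SoapFault
 *             if the SOAP document cannot be obtained, there is an error
 *             evaluating an XPath, or an element is not covered by the
 *             required cryptographic operation
 */
public void handleMessage(SoapMessage message) throws Fault {
    final SOAPMessage saajDoc = message.getContent(SOAPMessage.class);
    if (saajDoc == null) {
        throw new SoapFault("Error obtaining SOAP document", Fault.FAULT_CODE_CLIENT);
    }
    final Element documentElement;
    try {
        SOAPEnvelope envelope = saajDoc.getSOAPPart().getEnvelope();
        if (!checkFaults && envelope.getBody().hasFault()) {
            // Fault messages are only subject to coverage checks when configured.
            return;
        }
        // Work on a plain DOM view of the envelope for XPath evaluation.
        documentElement = (Element) DOMUtils.getDomElement(envelope);
    } catch (SOAPException e) {
        // Keep the cause for server-side diagnostics; the fault text sent to the
        // client stays generic (CXF presumably only reports causes when opted in).
        throw new SoapFault("Error obtaining SOAP document", e, Fault.FAULT_CODE_CLIENT);
    }

    // A null or empty xPaths list imposes no requirement. This replaces a
    // disabled early-return: the document check above still runs first so an
    // unreadable message faults regardless of configuration, and a null list no
    // longer causes a NullPointerException on iteration.
    if (this.xPaths == null || this.xPaths.isEmpty()) {
        return;
    }

    // Collect every reference that WSS4J reports as signed or encrypted.
    final QName signatureName = new QName(WSS4JConstants.SIG_NS, WSS4JConstants.SIG_LN);
    final Collection<WSDataRef> signed = new HashSet<>();
    final Collection<WSDataRef> encrypted = new HashSet<>();
    List<WSHandlerResult> results = CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
    if (results != null) {
        for (WSHandlerResult wshr : results) {
            List<WSSecurityEngineResult> signedResults = wshr.getActionResults().get(WSConstants.SIGN);
            if (signedResults != null) {
                for (WSSecurityEngineResult signedResult : signedResults) {
                    List<WSDataRef> sl = CastUtils.cast((List<?>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
                    if (sl == null) {
                        continue;
                    }
                    // An endorsing signature only signs the primary ds:Signature, not message
                    // content, so it must not be credited as coverage. The constant is on the
                    // left so a reference without a name cannot cause a NullPointerException.
                    if (sl.size() == 1 && signatureName.equals(sl.get(0).getName())) {
                        continue;
                    }
                    signed.addAll(sl);
                }
            }
            List<WSSecurityEngineResult> encryptedResults = wshr.getActionResults().get(WSConstants.ENCR);
            if (encryptedResults != null) {
                for (WSSecurityEngineResult encryptedResult : encryptedResults) {
                    List<WSDataRef> el = CastUtils.cast((List<?>) encryptedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
                    if (el != null) {
                        encrypted.addAll(el);
                    }
                }
            }
        }
    }
    CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encrypted);

    // XPathFactory and XPath are not thread-safe so we must recreate them
    // each request.
    final XPathFactory factory = XPathFactory.newInstance();
    final XPath xpath = factory.newXPath();
    if (this.prefixMap != null) {
        xpath.setNamespaceContext(new MapNamespaceContext(this.prefixMap));
    }
    for (XPathExpression xPathExpression : this.xPaths) {
        final Collection<WSDataRef> refsToCheck;
        switch (xPathExpression.getType()) {
            case SIGNED:
                refsToCheck = signed;
                break;
            case ENCRYPTED:
                refsToCheck = encrypted;
                break;
            default:
                throw new IllegalStateException("Unexpected crypto type: " + xPathExpression.getType());
        }
        try {
            CryptoCoverageUtil.checkCoverage(documentElement, refsToCheck, xpath,
                    Arrays.asList(xPathExpression.getXPath()), xPathExpression.getType(), xPathExpression.getScope());
        } catch (WSSecurityException e) {
            // Tell the client which requirement failed; the WSS4J detail stays in the cause.
            throw new SoapFault("No " + xPathExpression.getType() + " element found matching XPath "
                    + xPathExpression.getXPath(), e, Fault.FAULT_CODE_CLIENT);
        }
    }
}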

Example 2 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class AbstractBindingPolicyValidator method isSignedBeforeEncrypted.

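/**
 * Check to see if a signature was applied before encryption.
 * Note that results are stored in the reverse order.
 * <p>
 * An endorsing signature (whose only reference is the primary
 * {@code ds:Signature}) does not count as "signed".
 *
 * @param results the WSS4J engine results, in reverse order
 * @return {@code true} if a non-endorsing signature result appears in the
 *         list before the first encryption result that has data references;
 *         {@code false} if that encryption result comes first, or there is
 *         no such encryption result
 */
private boolean isSignedBeforeEncrypted(List<WSSecurityEngineResult> results) {
    boolean signed = false;
    for (WSSecurityEngineResult result : results) {
        Integer actInt = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
        if (actInt == null) {
            // A result without an action is neither a signature nor an encryption;
            // skipping it avoids a NullPointerException on unboxing.
            continue;
        }
        List<WSDataRef> el = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (el == null) {
            // Both branches below require data references.
            continue;
        }
        int action = actInt.intValue();
        if (action == WSConstants.SIGN) {
            // Don't count an endorsing signature. The constant is on the left so a
            // reference without a name cannot cause a NullPointerException.
            boolean endorsing = el.size() == 1 && SIG_QNAME.equals(el.get(0).getName());
            if (!endorsing) {
                signed = true;
            }
        } else if (action == WSConstants.ENCR) {
            return signed;
        }
    }
    return false;
}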

Example 3 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class LayoutPolicyValidator method validateStrictSignaturePlacement.

/**
 * Checks the "Strict" layout rule for signatures: a security header token
 * that a Signature covers directly (the reference XPath has the
 * envelope/Header/wsse:Security/header shape) must not come after the
 * Signature. Results are stored in reverse order, so meeting the covered
 * token before its Signature while iterating is the violation.
 *
 * @param results all security engine results, in reverse order
 * @param signedResults the signature results to check
 * @return {@code false} as soon as a covered header token is found out of
 *         place, {@code true} otherwise
 */
private boolean validateStrictSignaturePlacement(List<WSSecurityEngineResult> results, List<WSSecurityEngineResult> signedResults) {
    for (WSSecurityEngineResult signedResult : signedResults) {
        List<WSDataRef> refs = CastUtils.cast((List<?>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        Integer action = (Integer) signedResult.get(WSSecurityEngineResult.TAG_ACTION);
        // Nothing to check without references; results with the ST_SIGNED action are skipped.
        if (refs == null || WSConstants.ST_SIGNED == action) {
            continue;
        }
        for (WSDataRef ref : refs) {
            if (!isDirectSecurityHeaderChild(ref.getXpath())) {
                continue;
            }
            if (isTokenAfterSignature(results, ref.getProtectedElement(), signedResult)) {
                return false;
            }
        }
    }
    return true;
}

/**
 * Whether a reference XPath splits into exactly five segments, the shape
 * this check expects for envelope/Header/wsse:Security/header (a leading
 * slash presumably yields an empty first segment).
 */
private static boolean isDirectSecurityHeaderChild(String xpath) {
    if (xpath == null) {
        return false;
    }
    String[] segments = StringUtils.split(xpath, "/");
    return segments.length == 5;
}

/**
 * Walks the (reverse-ordered) results and reports whether a result whose
 * token element is {@code protectedElement} is met before (or at)
 * {@code signedResult}. The walk stops at {@code signedResult} only when
 * that result carries a token element, as in the original traversal.
 */
private static boolean isTokenAfterSignature(List<WSSecurityEngineResult> results, Element protectedElement, WSSecurityEngineResult signedResult) {
    boolean tokenSeen = false;
    for (WSSecurityEngineResult candidate : results) {
        Element tokenElement = (Element) candidate.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
        if (tokenElement == protectedElement) {
            tokenSeen = true;
        }
        if (candidate == signedResult) {
            if (tokenSeen) {
                return true;
            }
            if (tokenElement != null) {
                break;
            }
        }
    }
    return false;
}

Example 4 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class SecuredElementsPolicyValidator method validatePolicies.

/**
 * Validate the RequiredElements assertions against the references WSS4J
 * reported as covered by the configured coverage type.
 * <p>
 * Each assertion is marked asserted up front and reverted to not-asserted
 * when one of its XPath expressions matches no covered element. An
 * assertion without XPath expressions therefore always holds.
 *
 * @param parameters the validation parameters, supplying the SOAP header
 *            and the collections of signed and encrypted references
 * @param ais the RequiredElements assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    // XPathFactory and XPath are not thread-safe so we must recreate them
    // each request.
    final XPath xpath = XPathFactory.newInstance().newXPath();
    final Element soapEnvelope = parameters.getSoapHeader().getOwnerDocument().getDocumentElement();
    final Collection<WSDataRef> dataRefs = coverageType == CoverageType.SIGNED
        ? parameters.getSigned() : parameters.getEncrypted();

    for (AssertionInfo ai : ais) {
        RequiredElements elements = (RequiredElements) ai.getAssertion();
        ai.setAsserted(true);
        if (elements == null || elements.getXPaths() == null || elements.getXPaths().isEmpty()) {
            continue;
        }
        // Merge the prefix maps of every XPath in this assertion into one context.
        // NOTE(review): if two XPaths bind the same prefix to different namespaces,
        // the later binding presumably applies to both expressions — policy
        // authors should keep prefixes consistent within an assertion.
        final MapNamespaceContext namespaceContext = new MapNamespaceContext();
        final List<String> expressions = new ArrayList<>();
        for (org.apache.wss4j.policy.model.XPath policyXPath : elements.getXPaths()) {
            expressions.add(policyXPath.getXPath());
            Map<String, String> prefixes = policyXPath.getPrefixNamespaceMap();
            if (prefixes != null) {
                namespaceContext.addNamespaces(prefixes);
            }
        }
        xpath.setNamespaceContext(namespaceContext);
        try {
            CryptoCoverageUtil.checkCoverage(soapEnvelope, dataRefs, xpath, expressions, coverageType, coverageScope);
        } catch (WSSecurityException e) {
            ai.setNotAsserted("No " + coverageType + " element found matching one of the XPaths " + Arrays.toString(expressions.toArray()));
        }
    }
}

Example 5 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class SecuredPartsPolicyValidator method validatePolicies.

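/**
 * Validate the SignedParts / EncryptedParts assertions against the
 * references WSS4J reported as covered by the configured coverage type.
 * <p>
 * The check is skipped entirely for the transport binding (the parts are
 * expected to be protected by the transport, not at message level).
 * Assertions that are already asserted — children of a SupportingToken —
 * are left alone. Every other assertion is marked asserted, then reverted
 * if the Body, one of the listed headers, or the attachments are not
 * covered.
 *
 * @param parameters the validation parameters, supplying the message, the
 *            SOAP Body and Header, and the covered references
 * @param ais the SignedParts / EncryptedParts assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    // Message-level coverage is not checked for the transport binding.
    if (isTransportBinding(parameters.getAssertionInfoMap(), parameters.getMessage())) {
        return;
    }
    Message msg = parameters.getMessage();
    // Convert the SAAJ nodes to plain DOM elements for the coverage checks.
    Element soapBody = (Element) DOMUtils.getDomElement(parameters.getSoapBody());
    Element header = (Element) DOMUtils.getDomElement(parameters.getSoapHeader());
    Collection<WSDataRef> dataRefs = parameters.getEncrypted();
    if (coverageType == CoverageType.SIGNED) {
        dataRefs = parameters.getSigned();
    }
    for (AssertionInfo ai : ais) {
        if (ai.isAsserted()) {
            // they are a child of a SupportingToken
            continue;
        }
        AbstractSecuredParts p = (AbstractSecuredParts) ai.getAssertion();
        ai.setAsserted(true);
        if (p.isBody()) {
            try {
                // Signature coverage of the Body is checked at element scope,
                // encryption coverage at content scope.
                if (coverageType == CoverageType.SIGNED) {
                    CryptoCoverageUtil.checkBodyCoverage(soapBody, dataRefs, CoverageType.SIGNED, CoverageScope.ELEMENT);
                } else {
                    CryptoCoverageUtil.checkBodyCoverage(soapBody, dataRefs, CoverageType.ENCRYPTED, CoverageScope.CONTENT);
                }
            } catch (WSSecurityException e) {
                ai.setNotAsserted("Soap Body is not " + coverageType);
                continue;
            }
        }
        for (Header h : p.getHeaders()) {
            try {
                // Headers are always checked at element scope.
                CryptoCoverageUtil.checkHeaderCoverage(header, dataRefs, h.getNamespace(), h.getName(), coverageType, CoverageScope.ELEMENT);
            } catch (WSSecurityException e) {
                // Fixed message text: it previously read "<ns>:<name> not + SIGNED".
                ai.setNotAsserted(h.getNamespace() + ":" + h.getName() + " not " + coverageType);
            }
        }
        Attachments attachments = p.getAttachments();
        if (attachments != null) {
            try {
                // Content scope when the policy selects the content signature transform.
                CoverageScope scope = attachments.isContentSignatureTransform()
                    ? CoverageScope.CONTENT : CoverageScope.ELEMENT;
                CryptoCoverageUtil.checkAttachmentsCoverage(msg.getAttachments(), dataRefs, coverageType, scope);
            } catch (WSSecurityException e) {
                ai.setNotAsserted("An attachment was not signed/encrypted");
            }
        }
    }
}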
