
Example 6 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class WSS4JInOutTest method testEncryption.

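/**
 * Round-trips a message through the outbound WSS4J interceptor with the ENCRYPT action and back
 * through the inbound one, then checks that exactly one protection result was recorded and that
 * it references the decrypted soap:Body element.
 *
 * @throws Exception if the invocation or result extraction fails
 */
@Test
public void testEncryption() throws Exception {
    Map<String, Object> outProperties = new HashMap<>();
    outProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.ENCRYPT);
    outProperties.put(ConfigurationConstants.ENC_PROP_FILE, "outsecurity.properties");
    outProperties.put(ConfigurationConstants.USER, "myalias");
    outProperties.put("password", "myAliasPassword");

    Map<String, Object> inProperties = new HashMap<>();
    inProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.ENCRYPT);
    inProperties.put(ConfigurationConstants.DEC_PROP_FILE, "insecurity.properties");
    inProperties.put(ConfigurationConstants.PW_CALLBACK_REF, new TestPwdCallback());

    // Elements that must be present in the outbound message after the ENCRYPT action ran
    List<String> xpaths = new ArrayList<>();
    xpaths.add("//wsse:Security");
    xpaths.add("//s:Body/xenc:EncryptedData");

    List<WSHandlerResult> handlerResults = getResults(makeInvocation(outProperties, xpaths, inProperties));
    assertNotNull(handlerResults);
    // Compare the int with assertEquals; assertSame on a boxed Integer only holds for cached values
    assertEquals(1, handlerResults.size());

    // Exactly one protection result is expected: the single ENCRYPT action
    final List<WSSecurityEngineResult> protectionResults = handlerResults.get(0).getResults();
    assertNotNull(protectionResults);
    assertEquals(1, protectionResults.size());

    // That result must reference the decrypted element, i.e. the soap:Body
    final Map<String, Object> result = protectionResults.get(0);
    final List<WSDataRef> protectedElements = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
    assertNotNull(protectedElements);
    assertEquals(1, protectedElements.size());
    // JUnit convention: expected value first, actual value second
    assertEquals(new QName("http://schemas.xmlsoap.org/soap/envelope/", "Body"), protectedElements.get(0).getName());
}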

Example 7 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class WSS4JInInterceptor method importNewDomToSAAJ.

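/**
 * Re-imports a freshly decrypted DOM node into the SAAJ document (Java 9+ SAAJ only) and
 * re-points every WSDataRef that still references the pre-import node at the imported one,
 * so later coverage checks see the decrypted content rather than a detached node.
 * <p>
 * Best effort: any failure while importing or retargeting is logged at FINE and otherwise
 * ignored, so a reference that could not be retargeted is left as it was. Nothing is done
 * when the SAAJ implementation is not the Java 9 one, when {@code originalNode} is
 * {@code null}, or when {@code originalNode} is already equal to {@code elem}.
 *
 * @param doc the SAAJ message whose body document receives the imported node
 * @param elem the element whose owner document holds the decrypted node
 * @param originalNode the node as it was before decryption; may be {@code null}
 * @param wsResult the security results whose data references are retargeted
 * @throws SOAPException if the SAAJ body cannot be accessed
 */
private void importNewDomToSAAJ(SOAPMessage doc, Element elem, Node originalNode, WSHandlerResult wsResult) throws SOAPException {
    if (!DOMUtils.isJava9SAAJ() || originalNode == null || originalNode.isEqualNode(elem)) {
        return;
    }
    // ensure the new decrypted dom element could be imported into the SAAJ
    Element body = SAAJUtils.getBody(doc);
    Document saajDocument = body == null ? null : body.getOwnerDocument();
    Node decryptedNode = findDecryptedNode(elem);
    if (saajDocument == null || decryptedNode == null) {
        return;
    }
    try {
        Node newNode = saajDocument.importNode(decryptedNode, true);
        if (newNode != null) {
            newNode = unwrapDomElement(newNode);
        }
        // decryptedNode was fetched as a first child, so its parent is the node to replace it in
        decryptedNode.getParentNode().replaceChild(newNode, decryptedNode);
        retargetDataRefs(wsResult.getActionResults().get(WSConstants.ENCR), decryptedNode, (Element) newNode);
        retargetDataRefs(collectSignedResults(wsResult), decryptedNode, (Element) newNode);
    } catch (Exception ex) {
        // just to the best try
        LOG.log(Level.FINE, "Something wrong during importNewDomToSAAJ", ex);
    }
}

/**
 * Walks {@code documentElement -> firstChild -> nextSibling -> firstChild} of the owner document
 * of {@code elem}, returning {@code null} instead of throwing when any step is missing.
 * NOTE(review): this fixed path presumably targets the first child of the SOAP Body
 * (Envelope/Header/Body) — confirm against callers.
 */
private static Node findDecryptedNode(Element elem) {
    if (elem == null || elem.getOwnerDocument() == null) {
        return null;
    }
    Element root = elem.getOwnerDocument().getDocumentElement();
    Node first = root == null ? null : root.getFirstChild();
    Node second = first == null ? null : first.getNextSibling();
    return second == null ? null : second.getFirstChild();
}

/**
 * Some SAAJ node wrappers expose the underlying DOM element through a {@code getDomElement}
 * method; unwrap through it when present, otherwise return the node unchanged.
 *
 * @throws ReflectiveOperationException if the method exists but cannot be invoked
 */
private static Node unwrapDomElement(Node node) throws ReflectiveOperationException {
    try {
        Method method = node.getClass().getMethod("getDomElement");
        return (Element) method.invoke(node);
    } catch (NoSuchMethodException ex) {
        // not a wrapper node; use it as-is
        return node;
    }
}

/**
 * Points every data reference in {@code results} that still targets {@code oldNode} (by node
 * identity) at {@code replacement}. A {@code null} result list or reference list is skipped.
 */
private static void retargetDataRefs(List<WSSecurityEngineResult> results, Node oldNode, Element replacement) {
    if (results == null) {
        return;
    }
    for (WSSecurityEngineResult result : results) {
        List<WSDataRef> dataRefs = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (dataRefs == null) {
            continue;
        }
        for (WSDataRef dataRef : dataRefs) {
            if (dataRef.getProtectedElement() == oldNode) {
                dataRef.setProtectedElement(replacement);
            }
        }
    }
}

/** Collects the SIGN, UT_SIGN and ST_SIGNED results of {@code wsResult}, in that order. */
private static List<WSSecurityEngineResult> collectSignedResults(WSHandlerResult wsResult) {
    List<WSSecurityEngineResult> signedResults = new ArrayList<>();
    for (int action : new int[] {WSConstants.SIGN, WSConstants.UT_SIGN, WSConstants.ST_SIGNED}) {
        List<WSSecurityEngineResult> actionResults = wsResult.getActionResults().get(action);
        if (actionResults != null) {
            signedResults.addAll(actionResults);
        }
    }
    return signedResults;
}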

Example 8 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class CryptoCoverageUtil method reconcileEncryptedSignedRefs.

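/**
 * Inspects the signed and encrypted content in the message and accurately
 * resolves encrypted and then signed elements in {@code signedRefs}.
 * Entries in {@code signedRefs} that correspond to an encrypted element
 * are resolved to the decrypted element and added to {@code signedRefs}.
 * The original reference to the encrypted content remains unaltered in the
 * list to allow for matching against a requirement that xenc:EncryptedData
 * and xenc:EncryptedKey elements be signed.
 * <p>
 * A signed reference is matched to an encrypted reference by DOM node identity
 * ({@code ==}) on the encrypted element, not by {@code equals}; the first match wins.
 *
 * @param signedRefs references to the signed content in the message; must be modifiable,
 *        since the resolved references are appended to it
 * @param encryptedRefs references to the encrypted content in the message
 */
public static void reconcileEncryptedSignedRefs(final Collection<WSDataRef> signedRefs, final Collection<WSDataRef> encryptedRefs) {
    // Collected separately so signedRefs is not modified while it is being iterated
    final List<WSDataRef> encryptedSignedRefs = new LinkedList<>();
    for (WSDataRef signedRef : signedRefs) {
        Element protectedElement = signedRef.getProtectedElement();
        if (!isEncryptedContent(protectedElement)) {
            continue;
        }
        for (WSDataRef encryptedRef : encryptedRefs) {
            if (protectedElement == encryptedRef.getEncryptedElement()) {
                encryptedSignedRefs.add(resolveToDecrypted(signedRef, encryptedRef));
                break;
            }
        }
    }
    signedRefs.addAll(encryptedSignedRefs);
}

/**
 * Returns whether {@code element} is one of the encrypted-content wrappers this reconciliation
 * understands: xenc:EncryptedData, wsse11:EncryptedHeader or saml2:EncryptedAssertion.
 */
private static boolean isEncryptedContent(Element element) {
    if (element == null) {
        return false;
    }
    String localName = element.getLocalName();
    String namespace = element.getNamespaceURI();
    return "EncryptedData".equals(localName) && WSS4JConstants.ENC_NS.equals(namespace)
        || WSS4JConstants.ENCRYPTED_HEADER.equals(localName) && WSS4JConstants.WSSE11_NS.equals(namespace)
        || WSS4JConstants.ENCRYPED_ASSERTION_LN.equals(localName) && WSS4JConstants.SAML2_NS.equals(namespace);
}

/**
 * Builds the reference to the decrypted element: it keeps the wsu:Id of {@code signedRef}
 * and takes name, protected element and XPath from {@code encryptedRef}. Content is always
 * {@code false}, i.e. the whole element counts as signed.
 */
private static WSDataRef resolveToDecrypted(WSDataRef signedRef, WSDataRef encryptedRef) {
    final WSDataRef resolved = new WSDataRef();
    resolved.setWsuId(signedRef.getWsuId());
    resolved.setContent(false);
    resolved.setName(encryptedRef.getName());
    resolved.setProtectedElement(encryptedRef.getProtectedElement());
    resolved.setXpath(encryptedRef.getXpath());
    return resolved;
}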

Example 9 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class PolicyBasedWSS4JInInterceptor method doResults.

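/**
 * Gathers the signature, encryption, UsernameToken, SAML and Timestamp results out of
 * {@code results}, reconciles signed references that point at encrypted content with the
 * decrypted elements, runs every registered {@link SecurityPolicyValidator} whose policy
 * QName appears in the message's {@link AssertionInfoMap}, and finally delegates to the
 * superclass.
 *
 * @param msg the inbound SOAP message; its {@link AssertionInfoMap} drives which policies are validated
 * @param actor the security header actor, passed through to the superclass
 * @param soapHeader the SOAP Header element
 * @param soapBody the SOAP Body element
 * @param results the WSS4J handler results for the processed security header
 * @param utWithCallbacks whether UsernameTokens were validated through callbacks
 * @throws SOAPException passed through from the superclass
 * @throws XMLStreamException passed through from the superclass
 * @throws WSSecurityException if a policy validator or the superclass rejects the message
 */
@Override
protected void doResults(SoapMessage msg, String actor, Element soapHeader, Element soapBody, WSHandlerResult results, boolean utWithCallbacks) throws SOAPException, XMLStreamException, WSSecurityException {
    // 
    // Pre-fetch various results
    // 
    List<WSSecurityEngineResult> signedResults = collectActionResults(results, WSConstants.SIGN, WSConstants.UT_SIGN, WSConstants.ST_SIGNED);
    Collection<WSDataRef> signed = collectDataRefs(signedResults);
    // May be null when nothing was encrypted; it is handed to the validators as-is
    List<WSSecurityEngineResult> encryptResults = results.getActionResults().get(WSConstants.ENCR);
    Collection<WSDataRef> encrypted = collectDataRefs(encryptResults);
    // Signed references to EncryptedData are resolved to the decrypted element as well
    CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encrypted);
    // 
    // Check policies
    // 
    PolicyValidatorParameters parameters = new PolicyValidatorParameters();
    // NOTE(review): aim is dereferenced below; presumably this interceptor is only installed
    // when the message carries an AssertionInfoMap — confirm
    AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
    parameters.setAssertionInfoMap(aim);
    parameters.setMessage(msg);
    parameters.setSoapBody(soapBody);
    parameters.setSoapHeader(soapHeader);
    parameters.setResults(results);
    parameters.setSignedResults(signedResults);
    parameters.setEncryptedResults(encryptResults);
    parameters.setUtWithCallbacks(utWithCallbacks);
    parameters.setSigned(signed);
    parameters.setEncrypted(encrypted);
    parameters.setUsernameTokenResults(collectActionResults(results, WSConstants.UT, WSConstants.UT_NOPASSWORD));
    parameters.setSamlResults(collectActionResults(results, WSConstants.ST_SIGNED, WSConstants.ST_UNSIGNED));
    // Store the timestamp element
    parameters.setTimestampElement(findTimestampElement(results));
    // Validate security policies
    Map<QName, SecurityPolicyValidator> validators = ValidatorUtils.getSecurityPolicyValidators(msg);
    for (Map.Entry<QName, Collection<AssertionInfo>> entry : aim.entrySet()) {
        // Check to see if we have a security policy + if we can validate it
        SecurityPolicyValidator validator = validators.get(entry.getKey());
        if (validator != null) {
            validator.validatePolicies(parameters, entry.getValue());
        }
    }
    super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);
}

/**
 * Concatenates the result lists recorded for {@code actions}, in the given order, skipping
 * actions that have no results. Never returns {@code null}.
 */
private static List<WSSecurityEngineResult> collectActionResults(WSHandlerResult results, int... actions) {
    List<WSSecurityEngineResult> collected = new ArrayList<>();
    for (int action : actions) {
        List<WSSecurityEngineResult> actionResults = results.getActionResults().get(action);
        if (actionResults != null) {
            collected.addAll(actionResults);
        }
    }
    return collected;
}

/**
 * Flattens the data references of {@code engineResults} into one set. A {@code null} result
 * list or a result without references contributes nothing.
 */
private static Collection<WSDataRef> collectDataRefs(List<WSSecurityEngineResult> engineResults) {
    Collection<WSDataRef> refs = new HashSet<>();
    if (engineResults == null) {
        return refs;
    }
    for (WSSecurityEngineResult result : engineResults) {
        List<WSDataRef> dataRefs = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (dataRefs != null) {
            refs.addAll(dataRefs);
        }
    }
    return refs;
}

/**
 * Returns the element of the first Timestamp result, or {@code null} when there is no
 * Timestamp result, the list is empty, or the result carries no Timestamp.
 */
private static Element findTimestampElement(WSHandlerResult results) {
    List<WSSecurityEngineResult> tsResults = results.getActionResults().get(WSConstants.TS);
    if (tsResults == null || tsResults.isEmpty()) {
        return null;
    }
    Timestamp ts = (Timestamp) tsResults.get(0).get(WSSecurityEngineResult.TAG_TIMESTAMP);
    return ts == null ? null : ts.getElement();
}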

Example 10 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class AbstractBindingPolicyValidator method isEncryptedBeforeSigned.

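/**
 * Check to see if encryption was applied before signature.
 * Note that results are stored in the reverse order.
 * <p>
 * Walks {@code results} in list order: an ENCR result with data references marks encryption
 * as seen; the first SIGN result with data references — other than an endorsing signature,
 * whose only reference is {@code SIG_QNAME} — ends the scan and reports whether encryption
 * had been seen by then. Results without an action or without data references are ignored.
 *
 * @param results the security engine results to inspect
 * @return {@code true} if an encryption result precedes the first non-endorsing signature,
 *         {@code false} otherwise (including when there is no such signature)
 */
private boolean isEncryptedBeforeSigned(List<WSSecurityEngineResult> results) {
    boolean encrypted = false;
    for (WSSecurityEngineResult result : results) {
        Integer actInt = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
        List<WSDataRef> el = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (actInt == null || el == null) {
            // Nothing to classify without both an action and data references
            continue;
        }
        int action = actInt.intValue();
        if (action == WSConstants.ENCR) {
            encrypted = true;
        }
        // Don't count an endorsing signature
        if (action == WSConstants.SIGN && !isEndorsingSignature(el)) {
            return encrypted;
        }
    }
    return false;
}

/**
 * An endorsing signature references exactly one element, the Signature itself
 * ({@code SIG_QNAME}). Null-safe: a reference without a name never matches.
 */
private static boolean isEndorsingSignature(List<WSDataRef> refs) {
    return refs.size() == 1 && SIG_QNAME.equals(refs.get(0).getName());
}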
