
Example 11 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class AbstractBindingPolicyValidator method isTokenProtected.

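/**
 * Check whether the token protection policy is followed. In other words, check that the
 * signature token was itself signed.
 *
 * @param results the complete list of security results for the processed message
 * @param signedResults the subset of results that represent signatures
 * @return {@code true} if every signature covers its own signing token; {@code false} if a
 *         signing token cannot be found for a signature, the signature has no data
 *         references, or the token element is not among the signed elements
 */
protected boolean isTokenProtected(List<WSSecurityEngineResult> results, List<WSSecurityEngineResult> signedResults) {
    for (WSSecurityEngineResult result : signedResults) {
        // Get the Token result that was used for the signature
        WSSecurityEngineResult tokenResult = findCorrespondingToken(result, results);
        if (tokenResult == null) {
            return false;
        }
        // A null token element never matches a protected element, so a token with no
        // known DOM element cannot satisfy the check
        Object tokenElement = tokenResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
        // Now go through what was signed and see if the token itself was signed
        List<WSDataRef> sl = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (sl == null || !protectsElement(sl, tokenElement)) {
            return false;
        }
    }
    return true;
}

/**
 * Whether any of the given data references protects the given DOM element.
 * Stops at the first match; references with no protected element are skipped.
 */
private static boolean protectsElement(List<WSDataRef> dataRefs, Object element) {
    for (WSDataRef dataRef : dataRefs) {
        Element referenceElement = dataRef.getProtectedElement();
        if (referenceElement != null && referenceElement.equals(element)) {
            return true;
        }
    }
    return false;
}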
Also used : Element(org.w3c.dom.Element) WSDataRef(org.apache.wss4j.dom.WSDataRef) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)

Example 12 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class AlgorithmSuitePolicyValidator method checkDataRefs.

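/**
 * Check the individual signature references: each reference must use the digest
 * algorithm required by the policy and carry at most two transforms, every one of
 * which must be from the permitted set.
 *
 * @param dataRefs the signature references to validate
 * @param algorithmPolicy the AlgorithmSuite assertion being enforced
 * @param ai the assertion info; marked not asserted on the first failing reference
 * @return {@code true} if every reference satisfies the policy, {@code false} otherwise
 */
private boolean checkDataRefs(List<WSDataRef> dataRefs, AlgorithmSuite algorithmPolicy, AssertionInfo ai) {
    AlgorithmSuiteType algorithmSuiteType = algorithmPolicy.getAlgorithmSuiteType();
    for (WSDataRef dataRef : dataRefs) {
        // equals() is called on the required value so a null digest from the reference
        // fails the check instead of throwing
        String digestMethod = dataRef.getDigestAlgorithm();
        if (!algorithmSuiteType.getDigest().equals(digestMethod)) {
            ai.setNotAsserted("The digest method does not match the requirement");
            return false;
        }
        List<String> transformAlgorithms = dataRef.getTransformAlgorithms();
        // Only a max of 2 transforms per reference is allowed
        if (transformAlgorithms == null || transformAlgorithms.size() > 2) {
            ai.setNotAsserted("The transform algorithms do not match the requirement");
            return false;
        }
        for (String transformAlgorithm : transformAlgorithms) {
            if (!isPermittedTransform(transformAlgorithm, algorithmPolicy)) {
                ai.setNotAsserted("The transform algorithms do not match the requirement");
                return false;
            }
        }
    }
    return true;
}

/**
 * Whether a single transform URI is acceptable: the policy's own C14N method, or one of
 * the fixed set (exclusive C14N without comments, STR transform, enveloped signature,
 * SwA attachment content / complete signature transforms).
 */
private static boolean isPermittedTransform(String transformAlgorithm, AlgorithmSuite algorithmPolicy) {
    return algorithmPolicy.getC14n().getValue().equals(transformAlgorithm)
        || WSS4JConstants.C14N_EXCL_OMIT_COMMENTS.equals(transformAlgorithm)
        || STRTransform.TRANSFORM_URI.equals(transformAlgorithm)
        || Transforms.TRANSFORM_ENVELOPED_SIGNATURE.equals(transformAlgorithm)
        || WSS4JConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS.equals(transformAlgorithm)
        || WSS4JConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS.equals(transformAlgorithm);
}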
Also used : AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) WSDataRef(org.apache.wss4j.dom.WSDataRef)

Example 13 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class AlgorithmSuitePolicyValidator method checkEncryptionAlgorithms.

/**
 * Check the Encryption Algorithms of one security result against the policy: the
 * optional key transport method must be one of the suite's key wrap algorithms, every
 * encrypted data reference must use the suite's encryption algorithm, and finally the
 * key lengths are checked.
 *
 * @param result the security result describing the encryption
 * @param algorithmPolicy the AlgorithmSuite assertion being enforced
 * @param ai the assertion info; marked not asserted on the first mismatch
 * @return {@code true} if the result satisfies the policy
 */
private boolean checkEncryptionAlgorithms(WSSecurityEngineResult result, AlgorithmSuite algorithmPolicy, AssertionInfo ai) {
    AlgorithmSuiteType suiteType = algorithmPolicy.getAlgorithmSuiteType();
    // The key transport method is optional; when present it must match either wrap algorithm
    String keyTransport = (String) result.get(WSSecurityEngineResult.TAG_ENCRYPTED_KEY_TRANSPORT_METHOD);
    if (keyTransport != null) {
        boolean wrapAllowed = suiteType.getSymmetricKeyWrap().equals(keyTransport)
            || suiteType.getAsymmetricKeyWrap().equals(keyTransport);
        if (!wrapAllowed) {
            ai.setNotAsserted("The Key transport method does not match the requirement");
            return false;
        }
    }
    List<WSDataRef> refs = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
    if (refs != null) {
        String requiredEncryption = suiteType.getEncryption();
        for (WSDataRef ref : refs) {
            // equals() on the required value tolerates a null algorithm from the reference
            if (!requiredEncryption.equals(ref.getAlgorithm())) {
                ai.setNotAsserted("The encryption algorithm does not match the requirement");
                return false;
            }
        }
    }
    return checkKeyLengths(result, algorithmPolicy, ai, false);
}
Also used : AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) WSDataRef(org.apache.wss4j.dom.WSDataRef)

Example 14 with WSDataRef

use of org.apache.wss4j.dom.WSDataRef in project cxf by apache.

the class SecurityActionTokenTest method testEncryption.

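/**
 * Round-trips a message through the outbound encryption action and inbound decryption,
 * then checks that exactly one protection result was produced and that it references
 * the decrypted soap:Body element.
 */
@Test
public void testEncryption() throws Exception {
    EncryptionActionToken actionToken = new EncryptionActionToken();
    actionToken.setCryptoProperties("outsecurity.properties");
    actionToken.setUser("myalias");
    List<HandlerAction> actions = Collections.singletonList(new HandlerAction(WSConstants.ENCR, actionToken));
    Map<String, Object> outProperties = new HashMap<>();
    outProperties.put(WSHandlerConstants.HANDLER_ACTIONS, actions);
    Map<String, Object> inProperties = new HashMap<>();
    inProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.ENCRYPT);
    inProperties.put(ConfigurationConstants.DEC_PROP_FILE, "insecurity.properties");
    inProperties.put(ConfigurationConstants.PW_CALLBACK_REF, new TestPwdCallback());
    List<String> xpaths = new ArrayList<>();
    xpaths.add("//wsse:Security");
    xpaths.add("//s:Body/xenc:EncryptedData");
    List<WSHandlerResult> handlerResults = getResults(makeInvocation(outProperties, xpaths, inProperties));
    assertNotNull(handlerResults);
    // assertEquals rather than assertSame: assertSame on boxed ints only worked because
    // small Integer values are cached, which is not a contract a test should rely on
    assertEquals(1, handlerResults.size());
    // 
    // This should contain exactly 1 protection result
    // 
    final List<WSSecurityEngineResult> protectionResults = handlerResults.get(0).getResults();
    assertNotNull(protectionResults);
    assertEquals(1, protectionResults.size());
    // 
    // This result should contain a reference to the decrypted element,
    // which should contain the soap:Body Qname
    // 
    final Map<String, Object> result = protectionResults.get(0);
    final List<WSDataRef> protectedElements = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
    assertNotNull(protectedElements);
    assertEquals(1, protectedElements.size());
    // expected value first so a failure message reads the right way round
    assertEquals(new javax.xml.namespace.QName("http://schemas.xmlsoap.org/soap/envelope/", "Body"), protectedElements.get(0).getName());
}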
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) WSDataRef(org.apache.wss4j.dom.WSDataRef) WSHandlerResult(org.apache.wss4j.dom.handler.WSHandlerResult) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) HandlerAction(org.apache.wss4j.dom.handler.HandlerAction) EncryptionActionToken(org.apache.wss4j.common.EncryptionActionToken) Test(org.junit.Test)
