Search in sources :

Example 1 with WSSConfig

use of org.apache.wss4j.dom.engine.WSSConfig in project ddf by codice.

the class SimpleSign method validateSignature.

public void validateSignature(Signature signature, Document doc) throws SignatureException {
    RequestData requestData = new RequestData();
    requestData.setSigVerCrypto(crypto.getSignatureCrypto());
    WSSConfig wssConfig = WSSConfig.getNewInstance();
    requestData.setWssConfig(wssConfig);
    SAMLKeyInfo samlKeyInfo = null;
    KeyInfo keyInfo = signature.getKeyInfo();
    if (keyInfo != null) {
        try {
            samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, new WSDocInfo(doc)), crypto.getSignatureCrypto());
        } catch (WSSecurityException e) {
            throw new SignatureException("Unable to get KeyInfo.", e);
        }
    }
    if (samlKeyInfo == null) {
        throw new SignatureException("No KeyInfo supplied in the signature");
    }
    validateSignatureAndSamlKey(signature, samlKeyInfo);
    Credential trustCredential = new Credential();
    trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
    trustCredential.setCertificates(samlKeyInfo.getCerts());
    Validator signatureValidator = new SignatureTrustValidator();
    try {
        signatureValidator.validate(trustCredential, requestData);
    } catch (WSSecurityException e) {
        throw new SignatureException("Error validating signature", e);
    }
}
Also used : WSDocInfo(org.apache.wss4j.dom.WSDocInfo) Credential(org.apache.wss4j.dom.validate.Credential) BasicX509Credential(org.opensaml.security.x509.BasicX509Credential) SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) WSSConfig(org.apache.wss4j.dom.engine.WSSConfig) KeyInfo(org.opensaml.xmlsec.signature.KeyInfo) SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo) RequestData(org.apache.wss4j.dom.handler.RequestData) SignatureTrustValidator(org.apache.wss4j.dom.validate.SignatureTrustValidator) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) WSSSAMLKeyInfoProcessor(org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor) Validator(org.apache.wss4j.dom.validate.Validator) SignatureValidator(org.opensaml.xmlsec.signature.support.SignatureValidator) SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator) SignatureTrustValidator(org.apache.wss4j.dom.validate.SignatureTrustValidator)

Example 2 with WSSConfig

use of org.apache.wss4j.dom.engine.WSSConfig in project ddf by codice.

the class StsIssueTest method processToken.

/**
     * Method to validate the retrieved token.
     */
private List<WSSecurityEngineResult> processToken(SecurityToken token) throws WSSecurityException {
    RequestData requestData = new RequestData();
    WSSConfig wssConfig = WSSConfig.getNewInstance();
    requestData.setWssConfig(wssConfig);
    /*DDF-733
        CallbackHandler callbackHandler = new CommonCallbackHandler();
        requestData.setCallbackHandler(callbackHandler);
        */
    Crypto crypto = CryptoFactory.getInstance("serverKeystore.properties");
    requestData.setDecCrypto(crypto);
    requestData.setSigVerCrypto(crypto);
    Processor processor = new SAMLTokenProcessor();
    return processor.handleToken(token.getToken(), requestData, new WSDocInfo(token.getToken().getOwnerDocument()));
}
Also used : WSDocInfo(org.apache.wss4j.dom.WSDocInfo) Crypto(org.apache.wss4j.common.crypto.Crypto) SAMLTokenProcessor(org.apache.wss4j.dom.processor.SAMLTokenProcessor) Processor(org.apache.wss4j.dom.processor.Processor) WSSConfig(org.apache.wss4j.dom.engine.WSSConfig) RequestData(org.apache.wss4j.dom.handler.RequestData) SAMLTokenProcessor(org.apache.wss4j.dom.processor.SAMLTokenProcessor)

Example 3 with WSSConfig

use of org.apache.wss4j.dom.engine.WSSConfig in project ddf by codice.

the class UPBSTValidator method validateToken.

/**
     * Validate a Token using the given TokenValidatorParameters.
     *
     * @param tokenParameters
     * @return TokenValidatorResponse
     */
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    LOGGER.trace("Validating UPBST Token");
    if (parser == null) {
        throw new IllegalStateException("XMLParser must be configured.");
    }
    if (failedLoginDelayer == null) {
        throw new IllegalStateException("Failed Login Delayer must be configured");
    }
    STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
    Crypto sigCrypto = stsProperties.getSignatureCrypto();
    CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
    RequestData requestData = new RequestData();
    requestData.setSigVerCrypto(sigCrypto);
    requestData.setWssConfig(WSSConfig.getNewInstance());
    requestData.setCallbackHandler(callbackHandler);
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    validateTarget.setState(STATE.INVALID);
    response.setToken(validateTarget);
    if (!validateTarget.isBinarySecurityToken()) {
        return response;
    }
    BinarySecurityTokenType binarySecurityType = (BinarySecurityTokenType) validateTarget.getToken();
    // Test the encoding type
    String encodingType = binarySecurityType.getEncodingType();
    if (!UPAuthenticationToken.BASE64_ENCODING.equals(encodingType)) {
        LOGGER.trace("Bad encoding type attribute specified: {}", encodingType);
        return response;
    }
    UPAuthenticationToken usernameToken = getUsernameTokenFromTarget(validateTarget);
    if (usernameToken == null) {
        return response;
    }
    UsernameTokenType usernameTokenType = getUsernameTokenType(usernameToken);
    // Marshall the received JAXB object into a DOM Element
    Element usernameTokenElement = null;
    JAXBElement<UsernameTokenType> tokenType = new JAXBElement<>(QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameTokenType);
    Document doc = DOMUtils.createDocument();
    Element rootElement = doc.createElement("root-element");
    List<String> ctxPath = new ArrayList<>(1);
    ctxPath.add(UsernameTokenType.class.getPackage().getName());
    ParserConfigurator configurator = parser.configureParser(ctxPath, UPBSTValidator.class.getClassLoader());
    try {
        parser.marshal(configurator, tokenType, rootElement);
    } catch (ParserException ex) {
        LOGGER.info("Unable to parse username token", ex);
        return response;
    }
    usernameTokenElement = (Element) rootElement.getFirstChild();
    //
    // Validate the token
    //
    WSSConfig wssConfig = WSSConfig.getNewInstance();
    try {
        boolean allowNamespaceQualifiedPasswordTypes = requestData.isAllowNamespaceQualifiedPasswordTypes();
        UsernameToken ut = new UsernameToken(usernameTokenElement, allowNamespaceQualifiedPasswordTypes, new BSPEnforcer());
        // The parsed principal is set independent whether validation is successful or not
        response.setPrincipal(new CustomTokenPrincipal(ut.getName()));
        if (ut.getPassword() == null) {
            return response;
        }
        String tokenId = String.format("%s:%s:%s", usernameToken.getUsername(), usernameToken.getPassword(), usernameToken.getRealm());
        // See if the UsernameToken is stored in the cache
        int hash = tokenId.hashCode();
        SecurityToken secToken = null;
        if (tokenParameters.getTokenStore() != null) {
            secToken = tokenParameters.getTokenStore().getToken(Integer.toString(hash));
            if (secToken != null && secToken.getTokenHash() != hash) {
                secToken = null;
            } else if (secToken != null) {
                validateTarget.setState(STATE.VALID);
            }
        }
        if (secToken == null) {
            Credential credential = new Credential();
            credential.setUsernametoken(ut);
            if (usernameToken.getRealm() != null && !"*".equals(usernameToken.getRealm())) {
                Validator validator = validators.get(usernameToken.getRealm());
                if (validator != null) {
                    try {
                        validator.validate(credential, requestData);
                        validateTarget.setState(STATE.VALID);
                        LOGGER.debug("Validated user against realm {}", usernameToken.getRealm());
                    } catch (WSSecurityException ex) {
                        LOGGER.debug("Not able to validate user against realm {}", usernameToken.getRealm());
                    }
                }
            } else {
                Set<Map.Entry<String, Validator>> entries = validators.entrySet();
                for (Map.Entry<String, Validator> entry : entries) {
                    try {
                        entry.getValue().validate(credential, requestData);
                        validateTarget.setState(STATE.VALID);
                        LOGGER.debug("Validated user against realm {}", entry.getKey());
                        break;
                    } catch (WSSecurityException ex) {
                        LOGGER.debug("Not able to validate user against realm {}", entry.getKey());
                    }
                }
            }
        }
        Principal principal = createPrincipal(ut.getName(), ut.getPassword(), ut.getPasswordType(), ut.getNonce(), ut.getCreated());
        // Store the successfully validated token in the cache
        if (tokenParameters.getTokenStore() != null && secToken == null && STATE.VALID.equals(validateTarget.getState())) {
            secToken = new SecurityToken(ut.getID());
            secToken.setToken(ut.getElement());
            int hashCode = tokenId.hashCode();
            String identifier = Integer.toString(hashCode);
            secToken.setTokenHash(hashCode);
            tokenParameters.getTokenStore().add(identifier, secToken);
        }
        response.setPrincipal(principal);
        response.setTokenRealm(null);
        validateTarget.setPrincipal(principal);
    } catch (WSSecurityException ex) {
        LOGGER.debug("Unable to validate token.", ex);
    }
    if (response.getToken().getState() != STATE.VALID) {
        failedLoginDelayer.delay(response.getToken().getPrincipal().getName());
    }
    return response;
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) JAXBElement(javax.xml.bind.JAXBElement) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) UsernameToken(org.apache.wss4j.dom.message.token.UsernameToken) AttributedString(org.apache.cxf.ws.security.sts.provider.model.secext.AttributedString) PasswordString(org.apache.cxf.ws.security.sts.provider.model.secext.PasswordString) Document(org.w3c.dom.Document) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType) WSSConfig(org.apache.wss4j.dom.engine.WSSConfig) RequestData(org.apache.wss4j.dom.handler.RequestData) UPAuthenticationToken(org.codice.ddf.security.handler.api.UPAuthenticationToken) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) ParserException(org.codice.ddf.parser.ParserException) Credential(org.apache.wss4j.dom.validate.Credential) UsernameTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType) BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) JAXBElement(javax.xml.bind.JAXBElement) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) ParserConfigurator(org.codice.ddf.parser.ParserConfigurator) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) Validator(org.apache.wss4j.dom.validate.Validator) JAASUsernameTokenValidator(org.apache.wss4j.dom.validate.JAASUsernameTokenValidator) TokenValidator(org.apache.cxf.sts.token.validator.TokenValidator) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) Principal(java.security.Principal)

Example 4 with WSSConfig

use of org.apache.wss4j.dom.engine.WSSConfig in project ddf by codice.

the class UsernameTokenValidator method validateToken.

/**
     * Validate a Token using the given TokenValidatorParameters.
     */
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
    LOGGER.debug("Validating UsernameToken");
    if (parser == null) {
        throw new IllegalStateException("XMLParser must be configured.");
    }
    if (failedLoginDelayer == null) {
        throw new IllegalStateException("Failed Login Delayer must be configured");
    }
    STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
    Crypto sigCrypto = stsProperties.getSignatureCrypto();
    CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
    RequestData requestData = new RequestData();
    requestData.setSigVerCrypto(sigCrypto);
    WSSConfig wssConfig = WSSConfig.getNewInstance();
    requestData.setWssConfig(wssConfig);
    requestData.setCallbackHandler(callbackHandler);
    TokenValidatorResponse response = new TokenValidatorResponse();
    ReceivedToken validateTarget = tokenParameters.getToken();
    validateTarget.setState(ReceivedToken.STATE.INVALID);
    response.setToken(validateTarget);
    if (!validateTarget.isUsernameToken()) {
        return response;
    }
    //
    // Turn the JAXB UsernameTokenType into a DOM Element for validation
    //
    UsernameTokenType usernameTokenType = (UsernameTokenType) validateTarget.getToken();
    JAXBElement<UsernameTokenType> tokenType = new JAXBElement<>(QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameTokenType);
    Document doc = DOMUtils.createDocument();
    Element rootElement = doc.createElement("root-element");
    List<String> ctxPath = new ArrayList<>(1);
    ctxPath.add(UsernameTokenType.class.getPackage().getName());
    Element usernameTokenElement = null;
    ParserConfigurator configurator = parser.configureParser(ctxPath, UsernameTokenValidator.class.getClassLoader());
    try {
        parser.marshal(configurator, tokenType, rootElement);
        usernameTokenElement = (Element) rootElement.getFirstChild();
    } catch (ParserException ex) {
        LOGGER.info("Unable to parse username token", ex);
        return response;
    }
    //
    try {
        boolean allowNamespaceQualifiedPasswordTypes = requestData.isAllowNamespaceQualifiedPasswordTypes();
        UsernameToken ut = new UsernameToken(usernameTokenElement, allowNamespaceQualifiedPasswordTypes, new BSPEnforcer());
        // The parsed principal is set independent whether validation is successful or not
        response.setPrincipal(new CustomTokenPrincipal(ut.getName()));
        if (ut.getPassword() == null) {
            failedLoginDelayer.delay(ut.getName());
            return response;
        }
        Credential credential = new Credential();
        credential.setUsernametoken(ut);
        //Only this section is new, the rest is copied from the apache class
        Set<Map.Entry<String, Validator>> entries = validators.entrySet();
        for (Map.Entry<String, Validator> entry : entries) {
            try {
                entry.getValue().validate(credential, requestData);
                validateTarget.setState(ReceivedToken.STATE.VALID);
                break;
            } catch (WSSecurityException ex) {
                LOGGER.debug("Unable to validate user against {}" + entry.getKey(), ex);
            }
        }
        if (ReceivedToken.STATE.INVALID.equals(validateTarget.getState())) {
            failedLoginDelayer.delay(ut.getName());
            return response;
        }
        //end new section
        Principal principal = createPrincipal(ut.getName(), ut.getPassword(), ut.getPasswordType(), ut.getNonce(), ut.getCreated());
        response.setPrincipal(principal);
        response.setTokenRealm(null);
        validateTarget.setState(ReceivedToken.STATE.VALID);
        validateTarget.setPrincipal(principal);
    } catch (WSSecurityException ex) {
        LOGGER.debug("Unable to validate token.", ex);
    }
    return response;
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) JAXBElement(javax.xml.bind.JAXBElement) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) UsernameToken(org.apache.wss4j.dom.message.token.UsernameToken) Document(org.w3c.dom.Document) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) WSSConfig(org.apache.wss4j.dom.engine.WSSConfig) JAASUsernameTokenValidator(org.apache.wss4j.dom.validate.JAASUsernameTokenValidator) RequestData(org.apache.wss4j.dom.handler.RequestData) ReceivedToken(org.apache.cxf.sts.request.ReceivedToken) ParserException(org.codice.ddf.parser.ParserException) Credential(org.apache.wss4j.dom.validate.Credential) UsernameTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType) BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) JAXBElement(javax.xml.bind.JAXBElement) ParserConfigurator(org.codice.ddf.parser.ParserConfigurator) Crypto(org.apache.wss4j.common.crypto.Crypto) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) Validator(org.apache.wss4j.dom.validate.Validator) JAASUsernameTokenValidator(org.apache.wss4j.dom.validate.JAASUsernameTokenValidator) TokenValidator(org.apache.cxf.sts.token.validator.TokenValidator) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) Principal(java.security.Principal)

Example 5 with WSSConfig

use of org.apache.wss4j.dom.engine.WSSConfig in project cxf by apache.

the class WSS4JInInterceptor method createSecurityEngine.

/**
 * @return      a freshly minted WSSecurityEngine instance, using the
 *              (non-null) processor map, to be used to initialize the
 *              WSSecurityEngine instance.
 */
protected static WSSecurityEngine createSecurityEngine(final Map<QName, Object> map) {
    assert map != null;
    final WSSConfig config = WSSConfig.getNewInstance();
    for (Map.Entry<QName, Object> entry : map.entrySet()) {
        final QName key = entry.getKey();
        Object val = entry.getValue();
        if (val instanceof Class<?>) {
            config.setProcessor(key, (Class<?>) val);
        } else if (val instanceof Processor) {
            config.setProcessor(key, (Processor) val);
        } else if (val instanceof Validator) {
            config.setValidator(key, (Validator) val);
        } else if (val == null) {
            config.setProcessor(key, (Class<?>) null);
        }
    }
    final WSSecurityEngine ret = new WSSecurityEngine();
    ret.setWssConfig(config);
    return ret;
}
Also used : Processor(org.apache.wss4j.dom.processor.Processor) WSSConfig(org.apache.wss4j.dom.engine.WSSConfig) QName(javax.xml.namespace.QName) WSSecurityEngine(org.apache.wss4j.dom.engine.WSSecurityEngine) Map(java.util.Map) HashMap(java.util.HashMap) NoOpValidator(org.apache.wss4j.dom.validate.NoOpValidator) Validator(org.apache.wss4j.dom.validate.Validator)

Aggregations

WSSConfig (org.apache.wss4j.dom.engine.WSSConfig)24 RequestData (org.apache.wss4j.dom.handler.RequestData)16 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)15 Credential (org.apache.wss4j.dom.validate.Credential)12 WSDocInfo (org.apache.wss4j.dom.WSDocInfo)11 WSSSAMLKeyInfoProcessor (org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor)10 Crypto (org.apache.wss4j.common.crypto.Crypto)9 SAMLKeyInfo (org.apache.wss4j.common.saml.SAMLKeyInfo)8 Element (org.w3c.dom.Element)8 STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)7 KeyInfo (org.opensaml.xmlsec.signature.KeyInfo)7 Document (org.w3c.dom.Document)7 CallbackHandler (javax.security.auth.callback.CallbackHandler)6 Principal (java.security.Principal)5 ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)5 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)5 Validator (org.apache.wss4j.dom.validate.Validator)4 BasicX509Credential (org.opensaml.security.x509.BasicX509Credential)4 X509Certificate (java.security.cert.X509Certificate)3 Map (java.util.Map)3