
Example 1 with WSSecurityEngine

use of org.apache.wss4j.dom.engine.WSSecurityEngine in project cxf by apache.

the class RequestParserUnitTest method testValidateSCT.

/**
 * Parses a Validate request whose target is a reference to a SecurityContextToken
 * carried in the security header, and checks that the SCTValidator accepts the
 * resolved token.
 */
@org.junit.Test
public void testValidateSCT() throws Exception {
    Element securityHeader = (Element) parseStringToElement(SECURITY_HEADER).getFirstChild();
    RequestSecurityTokenType validateRequest = createJaxbObject(VALIDATE_SCT_REFERENCE);
    RequestParser requestParser = new RequestParser();

    // Stand-in message context; the parser resolves token references from it
    WrappedMessageContext context = new WrappedMessageContext(new MessageImpl());

    // Run the header through WSS4J so the referenced SCT shows up as a handler result
    WSSecurityEngine engine = new WSSecurityEngine();
    RequestData wss4jRequestData = new RequestData();
    wss4jRequestData.setCallbackHandler(new PasswordCallbackHandler());
    WSHandlerResult handlerResult = engine.processSecurityHeader(securityHeader, wss4jRequestData);

    // Publish the WSS4J results under RECV_RESULTS, as the inbound interceptor would
    List<WSHandlerResult> receivedResults = new ArrayList<>();
    receivedResults.add(handlerResult);
    context.put(WSHandlerConstants.RECV_RESULTS, receivedResults);

    RequestRequirements requirements = requestParser.parseRequest(validateRequest, context, null, null);
    SCTValidator validator = new SCTValidator();
    assertTrue(validator.canHandleToken(requirements.getTokenRequirements().getValidateTarget()));
}

Example 2 with WSSecurityEngine

use of org.apache.wss4j.dom.engine.WSSecurityEngine in project cxf by apache.

the class WSS4JInInterceptor method createSecurityEngine.

/**
 * Builds a new {@link WSSecurityEngine} whose {@link WSSConfig} is populated from
 * {@code map}.
 * <p>
 * Each entry is keyed by the QName of a security header element; the value decides
 * what is registered for that element:
 * <ul>
 * <li>a {@code Class} is registered as the processor class,</li>
 * <li>a {@link Processor} instance is registered directly,</li>
 * <li>a {@link Validator} instance is registered as the element's validator,</li>
 * <li>{@code null} is passed through as a {@code null} processor class (presumably
 *     to unregister any default processor for that element),</li>
 * <li>a value of any other type is silently ignored.</li>
 * </ul>
 *
 * @param map processor/validator overrides keyed by element QName; must not be null.
 *            This is only enforced with {@code assert}, i.e. a caller contract rather
 *            than a runtime guard.
 * @return a new engine carrying the configuration derived from {@code map}
 */
protected static WSSecurityEngine createSecurityEngine(final Map<QName, Object> map) {
    assert map != null;
    final WSSConfig wssConfig = WSSConfig.getNewInstance();
    for (Map.Entry<QName, Object> override : map.entrySet()) {
        final QName element = override.getKey();
        final Object handler = override.getValue();
        // null fails every instanceof test below, so handling it first is equivalent
        if (handler == null) {
            wssConfig.setProcessor(element, (Class<?>) null);
        } else if (handler instanceof Class<?>) {
            wssConfig.setProcessor(element, (Class<?>) handler);
        } else if (handler instanceof Processor) {
            wssConfig.setProcessor(element, (Processor) handler);
        } else if (handler instanceof Validator) {
            wssConfig.setValidator(element, (Validator) handler);
        }
        // any other value type is ignored
    }
    final WSSecurityEngine engine = new WSSecurityEngine();
    engine.setWssConfig(wssConfig);
    return engine;
}

Example 3 with WSSecurityEngine

use of org.apache.wss4j.dom.engine.WSSecurityEngine in project cxf by apache.

the class WSS4JInInterceptor method handleMessageInternal.

/**
 * Processes the WS-Security header of an inbound SOAP message with WSS4J and
 * checks the outcome against the configured security actions.
 * <p>
 * The WSS4J engine is taken from a {@code WSSConfig} found in the message context
 * if present, otherwise from {@link #getSecurityEngine}, falling back to a default
 * engine. After the header has been processed, the results are verified
 * ({@code checkActions}, optional signature confirmation) and published via
 * {@code doResults}; finally {@code SECURITY_PROCESSED} is set on the message.
 * Whether or not a security header was found, {@code checkActions} runs, except
 * for the one lax path: an unsecured SOAP Fault received by a requestor.
 *
 * @param msg the inbound SOAP message
 * @throws Fault (as a {@code SoapFault}) when WSS4J rejects the header, or when
 *               StAX/SAAJ processing of the message fails
 */
@SuppressWarnings("deprecation")
private void handleMessageInternal(SoapMessage msg) throws Fault {
    boolean utWithCallbacks = MessageUtils.getContextualBoolean(msg, SecurityConstants.VALIDATE_TOKEN, true);
    translateProperties(msg);
    RequestData reqData = new CXFRequestData();
    // A WSSConfig placed in the message context takes precedence over the
    // interceptor's own engine; the config then drives the WSS4J processing below.
    WSSConfig config = (WSSConfig) msg.getContextualProperty(WSSConfig.class.getName());
    WSSecurityEngine engine;
    if (config != null) {
        engine = new WSSecurityEngine();
        engine.setWssConfig(config);
    } else {
        engine = getSecurityEngine(utWithCallbacks);
        if (engine == null) {
            engine = new WSSecurityEngine();
        }
        config = engine.getWssConfig();
    }
    reqData.setWssConfig(config);
    reqData.setEncryptionSerializer(new StaxSerializer());
    // Add Audience Restrictions for SAML
    reqData.setAudienceRestrictions(SAMLUtils.getAudienceRestrictions(msg, true));
    SOAPMessage doc = getSOAPMessage(msg);
    boolean doDebug = LOG.isLoggable(Level.FINE);
    SoapVersion version = msg.getVersion();
    if (doDebug) {
        LOG.fine("WSS4JInInterceptor: enter handleMessage()");
    }
    /*
     * The overall try, just to have a finally at the end to perform some
     * housekeeping.
     */
    try {
        reqData.setMsgContext(msg);
        reqData.setAttachmentCallbackHandler(new AttachmentCallbackHandler(msg));
        setAlgorithmSuites(msg, reqData);
        reqData.setCallbackHandler(getCallback(reqData, utWithCallbacks));
        computeAction(msg, reqData);
        // The configured action string is what checkActions later compares
        // the header's actual processing results against.
        String action = getAction(msg, version);
        List<Integer> actions = WSSecurityUtil.decodeAction(action);
        String actor = (String) getOption(ConfigurationConstants.ACTOR);
        if (actor == null) {
            actor = (String) msg.getContextualProperty(SecurityConstants.ACTOR);
        }
        reqData.setActor(actor);
        // Configure replay caching
        configureReplayCaches(reqData, actions, msg);
        // Make the TLS peer certificates available to WSS4J (if the transport had any)
        TLSSessionInfo tlsInfo = msg.get(TLSSessionInfo.class);
        if (tlsInfo != null) {
            Certificate[] tlsCerts = tlsInfo.getPeerCertificates();
            reqData.setTlsCerts(tlsCerts);
        }
        /*
         * Get and check the Signature specific parameters first because
         * they may be used for encryption too.
         */
        doReceiverAction(actions, reqData);
        // Derive expandXopInclude from the MTOM setting only when neither
        // property was explicitly specified by the user.
        if (getString(ConfigurationConstants.EXPAND_XOP_INCLUDE_FOR_SIGNATURE, msg) == null && getString(ConfigurationConstants.EXPAND_XOP_INCLUDE, msg) == null) {
            reqData.setExpandXopInclude(AttachmentUtil.isMtomEnabled(msg));
        }
        /*
         * Get the chance to check the msg context enableRevocation setting
         * when using policy based ws-security, where the WSHandler configuration
         * isn't available. Either source being true enables revocation checking.
         */
        boolean enableRevocation = reqData.isRevocationEnabled() || MessageUtils.isTrue(SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, msg));
        reqData.setEnableRevocation(enableRevocation);
        Element soapBody = SAAJUtils.getBody(doc);
        if (soapBody != null) {
            engine.setCallbackLookup(new CXFCallbackLookup(soapBody.getOwnerDocument(), soapBody));
        }
        // Locate the security header addressed to our actor; the last argument
        // tells WSS4J whether this is a SOAP 1.2 message (version compared as a double).
        Element elem = WSSecurityUtil.getSecurityHeader(doc.getSOAPHeader(), actor, version.getVersion() != 1.1);
        elem = (Element) DOMUtils.getDomElement(elem);
        // Keep a copy of the untouched header: processing (e.g. decryption) mutates
        // the DOM and importNewDomToSAAJ needs the original to reconcile the SAAJ tree.
        Node originalNode = null;
        if (elem != null) {
            originalNode = elem.cloneNode(true);
        }
        WSHandlerResult wsResult = engine.processSecurityHeader(elem, reqData);
        importNewDomToSAAJ(doc, elem, originalNode, wsResult);
        Element header = SAAJUtils.getHeader(doc);
        Element body = SAAJUtils.getBody(doc);
        header = (Element) DOMUtils.getDomElement(header);
        body = (Element) DOMUtils.getDomElement(body);
        // NOTE(review): wsResult is dereferenced without a null check here; this
        // relies on processSecurityHeader returning a non-null result even when
        // elem is null — confirm against the WSS4J version in use.
        if (!(wsResult.getResults() == null || wsResult.getResults().isEmpty())) {
            // security header found
            if (reqData.isEnableSignatureConfirmation()) {
                checkSignatureConfirmation(reqData, wsResult);
            }
            // Verify that what was actually processed matches the configured actions
            checkActions(msg, reqData, wsResult.getResults(), actions, SAAJUtils.getBody(doc));
            doResults(msg, actor, header, body, wsResult, utWithCallbacks);
        } else {
            // no security header found
            if (doc.getSOAPPart().getEnvelope().getBody().hasFault() && isRequestor(msg)) {
                LOG.warning("The request is a SOAP Fault, but it is not secured");
                // We allow lax action matching here for backwards compatibility
                // with manually configured WSS4JInInterceptors that previously
                // allowed faults to pass through even if their actions aren't
                // a strict match against those configured.  In the WS-SP case,
                // we will want to still call doResults as it handles asserting
                // certain assertions that do not require a WS-S header such as
                // a sp:TransportBinding assertion.  In the case of WS-SP,
                // the unasserted assertions will provide confirmation that
                // security was not sufficient.
                // checkActions(msg, reqData, wsResult, actions);
                doResults(msg, actor, header, body, wsResult, utWithCallbacks);
            } else {
                // No header but actions may be configured: checkActions is what
                // rejects a message that should have been secured and was not.
                checkActions(msg, reqData, wsResult.getResults(), actions, SAAJUtils.getBody(doc));
                doResults(msg, actor, header, body, wsResult, utWithCallbacks);
            }
        }
        if (SAAJUtils.getBody(doc) != null) {
            advanceBody(msg, body);
        }
        SAAJInInterceptor.replaceHeaders(doc, msg);
        if (doDebug) {
            LOG.fine("WSS4JInInterceptor: exit handleMessage()");
        }
        msg.put(SECURITY_PROCESSED, Boolean.TRUE);
    } catch (WSSecurityException e) {
        // Mapped to a SOAP fault; WSS4JUtils decides how much detail to expose
        throw WSS4JUtils.createSoapFault(msg, version, e);
    } catch (XMLStreamException e) {
        throw new SoapFault(new Message("STAX_EX", LOG), e, version.getSender());
    } catch (SOAPException e) {
        throw new SoapFault(new Message("SAAJ_EX", LOG), e, version.getSender());
    } finally {
        // reqData is a local, so this only drops the reference before return
        reqData = null;
    }
}

Example 4 with WSSecurityEngine

use of org.apache.wss4j.dom.engine.WSSecurityEngine in project cxf by apache.

the class RequestParserUnitTest method testCancelSCT.

/**
 * Parses a Cancel request whose target is a reference to a SecurityContextToken
 * carried in the security header, and checks that the SCTCanceller accepts the
 * resolved token.
 */
@org.junit.Test
public void testCancelSCT() throws Exception {
    Element securityHeader = (Element) parseStringToElement(SECURITY_HEADER).getFirstChild();
    RequestSecurityTokenType cancelRequest = createJaxbObject(CANCEL_SCT_REFERENCE);
    RequestParser requestParser = new RequestParser();

    // Stand-in message context; the parser resolves token references from it
    WrappedMessageContext context = new WrappedMessageContext(new MessageImpl());

    // Run the header through WSS4J so the referenced SCT shows up as a handler result
    WSSecurityEngine engine = new WSSecurityEngine();
    RequestData wss4jRequestData = new RequestData();
    wss4jRequestData.setCallbackHandler(new PasswordCallbackHandler());
    WSHandlerResult handlerResult = engine.processSecurityHeader(securityHeader, wss4jRequestData);

    // Publish the WSS4J results under RECV_RESULTS, as the inbound interceptor would
    List<WSHandlerResult> receivedResults = new ArrayList<>();
    receivedResults.add(handlerResult);
    context.put(WSHandlerConstants.RECV_RESULTS, receivedResults);

    RequestRequirements requirements = requestParser.parseRequest(cancelRequest, context, null, null);
    SCTCanceller canceller = new SCTCanceller();
    assertTrue(canceller.canHandleToken(requirements.getTokenRequirements().getCancelTarget()));
}

Example 5 with WSSecurityEngine

use of org.apache.wss4j.dom.engine.WSSecurityEngine in project cxf by apache.

the class RequestParserUnitTest method testUseKeyX509.

/**
 * Parses a request whose UseKey element references a BinarySecurityToken in the
 * security header, and checks that the X.509 certificate is resolved into the
 * key requirements.
 */
@org.junit.Test
public void testUseKeyX509() throws Exception {
    Element securityHeader = (Element) parseStringToElement(SECURITY_HEADER_X509).getFirstChild();
    RequestSecurityTokenType useKeyRequest = createJaxbObject(USE_KEY_X509_REFERENCE);
    RequestParser requestParser = new RequestParser();

    // Stand-in message context; the parser resolves token references from it
    WrappedMessageContext context = new WrappedMessageContext(new MessageImpl());

    // Run the header through WSS4J; unlike the SCT tests a signature-verification
    // Crypto is supplied, presumably because the X.509 header is signed
    WSSecurityEngine engine = new WSSecurityEngine();
    RequestData wss4jRequestData = new RequestData();
    wss4jRequestData.setSigVerCrypto(getCrypto());
    wss4jRequestData.setCallbackHandler(new PasswordCallbackHandler());
    WSHandlerResult handlerResult = engine.processSecurityHeader(securityHeader, wss4jRequestData);

    // Publish the WSS4J results under RECV_RESULTS, as the inbound interceptor would
    List<WSHandlerResult> receivedResults = new ArrayList<>();
    receivedResults.add(handlerResult);
    context.put(WSHandlerConstants.RECV_RESULTS, receivedResults);

    RequestRequirements requirements = requestParser.parseRequest(useKeyRequest, context, null, null);
    assertNotNull(requirements.getKeyRequirements().getReceivedKey().getX509Cert());
}
