
Example 56 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

From the class IssuedTokenPolicyValidator, method validatePolicies.

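/**
 * Validates the issued-token policies against the SAML and BinarySecurityToken results
 * carried in {@code parameters}.
 * <p>
 * SAML results are tried first, then BinarySecurityToken results. The first token that
 * passes its validator is wrapped in a {@link SecurityToken} and stored on the exchange
 * under {@link SecurityConstants#TOKEN}; no further results are examined after that.
 * A BinarySecurityToken result is only considered when the WSS4J engine marked it as
 * validated ({@code TAG_VALIDATED_TOKEN} is {@code Boolean.TRUE}); SAML results are
 * handed straight to {@code validateSAMLToken}.
 *
 * @param parameters the validator inputs (message, WSS4J results, SAML results)
 * @param ais the assertion infos handed to the per-token validators
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    List<WSSecurityEngineResult> samlResults = parameters.getSamlResults();
    if (samlResults != null) {
        for (WSSecurityEngineResult samlResult : samlResults) {
            SamlAssertionWrapper samlAssertion =
                (SamlAssertionWrapper) samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            if (validateSAMLToken(parameters, samlAssertion, ais)) {
                storeTokenOnExchange(parameters, createSecurityToken(samlAssertion));
                return;
            }
        }
    }

    List<WSSecurityEngineResult> bstResults =
        parameters.getResults().getActionResults().get(WSConstants.BST);
    if (bstResults != null) {
        for (WSSecurityEngineResult bstResult : bstResults) {
            // Only a BST that the WSS4J engine actually validated may satisfy the policy
            if (!Boolean.TRUE.equals(bstResult.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN))) {
                continue;
            }
            BinarySecurity binarySecurity =
                (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (validateBinarySecurityToken(parameters, binarySecurity, ais)) {
                storeTokenOnExchange(parameters, createSecurityToken(binarySecurity));
                return;
            }
        }
    }
}

/**
 * Stores the validated token on the message exchange under {@link SecurityConstants#TOKEN}
 * so that later processing can pick it up.
 *
 * @param parameters the validator inputs; supplies the message whose exchange is updated
 * @param token the token created from the validated SAML assertion or BST
 */
private static void storeTokenOnExchange(PolicyValidatorParameters parameters, SecurityToken token) {
    parameters.getMessage().getExchange().put(SecurityConstants.TOKEN, token);
}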
Also used : SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) BinarySecurity(org.apache.wss4j.common.token.BinarySecurity) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)

Example 57 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

From the class AbstractBindingPolicyValidator, method isEncryptedBeforeSigned.

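/**
 * Check to see if encryption was applied before signature.
 * Note that results are stored in the reverse order.
 * <p>
 * Walks the results in list order: an ENCR result with data references records that
 * encryption has been seen; the first SIGN result with data references that is not an
 * endorsing signature (a single reference to the Signature element, {@code SIG_QNAME})
 * ends the walk and reports whether encryption was seen before it.
 *
 * @param results the WSS4J engine results to inspect
 * @return {@code true} if an encryption result precedes the first non-endorsing
 *         signature result; {@code false} if no such signature result exists
 */
private boolean isEncryptedBeforeSigned(List<WSSecurityEngineResult> results) {
    boolean encrypted = false;
    for (WSSecurityEngineResult result : results) {
        Integer actInt = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
        List<WSDataRef> el = CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (actInt.intValue() == WSConstants.ENCR && el != null) {
            encrypted = true;
        }
        // Don't count an endorsing signature (one that only references the Signature element).
        // Constant-first equals: a data reference without a name must not throw here.
        if (actInt.intValue() == WSConstants.SIGN && el != null
            && !(el.size() == 1 && SIG_QNAME.equals(el.get(0).getName()))) {
            return encrypted;
        }
    }
    return false;
}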
Also used : WSDataRef(org.apache.wss4j.dom.WSDataRef) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)

Example 58 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

From the class AbstractBindingPolicyValidator, method isSignatureEncrypted.

/**
 * Check whether the primary Signature (and all SignatureConfirmation) elements were encrypted.
 * <p>
 * Results are scanned from the last entry backwards. The first SIGN result met is taken as
 * the primary signature; later SIGN results are ignored. Every SC result is checked. A result
 * whose token element is missing, or which {@code isElementEncrypted} rejects, fails the
 * check immediately.
 *
 * @param results the WSS4J engine results to inspect
 * @return {@code true} if no unencrypted primary Signature or SignatureConfirmation was found
 */
protected boolean isSignatureEncrypted(List<WSSecurityEngineResult> results) {
    boolean primarySignatureSeen = false;
    for (int idx = results.size() - 1; idx >= 0; idx--) {
        WSSecurityEngineResult current = results.get(idx);
        int action = ((Integer) current.get(WSSecurityEngineResult.TAG_ACTION)).intValue();

        boolean mustBeEncrypted;
        if (action == WSConstants.SIGN) {
            // Only the first signature encountered counts as the primary one
            mustBeEncrypted = !primarySignatureSeen;
            primarySignatureSeen = true;
        } else {
            mustBeEncrypted = action == WSConstants.SC;
        }
        if (!mustBeEncrypted) {
            continue;
        }

        Element element = (Element) current.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
        if (element == null || !isElementEncrypted(element, results)) {
            return false;
        }
    }
    return true;
}
Also used : Element(org.w3c.dom.Element) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)

Example 59 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

From the class AbstractBindingPolicyValidator, method isTokenProtected.

/**
 * Check whether the token protection policy is followed. In other words, check that the
 * signature token was itself signed.
 * <p>
 * For each signed result the token behind it is looked up with
 * {@code findCorrespondingToken}; the signature's data references must then include that
 * token's element. A missing token result, missing data references, or an uncovered token
 * fails the check.
 *
 * @param results all WSS4J engine results, used to locate the token behind each signature
 * @param signedResults the signature results to check
 * @return {@code true} if every signature covers its own token (trivially so for no signatures)
 */
protected boolean isTokenProtected(List<WSSecurityEngineResult> results, List<WSSecurityEngineResult> signedResults) {
    for (WSSecurityEngineResult signature : signedResults) {
        WSSecurityEngineResult tokenResult = findCorrespondingToken(signature, results);
        if (tokenResult == null) {
            return false;
        }
        Object tokenElement = tokenResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
        List<WSDataRef> dataRefs =
            CastUtils.cast((List<?>) signature.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (dataRefs == null) {
            return false;
        }
        // One of the signed references must be the token element itself
        boolean tokenSigned = dataRefs.stream()
            .map(WSDataRef::getProtectedElement)
            .anyMatch(protectedElement -> protectedElement != null && protectedElement.equals(tokenElement));
        if (!tokenSigned) {
            return false;
        }
    }
    return true;
}
Also used : Element(org.w3c.dom.Element) WSDataRef(org.apache.wss4j.dom.WSDataRef) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)

Example 60 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

From the class AbstractSupportingTokenPolicyValidator, method processUsernameTokens.

/**
 * Process UsernameTokens against the supporting-token policy.
 * <p>
 * Returns {@code true} without further checks when the parameters report no UsernameToken
 * callbacks, and {@code false} when there are no UsernameToken results. Otherwise the tokens
 * must satisfy this validator's signed and encrypted requirements; when {@code derived} is
 * set and DerivedKeyToken results exist, the derived key matching each token's secret is added
 * to the token results before the endorsing and signed/encrypted policy checks run.
 *
 * @param parameters the validator inputs
 * @param derived whether derived keys based on the UsernameToken secrets should be included
 * @return {@code true} if the policy is satisfied
 */
protected boolean processUsernameTokens(PolicyValidatorParameters parameters, boolean derived) {
    if (!parameters.isUtWithCallbacks()) {
        return true;
    }
    List<WSSecurityEngineResult> utResults = parameters.getUsernameTokenResults();
    if (utResults.isEmpty()) {
        return false;
    }

    List<WSSecurityEngineResult> tokenResults = new ArrayList<>(utResults);
    List<WSSecurityEngineResult> signedResults = parameters.getSignedResults();
    List<WSSecurityEngineResult> encryptedResults = parameters.getEncryptedResults();

    if (isSigned() && !areTokensSigned(tokenResults, signedResults, encryptedResults, parameters.getMessage())) {
        return false;
    }
    if (isEncrypted() && !areTokensEncrypted(tokenResults, encryptedResults)) {
        return false;
    }

    if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
        // Pull in every derived key that was computed from a UsernameToken secret
        for (WSSecurityEngineResult utResult : utResults) {
            byte[] secret = (byte[]) utResult.get(WSSecurityEngineResult.TAG_SECRET);
            if (secret == null) {
                continue;
            }
            WSSecurityEngineResult derivedKey = getMatchingDerivedKey(secret, parameters.getResults());
            if (derivedKey != null) {
                tokenResults.add(derivedKey);
            }
        }
    }

    if (isEndorsing()
        && !checkEndorsed(tokenResults, signedResults, parameters.getMessage(), parameters.getTimestampElement())) {
        return false;
    }
    return validateSignedEncryptedPolicies(tokenResults, signedResults, encryptedResults, parameters.getMessage());
}
Also used : ArrayList(java.util.ArrayList) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)
