
Example 66 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

Class X509TokenPolicyValidator, method validatePolicies.

/**
 * Validate policies.
 */
/**
 * Validates the {@code X509Token} assertions in {@code ais} against the received security results.
 * <p>
 * Every assertion is first marked as asserted and recorded in the assertion-info map. When the
 * token is not required for this message the assertion stays asserted. Otherwise it is marked
 * as not asserted if neither a BinarySecurityToken result nor a signed result was received, or
 * if the received token type does not satisfy the policy's token type (see {@code checkTokenType}).
 *
 * @param parameters the engine results, assertion-info map, signed results and message under validation
 * @param ais the X509Token assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    final List<WSSecurityEngineResult> bstResults =
        parameters.getResults().getActionResults().get(WSConstants.BST);
    final boolean noBstReceived = bstResults == null || bstResults.isEmpty();

    for (AssertionInfo ai : ais) {
        final X509Token tokenPolicy = (X509Token) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(tokenPolicy, parameters.getAssertionInfoMap());

        if (!isTokenRequired(tokenPolicy, parameters.getMessage())) {
            continue;
        }

        final List<WSSecurityEngineResult> signedResults = parameters.getSignedResults();
        if (noBstReceived && signedResults.isEmpty()) {
            // Token is required by the policy but nothing usable was received
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
        } else if (!checkTokenType(tokenPolicy.getTokenType(), bstResults, signedResults)) {
            ai.setNotAsserted("An incorrect X.509 Token Type is detected");
        }
    }
}

Example 67 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

Class SecurityContextTokenPolicyValidator, method validatePolicies.

/**
 * Validate policies.
 */
/**
 * Validates the {@code SecurityContextToken} assertions in {@code ais} against the received
 * security results.
 * <p>
 * Every assertion is first marked as asserted and recorded in the assertion-info map. When the
 * token is not required for this message the assertion stays asserted; otherwise it is marked
 * as not asserted if no SecurityContextToken result was received.
 *
 * @param parameters the engine results, assertion-info map and message under validation
 * @param ais the SecurityContextToken assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    final List<WSSecurityEngineResult> sctResults =
        parameters.getResults().getActionResults().get(WSConstants.SCT);
    final boolean noSctReceived = sctResults == null || sctResults.isEmpty();

    for (AssertionInfo ai : ais) {
        final SecurityContextToken tokenPolicy = (SecurityContextToken) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(tokenPolicy, parameters.getAssertionInfoMap());

        final boolean required = isTokenRequired(tokenPolicy, parameters.getMessage());
        if (required && noSctReceived) {
            // Token is required by the policy but nothing was received
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
        }
    }
}

Example 68 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

Class WSS4JInInterceptor, method importNewDomToSAAJ.

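/**
 * Imports a decrypted DOM node into the SAAJ document and re-targets the engine results at it.
 * <p>
 * Only active on a Java 9+ SAAJ implementation and when {@code originalNode} differs from
 * {@code elem}. The node is located by navigating from the document element of
 * {@code elem}'s document: first child, next sibling, first child (this assumes the usual
 * Envelope/Header/Body layout — not verified here). That node is imported into the SAAJ
 * body's owner document and swapped into place, and every {@code WSDataRef} of the ENCR,
 * SIGN, UT_SIGN and ST_SIGNED results that still points at the old node is re-targeted at
 * the imported node, so later coverage checks see the element that is actually in the tree.
 * <p>
 * The import and re-targeting are best effort: any failure is logged at FINE and swallowed,
 * leaving the results pointing at the original node.
 *
 * @param doc the SAAJ message whose body document receives the imported node
 * @param elem the decrypted element whose document holds the node to import
 * @param originalNode the node as it was before decryption; {@code null} disables the import
 * @param wsResult the engine results whose data references are re-targeted
 * @throws SOAPException from {@code SAAJUtils.getBody}
 */
private void importNewDomToSAAJ(SOAPMessage doc, Element elem, Node originalNode, WSHandlerResult wsResult)
    throws SOAPException {
    if (!DOMUtils.isJava9SAAJ() || originalNode == null || originalNode.isEqualNode(elem)) {
        return;
    }
    // ensure the new decrypted dom element could be imported into the SAAJ
    Document document = null;
    Element body = SAAJUtils.getBody(doc);
    if (body != null) {
        document = body.getOwnerDocument();
    }
    Node node = null;
    if (elem != null && elem.getOwnerDocument() != null
        && elem.getOwnerDocument().getDocumentElement() != null) {
        node = elem.getOwnerDocument().getDocumentElement().getFirstChild().getNextSibling().getFirstChild();
    }
    if (document == null || node == null) {
        return;
    }
    try {
        Node newNode = DOMUtils.getDomElement(document.importNode(node, true));
        elem.getOwnerDocument().getDocumentElement().getFirstChild().getNextSibling().replaceChild(newNode, node);
        // The engine results still reference the old node; point them at the imported one
        retargetProtectedElement(wsResult.getActionResults().get(WSConstants.ENCR), node, newNode);
        retargetProtectedElement(
            collectActionResults(wsResult, WSConstants.SIGN, WSConstants.UT_SIGN, WSConstants.ST_SIGNED),
            node, newNode);
    } catch (Exception ex) {
        // best effort only: leave the results as they are and carry on
        LOG.log(Level.FINE, "Something wrong during importNewDomToSAAJ", ex);
    }
}

/**
 * Re-targets every data reference in {@code results} whose protected element is {@code oldNode}
 * at {@code newNode}. A {@code null} result list or a result without data references is skipped.
 */
private static void retargetProtectedElement(List<WSSecurityEngineResult> results, Node oldNode, Node newNode) {
    if (results == null) {
        return;
    }
    for (WSSecurityEngineResult result : results) {
        List<WSDataRef> dataRefs =
            CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (dataRefs == null) {
            continue;
        }
        for (WSDataRef dataRef : dataRefs) {
            if (dataRef.getProtectedElement() == oldNode) {
                dataRef.setProtectedElement((Element) newNode);
            }
        }
    }
}

/**
 * Concatenates the engine results recorded for the given actions, in the order given.
 * Actions with no results contribute nothing; the returned list is never {@code null}.
 */
private static List<WSSecurityEngineResult> collectActionResults(WSHandlerResult wsResult, int... actions) {
    List<WSSecurityEngineResult> collected = new ArrayList<>();
    for (int action : actions) {
        List<WSSecurityEngineResult> actionResults = wsResult.getActionResults().get(action);
        if (actionResults != null) {
            collected.addAll(actionResults);
        }
    }
    return collected;
}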

Example 69 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

Class AbstractSTSClient, method decryptKey.

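/**
 * Extracts the secret carried by an EncryptedKey element.
 * <p>
 * When the encryption algorithm ends with {@code spnego#GSS_Wrap} the Base64-decoded
 * CipherData/CipherValue content is returned as-is (it is decrypted later by the caller).
 * Otherwise the element is processed by WSS4J's {@link EncryptedKeyProcessor} using this
 * client's decryption Crypto and callback handler, and the secret of the first result is returned.
 *
 * @param child the EncryptedKey element
 * @return the key bytes (still GSS-wrapped in the SPNEGO case); never {@code null}
 * @throws WSSecurityException if no CipherValue is present in the SPNEGO case, or if the
 *         EncryptedKey processor yields no result or a result without a secret
 * @throws TrustException if the processor fails with an I/O error
 * @throws Base64DecodingException if the CipherValue cannot be decoded
 */
protected byte[] decryptKey(Element child) throws TrustException, WSSecurityException, Base64DecodingException {
    String encryptionAlgorithm = X509Util.getEncAlgo(child);
    // For the SPNEGO case just return the decoded cipher value and decrypt it later
    if (encryptionAlgorithm != null && encryptionAlgorithm.endsWith("spnego#GSS_Wrap")) {
        return readCipherValue(child);
    }
    try {
        EncryptedKeyProcessor proc = new EncryptedKeyProcessor();
        WSDocInfo docInfo = new WSDocInfo(child.getOwnerDocument());
        RequestData data = new RequestData();
        data.setWssConfig(WSSConfig.getNewInstance());
        data.setDecCrypto(createCrypto(true));
        data.setCallbackHandler(createHandler());
        data.setWsDocInfo(docInfo);
        List<WSSecurityEngineResult> result = proc.handleToken(child, data);
        // Fail with the declared exception type instead of an IndexOutOfBounds/NPE
        // when the processor produced nothing usable
        if (result == null || result.isEmpty()) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
        }
        byte[] secret = (byte[]) result.get(0).get(WSSecurityEngineResult.TAG_SECRET);
        if (secret == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
        }
        return secret;
    } catch (IOException e) {
        throw new TrustException("ENCRYPTED_KEY_ERROR", e, LOG);
    }
}

/**
 * Returns the Base64-decoded CipherData/CipherValue content of {@code encryptedKey}.
 *
 * @throws WSSecurityException ({@code noCipher}) if either element is missing or nothing was decoded
 */
private static byte[] readCipherValue(Element encryptedKey) throws WSSecurityException, Base64DecodingException {
    Element cipherData = XMLUtils.getDirectChildElement(encryptedKey, "CipherData", WSS4JConstants.ENC_NS);
    if (cipherData != null) {
        Element cipherValueElem = XMLUtils.getDirectChildElement(cipherData, "CipherValue", WSS4JConstants.ENC_NS);
        if (cipherValueElem != null) {
            byte[] cipherValue = org.apache.xml.security.utils.XMLUtils.decode(DOMUtils.getContent(cipherValueElem));
            if (cipherValue != null) {
                return cipherValue;
            }
        }
    }
    throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noCipher");
}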

Example 70 with WSSecurityEngineResult

use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.

Class PolicyBasedWSS4JInInterceptor, method doResults.

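/**
 * Gathers the WSS4J engine results into {@link PolicyValidatorParameters}, runs every
 * registered {@link SecurityPolicyValidator} over the message's assertions, then delegates
 * to the superclass.
 * <p>
 * Signed results are collected from the SIGN, UT_SIGN and ST_SIGNED actions, UsernameToken
 * results from UT and UT_NOPASSWORD, and SAML results from ST_SIGNED and ST_UNSIGNED. The
 * signed and encrypted data references are reconciled through
 * {@code CryptoCoverageUtil.reconcileEncryptedSignedRefs} before validation. Only assertions
 * whose QName has a validator registered for this message are validated; the others are left
 * untouched here.
 *
 * @param msg the inbound SOAP message; must carry an {@link AssertionInfoMap}
 * @param actor passed through to the superclass
 * @param soapHeader the security header element, handed to the validators
 * @param soapBody the SOAP body element, handed to the validators
 * @param results the results produced by the WSS4J security engine
 * @param utWithCallbacks handed to the validators and the superclass
 * @throws SOAPException, XMLStreamException, WSSecurityException propagated from the superclass
 */
@Override
protected void doResults(SoapMessage msg, String actor, Element soapHeader, Element soapBody,
                         WSHandlerResult results, boolean utWithCallbacks)
    throws SOAPException, XMLStreamException, WSSecurityException {
    //
    // Pre-fetch various results
    //
    List<WSSecurityEngineResult> signedResults =
        collectActionResults(results, WSConstants.SIGN, WSConstants.UT_SIGN, WSConstants.ST_SIGNED);
    Collection<WSDataRef> signed = collectDataRefs(signedResults);

    // Deliberately the raw list: it is passed on unchanged below and may be null
    List<WSSecurityEngineResult> encryptResults = results.getActionResults().get(WSConstants.ENCR);
    Collection<WSDataRef> encrypted = collectDataRefs(encryptResults);

    // Reconcile the signed and encrypted reference sets (see CryptoCoverageUtil)
    CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encrypted);

    //
    // Check policies
    //
    PolicyValidatorParameters parameters = new PolicyValidatorParameters();
    AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
    parameters.setAssertionInfoMap(aim);
    parameters.setMessage(msg);
    parameters.setSoapBody(soapBody);
    parameters.setSoapHeader(soapHeader);
    parameters.setResults(results);
    parameters.setSignedResults(signedResults);
    parameters.setEncryptedResults(encryptResults);
    parameters.setUtWithCallbacks(utWithCallbacks);
    parameters.setSigned(signed);
    parameters.setEncrypted(encrypted);
    parameters.setUsernameTokenResults(
        collectActionResults(results, WSConstants.UT, WSConstants.UT_NOPASSWORD));
    parameters.setSamlResults(
        collectActionResults(results, WSConstants.ST_SIGNED, WSConstants.ST_UNSIGNED));
    // Store the timestamp element
    parameters.setTimestampElement(findTimestampElement(results));

    // Validate security policies
    Map<QName, SecurityPolicyValidator> validators = ValidatorUtils.getSecurityPolicyValidators(msg);
    for (Map.Entry<QName, Collection<AssertionInfo>> entry : aim.entrySet()) {
        // Check to see if we have a security policy + if we can validate it
        SecurityPolicyValidator validator = validators.get(entry.getKey());
        if (validator != null) {
            validator.validatePolicies(parameters, entry.getValue());
        }
    }
    super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);
}

/**
 * Concatenates the engine results recorded for the given actions, in the order given.
 * Actions with no results contribute nothing; the returned list is never {@code null}.
 */
private static List<WSSecurityEngineResult> collectActionResults(WSHandlerResult results, int... actions) {
    List<WSSecurityEngineResult> collected = new ArrayList<>();
    for (int action : actions) {
        List<WSSecurityEngineResult> actionResults = results.getActionResults().get(action);
        if (actionResults != null) {
            collected.addAll(actionResults);
        }
    }
    return collected;
}

/**
 * Gathers the TAG_DATA_REF_URIS data references of every result into one set.
 * A {@code null} result list or a result without data references contributes nothing.
 */
private static Collection<WSDataRef> collectDataRefs(List<WSSecurityEngineResult> engineResults) {
    Collection<WSDataRef> refs = new HashSet<>();
    if (engineResults == null) {
        return refs;
    }
    for (WSSecurityEngineResult result : engineResults) {
        List<WSDataRef> dataRefs =
            CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (dataRefs != null) {
            refs.addAll(dataRefs);
        }
    }
    return refs;
}

/**
 * Returns the element of the first Timestamp result, or {@code null} when no Timestamp
 * result was recorded or the result carries no Timestamp.
 */
private static Element findTimestampElement(WSHandlerResult results) {
    List<WSSecurityEngineResult> tsResults = results.getActionResults().get(WSConstants.TS);
    if (tsResults == null || tsResults.isEmpty()) {
        return null;
    }
    Timestamp ts = (Timestamp) tsResults.get(0).get(WSSecurityEngineResult.TAG_TIMESTAMP);
    return ts == null ? null : ts.getElement();
}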
