
Example 21 with WSSecurityEngineResult

Use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in the cxf project by apache.

Class SamlTokenPolicyValidator, method validatePolicies.

/**
 * Validates each {@code SamlToken} policy assertion against the SAML assertions that were
 * received with the message.
 * <p>
 * An assertion whose token is not required for this message is asserted together with its
 * token-type alternative. Otherwise at least one SAML result must be present and every
 * received assertion must carry the SAML version demanded by the policy. Unless the
 * {@code SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION} property is set to a value
 * other than {@code "true"}, each assertion must additionally satisfy the holder-of-key and
 * sender-vouches subject-confirmation checks; turning that property off skips both checks,
 * so the binding between the assertion and the message sender is then not verified here.
 *
 * @param parameters the validation context (message, assertion info map, SAML and signed results)
 * @param ais        the {@code SamlToken} assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SamlToken samlToken = (SamlToken) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(samlToken, parameters.getAssertionInfoMap());

        if (!isTokenRequired(samlToken, parameters.getMessage())) {
            // No token demanded on this message: assert the token-type alternative and move on.
            QName tokenTypeName = new QName(samlToken.getVersion().getNamespace(),
                                            samlToken.getSamlTokenType().name());
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), tokenTypeName);
            continue;
        }
        if (parameters.getSamlResults().isEmpty()) {
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
            continue;
        }

        String confProperty = (String) SecurityUtils.getSecurityPropertyValue(
            SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, parameters.getMessage());
        // Subject confirmation is validated unless the property explicitly turns it off.
        boolean validateSubjectConfirmation = confProperty == null || Boolean.parseBoolean(confProperty);

        // Every received SAML assertion must conform to the policy; each violation found
        // is recorded on the AssertionInfo.
        for (WSSecurityEngineResult result : parameters.getSamlResults()) {
            SamlAssertionWrapper assertionWrapper =
                (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            String violation = findViolation(parameters, samlToken, assertionWrapper, validateSubjectConfirmation);
            if (violation != null) {
                ai.setNotAsserted(violation);
            }
        }
    }
}

/**
 * Returns the first policy violation found for one received SAML assertion, or {@code null}
 * when it conforms: wrong SAML version, failed holder-of-key check, or failed sender-vouches
 * check (the latter two only when {@code validateSubjectConfirmation} is set).
 */
private String findViolation(PolicyValidatorParameters parameters, SamlToken samlToken,
                             SamlAssertionWrapper assertionWrapper, boolean validateSubjectConfirmation) {
    if (!checkVersion(parameters.getAssertionInfoMap(), samlToken, assertionWrapper)) {
        return "Wrong SAML Version";
    }
    if (!validateSubjectConfirmation) {
        return null;
    }
    // Peer certificates from the TLS session, if any, are what holder-of-key and
    // sender-vouches may be confirmed against.
    TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
    Certificate[] tlsCerts = tlsInfo == null ? null : tlsInfo.getPeerCertificates();
    if (!checkHolderOfKey(assertionWrapper, parameters.getSignedResults(), tlsCerts)) {
        return "Assertion fails holder-of-key requirements";
    }
    if (parameters.getSoapBody() == null
        || !DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, parameters.getSoapBody(),
                                           parameters.getSignedResults())) {
        return "Assertion fails sender-vouches requirements";
    }
    return null;
}

Example 22 with WSSecurityEngineResult

Use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in the cxf project by apache.

Class KerberosTokenPolicyValidator, method validatePolicies.

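/**
 * Validates the {@code KerberosToken} policy assertions against the Kerberos
 * BinarySecurityTokens that were received.
 * <p>
 * Every assertion is evaluated against each received Kerberos token in turn. An assertion
 * whose token is not required for this message is asserted together with both Kerberos
 * token-type alternatives; otherwise the received token must be of the type the policy
 * demands. The first token that satisfies all assertions is turned into a
 * {@link SecurityToken} (carrying the negotiated secret), added to the token store, and its
 * id is recorded on the exchange under {@code SecurityConstants.TOKEN_ID}; the method then
 * returns. A failure to add the token to the store is logged and does not unassert the policy.
 *
 * @param parameters the validation context (results, message, assertion info map)
 * @param ais        the {@code KerberosToken} assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    List<WSSecurityEngineResult> kerberosResults =
        findKerberosResults(parameters.getResults().getActionResults().get(WSConstants.BST));
    for (WSSecurityEngineResult kerberosResult : kerberosResults) {
        KerberosSecurity kerberosToken =
            (KerberosSecurity) kerberosResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        boolean asserted = true;
        for (AssertionInfo ai : ais) {
            KerberosToken kerberosTokenPolicy = (KerberosToken) ai.getAssertion();
            ai.setAsserted(true);
            assertToken(kerberosTokenPolicy, parameters.getAssertionInfoMap());
            if (!isTokenRequired(kerberosTokenPolicy, parameters.getMessage())) {
                String ns = kerberosTokenPolicy.getVersion().getNamespace();
                PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(),
                                         new QName(ns, "WssKerberosV5ApReqToken11"));
                PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(),
                                         new QName(ns, "WssGssKerberosV5ApReqToken11"));
                continue;
            }
            if (!checkToken(parameters.getAssertionInfoMap(), kerberosTokenPolicy, kerberosToken)) {
                asserted = false;
                ai.setNotAsserted("An incorrect Kerberos Token Type is detected");
            }
        }
        if (asserted) {
            SecurityToken token = createSecurityToken(kerberosToken);
            token.setSecret((byte[]) kerberosResult.get(WSSecurityEngineResult.TAG_SECRET));
            try {
                TokenStoreUtils.getTokenStore(parameters.getMessage()).add(token);
            } catch (TokenStoreException ex) {
                // Keep the exception as the log record's cause so the store failure
                // remains diagnosable; the message alone loses the stack trace.
                LOG.log(java.util.logging.Level.WARNING, ex.getMessage(), ex);
            }
            parameters.getMessage().getExchange().put(SecurityConstants.TOKEN_ID, token.getId());
            return;
        }
    }
}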

Example 23 with WSSecurityEngineResult

Use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in the cxf project by apache.

Class UsernameTokenPolicyValidator, method checkTokens.

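/**
 * Checks that every received UsernameToken conforms to the {@code UsernameToken} policy.
 * <p>
 * For each token the following policy properties are enforced: the password type
 * ({@code HashPassword} requires a digested password, {@code NoPassword} forbids any
 * password, any other type requires a password when the policy is a non-endorsing
 * supporting token), {@code Created} and {@code Nonce} (each must be present in the token
 * and neither is accepted together with a digested password). The first violation marks
 * {@code ai} as not asserted and stops the check.
 *
 * @param usernameTokenPolicy the policy assertion to enforce
 * @param ai                  the assertion info marked not asserted on the first violation
 * @param utResults           the security engine results holding the received UsernameTokens
 * @return {@code true} if all tokens conform (trivially so when {@code utResults} is empty)
 */
public boolean checkTokens(org.apache.wss4j.policy.model.UsernameToken usernameTokenPolicy, AssertionInfo ai, List<WSSecurityEngineResult> utResults) {
    // The policy does not change between tokens; evaluate its password type once.
    PasswordType passwordType = usernameTokenPolicy.getPasswordType();
    boolean isHashPassword = passwordType == PasswordType.HashPassword;
    boolean isNoPassword = passwordType == PasswordType.NoPassword;
    for (WSSecurityEngineResult result : utResults) {
        UsernameToken usernameToken = (UsernameToken) result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
        if (isHashPassword != usernameToken.isHashed()) {
            ai.setNotAsserted("Password hashing policy not enforced");
            return false;
        }
        if (isNoPassword) {
            if (usernameToken.getPassword() != null) {
                ai.setNotAsserted("Username Token NoPassword policy not enforced");
                return false;
            }
        } else if (usernameToken.getPassword() == null && isNonEndorsingSupportingToken(usernameTokenPolicy)) {
            ai.setNotAsserted("Username Token No Password supplied");
            return false;
        }
        if (usernameTokenPolicy.isCreated() && (usernameToken.getCreated() == null || usernameToken.isHashed())) {
            ai.setNotAsserted("Username Token Created policy not enforced");
            return false;
        }
        if (usernameTokenPolicy.isNonce() && (usernameToken.getNonce() == null || usernameToken.isHashed())) {
            ai.setNotAsserted("Username Token Nonce policy not enforced");
            return false;
        }
    }
    return true;
}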

Example 24 with WSSecurityEngineResult

Use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in the cxf project by apache.

Class WSS11PolicyValidator, method validatePolicies.

/**
 * Validates the {@code Wss11} policy assertions.
 * <p>
 * Only the SignatureConfirmation requirement is checked, and only when the message is
 * handled on the requestor side: the assertion is unasserted when the policy requires
 * signature confirmation but no {@code SignatureConfirmation} results were received, or when
 * it does not require it but such results are present. On the non-requestor side every
 * assertion is simply asserted.
 *
 * @param parameters the validation context (results, message, assertion info map)
 * @param ais        the {@code Wss11} assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    List<WSSecurityEngineResult> scResults = parameters.getResults().getActionResults().get(WSConstants.SC);
    for (AssertionInfo ai : ais) {
        Wss11 wss11 = (Wss11) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(wss11, parameters.getAssertionInfoMap());
        if (!MessageUtils.isRequestor(parameters.getMessage())) {
            continue;
        }
        // Presence of SignatureConfirmation results must match the policy requirement exactly.
        boolean receivedSignatureConfirmation = scResults != null && !scResults.isEmpty();
        if (wss11.isRequireSignatureConfirmation() != receivedSignatureConfirmation) {
            ai.setNotAsserted("Signature Confirmation policy validation failed");
        }
    }
}

Example 25 with WSSecurityEngineResult

Use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in the cxf project by apache.

Class AsymmetricBindingPolicyValidator, method checkInitiatorTokens.

/**
 * Checks the initiator token of an asymmetric binding against the signed and encrypted results.
 * <p>
 * When the policy token is an {@code X509Token} and there are signed results, at least one of
 * them must carry an X.509 certificate; otherwise the wrapper's policy and {@code ai} are
 * unasserted with an explanatory error. The wrapper's policy is then asserted and the
 * DerivedKeys requirement is checked for the token.
 *
 * @param wrapper          the token wrapper (initiator token) from the binding policy
 * @param ai               the assertion info marked not asserted on failure
 * @param aim              the assertion info map used to assert or unassert policies
 * @param hasDerivedKeys   whether derived keys were used in the message
 * @param signedResults    the security engine results for signatures
 * @param encryptedResults the security engine results for encryption
 * @return {@code true} if the initiator token satisfies the policy
 */
private boolean checkInitiatorTokens(AbstractTokenWrapper wrapper, AssertionInfo ai, AssertionInfoMap aim, boolean hasDerivedKeys, List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults) {
    AbstractToken token = wrapper.getToken();
    if (token instanceof X509Token && !signedResults.isEmpty()) {
        boolean certificateUsed = signedResults.stream()
            .anyMatch(r -> ((X509Certificate) r.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE)) != null);
        if (!certificateUsed) {
            String error = "An X.509 certificate was not used for the " + wrapper.getName();
            unassertPolicy(aim, wrapper.getName(), error);
            ai.setNotAsserted(error);
            return false;
        }
    }
    PolicyUtils.assertPolicy(aim, wrapper.getName());
    if (!checkDerivedKeys(wrapper, hasDerivedKeys, signedResults, encryptedResults)) {
        ai.setNotAsserted("Message fails the DerivedKeys requirement");
        return false;
    }
    assertDerivedKeys(token, aim);
    return true;
}
