
Example 1 with WSSecUsernameToken

use of org.apache.wss4j.dom.message.WSSecUsernameToken in project cxf by apache.

Class UsernameTokenInterceptor, method addToken:

/**
 * Builds a UsernameToken for the outbound message and appends it to the
 * security header. When no token can be built (the builder comes back
 * {@code null}, e.g. no username/password could be resolved), every
 * UsernameToken assertion that is currently asserted is marked as not
 * asserted instead, so the policy failure is reported rather than hidden.
 *
 * @param message the outbound SOAP message
 */
protected void addToken(SoapMessage message) {
    UsernameToken policyToken = assertTokens(message);
    Header securityHeader = findSecurityHeader(message, true);
    Element headerElement = (Element) securityHeader.getObject();
    WSSecUsernameToken builder = addUsernameToken(message, headerElement.getOwnerDocument(), policyToken);
    if (builder != null) {
        builder.prepare();
        headerElement.appendChild(builder.getUsernameTokenElement());
        return;
    }
    // No token could be built: withdraw any UsernameToken assertion already marked as asserted
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    for (AssertionInfo info : PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN)) {
        if (info.isAsserted()) {
            info.setAsserted(false);
        }
    }
}

Example 2 with WSSecUsernameToken

use of org.apache.wss4j.dom.message.WSSecUsernameToken in project cxf by apache.

Class AbstractBindingBuilder, method doEndorsedSignatures:

/**
 * Produces an endorsing signature for each supporting token in {@code tokenList}.
 * Every signature covers the main signature ({@code mainSigId}/{@code bottomUpElement})
 * plus the token's own signed parts, and, when {@code isTokenProtection} is set, the
 * token itself. How the signature is computed depends on the token implementation:
 * an asymmetric {@link WSSecSignature}, a stored {@code SecurityToken} (symmetric
 * signature, optionally with derived keys) or a {@link WSSecUsernameToken} whose
 * derived key is used as the symmetric secret.
 *
 * @param tokenList         the supporting tokens that must endorse the main signature
 * @param isTokenProtection whether the endorsing token itself must also be signed
 * @param isSigProtect      whether the resulting signature must be encrypted
 *                          (its id is queued in {@code encryptedTokensList})
 */
protected void doEndorsedSignatures(List<SupportingToken> tokenList, boolean isTokenProtection, boolean isSigProtect) {
    for (SupportingToken supportingToken : tokenList) {
        Object tempTok = supportingToken.getTokenImplementation();
        // Every endorsing signature covers the main signature first ...
        List<WSEncryptionPart> sigParts = new ArrayList<>();
        WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId);
        sigPart.setElement(bottomUpElement);
        sigParts.add(sigPart);
        // ... plus whatever parts the supporting token is required to sign
        if (supportingToken.getSignedParts() != null) {
            for (WSEncryptionPart signedPart : supportingToken.getSignedParts()) {
                sigParts.add(signedPart);
            }
        }
        if (tempTok instanceof WSSecSignature) {
            WSSecSignature sig = (WSSecSignature) tempTok;
            // Token protection for an X.509-style signature means signing the BST element
            if (isTokenProtection && sig.getBSTTokenId() != null) {
                WSEncryptionPart bstPart = new WSEncryptionPart(sig.getBSTTokenId());
                bstPart.setElement(sig.getBinarySecurityTokenElement());
                sigParts.add(bstPart);
            }
            try {
                List<Reference> referenceList = sig.addReferencesToSign(sigParts);
                sig.computeSignature(referenceList, false, null);
                addSig(sig.getSignatureValue());
                if (isSigProtect) {
                    WSEncryptionPart part = new WSEncryptionPart(sig.getId(), "Element");
                    encryptedTokensList.add(part);
                }
            } catch (WSSecurityException e) {
                // A failed endorsing signature is surfaced as a policy failure
                unassertPolicy(supportingToken.getToken(), e);
            }
        } else if (tempTok instanceof WSSecurityTokenHolder) {
            SecurityToken token = ((WSSecurityTokenHolder) tempTok).getToken();
            if (isTokenProtection) {
                sigParts.add(new WSEncryptionPart(token.getId()));
            }
            try {
                if (supportingToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                    doSymmSignatureDerived(supportingToken.getToken(), token, sigParts, isTokenProtection, isSigProtect);
                } else {
                    doSymmSignature(supportingToken.getToken(), token, sigParts, isTokenProtection, isSigProtect);
                }
            } catch (Exception e) {
                // NOTE(review): unlike the WSSecSignature branch above, a failure here is only
                // logged at FINE and the policy stays asserted, so the message may go out
                // without the required endorsing signature — confirm this is intended.
                LOG.log(Level.FINE, e.getMessage(), e);
            }
        } else if (tempTok instanceof WSSecUsernameToken) {
            WSSecUsernameToken utBuilder = (WSSecUsernameToken) tempTok;
            String id = utBuilder.getId();
            // Wrap the UsernameToken as a SecurityToken so the symmetric-signature helpers
            // can use it; the lifetime comes from getSecurityTokenLifetime (presumably
            // milliseconds, given the division by 1000 — verify against WSS4JUtils)
            Instant created = Instant.now();
            Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
            SecurityToken secToken = new SecurityToken(id, utBuilder.getUsernameTokenElement(), created, expires);
            if (isTokenProtection) {
                sigParts.add(new WSEncryptionPart(secToken.getId()));
            }
            try {
                // The key derived from the UsernameToken password is the symmetric signing secret
                byte[] secret = utBuilder.getDerivedKey();
                secToken.setSecret(secret);
                if (supportingToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                    doSymmSignatureDerived(supportingToken.getToken(), secToken, sigParts, isTokenProtection, isSigProtect);
                } else {
                    doSymmSignature(supportingToken.getToken(), secToken, sigParts, isTokenProtection, isSigProtect);
                }
            } catch (Exception e) {
                // NOTE(review): same leniency as the WSSecurityTokenHolder branch — failure is
                // logged at FINE only and the policy is not unasserted.
                LOG.log(Level.FINE, e.getMessage(), e);
            }
        }
    }
}

Example 3 with WSSecUsernameToken

use of org.apache.wss4j.dom.message.WSSecUsernameToken in project cxf by apache.

Class AbstractBindingBuilder, method addSignatureParts:

/**
 * Adds one signature part per supporting token to {@code sigParts}, so the
 * main signature covers the token. SAML tokens are referenced through an STR
 * (STRTransform) when {@code SecurityConstants.USE_STR_TRANSFORM} is enabled
 * (the default); otherwise the token element is referenced directly. Token
 * implementations this builder does not recognise cause the token's policy
 * assertion to be unasserted.
 *
 * @param tokenList the supporting tokens to be signed
 * @param sigParts  the list of parts to sign, extended in place
 */
protected void addSignatureParts(List<SupportingToken> tokenList, List<WSEncryptionPart> sigParts) {
    boolean useSTRTransform = MessageUtils.getContextualBoolean(message, SecurityConstants.USE_STR_TRANSFORM, true);
    for (SupportingToken supportingToken : tokenList) {
        Object impl = supportingToken.getTokenImplementation();
        WSEncryptionPart part = null;
        if (impl instanceof WSSecSignature) {
            WSSecSignature sig = (WSSecSignature) impl;
            SecurityTokenReference strRef = sig.getSecurityTokenReference();
            boolean samlKeyIdentifier = WSS4JConstants.WSS_SAML_KI_VALUE_TYPE.equals(strRef.getKeyIdentifierValueType())
                || WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE.equals(strRef.getKeyIdentifierValueType());
            if (samlKeyIdentifier) {
                // A SAML key identifier is referenced through a cloned STR and STRTransform
                Element strClone = cloneElement(strRef.getElement());
                addSupportingElement(strClone);
                part = new WSEncryptionPart("STRTransform", null, "Element");
                part.setId(sig.getSecurityTokenReferenceURI());
                part.setElement(strClone);
            } else if (sig.getBSTTokenId() != null) {
                part = new WSEncryptionPart(sig.getBSTTokenId());
                part.setElement(sig.getBinarySecurityTokenElement());
            }
        } else if (impl instanceof WSSecUsernameToken) {
            WSSecUsernameToken usernameToken = (WSSecUsernameToken) impl;
            part = new WSEncryptionPart(usernameToken.getId());
            part.setElement(usernameToken.getUsernameTokenElement());
        } else if (impl instanceof BinarySecurity) {
            BinarySecurity binaryToken = (BinarySecurity) impl;
            part = new WSEncryptionPart(binaryToken.getID());
            part.setElement(binaryToken.getElement());
        } else if (impl instanceof SamlAssertionWrapper) {
            SamlAssertionWrapper assertion = (SamlAssertionWrapper) impl;
            Document ownerDoc = assertion.getElement().getOwnerDocument();
            boolean isSaml1 = assertion.getSaml1() != null;
            if (useSTRTransform) {
                // TODO We only support using a KeyIdentifier for the moment
                SecurityTokenReference strRef = createSTRForSamlAssertion(ownerDoc, assertion.getId(), isSaml1, false);
                Element strClone = cloneElement(strRef.getElement());
                addSupportingElement(strClone);
                part = new WSEncryptionPart("STRTransform", null, "Element");
                part.setId(strRef.getID());
                part.setElement(strClone);
            } else {
                part = new WSEncryptionPart(assertion.getId());
                part.setElement(assertion.getElement());
            }
        } else if (impl instanceof WSSecurityTokenHolder) {
            SecurityToken storedToken = ((WSSecurityTokenHolder) impl).getToken();
            String tokenType = storedToken.getTokenType();
            boolean isSaml1 = WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
                || WSS4JConstants.SAML_NS.equals(tokenType);
            boolean isSaml2 = WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
                || WSS4JConstants.SAML2_NS.equals(tokenType);
            if (isSaml1 || isSaml2) {
                Document ownerDoc = storedToken.getToken().getOwnerDocument();
                String assertionId = storedToken.getId();
                // Fall back to the assertion's own id attribute when the stored token has none
                if (assertionId == null || "".equals(assertionId)) {
                    assertionId = storedToken.getToken().getAttributeNS(null, isSaml1 ? "AssertionID" : "ID");
                }
                if (useSTRTransform) {
                    SecurityTokenReference strRef = createSTRForSamlAssertion(ownerDoc, assertionId, isSaml1, false);
                    Element strClone = cloneElement(strRef.getElement());
                    addSupportingElement(strClone);
                    part = new WSEncryptionPart("STRTransform", null, "Element");
                    part.setId(strRef.getID());
                    part.setElement(strClone);
                } else {
                    part = new WSEncryptionPart(assertionId);
                    part.setElement(storedToken.getToken());
                }
            } else {
                String referencedId = XMLUtils.getIDFromReference(storedToken.getId());
                part = new WSEncryptionPart(referencedId);
                part.setElement(storedToken.getToken());
            }
        } else {
            unassertPolicy(supportingToken.getToken(), "UnsupportedTokenInSupportingToken: " + impl);
        }
        if (part != null) {
            sigParts.add(part);
        }
    }
}

Example 4 with WSSecUsernameToken

use of org.apache.wss4j.dom.message.WSSecUsernameToken in project cxf by apache.

Class SymmetricBindingHandler, method setupUTDerivedKey:

/**
 * Adds a derived-key UsernameToken for the given policy token, stores a
 * {@link SecurityToken} carrying the derived secret in the token store and
 * returns the UsernameToken's id so the symmetric binding can refer to it.
 *
 * @param sigToken the UsernameToken policy assertion to satisfy
 * @return the id of the UsernameToken that was added
 * @throws WSSecurityException if the token or its derived key cannot be built
 */
private String setupUTDerivedKey(UsernameToken sigToken) throws WSSecurityException {
    WSSecUsernameToken utBuilder = addDKUsernameToken(sigToken, hasSignedPartsOrElements());
    String tokenId = utBuilder.getId();
    byte[] derivedSecret = utBuilder.getDerivedKey();
    Instant issuedAt = Instant.now();
    long lifetimeSeconds = WSS4JUtils.getSecurityTokenLifetime(message) / 1000L;
    Instant validUntil = issuedAt.plusSeconds(lifetimeSeconds);
    SecurityToken stored = new SecurityToken(tokenId, utBuilder.getUsernameTokenElement(), issuedAt, validUntil);
    stored.setSecret(derivedSecret);
    tokenStore.add(stored);
    return tokenId;
}

Example 5 with WSSecUsernameToken

use of org.apache.wss4j.dom.message.WSSecUsernameToken in project cxf by apache.

Class UsernameTokenInterceptor, method addUsernameToken:

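/**
 * Builds the WSS4J UsernameToken builder for the outbound message according to
 * the policy token. The username comes from {@code SecurityConstants.USERNAME};
 * unless the policy is {@code NoPassword}, the password comes from
 * {@code SecurityConstants.PASSWORD} or, failing that, from the password
 * callback. A missing credential unasserts the policy and yields {@code null}.
 * <p>
 * NOTE(review): {@code PASSWORD_TEXT} places the password in clear in the
 * header, so it relies on the binding/transport for confidentiality;
 * {@code PASSWORD_DIGEST} is only replay-resistant when nonce and created are
 * emitted as well — both are driven by the policy token here.
 *
 * @param message the outbound SOAP message
 * @param doc     the document the token element is created in
 * @param token   the UsernameToken policy assertion
 * @return the configured builder (not yet prepared), or {@code null} when no
 *         username, or no password for a password-bearing policy, is available
 */
protected WSSecUsernameToken addUsernameToken(SoapMessage message, Document doc, UsernameToken token) {
    String userName = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
    WSSConfig wssConfig = (WSSConfig) message.getContextualProperty(WSSConfig.class.getName());
    if (wssConfig == null) {
        wssConfig = WSSConfig.getNewInstance();
    }
    if (StringUtils.isEmpty(userName)) {
        policyNotAsserted(token, "No username available", message);
        return null;
    }
    // If NoPassword property is set we don't need to look up or set the password
    boolean noPassword = token.getPasswordType() == UsernameToken.PasswordType.NoPassword;
    String password = null;
    if (!noPassword) {
        password = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.PASSWORD, message);
        if (StringUtils.isEmpty(password)) {
            password = getPassword(userName, token, WSPasswordCallback.USERNAME_TOKEN, message);
        }
        if (StringUtils.isEmpty(password)) {
            // The username was resolved above, so the credential that is missing is the password
            policyNotAsserted(token, "No password available", message);
            return null;
        }
    }
    // Common builder setup: share the id allocator and time source of the WSS configuration
    WSSecUsernameToken utBuilder = new WSSecUsernameToken(doc);
    utBuilder.setIdAllocator(wssConfig.getIdAllocator());
    utBuilder.setWsTimeSource(wssConfig.getCurrentTime());
    if (noPassword) {
        utBuilder.setUserInfo(userName, null);
        utBuilder.setPasswordType(null);
        return utBuilder;
    }
    if (token.getPasswordType() == UsernameToken.PasswordType.HashPassword) {
        utBuilder.setPasswordType(WSS4JConstants.PASSWORD_DIGEST);
    } else {
        utBuilder.setPasswordType(WSS4JConstants.PASSWORD_TEXT);
    }
    if (token.isCreated()) {
        utBuilder.addCreated();
    }
    if (token.isNonce()) {
        utBuilder.addNonce();
    }
    utBuilder.setUserInfo(userName, password);
    return utBuilder;
}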
