Use of org.apache.wss4j.dom.message.token.KerberosSecurity in project cxf by apache.
Example from class KerberosTokenPolicyValidator, method validatePolicies.
/**
 * Validates the Kerberos token assertions against the BinarySecurityToken results
 * found in the message.
 *
 * <p>Each {@link KerberosSecurity} result is checked against every {@link KerberosToken}
 * assertion. An assertion whose token is not required for this message has the two
 * WSS Kerberos sub-policies asserted and is otherwise skipped; an assertion whose token
 * type does not match the received token is marked as not asserted. The first result
 * that satisfies all assertions is turned into a {@link SecurityToken}, has its secret
 * copied from the engine result, is added to the token store and has its id placed on
 * the exchange under {@code SecurityConstants.TOKEN_ID}; the method then returns. If
 * no result satisfies the assertions nothing is stored.
 *
 * @param parameters validation parameters (engine results, message, assertion map)
 * @param ais the Kerberos token assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    List<WSSecurityEngineResult> bstResults =
        findKerberosResults(parameters.getResults().getActionResults().get(WSConstants.BST));
    for (WSSecurityEngineResult result : bstResults) {
        KerberosSecurity receivedToken =
            (KerberosSecurity) result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        if (!applyKerberosAssertions(parameters, ais, receivedToken)) {
            // At least one assertion reported a token-type mismatch; try the next result.
            continue;
        }
        SecurityToken stored = createSecurityToken(receivedToken);
        stored.setSecret((byte[]) result.get(WSSecurityEngineResult.TAG_SECRET));
        TokenStoreUtils.getTokenStore(parameters.getMessage()).add(stored);
        parameters.getMessage().getExchange().put(SecurityConstants.TOKEN_ID, stored.getId());
        return;
    }
}

/**
 * Runs every assertion in {@code ais} against one received token. All assertions are
 * visited even after a mismatch so that each one records its own asserted state.
 *
 * @param parameters validation parameters (message and assertion map)
 * @param ais the Kerberos token assertions
 * @param receivedToken the token taken from the engine result
 * @return {@code true} when no assertion reported a token-type mismatch
 */
private boolean applyKerberosAssertions(PolicyValidatorParameters parameters,
                                        Collection<AssertionInfo> ais,
                                        KerberosSecurity receivedToken) {
    boolean allMatched = true;
    for (AssertionInfo ai : ais) {
        KerberosToken policy = (KerberosToken) ai.getAssertion();
        ai.setAsserted(true);
        assertToken(policy, parameters.getAssertionInfoMap());
        if (!isTokenRequired(policy, parameters.getMessage())) {
            // Token not required here: assert the sub-policies so they do not fail later.
            String ns = policy.getVersion().getNamespace();
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(),
                                     new QName(ns, "WssKerberosV5ApReqToken11"));
            PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(),
                                     new QName(ns, "WssGssKerberosV5ApReqToken11"));
        } else if (!checkToken(parameters.getAssertionInfoMap(), policy, receivedToken)) {
            allMatched = false;
            ai.setNotAsserted("An incorrect Kerberos Token Type is detected");
        }
    }
    return allMatched;
}
Use of org.apache.wss4j.dom.message.token.KerberosSecurity in project cxf by apache.
Example from class AbstractSupportingTokenPolicyValidator, method processKerberosTokens.
/**
 * Processes the Kerberos BinarySecurityToken results as supporting tokens.
 *
 * <p>Only BST results whose token is a {@link KerberosSecurity} are considered. The
 * method returns {@code false} when no such token is present, or when the configured
 * signed, encrypted or endorsing requirement is not met. When {@code derived} is set and
 * derived-key results exist, the derived-key result matching each token's secret is
 * appended to the token list before the endorsing check. The final verdict is delegated
 * to {@code validateSignedEncryptedPolicies}.
 *
 * @param parameters validation parameters (engine results, signed/encrypted results,
 *        message, timestamp element)
 * @param derived whether derived keys based on the Kerberos tokens should be considered
 * @return {@code true} when the Kerberos supporting tokens satisfy the policy
 */
protected boolean processKerberosTokens(PolicyValidatorParameters parameters, boolean derived) {
    if (!parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
        return false;
    }
    List<WSSecurityEngineResult> kerberosResults = new ArrayList<>();
    for (WSSecurityEngineResult bstResult
            : parameters.getResults().getActionResults().get(WSConstants.BST)) {
        BinarySecurity bst =
            (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        if (bst instanceof KerberosSecurity) {
            kerberosResults.add(bstResult);
        }
    }
    if (kerberosResults.isEmpty()) {
        return false;
    }
    if (isSigned() && !areTokensSigned(kerberosResults, parameters.getSignedResults(),
                                       parameters.getEncryptedResults(), parameters.getMessage())) {
        return false;
    }
    if (isEncrypted() && !areTokensEncrypted(kerberosResults, parameters.getEncryptedResults(),
                                             parameters.getMessage())) {
        return false;
    }
    if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
        kerberosResults.addAll(collectMatchingDerivedKeys(kerberosResults, parameters));
    }
    if (isEndorsing() && !checkEndorsed(kerberosResults, parameters.getSignedResults(),
                                        parameters.getMessage(), parameters.getTimestampElement())) {
        return false;
    }
    return validateSignedEncryptedPolicies(kerberosResults, parameters.getSignedResults(),
                                           parameters.getEncryptedResults(), parameters.getMessage());
}

/**
 * Looks up, for each Kerberos result, the derived-key result whose key was derived from
 * that token's secret.
 *
 * @param kerberosResults the Kerberos BST results
 * @param parameters validation parameters providing the engine results
 * @return the matching derived-key results, in the order of {@code kerberosResults};
 *         tokens without a match contribute nothing
 */
private List<WSSecurityEngineResult> collectMatchingDerivedKeys(
        List<WSSecurityEngineResult> kerberosResults, PolicyValidatorParameters parameters) {
    List<WSSecurityEngineResult> derivedResults = new ArrayList<>(kerberosResults.size());
    for (WSSecurityEngineResult result : kerberosResults) {
        byte[] secret = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);
        WSSecurityEngineResult match = getMatchingDerivedKey(secret, parameters.getResults());
        if (match != null) {
            derivedResults.add(match);
        }
    }
    return derivedResults;
}
Use of org.apache.wss4j.dom.message.token.KerberosSecurity in project cxf by apache.
Example from class KerberosClient, method requestSecurityToken.
/**
 * Requests a Kerberos service ticket for {@code serviceName} through the configured JAAS
 * login context and wraps the resulting BinarySecurityToken in a {@link SecurityToken}.
 *
 * <p>If {@code useDelegatedCredential} is set and the current message carries a
 * {@link GSSCredential} under {@code SecurityConstants.DELEGATED_CREDENTIAL}, that
 * credential is passed to the ticket request. The token id is allocated by the WSS
 * config id allocator. When the ticket yields a secret key it is stored on the token as
 * both key and encoded secret; a Base64 (MIME encoder) rendering of
 * {@code KeyUtils.generateDigest} over the token bytes is recorded via {@code setSHA1}.
 *
 * @return the security token holding the BST element, its wsu id, raw token bytes and
 *         value type
 * @throws Exception if the ticket cannot be obtained or the token cannot be built
 */
public SecurityToken requestSecurityToken() throws Exception {
    GSSCredential delegated = delegatedCredentialFromCurrentMessage();
    if (LOG.isLoggable(Level.FINE)) {
        LOG.fine("Requesting Kerberos ticket for " + serviceName
                 + " using JAAS Login Module: " + getContextName());
    }
    KerberosSecurity bst = createKerberosSecurity();
    bst.retrieveServiceTicket(getContextName(), callbackHandler, serviceName,
                              isUsernameServiceNameForm, requestCredentialDelegation, delegated);
    bst.addWSUNamespace();
    bst.setID(wssConfig.getIdAllocator().createSecureId("BST-", bst));
    return toSecurityToken(bst);
}

/**
 * Returns the delegated {@link GSSCredential} attached to the current message, or
 * {@code null} when there is no current message, delegation is not enabled, or the
 * property is absent or of another type.
 */
private GSSCredential delegatedCredentialFromCurrentMessage() {
    Message message = PhaseInterceptorChain.getCurrentMessage();
    if (message == null || !useDelegatedCredential) {
        return null;
    }
    Object candidate = message.getContextualProperty(SecurityConstants.DELEGATED_CREDENTIAL);
    return candidate instanceof GSSCredential ? (GSSCredential) candidate : null;
}

/**
 * Builds the {@link SecurityToken} view of a populated {@link KerberosSecurity}.
 *
 * @param bst the BST that already holds the service ticket and its id
 * @return the token carrying element, wsu id, bytes, optional key/secret, digest and
 *         value type
 * @throws Exception if the digest of the token bytes cannot be computed
 */
private static SecurityToken toSecurityToken(KerberosSecurity bst) throws Exception {
    String id = bst.getID();
    SecurityToken token = new SecurityToken(id);
    token.setToken(bst.getElement());
    token.setWsuId(id);
    token.setData(bst.getToken());
    SecretKey sessionKey = bst.getSecretKey();
    if (sessionKey != null) {
        // Only tickets that yield a session key populate the key/secret pair.
        token.setKey(sessionKey);
        token.setSecret(sessionKey.getEncoded());
    }
    byte[] digest = KeyUtils.generateDigest(bst.getToken());
    token.setSHA1(Base64.getMimeEncoder().encodeToString(digest));
    token.setTokenType(bst.getValueType());
    return token;
}