
Example 1 with KerberosSecurity

Use of org.apache.wss4j.dom.message.token.KerberosSecurity in the project cxf by apache.

The class KerberosTokenPolicyValidator, method validatePolicies.

/**
 * Validates the received Kerberos BinarySecurityTokens against the KerberosToken assertions.
 * <p>
 * Every Kerberos BST result is checked against all assertions in {@code ais}. An assertion whose
 * token is not required for this message is asserted together with the
 * {@code WssKerberosV5ApReqToken11} and {@code WssGssKerberosV5ApReqToken11} sub-assertions and
 * otherwise skipped; any other assertion is asserted only if {@code checkToken} accepts the
 * received token. The first token accepted by every assertion is wrapped in a
 * {@link SecurityToken}, given the secret from the engine result, added to the message's
 * TokenStore and its id recorded on the exchange under {@code SecurityConstants.TOKEN_ID}.
 * Nothing is stored when no token satisfies all assertions.
 *
 * @param parameters the validation context (engine results, message, assertion info map)
 * @param ais the KerberosToken assertions to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    List<WSSecurityEngineResult> bstResults =
        findKerberosResults(parameters.getResults().getActionResults().get(WSConstants.BST));

    for (WSSecurityEngineResult bstResult : bstResults) {
        // Assumes findKerberosResults keeps only results whose token is a KerberosSecurity;
        // the cast relies on that filtering.
        KerberosSecurity receivedToken =
            (KerberosSecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);

        boolean rejected = false;
        for (AssertionInfo ai : ais) {
            KerberosToken policy = (KerberosToken) ai.getAssertion();
            ai.setAsserted(true);
            assertToken(policy, parameters.getAssertionInfoMap());

            if (!isTokenRequired(policy, parameters.getMessage())) {
                // Token not required here: assert the two AP-REQ sub-assertions and move on.
                String policyNs = policy.getVersion().getNamespace();
                PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(),
                                         new QName(policyNs, "WssKerberosV5ApReqToken11"));
                PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(),
                                         new QName(policyNs, "WssGssKerberosV5ApReqToken11"));
            } else if (!checkToken(parameters.getAssertionInfoMap(), policy, receivedToken)) {
                // Keep iterating so every assertion gets an explicit asserted/not-asserted state.
                rejected = true;
                ai.setNotAsserted("An incorrect Kerberos Token Type is detected");
            }
        }

        if (rejected) {
            continue;
        }

        // First token accepted by every assertion wins: cache it and expose its id on the exchange.
        SecurityToken storedToken = createSecurityToken(receivedToken);
        storedToken.setSecret((byte[]) bstResult.get(WSSecurityEngineResult.TAG_SECRET));
        TokenStoreUtils.getTokenStore(parameters.getMessage()).add(storedToken);
        parameters.getMessage().getExchange().put(SecurityConstants.TOKEN_ID, storedToken.getId());
        return;
    }
}

Example 2 with KerberosSecurity

Use of org.apache.wss4j.dom.message.token.KerberosSecurity in the project cxf by apache.

The class AbstractSupportingTokenPolicyValidator, method processKerberosTokens.

/**
 * Validates the Kerberos BinarySecurityTokens received in the message against this
 * supporting-token policy.
 * <p>
 * Only BST results whose token is a {@link KerberosSecurity} are considered. The method returns
 * {@code false} when no such token was received, or when the signed, encrypted or endorsing
 * requirement of the policy (as reported by {@code isSigned()}, {@code isEncrypted()} and
 * {@code isEndorsing()}) is not met by the collected results; otherwise it returns the outcome
 * of {@code validateSignedEncryptedPolicies}.
 *
 * @param parameters the validation context (engine results, signed/encrypted results, message,
 *        timestamp element)
 * @param derived whether derived-key (DKT) results whose secret matches a Kerberos token are
 *        appended to the token list before the endorsing check
 * @return {@code true} if the received Kerberos tokens satisfy the policy
 */
protected boolean processKerberosTokens(PolicyValidatorParameters parameters, boolean derived) {
    List<WSSecurityEngineResult> kerberosResults = new ArrayList<>();
    if (parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
        for (WSSecurityEngineResult bstResult
            : parameters.getResults().getActionResults().get(WSConstants.BST)) {
            BinarySecurity bst =
                (BinarySecurity) bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
            if (bst instanceof KerberosSecurity) {
                kerberosResults.add(bstResult);
            }
        }
    }

    if (kerberosResults.isEmpty()) {
        return false;
    }

    boolean signedOk = !isSigned()
        || areTokensSigned(kerberosResults, parameters.getSignedResults(),
                           parameters.getEncryptedResults(), parameters.getMessage());
    if (!signedOk) {
        return false;
    }

    boolean encryptedOk = !isEncrypted()
        || areTokensEncrypted(kerberosResults, parameters.getEncryptedResults(),
                              parameters.getMessage());
    if (!encryptedOk) {
        return false;
    }

    if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
        // Collect first, then append, so the derived-key results are not themselves iterated.
        List<WSSecurityEngineResult> derivedResults = new ArrayList<>(kerberosResults.size());
        for (WSSecurityEngineResult kerberosResult : kerberosResults) {
            byte[] tokenSecret = (byte[]) kerberosResult.get(WSSecurityEngineResult.TAG_SECRET);
            WSSecurityEngineResult match = getMatchingDerivedKey(tokenSecret, parameters.getResults());
            if (match != null) {
                derivedResults.add(match);
            }
        }
        kerberosResults.addAll(derivedResults);
    }

    boolean endorsingOk = !isEndorsing()
        || checkEndorsed(kerberosResults, parameters.getSignedResults(),
                         parameters.getMessage(), parameters.getTimestampElement());
    if (!endorsingOk) {
        return false;
    }

    return validateSignedEncryptedPolicies(kerberosResults, parameters.getSignedResults(),
                                           parameters.getEncryptedResults(), parameters.getMessage());
}

Example 3 with KerberosSecurity

Use of org.apache.wss4j.dom.message.token.KerberosSecurity in the project cxf by apache.

The class KerberosClient, method requestSecurityToken.

/**
 * Obtains a Kerberos service ticket through the configured JAAS login context and wraps it as a
 * {@link SecurityToken}.
 * <p>
 * When {@code useDelegatedCredential} is set and the current message carries a
 * {@link GSSCredential} under {@code SecurityConstants.DELEGATED_CREDENTIAL}, that credential is
 * used for the ticket request. The returned token carries the BST element, its wsu:Id, the raw
 * ticket bytes, the session key (when one is available) and a Base64-encoded digest of the
 * ticket as its SHA-1 identifier.
 *
 * @return the security token wrapping the Kerberos BinarySecurityToken
 * @throws Exception if the ticket cannot be retrieved or the token cannot be built
 */
public SecurityToken requestSecurityToken() throws Exception {
    // A delegated credential, if the caller supplied one on the message, takes precedence.
    GSSCredential delegated = null;
    Message current = PhaseInterceptorChain.getCurrentMessage();
    if (current != null && useDelegatedCredential) {
        Object candidate = current.getContextualProperty(SecurityConstants.DELEGATED_CREDENTIAL);
        if (candidate instanceof GSSCredential) {
            delegated = (GSSCredential) candidate;
        }
    }

    if (LOG.isLoggable(Level.FINE)) {
        LOG.fine("Requesting Kerberos ticket for " + serviceName
                 + " using JAAS Login Module: " + getContextName());
    }

    KerberosSecurity kerberosBst = createKerberosSecurity();
    kerberosBst.retrieveServiceTicket(getContextName(), callbackHandler, serviceName,
                                      isUsernameServiceNameForm, requestCredentialDelegation,
                                      delegated);
    kerberosBst.addWSUNamespace();
    kerberosBst.setID(wssConfig.getIdAllocator().createSecureId("BST-", kerberosBst));

    String bstId = kerberosBst.getID();
    SecurityToken token = new SecurityToken(bstId);
    token.setToken(kerberosBst.getElement());
    token.setWsuId(bstId);
    token.setData(kerberosBst.getToken());

    // The session key is only present once the ticket exchange established one.
    SecretKey sessionKey = kerberosBst.getSecretKey();
    if (sessionKey != null) {
        token.setKey(sessionKey);
        token.setSecret(sessionKey.getEncoded());
    }

    // NOTE(review): the MIME encoder is kept for compatibility with the existing identifier
    // format; it only inserts line breaks beyond 76 characters, which a digest of this size
    // (presumably SHA-1, see setSHA1) does not reach — confirm before relying on that.
    byte[] ticketDigest = KeyUtils.generateDigest(kerberosBst.getToken());
    token.setSHA1(Base64.getMimeEncoder().encodeToString(ticketDigest));
    token.setTokenType(kerberosBst.getValueType());
    return token;
}
