Example 1 with Validator
use of org.apache.wss4j.dom.validate.Validator in project ddf by codice.
the class SimpleSign method validateSignature.
public void validateSignature(Signature signature, Document doc) throws SignatureException {
RequestData requestData = new RequestData();
requestData.setSigVerCrypto(crypto.getSignatureCrypto());
WSSConfig wssConfig = WSSConfig.getNewInstance();
requestData.setWssConfig(wssConfig);
SAMLKeyInfo samlKeyInfo = null;
KeyInfo keyInfo = signature.getKeyInfo();
if (keyInfo != null) {
try {
samlKeyInfo = SAMLUtil.getCredentialFromKeyInfo(keyInfo.getDOM(), new WSSSAMLKeyInfoProcessor(requestData, new WSDocInfo(doc)), crypto.getSignatureCrypto());
} catch (WSSecurityException e) {
throw new SignatureException("Unable to get KeyInfo.", e);
}
}
if (samlKeyInfo == null) {
throw new SignatureException("No KeyInfo supplied in the signature");
}
validateSignatureAndSamlKey(signature, samlKeyInfo);
Credential trustCredential = new Credential();
trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
trustCredential.setCertificates(samlKeyInfo.getCerts());
Validator signatureValidator = new SignatureTrustValidator();
try {
signatureValidator.validate(trustCredential, requestData);
} catch (WSSecurityException e) {
throw new SignatureException("Error validating signature", e);
}
}
Also used :
WSDocInfo(org.apache.wss4j.dom.WSDocInfo)
Credential(org.apache.wss4j.dom.validate.Credential)
BasicX509Credential(org.opensaml.security.x509.BasicX509Credential)
SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo)
WSSConfig(org.apache.wss4j.dom.engine.WSSConfig)
KeyInfo(org.opensaml.xmlsec.signature.KeyInfo)
SAMLKeyInfo(org.apache.wss4j.common.saml.SAMLKeyInfo)
RequestData(org.apache.wss4j.dom.handler.RequestData)
SignatureTrustValidator(org.apache.wss4j.dom.validate.SignatureTrustValidator)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
WSSSAMLKeyInfoProcessor(org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor)
Validator(org.apache.wss4j.dom.validate.Validator)
SignatureValidator(org.opensaml.xmlsec.signature.support.SignatureValidator)
SAMLSignatureProfileValidator(org.opensaml.saml.security.impl.SAMLSignatureProfileValidator)
SignatureTrustValidator(org.apache.wss4j.dom.validate.SignatureTrustValidator)
Example 2 with Validator
use of org.apache.wss4j.dom.validate.Validator in project ddf by codice.
the class UPBSTValidator method validateToken.
/**
* Validate a Token using the given TokenValidatorParameters.
*
* @param tokenParameters
* @return TokenValidatorResponse
*/
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
LOGGER.trace("Validating UPBST Token");
if (parser == null) {
throw new IllegalStateException("XMLParser must be configured.");
}
if (failedLoginDelayer == null) {
throw new IllegalStateException("Failed Login Delayer must be configured");
}
STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
Crypto sigCrypto = stsProperties.getSignatureCrypto();
CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
RequestData requestData = new RequestData();
requestData.setSigVerCrypto(sigCrypto);
requestData.setWssConfig(WSSConfig.getNewInstance());
requestData.setCallbackHandler(callbackHandler);
TokenValidatorResponse response = new TokenValidatorResponse();
ReceivedToken validateTarget = tokenParameters.getToken();
validateTarget.setState(STATE.INVALID);
response.setToken(validateTarget);
if (!validateTarget.isBinarySecurityToken()) {
return response;
}
BinarySecurityTokenType binarySecurityType = (BinarySecurityTokenType) validateTarget.getToken();
// Test the encoding type
String encodingType = binarySecurityType.getEncodingType();
if (!UPAuthenticationToken.BASE64_ENCODING.equals(encodingType)) {
LOGGER.trace("Bad encoding type attribute specified: {}", encodingType);
return response;
}
UPAuthenticationToken usernameToken = getUsernameTokenFromTarget(validateTarget);
if (usernameToken == null) {
return response;
}
UsernameTokenType usernameTokenType = getUsernameTokenType(usernameToken);
// Marshall the received JAXB object into a DOM Element
Element usernameTokenElement = null;
JAXBElement<UsernameTokenType> tokenType = new JAXBElement<>(QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameTokenType);
Document doc = DOMUtils.createDocument();
Element rootElement = doc.createElement("root-element");
List<String> ctxPath = new ArrayList<>(1);
ctxPath.add(UsernameTokenType.class.getPackage().getName());
ParserConfigurator configurator = parser.configureParser(ctxPath, UPBSTValidator.class.getClassLoader());
try {
parser.marshal(configurator, tokenType, rootElement);
} catch (ParserException ex) {
LOGGER.info("Unable to parse username token", ex);
return response;
}
usernameTokenElement = (Element) rootElement.getFirstChild();
//
// Validate the token
//
WSSConfig wssConfig = WSSConfig.getNewInstance();
try {
boolean allowNamespaceQualifiedPasswordTypes = requestData.isAllowNamespaceQualifiedPasswordTypes();
UsernameToken ut = new UsernameToken(usernameTokenElement, allowNamespaceQualifiedPasswordTypes, new BSPEnforcer());
// The parsed principal is set independent whether validation is successful or not
response.setPrincipal(new CustomTokenPrincipal(ut.getName()));
if (ut.getPassword() == null) {
return response;
}
String tokenId = String.format("%s:%s:%s", usernameToken.getUsername(), usernameToken.getPassword(), usernameToken.getRealm());
// See if the UsernameToken is stored in the cache
int hash = tokenId.hashCode();
SecurityToken secToken = null;
if (tokenParameters.getTokenStore() != null) {
secToken = tokenParameters.getTokenStore().getToken(Integer.toString(hash));
if (secToken != null && secToken.getTokenHash() != hash) {
secToken = null;
} else if (secToken != null) {
validateTarget.setState(STATE.VALID);
}
}
if (secToken == null) {
Credential credential = new Credential();
credential.setUsernametoken(ut);
if (usernameToken.getRealm() != null && !"*".equals(usernameToken.getRealm())) {
Validator validator = validators.get(usernameToken.getRealm());
if (validator != null) {
try {
validator.validate(credential, requestData);
validateTarget.setState(STATE.VALID);
LOGGER.debug("Validated user against realm {}", usernameToken.getRealm());
} catch (WSSecurityException ex) {
LOGGER.debug("Not able to validate user against realm {}", usernameToken.getRealm());
}
}
} else {
Set<Map.Entry<String, Validator>> entries = validators.entrySet();
for (Map.Entry<String, Validator> entry : entries) {
try {
entry.getValue().validate(credential, requestData);
validateTarget.setState(STATE.VALID);
LOGGER.debug("Validated user against realm {}", entry.getKey());
break;
} catch (WSSecurityException ex) {
LOGGER.debug("Not able to validate user against realm {}", entry.getKey());
}
}
}
}
Principal principal = createPrincipal(ut.getName(), ut.getPassword(), ut.getPasswordType(), ut.getNonce(), ut.getCreated());
// Store the successfully validated token in the cache
if (tokenParameters.getTokenStore() != null && secToken == null && STATE.VALID.equals(validateTarget.getState())) {
secToken = new SecurityToken(ut.getID());
secToken.setToken(ut.getElement());
int hashCode = tokenId.hashCode();
String identifier = Integer.toString(hashCode);
secToken.setTokenHash(hashCode);
tokenParameters.getTokenStore().add(identifier, secToken);
}
response.setPrincipal(principal);
response.setTokenRealm(null);
validateTarget.setPrincipal(principal);
} catch (WSSecurityException ex) {
LOGGER.debug("Unable to validate token.", ex);
}
if (response.getToken().getState() != STATE.VALID) {
failedLoginDelayer.delay(response.getToken().getPrincipal().getName());
}
return response;
}
Also used :
CallbackHandler(javax.security.auth.callback.CallbackHandler)
JAXBElement(javax.xml.bind.JAXBElement)
Element(org.w3c.dom.Element)
ArrayList(java.util.ArrayList)
UsernameToken(org.apache.wss4j.dom.message.token.UsernameToken)
AttributedString(org.apache.cxf.ws.security.sts.provider.model.secext.AttributedString)
PasswordString(org.apache.cxf.ws.security.sts.provider.model.secext.PasswordString)
Document(org.w3c.dom.Document)
CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal)
BinarySecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.BinarySecurityTokenType)
WSSConfig(org.apache.wss4j.dom.engine.WSSConfig)
RequestData(org.apache.wss4j.dom.handler.RequestData)
UPAuthenticationToken(org.codice.ddf.security.handler.api.UPAuthenticationToken)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
ParserException(org.codice.ddf.parser.ParserException)
Credential(org.apache.wss4j.dom.validate.Credential)
UsernameTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType)
BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
JAXBElement(javax.xml.bind.JAXBElement)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
ParserConfigurator(org.codice.ddf.parser.ParserConfigurator)
Crypto(org.apache.wss4j.common.crypto.Crypto)
STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean)
TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)
Map(java.util.Map)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
Validator(org.apache.wss4j.dom.validate.Validator)
JAASUsernameTokenValidator(org.apache.wss4j.dom.validate.JAASUsernameTokenValidator)
TokenValidator(org.apache.cxf.sts.token.validator.TokenValidator)
CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal)
Principal(java.security.Principal)
Example 3 with Validator
use of org.apache.wss4j.dom.validate.Validator in project ddf by codice.
the class UsernameTokenValidator method validateToken.
/**
* Validate a Token using the given TokenValidatorParameters.
*/
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
LOGGER.debug("Validating UsernameToken");
if (parser == null) {
throw new IllegalStateException("XMLParser must be configured.");
}
if (failedLoginDelayer == null) {
throw new IllegalStateException("Failed Login Delayer must be configured");
}
STSPropertiesMBean stsProperties = tokenParameters.getStsProperties();
Crypto sigCrypto = stsProperties.getSignatureCrypto();
CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
RequestData requestData = new RequestData();
requestData.setSigVerCrypto(sigCrypto);
WSSConfig wssConfig = WSSConfig.getNewInstance();
requestData.setWssConfig(wssConfig);
requestData.setCallbackHandler(callbackHandler);
TokenValidatorResponse response = new TokenValidatorResponse();
ReceivedToken validateTarget = tokenParameters.getToken();
validateTarget.setState(ReceivedToken.STATE.INVALID);
response.setToken(validateTarget);
if (!validateTarget.isUsernameToken()) {
return response;
}
//
// Turn the JAXB UsernameTokenType into a DOM Element for validation
//
UsernameTokenType usernameTokenType = (UsernameTokenType) validateTarget.getToken();
JAXBElement<UsernameTokenType> tokenType = new JAXBElement<>(QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameTokenType);
Document doc = DOMUtils.createDocument();
Element rootElement = doc.createElement("root-element");
List<String> ctxPath = new ArrayList<>(1);
ctxPath.add(UsernameTokenType.class.getPackage().getName());
Element usernameTokenElement = null;
ParserConfigurator configurator = parser.configureParser(ctxPath, UsernameTokenValidator.class.getClassLoader());
try {
parser.marshal(configurator, tokenType, rootElement);
usernameTokenElement = (Element) rootElement.getFirstChild();
} catch (ParserException ex) {
LOGGER.info("Unable to parse username token", ex);
return response;
}
//
try {
boolean allowNamespaceQualifiedPasswordTypes = requestData.isAllowNamespaceQualifiedPasswordTypes();
UsernameToken ut = new UsernameToken(usernameTokenElement, allowNamespaceQualifiedPasswordTypes, new BSPEnforcer());
// The parsed principal is set independent whether validation is successful or not
response.setPrincipal(new CustomTokenPrincipal(ut.getName()));
if (ut.getPassword() == null) {
failedLoginDelayer.delay(ut.getName());
return response;
}
Credential credential = new Credential();
credential.setUsernametoken(ut);
//Only this section is new, the rest is copied from the apache class
Set<Map.Entry<String, Validator>> entries = validators.entrySet();
for (Map.Entry<String, Validator> entry : entries) {
try {
entry.getValue().validate(credential, requestData);
validateTarget.setState(ReceivedToken.STATE.VALID);
break;
} catch (WSSecurityException ex) {
LOGGER.debug("Unable to validate user against {}" + entry.getKey(), ex);
}
}
if (ReceivedToken.STATE.INVALID.equals(validateTarget.getState())) {
failedLoginDelayer.delay(ut.getName());
return response;
}
//end new section
Principal principal = createPrincipal(ut.getName(), ut.getPassword(), ut.getPasswordType(), ut.getNonce(), ut.getCreated());
response.setPrincipal(principal);
response.setTokenRealm(null);
validateTarget.setState(ReceivedToken.STATE.VALID);
validateTarget.setPrincipal(principal);
} catch (WSSecurityException ex) {
LOGGER.debug("Unable to validate token.", ex);
}
return response;
}
Also used :
CallbackHandler(javax.security.auth.callback.CallbackHandler)
JAXBElement(javax.xml.bind.JAXBElement)
Element(org.w3c.dom.Element)
ArrayList(java.util.ArrayList)
UsernameToken(org.apache.wss4j.dom.message.token.UsernameToken)
Document(org.w3c.dom.Document)
CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal)
WSSConfig(org.apache.wss4j.dom.engine.WSSConfig)
JAASUsernameTokenValidator(org.apache.wss4j.dom.validate.JAASUsernameTokenValidator)
RequestData(org.apache.wss4j.dom.handler.RequestData)
ReceivedToken(org.apache.cxf.sts.request.ReceivedToken)
ParserException(org.codice.ddf.parser.ParserException)
Credential(org.apache.wss4j.dom.validate.Credential)
UsernameTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType)
BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
JAXBElement(javax.xml.bind.JAXBElement)
ParserConfigurator(org.codice.ddf.parser.ParserConfigurator)
Crypto(org.apache.wss4j.common.crypto.Crypto)
STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean)
TokenValidatorResponse(org.apache.cxf.sts.token.validator.TokenValidatorResponse)
Map(java.util.Map)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
Validator(org.apache.wss4j.dom.validate.Validator)
JAASUsernameTokenValidator(org.apache.wss4j.dom.validate.JAASUsernameTokenValidator)
TokenValidator(org.apache.cxf.sts.token.validator.TokenValidator)
CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal)
Principal(java.security.Principal)
Example 4 with Validator
use of org.apache.wss4j.dom.validate.Validator in project ddf by codice.
the class TestX509PathTokenValidator method setUp.
@Before
public void setUp() {
x509PathTokenValidator = new X509PathTokenValidator();
x509PathTokenValidator.merlin = mock(Merlin.class);
try {
X509Certificate mockCert = mock(X509Certificate.class);
X509Certificate[] x509Certificates = new X509Certificate[] { mockCert };
when(x509PathTokenValidator.merlin.getCertificatesFromBytes(any(byte[].class))).thenReturn(x509Certificates);
when(x509PathTokenValidator.merlin.loadCertificate(any(InputStream.class))).thenReturn(mockCert);
} catch (WSSecurityException e) {
//ignore
}
validator = mock(Validator.class);
}
Also used :
InputStream(java.io.InputStream)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Merlin(org.apache.wss4j.common.crypto.Merlin)
X509Certificate(java.security.cert.X509Certificate)
Validator(org.apache.wss4j.dom.validate.Validator)
X509TokenValidator(org.apache.cxf.sts.token.validator.X509TokenValidator)
Before(org.junit.Before)
Example 5 with Validator
use of org.apache.wss4j.dom.validate.Validator in project cxf by apache.
the class WSS4JInInterceptor method createSecurityEngine.
/**
* @return a freshly minted WSSecurityEngine instance, using the
* (non-null) processor map, to be used to initialize the
* WSSecurityEngine instance.
*/
protected static WSSecurityEngine createSecurityEngine(final Map<QName, Object> map) {
assert map != null;
final WSSConfig config = WSSConfig.getNewInstance();
for (Map.Entry<QName, Object> entry : map.entrySet()) {
final QName key = entry.getKey();
Object val = entry.getValue();
if (val instanceof Class<?>) {
config.setProcessor(key, (Class<?>) val);
} else if (val instanceof Processor) {
config.setProcessor(key, (Processor) val);
} else if (val instanceof Validator) {
config.setValidator(key, (Validator) val);
} else if (val == null) {
config.setProcessor(key, (Class<?>) null);
}
}
final WSSecurityEngine ret = new WSSecurityEngine();
ret.setWssConfig(config);
return ret;
}
Also used :
Processor(org.apache.wss4j.dom.processor.Processor)
WSSConfig(org.apache.wss4j.dom.engine.WSSConfig)
QName(javax.xml.namespace.QName)
WSSecurityEngine(org.apache.wss4j.dom.engine.WSSecurityEngine)
Map(java.util.Map)
HashMap(java.util.HashMap)
NoOpValidator(org.apache.wss4j.dom.validate.NoOpValidator)
Validator(org.apache.wss4j.dom.validate.Validator)
Aggregations
Validator (org.apache.wss4j.dom.validate.Validator)7
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)5
WSSConfig (org.apache.wss4j.dom.engine.WSSConfig)5
RequestData (org.apache.wss4j.dom.handler.RequestData)4
Credential (org.apache.wss4j.dom.validate.Credential)4
Map (java.util.Map)3
Principal (java.security.Principal)2
ArrayList (java.util.ArrayList)2
HashMap (java.util.HashMap)2
ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)2
CallbackHandler (javax.security.auth.callback.CallbackHandler)2
JAXBElement (javax.xml.bind.JAXBElement)2
QName (javax.xml.namespace.QName)2
STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)2
ReceivedToken (org.apache.cxf.sts.request.ReceivedToken)2
TokenValidator (org.apache.cxf.sts.token.validator.TokenValidator)2
TokenValidatorResponse (org.apache.cxf.sts.token.validator.TokenValidatorResponse)2
UsernameTokenType (org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType)2
BSPEnforcer (org.apache.wss4j.common.bsp.BSPEnforcer)2
Crypto (org.apache.wss4j.common.crypto.Crypto)2
