Example 26 with AbstractToken
use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.
the class TransportBindingHandler method addSignedSupportingTokens.
private void addSignedSupportingTokens(SupportingTokens sgndSuppTokens) throws Exception {
for (AbstractToken token : sgndSuppTokens.getTokens()) {
assertToken(token);
if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
continue;
}
if (token instanceof UsernameToken) {
WSSecUsernameToken utBuilder = addUsernameToken((UsernameToken) token);
if (utBuilder != null) {
utBuilder.prepare();
utBuilder.appendToHeader();
}
} else if (token instanceof IssuedToken || token instanceof KerberosToken || token instanceof SpnegoContextToken) {
SecurityToken secTok = getSecurityToken();
if (isTokenRequired(token.getIncludeTokenType())) {
// Add the token
addEncryptedKeyElement(cloneElement(secTok.getToken()));
}
} else if (token instanceof SamlToken) {
SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
if (assertionWrapper != null) {
Element envelope = saaj.getSOAPPart().getEnvelope();
envelope = (Element) DOMUtils.getDomElement(envelope);
addSupportingElement(assertionWrapper.toDOM(envelope.getOwnerDocument()));
}
} else {
// REVISIT - not supported for signed. Exception?
}
}
}
Also used :
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Element(org.w3c.dom.Element)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
Example 27 with AbstractToken
use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.
the class AbstractBindingPolicyValidator method checkDerivedKeys.
/**
* Check the derived key requirement.
*/
protected boolean checkDerivedKeys(AbstractTokenWrapper tokenWrapper, boolean hasDerivedKeys, List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults) {
AbstractToken token = tokenWrapper.getToken();
boolean isDerivedKeys = token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys;
// If derived keys are not required then just return
if (!(token instanceof X509Token && isDerivedKeys)) {
return true;
}
if (tokenWrapper instanceof EncryptionToken && !hasDerivedKeys && !encryptedResults.isEmpty()) {
return false;
} else if (tokenWrapper instanceof SignatureToken && !hasDerivedKeys && !signedResults.isEmpty()) {
return false;
} else if (tokenWrapper instanceof ProtectionToken && !hasDerivedKeys && !(signedResults.isEmpty() || encryptedResults.isEmpty())) {
return false;
}
return true;
}
Also used :
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SignatureToken(org.apache.wss4j.policy.model.SignatureToken)
EncryptionToken(org.apache.wss4j.policy.model.EncryptionToken)
ProtectionToken(org.apache.wss4j.policy.model.ProtectionToken)
Example 28 with AbstractToken
use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.
the class AsymmetricBindingPolicyValidator method checkInitiatorTokens.
private boolean checkInitiatorTokens(AbstractTokenWrapper wrapper, AsymmetricBinding binding, AssertionInfo ai, AssertionInfoMap aim, boolean hasDerivedKeys, List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults) {
AbstractToken token = wrapper.getToken();
if (token instanceof X509Token) {
boolean foundCert = false;
for (WSSecurityEngineResult result : signedResults) {
X509Certificate cert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
if (cert != null) {
foundCert = true;
break;
}
}
if (!foundCert && !signedResults.isEmpty()) {
String error = "An X.509 certificate was not used for the " + wrapper.getName();
unassertPolicy(aim, wrapper.getName(), error);
ai.setNotAsserted(error);
return false;
}
}
PolicyUtils.assertPolicy(aim, wrapper.getName());
if (!checkDerivedKeys(wrapper, hasDerivedKeys, signedResults, encryptedResults)) {
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
assertDerivedKeys(wrapper.getToken(), aim);
return true;
}
Also used :
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)
X509Certificate(java.security.cert.X509Certificate)
Example 29 with AbstractToken
use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.
the class ConcreteSupportingTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
continue;
}
boolean processingFailed = false;
if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
if (!processSCTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the supporting token requirement");
continue;
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
Example 30 with AbstractToken
use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.
the class EncryptedTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
// Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available
if (isTLSInUse(parameters.getMessage())) {
AssertionInfo transportAi = PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(), SPConstants.TRANSPORT_BINDING);
super.setEnforceEncryptedTokens(transportAi == null);
}
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
continue;
}
boolean processingFailed = false;
if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
if (!processSCTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the encrypted supporting token requirement");
continue;
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
Aggregations
AbstractToken (org.apache.wss4j.policy.model.AbstractToken)33
IssuedToken (org.apache.wss4j.policy.model.IssuedToken)25
X509Token (org.apache.wss4j.policy.model.X509Token)19
KerberosToken (org.apache.wss4j.policy.model.KerberosToken)17
SamlToken (org.apache.wss4j.policy.model.SamlToken)17
SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)17
SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)17
UsernameToken (org.apache.wss4j.policy.model.UsernameToken)15
AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)12
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)12
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)12
QName (javax.xml.namespace.QName)11
SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)11
SOAPException (javax.xml.soap.SOAPException)10
Fault (org.apache.cxf.interceptor.Fault)10
Element (org.w3c.dom.Element)10
KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)9
SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)9
AbstractTokenWrapper (org.apache.wss4j.policy.model.AbstractTokenWrapper)8
WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)8
