Search in sources :

Example 36 with AbstractToken

use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.

the class EndorsingEncryptedTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available
    if (isTLSInUse(parameters.getMessage())) {
        AssertionInfo transportAi = PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(), SPConstants.TRANSPORT_BINDING);
        super.setEnforceEncryptedTokens(transportAi == null);
    }
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());
        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
                assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                continue;
            }
            DerivedKeys derivedKeys = token.getDerivedKeys();
            boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
            boolean processingFailed = false;
            if (token instanceof KerberosToken) {
                if (!processKerberosTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof X509Token) {
                if (!processX509Tokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof KeyValueToken) {
                if (!processKeyValueTokens(parameters)) {
                    processingFailed = true;
                }
            } else if (token instanceof UsernameToken) {
                if (!processUsernameTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
                if (!processSCTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SamlToken) {
                if (!processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof IssuedToken) {
                IssuedToken issuedToken = (IssuedToken) token;
                if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else {
                processingFailed = true;
            }
            if (processingFailed) {
                ai.setNotAsserted("The received token does not match the endorsing encrypted " + "supporting token requirement");
                continue;
            }
            if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
            }
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)

Example 37 with AbstractToken

use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.

the class AbstractBindingPolicyValidator method checkDerivedKeys.

/**
 * Check the derived key requirement.
 */
protected boolean checkDerivedKeys(AbstractTokenWrapper tokenWrapper, boolean hasDerivedKeys, List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults) {
    AbstractToken token = tokenWrapper.getToken();
    boolean isDerivedKeys = token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys;
    // If derived keys are not required then just return
    if (!(token instanceof X509Token && isDerivedKeys)) {
        return true;
    }
    if (tokenWrapper instanceof EncryptionToken && !hasDerivedKeys && !encryptedResults.isEmpty()) {
        return false;
    } else if (tokenWrapper instanceof SignatureToken && !hasDerivedKeys && !signedResults.isEmpty()) {
        return false;
    } else if (tokenWrapper instanceof ProtectionToken && !hasDerivedKeys && !(signedResults.isEmpty() || encryptedResults.isEmpty())) {
        return false;
    }
    return true;
}
Also used : AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SignatureToken(org.apache.wss4j.policy.model.SignatureToken) EncryptionToken(org.apache.wss4j.policy.model.EncryptionToken) ProtectionToken(org.apache.wss4j.policy.model.ProtectionToken)

Example 38 with AbstractToken

use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.

the class SignedEndorsingEncryptedTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available
    if (isTLSInUse(parameters.getMessage())) {
        AssertionInfo transportAi = PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(), SPConstants.TRANSPORT_BINDING);
        super.setEnforceEncryptedTokens(transportAi == null);
    }
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());
        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
                assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                continue;
            }
            DerivedKeys derivedKeys = token.getDerivedKeys();
            boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
            boolean processingFailed = false;
            if (token instanceof KerberosToken) {
                if (!processKerberosTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SamlToken) {
                if (!processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof X509Token) {
                if (!processX509Tokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof KeyValueToken) {
                if (!processKeyValueTokens(parameters)) {
                    processingFailed = true;
                }
            } else if (token instanceof UsernameToken) {
                if (!processUsernameTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
                if (!processSCTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof IssuedToken) {
                IssuedToken issuedToken = (IssuedToken) token;
                if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else {
                processingFailed = true;
            }
            if (processingFailed) {
                ai.setNotAsserted("The received token does not match the signed endorsing encrypted " + "supporting token requirement");
                continue;
            }
            if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
            }
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)

Example 39 with AbstractToken

use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.

the class AbstractBindingBuilder method handleSupportingTokens.

protected List<SupportingToken> handleSupportingTokens(SupportingTokens suppTokens, boolean endorse, List<SupportingToken> ret) throws WSSecurityException, SOAPException, TokenStoreException {
    if (suppTokens == null) {
        return ret;
    }
    for (AbstractToken token : suppTokens.getTokens()) {
        assertToken(token);
        if (!isTokenRequired(token.getIncludeTokenType())) {
            // Check for any SignedParts so as *not* to sign them
            getSignedParts(suppTokens);
            continue;
        }
        if (token instanceof UsernameToken) {
            handleUsernameTokenSupportingToken((UsernameToken) token, endorse, suppTokens.isEncryptedToken(), ret);
        } else if (token instanceof IssuedToken || token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof KerberosToken || token instanceof SpnegoContextToken) {
            // ws-trust/ws-sc stuff.......
            SecurityToken secToken = getSecurityToken();
            if (secToken == null) {
                unassertPolicy(token, "Could not find IssuedToken");
            }
            Element clone = cloneElement(secToken.getToken());
            secToken.setToken(clone);
            addSupportingElement(clone);
            String id = XMLUtils.getIDFromReference(secToken.getId());
            if (suppTokens.isEncryptedToken()) {
                WSEncryptionPart part = new WSEncryptionPart(id, "Element");
                part.setElement(clone);
                encryptedTokensList.add(part);
            }
            if (secToken.getX509Certificate() == null) {
                ret.add(new SupportingToken(token, new WSSecurityTokenHolder(secToken, secHeader), getSignedParts(suppTokens)));
            } else {
                ret.add(signSupportingToken(secToken, id, token, suppTokens));
            }
        } else if (token instanceof X509Token) {
            // We have to use a cert. Prepare X509 signature
            WSSecSignature sig = getSignatureBuilder(token, false, endorse);
            assertPolicy(suppTokens);
            Element bstElem = sig.getBinarySecurityTokenElement();
            if (bstElem != null) {
                if (lastEncryptedKeyElement != null) {
                    if (lastEncryptedKeyElement.getNextSibling() != null) {
                        secHeader.getSecurityHeaderElement().insertBefore(bstElem, lastEncryptedKeyElement.getNextSibling());
                    } else {
                        secHeader.getSecurityHeaderElement().appendChild(bstElem);
                    }
                } else {
                    sig.prependBSTElementToHeader();
                }
                if (suppTokens.isEncryptedToken()) {
                    WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
                    part.setElement(bstElem);
                    encryptedTokensList.add(part);
                }
            }
            ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
        } else if (token instanceof KeyValueToken) {
            WSSecSignature sig = getSignatureBuilder(token, false, endorse);
            assertPolicy(suppTokens);
            if (suppTokens.isEncryptedToken()) {
                WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
                encryptedTokensList.add(part);
            }
            ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
        } else if (token instanceof SamlToken) {
            SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
            if (assertionWrapper != null) {
                Element envelope = saaj.getSOAPPart().getEnvelope();
                envelope = (Element) DOMUtils.getDomElement(envelope);
                Element assertionElement = assertionWrapper.toDOM(envelope.getOwnerDocument());
                addSupportingElement(assertionElement);
                ret.add(new SupportingToken(token, assertionWrapper, getSignedParts(suppTokens)));
                if (suppTokens.isEncryptedToken()) {
                    WSEncryptionPart part = new WSEncryptionPart(assertionWrapper.getId(), "Element");
                    part.setElement(assertionElement);
                    encryptedTokensList.add(part);
                }
            }
        }
    }
    return ret;
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)

Example 40 with AbstractToken

use of org.apache.wss4j.policy.model.AbstractToken in project cxf by apache.

the class AbstractStaxBindingHandler method addSignatureParts.

protected void addSignatureParts(Map<AbstractToken, SecurePart> tokenMap) {
    if (tokenMap != null) {
        for (Map.Entry<AbstractToken, SecurePart> entry : tokenMap.entrySet()) {
            SecurePart part = entry.getValue();
            QName name = part.getName();
            List<WSSConstants.Action> actionList = properties.getActions();
            // Don't add a signed SAML Token as a part, as it will be automatically signed by WSS4J
            if (!((WSSConstants.TAG_SAML_ASSERTION.equals(name) || WSSConstants.TAG_SAML2_ASSERTION.equals(name)) && actionList != null && actionList.contains(WSSConstants.SAML_TOKEN_SIGNED))) {
                properties.addSignaturePart(part);
            }
        }
    }
}
Also used : SecurePart(org.apache.xml.security.stax.ext.SecurePart) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) QName(javax.xml.namespace.QName) Map(java.util.Map) HashMap(java.util.HashMap) AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)

Aggregations

AbstractToken (org.apache.wss4j.policy.model.AbstractToken)42 IssuedToken (org.apache.wss4j.policy.model.IssuedToken)29 X509Token (org.apache.wss4j.policy.model.X509Token)23 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)21 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)21 SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)20 SamlToken (org.apache.wss4j.policy.model.SamlToken)18 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)17 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)16 Element (org.w3c.dom.Element)14 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)13 QName (javax.xml.namespace.QName)12 SOAPException (javax.xml.soap.SOAPException)12 AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)12 Fault (org.apache.cxf.interceptor.Fault)11 SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)11 SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)11 WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)11 TokenStoreException (org.apache.cxf.ws.security.tokenstore.TokenStoreException)10 AlgorithmSuite (org.apache.wss4j.policy.model.AlgorithmSuite)9