Example 11 with IssuedToken
use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.
the class TransportBindingHandler method handleBinding.
public void handleBinding() {
WSSecTimestamp timestamp = createTimestamp();
handleLayout(timestamp);
try {
if (this.isRequestor()) {
TransportToken transportTokenWrapper = tbinding.getTransportToken();
if (transportTokenWrapper != null) {
AbstractToken transportToken = transportTokenWrapper.getToken();
if (transportToken instanceof IssuedToken) {
SecurityToken secToken = getSecurityToken();
if (secToken == null) {
unassertPolicy(transportToken, "No transport token id");
return;
}
assertPolicy(transportToken);
if (isTokenRequired(transportToken.getIncludeTokenType())) {
Element el = secToken.getToken();
addEncryptedKeyElement(cloneElement(el));
}
}
assertToken(transportToken);
assertTokenWrapper(transportTokenWrapper);
}
handleNonEndorsingSupportingTokens();
if (transportTokenWrapper != null) {
handleEndorsingSupportingTokens();
}
} else {
handleNonEndorsingSupportingTokens();
if (tbinding != null && tbinding.getTransportToken() != null) {
assertTokenWrapper(tbinding.getTransportToken());
assertToken(tbinding.getTransportToken().getToken());
handleEndorsingSupportingTokens();
}
addSignatureConfirmation(null);
}
} catch (Exception e) {
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
if (tbinding != null) {
assertPolicy(tbinding.getName());
assertAlgorithmSuite(tbinding.getAlgorithmSuite());
assertWSSProperties(tbinding.getName().getNamespaceURI());
assertTrustProperties(tbinding.getName().getNamespaceURI());
}
assertPolicy(SP12Constants.SIGNED_PARTS);
assertPolicy(SP11Constants.SIGNED_PARTS);
assertPolicy(SP12Constants.ENCRYPTED_PARTS);
assertPolicy(SP11Constants.ENCRYPTED_PARTS);
}
Also used :
TransportToken(org.apache.wss4j.policy.model.TransportToken)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Element(org.w3c.dom.Element)
Fault(org.apache.cxf.interceptor.Fault)
WSSecTimestamp(org.apache.wss4j.dom.message.WSSecTimestamp)
SOAPException(javax.xml.soap.SOAPException)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Example 12 with IssuedToken
use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.
the class EndorsingTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
DerivedKeys derivedKeys = token.getDerivedKeys();
boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
if (!processSCTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the endorsing supporting token requirement");
continue;
}
if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)
Example 13 with IssuedToken
use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.
the class IssuedTokenPolicyValidator method validateSAMLToken.
private boolean validateSAMLToken(PolicyValidatorParameters parameters, SamlAssertionWrapper samlAssertion, Collection<AssertionInfo> ais) {
boolean asserted = true;
for (AssertionInfo ai : ais) {
IssuedToken issuedToken = (IssuedToken) ai.getAssertion();
ai.setAsserted(true);
assertToken(issuedToken, parameters.getAssertionInfoMap());
if (!isTokenRequired(issuedToken, parameters.getMessage())) {
continue;
}
if (samlAssertion == null) {
asserted = false;
ai.setNotAsserted("The received token does not match the token inclusion requirement");
continue;
}
Element template = issuedToken.getRequestSecurityTokenTemplate();
if (template != null && !checkIssuedTokenTemplate(template, samlAssertion)) {
asserted = false;
ai.setNotAsserted("Error in validating the IssuedToken policy");
continue;
}
Element claims = issuedToken.getClaims();
if (claims != null) {
String dialect = claims.getAttributeNS(null, "Dialect");
if (claimsValidator.getDialect().equals(dialect) && !claimsValidator.validatePolicy(claims, samlAssertion)) {
asserted = false;
ai.setNotAsserted("Error in validating the Claims policy");
continue;
}
}
TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
Certificate[] tlsCerts = null;
if (tlsInfo != null) {
tlsCerts = tlsInfo.getPeerCertificates();
}
if (!checkHolderOfKey(samlAssertion, parameters.getSignedResults(), tlsCerts)) {
asserted = false;
ai.setNotAsserted("Assertion fails holder-of-key requirements");
continue;
}
}
return asserted;
}
Also used :
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Element(org.w3c.dom.Element)
TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo)
X509Certificate(java.security.cert.X509Certificate)
Certificate(java.security.cert.Certificate)
Example 14 with IssuedToken
use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.
the class IssuedTokenPolicyValidator method validateBinarySecurityToken.
private boolean validateBinarySecurityToken(PolicyValidatorParameters parameters, BinarySecurity binarySecurity, Collection<AssertionInfo> ais) {
boolean asserted = true;
for (AssertionInfo ai : ais) {
IssuedToken issuedToken = (IssuedToken) ai.getAssertion();
ai.setAsserted(true);
asserted = true;
assertToken(issuedToken, parameters.getAssertionInfoMap());
if (!isTokenRequired(issuedToken, parameters.getMessage())) {
continue;
}
if (binarySecurity == null) {
asserted = false;
ai.setNotAsserted("The received token does not match the token inclusion requirement");
continue;
}
Element template = issuedToken.getRequestSecurityTokenTemplate();
if (template != null && !checkIssuedTokenTemplate(template, binarySecurity)) {
asserted = false;
ai.setNotAsserted("Error in validating the IssuedToken policy");
continue;
}
}
return asserted;
}
Also used :
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Element(org.w3c.dom.Element)
Example 15 with IssuedToken
use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.
the class SignedEndorsingTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
DerivedKeys derivedKeys = token.getDerivedKeys();
boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
if (!processSCTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the signed endorsing supporting token requirement");
continue;
}
if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)
Aggregations
IssuedToken (org.apache.wss4j.policy.model.IssuedToken)33
AbstractToken (org.apache.wss4j.policy.model.AbstractToken)25
X509Token (org.apache.wss4j.policy.model.X509Token)21
KerberosToken (org.apache.wss4j.policy.model.KerberosToken)20
SamlToken (org.apache.wss4j.policy.model.SamlToken)20
SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)20
SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)20
UsernameToken (org.apache.wss4j.policy.model.UsernameToken)18
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)15
Element (org.w3c.dom.Element)14
SOAPException (javax.xml.soap.SOAPException)12
Fault (org.apache.cxf.interceptor.Fault)12
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)12
KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)12
SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)12
QName (javax.xml.namespace.QName)11
AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)10
WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)9
AbstractTokenWrapper (org.apache.wss4j.policy.model.AbstractTokenWrapper)8
SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)8
