Search in sources :

Example 16 with IssuedToken

use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.

the class SignedTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());
        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                continue;
            }
            boolean processingFailed = false;
            if (token instanceof UsernameToken) {
                if (!processUsernameTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof SamlToken) {
                if (!processSAMLTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof KerberosToken) {
                if (!processKerberosTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof X509Token) {
                if (!processX509Tokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof KeyValueToken) {
                if (!processKeyValueTokens(parameters)) {
                    processingFailed = true;
                }
            } else if (token instanceof SecurityContextToken) {
                if (!processSCTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof IssuedToken) {
                IssuedToken issuedToken = (IssuedToken) token;
                if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else {
                processingFailed = true;
            }
            if (processingFailed) {
                ai.setNotAsserted("The received token does not match the signed supporting token requirement");
                continue;
            }
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) SamlToken(org.apache.wss4j.policy.model.SamlToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken)

Example 17 with IssuedToken

use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.

the class AbstractBindingBuilder method handleSupportingTokens.

protected List<SupportingToken> handleSupportingTokens(SupportingTokens suppTokens, boolean endorse, List<SupportingToken> ret) throws WSSecurityException, SOAPException {
    if (suppTokens == null) {
        return ret;
    }
    for (AbstractToken token : suppTokens.getTokens()) {
        assertToken(token);
        if (!isTokenRequired(token.getIncludeTokenType())) {
            // Check for any SignedParts so as *not* to sign them
            getSignedParts(suppTokens);
            continue;
        }
        if (token instanceof UsernameToken) {
            handleUsernameTokenSupportingToken((UsernameToken) token, endorse, suppTokens.isEncryptedToken(), ret);
        } else if (token instanceof IssuedToken || token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof KerberosToken || token instanceof SpnegoContextToken) {
            // ws-trust/ws-sc stuff.......
            SecurityToken secToken = getSecurityToken();
            if (secToken == null) {
                unassertPolicy(token, "Could not find IssuedToken");
            }
            Element clone = cloneElement(secToken.getToken());
            secToken.setToken(clone);
            addSupportingElement(clone);
            String id = XMLUtils.getIDFromReference(secToken.getId());
            if (suppTokens.isEncryptedToken()) {
                WSEncryptionPart part = new WSEncryptionPart(id, "Element");
                part.setElement(clone);
                encryptedTokensList.add(part);
            }
            if (secToken.getX509Certificate() == null) {
                ret.add(new SupportingToken(token, new WSSecurityTokenHolder(secToken, secHeader), getSignedParts(suppTokens)));
            } else {
                ret.add(signSupportingToken(secToken, id, token, suppTokens));
            }
        } else if (token instanceof X509Token) {
            // We have to use a cert. Prepare X509 signature
            WSSecSignature sig = getSignatureBuilder(token, false, endorse);
            assertPolicy(suppTokens);
            Element bstElem = sig.getBinarySecurityTokenElement();
            if (bstElem != null) {
                if (lastEncryptedKeyElement != null) {
                    if (lastEncryptedKeyElement.getNextSibling() != null) {
                        secHeader.getSecurityHeaderElement().insertBefore(bstElem, lastEncryptedKeyElement.getNextSibling());
                    } else {
                        secHeader.getSecurityHeaderElement().appendChild(bstElem);
                    }
                } else {
                    sig.prependBSTElementToHeader();
                }
                if (suppTokens.isEncryptedToken()) {
                    WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
                    part.setElement(bstElem);
                    encryptedTokensList.add(part);
                }
            }
            ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
        } else if (token instanceof KeyValueToken) {
            WSSecSignature sig = getSignatureBuilder(token, false, endorse);
            assertPolicy(suppTokens);
            if (suppTokens.isEncryptedToken()) {
                WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
                encryptedTokensList.add(part);
            }
            ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
        } else if (token instanceof SamlToken) {
            SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
            if (assertionWrapper != null) {
                Element envelope = saaj.getSOAPPart().getEnvelope();
                envelope = (Element) DOMUtils.getDomElement(envelope);
                Element assertionElement = assertionWrapper.toDOM(envelope.getOwnerDocument());
                addSupportingElement(assertionElement);
                ret.add(new SupportingToken(token, assertionWrapper, getSignedParts(suppTokens)));
                if (suppTokens.isEncryptedToken()) {
                    WSEncryptionPart part = new WSEncryptionPart(assertionWrapper.getId(), "Element");
                    part.setElement(assertionElement);
                    encryptedTokensList.add(part);
                }
            }
        }
    }
    return ret;
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)

Example 18 with IssuedToken

use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.

the class AbstractBindingBuilder method getSignatureBuilder.

protected WSSecSignature getSignatureBuilder(AbstractToken token, boolean attached, boolean endorse) throws WSSecurityException {
    WSSecSignature sig = new WSSecSignature(secHeader);
    sig.setIdAllocator(wssConfig.getIdAllocator());
    sig.setCallbackLookup(callbackLookup);
    sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
    sig.setStoreBytesInAttachment(storeBytesInAttachment);
    sig.setExpandXopInclude(isExpandXopInclude());
    sig.setWsDocInfo(wsDocInfo);
    checkForX509PkiPath(sig, token);
    if (token instanceof IssuedToken || token instanceof SamlToken) {
        assertToken(token);
        SecurityToken securityToken = getSecurityToken();
        String tokenType = securityToken.getTokenType();
        Element ref;
        if (attached) {
            ref = securityToken.getAttachedReference();
        } else {
            ref = securityToken.getUnattachedReference();
        }
        if (ref != null) {
            SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
            sig.setSecurityTokenReference(secRef);
            sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
        } else {
            int type = attached ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
            if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
                sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
                sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
                sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
                sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            } else {
                sig.setCustomTokenValueType(tokenType);
                sig.setKeyIdentifierType(type);
            }
        }
        String sigTokId;
        if (attached) {
            sigTokId = securityToken.getWsuId();
            if (sigTokId == null) {
                sigTokId = securityToken.getId();
            }
            if (sigTokId.startsWith("#")) {
                sigTokId = sigTokId.substring(1);
            }
        } else {
            sigTokId = securityToken.getId();
        }
        sig.setCustomTokenId(sigTokId);
    } else {
        setKeyIdentifierType(sig, token);
        // Find out do we also need to include the token as per the Inclusion requirement
        if (token instanceof X509Token && token.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER && (sig.getKeyIdentifierType() != WSConstants.BST_DIRECT_REFERENCE && sig.getKeyIdentifierType() != WSConstants.KEY_VALUE)) {
            sig.setIncludeSignatureToken(true);
        }
    }
    boolean encryptCrypto = false;
    String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
    String type = "signature";
    if (binding instanceof SymmetricBinding && !endorse) {
        encryptCrypto = ((SymmetricBinding) binding).getProtectionToken() != null;
        userNameKey = SecurityConstants.ENCRYPT_USERNAME;
    }
    Crypto crypto = encryptCrypto ? getEncryptionCrypto() : getSignatureCrypto();
    if (endorse && crypto == null && binding instanceof SymmetricBinding) {
        type = "encryption";
        userNameKey = SecurityConstants.ENCRYPT_USERNAME;
        crypto = getEncryptionCrypto();
    }
    if (!encryptCrypto) {
        message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
    }
    String user = (String) SecurityUtils.getSecurityPropertyValue(userNameKey, message);
    if (StringUtils.isEmpty(user)) {
        if (crypto != null) {
            try {
                user = crypto.getDefaultX509Identifier();
                if (StringUtils.isEmpty(user)) {
                    unassertPolicy(token, "No configured " + type + " username detected");
                    return null;
                }
            } catch (WSSecurityException e1) {
                LOG.log(Level.FINE, e1.getMessage(), e1);
                throw new Fault(e1);
            }
        } else {
            unassertPolicy(token, "Security configuration could not be detected. " + "Potential cause: Make sure jaxws:client element with name " + "attribute value matching endpoint port is defined as well as a " + SecurityConstants.SIGNATURE_PROPERTIES + " element within it.");
            return null;
        }
    }
    String password = getPassword(user, token, WSPasswordCallback.SIGNATURE);
    sig.setUserInfo(user, password);
    sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
    AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
    sig.setDigestAlgo(algType.getDigest());
    sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
    boolean includePrefixes = MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);
    sig.setAddInclusivePrefixes(includePrefixes);
    try {
        sig.prepare(crypto);
    } catch (WSSecurityException e) {
        LOG.log(Level.FINE, e.getMessage(), e);
        unassertPolicy(token, e);
    }
    return sig;
}
Also used : SymmetricBinding(org.apache.wss4j.policy.model.SymmetricBinding) SamlToken(org.apache.wss4j.policy.model.SamlToken) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Fault(org.apache.cxf.interceptor.Fault) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) Crypto(org.apache.wss4j.common.crypto.Crypto) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) X509Token(org.apache.wss4j.policy.model.X509Token) AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)

Example 19 with IssuedToken

use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.

the class AsymmetricBindingHandler method doSignature.

private void doSignature(AbstractTokenWrapper wrapper, List<WSEncryptionPart> sigParts, boolean attached) throws WSSecurityException, SOAPException {
    if (!isRequestor()) {
        assertUnusedTokens(abinding.getInitiatorToken());
        assertUnusedTokens(abinding.getInitiatorEncryptionToken());
        assertUnusedTokens(abinding.getInitiatorSignatureToken());
    } else {
        assertUnusedTokens(abinding.getRecipientToken());
        assertUnusedTokens(abinding.getRecipientEncryptionToken());
        assertUnusedTokens(abinding.getRecipientSignatureToken());
    }
    AbstractToken sigToken = wrapper.getToken();
    if (sigParts.isEmpty()) {
        // Add the BST to the security header if required
        if (!attached && isTokenRequired(sigToken.getIncludeTokenType())) {
            WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
            sig.appendBSTElementToHeader();
        }
        return;
    }
    if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        // Set up the encrypted key to use
        setupEncryptedKey(wrapper, sigToken);
        WSSecDKSign dkSign = new WSSecDKSign(secHeader);
        dkSign.setIdAllocator(wssConfig.getIdAllocator());
        dkSign.setCallbackLookup(callbackLookup);
        dkSign.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
        dkSign.setStoreBytesInAttachment(storeBytesInAttachment);
        dkSign.setExpandXopInclude(isExpandXopInclude());
        dkSign.setWsDocInfo(wsDocInfo);
        if (wrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
            dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
        }
        dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
        // Set the algo info
        dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite().getSymmetricSignature());
        dkSign.setSigCanonicalization(abinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();
        dkSign.setDigestAlgorithm(algType.getDigest());
        dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
        dkSign.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);
        boolean includePrefixes = MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);
        dkSign.setAddInclusivePrefixes(includePrefixes);
        try {
            dkSign.prepare();
            if (abinding.isProtectTokens()) {
                assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
                if (bstElement != null) {
                    WSEncryptionPart bstPart = new WSEncryptionPart(bstElement.getAttributeNS(WSS4JConstants.WSU_NS, "Id"));
                    bstPart.setElement(bstElement);
                    sigParts.add(bstPart);
                } else {
                    WSEncryptionPart ekPart = new WSEncryptionPart(encrKey.getId());
                    ekPart.setElement(encrKey.getEncryptedKeyElement());
                    sigParts.add(ekPart);
                }
            }
            dkSign.getParts().addAll(sigParts);
            List<Reference> referenceList = dkSign.addReferencesToSign(sigParts);
            if (!referenceList.isEmpty()) {
                // Add elements to header
                addDerivedKeyElement(dkSign.getdktElement());
                // Do signature
                if (bottomUpElement == null) {
                    dkSign.computeSignature(referenceList, false, null);
                } else {
                    dkSign.computeSignature(referenceList, true, bottomUpElement);
                }
                bottomUpElement = dkSign.getSignatureElement();
                addSig(dkSign.getSignatureValue());
                mainSigId = dkSign.getSignatureId();
            }
        } catch (Exception ex) {
            LOG.log(Level.FINE, ex.getMessage(), ex);
            throw new Fault(ex);
        }
    } else {
        WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
        if (abinding.isProtectTokens()) {
            assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
            if (sig.getCustomTokenId() != null && (sigToken instanceof SamlToken || sigToken instanceof IssuedToken)) {
                WSEncryptionPart samlPart = new WSEncryptionPart(sig.getCustomTokenId());
                sigParts.add(samlPart);
            } else if (sig.getBSTTokenId() != null) {
                // This action must occur before sig.prependBSTElementToHeader
                WSEncryptionPart bstPart = new WSEncryptionPart(sig.getBSTTokenId());
                bstPart.setElement(sig.getBinarySecurityTokenElement());
                sigParts.add(bstPart);
                sig.prependBSTElementToHeader();
            }
        }
        List<Reference> referenceList = sig.addReferencesToSign(sigParts);
        if (!referenceList.isEmpty()) {
            // Do signature
            if (bottomUpElement == null) {
                sig.computeSignature(referenceList, false, null);
            } else {
                sig.computeSignature(referenceList, true, bottomUpElement);
            }
            bottomUpElement = sig.getSignatureElement();
            if (!abinding.isProtectTokens()) {
                Element bstElement = sig.getBinarySecurityTokenElement();
                if (bstElement != null) {
                    secHeader.getSecurityHeaderElement().insertBefore(bstElement, bottomUpElement);
                }
            }
            addSig(sig.getSignatureValue());
            mainSigId = sig.getId();
        }
    }
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) SamlToken(org.apache.wss4j.policy.model.SamlToken) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) QName(javax.xml.namespace.QName) Reference(javax.xml.crypto.dsig.Reference) WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) Fault(org.apache.cxf.interceptor.Fault) SOAPException(javax.xml.soap.SOAPException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) WSSecDKSign(org.apache.wss4j.dom.message.WSSecDKSign) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)

Example 20 with IssuedToken

use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.

the class AsymmetricBindingHandler method doEncryptBeforeSign.

private void doEncryptBeforeSign() {
    AbstractTokenWrapper wrapper = getEncryptBeforeSignWrapper();
    AbstractToken encryptionToken = null;
    if (wrapper != null) {
        encryptionToken = wrapper.getToken();
        assertToken(encryptionToken);
    }
    AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
    if (initiatorWrapper == null) {
        initiatorWrapper = abinding.getInitiatorToken();
    }
    assertTokenWrapper(initiatorWrapper);
    boolean attached = false;
    if (initiatorWrapper != null) {
        AbstractToken initiatorToken = initiatorWrapper.getToken();
        if (initiatorToken instanceof IssuedToken) {
            SecurityToken secToken = getSecurityToken();
            if (secToken == null) {
                unassertPolicy(initiatorToken, "Security token is not found or expired");
                return;
            } else if (isTokenRequired(initiatorToken.getIncludeTokenType())) {
                Element el = secToken.getToken();
                this.addEncryptedKeyElement(cloneElement(el));
                attached = true;
            }
        } else if (initiatorToken instanceof SamlToken && isRequestor()) {
            try {
                SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) initiatorToken);
                if (assertionWrapper != null && isTokenRequired(initiatorToken.getIncludeTokenType())) {
                    Element envelope = saaj.getSOAPPart().getEnvelope();
                    envelope = (Element) DOMUtils.getDomElement(envelope);
                    addSupportingElement(assertionWrapper.toDOM(envelope.getOwnerDocument()));
                    storeAssertionAsSecurityToken(assertionWrapper);
                }
            } catch (Exception e) {
                String reason = e.getMessage();
                LOG.log(Level.WARNING, "Encrypt before sign failed due to : " + reason);
                LOG.log(Level.FINE, e.getMessage(), e);
                throw new Fault(e);
            }
        } else if (initiatorToken instanceof SamlToken) {
            String tokenId = getSAMLToken();
            if (tokenId == null) {
                unassertPolicy(initiatorToken, "Security token is not found or expired");
                return;
            }
        }
    }
    List<WSEncryptionPart> sigParts = new ArrayList<>();
    if (timestampEl != null) {
        WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
        sigParts.add(timestampPart);
    }
    try {
        addSupportingTokens(sigParts);
    } catch (WSSecurityException ex) {
        LOG.log(Level.FINE, ex.getMessage(), ex);
        unassertPolicy(encryptionToken, ex);
    }
    List<WSEncryptionPart> encrParts = null;
    try {
        encrParts = getEncryptedParts();
        // Signed parts are determined before encryption because encrypted signed headers
        // will not be included otherwise
        sigParts.addAll(this.getSignedParts(null));
    } catch (SOAPException ex) {
        LOG.log(Level.FINE, ex.getMessage(), ex);
        throw new Fault(ex);
    }
    WSSecBase encrBase = null;
    if (encryptionToken != null && !encrParts.isEmpty()) {
        encrBase = doEncryption(wrapper, encrParts, true);
        handleEncryptedSignedHeaders(encrParts, sigParts);
    }
    if (!isRequestor()) {
        addSignatureConfirmation(sigParts);
    }
    try {
        if (!sigParts.isEmpty()) {
            if (initiatorWrapper != null && isRequestor()) {
                doSignature(initiatorWrapper, sigParts, attached);
            } else if (!isRequestor()) {
                AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
                if (recipientSignatureToken == null) {
                    recipientSignatureToken = abinding.getRecipientToken();
                }
                if (recipientSignatureToken != null) {
                    assertTokenWrapper(recipientSignatureToken);
                    assertToken(recipientSignatureToken.getToken());
                    doSignature(recipientSignatureToken, sigParts, attached);
                }
            }
        }
    } catch (WSSecurityException ex) {
        LOG.log(Level.FINE, ex.getMessage(), ex);
        throw new Fault(ex);
    } catch (SOAPException ex) {
        LOG.log(Level.FINE, ex.getMessage(), ex);
        throw new Fault(ex);
    }
    if (isRequestor()) {
        doEndorse();
    }
    if (encrBase != null) {
        encryptTokensInSecurityHeader(encryptionToken, encrBase);
    }
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) SamlToken(org.apache.wss4j.policy.model.SamlToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) Fault(org.apache.cxf.interceptor.Fault) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SOAPException(javax.xml.soap.SOAPException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) WSSecBase(org.apache.wss4j.dom.message.WSSecBase) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) SOAPException(javax.xml.soap.SOAPException) AbstractTokenWrapper(org.apache.wss4j.policy.model.AbstractTokenWrapper)

Aggregations

IssuedToken (org.apache.wss4j.policy.model.IssuedToken)33 AbstractToken (org.apache.wss4j.policy.model.AbstractToken)25 X509Token (org.apache.wss4j.policy.model.X509Token)21 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)20 SamlToken (org.apache.wss4j.policy.model.SamlToken)20 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)20 SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)20 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)18 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)15 Element (org.w3c.dom.Element)14 SOAPException (javax.xml.soap.SOAPException)12 Fault (org.apache.cxf.interceptor.Fault)12 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)12 KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)12 SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)12 QName (javax.xml.namespace.QName)11 AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)10 WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)9 AbstractTokenWrapper (org.apache.wss4j.policy.model.AbstractTokenWrapper)8 SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)8