use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.
the class StaxAsymmetricBindingHandler method doSignBeforeEncrypt.
private void doSignBeforeEncrypt() {
try {
AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
if (initiatorWrapper == null) {
initiatorWrapper = abinding.getInitiatorToken();
}
if (initiatorWrapper != null) {
assertTokenWrapper(initiatorWrapper);
AbstractToken initiatorToken = initiatorWrapper.getToken();
if (initiatorToken instanceof IssuedToken) {
SecurityToken sigTok = getSecurityToken();
addIssuedToken(initiatorToken, sigTok, false, true);
if (sigTok != null) {
storeSecurityToken(initiatorToken, sigTok);
outboundSecurityContext.remove(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
}
// Set up CallbackHandler which wraps the configured Handler
WSSSecurityProperties properties = getProperties();
TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
properties.setCallbackHandler(callbackHandler);
} else if (initiatorToken instanceof SamlToken) {
addSamlToken((SamlToken) initiatorToken, false, true);
}
assertToken(initiatorToken);
}
// Add timestamp
List<SecurePart> sigs = new ArrayList<>();
if (timestampAdded) {
SecurePart part = new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
sigs.add(part);
}
sigs.addAll(this.getSignedParts());
if (isRequestor() && initiatorWrapper != null) {
doSignature(initiatorWrapper, sigs);
} else if (!isRequestor()) {
// confirm sig
addSignatureConfirmation(sigs);
AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
if (recipientSignatureToken == null) {
recipientSignatureToken = abinding.getRecipientToken();
}
if (recipientSignatureToken != null) {
assertTokenWrapper(recipientSignatureToken);
assertToken(recipientSignatureToken.getToken());
}
if (recipientSignatureToken != null && !sigs.isEmpty()) {
doSignature(recipientSignatureToken, sigs);
}
}
addSupportingTokens();
removeSignatureIfSignedSAML();
prependSignatureToSC();
List<SecurePart> enc = getEncryptedParts();
// Check for signature protection
if (abinding.isEncryptSignature()) {
SecurePart part = new SecurePart(new QName(XMLSecurityConstants.NS_DSIG, "Signature"), Modifier.Element);
enc.add(part);
if (signatureConfirmationAdded) {
SecurePart securePart = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
enc.add(securePart);
}
assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
// Do encryption
AbstractTokenWrapper encToken;
if (isRequestor()) {
enc.addAll(encryptedTokensList);
encToken = abinding.getRecipientEncryptionToken();
if (encToken == null) {
encToken = abinding.getRecipientToken();
}
} else {
encToken = abinding.getInitiatorEncryptionToken();
if (encToken == null) {
encToken = abinding.getInitiatorToken();
}
}
if (encToken != null) {
assertTokenWrapper(encToken);
assertToken(encToken.getToken());
}
doEncryption(encToken, enc, false);
putCustomTokenAfterSignature();
} catch (Exception e) {
String reason = e.getMessage();
LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason);
throw new Fault(e);
}
}
use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.
the class StaxAsymmetricBindingHandler method doSignature.
private void doSignature(AbstractTokenWrapper wrapper, List<SecurePart> sigParts) throws WSSecurityException, SOAPException {
// Action
WSSSecurityProperties properties = getProperties();
WSSConstants.Action actionToPerform = XMLSecurityConstants.SIGNATURE;
if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
actionToPerform = WSSConstants.SIGNATURE_WITH_DERIVED_KEY;
}
List<WSSConstants.Action> actionList = properties.getActions();
// Add a Signature directly before Kerberos, otherwise just append it
boolean actionAdded = false;
for (int i = 0; i < actionList.size(); i++) {
WSSConstants.Action action = actionList.get(i);
if (action.equals(WSSConstants.KERBEROS_TOKEN)) {
actionList.add(i, actionToPerform);
actionAdded = true;
break;
}
}
if (!actionAdded) {
actionList.add(actionToPerform);
}
properties.getSignatureSecureParts().addAll(sigParts);
AbstractToken sigToken = wrapper.getToken();
configureSignature(sigToken, false);
if (abinding.isProtectTokens() && (sigToken instanceof X509Token) && sigToken.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER) {
SecurePart securePart = new SecurePart(new QName(WSSConstants.NS_WSSE10, "BinarySecurityToken"), Modifier.Element);
properties.addSignaturePart(securePart);
} else if (sigToken instanceof IssuedToken || sigToken instanceof SecurityContextToken || sigToken instanceof SecureConversationToken || sigToken instanceof SpnegoContextToken || sigToken instanceof SamlToken) {
properties.setIncludeSignatureToken(false);
}
if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
properties.setSignatureAlgorithm(abinding.getAlgorithmSuite().getSymmetricSignature());
}
}
use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.
the class StaxSymmetricBindingHandler method doSignBeforeEncrypt.
private void doSignBeforeEncrypt() {
AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
assertTokenWrapper(sigAbstractTokenWrapper);
AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
String sigTokId = null;
try {
SecurityToken sigTok = null;
if (sigToken != null) {
if (sigToken instanceof KerberosToken) {
sigTok = getSecurityToken();
if (isRequestor()) {
addKerberosToken((KerberosToken) sigToken, false, true, true);
}
} else if (sigToken instanceof IssuedToken) {
sigTok = getSecurityToken();
addIssuedToken(sigToken, sigTok, false, true);
if (sigTok == null && !isRequestor()) {
org.apache.xml.security.stax.securityToken.SecurityToken securityToken = findInboundSecurityToken(WSSecurityEventConstants.SAML_TOKEN);
sigTokId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
}
} else if (sigToken instanceof SecureConversationToken || sigToken instanceof SecurityContextToken || sigToken instanceof SpnegoContextToken) {
sigTok = getSecurityToken();
if (sigTok != null && isRequestor()) {
WSSSecurityProperties properties = getProperties();
WSSConstants.Action actionToPerform = WSSConstants.CUSTOM_TOKEN;
properties.addAction(actionToPerform);
} else if (sigTok == null && !isRequestor()) {
org.apache.xml.security.stax.securityToken.SecurityToken securityToken = findInboundSecurityToken(WSSecurityEventConstants.SECURITY_CONTEXT_TOKEN);
sigTokId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
}
} else if (sigToken instanceof X509Token) {
if (isRequestor()) {
sigTokId = setupEncryptedKey(sigAbstractTokenWrapper, sigToken);
} else {
org.apache.xml.security.stax.securityToken.SecurityToken securityToken = findEncryptedKeyToken();
sigTokId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
}
} else if (sigToken instanceof UsernameToken) {
unassertPolicy(sbinding, "UsernameTokens not supported with Symmetric binding");
return;
}
assertToken(sigToken);
} else {
unassertPolicy(sbinding, "No signature token");
return;
}
if (sigTok == null && StringUtils.isEmpty(sigTokId)) {
unassertPolicy(sigAbstractTokenWrapper, "No signature token id");
return;
}
if (sigTok == null) {
sigTok = TokenStoreUtils.getTokenStore(message).getToken(sigTokId);
}
// Store key
if (!(MessageUtils.isRequestor(message) && sigToken instanceof KerberosToken)) {
storeSecurityToken(sigToken, sigTok);
}
// Add timestamp
List<SecurePart> sigs = new ArrayList<>();
if (timestampAdded) {
SecurePart part = new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
sigs.add(part);
}
sigs.addAll(this.getSignedParts());
if (!isRequestor()) {
addSignatureConfirmation(sigs);
}
if (!sigs.isEmpty()) {
doSignature(sigAbstractTokenWrapper, sigToken, sigTok, sigs);
}
addSupportingTokens();
removeSignatureIfSignedSAML();
prependSignatureToSC();
// Encryption
List<SecurePart> enc = getEncryptedParts();
// Check for signature protection
if (sbinding.isEncryptSignature()) {
SecurePart part = new SecurePart(new QName(XMLSecurityConstants.NS_DSIG, "Signature"), Modifier.Element);
enc.add(part);
if (signatureConfirmationAdded) {
part = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
enc.add(part);
}
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
// Do encryption
if (isRequestor()) {
enc.addAll(encryptedTokensList);
}
AbstractTokenWrapper encrAbstractTokenWrapper = getEncryptionToken();
doEncryption(encrAbstractTokenWrapper, enc, false);
putCustomTokenAfterSignature();
} catch (Exception e) {
throw new Fault(e);
}
}
use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.
the class StaxSymmetricBindingHandler method doEncryptBeforeSign.
private void doEncryptBeforeSign() {
try {
AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
assertTokenWrapper(encryptionWrapper);
AbstractToken encryptionToken = encryptionWrapper.getToken();
String tokenId = null;
SecurityToken tok = null;
if (encryptionToken instanceof KerberosToken) {
tok = getSecurityToken();
if (MessageUtils.isRequestor(message)) {
addKerberosToken((KerberosToken) encryptionToken, false, true, true);
}
} else if (encryptionToken instanceof IssuedToken) {
tok = getSecurityToken();
addIssuedToken(encryptionToken, tok, false, true);
if (tok == null && !isRequestor()) {
org.apache.xml.security.stax.securityToken.SecurityToken securityToken = findInboundSecurityToken(WSSecurityEventConstants.SAML_TOKEN);
tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
}
} else if (encryptionToken instanceof SecureConversationToken || encryptionToken instanceof SecurityContextToken || encryptionToken instanceof SpnegoContextToken) {
tok = getSecurityToken();
if (tok != null && isRequestor()) {
WSSSecurityProperties properties = getProperties();
WSSConstants.Action actionToPerform = WSSConstants.CUSTOM_TOKEN;
properties.addAction(actionToPerform);
} else if (tok == null && !isRequestor()) {
org.apache.xml.security.stax.securityToken.SecurityToken securityToken = findInboundSecurityToken(WSSecurityEventConstants.SECURITY_CONTEXT_TOKEN);
tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
}
} else if (encryptionToken instanceof X509Token) {
if (isRequestor()) {
tokenId = setupEncryptedKey(encryptionWrapper, encryptionToken);
} else {
org.apache.xml.security.stax.securityToken.SecurityToken securityToken = findEncryptedKeyToken();
tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
}
} else if (encryptionToken instanceof UsernameToken) {
unassertPolicy(sbinding, "UsernameTokens not supported with Symmetric binding");
return;
}
assertToken(encryptionToken);
if (tok == null) {
tokenId = XMLUtils.getIDFromReference(tokenId);
// Get hold of the token from the token storage
tok = TokenStoreUtils.getTokenStore(message).getToken(tokenId);
}
// Store key
if (!(MessageUtils.isRequestor(message) && encryptionToken instanceof KerberosToken)) {
storeSecurityToken(encryptionToken, tok);
}
List<SecurePart> encrParts = null;
List<SecurePart> sigParts = null;
try {
encrParts = getEncryptedParts();
// Signed parts are determined before encryption because encrypted signed headers
// will not be included otherwise
sigParts = getSignedParts();
} catch (SOAPException ex) {
throw new Fault(ex);
}
addSupportingTokens();
if (encryptionToken != null && !encrParts.isEmpty()) {
if (isRequestor()) {
encrParts.addAll(encryptedTokensList);
}
// Check for signature protection
if (sbinding.isEncryptSignature()) {
SecurePart part = new SecurePart(new QName(XMLSecurityConstants.NS_DSIG, "Signature"), Modifier.Element);
encrParts.add(part);
if (signatureConfirmationAdded) {
part = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
encrParts.add(part);
}
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
doEncryption(encryptionWrapper, encrParts, true);
}
if (timestampAdded) {
SecurePart part = new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
sigParts.add(part);
}
sigParts.addAll(this.getSignedParts());
if (!sigParts.isEmpty()) {
AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
if (sigAbstractTokenWrapper != null) {
AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
if (isRequestor()) {
doSignature(sigAbstractTokenWrapper, sigToken, tok, sigParts);
} else {
addSignatureConfirmation(sigParts);
doSignature(sigAbstractTokenWrapper, sigToken, tok, sigParts);
}
}
}
removeSignatureIfSignedSAML();
enforceEncryptBeforeSigningWithSignedSAML();
prependSignatureToSC();
putCustomTokenAfterSignature();
} catch (RuntimeException ex) {
throw ex;
} catch (Exception ex) {
throw new Fault(ex);
}
}
use of org.apache.wss4j.policy.model.IssuedToken in project cxf by apache.
the class StaxTransportBindingHandler method handleEndorsingToken.
private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
assertToken(token);
if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
return;
}
if (token instanceof IssuedToken) {
SecurityToken securityToken = getSecurityToken();
addIssuedToken(token, securityToken, false, true);
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
WSSSecurityProperties properties = getProperties();
if (securityToken != null && securityToken.getSecret() != null) {
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
} else {
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
}
properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setSignatureDigestAlgorithm(algType.getDigest());
} else if (token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
SecurityToken securityToken = getSecurityToken();
addIssuedToken(token, securityToken, false, true);
WSSSecurityProperties properties = getProperties();
if (securityToken != null) {
storeSecurityToken(token, securityToken);
// Set up CallbackHandler which wraps the configured Handler
TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
properties.setCallbackHandler(callbackHandler);
}
doSignature(token, wrapper);
properties.setIncludeSignatureToken(true);
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setSignatureDigestAlgorithm(algType.getDigest());
} else if (token instanceof X509Token || token instanceof KeyValueToken) {
doSignature(token, wrapper);
} else if (token instanceof SamlToken) {
addSamlToken((SamlToken) token, false, true);
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
WSSSecurityProperties properties = getProperties();
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setSignatureDigestAlgorithm(algType.getDigest());
} else if (token instanceof UsernameToken) {
throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
} else if (token instanceof KerberosToken) {
WSSSecurityProperties properties = getProperties();
properties.addAction(XMLSecurityConstants.SIGNATURE);
configureSignature(token, false);
addKerberosToken((KerberosToken) token, false, true, false);
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setSignatureDigestAlgorithm(algType.getDigest());
}
}
Aggregations