Use of org.apache.wss4j.policy.model.IssuedToken in the project cxf by apache.
The class StaxTransportBindingHandler, method handleBinding.
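/**
 * Configures the transport binding for the current message.
 *
 * <p>On the requestor side the transport binding is asserted, contextual signature-algorithm
 * overrides are applied to the algorithm suite, the transport token is asserted (an
 * {@code IssuedToken} is added to the security header via {@code addIssuedToken}) and both the
 * non-endorsing and the endorsing supporting tokens are handled. On the responder side the
 * non-endorsing supporting tokens are handled first, then the binding and transport token are
 * asserted, the endorsing supporting tokens are handled and a signature confirmation is added.
 *
 * <p>Any exception raised while handling supporting tokens is logged at FINE and rethrown as a
 * {@link Fault}. If an {@code IssuedToken} transport token is configured but no
 * {@code SecurityToken} is available, the token policy is unasserted and the method returns
 * without configuring the layout or asserting the remaining policies.
 */
public void handleBinding() {
    AssertionInfoMap aim = getMessage().get(AssertionInfoMap.class);
    configureTimestamp(aim);

    if (this.isRequestor()) {
        if (tbinding != null) {
            assertPolicy(tbinding.getName());

            // Contextual properties may override the signature algorithms of the policy's
            // algorithm suite; they are only applied when the binding actually declares a suite.
            String asymSignatureAlgorithm = (String) getMessage()
                .getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
            if (asymSignatureAlgorithm != null && tbinding.getAlgorithmSuite() != null) {
                tbinding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
            }
            String symSignatureAlgorithm = (String) getMessage()
                .getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
            if (symSignatureAlgorithm != null && tbinding.getAlgorithmSuite() != null) {
                tbinding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm);
            }

            // The responder branch below already tolerates a binding without a TransportToken;
            // guard here as well instead of dereferencing a null wrapper.
            TransportToken token = tbinding.getTransportToken();
            if (token != null) {
                if (token.getToken() instanceof IssuedToken) {
                    SecurityToken secToken = getSecurityToken();
                    if (secToken == null) {
                        unassertPolicy(token.getToken(), "No transport token id");
                        return;
                    }
                    addIssuedToken(token.getToken(), secToken, false, false);
                }
                assertToken(token.getToken());
                assertTokenWrapper(token);
            }
        }
        try {
            handleNonEndorsingSupportingTokens(aim);
            handleEndorsingSupportingTokens(aim);
        } catch (Exception e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            throw new Fault(e);
        }
    } else {
        try {
            handleNonEndorsingSupportingTokens(aim);
        } catch (Exception e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            throw new Fault(e);
        }
        if (tbinding != null) {
            assertPolicy(tbinding.getName());
            if (tbinding.getTransportToken() != null) {
                assertTokenWrapper(tbinding.getTransportToken());
                assertToken(tbinding.getTransportToken().getToken());
                try {
                    handleEndorsingSupportingTokens(aim);
                } catch (Exception e) {
                    LOG.log(Level.FINE, e.getMessage(), e);
                    throw new Fault(e);
                }
            }
        }
        addSignatureConfirmation(null);
    }

    configureLayout(aim);
    if (tbinding != null) {
        assertAlgorithmSuite(tbinding.getAlgorithmSuite());
        assertWSSProperties(tbinding.getName().getNamespaceURI());
        assertTrustProperties(tbinding.getName().getNamespaceURI());
    }
    // Parts assertions are satisfied by the transport (TLS) and are asserted for both SP versions.
    assertPolicy(SP12Constants.SIGNED_PARTS);
    assertPolicy(SP11Constants.SIGNED_PARTS);
    assertPolicy(SP12Constants.ENCRYPTED_PARTS);
    assertPolicy(SP11Constants.ENCRYPTED_PARTS);
    putCustomTokenAfterSignature();
}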
Use of org.apache.wss4j.policy.model.IssuedToken in the project cxf by apache.
The class TransportBindingHandler, method handleEndorsingToken.
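/**
 * Adds an endorsing supporting token to the security header and produces a signature with it.
 *
 * <p>The token is asserted first; a token the policy does not require to be included is skipped.
 * Issued, SecureConversation, SecurityContext, Kerberos and Spnego tokens are signed via
 * {@code doIssuedTokenSignature}; X509 and KeyValue tokens via {@code doX509TokenSignature}.
 * A {@code SamlToken} is added to the SOAP envelope and stored as a security token before the
 * signature is produced; a {@code UsernameToken} is added with a derived key and registered in
 * the token store under {@code SecurityConstants.TOKEN_ID} first.
 *
 * @param token   the endorsing token from the policy, may be {@code null} (nothing is added then)
 * @param wrapper the SupportingTokens assertion the token belongs to
 * @throws IllegalStateException if no SAML assertion could be created for a {@code SamlToken}
 * @throws Exception if adding the token or producing the signature fails
 */
private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
    assertToken(token);
    if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
        return;
    }

    if (token instanceof IssuedToken
        || token instanceof SecureConversationToken
        || token instanceof SecurityContextToken
        || token instanceof KerberosToken
        || token instanceof SpnegoContextToken) {
        addSig(doIssuedTokenSignature(token, wrapper));
    } else if (token instanceof X509Token || token instanceof KeyValueToken) {
        addSig(doX509TokenSignature(token, wrapper));
    } else if (token instanceof SamlToken) {
        SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
        if (assertionWrapper == null) {
            // addSamlToken can return null (the signed supporting-token path checks for this);
            // an endorsing signature cannot be produced without the assertion, so fail
            // explicitly rather than with a NullPointerException below.
            throw new IllegalStateException("No SAML assertion available for the endorsing SamlToken");
        }
        Element envelope = saaj.getSOAPPart().getEnvelope();
        envelope = (Element) DOMUtils.getDomElement(envelope);
        assertionWrapper.toDOM(envelope.getOwnerDocument());
        storeAssertionAsSecurityToken(assertionWrapper);
        addSig(doIssuedTokenSignature(token, wrapper));
    } else if (token instanceof UsernameToken) {
        // Create a UsernameToken with a derived key and store it as a SecurityToken so that the
        // signature below can reference it by id.
        WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken) token, true);
        String id = usernameToken.getId();
        byte[] secret = usernameToken.getDerivedKey();
        Instant created = Instant.now();
        // The lifetime is divided by 1000 before plusSeconds, so it is presumably in milliseconds.
        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
        SecurityToken tempTok =
            new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
        tempTok.setSecret(secret);
        getTokenStore().add(tempTok);
        message.put(SecurityConstants.TOKEN_ID, tempTok.getId());
        addSig(doIssuedTokenSignature(token, wrapper));
    }
}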
Use of org.apache.wss4j.policy.model.IssuedToken in the project cxf by apache.
The class TransportBindingHandler, method addSignedSupportingTokens.
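/**
 * Adds the signed supporting tokens of a SupportingTokens assertion to the security header.
 *
 * <p>Each token is asserted; tokens the policy does not require to be included are skipped.
 * A {@code UsernameToken} is prepared and appended to the header; for Issued, Kerberos and
 * Spnego tokens the current {@code SecurityToken} is cloned into the header; a
 * {@code SamlToken} is converted to DOM and added as a supporting element. Other token types
 * are currently ignored (see the REVISIT note).
 *
 * @param sgndSuppTokens the signed SupportingTokens assertion
 * @throws IllegalStateException if an Issued, Kerberos or Spnego token is required but no
 *         {@code SecurityToken} is available
 * @throws Exception if building or appending a token fails
 */
private void addSignedSupportingTokens(SupportingTokens sgndSuppTokens) throws Exception {
    for (AbstractToken token : sgndSuppTokens.getTokens()) {
        assertToken(token);
        if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
            continue;
        }

        if (token instanceof UsernameToken) {
            WSSecUsernameToken utBuilder = addUsernameToken((UsernameToken) token);
            if (utBuilder != null) {
                utBuilder.prepare();
                utBuilder.appendToHeader();
            }
        } else if (token instanceof IssuedToken
            || token instanceof KerberosToken
            || token instanceof SpnegoContextToken) {
            // The include-token check at the top of the loop has already passed for this (non-null)
            // token, so it is required; the security token must therefore exist before it is cloned.
            SecurityToken secTok = getSecurityToken();
            if (secTok == null) {
                throw new IllegalStateException("No security token available for signed supporting "
                    + token.getClass().getSimpleName());
            }
            addEncryptedKeyElement(cloneElement(secTok.getToken()));
        } else if (token instanceof SamlToken) {
            SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
            if (assertionWrapper != null) {
                Element envelope = saaj.getSOAPPart().getEnvelope();
                envelope = (Element) DOMUtils.getDomElement(envelope);
                addSupportingElement(assertionWrapper.toDOM(envelope.getOwnerDocument()));
            }
        } else {
            // REVISIT - not supported for signed. Exception?
        }
    }
}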
Use of org.apache.wss4j.policy.model.IssuedToken in the project cxf by apache.
The class ConcreteSupportingTokenPolicyValidator, method validatePolicies.
/**
 * Validates the SupportingTokens assertions against the tokens received in the message.
 *
 * <p>Each assertion is marked asserted up front and its signed/encrypted parts and elements are
 * recorded. Every token the policy requires is then checked with the matching
 * {@code process*Tokens} method; if a required token cannot be processed, the assertion is
 * marked not asserted.
 *
 * @param parameters the validation parameters for the current message
 * @param ais        the SupportingTokens assertion infos to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SupportingTokens supportingTokens = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(supportingTokens.getSignedParts());
        setEncryptedParts(supportingTokens.getEncryptedParts());
        setSignedElements(supportingTokens.getSignedElements());
        setEncryptedElements(supportingTokens.getEncryptedElements());

        for (AbstractToken token : supportingTokens.getTokens()) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                continue;
            }

            boolean processed;
            if (token instanceof UsernameToken) {
                processed = processUsernameTokens(parameters, false);
            } else if (token instanceof SamlToken) {
                processed = processSAMLTokens(parameters, false);
            } else if (token instanceof KerberosToken) {
                processed = processKerberosTokens(parameters, false);
            } else if (token instanceof X509Token) {
                processed = processX509Tokens(parameters, false);
            } else if (token instanceof KeyValueToken) {
                processed = processKeyValueTokens(parameters);
            } else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
                processed = processSCTokens(parameters, false);
            } else if (token instanceof IssuedToken) {
                // An IssuedToken is only checked as a SAML token when the policy demands one.
                processed = !isSamlTokenRequiredForIssuedToken((IssuedToken) token)
                    || processSAMLTokens(parameters, false);
            } else {
                // An unrecognised token type cannot satisfy the assertion.
                processed = false;
            }

            if (!processed) {
                ai.setNotAsserted("The received token does not match the supporting token requirement");
            }
        }
    }
}
Use of org.apache.wss4j.policy.model.IssuedToken in the project cxf by apache.
The class EncryptedTokenPolicyValidator, method validatePolicies.
/**
 * Validates the encrypted SupportingTokens assertions against the tokens received in the message.
 *
 * <p>When TLS is in use, token encryption is only enforced if no TransportBinding assertion is
 * present in the assertion info map. Each assertion is then marked asserted up front, its
 * signed/encrypted parts and elements are recorded, and every token the policy requires is
 * checked with the matching {@code process*Tokens} method; if a required token cannot be
 * processed, the assertion is marked not asserted.
 *
 * @param parameters the validation parameters for the current message
 * @param ais        the encrypted SupportingTokens assertion infos to validate
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available
    if (isTLSInUse(parameters.getMessage())) {
        AssertionInfo transportBindingAi = PolicyUtils.getFirstAssertionByLocalname(
            parameters.getAssertionInfoMap(), SPConstants.TRANSPORT_BINDING);
        super.setEnforceEncryptedTokens(transportBindingAi == null);
    }

    for (AssertionInfo ai : ais) {
        SupportingTokens supportingTokens = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(supportingTokens.getSignedParts());
        setEncryptedParts(supportingTokens.getEncryptedParts());
        setSignedElements(supportingTokens.getSignedElements());
        setEncryptedElements(supportingTokens.getEncryptedElements());

        for (AbstractToken token : supportingTokens.getTokens()) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                continue;
            }

            boolean processed;
            if (token instanceof UsernameToken) {
                processed = processUsernameTokens(parameters, false);
            } else if (token instanceof KerberosToken) {
                processed = processKerberosTokens(parameters, false);
            } else if (token instanceof X509Token) {
                processed = processX509Tokens(parameters, false);
            } else if (token instanceof KeyValueToken) {
                processed = processKeyValueTokens(parameters);
            } else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
                processed = processSCTokens(parameters, false);
            } else if (token instanceof SamlToken) {
                processed = processSAMLTokens(parameters, false);
            } else if (token instanceof IssuedToken) {
                // An IssuedToken is only checked as a SAML token when the policy demands one.
                processed = !isSamlTokenRequiredForIssuedToken((IssuedToken) token)
                    || processSAMLTokens(parameters, false);
            } else {
                // An unrecognised token type cannot satisfy the assertion.
                processed = false;
            }

            if (!processed) {
                ai.setNotAsserted(
                    "The received token does not match the encrypted supporting token requirement");
            }
        }
    }
}