Example 16 with KerberosToken
use of org.apache.wss4j.policy.model.KerberosToken in project cxf by apache.
the class StaxTransportBindingHandler method handleEndorsingToken.
private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
assertToken(token);
if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
return;
}
if (token instanceof IssuedToken) {
SecurityToken securityToken = getSecurityToken();
addIssuedToken(token, securityToken, false, true);
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
WSSSecurityProperties properties = getProperties();
if (securityToken != null && securityToken.getSecret() != null) {
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
} else {
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
}
properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setSignatureDigestAlgorithm(algType.getDigest());
} else if (token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
SecurityToken securityToken = getSecurityToken();
addIssuedToken(token, securityToken, false, true);
WSSSecurityProperties properties = getProperties();
if (securityToken != null) {
storeSecurityToken(token, securityToken);
// Set up CallbackHandler which wraps the configured Handler
TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
properties.setCallbackHandler(callbackHandler);
}
doSignature(token, wrapper);
properties.setIncludeSignatureToken(true);
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setSignatureDigestAlgorithm(algType.getDigest());
} else if (token instanceof X509Token || token instanceof KeyValueToken) {
doSignature(token, wrapper);
} else if (token instanceof SamlToken) {
addSamlToken((SamlToken) token, false, true);
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
WSSSecurityProperties properties = getProperties();
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setSignatureDigestAlgorithm(algType.getDigest());
} else if (token instanceof UsernameToken) {
throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
} else if (token instanceof KerberosToken) {
WSSSecurityProperties properties = getProperties();
properties.addAction(XMLSecurityConstants.SIGNATURE);
configureSignature(token, false);
addKerberosToken((KerberosToken) token, false, true, false);
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setSignatureDigestAlgorithm(algType.getDigest());
}
}
Also used :
WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
SOAPException(javax.xml.soap.SOAPException)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
TokenStoreCallbackHandler(org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler)
Example 17 with KerberosToken
use of org.apache.wss4j.policy.model.KerberosToken in project cxf by apache.
the class SymmetricBindingHandler method doSignature.
private byte[] doSignature(List<WSEncryptionPart> sigs, AbstractTokenWrapper policyAbstractTokenWrapper, AbstractToken policyToken, SecurityToken tok, boolean included) throws WSSecurityException {
if (policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
return doSignatureDK(sigs, policyAbstractTokenWrapper, policyToken, tok, included);
}
WSSecSignature sig = new WSSecSignature(secHeader);
sig.setIdAllocator(wssConfig.getIdAllocator());
sig.setCallbackLookup(callbackLookup);
sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
sig.setStoreBytesInAttachment(storeBytesInAttachment);
sig.setExpandXopInclude(isExpandXopInclude());
sig.setWsDocInfo(wsDocInfo);
// If a EncryptedKeyToken is used, set the correct value type to
// be used in the wsse:Reference in ds:KeyInfo
int type = included ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
String sigTokId = tok.getId();
if (policyToken instanceof X509Token) {
if (isRequestor()) {
sig.setCustomTokenValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE);
sig.setKeyIdentifierType(type);
} else {
// the tok has to be an EncryptedKey token
sig.setEncrKeySha1value(tok.getSHA1());
sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
}
} else if (policyToken instanceof UsernameToken) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
sig.setKeyIdentifierType(type);
} else if (policyToken instanceof KerberosToken) {
if (isRequestor()) {
sig.setCustomTokenValueType(tok.getTokenType());
sig.setKeyIdentifierType(type);
} else {
sig.setCustomTokenValueType(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
sigTokId = tok.getSHA1();
}
} else {
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (included) {
ref = tok.getAttachedReference();
} else {
ref = tok.getUnattachedReference();
}
if (ref != null) {
SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
sig.setSecurityTokenReference(secRef);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
String tokenType = tok.getTokenType();
if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
sig.setCustomTokenValueType(tokenType);
sig.setKeyIdentifierType(type);
}
}
}
if (included) {
sigTokId = tok.getWsuId();
if (sigTokId == null) {
if (policyToken instanceof SecureConversationToken || policyToken instanceof SecurityContextToken) {
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
}
sigTokId = tok.getId();
}
if (sigTokId.startsWith("#")) {
sigTokId = sigTokId.substring(1);
}
}
if (sbinding.isProtectTokens()) {
assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
if (included) {
sigs.add(new WSEncryptionPart(sigTokId));
}
}
sig.setCustomTokenId(sigTokId);
sig.setSecretKey(tok.getSecret());
sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
boolean includePrefixes = MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);
sig.setAddInclusivePrefixes(includePrefixes);
AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
sig.setDigestAlgo(algType.getDigest());
sig.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
Crypto crypto = null;
if (sbinding.getProtectionToken() != null) {
crypto = getEncryptionCrypto();
} else {
crypto = getSignatureCrypto();
}
this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
sig.prepare(crypto);
sig.getParts().addAll(sigs);
List<Reference> referenceList = sig.addReferencesToSign(sigs);
if (!referenceList.isEmpty()) {
// Do signature
if (bottomUpElement == null) {
sig.computeSignature(referenceList, false, null);
} else {
sig.computeSignature(referenceList, true, bottomUpElement);
}
bottomUpElement = sig.getSignatureElement();
this.mainSigId = sig.getId();
return sig.getSignatureValue();
}
return null;
}
Also used :
WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart)
AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
QName(javax.xml.namespace.QName)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
Reference(javax.xml.crypto.dsig.Reference)
WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature)
Element(org.w3c.dom.Element)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
Crypto(org.apache.wss4j.common.crypto.Crypto)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)
Example 18 with KerberosToken
use of org.apache.wss4j.policy.model.KerberosToken in project cxf by apache.
the class TransportBindingHandler method handleEndorsingToken.
private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
assertToken(token);
if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
return;
}
if (token instanceof IssuedToken || token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof KerberosToken || token instanceof SpnegoContextToken) {
addSig(doIssuedTokenSignature(token, wrapper));
} else if (token instanceof X509Token || token instanceof KeyValueToken) {
addSig(doX509TokenSignature(token, wrapper));
} else if (token instanceof SamlToken) {
SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
Element envelope = saaj.getSOAPPart().getEnvelope();
envelope = (Element) DOMUtils.getDomElement(envelope);
assertionWrapper.toDOM(envelope.getOwnerDocument());
storeAssertionAsSecurityToken(assertionWrapper);
addSig(doIssuedTokenSignature(token, wrapper));
} else if (token instanceof UsernameToken) {
// Create a UsernameToken object for derived keys and store the security token
WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken) token, true);
String id = usernameToken.getId();
byte[] secret = usernameToken.getDerivedKey();
Instant created = Instant.now();
Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
SecurityToken tempTok = new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
tempTok.setSecret(secret);
getTokenStore().add(tempTok);
message.put(SecurityConstants.TOKEN_ID, tempTok.getId());
addSig(doIssuedTokenSignature(token, wrapper));
}
}
Also used :
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Element(org.w3c.dom.Element)
Instant(java.time.Instant)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
Example 19 with KerberosToken
use of org.apache.wss4j.policy.model.KerberosToken in project cxf by apache.
the class TransportBindingHandler method addSignedSupportingTokens.
private void addSignedSupportingTokens(SupportingTokens sgndSuppTokens) throws Exception {
for (AbstractToken token : sgndSuppTokens.getTokens()) {
assertToken(token);
if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
continue;
}
if (token instanceof UsernameToken) {
WSSecUsernameToken utBuilder = addUsernameToken((UsernameToken) token);
if (utBuilder != null) {
utBuilder.prepare();
utBuilder.appendToHeader();
}
} else if (token instanceof IssuedToken || token instanceof KerberosToken || token instanceof SpnegoContextToken) {
SecurityToken secTok = getSecurityToken();
if (isTokenRequired(token.getIncludeTokenType())) {
// Add the token
addEncryptedKeyElement(cloneElement(secTok.getToken()));
}
} else if (token instanceof SamlToken) {
SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
if (assertionWrapper != null) {
Element envelope = saaj.getSOAPPart().getEnvelope();
envelope = (Element) DOMUtils.getDomElement(envelope);
addSupportingElement(assertionWrapper.toDOM(envelope.getOwnerDocument()));
}
} else {
// REVISIT - not supported for signed. Exception?
}
}
}
Also used :
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Element(org.w3c.dom.Element)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
Example 20 with KerberosToken
use of org.apache.wss4j.policy.model.KerberosToken in project cxf by apache.
the class ConcreteSupportingTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
continue;
}
boolean processingFailed = false;
if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
if (!processSCTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the supporting token requirement");
continue;
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
Aggregations
KerberosToken (org.apache.wss4j.policy.model.KerberosToken)24
SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)22
UsernameToken (org.apache.wss4j.policy.model.UsernameToken)21
IssuedToken (org.apache.wss4j.policy.model.IssuedToken)20
SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)19
X509Token (org.apache.wss4j.policy.model.X509Token)19
AbstractToken (org.apache.wss4j.policy.model.AbstractToken)17
SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)14
SamlToken (org.apache.wss4j.policy.model.SamlToken)13
KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)12
QName (javax.xml.namespace.QName)9
AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)9
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)9
WSSecUsernameToken (org.apache.wss4j.dom.message.WSSecUsernameToken)9
Element (org.w3c.dom.Element)9
SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)8
SOAPException (javax.xml.soap.SOAPException)6
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)6
AlgorithmSuiteType (org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)6
WSEncryptionPart (org.apache.wss4j.common.WSEncryptionPart)5
