Search in sources :

Example 6 with KeyValueToken

use of org.apache.wss4j.policy.model.KeyValueToken in project cxf by apache.

the class AbstractBindingBuilder method handleSupportingTokens.

protected List<SupportingToken> handleSupportingTokens(SupportingTokens suppTokens, boolean endorse, List<SupportingToken> ret) throws WSSecurityException, SOAPException {
    if (suppTokens == null) {
        return ret;
    }
    for (AbstractToken token : suppTokens.getTokens()) {
        assertToken(token);
        if (!isTokenRequired(token.getIncludeTokenType())) {
            // Check for any SignedParts so as *not* to sign them
            getSignedParts(suppTokens);
            continue;
        }
        if (token instanceof UsernameToken) {
            handleUsernameTokenSupportingToken((UsernameToken) token, endorse, suppTokens.isEncryptedToken(), ret);
        } else if (token instanceof IssuedToken || token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof KerberosToken || token instanceof SpnegoContextToken) {
            // ws-trust/ws-sc stuff.......
            SecurityToken secToken = getSecurityToken();
            if (secToken == null) {
                unassertPolicy(token, "Could not find IssuedToken");
            }
            Element clone = cloneElement(secToken.getToken());
            secToken.setToken(clone);
            addSupportingElement(clone);
            String id = XMLUtils.getIDFromReference(secToken.getId());
            if (suppTokens.isEncryptedToken()) {
                WSEncryptionPart part = new WSEncryptionPart(id, "Element");
                part.setElement(clone);
                encryptedTokensList.add(part);
            }
            if (secToken.getX509Certificate() == null) {
                ret.add(new SupportingToken(token, new WSSecurityTokenHolder(secToken, secHeader), getSignedParts(suppTokens)));
            } else {
                ret.add(signSupportingToken(secToken, id, token, suppTokens));
            }
        } else if (token instanceof X509Token) {
            // We have to use a cert. Prepare X509 signature
            WSSecSignature sig = getSignatureBuilder(token, false, endorse);
            assertPolicy(suppTokens);
            Element bstElem = sig.getBinarySecurityTokenElement();
            if (bstElem != null) {
                if (lastEncryptedKeyElement != null) {
                    if (lastEncryptedKeyElement.getNextSibling() != null) {
                        secHeader.getSecurityHeaderElement().insertBefore(bstElem, lastEncryptedKeyElement.getNextSibling());
                    } else {
                        secHeader.getSecurityHeaderElement().appendChild(bstElem);
                    }
                } else {
                    sig.prependBSTElementToHeader();
                }
                if (suppTokens.isEncryptedToken()) {
                    WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
                    part.setElement(bstElem);
                    encryptedTokensList.add(part);
                }
            }
            ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
        } else if (token instanceof KeyValueToken) {
            WSSecSignature sig = getSignatureBuilder(token, false, endorse);
            assertPolicy(suppTokens);
            if (suppTokens.isEncryptedToken()) {
                WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
                encryptedTokensList.add(part);
            }
            ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
        } else if (token instanceof SamlToken) {
            SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
            if (assertionWrapper != null) {
                Element envelope = saaj.getSOAPPart().getEnvelope();
                envelope = (Element) DOMUtils.getDomElement(envelope);
                Element assertionElement = assertionWrapper.toDOM(envelope.getOwnerDocument());
                addSupportingElement(assertionElement);
                ret.add(new SupportingToken(token, assertionWrapper, getSignedParts(suppTokens)));
                if (suppTokens.isEncryptedToken()) {
                    WSEncryptionPart part = new WSEncryptionPart(assertionWrapper.getId(), "Element");
                    part.setElement(assertionElement);
                    encryptedTokensList.add(part);
                }
            }
        }
    }
    return ret;
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)

Example 7 with KeyValueToken

use of org.apache.wss4j.policy.model.KeyValueToken in project cxf by apache.

the class StaxTransportBindingHandler method handleEndorsingToken.

private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
    assertToken(token);
    if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
        return;
    }
    if (token instanceof IssuedToken) {
        SecurityToken securityToken = getSecurityToken();
        addIssuedToken(token, securityToken, false, true);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        WSSSecurityProperties properties = getProperties();
        if (securityToken != null && securityToken.getSecret() != null) {
            properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        } else {
            properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
        }
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
        SecurityToken securityToken = getSecurityToken();
        addIssuedToken(token, securityToken, false, true);
        WSSSecurityProperties properties = getProperties();
        if (securityToken != null) {
            storeSecurityToken(token, securityToken);
            // Set up CallbackHandler which wraps the configured Handler
            TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
            properties.setCallbackHandler(callbackHandler);
        }
        doSignature(token, wrapper);
        properties.setIncludeSignatureToken(true);
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof X509Token || token instanceof KeyValueToken) {
        doSignature(token, wrapper);
    } else if (token instanceof SamlToken) {
        addSamlToken((SamlToken) token, false, true);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        WSSSecurityProperties properties = getProperties();
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof UsernameToken) {
        throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
    } else if (token instanceof KerberosToken) {
        WSSSecurityProperties properties = getProperties();
        properties.addAction(XMLSecurityConstants.SIGNATURE);
        configureSignature(token, false);
        addKerberosToken((KerberosToken) token, false, true, false);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    }
}
Also used : WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) SamlToken(org.apache.wss4j.policy.model.SamlToken) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SOAPException(javax.xml.soap.SOAPException) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) TokenStoreCallbackHandler(org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler)

Example 8 with KeyValueToken

use of org.apache.wss4j.policy.model.KeyValueToken in project cxf by apache.

the class TransportBindingHandler method handleEndorsingToken.

private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
    assertToken(token);
    if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
        return;
    }
    if (token instanceof IssuedToken || token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof KerberosToken || token instanceof SpnegoContextToken) {
        addSig(doIssuedTokenSignature(token, wrapper));
    } else if (token instanceof X509Token || token instanceof KeyValueToken) {
        addSig(doX509TokenSignature(token, wrapper));
    } else if (token instanceof SamlToken) {
        SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
        Element envelope = saaj.getSOAPPart().getEnvelope();
        envelope = (Element) DOMUtils.getDomElement(envelope);
        assertionWrapper.toDOM(envelope.getOwnerDocument());
        storeAssertionAsSecurityToken(assertionWrapper);
        addSig(doIssuedTokenSignature(token, wrapper));
    } else if (token instanceof UsernameToken) {
        // Create a UsernameToken object for derived keys and store the security token
        WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken) token, true);
        String id = usernameToken.getId();
        byte[] secret = usernameToken.getDerivedKey();
        Instant created = Instant.now();
        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
        SecurityToken tempTok = new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
        tempTok.setSecret(secret);
        getTokenStore().add(tempTok);
        message.put(SecurityConstants.TOKEN_ID, tempTok.getId());
        addSig(doIssuedTokenSignature(token, wrapper));
    }
}
Also used : SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) Instant(java.time.Instant) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)

Example 9 with KeyValueToken

use of org.apache.wss4j.policy.model.KeyValueToken in project cxf by apache.

the class ConcreteSupportingTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());
        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                continue;
            }
            boolean processingFailed = false;
            if (token instanceof UsernameToken) {
                if (!processUsernameTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof SamlToken) {
                if (!processSAMLTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof KerberosToken) {
                if (!processKerberosTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof X509Token) {
                if (!processX509Tokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof KeyValueToken) {
                if (!processKeyValueTokens(parameters)) {
                    processingFailed = true;
                }
            } else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
                if (!processSCTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof IssuedToken) {
                IssuedToken issuedToken = (IssuedToken) token;
                if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else {
                processingFailed = true;
            }
            if (processingFailed) {
                ai.setNotAsserted("The received token does not match the supporting token requirement");
                continue;
            }
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)

Example 10 with KeyValueToken

use of org.apache.wss4j.policy.model.KeyValueToken in project cxf by apache.

the class EncryptedTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available
    if (isTLSInUse(parameters.getMessage())) {
        AssertionInfo transportAi = PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(), SPConstants.TRANSPORT_BINDING);
        super.setEnforceEncryptedTokens(transportAi == null);
    }
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());
        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                continue;
            }
            boolean processingFailed = false;
            if (token instanceof UsernameToken) {
                if (!processUsernameTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof KerberosToken) {
                if (!processKerberosTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof X509Token) {
                if (!processX509Tokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof KeyValueToken) {
                if (!processKeyValueTokens(parameters)) {
                    processingFailed = true;
                }
            } else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
                if (!processSCTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof SamlToken) {
                if (!processSAMLTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof IssuedToken) {
                IssuedToken issuedToken = (IssuedToken) token;
                if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else {
                processingFailed = true;
            }
            if (processingFailed) {
                ai.setNotAsserted("The received token does not match the encrypted supporting token requirement");
                continue;
            }
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)

Aggregations

KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)13 X509Token (org.apache.wss4j.policy.model.X509Token)13 IssuedToken (org.apache.wss4j.policy.model.IssuedToken)12 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)12 SamlToken (org.apache.wss4j.policy.model.SamlToken)12 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)12 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)12 SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)11 AbstractToken (org.apache.wss4j.policy.model.AbstractToken)9 AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)8 SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)8 DerivedKeys (org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)4 SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)4 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)3 SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)2 WSSecUsernameToken (org.apache.wss4j.dom.message.WSSecUsernameToken)2 Element (org.w3c.dom.Element)2 Instant (java.time.Instant)1 QName (javax.xml.namespace.QName)1 SOAPException (javax.xml.soap.SOAPException)1