Example 1 with ProtectionToken
use of org.apache.wss4j.policy.model.ProtectionToken in project cxf by apache.
the class WSSCUnitTest method createSymmetricBindingPolicy.
// mock up a SymmetricBinding policy to talk to the STS
private Policy createSymmetricBindingPolicy() {
// Add Addressing policy
Policy p = new Policy();
ExactlyOne ea = new ExactlyOne();
p.addPolicyComponent(ea);
All all = new All();
all.addPolicyComponent(new PrimitiveAssertion(MetadataConstants.USING_ADDRESSING_2006_QNAME, false));
ea.addPolicyComponent(all);
// X509 Token
final X509Token x509Token = new X509Token(SPConstants.SPVersion.SP12, SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER, null, null, null, new Policy());
Policy x509Policy = new Policy();
ExactlyOne x509PolicyEa = new ExactlyOne();
x509Policy.addPolicyComponent(x509PolicyEa);
All x509PolicyAll = new All();
x509PolicyAll.addPolicyComponent(x509Token);
x509PolicyEa.addPolicyComponent(x509PolicyAll);
// AlgorithmSuite
Policy algSuitePolicy = new Policy();
ExactlyOne algSuitePolicyEa = new ExactlyOne();
algSuitePolicy.addPolicyComponent(algSuitePolicyEa);
All algSuitePolicyAll = new All();
algSuitePolicyAll.addAssertion(new PrimitiveAssertion(new QName(SP12Constants.SP_NS, SPConstants.ALGO_SUITE_BASIC128)));
algSuitePolicyEa.addPolicyComponent(algSuitePolicyAll);
AlgorithmSuite algorithmSuite = new AlgorithmSuite(SPConstants.SPVersion.SP12, algSuitePolicy);
// Symmetric Binding
Policy bindingPolicy = new Policy();
ExactlyOne bindingPolicyEa = new ExactlyOne();
bindingPolicy.addPolicyComponent(bindingPolicyEa);
All bindingPolicyAll = new All();
bindingPolicyAll.addPolicyComponent(new ProtectionToken(SPConstants.SPVersion.SP12, x509Policy));
bindingPolicyAll.addPolicyComponent(algorithmSuite);
bindingPolicyAll.addAssertion(new PrimitiveAssertion(SP12Constants.INCLUDE_TIMESTAMP));
bindingPolicyAll.addAssertion(new PrimitiveAssertion(SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
bindingPolicyEa.addPolicyComponent(bindingPolicyAll);
DefaultSymmetricBinding binding = new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, bindingPolicy);
binding.setOnlySignEntireHeadersAndBody(true);
binding.setProtectTokens(false);
all.addPolicyComponent(binding);
List<Header> headers = new ArrayList<>();
SignedParts signedParts = new SignedParts(SPConstants.SPVersion.SP12, true, null, headers, false);
all.addPolicyComponent(signedParts);
return p;
}
Also used :
Policy(org.apache.neethi.Policy)
All(org.apache.neethi.All)
PrimitiveAssertion(org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion)
QName(javax.xml.namespace.QName)
ArrayList(java.util.ArrayList)
DefaultSymmetricBinding(org.apache.cxf.ws.security.trust.DefaultSymmetricBinding)
ExactlyOne(org.apache.neethi.ExactlyOne)
AlgorithmSuite(org.apache.wss4j.policy.model.AlgorithmSuite)
X509Token(org.apache.wss4j.policy.model.X509Token)
Header(org.apache.wss4j.policy.model.Header)
SignedParts(org.apache.wss4j.policy.model.SignedParts)
ProtectionToken(org.apache.wss4j.policy.model.ProtectionToken)
Example 2 with ProtectionToken
use of org.apache.wss4j.policy.model.ProtectionToken in project cxf by apache.
the class SecureConversationInInterceptor method handleMessageForAction.
void handleMessageForAction(SoapMessage message, String s, AssertionInfoMap aim, Collection<AssertionInfo> ais) {
String addNs = null;
AddressingProperties inProps = (AddressingProperties) message.getContextualProperty(JAXWSAConstants.ADDRESSING_PROPERTIES_INBOUND);
if (inProps != null) {
addNs = inProps.getNamespaceURI();
if (s == null) {
// MS/WCF doesn't put a soap action out for this, must check the headers
s = inProps.getAction().getValue();
}
}
if (s != null && s.contains("/RST/SCT") && (s.startsWith(STSUtils.WST_NS_05_02) || s.startsWith(STSUtils.WST_NS_05_12))) {
SecureConversationToken tok = (SecureConversationToken) ais.iterator().next().getAssertion();
Policy pol = tok.getBootstrapPolicy().getPolicy();
if (s.endsWith("Cancel")) {
// Cancel just sign with the token
Policy p = new Policy();
ExactlyOne ea = new ExactlyOne();
p.addPolicyComponent(ea);
All all = new All();
Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
all.addPolicyComponent(ass);
ea.addPolicyComponent(all);
final SecureConversationToken secureConversationToken = new SecureConversationToken(SPConstants.SPVersion.SP12, SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER, null, null, null, new Policy());
Policy sctPolicy = new Policy();
ExactlyOne sctPolicyEa = new ExactlyOne();
sctPolicy.addPolicyComponent(sctPolicyEa);
All sctPolicyAll = new All();
sctPolicyAll.addPolicyComponent(secureConversationToken);
sctPolicyEa.addPolicyComponent(sctPolicyAll);
Policy bindingPolicy = new Policy();
ExactlyOne bindingPolicyEa = new ExactlyOne();
bindingPolicy.addPolicyComponent(bindingPolicyEa);
All bindingPolicyAll = new All();
AbstractBinding origBinding = PolicyUtils.getSecurityBinding(aim);
bindingPolicyAll.addPolicyComponent(origBinding.getAlgorithmSuite());
bindingPolicyAll.addPolicyComponent(new ProtectionToken(SPConstants.SPVersion.SP12, sctPolicy));
bindingPolicyAll.addAssertion(new PrimitiveAssertion(SP12Constants.INCLUDE_TIMESTAMP));
bindingPolicyAll.addAssertion(new PrimitiveAssertion(SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
bindingPolicyEa.addPolicyComponent(bindingPolicyAll);
DefaultSymmetricBinding binding = new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, bindingPolicy);
binding.setOnlySignEntireHeadersAndBody(true);
binding.setProtectTokens(false);
all.addPolicyComponent(binding);
SignedParts signedParts = getSignedParts(aim, addNs);
all.addPolicyComponent(signedParts);
pol = p;
message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
} else {
Policy p = new Policy();
ExactlyOne ea = new ExactlyOne();
p.addPolicyComponent(ea);
All all = new All();
Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
all.addPolicyComponent(ass);
ea.addPolicyComponent(all);
pol = p.merge(pol);
}
// setup SCT endpoint and forward to it.
unmapSecurityProps(message);
String ns = STSUtils.WST_NS_05_12;
if (s.startsWith(STSUtils.WST_NS_05_02)) {
ns = STSUtils.WST_NS_05_02;
}
NegotiationUtils.recalcEffectivePolicy(message, ns, pol, new SecureConversationSTSInvoker(), true);
// recalc based on new endpoint
SoapActionInInterceptor.getAndSetOperation(message, s);
} else {
message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
}
assertPolicies(aim);
}
Also used :
Policy(org.apache.neethi.Policy)
All(org.apache.neethi.All)
PrimitiveAssertion(org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion)
Assertion(org.apache.neethi.Assertion)
PrimitiveAssertion(org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion)
DefaultSymmetricBinding(org.apache.cxf.ws.security.trust.DefaultSymmetricBinding)
AbstractBinding(org.apache.wss4j.policy.model.AbstractBinding)
ExactlyOne(org.apache.neethi.ExactlyOne)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
AddressingProperties(org.apache.cxf.ws.addressing.AddressingProperties)
SignedParts(org.apache.wss4j.policy.model.SignedParts)
ProtectionToken(org.apache.wss4j.policy.model.ProtectionToken)
Example 3 with ProtectionToken
use of org.apache.wss4j.policy.model.ProtectionToken in project cxf by apache.
the class AbstractSTSClient method cancel.
/**
* Make an "Cancel" invocation and return the response as a STSResponse Object
*/
protected STSResponse cancel(SecurityToken token) throws Exception {
createClient();
client.getRequestContext().clear();
client.getRequestContext().putAll(ctx);
client.getRequestContext().put(SecurityConstants.TOKEN, token);
BindingOperationInfo boi = findOperation("/RST/Cancel");
boolean attachTokenDirectly = true;
if (boi == null) {
attachTokenDirectly = false;
boi = findOperation("/RST/Issue");
Policy cancelPolicy = new Policy();
ExactlyOne one = new ExactlyOne();
cancelPolicy.addPolicyComponent(one);
All all = new All();
one.addPolicyComponent(all);
all.addAssertion(getAddressingAssertion());
final SecureConversationToken secureConversationToken = new SecureConversationToken(SPConstants.SPVersion.SP12, SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT, null, null, null, null);
secureConversationToken.setOptional(true);
class InternalProtectionToken extends ProtectionToken {
InternalProtectionToken(SPVersion version, Policy nestedPolicy) {
super(version, nestedPolicy);
super.setToken(secureConversationToken);
}
}
DefaultSymmetricBinding binding = new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, new Policy());
all.addAssertion(binding);
all.addAssertion(getAddressingAssertion());
binding.setProtectionToken(new InternalProtectionToken(SPConstants.SPVersion.SP12, new Policy()));
binding.setIncludeTimestamp(true);
binding.setOnlySignEntireHeadersAndBody(true);
binding.setProtectTokens(false);
String addrNamespace = addressingNamespace;
if (addrNamespace == null) {
addrNamespace = "http://www.w3.org/2005/08/addressing";
}
List<Header> headers = new ArrayList<>();
headers.add(new Header("To", addrNamespace));
headers.add(new Header("From", addrNamespace));
headers.add(new Header("FaultTo", addrNamespace));
headers.add(new Header("ReplyTo", addrNamespace));
headers.add(new Header("Action", addrNamespace));
headers.add(new Header("MessageID", addrNamespace));
headers.add(new Header("RelatesTo", addrNamespace));
SignedParts parts = new SignedParts(SPConstants.SPVersion.SP12, true, null, headers, false);
parts.setOptional(true);
all.addPolicyComponent(parts);
client.getRequestContext().put(PolicyConstants.POLICY_OVERRIDE, cancelPolicy);
}
if (isSecureConv) {
client.getRequestContext().put(SoapBindingConstants.SOAP_ACTION, namespace + "/RST/SCT/Cancel");
} else {
client.getRequestContext().put(SoapBindingConstants.SOAP_ACTION, namespace + "/RST/Cancel");
}
W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
writer.writeStartElement("wst", "RequestSecurityToken", namespace);
writer.writeNamespace("wst", namespace);
writer.writeStartElement("wst", "RequestType", namespace);
writer.writeCharacters(namespace + "/Cancel");
writer.writeEndElement();
writer.writeStartElement("wst", "CancelTarget", namespace);
Element el = null;
if (attachTokenDirectly) {
el = token.getToken();
} else {
el = token.getUnattachedReference();
if (el == null) {
el = token.getAttachedReference();
}
}
StaxUtils.copy(el, writer);
writer.writeEndElement();
writer.writeEndElement();
Object[] obj = client.invoke(boi, new DOMSource(writer.getDocument().getDocumentElement()));
return new STSResponse((DOMSource) obj[0], null);
}
Also used :
Policy(org.apache.neethi.Policy)
EffectivePolicy(org.apache.cxf.ws.policy.EffectivePolicy)
All(org.apache.neethi.All)
SPVersion(org.apache.wss4j.policy.SPConstants.SPVersion)
W3CDOMStreamWriter(org.apache.cxf.staxutils.W3CDOMStreamWriter)
BindingOperationInfo(org.apache.cxf.service.model.BindingOperationInfo)
DOMSource(javax.xml.transform.dom.DOMSource)
ExtensibilityElement(javax.wsdl.extensions.ExtensibilityElement)
Element(org.w3c.dom.Element)
ArrayList(java.util.ArrayList)
ModCountCopyOnWriteArrayList(org.apache.cxf.common.util.ModCountCopyOnWriteArrayList)
ExactlyOne(org.apache.neethi.ExactlyOne)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
Header(org.apache.wss4j.policy.model.Header)
SignedParts(org.apache.wss4j.policy.model.SignedParts)
ProtectionToken(org.apache.wss4j.policy.model.ProtectionToken)
Example 4 with ProtectionToken
use of org.apache.wss4j.policy.model.ProtectionToken in project cxf by apache.
the class AbstractBindingPolicyValidator method checkDerivedKeys.
/**
* Check the derived key requirement.
*/
protected boolean checkDerivedKeys(AbstractTokenWrapper tokenWrapper, boolean hasDerivedKeys, List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults) {
AbstractToken token = tokenWrapper.getToken();
boolean isDerivedKeys = token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys;
// If derived keys are not required then just return
if (!(token instanceof X509Token && isDerivedKeys)) {
return true;
}
if (tokenWrapper instanceof EncryptionToken && !hasDerivedKeys && !encryptedResults.isEmpty()) {
return false;
} else if (tokenWrapper instanceof SignatureToken && !hasDerivedKeys && !signedResults.isEmpty()) {
return false;
} else if (tokenWrapper instanceof ProtectionToken && !hasDerivedKeys && !(signedResults.isEmpty() || encryptedResults.isEmpty())) {
return false;
}
return true;
}
Also used :
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SignatureToken(org.apache.wss4j.policy.model.SignatureToken)
EncryptionToken(org.apache.wss4j.policy.model.EncryptionToken)
ProtectionToken(org.apache.wss4j.policy.model.ProtectionToken)
Aggregations
ProtectionToken (org.apache.wss4j.policy.model.ProtectionToken)4
All (org.apache.neethi.All)3
ExactlyOne (org.apache.neethi.ExactlyOne)3
Policy (org.apache.neethi.Policy)3
SignedParts (org.apache.wss4j.policy.model.SignedParts)3
ArrayList (java.util.ArrayList)2
PrimitiveAssertion (org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion)2
DefaultSymmetricBinding (org.apache.cxf.ws.security.trust.DefaultSymmetricBinding)2
Header (org.apache.wss4j.policy.model.Header)2
SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)2
X509Token (org.apache.wss4j.policy.model.X509Token)2
ExtensibilityElement (javax.wsdl.extensions.ExtensibilityElement)1
QName (javax.xml.namespace.QName)1
DOMSource (javax.xml.transform.dom.DOMSource)1
ModCountCopyOnWriteArrayList (org.apache.cxf.common.util.ModCountCopyOnWriteArrayList)1
BindingOperationInfo (org.apache.cxf.service.model.BindingOperationInfo)1
W3CDOMStreamWriter (org.apache.cxf.staxutils.W3CDOMStreamWriter)1
AddressingProperties (org.apache.cxf.ws.addressing.AddressingProperties)1
EffectivePolicy (org.apache.cxf.ws.policy.EffectivePolicy)1
Assertion (org.apache.neethi.Assertion)1
