Example 6 with SamlToken
use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.
the class EndorsingTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
DerivedKeys derivedKeys = token.getDerivedKeys();
boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
if (!processSCTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the endorsing supporting token requirement");
continue;
}
if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)
Example 7 with SamlToken
use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.
the class SamlTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SamlToken samlToken = (SamlToken) ai.getAssertion();
ai.setAsserted(true);
assertToken(samlToken, parameters.getAssertionInfoMap());
if (!isTokenRequired(samlToken, parameters.getMessage())) {
PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), new QName(samlToken.getVersion().getNamespace(), samlToken.getSamlTokenType().name()));
continue;
}
if (parameters.getSamlResults().isEmpty()) {
ai.setNotAsserted("The received token does not match the token inclusion requirement");
continue;
}
// All of the received SAML Assertions must conform to the policy
for (WSSecurityEngineResult result : parameters.getSamlResults()) {
SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
if (!checkVersion(parameters.getAssertionInfoMap(), samlToken, assertionWrapper)) {
ai.setNotAsserted("Wrong SAML Version");
continue;
}
TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
Certificate[] tlsCerts = null;
if (tlsInfo != null) {
tlsCerts = tlsInfo.getPeerCertificates();
}
if (!checkHolderOfKey(assertionWrapper, parameters.getSignedResults(), tlsCerts)) {
ai.setNotAsserted("Assertion fails holder-of-key requirements");
continue;
}
if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, parameters.getSoapBody(), parameters.getSignedResults())) {
ai.setNotAsserted("Assertion fails sender-vouches requirements");
continue;
}
/*
if (!checkIssuerName(samlToken, assertionWrapper)) {
ai.setNotAsserted("Wrong IssuerName");
}
*/
}
}
}
Also used :
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
QName(javax.xml.namespace.QName)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
TLSSessionInfo(org.apache.cxf.security.transport.TLSSessionInfo)
WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult)
Certificate(java.security.cert.Certificate)
Example 8 with SamlToken
use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.
the class SignedEndorsingTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
DerivedKeys derivedKeys = token.getDerivedKeys();
boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
if (!processSCTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the signed endorsing supporting token requirement");
continue;
}
if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)
Example 9 with SamlToken
use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.
the class SignedTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
continue;
}
boolean processingFailed = false;
if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken) {
if (!processSCTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the signed supporting token requirement");
continue;
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
Example 10 with SamlToken
use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.
the class SamlTokenInterceptor method addToken.
protected void addToken(SoapMessage message) {
WSSConfig.init();
SamlToken tok = (SamlToken) assertTokens(message);
Header h = findSecurityHeader(message, true);
try {
SamlAssertionWrapper wrapper = addSamlToken(tok, message);
if (wrapper == null) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
for (AssertionInfo ai : ais) {
if (ai.isAsserted()) {
ai.setAsserted(false);
}
}
return;
}
Element el = (Element) h.getObject();
el = (Element) DOMUtils.getDomElement(el);
el.appendChild(wrapper.toDOM(el.getOwnerDocument()));
} catch (WSSecurityException ex) {
policyNotAsserted(tok, ex.getMessage(), message);
}
}
Also used :
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
Header(org.apache.cxf.headers.Header)
Element(org.w3c.dom.Element)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)
Aggregations
SamlToken (org.apache.wss4j.policy.model.SamlToken)25
IssuedToken (org.apache.wss4j.policy.model.IssuedToken)20
AbstractToken (org.apache.wss4j.policy.model.AbstractToken)17
X509Token (org.apache.wss4j.policy.model.X509Token)14
KerberosToken (org.apache.wss4j.policy.model.KerberosToken)13
SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)13
SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)13
UsernameToken (org.apache.wss4j.policy.model.UsernameToken)13
AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)12
KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)12
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)10
Element (org.w3c.dom.Element)10
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)9
SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)9
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)8
QName (javax.xml.namespace.QName)7
SOAPException (javax.xml.soap.SOAPException)6
Fault (org.apache.cxf.interceptor.Fault)6
SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)5
ArrayList (java.util.ArrayList)4
