Search in sources :

Example 16 with SamlToken

use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.

the class StaxAsymmetricBindingHandler method doSignBeforeEncrypt.

private void doSignBeforeEncrypt() {
    try {
        AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
        if (initiatorWrapper == null) {
            initiatorWrapper = abinding.getInitiatorToken();
        }
        if (initiatorWrapper != null) {
            assertTokenWrapper(initiatorWrapper);
            AbstractToken initiatorToken = initiatorWrapper.getToken();
            if (initiatorToken instanceof IssuedToken) {
                SecurityToken sigTok = getSecurityToken();
                addIssuedToken(initiatorToken, sigTok, false, true);
                if (sigTok != null) {
                    storeSecurityToken(initiatorToken, sigTok);
                    outboundSecurityContext.remove(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
                }
                // Set up CallbackHandler which wraps the configured Handler
                WSSSecurityProperties properties = getProperties();
                TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
                properties.setCallbackHandler(callbackHandler);
            } else if (initiatorToken instanceof SamlToken) {
                addSamlToken((SamlToken) initiatorToken, false, true);
            }
            assertToken(initiatorToken);
        }
        // Add timestamp
        List<SecurePart> sigs = new ArrayList<>();
        if (timestampAdded) {
            SecurePart part = new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
            sigs.add(part);
        }
        sigs.addAll(this.getSignedParts());
        if (isRequestor() && initiatorWrapper != null) {
            doSignature(initiatorWrapper, sigs);
        } else if (!isRequestor()) {
            // confirm sig
            addSignatureConfirmation(sigs);
            AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
            if (recipientSignatureToken == null) {
                recipientSignatureToken = abinding.getRecipientToken();
            }
            if (recipientSignatureToken != null) {
                assertTokenWrapper(recipientSignatureToken);
                assertToken(recipientSignatureToken.getToken());
            }
            if (recipientSignatureToken != null && !sigs.isEmpty()) {
                doSignature(recipientSignatureToken, sigs);
            }
        }
        addSupportingTokens();
        removeSignatureIfSignedSAML();
        prependSignatureToSC();
        List<SecurePart> enc = getEncryptedParts();
        // Check for signature protection
        if (abinding.isEncryptSignature()) {
            SecurePart part = new SecurePart(new QName(XMLSecurityConstants.NS_DSIG, "Signature"), Modifier.Element);
            enc.add(part);
            if (signatureConfirmationAdded) {
                SecurePart securePart = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
                enc.add(securePart);
            }
            assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
        }
        // Do encryption
        AbstractTokenWrapper encToken;
        if (isRequestor()) {
            enc.addAll(encryptedTokensList);
            encToken = abinding.getRecipientEncryptionToken();
            if (encToken == null) {
                encToken = abinding.getRecipientToken();
            }
        } else {
            encToken = abinding.getInitiatorEncryptionToken();
            if (encToken == null) {
                encToken = abinding.getInitiatorToken();
            }
        }
        if (encToken != null) {
            assertTokenWrapper(encToken);
            assertToken(encToken.getToken());
        }
        doEncryption(encToken, enc, false);
        putCustomTokenAfterSignature();
    } catch (Exception e) {
        String reason = e.getMessage();
        LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason);
        throw new Fault(e);
    }
}
Also used : WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) SamlToken(org.apache.wss4j.policy.model.SamlToken) QName(javax.xml.namespace.QName) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) ArrayList(java.util.ArrayList) Fault(org.apache.cxf.interceptor.Fault) SOAPException(javax.xml.soap.SOAPException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) SecurePart(org.apache.xml.security.stax.ext.SecurePart) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) TokenStoreCallbackHandler(org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler) AbstractTokenWrapper(org.apache.wss4j.policy.model.AbstractTokenWrapper)

Example 17 with SamlToken

use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.

the class StaxAsymmetricBindingHandler method doSignature.

private void doSignature(AbstractTokenWrapper wrapper, List<SecurePart> sigParts) throws WSSecurityException, SOAPException {
    // Action
    WSSSecurityProperties properties = getProperties();
    WSSConstants.Action actionToPerform = XMLSecurityConstants.SIGNATURE;
    if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        actionToPerform = WSSConstants.SIGNATURE_WITH_DERIVED_KEY;
    }
    List<WSSConstants.Action> actionList = properties.getActions();
    // Add a Signature directly before Kerberos, otherwise just append it
    boolean actionAdded = false;
    for (int i = 0; i < actionList.size(); i++) {
        WSSConstants.Action action = actionList.get(i);
        if (action.equals(WSSConstants.KERBEROS_TOKEN)) {
            actionList.add(i, actionToPerform);
            actionAdded = true;
            break;
        }
    }
    if (!actionAdded) {
        actionList.add(actionToPerform);
    }
    properties.getSignatureSecureParts().addAll(sigParts);
    AbstractToken sigToken = wrapper.getToken();
    configureSignature(sigToken, false);
    if (abinding.isProtectTokens() && (sigToken instanceof X509Token) && sigToken.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER) {
        SecurePart securePart = new SecurePart(new QName(WSSConstants.NS_WSSE10, "BinarySecurityToken"), Modifier.Element);
        properties.addSignaturePart(securePart);
    } else if (sigToken instanceof IssuedToken || sigToken instanceof SecurityContextToken || sigToken instanceof SecureConversationToken || sigToken instanceof SpnegoContextToken || sigToken instanceof SamlToken) {
        properties.setIncludeSignatureToken(false);
    }
    if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        properties.setSignatureAlgorithm(abinding.getAlgorithmSuite().getSymmetricSignature());
    }
}
Also used : WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) WSSConstants(org.apache.wss4j.stax.ext.WSSConstants) SamlToken(org.apache.wss4j.policy.model.SamlToken) QName(javax.xml.namespace.QName) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SecurePart(org.apache.xml.security.stax.ext.SecurePart) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)

Example 18 with SamlToken

use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.

the class StaxTransportBindingHandler method handleEndorsingToken.

private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
    assertToken(token);
    if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
        return;
    }
    if (token instanceof IssuedToken) {
        SecurityToken securityToken = getSecurityToken();
        addIssuedToken(token, securityToken, false, true);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        WSSSecurityProperties properties = getProperties();
        if (securityToken != null && securityToken.getSecret() != null) {
            properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        } else {
            properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
        }
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
        SecurityToken securityToken = getSecurityToken();
        addIssuedToken(token, securityToken, false, true);
        WSSSecurityProperties properties = getProperties();
        if (securityToken != null) {
            storeSecurityToken(token, securityToken);
            // Set up CallbackHandler which wraps the configured Handler
            TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
            properties.setCallbackHandler(callbackHandler);
        }
        doSignature(token, wrapper);
        properties.setIncludeSignatureToken(true);
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof X509Token || token instanceof KeyValueToken) {
        doSignature(token, wrapper);
    } else if (token instanceof SamlToken) {
        addSamlToken((SamlToken) token, false, true);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        WSSSecurityProperties properties = getProperties();
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    } else if (token instanceof UsernameToken) {
        throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
    } else if (token instanceof KerberosToken) {
        WSSSecurityProperties properties = getProperties();
        properties.addAction(XMLSecurityConstants.SIGNATURE);
        configureSignature(token, false);
        addKerberosToken((KerberosToken) token, false, true, false);
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
        properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
        properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
        AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setSignatureDigestAlgorithm(algType.getDigest());
    }
}
Also used : WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) SamlToken(org.apache.wss4j.policy.model.SamlToken) AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SOAPException(javax.xml.soap.SOAPException) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) TokenStoreCallbackHandler(org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler)

Example 19 with SamlToken

use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.

the class TransportBindingHandler method handleEndorsingToken.

private void handleEndorsingToken(AbstractToken token, SupportingTokens wrapper) throws Exception {
    assertToken(token);
    if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
        return;
    }
    if (token instanceof IssuedToken || token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof KerberosToken || token instanceof SpnegoContextToken) {
        addSig(doIssuedTokenSignature(token, wrapper));
    } else if (token instanceof X509Token || token instanceof KeyValueToken) {
        addSig(doX509TokenSignature(token, wrapper));
    } else if (token instanceof SamlToken) {
        SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
        Element envelope = saaj.getSOAPPart().getEnvelope();
        envelope = (Element) DOMUtils.getDomElement(envelope);
        assertionWrapper.toDOM(envelope.getOwnerDocument());
        storeAssertionAsSecurityToken(assertionWrapper);
        addSig(doIssuedTokenSignature(token, wrapper));
    } else if (token instanceof UsernameToken) {
        // Create a UsernameToken object for derived keys and store the security token
        WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken) token, true);
        String id = usernameToken.getId();
        byte[] secret = usernameToken.getDerivedKey();
        Instant created = Instant.now();
        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
        SecurityToken tempTok = new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
        tempTok.setSecret(secret);
        getTokenStore().add(tempTok);
        message.put(SecurityConstants.TOKEN_ID, tempTok.getId());
        addSig(doIssuedTokenSignature(token, wrapper));
    }
}
Also used : SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) Instant(java.time.Instant) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)

Example 20 with SamlToken

use of org.apache.wss4j.policy.model.SamlToken in project cxf by apache.

the class TransportBindingHandler method addSignedSupportingTokens.

private void addSignedSupportingTokens(SupportingTokens sgndSuppTokens) throws Exception {
    for (AbstractToken token : sgndSuppTokens.getTokens()) {
        assertToken(token);
        if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
            continue;
        }
        if (token instanceof UsernameToken) {
            WSSecUsernameToken utBuilder = addUsernameToken((UsernameToken) token);
            if (utBuilder != null) {
                utBuilder.prepare();
                utBuilder.appendToHeader();
            }
        } else if (token instanceof IssuedToken || token instanceof KerberosToken || token instanceof SpnegoContextToken) {
            SecurityToken secTok = getSecurityToken();
            if (isTokenRequired(token.getIncludeTokenType())) {
                // Add the token
                addEncryptedKeyElement(cloneElement(secTok.getToken()));
            }
        } else if (token instanceof SamlToken) {
            SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
            if (assertionWrapper != null) {
                Element envelope = saaj.getSOAPPart().getEnvelope();
                envelope = (Element) DOMUtils.getDomElement(envelope);
                addSupportingElement(assertionWrapper.toDOM(envelope.getOwnerDocument()));
            }
        } else {
        // REVISIT - not supported for signed.  Exception?
        }
    }
}
Also used : SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)

Aggregations

SamlToken (org.apache.wss4j.policy.model.SamlToken)25 IssuedToken (org.apache.wss4j.policy.model.IssuedToken)20 AbstractToken (org.apache.wss4j.policy.model.AbstractToken)17 X509Token (org.apache.wss4j.policy.model.X509Token)14 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)13 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)13 SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)13 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)13 AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)12 KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)12 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)10 Element (org.w3c.dom.Element)10 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)9 SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)9 SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)8 QName (javax.xml.namespace.QName)7 SOAPException (javax.xml.soap.SOAPException)6 Fault (org.apache.cxf.interceptor.Fault)6 SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)5 ArrayList (java.util.ArrayList)4