
Example 1 with SignedParts

Use of org.apache.wss4j.policy.model.SignedParts in the Apache CXF project.

Class AbstractBindingBuilder, method getSignedParts (DOM-based WS-SecurityPolicy binding: selects the message parts the signature must cover).

/**
 * Collects the message parts that the signature must cover.
 * <p>
 * For an endorsing supporting token the SignedParts/SignedElements nested in
 * that token are used and also recorded in {@code suppTokenParts}, so the main
 * binding signature leaves them to the endorsing signature. Otherwise the
 * top-level SignedParts/SignedElements assertions are used, skipping any that
 * a supporting token already claimed; every such assertion is marked asserted.
 *
 * @param supportingToken the supporting token being processed, or {@code null}
 *        when computing the parts for the main binding signature
 * @return the parts to sign, or an empty list when the policy requests none
 * @throws SOAPException propagated from {@code getPartsAndElements}
 */
public List<WSEncryptionPart> getSignedParts(SupportingTokens supportingToken) throws SOAPException {
    SignedParts selectedParts = null;
    SignedElements selectedElements = null;
    boolean endorsing = supportingToken != null && supportingToken.isEndorsing();
    if (endorsing) {
        selectedParts = supportingToken.getSignedParts();
        selectedElements = supportingToken.getSignedElements();
        // Record them so that the main signature does not sign them as well.
        if (selectedParts != null) {
            suppTokenParts.add(selectedParts);
            this.assertPolicy(selectedParts.getName());
        }
        if (selectedElements != null) {
            suppTokenParts.add(selectedElements);
            this.assertPolicy(selectedElements.getName());
        }
    } else {
        // All matching assertions are marked asserted; of those not owned by a
        // supporting token, the last one seen is the one used.
        for (AssertionInfo ai : getAllAssertionsByLocalname(SPConstants.SIGNED_PARTS)) {
            SignedParts candidate = (SignedParts) ai.getAssertion();
            ai.setAsserted(true);
            if (!suppTokenParts.contains(candidate)) {
                selectedParts = candidate;
            }
        }
        for (AssertionInfo ai : getAllAssertionsByLocalname(SPConstants.SIGNED_ELEMENTS)) {
            SignedElements candidate = (SignedElements) ai.getAssertion();
            ai.setAsserted(true);
            if (!suppTokenParts.contains(candidate)) {
                selectedElements = candidate;
            }
        }
    }
    if (selectedParts == null && selectedElements == null) {
        return new ArrayList<>();
    }

    boolean signBody = false;
    List<WSEncryptionPart> result = new ArrayList<>();
    if (selectedParts != null) {
        signBody = selectedParts.isBody();
        for (Header header : selectedParts.getHeaders()) {
            // NOTE(review): a header with no local name is passed through as-is here,
            // whereas the StAX counterpart maps it to "*" — confirm getPartsAndElements
            // copes with a null name.
            result.add(new WSEncryptionPart(header.getName(), header.getNamespace(), "Header"));
        }
        Attachments attachments = selectedParts.getAttachments();
        if (attachments != null) {
            // Content transform: only the attachment content is signed; otherwise the whole part.
            String modifier = attachments.isContentSignatureTransform() ? "Content" : "Element";
            result.add(new WSEncryptionPart("cid:Attachments", modifier));
        }
    }
    return getPartsAndElements(true, signBody, result,
                               selectedElements == null ? null : selectedElements.getXPaths(), null);
}

Example 2 with SignedParts

Use of org.apache.wss4j.policy.model.SignedParts in the Apache CXF project.

Class AbstractStaxBindingHandler, method getSignedParts (StAX-based WS-SecurityPolicy binding: the same selection, expressed as xmlsec SecurePart objects).

/**
 * Identifies the portions of the message to be signed.
 * <p>
 * Reads the first SignedParts and SignedElements assertions from the message's
 * {@link AssertionInfoMap} and marks them asserted. Headers and attachments are
 * added as non-required parts (their absence is not an error); the Body, when
 * requested, is a required part.
 *
 * @return the SecureParts to sign, empty when the policy requests none
 * @throws SOAPException declared for subclasses/callers; not raised here directly
 */
protected List<SecurePart> getSignedParts() throws SOAPException {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);

    // Resolve both assertions first so they are marked asserted regardless of
    // what the part-building below does.
    SignedParts parts = null;
    AssertionInfo partsInfo = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SIGNED_PARTS);
    if (partsInfo != null) {
        parts = (SignedParts) partsInfo.getAssertion();
        partsInfo.setAsserted(true);
    }
    SignedElements elements = null;
    AssertionInfo elementsInfo = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
    if (elementsInfo != null) {
        elements = (SignedElements) elementsInfo.getAssertion();
        elementsInfo.setAsserted(true);
    }

    List<SecurePart> result = new ArrayList<>();
    if (parts != null) {
        if (parts.isBody()) {
            // NOTE(review): the SOAP 1.2 Body QName is used unconditionally; presumably
            // the StAX layer treats it as "the Body" for either SOAP version — confirm.
            result.add(new SecurePart(new QName(WSSConstants.NS_SOAP12, "Body"), Modifier.Element));
        }
        for (Header header : parts.getHeaders()) {
            String local = header.getName();
            // A header with no local name matches any header in that namespace.
            QName headerName = new QName(header.getNamespace(), local == null ? "*" : local);
            SecurePart headerPart = new SecurePart(headerName, Modifier.Element);
            headerPart.setRequired(false);
            result.add(headerPart);
        }
        Attachments attachments = parts.getAttachments();
        if (attachments != null) {
            // Content transform: only the attachment content is signed; otherwise the whole part.
            Modifier modifier = attachments.isContentSignatureTransform() ? Modifier.Content : Modifier.Element;
            SecurePart attachmentPart = new SecurePart("cid:Attachments", modifier);
            attachmentPart.setRequired(false);
            result.add(attachmentPart);
        }
    }
    if (elements != null) {
        List<XPath> xpaths = elements.getXPaths();
        if (xpaths != null) {
            for (XPath xPath : xpaths) {
                List<QName> path = org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
                if (path.isEmpty()) {
                    continue;
                }
                // Only the final step of the XPath is kept: the part is matched by QName,
                // not by its position in the document.
                result.add(new SecurePart(path.get(path.size() - 1), Modifier.Element));
            }
        }
    }
    return result;
}

Example 3 with SignedParts

Use of org.apache.wss4j.policy.model.SignedParts in the Apache CXF project.

Class AbstractSTSClient, method cancel (builds an ad-hoc symmetric-binding policy, including a SignedParts assertion for the WS-Addressing headers, when the STS has no dedicated Cancel operation).

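/**
 * Make a "Cancel" invocation and return the response as a STSResponse Object.
 * <p>
 * If the STS WSDL exposes a {@code /RST/Cancel} operation the token element
 * itself is placed in {@code wst:CancelTarget}. Otherwise the
 * {@code /RST/Issue} operation is reused under an overriding policy (see
 * {@link #createCancelPolicy()}) and the token is referred to by its
 * unattached reference, falling back to the attached reference.
 *
 * @param token the token to cancel
 * @return the STS response wrapping the first returned DOMSource
 * @throws Exception from client creation or invocation
 * @throws IllegalStateException when neither a token element nor a reference
 *         is available to place in CancelTarget
 */
protected STSResponse cancel(SecurityToken token) throws Exception {
    createClient();
    client.getRequestContext().clear();
    client.getRequestContext().putAll(ctx);
    client.getRequestContext().put(SecurityConstants.TOKEN, token);
    BindingOperationInfo boi = findOperation("/RST/Cancel");
    boolean attachTokenDirectly = true;
    if (boi == null) {
        attachTokenDirectly = false;
        boi = findOperation("/RST/Issue");
        client.getRequestContext().put(PolicyConstants.POLICY_OVERRIDE, createCancelPolicy());
    }
    if (isSecureConv) {
        client.getRequestContext().put(SoapBindingConstants.SOAP_ACTION, namespace + "/RST/SCT/Cancel");
    } else {
        client.getRequestContext().put(SoapBindingConstants.SOAP_ACTION, namespace + "/RST/Cancel");
    }

    Element cancelTarget;
    if (attachTokenDirectly) {
        cancelTarget = token.getToken();
    } else {
        cancelTarget = token.getUnattachedReference();
        if (cancelTarget == null) {
            cancelTarget = token.getAttachedReference();
        }
    }
    if (cancelTarget == null) {
        // Fail with a clear message instead of letting StaxUtils.copy trip on a null element.
        throw new IllegalStateException("SecurityToken has no element or reference to place in CancelTarget");
    }

    W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
    writer.writeStartElement("wst", "RequestSecurityToken", namespace);
    writer.writeNamespace("wst", namespace);
    writer.writeStartElement("wst", "RequestType", namespace);
    writer.writeCharacters(namespace + "/Cancel");
    writer.writeEndElement();
    writer.writeStartElement("wst", "CancelTarget", namespace);
    StaxUtils.copy(cancelTarget, writer);
    writer.writeEndElement();
    writer.writeEndElement();
    Object[] obj = client.invoke(boi, new DOMSource(writer.getDocument().getDocumentElement()));
    return new STSResponse((DOMSource) obj[0], null);
}

/**
 * Builds the policy used to override the Issue operation's policy when the
 * STS has no Cancel operation: WS-Addressing, a symmetric binding protected by
 * an (optional) SecureConversation token with a timestamp and entire
 * headers/body signed, and an optional SignedParts covering the Body and the
 * WS-Addressing headers.
 * <p>
 * Note that both the SecureConversation token and the SignedParts assertion
 * are marked optional, so a message that carries no signature still satisfies
 * this policy.
 *
 * @return the override policy
 */
private Policy createCancelPolicy() {
    Policy cancelPolicy = new Policy();
    ExactlyOne one = new ExactlyOne();
    cancelPolicy.addPolicyComponent(one);
    All all = new All();
    one.addPolicyComponent(all);
    all.addAssertion(getAddressingAssertion());

    final SecureConversationToken secureConversationToken = new SecureConversationToken(
        SPConstants.SPVersion.SP12, SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT,
        null, null, null, null);
    secureConversationToken.setOptional(true);
    class InternalProtectionToken extends ProtectionToken {

        InternalProtectionToken(SPVersion version, Policy nestedPolicy) {
            super(version, nestedPolicy);
            super.setToken(secureConversationToken);
        }
    }

    DefaultSymmetricBinding binding = new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, new Policy());
    all.addAssertion(binding);
    // NOTE(review): the addressing assertion is added a second time here; kept as-is
    // because the effect of the duplicate on policy evaluation has not been verified.
    all.addAssertion(getAddressingAssertion());
    binding.setProtectionToken(new InternalProtectionToken(SPConstants.SPVersion.SP12, new Policy()));
    binding.setIncludeTimestamp(true);
    binding.setOnlySignEntireHeadersAndBody(true);
    binding.setProtectTokens(false);

    String addrNamespace = addressingNamespace;
    if (addrNamespace == null) {
        addrNamespace = "http://www.w3.org/2005/08/addressing";
    }
    List<Header> headers = new ArrayList<>();
    headers.add(new Header("To", addrNamespace));
    headers.add(new Header("From", addrNamespace));
    headers.add(new Header("FaultTo", addrNamespace));
    headers.add(new Header("ReplyTo", addrNamespace));
    headers.add(new Header("Action", addrNamespace));
    headers.add(new Header("MessageID", addrNamespace));
    headers.add(new Header("RelatesTo", addrNamespace));
    // Body signed (second argument), no attachments (last argument).
    SignedParts parts = new SignedParts(SPConstants.SPVersion.SP12, true, null, headers, false);
    parts.setOptional(true);
    all.addPolicyComponent(parts);
    return cancelPolicy;
}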

Example 4 with SignedParts

Use of org.apache.wss4j.policy.model.SignedParts in the Apache CXF project.

Class WSSCUnitTest, method createSymmetricBindingPolicy (test helper that mocks up a SymmetricBinding policy, with a SignedParts assertion covering only the Body, for talking to the STS).

/**
 * Mocks up a SymmetricBinding policy for talking to the STS in this test.
 * <p>
 * The single policy alternative contains: a (non-optional) UsingAddressing
 * assertion; a SymmetricBinding whose protection token is an X509 token that is
 * never included in the message, with the Basic128 algorithm suite, a
 * timestamp and only entire headers/body signed; and a SignedParts assertion
 * that covers the Body and no headers or attachments.
 *
 * @return the assembled policy
 */
private Policy createSymmetricBindingPolicy() {
    // Top-level policy with one alternative, starting with addressing.
    Policy policy = new Policy();
    ExactlyOne alternatives = new ExactlyOne();
    policy.addPolicyComponent(alternatives);
    All alternative = new All();
    alternative.addPolicyComponent(new PrimitiveAssertion(MetadataConstants.USING_ADDRESSING_2006_QNAME, false));
    alternatives.addPolicyComponent(alternative);

    // Nested policy wrapping the X509 token used as the protection token.
    final X509Token x509Token = new X509Token(SPConstants.SPVersion.SP12,
                                              SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER,
                                              null, null, null, new Policy());
    Policy tokenPolicy = new Policy();
    ExactlyOne tokenAlternatives = new ExactlyOne();
    All tokenAlternative = new All();
    tokenPolicy.addPolicyComponent(tokenAlternatives);
    tokenAlternative.addPolicyComponent(x509Token);
    tokenAlternatives.addPolicyComponent(tokenAlternative);

    // Nested policy wrapping the Basic128 algorithm suite.
    Policy suitePolicy = new Policy();
    ExactlyOne suiteAlternatives = new ExactlyOne();
    All suiteAlternative = new All();
    suitePolicy.addPolicyComponent(suiteAlternatives);
    suiteAlternative.addAssertion(new PrimitiveAssertion(new QName(SP12Constants.SP_NS, SPConstants.ALGO_SUITE_BASIC128)));
    suiteAlternatives.addPolicyComponent(suiteAlternative);
    AlgorithmSuite algorithmSuite = new AlgorithmSuite(SPConstants.SPVersion.SP12, suitePolicy);

    // The symmetric binding itself: protection token, suite, timestamp, sign-entire-headers-and-body.
    Policy bindingPolicy = new Policy();
    ExactlyOne bindingAlternatives = new ExactlyOne();
    All bindingAlternative = new All();
    bindingPolicy.addPolicyComponent(bindingAlternatives);
    bindingAlternative.addPolicyComponent(new ProtectionToken(SPConstants.SPVersion.SP12, tokenPolicy));
    bindingAlternative.addPolicyComponent(algorithmSuite);
    bindingAlternative.addAssertion(new PrimitiveAssertion(SP12Constants.INCLUDE_TIMESTAMP));
    bindingAlternative.addAssertion(new PrimitiveAssertion(SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
    bindingAlternatives.addPolicyComponent(bindingAlternative);
    DefaultSymmetricBinding binding = new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, bindingPolicy);
    binding.setOnlySignEntireHeadersAndBody(true);
    binding.setProtectTokens(false);
    alternative.addPolicyComponent(binding);

    // Sign the Body only: no headers, no attachments.
    List<Header> noHeaders = new ArrayList<>();
    alternative.addPolicyComponent(new SignedParts(SPConstants.SPVersion.SP12, true, null, noHeaders, false));
    return policy;
}

Example 5 with SignedParts

Use of org.apache.wss4j.policy.model.SignedParts in the Apache CXF project.

Class SecureConversationInInterceptor, method handleMessageForAction (server side: swaps in a Cancel-specific policy — signed with the SecureConversation token — or the bootstrap policy before forwarding to the SCT endpoint).

/**
 * Routes an inbound message according to its WS-Trust action.
 * <p>
 * For a SecureConversation RST ({@code /RST/SCT} under either WS-Trust
 * namespace) the effective policy is replaced before the message is forwarded
 * to the SCT endpoint: a Cancel request is verified under an ad-hoc symmetric
 * binding protected by the existing SecureConversation token, while Issue and
 * other requests use the token's bootstrap policy merged with addressing. Any
 * other message simply gets the token-finder interceptor added. In every case
 * the policies in {@code aim} are asserted at the end.
 *
 * @param message the inbound SOAP message
 * @param s the SOAPAction, or {@code null} to fall back to the WS-Addressing Action header
 * @param aim the assertion info map of the message's current effective policy
 * @param ais the SecureConversationToken assertions; assumed non-empty for an SCT action
 */
void handleMessageForAction(SoapMessage message, String s, AssertionInfoMap aim, Collection<AssertionInfo> ais) {
    String addNs = null;
    AddressingProperties inProps = (AddressingProperties) message.getContextualProperty(JAXWSAConstants.ADDRESSING_PROPERTIES_INBOUND);
    if (inProps != null) {
        addNs = inProps.getNamespaceURI();
        if (s == null) {
            // MS/WCF doesn't put a soap action out for this, must check the headers
            // NOTE(review): the Action header is client-supplied input at this point; it
            // only selects which (stricter or bootstrap) policy is applied below.
            s = inProps.getAction().getValue();
        }
    }
    if (s != null && s.contains("/RST/SCT") && (s.startsWith(STSUtils.WST_NS_05_02) || s.startsWith(STSUtils.WST_NS_05_12))) {
        // NOTE(review): assumes ais has at least one entry; an empty collection would
        // fail on next() — confirm the caller guarantees this.
        SecureConversationToken tok = (SecureConversationToken) ais.iterator().next().getAssertion();
        Policy pol = tok.getBootstrapPolicy().getPolicy();
        if (s.endsWith("Cancel")) {
            // Cancel just sign with the token
            Policy p = new Policy();
            ExactlyOne ea = new ExactlyOne();
            p.addPolicyComponent(ea);
            All all = new All();
            Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
            all.addPolicyComponent(ass);
            ea.addPolicyComponent(all);
            // The SCT is expected to be referenced, not included, in the Cancel message.
            final SecureConversationToken secureConversationToken = new SecureConversationToken(SPConstants.SPVersion.SP12, SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER, null, null, null, new Policy());
            Policy sctPolicy = new Policy();
            ExactlyOne sctPolicyEa = new ExactlyOne();
            sctPolicy.addPolicyComponent(sctPolicyEa);
            All sctPolicyAll = new All();
            sctPolicyAll.addPolicyComponent(secureConversationToken);
            sctPolicyEa.addPolicyComponent(sctPolicyAll);
            // Symmetric binding: SCT as protection token, the original binding's algorithm
            // suite, a timestamp, and only entire headers/body signed.
            Policy bindingPolicy = new Policy();
            ExactlyOne bindingPolicyEa = new ExactlyOne();
            bindingPolicy.addPolicyComponent(bindingPolicyEa);
            All bindingPolicyAll = new All();
            AbstractBinding origBinding = PolicyUtils.getSecurityBinding(aim);
            bindingPolicyAll.addPolicyComponent(origBinding.getAlgorithmSuite());
            bindingPolicyAll.addPolicyComponent(new ProtectionToken(SPConstants.SPVersion.SP12, sctPolicy));
            bindingPolicyAll.addAssertion(new PrimitiveAssertion(SP12Constants.INCLUDE_TIMESTAMP));
            bindingPolicyAll.addAssertion(new PrimitiveAssertion(SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
            bindingPolicyEa.addPolicyComponent(bindingPolicyAll);
            DefaultSymmetricBinding binding = new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, bindingPolicy);
            binding.setOnlySignEntireHeadersAndBody(true);
            binding.setProtectTokens(false);
            all.addPolicyComponent(binding);
            // Parts to sign are derived from the current policy and addressing namespace
            // by a sibling helper (not shown here).
            SignedParts signedParts = getSignedParts(aim, addNs);
            all.addPolicyComponent(signedParts);
            pol = p;
            message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
        } else {
            // Issue/other SCT requests: bootstrap policy plus the addressing assertion.
            Policy p = new Policy();
            ExactlyOne ea = new ExactlyOne();
            p.addPolicyComponent(ea);
            All all = new All();
            Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
            all.addPolicyComponent(ass);
            ea.addPolicyComponent(all);
            pol = p.merge(pol);
        }
        // setup SCT endpoint and forward to it.
        unmapSecurityProps(message);
        // Reply in the WS-Trust namespace the request used (default 2005/12).
        String ns = STSUtils.WST_NS_05_12;
        if (s.startsWith(STSUtils.WST_NS_05_02)) {
            ns = STSUtils.WST_NS_05_02;
        }
        NegotiationUtils.recalcEffectivePolicy(message, ns, pol, new SecureConversationSTSInvoker(), true);
        // recalc based on new endpoint
        SoapActionInInterceptor.getAndSetOperation(message, s);
    } else {
        message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
    }
    assertPolicies(aim);
}
