Example 6 with SpnegoContextToken
use of org.apache.wss4j.policy.model.SpnegoContextToken in project cxf by apache.
the class SymmetricBindingHandler method doEncryption.
private WSSecBase doEncryption(AbstractTokenWrapper recToken, SecurityToken encrTok, boolean attached, List<WSEncryptionPart> encrParts, boolean atEnd) {
// Do encryption
if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
AbstractToken encrToken = recToken.getToken();
assertPolicy(recToken);
assertPolicy(encrToken);
AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
return doEncryptionDerived(recToken, encrTok, encrToken, attached, encrParts, atEnd);
}
try {
WSSecEncrypt encr = new WSSecEncrypt(secHeader);
encr.setEncryptionSerializer(new StaxSerializer());
encr.setIdAllocator(wssConfig.getIdAllocator());
encr.setCallbackLookup(callbackLookup);
encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
encr.setStoreBytesInAttachment(storeBytesInAttachment);
encr.setExpandXopInclude(isExpandXopInclude());
encr.setWsDocInfo(wsDocInfo);
String encrTokId = encrTok.getId();
if (attached) {
encrTokId = encrTok.getWsuId();
if (encrTokId == null && (encrToken instanceof SecureConversationToken || encrToken instanceof SecurityContextToken)) {
encr.setEncKeyIdDirectId(true);
encrTokId = encrTok.getId();
} else if (encrTokId == null) {
encrTokId = encrTok.getId();
}
if (encrTokId.startsWith("#")) {
encrTokId = encrTokId.substring(1);
}
} else {
encr.setEncKeyIdDirectId(true);
}
if (encrTok.getTokenType() != null) {
encr.setCustomReferenceValue(encrTok.getTokenType());
}
encr.setEncKeyId(encrTokId);
encr.setEphemeralKey(encrTok.getSecret());
Crypto crypto = getEncryptionCrypto();
if (crypto != null) {
setEncryptionUser(encr, encrToken, false, crypto);
}
encr.setEncryptSymmKey(false);
encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken || encrToken instanceof SecureConversationToken) {
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (attached) {
ref = encrTok.getAttachedReference();
} else {
ref = encrTok.getUnattachedReference();
}
String tokenType = encrTok.getTokenType();
if (ref != null) {
SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
encr.setSecurityTokenReference(secRef);
} else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
encr.setCustomReferenceValue(tokenType);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
}
} else if (encrToken instanceof UsernameToken) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
} else if (encrToken instanceof KerberosToken && !isRequestor()) {
encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
encr.setEncKeyId(encrTok.getSHA1());
} else if (!isRequestor() && encrTok.getSHA1() != null) {
encr.setCustomReferenceValue(encrTok.getSHA1());
encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
}
encr.prepare(crypto);
if (encr.getBSTTokenId() != null) {
encr.prependBSTElementToHeader();
}
Element refList = encr.encryptForRef(null, encrParts);
List<Element> attachments = encr.getAttachmentEncryptedDataElements();
addAttachmentsForEncryption(atEnd, refList, attachments);
return encr;
} catch (WSSecurityException e) {
LOG.log(Level.FINE, e.getMessage(), e);
unassertPolicy(recToken, e);
}
}
return null;
}
Also used :
WSSecEncrypt(org.apache.wss4j.dom.message.WSSecEncrypt)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Element(org.w3c.dom.Element)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AlgorithmSuite(org.apache.wss4j.policy.model.AlgorithmSuite)
StaxSerializer(org.apache.cxf.ws.security.wss4j.StaxSerializer)
Crypto(org.apache.wss4j.common.crypto.Crypto)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)
Example 7 with SpnegoContextToken
use of org.apache.wss4j.policy.model.SpnegoContextToken in project cxf by apache.
the class EndorsingTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
DerivedKeys derivedKeys = token.getDerivedKeys();
boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
if (!processSCTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the endorsing supporting token requirement");
continue;
}
if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)
Example 8 with SpnegoContextToken
use of org.apache.wss4j.policy.model.SpnegoContextToken in project cxf by apache.
the class SignedEndorsingTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
DerivedKeys derivedKeys = token.getDerivedKeys();
boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
if (!processSCTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the signed endorsing supporting token requirement");
continue;
}
if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)
Example 9 with SpnegoContextToken
use of org.apache.wss4j.policy.model.SpnegoContextToken in project cxf by apache.
the class AbstractBindingBuilder method handleSupportingTokens.
protected List<SupportingToken> handleSupportingTokens(SupportingTokens suppTokens, boolean endorse, List<SupportingToken> ret) throws WSSecurityException, SOAPException {
if (suppTokens == null) {
return ret;
}
for (AbstractToken token : suppTokens.getTokens()) {
assertToken(token);
if (!isTokenRequired(token.getIncludeTokenType())) {
// Check for any SignedParts so as *not* to sign them
getSignedParts(suppTokens);
continue;
}
if (token instanceof UsernameToken) {
handleUsernameTokenSupportingToken((UsernameToken) token, endorse, suppTokens.isEncryptedToken(), ret);
} else if (token instanceof IssuedToken || token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof KerberosToken || token instanceof SpnegoContextToken) {
// ws-trust/ws-sc stuff.......
SecurityToken secToken = getSecurityToken();
if (secToken == null) {
unassertPolicy(token, "Could not find IssuedToken");
}
Element clone = cloneElement(secToken.getToken());
secToken.setToken(clone);
addSupportingElement(clone);
String id = XMLUtils.getIDFromReference(secToken.getId());
if (suppTokens.isEncryptedToken()) {
WSEncryptionPart part = new WSEncryptionPart(id, "Element");
part.setElement(clone);
encryptedTokensList.add(part);
}
if (secToken.getX509Certificate() == null) {
ret.add(new SupportingToken(token, new WSSecurityTokenHolder(secToken, secHeader), getSignedParts(suppTokens)));
} else {
ret.add(signSupportingToken(secToken, id, token, suppTokens));
}
} else if (token instanceof X509Token) {
// We have to use a cert. Prepare X509 signature
WSSecSignature sig = getSignatureBuilder(token, false, endorse);
assertPolicy(suppTokens);
Element bstElem = sig.getBinarySecurityTokenElement();
if (bstElem != null) {
if (lastEncryptedKeyElement != null) {
if (lastEncryptedKeyElement.getNextSibling() != null) {
secHeader.getSecurityHeaderElement().insertBefore(bstElem, lastEncryptedKeyElement.getNextSibling());
} else {
secHeader.getSecurityHeaderElement().appendChild(bstElem);
}
} else {
sig.prependBSTElementToHeader();
}
if (suppTokens.isEncryptedToken()) {
WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
part.setElement(bstElem);
encryptedTokensList.add(part);
}
}
ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
} else if (token instanceof KeyValueToken) {
WSSecSignature sig = getSignatureBuilder(token, false, endorse);
assertPolicy(suppTokens);
if (suppTokens.isEncryptedToken()) {
WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
encryptedTokensList.add(part);
}
ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
} else if (token instanceof SamlToken) {
SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
if (assertionWrapper != null) {
Element envelope = saaj.getSOAPPart().getEnvelope();
envelope = (Element) DOMUtils.getDomElement(envelope);
Element assertionElement = assertionWrapper.toDOM(envelope.getOwnerDocument());
addSupportingElement(assertionElement);
ret.add(new SupportingToken(token, assertionWrapper, getSignedParts(suppTokens)));
if (suppTokens.isEncryptedToken()) {
WSEncryptionPart part = new WSEncryptionPart(assertionWrapper.getId(), "Element");
part.setElement(assertionElement);
encryptedTokensList.add(part);
}
}
}
}
return ret;
}
Also used :
WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Element(org.w3c.dom.Element)
WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
Example 10 with SpnegoContextToken
use of org.apache.wss4j.policy.model.SpnegoContextToken in project cxf by apache.
the class StaxAsymmetricBindingHandler method doSignature.
private void doSignature(AbstractTokenWrapper wrapper, List<SecurePart> sigParts) throws WSSecurityException, SOAPException {
// Action
WSSSecurityProperties properties = getProperties();
WSSConstants.Action actionToPerform = XMLSecurityConstants.SIGNATURE;
if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
actionToPerform = WSSConstants.SIGNATURE_WITH_DERIVED_KEY;
}
List<WSSConstants.Action> actionList = properties.getActions();
// Add a Signature directly before Kerberos, otherwise just append it
boolean actionAdded = false;
for (int i = 0; i < actionList.size(); i++) {
WSSConstants.Action action = actionList.get(i);
if (action.equals(WSSConstants.KERBEROS_TOKEN)) {
actionList.add(i, actionToPerform);
actionAdded = true;
break;
}
}
if (!actionAdded) {
actionList.add(actionToPerform);
}
properties.getSignatureSecureParts().addAll(sigParts);
AbstractToken sigToken = wrapper.getToken();
configureSignature(sigToken, false);
if (abinding.isProtectTokens() && (sigToken instanceof X509Token) && sigToken.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER) {
SecurePart securePart = new SecurePart(new QName(WSSConstants.NS_WSSE10, "BinarySecurityToken"), Modifier.Element);
properties.addSignaturePart(securePart);
} else if (sigToken instanceof IssuedToken || sigToken instanceof SecurityContextToken || sigToken instanceof SecureConversationToken || sigToken instanceof SpnegoContextToken || sigToken instanceof SamlToken) {
properties.setIncludeSignatureToken(false);
}
if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
properties.setSignatureAlgorithm(abinding.getAlgorithmSuite().getSymmetricSignature());
}
}
Also used :
WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties)
WSSConstants(org.apache.wss4j.stax.ext.WSSConstants)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
QName(javax.xml.namespace.QName)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
SecurePart(org.apache.xml.security.stax.ext.SecurePart)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
Aggregations
IssuedToken (org.apache.wss4j.policy.model.IssuedToken)20
SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)20
KerberosToken (org.apache.wss4j.policy.model.KerberosToken)19
SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)19
X509Token (org.apache.wss4j.policy.model.X509Token)18
AbstractToken (org.apache.wss4j.policy.model.AbstractToken)17
UsernameToken (org.apache.wss4j.policy.model.UsernameToken)17
SamlToken (org.apache.wss4j.policy.model.SamlToken)13
SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)12
KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)11
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)8
QName (javax.xml.namespace.QName)7
AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)7
SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)7
WSSecUsernameToken (org.apache.wss4j.dom.message.WSSecUsernameToken)6
WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)6
Element (org.w3c.dom.Element)6
SOAPException (javax.xml.soap.SOAPException)5
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)5
WSSConstants (org.apache.wss4j.stax.ext.WSSConstants)5
