Search in sources :

Example 6 with SpnegoContextToken

use of org.apache.wss4j.policy.model.SpnegoContextToken in project cxf by apache.

the class SymmetricBindingHandler method doEncryption.

private WSSecBase doEncryption(AbstractTokenWrapper recToken, SecurityToken encrTok, boolean attached, List<WSEncryptionPart> encrParts, boolean atEnd) {
    // Do encryption
    if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
        AbstractToken encrToken = recToken.getToken();
        assertPolicy(recToken);
        assertPolicy(encrToken);
        AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
        if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
            return doEncryptionDerived(recToken, encrTok, encrToken, attached, encrParts, atEnd);
        }
        try {
            WSSecEncrypt encr = new WSSecEncrypt(secHeader);
            encr.setEncryptionSerializer(new StaxSerializer());
            encr.setIdAllocator(wssConfig.getIdAllocator());
            encr.setCallbackLookup(callbackLookup);
            encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
            encr.setStoreBytesInAttachment(storeBytesInAttachment);
            encr.setExpandXopInclude(isExpandXopInclude());
            encr.setWsDocInfo(wsDocInfo);
            String encrTokId = encrTok.getId();
            if (attached) {
                encrTokId = encrTok.getWsuId();
                if (encrTokId == null && (encrToken instanceof SecureConversationToken || encrToken instanceof SecurityContextToken)) {
                    encr.setEncKeyIdDirectId(true);
                    encrTokId = encrTok.getId();
                } else if (encrTokId == null) {
                    encrTokId = encrTok.getId();
                }
                if (encrTokId.startsWith("#")) {
                    encrTokId = encrTokId.substring(1);
                }
            } else {
                encr.setEncKeyIdDirectId(true);
            }
            if (encrTok.getTokenType() != null) {
                encr.setCustomReferenceValue(encrTok.getTokenType());
            }
            encr.setEncKeyId(encrTokId);
            encr.setEphemeralKey(encrTok.getSecret());
            Crypto crypto = getEncryptionCrypto();
            if (crypto != null) {
                setEncryptionUser(encr, encrToken, false, crypto);
            }
            encr.setEncryptSymmKey(false);
            encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
            encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
            encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
            if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken || encrToken instanceof SecureConversationToken) {
                // Setting the AttachedReference or the UnattachedReference according to the flag
                Element ref;
                if (attached) {
                    ref = encrTok.getAttachedReference();
                } else {
                    ref = encrTok.getUnattachedReference();
                }
                String tokenType = encrTok.getTokenType();
                if (ref != null) {
                    SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
                    encr.setSecurityTokenReference(secRef);
                } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
                    encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
                    encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                } else {
                    encr.setCustomReferenceValue(tokenType);
                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                }
            } else if (encrToken instanceof UsernameToken) {
                encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
            } else if (encrToken instanceof KerberosToken && !isRequestor()) {
                encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
                encr.setEncKeyId(encrTok.getSHA1());
            } else if (!isRequestor() && encrTok.getSHA1() != null) {
                encr.setCustomReferenceValue(encrTok.getSHA1());
                encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
            }
            encr.prepare(crypto);
            if (encr.getBSTTokenId() != null) {
                encr.prependBSTElementToHeader();
            }
            Element refList = encr.encryptForRef(null, encrParts);
            List<Element> attachments = encr.getAttachmentEncryptedDataElements();
            addAttachmentsForEncryption(atEnd, refList, attachments);
            return encr;
        } catch (WSSecurityException e) {
            LOG.log(Level.FINE, e.getMessage(), e);
            unassertPolicy(recToken, e);
        }
    }
    return null;
}
Also used : WSSecEncrypt(org.apache.wss4j.dom.message.WSSecEncrypt) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) AlgorithmSuite(org.apache.wss4j.policy.model.AlgorithmSuite) StaxSerializer(org.apache.cxf.ws.security.wss4j.StaxSerializer) Crypto(org.apache.wss4j.common.crypto.Crypto) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)

Example 7 with SpnegoContextToken

use of org.apache.wss4j.policy.model.SpnegoContextToken in project cxf by apache.

the class EndorsingTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());
        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
                assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                continue;
            }
            DerivedKeys derivedKeys = token.getDerivedKeys();
            boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
            boolean processingFailed = false;
            if (token instanceof KerberosToken) {
                if (!processKerberosTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof X509Token) {
                if (!processX509Tokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof KeyValueToken) {
                if (!processKeyValueTokens(parameters)) {
                    processingFailed = true;
                }
            } else if (token instanceof UsernameToken) {
                if (!processUsernameTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
                if (!processSCTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SamlToken) {
                if (!processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof IssuedToken) {
                IssuedToken issuedToken = (IssuedToken) token;
                if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else {
                processingFailed = true;
            }
            if (processingFailed) {
                ai.setNotAsserted("The received token does not match the endorsing supporting token requirement");
                continue;
            }
            if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
            }
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)

Example 8 with SpnegoContextToken

use of org.apache.wss4j.policy.model.SpnegoContextToken in project cxf by apache.

the class SignedEndorsingTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());
        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
                assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                continue;
            }
            DerivedKeys derivedKeys = token.getDerivedKeys();
            boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
            boolean processingFailed = false;
            if (token instanceof KerberosToken) {
                if (!processKerberosTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SamlToken) {
                if (!processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof X509Token) {
                if (!processX509Tokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof KeyValueToken) {
                if (!processKeyValueTokens(parameters)) {
                    processingFailed = true;
                }
            } else if (token instanceof UsernameToken) {
                if (!processUsernameTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
                if (!processSCTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof IssuedToken) {
                IssuedToken issuedToken = (IssuedToken) token;
                if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else {
                processingFailed = true;
            }
            if (processingFailed) {
                ai.setNotAsserted("The received token does not match the signed endorsing supporting token requirement");
                continue;
            }
            if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
            }
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)

Example 9 with SpnegoContextToken

use of org.apache.wss4j.policy.model.SpnegoContextToken in project cxf by apache.

the class AbstractBindingBuilder method handleSupportingTokens.

protected List<SupportingToken> handleSupportingTokens(SupportingTokens suppTokens, boolean endorse, List<SupportingToken> ret) throws WSSecurityException, SOAPException {
    if (suppTokens == null) {
        return ret;
    }
    for (AbstractToken token : suppTokens.getTokens()) {
        assertToken(token);
        if (!isTokenRequired(token.getIncludeTokenType())) {
            // Check for any SignedParts so as *not* to sign them
            getSignedParts(suppTokens);
            continue;
        }
        if (token instanceof UsernameToken) {
            handleUsernameTokenSupportingToken((UsernameToken) token, endorse, suppTokens.isEncryptedToken(), ret);
        } else if (token instanceof IssuedToken || token instanceof SecureConversationToken || token instanceof SecurityContextToken || token instanceof KerberosToken || token instanceof SpnegoContextToken) {
            // ws-trust/ws-sc stuff.......
            SecurityToken secToken = getSecurityToken();
            if (secToken == null) {
                unassertPolicy(token, "Could not find IssuedToken");
            }
            Element clone = cloneElement(secToken.getToken());
            secToken.setToken(clone);
            addSupportingElement(clone);
            String id = XMLUtils.getIDFromReference(secToken.getId());
            if (suppTokens.isEncryptedToken()) {
                WSEncryptionPart part = new WSEncryptionPart(id, "Element");
                part.setElement(clone);
                encryptedTokensList.add(part);
            }
            if (secToken.getX509Certificate() == null) {
                ret.add(new SupportingToken(token, new WSSecurityTokenHolder(secToken, secHeader), getSignedParts(suppTokens)));
            } else {
                ret.add(signSupportingToken(secToken, id, token, suppTokens));
            }
        } else if (token instanceof X509Token) {
            // We have to use a cert. Prepare X509 signature
            WSSecSignature sig = getSignatureBuilder(token, false, endorse);
            assertPolicy(suppTokens);
            Element bstElem = sig.getBinarySecurityTokenElement();
            if (bstElem != null) {
                if (lastEncryptedKeyElement != null) {
                    if (lastEncryptedKeyElement.getNextSibling() != null) {
                        secHeader.getSecurityHeaderElement().insertBefore(bstElem, lastEncryptedKeyElement.getNextSibling());
                    } else {
                        secHeader.getSecurityHeaderElement().appendChild(bstElem);
                    }
                } else {
                    sig.prependBSTElementToHeader();
                }
                if (suppTokens.isEncryptedToken()) {
                    WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
                    part.setElement(bstElem);
                    encryptedTokensList.add(part);
                }
            }
            ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
        } else if (token instanceof KeyValueToken) {
            WSSecSignature sig = getSignatureBuilder(token, false, endorse);
            assertPolicy(suppTokens);
            if (suppTokens.isEncryptedToken()) {
                WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
                encryptedTokensList.add(part);
            }
            ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
        } else if (token instanceof SamlToken) {
            SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken) token);
            if (assertionWrapper != null) {
                Element envelope = saaj.getSOAPPart().getEnvelope();
                envelope = (Element) DOMUtils.getDomElement(envelope);
                Element assertionElement = assertionWrapper.toDOM(envelope.getOwnerDocument());
                addSupportingElement(assertionElement);
                ret.add(new SupportingToken(token, assertionWrapper, getSignedParts(suppTokens)));
                if (suppTokens.isEncryptedToken()) {
                    WSEncryptionPart part = new WSEncryptionPart(assertionWrapper.getId(), "Element");
                    part.setElement(assertionElement);
                    encryptedTokensList.add(part);
                }
            }
        }
    }
    return ret;
}
Also used : WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) Element(org.w3c.dom.Element) WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature) WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)

Example 10 with SpnegoContextToken

use of org.apache.wss4j.policy.model.SpnegoContextToken in project cxf by apache.

the class StaxAsymmetricBindingHandler method doSignature.

private void doSignature(AbstractTokenWrapper wrapper, List<SecurePart> sigParts) throws WSSecurityException, SOAPException {
    // Action
    WSSSecurityProperties properties = getProperties();
    WSSConstants.Action actionToPerform = XMLSecurityConstants.SIGNATURE;
    if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        actionToPerform = WSSConstants.SIGNATURE_WITH_DERIVED_KEY;
    }
    List<WSSConstants.Action> actionList = properties.getActions();
    // Add a Signature directly before Kerberos, otherwise just append it
    boolean actionAdded = false;
    for (int i = 0; i < actionList.size(); i++) {
        WSSConstants.Action action = actionList.get(i);
        if (action.equals(WSSConstants.KERBEROS_TOKEN)) {
            actionList.add(i, actionToPerform);
            actionAdded = true;
            break;
        }
    }
    if (!actionAdded) {
        actionList.add(actionToPerform);
    }
    properties.getSignatureSecureParts().addAll(sigParts);
    AbstractToken sigToken = wrapper.getToken();
    configureSignature(sigToken, false);
    if (abinding.isProtectTokens() && (sigToken instanceof X509Token) && sigToken.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER) {
        SecurePart securePart = new SecurePart(new QName(WSSConstants.NS_WSSE10, "BinarySecurityToken"), Modifier.Element);
        properties.addSignaturePart(securePart);
    } else if (sigToken instanceof IssuedToken || sigToken instanceof SecurityContextToken || sigToken instanceof SecureConversationToken || sigToken instanceof SpnegoContextToken || sigToken instanceof SamlToken) {
        properties.setIncludeSignatureToken(false);
    }
    if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        properties.setSignatureAlgorithm(abinding.getAlgorithmSuite().getSymmetricSignature());
    }
}
Also used : WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) WSSConstants(org.apache.wss4j.stax.ext.WSSConstants) SamlToken(org.apache.wss4j.policy.model.SamlToken) QName(javax.xml.namespace.QName) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) SecurePart(org.apache.xml.security.stax.ext.SecurePart) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)

Aggregations

IssuedToken (org.apache.wss4j.policy.model.IssuedToken)20 SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)20 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)19 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)19 X509Token (org.apache.wss4j.policy.model.X509Token)18 AbstractToken (org.apache.wss4j.policy.model.AbstractToken)17 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)17 SamlToken (org.apache.wss4j.policy.model.SamlToken)13 SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)12 KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)11 SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)8 QName (javax.xml.namespace.QName)7 AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)7 SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)7 WSSecUsernameToken (org.apache.wss4j.dom.message.WSSecUsernameToken)6 WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)6 Element (org.w3c.dom.Element)6 SOAPException (javax.xml.soap.SOAPException)5 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)5 WSSConstants (org.apache.wss4j.stax.ext.WSSConstants)5