Search in sources :

Example 6 with SupportingTokens

use of org.apache.wss4j.policy.model.SupportingTokens in project cxf by apache.

the class SignedEndorsingTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());
        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
                assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                continue;
            }
            DerivedKeys derivedKeys = token.getDerivedKeys();
            boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
            boolean processingFailed = false;
            if (token instanceof KerberosToken) {
                if (!processKerberosTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SamlToken) {
                if (!processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof X509Token) {
                if (!processX509Tokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof KeyValueToken) {
                if (!processKeyValueTokens(parameters)) {
                    processingFailed = true;
                }
            } else if (token instanceof UsernameToken) {
                if (!processUsernameTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
                if (!processSCTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else if (token instanceof IssuedToken) {
                IssuedToken issuedToken = (IssuedToken) token;
                if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
                    processingFailed = true;
                }
            } else {
                processingFailed = true;
            }
            if (processingFailed) {
                ai.setNotAsserted("The received token does not match the signed endorsing supporting token requirement");
                continue;
            }
            if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
                assertDerivedKeys(token, parameters.getAssertionInfoMap());
            }
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) SamlToken(org.apache.wss4j.policy.model.SamlToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken) SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)

Example 7 with SupportingTokens

use of org.apache.wss4j.policy.model.SupportingTokens in project cxf by apache.

the class SignedTokenPolicyValidator method validatePolicies.

/**
 * Validate policies.
 */
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
    for (AssertionInfo ai : ais) {
        SupportingTokens binding = (SupportingTokens) ai.getAssertion();
        ai.setAsserted(true);
        setSignedParts(binding.getSignedParts());
        setEncryptedParts(binding.getEncryptedParts());
        setSignedElements(binding.getSignedElements());
        setEncryptedElements(binding.getEncryptedElements());
        List<AbstractToken> tokens = binding.getTokens();
        for (AbstractToken token : tokens) {
            if (!isTokenRequired(token, parameters.getMessage())) {
                continue;
            }
            boolean processingFailed = false;
            if (token instanceof UsernameToken) {
                if (!processUsernameTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof SamlToken) {
                if (!processSAMLTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof KerberosToken) {
                if (!processKerberosTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof X509Token) {
                if (!processX509Tokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof KeyValueToken) {
                if (!processKeyValueTokens(parameters)) {
                    processingFailed = true;
                }
            } else if (token instanceof SecurityContextToken) {
                if (!processSCTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else if (token instanceof IssuedToken) {
                IssuedToken issuedToken = (IssuedToken) token;
                if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
                    processingFailed = true;
                }
            } else {
                processingFailed = true;
            }
            if (processingFailed) {
                ai.setNotAsserted("The received token does not match the signed supporting token requirement");
                continue;
            }
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo) AbstractToken(org.apache.wss4j.policy.model.AbstractToken) SamlToken(org.apache.wss4j.policy.model.SamlToken) X509Token(org.apache.wss4j.policy.model.X509Token) SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken) KerberosToken(org.apache.wss4j.policy.model.KerberosToken) KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken) IssuedToken(org.apache.wss4j.policy.model.IssuedToken) UsernameToken(org.apache.wss4j.policy.model.UsernameToken)

Example 8 with SupportingTokens

use of org.apache.wss4j.policy.model.SupportingTokens in project cxf by apache.

the class SecureConversationTokenInterceptorProvider method setupClient.

static String setupClient(STSClient client, SoapMessage message, AssertionInfoMap aim, SecureConversationToken itok, boolean endorse) {
    if (itok.getBootstrapPolicy() == null || itok.getBootstrapPolicy().getPolicy() == null) {
        throw new Fault("The SecureConversationToken does not define a BootstrapPolicy", LOG);
    }
    client.setTrust(NegotiationUtils.getTrust10(aim));
    client.setTrust(NegotiationUtils.getTrust13(aim));
    Policy pol = itok.getBootstrapPolicy().getPolicy();
    Policy p = new Policy();
    ExactlyOne ea = new ExactlyOne();
    p.addPolicyComponent(ea);
    All all = new All();
    all.addPolicyComponent(NegotiationUtils.getAddressingPolicy(aim, false));
    ea.addPolicyComponent(all);
    if (endorse) {
        SupportingTokens st = new SupportingTokens(SPConstants.SPVersion.SP12, SP12Constants.ENDORSING_SUPPORTING_TOKENS, new Policy());
        st.addToken(itok);
        all.addPolicyComponent(st);
    }
    pol = p.merge(pol);
    client.setPolicy(pol);
    client.setSoap11(message.getVersion() == Soap11.getInstance());
    client.setSecureConv(true);
    String s = message.getContextualProperty(Message.ENDPOINT_ADDRESS).toString();
    client.setLocation(s);
    AlgorithmSuite suite = NegotiationUtils.getAlgorithmSuite(aim);
    if (suite != null) {
        client.setAlgorithmSuite(suite);
        int x = suite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength();
        if (x < 256) {
            client.setKeySize(x);
        }
    }
    Map<String, Object> ctx = client.getRequestContext();
    mapSecurityProps(message, ctx);
    return s;
}
Also used : Policy(org.apache.neethi.Policy) All(org.apache.neethi.All) SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AlgorithmSuite(org.apache.wss4j.policy.model.AlgorithmSuite) Fault(org.apache.cxf.interceptor.Fault) ExactlyOne(org.apache.neethi.ExactlyOne)

Example 9 with SupportingTokens

use of org.apache.wss4j.policy.model.SupportingTokens in project cxf by apache.

the class StaxTransportBindingHandler method handleNonEndorsingSupportingTokens.

/**
 * Handle the non-endorsing supporting tokens
 */
private void handleNonEndorsingSupportingTokens(AssertionInfoMap aim) throws Exception {
    Collection<AssertionInfo> ais;
    ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
    if (!ais.isEmpty()) {
        for (AssertionInfo ai : ais) {
            SupportingTokens sgndSuppTokens = (SupportingTokens) ai.getAssertion();
            if (sgndSuppTokens != null) {
                addSignedSupportingTokens(sgndSuppTokens);
            }
            ai.setAsserted(true);
        }
    }
    ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
    if (!ais.isEmpty()) {
        for (AssertionInfo ai : ais) {
            SupportingTokens sgndSuppTokens = (SupportingTokens) ai.getAssertion();
            if (sgndSuppTokens != null) {
                addSignedSupportingTokens(sgndSuppTokens);
            }
            ai.setAsserted(true);
        }
    }
    ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
    if (!ais.isEmpty()) {
        for (AssertionInfo ai : ais) {
            SupportingTokens encrSuppTokens = (SupportingTokens) ai.getAssertion();
            if (encrSuppTokens != null) {
                addSignedSupportingTokens(encrSuppTokens);
            }
            ai.setAsserted(true);
        }
    }
    ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
    if (!ais.isEmpty()) {
        for (AssertionInfo ai : ais) {
            SupportingTokens suppTokens = (SupportingTokens) ai.getAssertion();
            if (suppTokens != null && suppTokens.getTokens() != null && suppTokens.getTokens().size() > 0) {
                handleSupportingTokens(suppTokens, false, false);
            }
            ai.setAsserted(true);
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)

Example 10 with SupportingTokens

use of org.apache.wss4j.policy.model.SupportingTokens in project cxf by apache.

the class TransportBindingHandler method handleNonEndorsingSupportingTokens.

/**
 * Handle the non-endorsing supporting tokens
 */
private void handleNonEndorsingSupportingTokens() throws Exception {
    Collection<AssertionInfo> ais;
    ais = getAllAssertionsByLocalname(SPConstants.SIGNED_SUPPORTING_TOKENS);
    if (!ais.isEmpty()) {
        for (AssertionInfo ai : ais) {
            SupportingTokens sgndSuppTokens = (SupportingTokens) ai.getAssertion();
            if (sgndSuppTokens != null) {
                addSignedSupportingTokens(sgndSuppTokens);
            }
            ai.setAsserted(true);
        }
    }
    ais = getAllAssertionsByLocalname(SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
    if (!ais.isEmpty()) {
        for (AssertionInfo ai : ais) {
            SupportingTokens sgndSuppTokens = (SupportingTokens) ai.getAssertion();
            if (sgndSuppTokens != null) {
                addSignedSupportingTokens(sgndSuppTokens);
            }
            ai.setAsserted(true);
        }
    }
    ais = getAllAssertionsByLocalname(SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
    if (!ais.isEmpty()) {
        for (AssertionInfo ai : ais) {
            SupportingTokens encrSuppTokens = (SupportingTokens) ai.getAssertion();
            if (encrSuppTokens != null) {
                addSignedSupportingTokens(encrSuppTokens);
            }
            ai.setAsserted(true);
        }
    }
    ais = getAllAssertionsByLocalname(SPConstants.SUPPORTING_TOKENS);
    if (!ais.isEmpty()) {
        for (AssertionInfo ai : ais) {
            SupportingTokens suppTokens = (SupportingTokens) ai.getAssertion();
            if (suppTokens != null && suppTokens.getTokens() != null && suppTokens.getTokens().size() > 0) {
                handleSupportingTokens(suppTokens, false, new ArrayList<>());
            }
            ai.setAsserted(true);
        }
    }
}
Also used : SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens) AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)

Aggregations

SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)16 AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)14 AbstractToken (org.apache.wss4j.policy.model.AbstractToken)11 SamlToken (org.apache.wss4j.policy.model.SamlToken)9 IssuedToken (org.apache.wss4j.policy.model.IssuedToken)8 KerberosToken (org.apache.wss4j.policy.model.KerberosToken)8 KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)8 SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)8 UsernameToken (org.apache.wss4j.policy.model.UsernameToken)8 X509Token (org.apache.wss4j.policy.model.X509Token)8 SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)7 DerivedKeys (org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)4 AbstractSecurityAssertion (org.apache.wss4j.policy.model.AbstractSecurityAssertion)2 ArrayList (java.util.ArrayList)1 HashMap (java.util.HashMap)1 Fault (org.apache.cxf.interceptor.Fault)1 All (org.apache.neethi.All)1 ExactlyOne (org.apache.neethi.ExactlyOne)1 Policy (org.apache.neethi.Policy)1 AlgorithmSuite (org.apache.wss4j.common.crypto.AlgorithmSuite)1