use of org.apache.wss4j.policy.model.SupportingTokens in project cxf by apache.
the class SignedEndorsingTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
DerivedKeys derivedKeys = token.getDerivedKeys();
boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
if (!processSCTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the signed endorsing supporting token requirement");
continue;
}
if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
}
}
}
}
use of org.apache.wss4j.policy.model.SupportingTokens in project cxf by apache.
the class SignedTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
continue;
}
boolean processingFailed = false;
if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken) {
if (!processSCTokens(parameters, false)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, false)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the signed supporting token requirement");
continue;
}
}
}
}
use of org.apache.wss4j.policy.model.SupportingTokens in project cxf by apache.
the class SecureConversationTokenInterceptorProvider method setupClient.
static String setupClient(STSClient client, SoapMessage message, AssertionInfoMap aim, SecureConversationToken itok, boolean endorse) {
if (itok.getBootstrapPolicy() == null || itok.getBootstrapPolicy().getPolicy() == null) {
throw new Fault("The SecureConversationToken does not define a BootstrapPolicy", LOG);
}
client.setTrust(NegotiationUtils.getTrust10(aim));
client.setTrust(NegotiationUtils.getTrust13(aim));
Policy pol = itok.getBootstrapPolicy().getPolicy();
Policy p = new Policy();
ExactlyOne ea = new ExactlyOne();
p.addPolicyComponent(ea);
All all = new All();
all.addPolicyComponent(NegotiationUtils.getAddressingPolicy(aim, false));
ea.addPolicyComponent(all);
if (endorse) {
SupportingTokens st = new SupportingTokens(SPConstants.SPVersion.SP12, SP12Constants.ENDORSING_SUPPORTING_TOKENS, new Policy());
st.addToken(itok);
all.addPolicyComponent(st);
}
pol = p.merge(pol);
client.setPolicy(pol);
client.setSoap11(message.getVersion() == Soap11.getInstance());
client.setSecureConv(true);
String s = message.getContextualProperty(Message.ENDPOINT_ADDRESS).toString();
client.setLocation(s);
AlgorithmSuite suite = NegotiationUtils.getAlgorithmSuite(aim);
if (suite != null) {
client.setAlgorithmSuite(suite);
int x = suite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength();
if (x < 256) {
client.setKeySize(x);
}
}
Map<String, Object> ctx = client.getRequestContext();
mapSecurityProps(message, ctx);
return s;
}
use of org.apache.wss4j.policy.model.SupportingTokens in project cxf by apache.
the class StaxTransportBindingHandler method handleNonEndorsingSupportingTokens.
/**
* Handle the non-endorsing supporting tokens
*/
private void handleNonEndorsingSupportingTokens(AssertionInfoMap aim) throws Exception {
Collection<AssertionInfo> ais;
ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
SupportingTokens sgndSuppTokens = (SupportingTokens) ai.getAssertion();
if (sgndSuppTokens != null) {
addSignedSupportingTokens(sgndSuppTokens);
}
ai.setAsserted(true);
}
}
ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
SupportingTokens sgndSuppTokens = (SupportingTokens) ai.getAssertion();
if (sgndSuppTokens != null) {
addSignedSupportingTokens(sgndSuppTokens);
}
ai.setAsserted(true);
}
}
ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
SupportingTokens encrSuppTokens = (SupportingTokens) ai.getAssertion();
if (encrSuppTokens != null) {
addSignedSupportingTokens(encrSuppTokens);
}
ai.setAsserted(true);
}
}
ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
SupportingTokens suppTokens = (SupportingTokens) ai.getAssertion();
if (suppTokens != null && suppTokens.getTokens() != null && suppTokens.getTokens().size() > 0) {
handleSupportingTokens(suppTokens, false, false);
}
ai.setAsserted(true);
}
}
}
use of org.apache.wss4j.policy.model.SupportingTokens in project cxf by apache.
the class TransportBindingHandler method handleNonEndorsingSupportingTokens.
/**
* Handle the non-endorsing supporting tokens
*/
private void handleNonEndorsingSupportingTokens() throws Exception {
Collection<AssertionInfo> ais;
ais = getAllAssertionsByLocalname(SPConstants.SIGNED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
SupportingTokens sgndSuppTokens = (SupportingTokens) ai.getAssertion();
if (sgndSuppTokens != null) {
addSignedSupportingTokens(sgndSuppTokens);
}
ai.setAsserted(true);
}
}
ais = getAllAssertionsByLocalname(SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
SupportingTokens sgndSuppTokens = (SupportingTokens) ai.getAssertion();
if (sgndSuppTokens != null) {
addSignedSupportingTokens(sgndSuppTokens);
}
ai.setAsserted(true);
}
}
ais = getAllAssertionsByLocalname(SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
SupportingTokens encrSuppTokens = (SupportingTokens) ai.getAssertion();
if (encrSuppTokens != null) {
addSignedSupportingTokens(encrSuppTokens);
}
ai.setAsserted(true);
}
}
ais = getAllAssertionsByLocalname(SPConstants.SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
SupportingTokens suppTokens = (SupportingTokens) ai.getAssertion();
if (suppTokens != null && suppTokens.getTokens() != null && suppTokens.getTokens().size() > 0) {
handleSupportingTokens(suppTokens, false, new ArrayList<>());
}
ai.setAsserted(true);
}
}
}
Aggregations