Example 1 with SymmetricBinding
use of org.apache.wss4j.policy.model.SymmetricBinding in project cxf by apache.
the class SymmetricBindingPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
boolean hasDerivedKeys = parameters.getResults().getActionResults().containsKey(WSConstants.DKT);
for (AssertionInfo ai : ais) {
SymmetricBinding binding = (SymmetricBinding) ai.getAssertion();
ai.setAsserted(true);
// Check the protection order
if (!checkProtectionOrder(binding, parameters.getAssertionInfoMap(), ai, parameters.getResults().getResults())) {
continue;
}
// Check various properties of the binding
if (!checkProperties(binding, ai, parameters.getAssertionInfoMap(), parameters.getResults(), parameters.getSignedResults(), parameters.getMessage())) {
continue;
}
// Check various tokens of the binding
if (!checkTokens(binding, ai, parameters.getAssertionInfoMap(), hasDerivedKeys, parameters.getSignedResults(), parameters.getEncryptedResults())) {
continue;
}
}
}
Also used :
SymmetricBinding(org.apache.wss4j.policy.model.SymmetricBinding)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
Example 2 with SymmetricBinding
use of org.apache.wss4j.policy.model.SymmetricBinding in project cxf by apache.
the class AbstractBindingBuilder method getSignatureBuilder.
protected WSSecSignature getSignatureBuilder(AbstractToken token, boolean attached, boolean endorse) throws WSSecurityException {
WSSecSignature sig = new WSSecSignature(secHeader);
sig.setIdAllocator(wssConfig.getIdAllocator());
sig.setCallbackLookup(callbackLookup);
sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
sig.setStoreBytesInAttachment(storeBytesInAttachment);
sig.setExpandXopInclude(isExpandXopInclude());
sig.setWsDocInfo(wsDocInfo);
checkForX509PkiPath(sig, token);
if (token instanceof IssuedToken || token instanceof SamlToken) {
assertToken(token);
SecurityToken securityToken = getSecurityToken();
String tokenType = securityToken.getTokenType();
Element ref;
if (attached) {
ref = securityToken.getAttachedReference();
} else {
ref = securityToken.getUnattachedReference();
}
if (ref != null) {
SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
sig.setSecurityTokenReference(secRef);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
int type = attached ? WSConstants.CUSTOM_SYMM_SIGNING : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSS4JConstants.SAML2_NS.equals(tokenType)) {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
sig.setCustomTokenValueType(tokenType);
sig.setKeyIdentifierType(type);
}
}
String sigTokId;
if (attached) {
sigTokId = securityToken.getWsuId();
if (sigTokId == null) {
sigTokId = securityToken.getId();
}
if (sigTokId.startsWith("#")) {
sigTokId = sigTokId.substring(1);
}
} else {
sigTokId = securityToken.getId();
}
sig.setCustomTokenId(sigTokId);
} else {
setKeyIdentifierType(sig, token);
// Find out do we also need to include the token as per the Inclusion requirement
if (token instanceof X509Token && token.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER && (sig.getKeyIdentifierType() != WSConstants.BST_DIRECT_REFERENCE && sig.getKeyIdentifierType() != WSConstants.KEY_VALUE)) {
sig.setIncludeSignatureToken(true);
}
}
boolean encryptCrypto = false;
String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
String type = "signature";
if (binding instanceof SymmetricBinding && !endorse) {
encryptCrypto = ((SymmetricBinding) binding).getProtectionToken() != null;
userNameKey = SecurityConstants.ENCRYPT_USERNAME;
}
Crypto crypto = encryptCrypto ? getEncryptionCrypto() : getSignatureCrypto();
if (endorse && crypto == null && binding instanceof SymmetricBinding) {
type = "encryption";
userNameKey = SecurityConstants.ENCRYPT_USERNAME;
crypto = getEncryptionCrypto();
}
if (!encryptCrypto) {
message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
}
String user = (String) SecurityUtils.getSecurityPropertyValue(userNameKey, message);
if (StringUtils.isEmpty(user)) {
if (crypto != null) {
try {
user = crypto.getDefaultX509Identifier();
if (StringUtils.isEmpty(user)) {
unassertPolicy(token, "No configured " + type + " username detected");
return null;
}
} catch (WSSecurityException e1) {
LOG.log(Level.FINE, e1.getMessage(), e1);
throw new Fault(e1);
}
} else {
unassertPolicy(token, "Security configuration could not be detected. " + "Potential cause: Make sure jaxws:client element with name " + "attribute value matching endpoint port is defined as well as a " + SecurityConstants.SIGNATURE_PROPERTIES + " element within it.");
return null;
}
}
String password = getPassword(user, token, WSPasswordCallback.SIGNATURE);
sig.setUserInfo(user, password);
sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
sig.setDigestAlgo(algType.getDigest());
sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
boolean includePrefixes = MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);
sig.setAddInclusivePrefixes(includePrefixes);
try {
sig.prepare(crypto);
} catch (WSSecurityException e) {
LOG.log(Level.FINE, e.getMessage(), e);
unassertPolicy(token, e);
}
return sig;
}
Also used :
SymmetricBinding(org.apache.wss4j.policy.model.SymmetricBinding)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)
WSSecSignature(org.apache.wss4j.dom.message.WSSecSignature)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Element(org.w3c.dom.Element)
BSPEnforcer(org.apache.wss4j.common.bsp.BSPEnforcer)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
Fault(org.apache.cxf.interceptor.Fault)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
Crypto(org.apache.wss4j.common.crypto.Crypto)
SecurityTokenReference(org.apache.wss4j.common.token.SecurityTokenReference)
X509Token(org.apache.wss4j.policy.model.X509Token)
AttachmentCallbackHandler(org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)
Example 3 with SymmetricBinding
use of org.apache.wss4j.policy.model.SymmetricBinding in project cxf by apache.
the class AbstractStaxBindingHandler method configureSignature.
protected void configureSignature(AbstractToken token, boolean attached) throws WSSecurityException {
if (token instanceof X509Token) {
X509Token x509Token = (X509Token) token;
TokenType tokenType = x509Token.getTokenType();
if (tokenType == TokenType.WssX509PkiPathV1Token10 || tokenType == TokenType.WssX509PkiPathV1Token11) {
properties.setUseSingleCert(false);
}
}
properties.setSignatureKeyIdentifier(getKeyIdentifierType(token));
// Find out do we also need to include the token as per the Inclusion requirement
WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getSignatureKeyIdentifier();
if (token instanceof X509Token && isTokenRequired(token.getIncludeTokenType()) && (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(keyIdentifier) || WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(keyIdentifier))) {
properties.setIncludeSignatureToken(true);
} else {
properties.setIncludeSignatureToken(false);
}
String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
if (binding instanceof SymmetricBinding) {
userNameKey = SecurityConstants.ENCRYPT_USERNAME;
properties.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
} else {
properties.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
}
properties.setSignatureCanonicalizationAlgorithm(binding.getAlgorithmSuite().getC14n().getValue());
String sigUser = (String) SecurityUtils.getSecurityPropertyValue(userNameKey, message);
if (sigUser == null) {
sigUser = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
}
if (sigUser != null && properties.getSignatureUser() == null) {
properties.setSignatureUser(sigUser);
}
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setSignatureDigestAlgorithm(algType.getDigest());
// sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
boolean includePrefixes = MessageUtils.getContextualBoolean(message, SecurityConstants.ADD_INCLUSIVE_PREFIXES, true);
properties.setAddExcC14NInclusivePrefixes(includePrefixes);
}
Also used :
SymmetricBinding(org.apache.wss4j.policy.model.SymmetricBinding)
TokenType(org.apache.wss4j.policy.model.X509Token.TokenType)
IncludeTokenType(org.apache.wss4j.policy.SPConstants.IncludeTokenType)
SamlTokenType(org.apache.wss4j.policy.model.SamlToken.SamlTokenType)
X509Token(org.apache.wss4j.policy.model.X509Token)
AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)
WSSecurityTokenConstants(org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants)
Example 4 with SymmetricBinding
use of org.apache.wss4j.policy.model.SymmetricBinding in project cxf by apache.
the class PolicyBasedWSS4JStaxOutInterceptor method configureProperties.
@Override
protected void configureProperties(SoapMessage msg, OutboundSecurityContext outboundSecurityContext, WSSSecurityProperties securityProperties) throws WSSecurityException {
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
AssertionInfo asymAis = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
if (asymAis != null) {
checkAsymmetricBinding(msg, securityProperties);
asymAis.setAsserted(true);
}
AssertionInfo symAis = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
if (symAis != null) {
checkSymmetricBinding(msg, securityProperties);
symAis.setAsserted(true);
}
AssertionInfo transAis = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING);
if (transAis != null) {
checkTransportBinding(msg, securityProperties);
transAis.setAsserted(true);
}
super.configureProperties(msg, outboundSecurityContext, securityProperties);
if (transAis != null) {
TransportBinding binding = (TransportBinding) transAis.getAssertion();
new StaxTransportBindingHandler(securityProperties, msg, binding, outboundSecurityContext).handleBinding();
} else if (asymAis != null) {
AsymmetricBinding binding = (AsymmetricBinding) asymAis.getAssertion();
new StaxAsymmetricBindingHandler(securityProperties, msg, binding, outboundSecurityContext).handleBinding();
} else if (symAis != null) {
SymmetricBinding binding = (SymmetricBinding) symAis.getAssertion();
new StaxSymmetricBindingHandler(securityProperties, msg, binding, outboundSecurityContext).handleBinding();
} else {
// Fall back to Transport Binding
new StaxTransportBindingHandler(securityProperties, msg, null, outboundSecurityContext).handleBinding();
}
}
Also used :
SymmetricBinding(org.apache.wss4j.policy.model.SymmetricBinding)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
AsymmetricBinding(org.apache.wss4j.policy.model.AsymmetricBinding)
StaxSymmetricBindingHandler(org.apache.cxf.ws.security.wss4j.policyhandlers.StaxSymmetricBindingHandler)
StaxTransportBindingHandler(org.apache.cxf.ws.security.wss4j.policyhandlers.StaxTransportBindingHandler)
StaxAsymmetricBindingHandler(org.apache.cxf.ws.security.wss4j.policyhandlers.StaxAsymmetricBindingHandler)
TransportBinding(org.apache.wss4j.policy.model.TransportBinding)
AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)
Aggregations
SymmetricBinding (org.apache.wss4j.policy.model.SymmetricBinding)4
AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)2
AlgorithmSuiteType (org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)2
X509Token (org.apache.wss4j.policy.model.X509Token)2
Fault (org.apache.cxf.interceptor.Fault)1
AssertionInfoMap (org.apache.cxf.ws.policy.AssertionInfoMap)1
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)1
AttachmentCallbackHandler (org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)1
StaxAsymmetricBindingHandler (org.apache.cxf.ws.security.wss4j.policyhandlers.StaxAsymmetricBindingHandler)1
StaxSymmetricBindingHandler (org.apache.cxf.ws.security.wss4j.policyhandlers.StaxSymmetricBindingHandler)1
StaxTransportBindingHandler (org.apache.cxf.ws.security.wss4j.policyhandlers.StaxTransportBindingHandler)1
BSPEnforcer (org.apache.wss4j.common.bsp.BSPEnforcer)1
Crypto (org.apache.wss4j.common.crypto.Crypto)1
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)1
SecurityTokenReference (org.apache.wss4j.common.token.SecurityTokenReference)1
WSSecSignature (org.apache.wss4j.dom.message.WSSecSignature)1
IncludeTokenType (org.apache.wss4j.policy.SPConstants.IncludeTokenType)1
AsymmetricBinding (org.apache.wss4j.policy.model.AsymmetricBinding)1
IssuedToken (org.apache.wss4j.policy.model.IssuedToken)1
SamlToken (org.apache.wss4j.policy.model.SamlToken)1
