Example 11 with UsernameToken
use of org.apache.wss4j.policy.model.UsernameToken in project cxf by apache.
the class EndorsingTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
DerivedKeys derivedKeys = token.getDerivedKeys();
boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
if (!processSCTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the endorsing supporting token requirement");
continue;
}
if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)
Example 12 with UsernameToken
use of org.apache.wss4j.policy.model.UsernameToken in project cxf by apache.
the class SignedEndorsingTokenPolicyValidator method validatePolicies.
/**
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
for (AssertionInfo ai : ais) {
SupportingTokens binding = (SupportingTokens) ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
setEncryptedParts(binding.getEncryptedParts());
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
DerivedKeys derivedKeys = token.getDerivedKeys();
boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
if (!processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
if (!processX509Tokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof KeyValueToken) {
if (!processKeyValueTokens(parameters)) {
processingFailed = true;
}
} else if (token instanceof UsernameToken) {
if (!processUsernameTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken || token instanceof SpnegoContextToken) {
if (!processSCTokens(parameters, derived)) {
processingFailed = true;
}
} else if (token instanceof IssuedToken) {
IssuedToken issuedToken = (IssuedToken) token;
if (isSamlTokenRequiredForIssuedToken(issuedToken) && !processSAMLTokens(parameters, derived)) {
processingFailed = true;
}
} else {
processingFailed = true;
}
if (processingFailed) {
ai.setNotAsserted("The received token does not match the signed endorsing supporting token requirement");
continue;
}
if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
assertDerivedKeys(token, parameters.getAssertionInfoMap());
}
}
}
}
Also used :
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
X509Token(org.apache.wss4j.policy.model.X509Token)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
KeyValueToken(org.apache.wss4j.policy.model.KeyValueToken)
DerivedKeys(org.apache.wss4j.policy.model.AbstractToken.DerivedKeys)
Example 13 with UsernameToken
use of org.apache.wss4j.policy.model.UsernameToken in project cxf by apache.
the class UsernameTokenInterceptor method addToken.
protected void addToken(SoapMessage message) {
UsernameToken tok = assertTokens(message);
Header h = findSecurityHeader(message, true);
Element el = (Element) h.getObject();
Document doc = el.getOwnerDocument();
WSSecUsernameToken utBuilder = addUsernameToken(message, doc, tok);
if (utBuilder == null) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
for (AssertionInfo ai : ais) {
if (ai.isAsserted()) {
ai.setAsserted(false);
}
}
return;
}
utBuilder.prepare();
el.appendChild(utBuilder.getUsernameTokenElement());
}
Also used :
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
Header(org.apache.cxf.headers.Header)
Element(org.w3c.dom.Element)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
Document(org.w3c.dom.Document)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)
Example 14 with UsernameToken
use of org.apache.wss4j.policy.model.UsernameToken in project cxf by apache.
the class UsernameTokenInterceptor method assertTokens.
private UsernameToken assertTokens(SoapMessage message, UsernameTokenPrincipal princ, boolean signed) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
UsernameToken tok = null;
for (AssertionInfo ai : ais) {
tok = (UsernameToken) ai.getAssertion();
ai.setAsserted(true);
if ((tok.getPasswordType() == UsernameToken.PasswordType.HashPassword) && (princ == null || !princ.isPasswordDigest())) {
ai.setNotAsserted("Password hashing policy not enforced");
} else {
PolicyUtils.assertPolicy(aim, SPConstants.HASH_PASSWORD);
}
if ((tok.getPasswordType() != UsernameToken.PasswordType.NoPassword) && isNonEndorsingSupportingToken(tok) && (princ == null || princ.getPassword() == null)) {
ai.setNotAsserted("Username Token No Password supplied");
} else {
PolicyUtils.assertPolicy(aim, SPConstants.NO_PASSWORD);
}
if (tok.isCreated() && (princ == null || princ.getCreatedTime() == null)) {
ai.setNotAsserted("No Created Time");
} else {
PolicyUtils.assertPolicy(aim, SP13Constants.CREATED);
}
if (tok.isNonce() && princ.getNonce() == null) {
ai.setNotAsserted("No Nonce");
} else {
PolicyUtils.assertPolicy(aim, SP13Constants.NONCE);
}
}
PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
PolicyUtils.assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
if (signed || isTLSInUse(message)) {
PolicyUtils.assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
}
return tok;
}
Also used :
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)
Example 15 with UsernameToken
use of org.apache.wss4j.policy.model.UsernameToken in project cxf by apache.
the class UsernameTokenInterceptor method assertTokens.
protected UsernameToken assertTokens(SoapMessage message) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
PolicyUtils.assertPolicy(aim, SPConstants.HASH_PASSWORD);
PolicyUtils.assertPolicy(aim, SPConstants.NO_PASSWORD);
PolicyUtils.assertPolicy(aim, SP13Constants.NONCE);
PolicyUtils.assertPolicy(aim, SP13Constants.CREATED);
return (UsernameToken) assertTokens(message, SPConstants.USERNAME_TOKEN, true);
}
Also used :
UsernameToken(org.apache.wss4j.policy.model.UsernameToken)
WSSecUsernameToken(org.apache.wss4j.dom.message.WSSecUsernameToken)
AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)
Aggregations
UsernameToken (org.apache.wss4j.policy.model.UsernameToken)31
KerberosToken (org.apache.wss4j.policy.model.KerberosToken)23
SecurityContextToken (org.apache.wss4j.policy.model.SecurityContextToken)22
WSSecUsernameToken (org.apache.wss4j.dom.message.WSSecUsernameToken)19
IssuedToken (org.apache.wss4j.policy.model.IssuedToken)19
SpnegoContextToken (org.apache.wss4j.policy.model.SpnegoContextToken)18
X509Token (org.apache.wss4j.policy.model.X509Token)18
AbstractToken (org.apache.wss4j.policy.model.AbstractToken)17
Element (org.w3c.dom.Element)16
SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)14
SamlToken (org.apache.wss4j.policy.model.SamlToken)13
KeyValueToken (org.apache.wss4j.policy.model.KeyValueToken)12
SecurityTokenReference (org.apache.wss4j.common.token.SecurityTokenReference)11
AssertionInfo (org.apache.cxf.ws.policy.AssertionInfo)10
AttachmentCallbackHandler (org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler)10
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)10
AlgorithmSuiteType (org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)10
SOAPException (javax.xml.soap.SOAPException)9
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)8
SupportingTokens (org.apache.wss4j.policy.model.SupportingTokens)8
