
Example 1 with UsernameSecurityTokenImpl

use of org.apache.wss4j.stax.impl.securityToken.UsernameSecurityTokenImpl in project cxf by apache.

the class STSStaxTokenValidator method validate.

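/**
 * Validates an inbound WS-Security UsernameToken, locally or by delegating to the STS.
 *
 * <p>Flow, as implemented below:
 * <ol>
 * <li>Reject a key-derivation token (Salt present) that carries a password or lacks an
 *     Iteration element.</li>
 * <li>If the configuration requires a password type, reject a token whose type is missing
 *     or different.</li>
 * <li>If {@code alwaysValidateToSts} is set, send the token to the STS and skip the local
 *     checks.</li>
 * <li>Otherwise verify locally (digest, plaintext, custom type or no password) and fall
 *     back to the STS when the local check throws.</li>
 * <li>Build the {@link UsernameSecurityTokenImpl} handed to the rest of the security chain.</li>
 * </ol>
 *
 * <p>A token without a Password element is never forwarded to the STS: both STS paths read
 * the password, so such a token fails with {@code FAILED_AUTHENTICATION} instead of a
 * {@link NullPointerException}.
 *
 * @param usernameTokenType the unmarshalled UsernameToken element
 * @param tokenContext      security properties, security context and event path of the token
 * @return the validated username token
 * @throws WSSecurityException if the token is malformed or authentication fails
 */
@SuppressWarnings("unchecked")
@Override
public <T extends UsernameSecurityToken & InboundSecurityToken> T validate(UsernameTokenType usernameTokenType, TokenContext tokenContext) throws WSSecurityException {
    // If the UsernameToken is to be used for key derivation, the (1.1)
    // spec says that it cannot contain a password, and it must contain
    // an Iteration element
    final byte[] salt = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSSE11_SALT);
    PasswordString passwordType = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSSE_PASSWORD);
    final Long iteration = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSSE11_ITERATION);
    if (salt != null && (passwordType != null || iteration == null)) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badTokenType01");
    }
    boolean handleCustomPasswordTypes = tokenContext.getWssSecurityProperties().getHandleCustomPasswordTypes();
    // Password-less tokens are accepted when either the static configuration or the
    // per-message security context allows it.
    // NOTE(review): the cast assumes the context property is stored as a String; a
    // Boolean value would raise ClassCastException here - confirm against the callers.
    boolean allowUsernameTokenNoPassword = tokenContext.getWssSecurityProperties().isAllowUsernameTokenNoPassword() || Boolean.parseBoolean((String) tokenContext.getWsSecurityContext().get(WSSConstants.PROP_ALLOW_USERNAMETOKEN_NOPASSWORD));
    // Check received password type against required type
    WSSConstants.UsernameTokenPasswordType requiredPasswordType = tokenContext.getWssSecurityProperties().getUsernameTokenPasswordType();
    if (requiredPasswordType != null) {
        if (passwordType == null || passwordType.getType() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        WSSConstants.UsernameTokenPasswordType receivedPasswordType = WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(passwordType.getType());
        if (requiredPasswordType != receivedPasswordType) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
    }
    // A token without a Password element, or without a Type attribute, is PASSWORD_NONE.
    WSSConstants.UsernameTokenPasswordType usernameTokenPasswordType = WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE;
    if (passwordType != null && passwordType.getType() != null) {
        usernameTokenPasswordType = WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(passwordType.getType());
    }
    final AttributedString username = usernameTokenType.getUsername();
    if (username == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badTokenType01");
    }
    final EncodedString encodedNonce = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSSE_NONCE);
    byte[] nonceVal = null;
    if (encodedNonce != null && encodedNonce.getValue() != null) {
        nonceVal = Base64.decodeBase64(encodedNonce.getValue());
    }
    final AttributedDateTime attributedDateTimeCreated = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSU_CREATED);
    String created = null;
    if (attributedDateTimeCreated != null) {
        created = attributedDateTimeCreated.getValue();
    }
    // Validate to STS if required
    boolean valid = false;
    final SoapMessage message = (SoapMessage) tokenContext.getWssSecurityProperties().getMsgContext();
    if (alwaysValidateToSts) {
        if (passwordType == null) {
            // The STS request is built from the password value and type; without a
            // Password element there is nothing to validate, so fail authentication
            // explicitly rather than dereferencing null.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        // NOTE(review): only username, password, type and Id are handed to convertToDOM;
        // the nonce and Created values are not. Confirm the STS can validate a
        // PasswordDigest token without them.
        Element tokenElement = convertToDOM(username.getValue(), passwordType.getValue(), passwordType.getType(), usernameTokenType.getId());
        validateTokenToSTS(tokenElement, message);
        valid = true;
    }
    if (!valid) {
        try {
            if (usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
                // A digest is computed over nonce + created + password, so both must be present.
                if (encodedNonce == null || attributedDateTimeCreated == null) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badTokenType01");
                }
                if (!WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING.equals(encodedNonce.getEncodingType())) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN, "badTokenType01");
                }
                verifyDigestPassword(username.getValue(), passwordType, nonceVal, created, tokenContext);
            } else if (usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT || passwordType != null && passwordType.getValue() != null && usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
                // Explicit PasswordText, or a password value sent without a Type attribute.
                verifyPlaintextPassword(username.getValue(), passwordType, tokenContext);
            } else if (passwordType != null && passwordType.getValue() != null) {
                // Any other password type is treated as plaintext, and only when the
                // configuration opts in to custom password types.
                if (!handleCustomPasswordTypes) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
                }
                verifyPlaintextPassword(username.getValue(), passwordType, tokenContext);
            } else {
                // No usable password value at all.
                if (!allowUsernameTokenNoPassword) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
                }
            }
        } catch (WSSecurityException ex) {
            if (passwordType == null) {
                // Only the "no password allowed" check can fail with a null passwordType;
                // there is no credential to forward, so keep the local failure.
                throw ex;
            }
            // Local validation failed for any reason (including the structural checks
            // above): the STS becomes the deciding authority. The local failure is not
            // recorded here, so a rejected local check leaves no trace unless the STS
            // call also fails.
            Element tokenElement = convertToDOM(username.getValue(), passwordType.getValue(), passwordType.getType(), usernameTokenType.getId());
            validateTokenToSTS(tokenElement, message);
        }
    }
    // The password kept on the token is the received value, or, for key derivation
    // (Salt present, no Password element), the one supplied by the callback handler.
    final String password;
    if (passwordType != null) {
        password = passwordType.getValue();
    } else if (salt != null) {
        WSPasswordCallback pwCb = new WSPasswordCallback(username.getValue(), WSPasswordCallback.USERNAME_TOKEN);
        try {
            WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), pwCb);
        } catch (WSSecurityException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
        }
        password = pwCb.getPassword();
    } else {
        password = null;
    }
    UsernameSecurityTokenImpl usernameSecurityToken = new UsernameSecurityTokenImpl(usernameTokenPasswordType, username.getValue(), password, created, nonceVal, salt, iteration, tokenContext.getWsSecurityContext(), usernameTokenType.getId(), WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
    usernameSecurityToken.setElementPath(tokenContext.getElementPath());
    usernameSecurityToken.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());
    // Unchecked but safe as long as UsernameSecurityTokenImpl satisfies both bounds of T.
    return (T) usernameSecurityToken;
}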
Also used : WSSConstants(org.apache.wss4j.stax.ext.WSSConstants) UsernameSecurityTokenImpl(org.apache.wss4j.stax.impl.securityToken.UsernameSecurityTokenImpl) JAXBElement(javax.xml.bind.JAXBElement) Element(org.w3c.dom.Element) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) AttributedString(org.apache.wss4j.binding.wss10.AttributedString) EncodedString(org.apache.wss4j.binding.wss10.EncodedString) PasswordString(org.apache.wss4j.binding.wss10.PasswordString) AttributedDateTime(org.apache.wss4j.binding.wsu10.AttributedDateTime) SoapMessage(org.apache.cxf.binding.soap.SoapMessage) PasswordString(org.apache.wss4j.binding.wss10.PasswordString) AttributedString(org.apache.wss4j.binding.wss10.AttributedString) EncodedString(org.apache.wss4j.binding.wss10.EncodedString) WSPasswordCallback(org.apache.wss4j.common.ext.WSPasswordCallback)

Example 2 with UsernameSecurityTokenImpl

use of org.apache.wss4j.stax.impl.securityToken.UsernameSecurityTokenImpl in project cxf by apache.

the class CustomStaxUTValidator method validate.

/**
 * Runs the inherited UsernameToken validation, then attaches a {@link Subject} holding
 * the token's principal and its group memberships.
 *
 * <p>Group assignment is keyed on the username alone: every user becomes a member of
 * "worker", and the user named "Alice" is additionally a member of "manager". The
 * mapping is hard-coded, which looks like a test fixture; a deployed validator would
 * normally resolve groups from an authoritative store rather than from the name string.
 *
 * @param usernameTokenType the unmarshalled UsernameToken element
 * @param tokenContext      context passed through to the parent validator
 * @return the validated token with its subject set
 * @throws WSSecurityException if the parent validation rejects the token
 */
@SuppressWarnings("unchecked")
@Override
public <T extends UsernameSecurityToken & InboundSecurityToken> T validate(UsernameTokenType usernameTokenType, TokenContext tokenContext) throws WSSecurityException {
    // Authentication itself is delegated; nothing below runs if the parent throws.
    final UsernameSecurityTokenImpl validatedToken =
        super.<UsernameSecurityTokenImpl>validate(usernameTokenType, tokenContext);

    final Subject authenticated = new Subject();
    authenticated.getPrincipals().add(validatedToken.getPrincipal());

    final String user = validatedToken.getUsername();
    final boolean isManager = "Alice".equals(user);
    if (isManager) {
        authenticated.getPrincipals().add(new SimpleGroup("manager", user));
    }
    // Every validated user is a worker.
    authenticated.getPrincipals().add(new SimpleGroup("worker", user));

    validatedToken.setSubject(authenticated);
    return (T) validatedToken;
}
Also used : UsernameSecurityTokenImpl(org.apache.wss4j.stax.impl.securityToken.UsernameSecurityTokenImpl) SimpleGroup(org.apache.cxf.common.security.SimpleGroup) Subject(javax.security.auth.Subject)
