Example 1 with SecurePart
use of org.apache.xml.security.stax.ext.SecurePart in project cxf by apache.
the class XmlSecOutInterceptor method configureEncryption.
private void configureEncryption(Message message, XMLSecurityProperties properties) throws Exception {
String symEncAlgo = encryptionProperties.getEncryptionSymmetricKeyAlgo() == null ? XMLCipher.AES_256 : encryptionProperties.getEncryptionSymmetricKeyAlgo();
properties.setEncryptionSymAlgorithm(symEncAlgo);
properties.setEncryptionKey(getSymmetricKey(symEncAlgo));
if (encryptSymmetricKey) {
X509Certificate sendingCert = null;
String userName = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
if (RSSecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName) && !MessageUtils.isRequestor(message)) {
sendingCert = message.getExchange().getInMessage().getContent(X509Certificate.class);
if (sendingCert == null) {
@SuppressWarnings("unchecked") final List<SecurityEvent> incomingSecurityEventList = (List<SecurityEvent>) message.getExchange().get(SecurityEvent.class.getName() + ".in");
sendingCert = getUseReqSigCert(incomingSecurityEventList);
}
} else {
CryptoLoader loader = new CryptoLoader();
Crypto crypto = loader.getCrypto(message, SecurityConstants.ENCRYPT_CRYPTO, SecurityConstants.ENCRYPT_PROPERTIES);
userName = RSSecurityUtils.getUserName(crypto, userName);
if (StringUtils.isEmpty(userName)) {
throw new Exception("User name is not available");
}
sendingCert = getCertificateFromCrypto(crypto, userName);
}
if (sendingCert == null) {
throw new Exception("Sending certificate is not available");
}
properties.setEncryptionUseThisCertificate(sendingCert);
properties.setEncryptionKeyIdentifier(convertKeyIdentifier(encryptionProperties.getEncryptionKeyIdType()));
properties.setEncryptionKeyName(encryptionProperties.getEncryptionKeyName());
if (encryptionProperties.getEncryptionKeyTransportAlgo() != null) {
properties.setEncryptionKeyTransportAlgorithm(encryptionProperties.getEncryptionKeyTransportAlgo());
}
if (encryptionProperties.getEncryptionDigestAlgo() != null) {
properties.setEncryptionKeyTransportDigestAlgorithm(encryptionProperties.getEncryptionDigestAlgo());
}
}
properties.addAction(XMLSecurityConstants.ENCRYPT);
if (elementsToEncrypt == null || elementsToEncrypt.isEmpty()) {
LOG.fine("No Elements to encrypt are specified, so the entire request is encrypt");
SecurePart securePart = new SecurePart((QName) null, SecurePart.Modifier.Element);
securePart.setSecureEntireRequest(true);
properties.addEncryptionPart(securePart);
} else {
for (QName element : elementsToEncrypt) {
SecurePart securePart = new SecurePart(element, SecurePart.Modifier.Element);
properties.addEncryptionPart(securePart);
}
}
}
Also used :
SecurePart(org.apache.xml.security.stax.ext.SecurePart)
TokenSecurityEvent(org.apache.xml.security.stax.securityEvent.TokenSecurityEvent)
SecurityEvent(org.apache.xml.security.stax.securityEvent.SecurityEvent)
Crypto(org.apache.wss4j.common.crypto.Crypto)
QName(javax.xml.namespace.QName)
CryptoLoader(org.apache.cxf.rs.security.common.CryptoLoader)
ArrayList(java.util.ArrayList)
List(java.util.List)
X509Certificate(java.security.cert.X509Certificate)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
XMLStreamException(javax.xml.stream.XMLStreamException)
XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException)
Example 2 with SecurePart
use of org.apache.xml.security.stax.ext.SecurePart in project cxf by apache.
the class AbstractStaxBindingHandler method addSignatureConfirmation.
protected void addSignatureConfirmation(List<SecurePart> sigParts) {
Wss10 wss10 = getWss10();
if (!(wss10 instanceof Wss11) || !((Wss11) wss10).isRequireSignatureConfirmation()) {
// If we don't require sig confirmation simply go back :-)
return;
}
// Enable SignatureConfirmation
if (isRequestor()) {
properties.setEnableSignatureConfirmationVerification(true);
} else {
properties.getActions().add(WSSConstants.SIGNATURE_CONFIRMATION);
}
if (sigParts != null) {
SecurePart securePart = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
sigParts.add(securePart);
}
signatureConfirmationAdded = true;
}
Also used :
SecurePart(org.apache.xml.security.stax.ext.SecurePart)
Wss11(org.apache.wss4j.policy.model.Wss11)
Wss10(org.apache.wss4j.policy.model.Wss10)
Example 3 with SecurePart
use of org.apache.xml.security.stax.ext.SecurePart in project cxf by apache.
the class AbstractStaxBindingHandler method handleSupportingTokens.
protected Map<AbstractToken, SecurePart> handleSupportingTokens(Collection<AssertionInfo> tokenAssertions, boolean signed, boolean endorse) throws Exception {
if (tokenAssertions != null && !tokenAssertions.isEmpty()) {
Map<AbstractToken, SecurePart> ret = new HashMap<>();
for (AssertionInfo assertionInfo : tokenAssertions) {
if (assertionInfo.getAssertion() instanceof SupportingTokens) {
assertionInfo.setAsserted(true);
handleSupportingTokens((SupportingTokens) assertionInfo.getAssertion(), signed, endorse, ret);
}
}
return ret;
}
return Collections.emptyMap();
}
Also used :
SecurePart(org.apache.xml.security.stax.ext.SecurePart)
SupportingTokens(org.apache.wss4j.policy.model.SupportingTokens)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
HashMap(java.util.HashMap)
Example 4 with SecurePart
use of org.apache.xml.security.stax.ext.SecurePart in project cxf by apache.
the class AbstractStaxBindingHandler method addKerberosToken.
protected SecurePart addKerberosToken(KerberosToken token, boolean signed, boolean endorsing, boolean encrypting) throws WSSecurityException {
assertToken(token);
IncludeTokenType includeToken = token.getIncludeTokenType();
if (!isTokenRequired(includeToken)) {
return null;
}
final SecurityToken secToken = getSecurityToken();
if (secToken == null) {
unassertPolicy(token, "Could not find KerberosToken");
}
// Convert to WSS4J token
final KerberosClientSecurityToken wss4jToken = new KerberosClientSecurityToken(secToken.getData(), secToken.getKey(), secToken.getId()) {
@Override
public Key getSecretKey(String algorithmURI) throws XMLSecurityException {
if (secToken.getSecret() != null && algorithmURI != null && !"".equals(algorithmURI)) {
return KeyUtils.prepareSecretKey(algorithmURI, secToken.getSecret());
}
return secToken.getKey();
}
};
wss4jToken.setSha1Identifier(secToken.getSHA1());
final SecurityTokenProvider<OutboundSecurityToken> kerberosSecurityTokenProvider = new SecurityTokenProvider<OutboundSecurityToken>() {
@Override
public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
return wss4jToken;
}
@Override
public String getId() {
return wss4jToken.getId();
}
};
outboundSecurityContext.registerSecurityTokenProvider(kerberosSecurityTokenProvider.getId(), kerberosSecurityTokenProvider);
outboundSecurityContext.put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS, kerberosSecurityTokenProvider.getId());
if (encrypting) {
outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, kerberosSecurityTokenProvider.getId());
}
if (endorsing) {
outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, kerberosSecurityTokenProvider.getId());
}
// Action
properties.addAction(WSSConstants.KERBEROS_TOKEN);
/*
if (endorsing) {
String action = (String)config.get(ConfigurationConstants.ACTION);
config.put(ConfigurationConstants.ACTION,
ConfigurationConstants.SIGNATURE_WITH_KERBEROS_TOKEN + " " + action);
// config.put(ConfigurationConstants.SIG_KEY_ID, "DirectReference");
}
*/
SecurePart securePart = new SecurePart(WSSConstants.TAG_WSSE_BINARY_SECURITY_TOKEN, Modifier.Element);
securePart.setIdToSign(wss4jToken.getId());
return securePart;
}
Also used :
GenericOutboundSecurityToken(org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
KerberosClientSecurityToken(org.apache.wss4j.stax.impl.securityToken.KerberosClientSecurityToken)
OutboundSecurityToken(org.apache.xml.security.stax.securityToken.OutboundSecurityToken)
SecurePart(org.apache.xml.security.stax.ext.SecurePart)
GenericOutboundSecurityToken(org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken)
OutboundSecurityToken(org.apache.xml.security.stax.securityToken.OutboundSecurityToken)
IncludeTokenType(org.apache.wss4j.policy.SPConstants.IncludeTokenType)
KerberosClientSecurityToken(org.apache.wss4j.stax.impl.securityToken.KerberosClientSecurityToken)
SecurityTokenProvider(org.apache.xml.security.stax.securityToken.SecurityTokenProvider)
Example 5 with SecurePart
use of org.apache.xml.security.stax.ext.SecurePart in project cxf by apache.
the class AbstractStaxBindingHandler method getSignedParts.
/**
* Identifies the portions of the message to be signed
*/
protected List<SecurePart> getSignedParts() throws SOAPException {
SignedParts parts = null;
SignedElements elements = null;
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
AssertionInfo assertionInfo = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SIGNED_PARTS);
if (assertionInfo != null) {
parts = (SignedParts) assertionInfo.getAssertion();
assertionInfo.setAsserted(true);
}
assertionInfo = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
if (assertionInfo != null) {
elements = (SignedElements) assertionInfo.getAssertion();
assertionInfo.setAsserted(true);
}
List<SecurePart> signedParts = new ArrayList<>();
if (parts != null) {
if (parts.isBody()) {
QName soapBody = new QName(WSSConstants.NS_SOAP12, "Body");
SecurePart securePart = new SecurePart(soapBody, Modifier.Element);
signedParts.add(securePart);
}
for (Header head : parts.getHeaders()) {
String localName = head.getName();
if (localName == null) {
localName = "*";
}
QName qname = new QName(head.getNamespace(), localName);
SecurePart securePart = new SecurePart(qname, Modifier.Element);
securePart.setRequired(false);
signedParts.add(securePart);
}
Attachments attachments = parts.getAttachments();
if (attachments != null) {
Modifier modifier = Modifier.Element;
if (attachments.isContentSignatureTransform()) {
modifier = Modifier.Content;
}
SecurePart securePart = new SecurePart("cid:Attachments", modifier);
securePart.setRequired(false);
signedParts.add(securePart);
}
}
if (elements != null && elements.getXPaths() != null) {
for (XPath xPath : elements.getXPaths()) {
List<QName> qnames = org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
if (!qnames.isEmpty()) {
SecurePart securePart = new SecurePart(qnames.get(qnames.size() - 1), Modifier.Element);
signedParts.add(securePart);
}
}
}
return signedParts;
}
Also used :
XPath(org.apache.wss4j.policy.model.XPath)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
QName(javax.xml.namespace.QName)
SignedElements(org.apache.wss4j.policy.model.SignedElements)
ArrayList(java.util.ArrayList)
Attachments(org.apache.wss4j.policy.model.Attachments)
AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)
SecurePart(org.apache.xml.security.stax.ext.SecurePart)
Header(org.apache.wss4j.policy.model.Header)
SignedParts(org.apache.wss4j.policy.model.SignedParts)
Modifier(org.apache.xml.security.stax.ext.SecurePart.Modifier)
Aggregations
SecurePart (org.apache.xml.security.stax.ext.SecurePart)30
QName (javax.xml.namespace.QName)26
WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)19
WSSConstants (org.apache.wss4j.stax.ext.WSSConstants)18
ArrayList (java.util.ArrayList)17
Properties (java.util.Properties)12
Client (org.apache.cxf.endpoint.Client)12
LoggingInInterceptor (org.apache.cxf.ext.logging.LoggingInInterceptor)12
LoggingOutInterceptor (org.apache.cxf.ext.logging.LoggingOutInterceptor)12
Service (org.apache.cxf.service.Service)12
Test (org.junit.Test)12
AbstractToken (org.apache.wss4j.policy.model.AbstractToken)8
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)7
HashMap (java.util.HashMap)6
IssuedToken (org.apache.wss4j.policy.model.IssuedToken)6
SOAPException (javax.xml.soap.SOAPException)5
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)5
Fault (org.apache.cxf.interceptor.Fault)4
AbstractTokenWrapper (org.apache.wss4j.policy.model.AbstractTokenWrapper)4
SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)4
