
Example 1 with SecurePart

Use of org.apache.xml.security.stax.ext.SecurePart in the Apache CXF project.

From class XmlSecOutInterceptor, method configureEncryption.

/**
 * Populates the outbound encryption settings on {@code properties}: the symmetric
 * algorithm and key, optionally the recipient certificate used to wrap that key
 * (when {@code encryptSymmetricKey} is set), the ENCRYPT action, and the parts to
 * encrypt. When no elements are configured the entire request is encrypted.
 *
 * @param message the current outbound message
 * @param properties the security properties being configured
 * @throws Exception when the recipient certificate, or the user name needed to
 *         look it up, cannot be resolved
 */
private void configureEncryption(Message message, XMLSecurityProperties properties) throws Exception {
    final String configuredSymAlgo = encryptionProperties.getEncryptionSymmetricKeyAlgo();
    // Default to AES-256 when no symmetric algorithm has been configured
    final String symEncAlgo = configuredSymAlgo != null ? configuredSymAlgo : XMLCipher.AES_256;
    properties.setEncryptionSymAlgorithm(symEncAlgo);
    properties.setEncryptionKey(getSymmetricKey(symEncAlgo));

    if (encryptSymmetricKey) {
        final X509Certificate sendingCert = resolveEncryptionCertificate(message);
        if (sendingCert == null) {
            throw new Exception("Sending certificate is not available");
        }
        properties.setEncryptionUseThisCertificate(sendingCert);
        properties.setEncryptionKeyIdentifier(convertKeyIdentifier(encryptionProperties.getEncryptionKeyIdType()));
        properties.setEncryptionKeyName(encryptionProperties.getEncryptionKeyName());
        final String keyTransportAlgo = encryptionProperties.getEncryptionKeyTransportAlgo();
        if (keyTransportAlgo != null) {
            properties.setEncryptionKeyTransportAlgorithm(keyTransportAlgo);
        }
        final String keyTransportDigestAlgo = encryptionProperties.getEncryptionDigestAlgo();
        if (keyTransportDigestAlgo != null) {
            properties.setEncryptionKeyTransportDigestAlgorithm(keyTransportDigestAlgo);
        }
    }

    properties.addAction(XMLSecurityConstants.ENCRYPT);
    if (elementsToEncrypt != null && !elementsToEncrypt.isEmpty()) {
        for (QName element : elementsToEncrypt) {
            properties.addEncryptionPart(new SecurePart(element, SecurePart.Modifier.Element));
        }
    } else {
        LOG.fine("No Elements to encrypt are specified, so the entire request is encrypt");
        final SecurePart wholeRequest = new SecurePart((QName) null, SecurePart.Modifier.Element);
        wholeRequest.setSecureEntireRequest(true);
        properties.addEncryptionPart(wholeRequest);
    }
}

/**
 * Resolves the certificate whose public key wraps the symmetric encryption key.
 * On the responder side, when the configured user name is
 * {@code USE_REQUEST_SIGNATURE_CERT}, the certificate that signed the incoming
 * request is reused (first from the in-message content, then from the recorded
 * incoming security events); otherwise it is looked up in the encryption Crypto.
 *
 * @param message the current outbound message
 * @return the resolved certificate, or {@code null} when none could be found
 * @throws Exception when the user name for the Crypto lookup is empty
 */
private X509Certificate resolveEncryptionCertificate(Message message) throws Exception {
    String userName = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
    if (RSSecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName) && !MessageUtils.isRequestor(message)) {
        final X509Certificate requestCert = message.getExchange().getInMessage().getContent(X509Certificate.class);
        if (requestCert != null) {
            return requestCert;
        }
        @SuppressWarnings("unchecked")
        final List<SecurityEvent> incomingSecurityEventList =
            (List<SecurityEvent>) message.getExchange().get(SecurityEvent.class.getName() + ".in");
        return getUseReqSigCert(incomingSecurityEventList);
    }
    final CryptoLoader loader = new CryptoLoader();
    final Crypto crypto = loader.getCrypto(message, SecurityConstants.ENCRYPT_CRYPTO, SecurityConstants.ENCRYPT_PROPERTIES);
    userName = RSSecurityUtils.getUserName(crypto, userName);
    if (StringUtils.isEmpty(userName)) {
        throw new Exception("User name is not available");
    }
    return getCertificateFromCrypto(crypto, userName);
}

Example 2 with SecurePart

Use of org.apache.xml.security.stax.ext.SecurePart in the Apache CXF project.

From class AbstractStaxBindingHandler, method addSignatureConfirmation.

/**
 * Enables WS-Security 1.1 SignatureConfirmation when the Wss11 policy assertion
 * requires it. Requestors verify the confirmation on the response; responders add
 * the SIGNATURE_CONFIRMATION action. When a list of signature parts is supplied,
 * the SignatureConfirmation element is added to it so it is covered by the signature.
 *
 * @param sigParts the parts to be signed; may be {@code null}
 */
protected void addSignatureConfirmation(List<SecurePart> sigParts) {
    final Wss10 wss10 = getWss10();
    final boolean confirmationRequired =
        wss10 instanceof Wss11 && ((Wss11) wss10).isRequireSignatureConfirmation();
    if (!confirmationRequired) {
        // Nothing to do unless the policy asks for signature confirmation
        return;
    }

    if (isRequestor()) {
        properties.setEnableSignatureConfirmationVerification(true);
    } else {
        properties.getActions().add(WSSConstants.SIGNATURE_CONFIRMATION);
    }

    if (sigParts != null) {
        sigParts.add(new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element));
    }
    signatureConfirmationAdded = true;
}

Example 3 with SecurePart

Use of org.apache.xml.security.stax.ext.SecurePart in the Apache CXF project.

From class AbstractStaxBindingHandler, method handleSupportingTokens.

/**
 * Processes every SupportingTokens assertion in {@code tokenAssertions}, marking it
 * asserted and delegating to the SupportingTokens overload, which records the
 * resulting token-to-part mappings.
 *
 * @param tokenAssertions the assertions to process; may be {@code null} or empty
 * @param signed whether the tokens are signed supporting tokens
 * @param endorse whether the tokens are endorsing supporting tokens
 * @return the map of handled tokens to their SecureParts, or an empty map when
 *         there are no assertions
 * @throws Exception propagated from the per-assertion handler
 */
protected Map<AbstractToken, SecurePart> handleSupportingTokens(Collection<AssertionInfo> tokenAssertions, boolean signed, boolean endorse) throws Exception {
    if (tokenAssertions == null || tokenAssertions.isEmpty()) {
        return Collections.emptyMap();
    }
    final Map<AbstractToken, SecurePart> tokenParts = new HashMap<>();
    for (AssertionInfo assertionInfo : tokenAssertions) {
        final Object assertion = assertionInfo.getAssertion();
        if (!(assertion instanceof SupportingTokens)) {
            continue;
        }
        assertionInfo.setAsserted(true);
        handleSupportingTokens((SupportingTokens) assertion, signed, endorse, tokenParts);
    }
    return tokenParts;
}

Example 4 with SecurePart

Use of org.apache.xml.security.stax.ext.SecurePart in the Apache CXF project.

From class AbstractStaxBindingHandler, method addKerberosToken.

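/**
 * Registers the Kerberos token obtained from {@link #getSecurityToken()} with the
 * outbound security context, adds the KERBEROS_TOKEN action, and returns the
 * SecurePart that references the resulting BinarySecurityToken so it can be signed.
 * When {@code encrypting} or {@code endorsing} is set, the token id is also recorded
 * as the token to use for encryption / signature respectively.
 *
 * @param token the KerberosToken policy assertion
 * @param signed whether the token is a signed supporting token (not used here)
 * @param endorsing whether the token endorses the message signature
 * @param encrypting whether the token is used to encrypt the message
 * @return the SecurePart covering the BinarySecurityToken, or {@code null} when the
 *         include-token type does not require the token or no security token is available
 * @throws WSSecurityException propagated from the token provider
 */
protected SecurePart addKerberosToken(KerberosToken token, boolean signed, boolean endorsing, boolean encrypting) throws WSSecurityException {
    assertToken(token);
    IncludeTokenType includeToken = token.getIncludeTokenType();
    if (!isTokenRequired(includeToken)) {
        return null;
    }
    final SecurityToken secToken = getSecurityToken();
    if (secToken == null) {
        unassertPolicy(token, "Could not find KerberosToken");
        // unassertPolicy may return normally (this cannot be confirmed from here); in
        // that case return rather than dereference the missing token below
        return null;
    }
    // Convert to WSS4J token; the secret key is derived from the token secret when
    // an algorithm URI is supplied, otherwise the stored key is returned as-is
    final KerberosClientSecurityToken wss4jToken = new KerberosClientSecurityToken(secToken.getData(), secToken.getKey(), secToken.getId()) {

        @Override
        public Key getSecretKey(String algorithmURI) throws XMLSecurityException {
            if (secToken.getSecret() != null && algorithmURI != null && !algorithmURI.isEmpty()) {
                return KeyUtils.prepareSecretKey(algorithmURI, secToken.getSecret());
            }
            return secToken.getKey();
        }
    };
    wss4jToken.setSha1Identifier(secToken.getSHA1());
    final SecurityTokenProvider<OutboundSecurityToken> kerberosSecurityTokenProvider = new SecurityTokenProvider<OutboundSecurityToken>() {

        @Override
        public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
            return wss4jToken;
        }

        @Override
        public String getId() {
            return wss4jToken.getId();
        }
    };
    final String tokenId = kerberosSecurityTokenProvider.getId();
    outboundSecurityContext.registerSecurityTokenProvider(tokenId, kerberosSecurityTokenProvider);
    outboundSecurityContext.put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS, tokenId);
    if (encrypting) {
        outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, tokenId);
    }
    if (endorsing) {
        outboundSecurityContext.put(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, tokenId);
    }
    // Action
    properties.addAction(WSSConstants.KERBEROS_TOKEN);
    // The BinarySecurityToken carrying the Kerberos ticket is what gets signed
    SecurePart securePart = new SecurePart(WSSConstants.TAG_WSSE_BINARY_SECURITY_TOKEN, Modifier.Element);
    securePart.setIdToSign(wss4jToken.getId());
    return securePart;
}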

Example 5 with SecurePart

Use of org.apache.xml.security.stax.ext.SecurePart in the Apache CXF project.

From class AbstractStaxBindingHandler, method getSignedParts.

/**
 * Identifies the portions of the message to be signed, from the SignedParts and
 * SignedElements policy assertions in the message's AssertionInfoMap. Each
 * assertion found is marked asserted. SignedParts contributes the SOAP Body,
 * the listed headers (name {@code *} when unnamed, not required) and the
 * attachments part (not required); SignedElements contributes the last element
 * of each XPath's element path.
 *
 * @return the list of parts to sign, possibly empty
 * @throws SOAPException declared for callers; nothing here throws it directly
 */
protected List<SecurePart> getSignedParts() throws SOAPException {
    final AssertionInfoMap aim = message.get(AssertionInfoMap.class);

    SignedParts parts = null;
    final AssertionInfo partsInfo = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SIGNED_PARTS);
    if (partsInfo != null) {
        parts = (SignedParts) partsInfo.getAssertion();
        partsInfo.setAsserted(true);
    }

    SignedElements elements = null;
    final AssertionInfo elementsInfo = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
    if (elementsInfo != null) {
        elements = (SignedElements) elementsInfo.getAssertion();
        elementsInfo.setAsserted(true);
    }

    final List<SecurePart> signedParts = new ArrayList<>();
    if (parts != null) {
        appendSignedParts(parts, signedParts);
    }
    if (elements != null && elements.getXPaths() != null) {
        appendSignedElements(elements, signedParts);
    }
    return signedParts;
}

/**
 * Adds the Body, header and attachment parts described by a SignedParts assertion.
 *
 * @param parts the SignedParts assertion
 * @param signedParts the list receiving the new parts
 */
private void appendSignedParts(SignedParts parts, List<SecurePart> signedParts) {
    if (parts.isBody()) {
        signedParts.add(new SecurePart(new QName(WSSConstants.NS_SOAP12, "Body"), Modifier.Element));
    }
    for (Header head : parts.getHeaders()) {
        // An unnamed header entry means "any header in that namespace"
        final String localName = head.getName() != null ? head.getName() : "*";
        final SecurePart headerPart = new SecurePart(new QName(head.getNamespace(), localName), Modifier.Element);
        headerPart.setRequired(false);
        signedParts.add(headerPart);
    }
    final Attachments attachments = parts.getAttachments();
    if (attachments != null) {
        final Modifier modifier = attachments.isContentSignatureTransform() ? Modifier.Content : Modifier.Element;
        final SecurePart attachmentsPart = new SecurePart("cid:Attachments", modifier);
        attachmentsPart.setRequired(false);
        signedParts.add(attachmentsPart);
    }
}

/**
 * Adds one part per XPath in a SignedElements assertion, keyed on the last element
 * of the resolved element path; XPaths that resolve to an empty path are skipped.
 *
 * @param elements the SignedElements assertion; its XPath list must be non-null
 * @param signedParts the list receiving the new parts
 */
private void appendSignedElements(SignedElements elements, List<SecurePart> signedParts) {
    for (XPath xPath : elements.getXPaths()) {
        final List<QName> elementPath = org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
        if (elementPath.isEmpty()) {
            continue;
        }
        final QName leaf = elementPath.get(elementPath.size() - 1);
        signedParts.add(new SecurePart(leaf, Modifier.Element));
    }
}
