Example 6 with SecurePart
use of org.apache.xml.security.stax.ext.SecurePart in project cxf by apache.
the class AbstractStaxBindingHandler method getEncryptedParts.
/**
* Identifies the portions of the message to be encrypted
*/
protected List<SecurePart> getEncryptedParts() throws SOAPException {
EncryptedParts parts = null;
EncryptedElements elements = null;
ContentEncryptedElements celements = null;
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
parts = (EncryptedParts) ai.getAssertion();
ai.setAsserted(true);
}
}
ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
elements = (EncryptedElements) ai.getAssertion();
ai.setAsserted(true);
}
}
ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
celements = (ContentEncryptedElements) ai.getAssertion();
ai.setAsserted(true);
}
}
List<SecurePart> encryptedParts = new ArrayList<>();
if (parts != null) {
if (parts.isBody()) {
QName soapBody = new QName(WSSConstants.NS_SOAP12, "Body");
SecurePart securePart = new SecurePart(soapBody, Modifier.Content);
encryptedParts.add(securePart);
}
for (Header head : parts.getHeaders()) {
String localName = head.getName();
if (localName == null) {
localName = "*";
}
QName qname = new QName(head.getNamespace(), localName);
SecurePart securePart = new SecurePart(qname, Modifier.Element);
securePart.setRequired(false);
encryptedParts.add(securePart);
}
Attachments attachments = parts.getAttachments();
if (attachments != null) {
SecurePart securePart = new SecurePart("cid:Attachments", Modifier.Element);
if (MessageUtils.getContextualBoolean(message, SecurityConstants.USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM, false)) {
securePart.setModifier(Modifier.Content);
}
securePart.setRequired(false);
encryptedParts.add(securePart);
}
}
if (elements != null && elements.getXPaths() != null) {
for (XPath xPath : elements.getXPaths()) {
List<QName> qnames = org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
if (!qnames.isEmpty()) {
SecurePart securePart = new SecurePart(qnames.get(qnames.size() - 1), Modifier.Element);
encryptedParts.add(securePart);
}
}
}
if (celements != null && celements.getXPaths() != null) {
for (XPath xPath : celements.getXPaths()) {
List<QName> qnames = org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
if (!qnames.isEmpty()) {
SecurePart securePart = new SecurePart(qnames.get(qnames.size() - 1), Modifier.Content);
encryptedParts.add(securePart);
}
}
}
return encryptedParts;
}
Also used :
XPath(org.apache.wss4j.policy.model.XPath)
EncryptedParts(org.apache.wss4j.policy.model.EncryptedParts)
AssertionInfo(org.apache.cxf.ws.policy.AssertionInfo)
ContentEncryptedElements(org.apache.wss4j.policy.model.ContentEncryptedElements)
QName(javax.xml.namespace.QName)
ArrayList(java.util.ArrayList)
Attachments(org.apache.wss4j.policy.model.Attachments)
AssertionInfoMap(org.apache.cxf.ws.policy.AssertionInfoMap)
ContentEncryptedElements(org.apache.wss4j.policy.model.ContentEncryptedElements)
EncryptedElements(org.apache.wss4j.policy.model.EncryptedElements)
SecurePart(org.apache.xml.security.stax.ext.SecurePart)
Header(org.apache.wss4j.policy.model.Header)
Example 7 with SecurePart
use of org.apache.xml.security.stax.ext.SecurePart in project cxf by apache.
the class StaxAsymmetricBindingHandler method doEncryptBeforeSign.
private void doEncryptBeforeSign() {
try {
AbstractTokenWrapper wrapper;
AbstractToken encryptionToken = null;
if (isRequestor()) {
wrapper = abinding.getRecipientEncryptionToken();
if (wrapper == null) {
wrapper = abinding.getRecipientToken();
}
} else {
wrapper = abinding.getInitiatorEncryptionToken();
if (wrapper == null) {
wrapper = abinding.getInitiatorToken();
}
}
assertTokenWrapper(wrapper);
if (wrapper != null) {
encryptionToken = wrapper.getToken();
assertToken(encryptionToken);
}
AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
if (initiatorWrapper == null) {
initiatorWrapper = abinding.getInitiatorToken();
}
if (initiatorWrapper != null) {
assertTokenWrapper(initiatorWrapper);
AbstractToken initiatorToken = initiatorWrapper.getToken();
if (initiatorToken instanceof IssuedToken) {
SecurityToken sigTok = getSecurityToken();
addIssuedToken(initiatorToken, sigTok, false, true);
if (sigTok != null) {
storeSecurityToken(initiatorToken, sigTok);
outboundSecurityContext.remove(XMLSecurityConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
}
// Set up CallbackHandler which wraps the configured Handler
WSSSecurityProperties properties = getProperties();
TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
properties.setCallbackHandler(callbackHandler);
} else if (initiatorToken instanceof SamlToken) {
addSamlToken((SamlToken) initiatorToken, false, true);
}
}
List<SecurePart> encrParts = null;
List<SecurePart> sigParts = null;
try {
encrParts = getEncryptedParts();
// Signed parts are determined before encryption because encrypted signed headers
// will not be included otherwise
sigParts = getSignedParts();
} catch (SOAPException ex) {
throw new Fault(ex);
}
addSupportingTokens();
if (encryptionToken != null && !encrParts.isEmpty()) {
if (isRequestor()) {
encrParts.addAll(encryptedTokensList);
} else {
addSignatureConfirmation(sigParts);
}
// Check for signature protection
if (abinding.isEncryptSignature()) {
SecurePart part = new SecurePart(new QName(XMLSecurityConstants.NS_DSIG, "Signature"), Modifier.Element);
encrParts.add(part);
if (signatureConfirmationAdded) {
SecurePart securePart = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
encrParts.add(securePart);
}
assertPolicy(new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
doEncryption(wrapper, encrParts, true);
}
if (timestampAdded) {
SecurePart part = new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
sigParts.add(part);
}
if (!sigParts.isEmpty()) {
if (initiatorWrapper != null && isRequestor()) {
doSignature(initiatorWrapper, sigParts);
} else if (!isRequestor()) {
AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
if (recipientSignatureToken == null) {
recipientSignatureToken = abinding.getRecipientToken();
}
if (recipientSignatureToken != null) {
assertTokenWrapper(recipientSignatureToken);
assertToken(recipientSignatureToken.getToken());
doSignature(recipientSignatureToken, sigParts);
}
}
}
removeSignatureIfSignedSAML();
enforceEncryptBeforeSigningWithSignedSAML();
prependSignatureToSC();
putCustomTokenAfterSignature();
} catch (Exception e) {
String reason = e.getMessage();
LOG.log(Level.WARNING, "Encrypt before signing failed due to : " + reason);
throw new Fault(e);
}
}
Also used :
WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties)
SamlToken(org.apache.wss4j.policy.model.SamlToken)
QName(javax.xml.namespace.QName)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
Fault(org.apache.cxf.interceptor.Fault)
SOAPException(javax.xml.soap.SOAPException)
WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken)
SecurePart(org.apache.xml.security.stax.ext.SecurePart)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
SOAPException(javax.xml.soap.SOAPException)
TokenStoreCallbackHandler(org.apache.cxf.ws.security.wss4j.TokenStoreCallbackHandler)
AbstractTokenWrapper(org.apache.wss4j.policy.model.AbstractTokenWrapper)
Example 8 with SecurePart
use of org.apache.xml.security.stax.ext.SecurePart in project cxf by apache.
the class StaxSymmetricBindingHandler method doSignature.
private void doSignature(AbstractTokenWrapper wrapper, AbstractToken policyToken, SecurityToken tok, List<SecurePart> sigParts) throws WSSecurityException, SOAPException {
// Action
WSSSecurityProperties properties = getProperties();
WSSConstants.Action actionToPerform = XMLSecurityConstants.SIGNATURE;
if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
actionToPerform = WSSConstants.SIGNATURE_WITH_DERIVED_KEY;
if (MessageUtils.isRequestor(message) && policyToken instanceof X509Token) {
properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.EncryptedKey);
} else {
properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.DirectReference);
}
AlgorithmSuiteType algSuiteType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
properties.setDerivedSignatureKeyLength(algSuiteType.getSignatureDerivedKeyLength() / 8);
}
if (policyToken.getVersion() == SPConstants.SPVersion.SP12) {
properties.setUse200512Namespace(true);
}
List<WSSConstants.Action> actionList = properties.getActions();
// Add a Signature directly before Kerberos, otherwise just append it
boolean actionAdded = false;
for (int i = 0; i < actionList.size(); i++) {
WSSConstants.Action action = actionList.get(i);
if (action.equals(WSSConstants.KERBEROS_TOKEN)) {
actionList.add(i, actionToPerform);
actionAdded = true;
break;
}
}
if (!actionAdded) {
actionList.add(actionToPerform);
}
properties.getSignatureSecureParts().addAll(sigParts);
AbstractToken sigToken = wrapper.getToken();
if (sbinding.isProtectTokens() && sigToken instanceof X509Token && isRequestor()) {
SecurePart securePart = new SecurePart(new QName(XMLSecurityConstants.NS_XMLENC, "EncryptedKey"), Modifier.Element);
properties.addSignaturePart(securePart);
}
configureSignature(sigToken, false);
if (policyToken instanceof X509Token) {
properties.setIncludeSignatureToken(false);
if (isRequestor()) {
properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_EncryptedKey);
} else {
properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
}
}
} else if (policyToken instanceof KerberosToken) {
if (isRequestor()) {
properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
} else {
if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
} else {
properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
}
properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
}
} else if (policyToken instanceof IssuedToken || policyToken instanceof SecurityContextToken || policyToken instanceof SecureConversationToken || policyToken instanceof SpnegoContextToken) {
if (!isRequestor()) {
properties.setIncludeSignatureToken(false);
} else {
properties.setIncludeSignatureToken(true);
}
properties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
}
if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
properties.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
}
}
Also used :
WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties)
WSSConstants(org.apache.wss4j.stax.ext.WSSConstants)
AlgorithmSuiteType(org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType)
QName(javax.xml.namespace.QName)
KerberosToken(org.apache.wss4j.policy.model.KerberosToken)
IssuedToken(org.apache.wss4j.policy.model.IssuedToken)
SecureConversationToken(org.apache.wss4j.policy.model.SecureConversationToken)
SpnegoContextToken(org.apache.wss4j.policy.model.SpnegoContextToken)
SecurePart(org.apache.xml.security.stax.ext.SecurePart)
X509Token(org.apache.wss4j.policy.model.X509Token)
AbstractToken(org.apache.wss4j.policy.model.AbstractToken)
SecurityContextToken(org.apache.wss4j.policy.model.SecurityContextToken)
Example 9 with SecurePart
use of org.apache.xml.security.stax.ext.SecurePart in project cxf by apache.
the class StaxCryptoCoverageCheckerTest method testSignedUsernameToken.
@Test
public void testSignedUsernameToken() throws Exception {
// Create + configure service
Service service = createService();
WSSSecurityProperties inProperties = new WSSSecurityProperties();
inProperties.setCallbackHandler(new TestPwdCallback());
Properties cryptoProperties = CryptoFactory.getProperties("insecurity.properties", this.getClass().getClassLoader());
inProperties.setSignatureVerificationCryptoProperties(cryptoProperties);
WSS4JStaxInInterceptor inhandler = new WSS4JStaxInInterceptor(inProperties);
service.getInInterceptors().add(inhandler);
StaxCryptoCoverageChecker checker = new StaxCryptoCoverageChecker();
checker.setSignBody(false);
checker.setSignUsernameToken(true);
service.getInInterceptors().add(checker);
// Create + configure client
Echo echo = createClientProxy();
Client client = ClientProxy.getClient(echo);
client.getInInterceptors().add(new LoggingInInterceptor());
client.getOutInterceptors().add(new LoggingOutInterceptor());
WSSSecurityProperties properties = new WSSSecurityProperties();
List<WSSConstants.Action> actions = new ArrayList<WSSConstants.Action>();
actions.add(WSSConstants.USERNAMETOKEN);
actions.add(XMLSecurityConstants.SIGNATURE);
properties.setActions(actions);
properties.setSignatureUser("myalias");
properties.addSignaturePart(new SecurePart(new QName(WSSConstants.NS_WSSE10, "UsernameToken"), SecurePart.Modifier.Element));
properties.addSignaturePart(new SecurePart(new QName(WSSConstants.NS_SOAP11, "Body"), SecurePart.Modifier.Element));
Properties outCryptoProperties = CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
properties.setSignatureCryptoProperties(outCryptoProperties);
properties.setTokenUser("username");
properties.setCallbackHandler(new TestPwdCallback());
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(properties);
client.getOutInterceptors().add(ohandler);
checker.setEncryptUsernameToken(false);
assertEquals("test", echo.echo("test"));
checker.setEncryptUsernameToken(true);
try {
echo.echo("test");
fail("Failure expected as UsernameToken isn't encrypted");
} catch (javax.xml.ws.soap.SOAPFaultException ex) {
// expected
}
}
Also used :
WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties)
WSSConstants(org.apache.wss4j.stax.ext.WSSConstants)
QName(javax.xml.namespace.QName)
ArrayList(java.util.ArrayList)
Service(org.apache.cxf.service.Service)
Properties(java.util.Properties)
WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties)
SecurePart(org.apache.xml.security.stax.ext.SecurePart)
LoggingOutInterceptor(org.apache.cxf.ext.logging.LoggingOutInterceptor)
LoggingInInterceptor(org.apache.cxf.ext.logging.LoggingInInterceptor)
Client(org.apache.cxf.endpoint.Client)
Test(org.junit.Test)
Example 10 with SecurePart
use of org.apache.xml.security.stax.ext.SecurePart in project cxf by apache.
the class StaxRoundTripActionTest method testEncryptUsernameToken.
@Test
public void testEncryptUsernameToken() throws Exception {
// Create + configure service
Service service = createService();
WSSSecurityProperties inProperties = new WSSSecurityProperties();
inProperties.setCallbackHandler(new TestPwdCallback());
List<WSSConstants.Action> actions = new ArrayList<WSSConstants.Action>();
actions.add(XMLSecurityConstants.ENCRYPT);
actions.add(WSSConstants.USERNAMETOKEN);
inProperties.setActions(actions);
Properties cryptoProperties = CryptoFactory.getProperties("insecurity.properties", this.getClass().getClassLoader());
inProperties.setDecryptionCryptoProperties(cryptoProperties);
WSS4JStaxInInterceptor inhandler = new WSS4JStaxInInterceptor(inProperties);
service.getInInterceptors().add(inhandler);
// Create + configure client
Echo echo = createClientProxy();
Client client = ClientProxy.getClient(echo);
client.getInInterceptors().add(new LoggingInInterceptor());
client.getOutInterceptors().add(new LoggingOutInterceptor());
WSSSecurityProperties properties = new WSSSecurityProperties();
actions = new ArrayList<WSSConstants.Action>();
actions.add(WSSConstants.USERNAMETOKEN);
actions.add(XMLSecurityConstants.ENCRYPT);
properties.setActions(actions);
properties.addEncryptionPart(new SecurePart(new QName(WSSConstants.NS_WSSE10, "UsernameToken"), SecurePart.Modifier.Element));
properties.setEncryptionUser("myalias");
properties.setTokenUser("username");
properties.setEncryptionSymAlgorithm(XMLSecurityConstants.NS_XENC_AES128);
Properties outCryptoProperties = CryptoFactory.getProperties("outsecurity.properties", this.getClass().getClassLoader());
properties.setEncryptionCryptoProperties(outCryptoProperties);
properties.setCallbackHandler(new TestPwdCallback());
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(properties);
client.getOutInterceptors().add(ohandler);
assertEquals("test", echo.echo("test"));
}
Also used :
WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties)
WSSConstants(org.apache.wss4j.stax.ext.WSSConstants)
QName(javax.xml.namespace.QName)
ArrayList(java.util.ArrayList)
Service(org.apache.cxf.service.Service)
Properties(java.util.Properties)
WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties)
SecurePart(org.apache.xml.security.stax.ext.SecurePart)
LoggingOutInterceptor(org.apache.cxf.ext.logging.LoggingOutInterceptor)
LoggingInInterceptor(org.apache.cxf.ext.logging.LoggingInInterceptor)
Client(org.apache.cxf.endpoint.Client)
Test(org.junit.Test)
Aggregations
SecurePart (org.apache.xml.security.stax.ext.SecurePart)30
QName (javax.xml.namespace.QName)26
WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)19
WSSConstants (org.apache.wss4j.stax.ext.WSSConstants)18
ArrayList (java.util.ArrayList)17
Properties (java.util.Properties)12
Client (org.apache.cxf.endpoint.Client)12
LoggingInInterceptor (org.apache.cxf.ext.logging.LoggingInInterceptor)12
LoggingOutInterceptor (org.apache.cxf.ext.logging.LoggingOutInterceptor)12
Service (org.apache.cxf.service.Service)12
Test (org.junit.Test)12
AbstractToken (org.apache.wss4j.policy.model.AbstractToken)8
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)7
HashMap (java.util.HashMap)6
IssuedToken (org.apache.wss4j.policy.model.IssuedToken)6
SOAPException (javax.xml.soap.SOAPException)5
SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken)5
Fault (org.apache.cxf.interceptor.Fault)4
AbstractTokenWrapper (org.apache.wss4j.policy.model.AbstractTokenWrapper)4
SecureConversationToken (org.apache.wss4j.policy.model.SecureConversationToken)4
