Example 1 with InboundSecurityContextImpl

use of org.apache.xml.security.stax.impl.InboundSecurityContextImpl in project santuario-java by apache.

the class SecurityTokenFactoryImplTest method testKeyNameTokenWithoutKeyInMap.

@Test
public void testKeyNameTokenWithoutKeyInMap() throws Exception {
    expectedException.expect(XMLSecurityException.class);
    expectedException.expectMessage("No key configured for KeyName: mykey");
    SecurityTokenFactory factory = new SecurityTokenFactoryImpl();
    SecurityTokenConstants.KeyUsage keyUsage = SecurityTokenConstants.KeyUsage_Signature_Verification;
    InboundSecurityContext inboundSecurityContext = new InboundSecurityContextImpl();
    factory.getSecurityToken(keyInfoType, keyUsage, xmlSecurityProperties, inboundSecurityContext);
}
Also used : InboundSecurityContextImpl(org.apache.xml.security.stax.impl.InboundSecurityContextImpl) SecurityTokenFactory(org.apache.xml.security.stax.securityToken.SecurityTokenFactory) SecurityTokenConstants(org.apache.xml.security.stax.securityToken.SecurityTokenConstants) InboundSecurityContext(org.apache.xml.security.stax.ext.InboundSecurityContext) Test(org.junit.Test)

Example 2 with InboundSecurityContextImpl

use of org.apache.xml.security.stax.impl.InboundSecurityContextImpl in project santuario-java by apache.

the class SecurityTokenFactoryImplTest method setUp.

@Before
public void setUp() throws Exception {
    Init.init(null, this.getClass());
    ObjectFactory of = new ObjectFactory();
    JAXBElement<String> keyname = of.createKeyName("mykey");
    keyInfoType = new KeyInfoType();
    keyInfoType.setId("KeyName");
    keyInfoType.getContent().add(keyname);
    xmlSecurityProperties = new XMLSecurityProperties();
    inboundSecurityContext = new InboundSecurityContextImpl();
}
Also used : ObjectFactory(org.apache.xml.security.binding.xmldsig.ObjectFactory) InboundSecurityContextImpl(org.apache.xml.security.stax.impl.InboundSecurityContextImpl) XMLSecurityProperties(org.apache.xml.security.stax.ext.XMLSecurityProperties) KeyInfoType(org.apache.xml.security.binding.xmldsig.KeyInfoType) Before(org.junit.Before)

Example 3 with InboundSecurityContextImpl

use of org.apache.xml.security.stax.impl.InboundSecurityContextImpl in project santuario-java by apache.

the class SecurityTokenFactoryImplTest method testKeyNameTokenWithWrongKeyInMap.

@Test
public void testKeyNameTokenWithWrongKeyInMap() throws Exception {
    expectedException.expect(XMLSecurityException.class);
    expectedException.expectMessage("Key of type DSAPrivateKey not supported for a KeyName lookup");
    SecurityTokenFactory factory = new SecurityTokenFactoryImpl();
    SecurityTokenConstants.KeyUsage keyUsage = SecurityTokenConstants.KeyUsage_Signature_Verification;
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA", "SUN");
    KeyPair keyPair = keyGen.generateKeyPair();
    Key privateKey = keyPair.getPrivate();
    xmlSecurityProperties.addKeyNameMapping("mykey", privateKey);
    InboundSecurityContext inboundSecurityContext = new InboundSecurityContextImpl();
    factory.getSecurityToken(keyInfoType, keyUsage, xmlSecurityProperties, inboundSecurityContext);
}
Also used : KeyPair(java.security.KeyPair) InboundSecurityContextImpl(org.apache.xml.security.stax.impl.InboundSecurityContextImpl) SecurityTokenFactory(org.apache.xml.security.stax.securityToken.SecurityTokenFactory) SecurityTokenConstants(org.apache.xml.security.stax.securityToken.SecurityTokenConstants) KeyPairGenerator(java.security.KeyPairGenerator) InboundSecurityContext(org.apache.xml.security.stax.ext.InboundSecurityContext) Key(java.security.Key) KeyLoader.loadPublicKey(org.apache.xml.security.test.stax.utils.KeyLoader.loadPublicKey) Test(org.junit.Test)

Example 4 with InboundSecurityContextImpl

use of org.apache.xml.security.stax.impl.InboundSecurityContextImpl in project santuario-java by apache.

the class InboundXMLSec method processInMessage.

/**
 * Warning:
 * configure your xmlStreamReader correctly. Otherwise you can create a security hole.
 * At minimum configure the following properties:
 * xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 * xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
 * xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, false);
 * xmlInputFactory.setProperty(WstxInputProperties.P_MIN_TEXT_SEGMENT, new Integer(8192));
 * <p></p>
 * This method is the entry point for the incoming security-engine.
 * Hand over the original XMLStreamReader and use the returned one for further processing
 *
 * @param xmlStreamReader The original XMLStreamReader
 * @param requestSecurityEvents A List of requested SecurityEvents
 * @param securityEventListener A SecurityEventListener to receive security-relevant events.
 * @return A new XMLStreamReader which transparently performs the security processing.
 * @throws XMLStreamException  thrown when a streaming error occurs
 */
public XMLStreamReader processInMessage(XMLStreamReader xmlStreamReader, List<SecurityEvent> requestSecurityEvents, SecurityEventListener securityEventListener) throws XMLStreamException {
    if (requestSecurityEvents == null) {
        requestSecurityEvents = Collections.emptyList();
    }
    final InboundSecurityContextImpl inboundSecurityContext = new InboundSecurityContextImpl();
    inboundSecurityContext.putList(SecurityEvent.class, requestSecurityEvents);
    inboundSecurityContext.addSecurityEventListener(securityEventListener);
    inboundSecurityContext.put(XMLSecurityConstants.XMLINPUTFACTORY, xmlInputFactory);
    DocumentContextImpl documentContext = new DocumentContextImpl();
    documentContext.setEncoding(xmlStreamReader.getEncoding() != null ? xmlStreamReader.getEncoding() : java.nio.charset.StandardCharsets.UTF_8.name());
    // woodstox 3.2.9 returns null when used with a DOMSource
    Location location = xmlStreamReader.getLocation();
    if (location != null) {
        documentContext.setBaseURI(location.getSystemId());
    }
    InputProcessorChainImpl inputProcessorChain = new InputProcessorChainImpl(inboundSecurityContext, documentContext);
    inputProcessorChain.addProcessor(new XMLEventReaderInputProcessor(securityProperties, xmlStreamReader));
    List<InputProcessor> additionalInputProcessors = securityProperties.getInputProcessorList();
    if (!additionalInputProcessors.isEmpty()) {
        Iterator<InputProcessor> inputProcessorIterator = additionalInputProcessors.iterator();
        while (inputProcessorIterator.hasNext()) {
            InputProcessor inputProcessor = inputProcessorIterator.next();
            inputProcessorChain.addProcessor(inputProcessor);
        }
    }
    inputProcessorChain.addProcessor(new XMLSecurityInputProcessor(securityProperties));
    if (LOG.isTraceEnabled()) {
        LogInputProcessor LOGInputProcessor = new LogInputProcessor(securityProperties);
        LOGInputProcessor.addAfterProcessor(XMLSecurityInputProcessor.class.getName());
        inputProcessorChain.addProcessor(LOGInputProcessor);
    }
    return new XMLSecurityStreamReader(inputProcessorChain, securityProperties);
}
Also used : InputProcessorChainImpl(org.apache.xml.security.stax.impl.InputProcessorChainImpl) XMLSecurityStreamReader(org.apache.xml.security.stax.impl.XMLSecurityStreamReader) InboundSecurityContextImpl(org.apache.xml.security.stax.impl.InboundSecurityContextImpl) XMLEventReaderInputProcessor(org.apache.xml.security.stax.impl.processor.input.XMLEventReaderInputProcessor) XMLSecurityInputProcessor(org.apache.xml.security.stax.impl.processor.input.XMLSecurityInputProcessor) LogInputProcessor(org.apache.xml.security.stax.impl.processor.input.LogInputProcessor) DocumentContextImpl(org.apache.xml.security.stax.impl.DocumentContextImpl) Location(javax.xml.stream.Location)

Example 5 with InboundSecurityContextImpl

use of org.apache.xml.security.stax.impl.InboundSecurityContextImpl in project santuario-java by apache.

the class InputProcessorChainTest method testAddProcessorPhase2.

@Test
public void testAddProcessorPhase2() {
    InputProcessorChainImpl inputProcessorChain = new InputProcessorChainImpl(new InboundSecurityContextImpl());
    AbstractInputProcessor inputProcessor1 = new AbstractInputProcessor() {
    };
    inputProcessorChain.addProcessor(inputProcessor1);
    AbstractInputProcessor inputProcessor2 = new AbstractInputProcessor() {
    };
    inputProcessor2.setPhase(XMLSecurityConstants.Phase.PREPROCESSING);
    inputProcessorChain.addProcessor(inputProcessor2);
    AbstractInputProcessor inputProcessor3 = new AbstractInputProcessor() {
    };
    inputProcessor3.setPhase(XMLSecurityConstants.Phase.POSTPROCESSING);
    inputProcessorChain.addProcessor(inputProcessor3);
    AbstractInputProcessor inputProcessor4 = new AbstractInputProcessor() {
    };
    inputProcessor4.setPhase(XMLSecurityConstants.Phase.POSTPROCESSING);
    inputProcessorChain.addProcessor(inputProcessor4);
    AbstractInputProcessor inputProcessor5 = new AbstractInputProcessor() {
    };
    inputProcessor5.setPhase(XMLSecurityConstants.Phase.PREPROCESSING);
    inputProcessorChain.addProcessor(inputProcessor5);
    AbstractInputProcessor inputProcessor6 = new AbstractInputProcessor() {
    };
    inputProcessorChain.addProcessor(inputProcessor6);
    Assert.assertEquals(inputProcessorChain.getProcessors().get(0), inputProcessor4);
    Assert.assertEquals(inputProcessorChain.getProcessors().get(1), inputProcessor3);
    Assert.assertEquals(inputProcessorChain.getProcessors().get(2), inputProcessor6);
    Assert.assertEquals(inputProcessorChain.getProcessors().get(3), inputProcessor1);
    Assert.assertEquals(inputProcessorChain.getProcessors().get(4), inputProcessor5);
    Assert.assertEquals(inputProcessorChain.getProcessors().get(5), inputProcessor2);
}
Also used : InputProcessorChainImpl(org.apache.xml.security.stax.impl.InputProcessorChainImpl) InboundSecurityContextImpl(org.apache.xml.security.stax.impl.InboundSecurityContextImpl) Test(org.junit.Test)

Aggregations

InboundSecurityContextImpl (org.apache.xml.security.stax.impl.InboundSecurityContextImpl) 14
Test (org.junit.Test) 12
InputProcessorChainImpl (org.apache.xml.security.stax.impl.InputProcessorChainImpl) 10
XMLSecurityStreamReader (org.apache.xml.security.stax.impl.XMLSecurityStreamReader) 5
InboundSecurityContext (org.apache.xml.security.stax.ext.InboundSecurityContext) 3
SecurityTokenConstants (org.apache.xml.security.stax.securityToken.SecurityTokenConstants) 3
SecurityTokenFactory (org.apache.xml.security.stax.securityToken.SecurityTokenFactory) 3
DocumentContextImpl (org.apache.xml.security.stax.impl.DocumentContextImpl) 2
ByteArrayOutputStream (java.io.ByteArrayOutputStream) 1
Key (java.security.Key) 1
KeyPair (java.security.KeyPair) 1
KeyPairGenerator (java.security.KeyPairGenerator) 1
Location (javax.xml.stream.Location) 1
XMLInputFactory (javax.xml.stream.XMLInputFactory) 1
XMLStreamReader (javax.xml.stream.XMLStreamReader) 1
TransformerFactory (javax.xml.transform.TransformerFactory) 1
StAXSource (javax.xml.transform.stax.StAXSource) 1
StreamResult (javax.xml.transform.stream.StreamResult) 1
KeyInfoType (org.apache.xml.security.binding.xmldsig.KeyInfoType) 1
ObjectFactory (org.apache.xml.security.binding.xmldsig.ObjectFactory) 1