Example 6 with SecurityEvent

Use of org.apache.xml.security.stax.securityEvent.SecurityEvent in project cxf by apache.

The class StaxActionInInterceptor, method handleMessage.

@Override
public void handleMessage(SoapMessage soapMessage) throws Fault {
    if (inActions == null || inActions.isEmpty()) {
        return;
    }
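    // Security events stored on the inbound message under the key SecurityEvent.class.getName() + ".in"
    @SuppressWarnings("unchecked")
    final List<SecurityEvent> incomingSecurityEventList = (List<SecurityEvent>) soapMessage.get(SecurityEvent.class.getName() + ".in");
    // Fail closed: inbound actions are configured but no security event list is present
    if (incomingSecurityEventList == null) {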
        LOG.warning("Security processing failed (actions mismatch)");
        WSSecurityException ex = new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_ERROR);
        throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), ex);
    }
    // First check for a SOAP Fault with no security header if we are the client
    if (MessageUtils.isRequestor(soapMessage) && isEventInResults(WSSecurityEventConstants.NO_SECURITY, incomingSecurityEventList)) {
        OperationSecurityEvent securityEvent = (OperationSecurityEvent) findEvent(WSSecurityEventConstants.OPERATION, incomingSecurityEventList);
        if (securityEvent != null && soapMessage.getVersion().getFault().equals(securityEvent.getOperation())) {
            LOG.warning("Request does not contain Security header, but it's a fault.");
            return;
        }
    }
    // Every configured inbound action must be backed by a matching security event
    for (XMLSecurityConstants.Action action : inActions) {
        Event requiredEvent = null;
        if (WSSConstants.TIMESTAMP.equals(action)) {
            requiredEvent = WSSecurityEventConstants.TIMESTAMP;
        } else if (WSSConstants.USERNAMETOKEN.equals(action)) {
            requiredEvent = WSSecurityEventConstants.USERNAME_TOKEN;
        } else if (XMLSecurityConstants.SIGNATURE.equals(action)) {
            requiredEvent = WSSecurityEventConstants.SignatureValue;
        } else if (WSSConstants.SAML_TOKEN_SIGNED.equals(action) || WSSConstants.SAML_TOKEN_UNSIGNED.equals(action)) {
            requiredEvent = WSSecurityEventConstants.SAML_TOKEN;
        }
        if (requiredEvent != null && !isEventInResults(requiredEvent, incomingSecurityEventList)) {
            LOG.warning("Security processing failed (actions mismatch)");
            WSSecurityException ex = new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_ERROR);
            throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), ex);
        }
        // ENCRYPT is satisfied by either an ENCRYPTED_PART or an EncryptedElement event
        if (XMLSecurityConstants.ENCRYPT.equals(action)) {
            boolean foundEncryptionPart = isEventInResults(WSSecurityEventConstants.ENCRYPTED_PART, incomingSecurityEventList);
            if (!foundEncryptionPart) {
                foundEncryptionPart = isEventInResults(WSSecurityEventConstants.EncryptedElement, incomingSecurityEventList);
            }
            if (!foundEncryptionPart) {
                LOG.warning("Security processing failed (actions mismatch)");
                WSSecurityException ex = new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_ERROR);
                throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), ex);
            }
        }
    }
}
Also used : OperationSecurityEvent(org.apache.wss4j.stax.securityEvent.OperationSecurityEvent) SecurityEvent(org.apache.xml.security.stax.securityEvent.SecurityEvent) XMLSecurityConstants(org.apache.xml.security.stax.ext.XMLSecurityConstants) Event(org.apache.xml.security.stax.securityEvent.SecurityEventConstants.Event) List(java.util.List) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)

Example 7 with SecurityEvent

Use of org.apache.xml.security.stax.securityEvent.SecurityEvent in project cxf by apache.

The class StaxCryptoCoverageChecker, method checkEncryptedUsernameToken.

private void checkEncryptedUsernameToken(List<SecurityEvent> results) throws WSSecurityException {
    if (!encryptUsernameToken) {
        return;
    }
    boolean isUsernameTokenEncrypted = false;
    for (SecurityEvent encryptedEvent : results) {
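        // The cast assumes results holds only AbstractSecuredElementSecurityEvent instances;
        // any other event type in the list would raise a ClassCastException here
        AbstractSecuredElementSecurityEvent securedEvent = (AbstractSecuredElementSecurityEvent) encryptedEvent;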
        if (!securedEvent.isEncrypted()) {
            continue;
        }
        List<QName> encryptedPath = securedEvent.getElementPath();
        if (isUsernameToken(encryptedPath)) {
            isUsernameTokenEncrypted = true;
            break;
        }
    }
    if (!isUsernameTokenEncrypted) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, new Exception("The UsernameToken is not encrypted"));
    }
}
Also used : SecurityEvent(org.apache.xml.security.stax.securityEvent.SecurityEvent) AbstractSecuredElementSecurityEvent(org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent) QName(javax.xml.namespace.QName) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)

Example 8 with SecurityEvent

Use of org.apache.xml.security.stax.securityEvent.SecurityEvent in project cxf by apache.

The class StaxCryptoCoverageChecker, method checkEncryptedBody.

private void checkEncryptedBody(List<SecurityEvent> results) throws WSSecurityException {
    if (!encryptBody) {
        return;
    }
    boolean isBodyEncrypted = false;
    for (SecurityEvent signedEvent : results) {
        AbstractSecuredElementSecurityEvent securedEvent = (AbstractSecuredElementSecurityEvent) signedEvent;
        if (!securedEvent.isEncrypted()) {
            continue;
        }
        List<QName> encryptedPath = securedEvent.getElementPath();
        if (isBody(encryptedPath)) {
            isBodyEncrypted = true;
            break;
        }
    }
    if (!isBodyEncrypted) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, new Exception("The SOAP Body is not encrypted"));
    }
}
Also used : SecurityEvent(org.apache.xml.security.stax.securityEvent.SecurityEvent) AbstractSecuredElementSecurityEvent(org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent) QName(javax.xml.namespace.QName) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)

Example 9 with SecurityEvent

Use of org.apache.xml.security.stax.securityEvent.SecurityEvent in project cxf by apache.

The class StaxCryptoCoverageChecker, method checkSignedUsernameToken.

private void checkSignedUsernameToken(List<SecurityEvent> results) throws WSSecurityException {
    if (!signUsernameToken) {
        return;
    }
    boolean isUsernameTokenSigned = false;
    for (SecurityEvent signedEvent : results) {
        AbstractSecuredElementSecurityEvent securedEvent = (AbstractSecuredElementSecurityEvent) signedEvent;
        if (!securedEvent.isSigned()) {
            continue;
        }
        List<QName> signedPath = securedEvent.getElementPath();
        if (isUsernameToken(signedPath)) {
            isUsernameTokenSigned = true;
            break;
        }
    }
    if (!isUsernameTokenSigned) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, new Exception("The UsernameToken is not signed"));
    }
}
Also used : SecurityEvent(org.apache.xml.security.stax.securityEvent.SecurityEvent) AbstractSecuredElementSecurityEvent(org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent) QName(javax.xml.namespace.QName) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)

Example 10 with SecurityEvent

Use of org.apache.xml.security.stax.securityEvent.SecurityEvent in project cxf by apache.

The class StaxCryptoCoverageChecker, method checkSignedBody.

private void checkSignedBody(List<SecurityEvent> results) throws WSSecurityException {
    if (!signBody) {
        return;
    }
    boolean isBodySigned = false;
    for (SecurityEvent signedEvent : results) {
        AbstractSecuredElementSecurityEvent securedEvent = (AbstractSecuredElementSecurityEvent) signedEvent;
        if (!securedEvent.isSigned()) {
            continue;
        }
        List<QName> signedPath = securedEvent.getElementPath();
        if (isBody(signedPath)) {
            isBodySigned = true;
            break;
        }
    }
    if (!isBodySigned) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, new Exception("The SOAP Body is not signed"));
    }
}
Also used : SecurityEvent(org.apache.xml.security.stax.securityEvent.SecurityEvent) AbstractSecuredElementSecurityEvent(org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent) QName(javax.xml.namespace.QName) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException)
