
Example 11 with SecurityEvent

Use of org.apache.xml.security.stax.securityEvent.SecurityEvent in the Apache CXF project.

Class StaxCryptoCoverageChecker, method checkSignedAddressing.

/**
 * Enforces that the WS-Addressing ReplyTo and FaultTo headers were covered by a signature.
 * <p>
 * The check is only active when {@code signAddressingHeaders} is set and the message carries at
 * least one of the two headers. Each header that is present must appear as the element path of a
 * signed {@link AbstractSecuredElementSecurityEvent} in {@code results}; otherwise a
 * {@link WSSecurityException} with {@code ErrorCode.FAILURE} is raised, i.e. the check fails closed.
 *
 * @param results the security events collected while processing the inbound message
 * @param addressingProperties the decoded WS-Addressing headers, may be {@code null}
 * @throws WSSecurityException if a present ReplyTo or FaultTo header was not signed
 */
private void checkSignedAddressing(List<SecurityEvent> results, AddressingProperties addressingProperties) throws WSSecurityException {
    if (!signAddressingHeaders || addressingProperties == null) {
        return;
    }
    final boolean replyToPresent = addressingProperties.getReplyTo() != null;
    final boolean faultToPresent = addressingProperties.getFaultTo() != null;
    if (!replyToPresent && !faultToPresent) {
        return;
    }
    boolean replyToCovered = false;
    boolean faultToCovered = false;
    for (SecurityEvent event : results) {
        // NOTE(review): the cast assumes the caller only hands over AbstractSecuredElementSecurityEvent
        // instances; any other event type would raise a ClassCastException here — confirm against the caller.
        final AbstractSecuredElementSecurityEvent secured = (AbstractSecuredElementSecurityEvent) event;
        if (!secured.isSigned()) {
            continue;
        }
        final List<QName> path = secured.getElementPath();
        replyToCovered |= isReplyTo(path);
        faultToCovered |= isFaultTo(path);
        if (replyToCovered && faultToCovered) {
            // Both headers proven signed; no need to scan the remaining events.
            break;
        }
    }
    // Fail closed: a header that is present but not covered by a signature rejects the message.
    if (replyToPresent && !replyToCovered) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, new Exception("The Addressing headers are not signed"));
    }
    if (faultToPresent && !faultToCovered) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, new Exception("The Addressing headers are not signed"));
    }
}

Example 12 with SecurityEvent

Use of org.apache.xml.security.stax.securityEvent.SecurityEvent in the Apache CXF project.

Class StaxSecurityContextInInterceptor, method doResults.

/**
 * Establishes the message {@link SecurityContext} from the security tokens received inbound.
 * <p>
 * Token types are consulted in a fixed priority order (SAML, UsernameToken, Kerberos, X.509,
 * KeyValue). The first type that yields a token carrying a {@link Subject} or a {@link Principal}
 * decides the context and the remaining types are not consulted. A token type whose lookup throws
 * an {@link XMLSecurityException} is skipped and the next type is tried.
 *
 * @param msg the inbound SOAP message that receives the security context
 * @param incomingSecurityEventList the security events collected while processing the message
 * @throws WSSecurityException if the security context cannot be built
 */
private void doResults(SoapMessage msg, List<SecurityEvent> incomingSecurityEventList) throws WSSecurityException {
    // Highest priority first.
    final Event[] priorityOrder = {
        WSSecurityEventConstants.SAML_TOKEN,
        WSSecurityEventConstants.USERNAME_TOKEN,
        WSSecurityEventConstants.KERBEROS_TOKEN,
        WSSecurityEventConstants.X509Token,
        WSSecurityEventConstants.KeyValueToken
    };
    for (Event tokenType : priorityOrder) {
        final SubjectAndPrincipalSecurityToken token = fetchTokenOrNull(incomingSecurityEventList, tokenType, msg);
        if (token == null) {
            continue;
        }
        final Principal principal = token.getPrincipal();
        final Subject subject = token.getSubject();
        if (subject != null) {
            applySubjectContext(msg, subject);
            return;
        }
        if (principal != null) {
            applyPrincipalContext(msg, tokenType, token, principal);
            return;
        }
    }
}

/**
 * Looks up a token of the given type; a processing failure is treated as "no token" so that the
 * caller can fall through to the next token type.
 */
private SubjectAndPrincipalSecurityToken fetchTokenOrNull(List<SecurityEvent> events, Event tokenType, SoapMessage msg) {
    try {
        return getSubjectPrincipalToken(events, tokenType, msg);
    } catch (XMLSecurityException ignored) {
        // Deliberate best effort: a token type that cannot be processed is skipped rather than
        // failing the request here.
        return null;
    }
}

/**
 * Installs a Subject-based context. When a role classifier is configured the roles are derived
 * from the Subject's principals by prefix (default) or by the configured classifier type.
 */
private void applySubjectContext(SoapMessage msg, Subject subject) {
    final String roleClassifier = (String) msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER);
    if (roleClassifier == null || roleClassifier.isEmpty()) {
        msg.put(SecurityContext.class, new DefaultSecurityContext(subject));
        return;
    }
    String classifierType = (String) msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER_TYPE);
    if (classifierType == null || classifierType.isEmpty()) {
        classifierType = "prefix";
    }
    msg.put(SecurityContext.class, new RolePrefixSecurityContextImpl(subject, roleClassifier, classifierType));
}

/**
 * Installs a Principal-based context. For a SAML token the roles are parsed from the assertion's
 * claims using the configured role attribute name; for every other token type the generic
 * {@code createSecurityContext} is used.
 */
private void applyPrincipalContext(SoapMessage msg, Event tokenType, SubjectAndPrincipalSecurityToken token, Principal principal) throws WSSecurityException {
    if (tokenType != WSSecurityEventConstants.SAML_TOKEN) {
        msg.put(SecurityContext.class, createSecurityContext(principal));
        return;
    }
    String roleAttributeName = (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, msg);
    if (roleAttributeName == null || roleAttributeName.isEmpty()) {
        roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
    }
    final Object assertion = ((SAMLTokenPrincipal) token.getPrincipal()).getToken();
    if (assertion == null) {
        // No assertion available: no context is installed and no further token type is tried.
        return;
    }
    final ClaimCollection claims = SAMLUtils.getClaims((SamlAssertionWrapper) assertion);
    final Set<Principal> roles = SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
    msg.put(SecurityContext.class, new SAMLSecurityContext(principal, roles, claims));
}

Example 13 with SecurityEvent

Use of org.apache.xml.security.stax.securityEvent.SecurityEvent in the Apache CXF project.

Class WSS4JStaxInInterceptor, method configureSecurityEventListeners.

/**
 * Creates the listener that collects the inbound security events.
 * <p>
 * The collected events are stored under the key {@code SecurityEvent.class.getName() + ".in"} on
 * both the exchange and the message, so later interceptors (security context setup, crypto
 * coverage checking) and the outbound side can read them. {@code AlgorithmSuite} events are not
 * stored.
 *
 * @param msg the inbound SOAP message
 * @param securityProperties the inbound WSS configuration (not consulted here)
 * @return a single-element list holding the collecting listener
 * @throws WSSPolicyException declared for overriding subclasses; not thrown here
 */
protected List<SecurityEventListener> configureSecurityEventListeners(SoapMessage msg, WSSSecurityProperties securityProperties) throws WSSPolicyException {
    final String eventKey = SecurityEvent.class.getName() + ".in";
    final List<SecurityEvent> collectedEvents = new LinkedList<>();
    msg.getExchange().put(eventKey, collectedEvents);
    msg.put(eventKey, collectedEvents);
    final SecurityEventListener collector = new SecurityEventListener() {

        @Override
        public void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
            if (securityEvent.getSecurityEventType() == WSSecurityEventConstants.AlgorithmSuite) {
                // AlgorithmSuite events are needed neither for the security context nor for coverage checks.
                return;
            }
            collectedEvents.add(securityEvent);
        }
    };
    return Collections.singletonList(collector);
}

Example 14 with SecurityEvent

Use of org.apache.xml.security.stax.securityEvent.SecurityEvent in the Apache CXF project.

Class WSS4JStaxInInterceptor, method handleMessage.

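/**
 * Sets up streaming WS-Security processing for an inbound message.
 * <p>
 * Builds the inbound {@link WSSSecurityProperties}, installs the follow-up interceptors
 * ({@code StaxStartBodyInterceptor}, {@code StaxSecurityContextInInterceptor} and, when actions are
 * configured, {@code StaxActionInInterceptor}) and replaces the message's {@link XMLStreamReader}
 * with the security-processing reader returned by {@link InboundWSSec#processInMessage}. The
 * {@code SECURITY_PROCESSED} marker is only set once this setup completed, so a failure leaves the
 * message unmarked.
 *
 * @param soapMessage the inbound SOAP message
 * @throws Fault as a {@link SoapFault} if the security setup fails; see the warning below on which
 *         exceptions can surface here
 */
@Override
public void handleMessage(SoapMessage soapMessage) throws Fault {
    if (soapMessage.containsKey(SECURITY_PROCESSED) || isGET(soapMessage)) {
        return;
    }
    soapMessage.getInterceptorChain().add(new StaxStartBodyInterceptor());
    XMLStreamReader originalXmlStreamReader = soapMessage.getContent(XMLStreamReader.class);
    XMLStreamReader newXmlStreamReader;
    soapMessage.getInterceptorChain().add(new StaxSecurityContextInInterceptor());
    try {
        // Events recorded by the outbound side of this exchange (stored under the ".out" key), if any.
        @SuppressWarnings("unchecked") List<SecurityEvent> requestSecurityEvents = (List<SecurityEvent>) soapMessage.getExchange().get(SecurityEvent.class.getName() + ".out");
        WSSSecurityProperties secProps = createSecurityProperties();
        translateProperties(soapMessage, secProps);
        configureCallbackHandler(soapMessage, secProps);
        configureProperties(soapMessage, secProps);
        if (secProps.getActions() != null && !secProps.getActions().isEmpty()) {
            // Only installed when actions are configured; it receives the configured action list.
            soapMessage.getInterceptorChain().add(new StaxActionInInterceptor(secProps.getActions()));
        }
        if (secProps.getAttachmentCallbackHandler() == null) {
            secProps.setAttachmentCallbackHandler(new AttachmentCallbackHandler(soapMessage));
        }
        // Wrap the configured callback handler so tokens can be resolved from the message's token store.
        final TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(secProps.getCallbackHandler(), TokenStoreUtils.getTokenStore(soapMessage));
        secProps.setCallbackHandler(callbackHandler);
        setTokenValidators(secProps, soapMessage);
        secProps.setMsgContext(soapMessage);
        final List<SecurityEventListener> securityEventListeners = configureSecurityEventListeners(soapMessage, secProps);
        boolean returnSecurityError = MessageUtils.getContextualBoolean(soapMessage, SecurityConstants.RETURN_SECURITY_ERROR, false);
        final InboundWSSec inboundWSSec = WSSec.getInboundWSSec(secProps, MessageUtils.isRequestor(soapMessage), returnSecurityError);
        newXmlStreamReader = inboundWSSec.processInMessage(originalXmlStreamReader, requestSecurityEvents, securityEventListeners);
        final Object provider = soapMessage.getExchange().get(Provider.class);
        if (provider != null && ThreadLocalSecurityProvider.isInstalled()) {
            // The security processing runs lazily inside next(); make the exchange's JCA provider
            // the thread-local provider for the duration of each call and clear it afterwards.
            newXmlStreamReader = new StreamReaderDelegate(newXmlStreamReader) {

                @Override
                public int next() throws XMLStreamException {
                    try {
                        ThreadLocalSecurityProvider.setProvider((Provider) provider);
                        return super.next();
                    } finally {
                        ThreadLocalSecurityProvider.unsetProvider();
                    }
                }
            };
        }
        soapMessage.setContent(XMLStreamReader.class, newXmlStreamReader);
        // Warning: The exceptions which can occur here are not security relevant exceptions
        // but configuration-errors. To catch security relevant exceptions you have to catch
        // them e.g.in the FaultOutInterceptor. Why? Because we do streaming security. This
        // interceptor doesn't handle the ws-security stuff but just setup the relevant stuff
        // for it. Exceptions will be thrown as a wrapped XMLStreamException during further
        // processing in the WS-Stack.
        soapMessage.put(SECURITY_PROCESSED, Boolean.TRUE);
    } catch (WSSecurityException e) {
        // Keep this clause first: WSSecurityException gets the dedicated WSS4J fault mapping.
        throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), e);
    } catch (XMLSecurityException | XMLStreamException e) {
        throw new SoapFault(new Message("STAX_EX", LOG), e, soapMessage.getVersion().getSender());
    } catch (WSSPolicyException e) {
        throw new SoapFault(e.getMessage(), e, soapMessage.getVersion().getSender());
    }
}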

Example 15 with SecurityEvent

Use of org.apache.xml.security.stax.securityEvent.SecurityEvent in the Apache CXF project.

Class WSS4JStaxOutInterceptor, method handleMessage.

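/**
 * Sets up streaming WS-Security processing for an outbound message.
 * <p>
 * Builds the outbound {@link WSSSecurityProperties}; when no actions are configured the message is
 * left untouched. Otherwise the message's {@link OutputStream} is replaced by the
 * security-processing {@link XMLStreamWriter} returned by {@link OutboundWSSec#processOutMessage},
 * the start of the document is written, the original stream is parked under
 * {@code OUTPUT_STREAM_HOLDER} and the {@code ending} interceptor is appended to close the
 * document.
 *
 * @param mc the outbound SOAP message
 * @throws Fault if the security configuration is invalid or the document start cannot be written
 */
@Override
public void handleMessage(SoapMessage mc) throws Fault {
    OutputStream os = mc.getContent(OutputStream.class);
    String encoding = getEncoding(mc);
    XMLStreamWriter newXMLStreamWriter;
    try {
        WSSSecurityProperties secProps = createSecurityProperties();
        translateProperties(mc, secProps);
        configureCallbackHandler(mc, secProps);
        final OutboundSecurityContext outboundSecurityContext = new OutboundSecurityContextImpl();
        configureProperties(mc, outboundSecurityContext, secProps);
        if (secProps.getActions() == null || secProps.getActions().isEmpty()) {
            // If no actions configured then return
            return;
        }
        handleSecureMTOM(mc, secProps);
        if (secProps.getAttachmentCallbackHandler() == null) {
            secProps.setAttachmentCallbackHandler(new AttachmentCallbackHandler(mc));
        }
        SecurityEventListener securityEventListener = configureSecurityEventListener(mc, secProps);
        OutboundWSSec outboundWSSec = WSSec.getOutboundWSSec(secProps);
        // Events collected by the inbound side of this exchange (stored under the ".in" key) are
        // handed to the outbound context. NOTE(review): the value is null when no inbound
        // processing took place on this exchange — confirm putList tolerates that.
        @SuppressWarnings("unchecked") final List<SecurityEvent> requestSecurityEvents = (List<SecurityEvent>) mc.getExchange().get(SecurityEvent.class.getName() + ".in");
        outboundSecurityContext.putList(SecurityEvent.class, requestSecurityEvents);
        outboundSecurityContext.addSecurityEventListener(securityEventListener);
        newXMLStreamWriter = outboundWSSec.processOutMessage(os, encoding, outboundSecurityContext);
        mc.setContent(XMLStreamWriter.class, newXMLStreamWriter);
    } catch (WSSecurityException | WSSPolicyException e) {
        // Both are configuration/setup failures and are surfaced identically.
        throw new Fault(e);
    }
    mc.put(AbstractOutDatabindingInterceptor.DISABLE_OUTPUTSTREAM_OPTIMIZATION, Boolean.TRUE);
    try {
        newXMLStreamWriter.writeStartDocument(encoding, "1.0");
    } catch (XMLStreamException e) {
        throw new Fault(e);
    }
    // The original stream is kept for the ending interceptor; the writer now owns the output.
    mc.removeContent(OutputStream.class);
    mc.put(OUTPUT_STREAM_HOLDER, os);
    // Add a final interceptor to write end elements
    mc.getInterceptorChain().add(ending);
}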
