
Example 1 with SecurityEventListener

use of org.apache.xml.security.stax.securityEvent.SecurityEventListener in project cxf by apache.

the class XmlSecInInterceptor method configureSecurityEventListener.

/**
 * Builds the listener that receives security events for an inbound message and
 * publishes the list it fills on both the message and its exchange.
 *
 * <p>Every check runs before the event is recorded, so if a check throws, the
 * event is not added to the list and the exception propagates to the caller of
 * {@code registerSecurityEvent}.
 *
 * @param sigCrypto crypto instance handed to {@code checkSignatureTrust}
 * @param msg message that, together with its exchange, receives the event list
 * @param securityProperties not read by this method
 * @return the listener to register with the inbound security processing
 */
protected SecurityEventListener configureSecurityEventListener(final Crypto sigCrypto, final Message msg, XMLSecurityProperties securityProperties) {
    final List<SecurityEvent> recordedEvents = new LinkedList<>();

    // Publish the (still empty) list first; the listener below fills it as events arrive.
    msg.getExchange().put(SecurityEvent.class.getName() + ".in", recordedEvents);
    msg.put(SecurityEvent.class.getName() + ".in", recordedEvents);

    return new SecurityEventListener() {

        @Override
        public void registerSecurityEvent(SecurityEvent securityEvent) throws XMLSecurityException {
            if (securityEvent.getSecurityEventType() == SecurityEventConstants.AlgorithmSuite) {
                // Algorithm checks only run for the sides that are configured
                // (encryptionProperties / sigProps come from the enclosing class).
                if (encryptionProperties != null) {
                    checkEncryptionAlgorithms((AlgorithmSuiteSecurityEvent) securityEvent);
                }
                if (sigProps != null) {
                    checkSignatureAlgorithms((AlgorithmSuiteSecurityEvent) securityEvent);
                }
            } else if (securityEvent.getSecurityEventType() != SecurityEventConstants.EncryptedKeyToken) {
                // Trust is checked for every token event except encrypted-key tokens.
                if (securityEvent instanceof TokenSecurityEvent<?>) {
                    checkSignatureTrust(sigCrypto, msg, (TokenSecurityEvent<?>) securityEvent);
                }
            }
            // Reached only when none of the checks above threw.
            recordedEvents.add(securityEvent);
        }
    };
}
Also used : AlgorithmSuiteSecurityEvent(org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent) TokenSecurityEvent(org.apache.xml.security.stax.securityEvent.TokenSecurityEvent) SecurityEvent(org.apache.xml.security.stax.securityEvent.SecurityEvent) TokenSecurityEvent(org.apache.xml.security.stax.securityEvent.TokenSecurityEvent) LinkedList(java.util.LinkedList) SecurityEventListener(org.apache.xml.security.stax.securityEvent.SecurityEventListener)

Example 2 with SecurityEventListener

use of org.apache.xml.security.stax.securityEvent.SecurityEventListener in project santuario-java by apache.

the class AbstractSecurityContextImpl method forwardSecurityEvent.

/**
 * Delivers one security event to every registered listener, in list order.
 *
 * <p>An exception thrown by a listener stops the delivery; listeners later in
 * the list do not see the event.
 *
 * @param securityEvent the event to hand to each listener
 * @throws XMLSecurityException if a listener rejects the event
 */
protected void forwardSecurityEvent(SecurityEvent securityEvent) throws XMLSecurityException {
    // Index-based walk with the size re-read on every pass, as in the original;
    // NOTE(review): presumably so the list may change while an event is being
    // delivered - confirm before switching to an iterator-based loop.
    int index = 0;
    while (index < securityEventListeners.size()) {
        securityEventListeners.get(index).registerSecurityEvent(securityEvent);
        index++;
    }
}
Also used : SecurityEventListener(org.apache.xml.security.stax.securityEvent.SecurityEventListener)

Example 3 with SecurityEventListener

use of org.apache.xml.security.stax.securityEvent.SecurityEventListener in project cxf by apache.

the class WSS4JStaxInInterceptor method configureSecurityEventListeners.

/**
 * Creates the single listener that records inbound security events and
 * publishes the list it fills on both the message and its exchange.
 *
 * @param msg message that, together with its exchange, receives the event list
 * @param securityProperties not read by this method
 * @return a one-element list holding the recording listener
 * @throws WSSPolicyException declared for callers; this body does not throw it
 */
protected List<SecurityEventListener> configureSecurityEventListeners(SoapMessage msg, WSSSecurityProperties securityProperties) throws WSSPolicyException {
    final List<SecurityEvent> recordedEvents = new LinkedList<>();
    final SecurityEventListener recorder = new SecurityEventListener() {

        @Override
        public void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
            // Algorithm-suite events are not kept; everything else is stored for the
            // security context setup or the crypto coverage checker.
            if (securityEvent.getSecurityEventType() == WSSecurityEventConstants.AlgorithmSuite) {
                return;
            }
            recordedEvents.add(securityEvent);
        }
    };

    // The same list instance is visible through the exchange and through the message.
    msg.getExchange().put(SecurityEvent.class.getName() + ".in", recordedEvents);
    msg.put(SecurityEvent.class.getName() + ".in", recordedEvents);
    return Collections.singletonList(recorder);
}
Also used : SecurityEvent(org.apache.xml.security.stax.securityEvent.SecurityEvent) LinkedList(java.util.LinkedList) SecurityEventListener(org.apache.xml.security.stax.securityEvent.SecurityEventListener)

Example 4 with SecurityEventListener

use of org.apache.xml.security.stax.securityEvent.SecurityEventListener in project cxf by apache.

the class WSS4JStaxInInterceptor method handleMessage.

/**
 * Prepares streaming WS-Security processing for an inbound SOAP message.
 *
 * <p>The method builds the security properties, registers the follow-up
 * interceptors, and replaces the message's {@link XMLStreamReader} with the
 * reader returned by {@code InboundWSSec.processInMessage}. Messages that
 * already carry {@code SECURITY_PROCESSED}, or for which {@code isGET} is
 * true, are left untouched.
 *
 * @param soapMessage the inbound message to prepare
 * @throws Fault a {@link SoapFault} when setting up the security processing fails
 */
@Override
public void handleMessage(SoapMessage soapMessage) throws Fault {
    // Nothing to do if this message was already handled, or isGET() reports a GET request.
    if (soapMessage.containsKey(SECURITY_PROCESSED) || isGET(soapMessage)) {
        return;
    }
    soapMessage.getInterceptorChain().add(new StaxStartBodyInterceptor());
    XMLStreamReader originalXmlStreamReader = soapMessage.getContent(XMLStreamReader.class);
    XMLStreamReader newXmlStreamReader;
    soapMessage.getInterceptorChain().add(new StaxSecurityContextInInterceptor());
    try {
        // Events stored on the exchange under the ".out" key; presumably recorded by the
        // outbound side of this exchange. NOTE(review): the value may be null when nothing
        // was stored - confirm processInMessage accepts that.
        @SuppressWarnings("unchecked") List<SecurityEvent> requestSecurityEvents = (List<SecurityEvent>) soapMessage.getExchange().get(SecurityEvent.class.getName() + ".out");
        WSSSecurityProperties secProps = createSecurityProperties();
        translateProperties(soapMessage, secProps);
        configureCallbackHandler(soapMessage, secProps);
        configureProperties(soapMessage, secProps);
        // The action interceptor is only added when actions are configured.
        if (secProps.getActions() != null && secProps.getActions().size() > 0) {
            soapMessage.getInterceptorChain().add(new StaxActionInInterceptor(secProps.getActions()));
        }
        // Supply a default attachment handler only if configuration did not set one.
        if (secProps.getAttachmentCallbackHandler() == null) {
            secProps.setAttachmentCallbackHandler(new AttachmentCallbackHandler(soapMessage));
        }
        // Wrap the configured callback handler together with the message's token store.
        final TokenStoreCallbackHandler callbackHandler = new TokenStoreCallbackHandler(secProps.getCallbackHandler(), TokenStoreUtils.getTokenStore(soapMessage));
        secProps.setCallbackHandler(callbackHandler);
        setTokenValidators(secProps, soapMessage);
        secProps.setMsgContext(soapMessage);
        final List<SecurityEventListener> securityEventListeners = configureSecurityEventListeners(soapMessage, secProps);
        // Read with a default of false. NOTE(review): presumably decides how much detail
        // about a security failure is returned to the sender - confirm before enabling it.
        boolean returnSecurityError = MessageUtils.getContextualBoolean(soapMessage, SecurityConstants.RETURN_SECURITY_ERROR, false);
        final InboundWSSec inboundWSSec = WSSec.getInboundWSSec(secProps, MessageUtils.isRequestor(soapMessage), returnSecurityError);
        newXmlStreamReader = inboundWSSec.processInMessage(originalXmlStreamReader, requestSecurityEvents, securityEventListeners);
        final Object provider = soapMessage.getExchange().get(Provider.class);
        if (provider != null && ThreadLocalSecurityProvider.isInstalled()) {
            // Install the exchange's provider only for the duration of each next() call;
            // the finally block removes it again even when next() throws.
            newXmlStreamReader = new StreamReaderDelegate(newXmlStreamReader) {

                @Override
                public int next() throws XMLStreamException {
                    try {
                        ThreadLocalSecurityProvider.setProvider((Provider) provider);
                        return super.next();
                    } finally {
                        ThreadLocalSecurityProvider.unsetProvider();
                    }
                }
            };
        }
        soapMessage.setContent(XMLStreamReader.class, newXmlStreamReader);
        // Warning: The exceptions which can occur here are not security relevant exceptions
        // but configuration-errors. To catch security relevant exceptions you have to catch
        // them e.g.in the FaultOutInterceptor. Why? Because we do streaming security. This
        // interceptor doesn't handle the ws-security stuff but just setup the relevant stuff
        // for it. Exceptions will be thrown as a wrapped XMLStreamException during further
        // processing in the WS-Stack.
        soapMessage.put(SECURITY_PROCESSED, Boolean.TRUE);
    } catch (WSSecurityException e) {
        // Handled before XMLSecurityException so it gets the WSS4J-specific fault mapping.
        throw WSS4JUtils.createSoapFault(soapMessage, soapMessage.getVersion(), e);
    } catch (XMLSecurityException e) {
        // Generic "STAX_EX" message; the cause is attached to the fault object.
        throw new SoapFault(new Message("STAX_EX", LOG), e, soapMessage.getVersion().getSender());
    } catch (WSSPolicyException e) {
        // NOTE(review): the exception text itself becomes the fault message here, unlike the
        // generic "STAX_EX" branches - confirm it carries nothing that should stay internal.
        throw new SoapFault(e.getMessage(), e, soapMessage.getVersion().getSender());
    } catch (XMLStreamException e) {
        throw new SoapFault(new Message("STAX_EX", LOG), e, soapMessage.getVersion().getSender());
    }
}
Also used : WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) SoapFault(org.apache.cxf.binding.soap.SoapFault) XMLStreamReader(javax.xml.stream.XMLStreamReader) Message(org.apache.cxf.common.i18n.Message) SoapMessage(org.apache.cxf.binding.soap.SoapMessage) LinkedList(java.util.LinkedList) List(java.util.List) SecurityEvent(org.apache.xml.security.stax.securityEvent.SecurityEvent) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) XMLSecurityException(org.apache.xml.security.exceptions.XMLSecurityException) Provider(java.security.Provider) ThreadLocalSecurityProvider(org.apache.wss4j.common.crypto.ThreadLocalSecurityProvider) XMLStreamException(javax.xml.stream.XMLStreamException) StreamReaderDelegate(javax.xml.stream.util.StreamReaderDelegate) WSSPolicyException(org.apache.wss4j.common.WSSPolicyException) SecurityEventListener(org.apache.xml.security.stax.securityEvent.SecurityEventListener) InboundWSSec(org.apache.wss4j.stax.setup.InboundWSSec)

Example 5 with SecurityEventListener

use of org.apache.xml.security.stax.securityEvent.SecurityEventListener in project cxf by apache.

the class WSS4JStaxOutInterceptor method handleMessage.

/**
 * Prepares streaming WS-Security processing for an outbound SOAP message.
 *
 * <p>The method builds the security properties, obtains a securing
 * {@link XMLStreamWriter} from {@code OutboundWSSec.processOutMessage}, and
 * sets that writer as message content in place of the raw
 * {@link OutputStream}. It returns early, before any of that, when no
 * security actions are configured.
 *
 * @param mc the outbound message to prepare
 * @throws Fault wrapping any WSS4J, policy or stream exception raised during setup
 */
public void handleMessage(SoapMessage mc) throws Fault {
    OutputStream os = mc.getContent(OutputStream.class);
    String encoding = getEncoding(mc);
    XMLStreamWriter newXMLStreamWriter;
    try {
        WSSSecurityProperties secProps = createSecurityProperties();
        translateProperties(mc, secProps);
        configureCallbackHandler(mc, secProps);
        final OutboundSecurityContext outboundSecurityContext = new OutboundSecurityContextImpl();
        configureProperties(mc, outboundSecurityContext, secProps);
        if (secProps.getActions() == null || secProps.getActions().isEmpty()) {
            // If no actions configured then return
            // NOTE(review): in that case the message continues without the securing writer
            // and this method logs nothing - confirm that is intended for the endpoint.
            return;
        }
        handleSecureMTOM(mc, secProps);
        // Supply a default attachment handler only if configuration did not set one.
        if (secProps.getAttachmentCallbackHandler() == null) {
            secProps.setAttachmentCallbackHandler(new AttachmentCallbackHandler(mc));
        }
        SecurityEventListener securityEventListener = configureSecurityEventListener(mc, secProps);
        OutboundWSSec outboundWSSec = WSSec.getOutboundWSSec(secProps);
        // Events stored on the exchange under the ".in" key; presumably recorded while the
        // request was processed. NOTE(review): may be null when nothing was stored - confirm
        // putList accepts that.
        @SuppressWarnings("unchecked") final List<SecurityEvent> requestSecurityEvents = (List<SecurityEvent>) mc.getExchange().get(SecurityEvent.class.getName() + ".in");
        outboundSecurityContext.putList(SecurityEvent.class, requestSecurityEvents);
        outboundSecurityContext.addSecurityEventListener(securityEventListener);
        newXMLStreamWriter = outboundWSSec.processOutMessage(os, encoding, outboundSecurityContext);
        mc.setContent(XMLStreamWriter.class, newXMLStreamWriter);
    } catch (WSSecurityException e) {
        throw new Fault(e);
    } catch (WSSPolicyException e) {
        throw new Fault(e);
    }
    mc.put(AbstractOutDatabindingInterceptor.DISABLE_OUTPUTSTREAM_OPTIMIZATION, Boolean.TRUE);
    try {
        newXMLStreamWriter.writeStartDocument(encoding, "1.0");
    } catch (XMLStreamException e) {
        throw new Fault(e);
    }
    // The raw stream is removed from the message content and kept under OUTPUT_STREAM_HOLDER,
    // leaving the securing writer as the content set by this method.
    mc.removeContent(OutputStream.class);
    mc.put(OUTPUT_STREAM_HOLDER, os);
    // Add a final interceptor to write end elements
    mc.getInterceptorChain().add(ending);
}
Also used : WSSSecurityProperties(org.apache.wss4j.stax.ext.WSSSecurityProperties) TokenSecurityEvent(org.apache.xml.security.stax.securityEvent.TokenSecurityEvent) SecurityEvent(org.apache.xml.security.stax.securityEvent.SecurityEvent) OutputStream(java.io.OutputStream) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Fault(org.apache.cxf.interceptor.Fault) OutboundSecurityContextImpl(org.apache.xml.security.stax.impl.OutboundSecurityContextImpl) OutboundSecurityContext(org.apache.xml.security.stax.ext.OutboundSecurityContext) OutboundWSSec(org.apache.wss4j.stax.setup.OutboundWSSec) XMLStreamException(javax.xml.stream.XMLStreamException) XMLStreamWriter(javax.xml.stream.XMLStreamWriter) LinkedList(java.util.LinkedList) List(java.util.List) WSSPolicyException(org.apache.wss4j.common.WSSPolicyException) SecurityEventListener(org.apache.xml.security.stax.securityEvent.SecurityEventListener)

Aggregations

SecurityEventListener (org.apache.xml.security.stax.securityEvent.SecurityEventListener)8 LinkedList (java.util.LinkedList)5 SecurityEvent (org.apache.xml.security.stax.securityEvent.SecurityEvent)5 XMLStreamException (javax.xml.stream.XMLStreamException)3 TokenSecurityEvent (org.apache.xml.security.stax.securityEvent.TokenSecurityEvent)3 List (java.util.List)2 XMLStreamReader (javax.xml.stream.XMLStreamReader)2 WSSPolicyException (org.apache.wss4j.common.WSSPolicyException)2 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)2 WSSSecurityProperties (org.apache.wss4j.stax.ext.WSSSecurityProperties)2 XMLSecurityException (org.apache.xml.security.exceptions.XMLSecurityException)2 IOException (java.io.IOException)1 InputStream (java.io.InputStream)1 OutputStream (java.io.OutputStream)1 Provider (java.security.Provider)1 ArrayList (java.util.ArrayList)1 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1 XMLStreamWriter (javax.xml.stream.XMLStreamWriter)1 StreamReaderDelegate (javax.xml.stream.util.StreamReaderDelegate)1 SoapFault (org.apache.cxf.binding.soap.SoapFault)1