Java Code Examples for org.apache.ws.security.WSConstants

The following examples show how to use org.apache.ws.security.WSConstants. They are extracted from open-source projects; the links above each example lead to the original project and source file, and related API usage is listed in the sidebar.
Example 1
Source Project: steady   Source File: AbstractSTSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Extracts a token identifier from the first child element of {@code el}
 * (typically a SecurityTokenReference).
 *
 * The value returned depends on the reference form of that child:
 * ds:KeyInfo, wsse:KeyIdentifier and the 2005/02 or 2005/12
 * SecurityContextToken Identifier yield the element's text content, while a
 * wsse:Reference yields its URI attribute.
 *
 * @param el the wrapper element whose first child is inspected
 * @return the identifier, or {@code null} when there is no child element or
 *         the child is not one of the recognised reference forms
 */
protected String getIDFromSTR(Element el) {
    Element ref = DOMUtils.getFirstElement(el);
    if (ref == null) {
        return null;
    }
    QName refName = DOMUtils.getElementQName(ref);
    if (refName.equals(Reference.TOKEN)) {
        // A wsse:Reference carries the id in its URI attribute
        return ref.getAttribute("URI");
    }
    boolean textBearing =
        refName.equals(new QName(WSConstants.SIG_NS, "KeyInfo"))
        || refName.equals(new QName(WSConstants.WSSE_NS, "KeyIdentifier"))
        || refName.equals(new QName(STSUtils.SCT_NS_05_02, "Identifier"))
        || refName.equals(new QName(STSUtils.SCT_NS_05_12, "Identifier"));
    return textBearing ? DOMUtils.getContent(ref) : null;
}
 
Example 2
Source Project: steady   Source File: IssuedTokenInterceptorProvider.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Builds a {@link SecurityToken} from a received SAML assertion.
 *
 * The token id is the assertion id. When the assertion carries subject key
 * material, its secret and the first certificate of the chain are copied onto
 * the token. The token type reflects whichever SAML version the wrapper
 * holds; a wrapper holding neither leaves the type unset.
 *
 * @param assertionWrapper the parsed assertion
 * @return the populated token, never {@code null}
 */
private SecurityToken createSecurityToken(
    AssertionWrapper assertionWrapper
) {
    SecurityToken result = new SecurityToken(assertionWrapper.getId());

    SAMLKeyInfo keyInfo = assertionWrapper.getSubjectKeyInfo();
    if (keyInfo != null) {
        result.setSecret(keyInfo.getSecret());
        X509Certificate[] chain = keyInfo.getCerts();
        // Only the first certificate of the chain is retained on the token
        if (chain != null && chain.length > 0) {
            result.setX509Certificate(chain[0], null);
        }
    }

    if (assertionWrapper.getSaml1() != null) {
        result.setTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
    } else if (assertionWrapper.getSaml2() != null) {
        result.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
    }
    result.setToken(assertionWrapper.getElement());
    return result;
}
 
Example 3
Source Project: steady   Source File: IssuedTokenInterceptorProvider.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Builds a {@link SecurityToken} from a received SAML assertion.
 *
 * The token id is the assertion id. When the assertion carries subject key
 * material, its secret and the first certificate of the chain are copied onto
 * the token. The token type reflects whichever SAML version the wrapper
 * holds; a wrapper holding neither leaves the type unset.
 *
 * @param assertionWrapper the parsed assertion
 * @return the populated token, never {@code null}
 */
private SecurityToken createSecurityToken(
    AssertionWrapper assertionWrapper
) {
    SecurityToken result = new SecurityToken(assertionWrapper.getId());

    SAMLKeyInfo keyInfo = assertionWrapper.getSubjectKeyInfo();
    if (keyInfo != null) {
        result.setSecret(keyInfo.getSecret());
        X509Certificate[] chain = keyInfo.getCerts();
        // Only the first certificate of the chain is retained on the token
        if (chain != null && chain.length > 0) {
            result.setX509Certificate(chain[0], null);
        }
    }

    if (assertionWrapper.getSaml1() != null) {
        result.setTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
    } else if (assertionWrapper.getSaml2() != null) {
        result.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
    }
    result.setToken(assertionWrapper.getElement());
    return result;
}
 
Example 4
Source Project: steady   Source File: STSInvoker.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Writes a {@code Lifetime} element holding wsu:Created and wsu:Expires
 * children, each formatted as an XML Schema dateTime.
 *
 * @param writer    destination for the output
 * @param created   start of the lifetime; must not be null
 * @param expires   end of the lifetime; must not be null
 * @param prefix    namespace prefix of the Lifetime element
 * @param namespace namespace URI of the Lifetime element
 * @throws Exception if the writer fails
 */
void writeLifetime(
    W3CDOMStreamWriter writer,
    Date created,
    Date expires,
    String prefix,
    String namespace
) throws Exception {
    XmlSchemaDateFormat dateFormat = new XmlSchemaDateFormat();
    writer.writeStartElement(prefix, "Lifetime", namespace);
    // Declare wsu on the Lifetime element so both children resolve their prefix
    writer.writeNamespace("wsu", WSConstants.WSU_NS);

    String[] childNames = {"Created", "Expires"};
    Date[] instants = {created, expires};
    for (int i = 0; i < childNames.length; i++) {
        writer.writeStartElement("wsu", childNames[i], WSConstants.WSU_NS);
        writer.writeCharacters(dateFormat.format(instants[i].getTime()));
        writer.writeEndElement();
    }
    writer.writeEndElement();
}
 
Example 5
Source Project: steady   Source File: AbstractSTSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Determines the identifier of an issued token from the parts of a
 * RequestSecurityTokenResponse.
 *
 * Resolution order: a SAML 1.1 {@code AssertionID} or SAML 2.0 {@code ID}
 * attribute on the token itself, then a reference inside the token, then the
 * attached reference, then the unattached reference, and finally the token's
 * wsu:Id attribute.
 *
 * @param rar the RequestedAttachedReference element, may be null
 * @param rur the RequestedUnattachedReference element, may be null
 * @param rst the token element from RequestedSecurityToken, may be null
 * @return the identifier, or {@code null} if none was found. Note that the
 *         final wsu:Id lookup yields an empty string rather than null when
 *         the attribute is absent, so callers checking for null alone may
 *         see "" for a token without any id.
 */
protected String findID(Element rar, Element rur, Element rst) {
    String found = null;
    if (rst != null) {
        QName tokenName = DOMUtils.getElementQName(rst);
        boolean saml1 = tokenName.equals(new QName(WSConstants.SAML_NS, "Assertion"));
        boolean saml2 = tokenName.equals(new QName(WSConstants.SAML2_NS, "Assertion"));
        if (saml1 && rst.hasAttributeNS(null, "AssertionID")) {
            found = rst.getAttributeNS(null, "AssertionID");
        } else if (saml2 && rst.hasAttributeNS(null, "ID")) {
            found = rst.getAttributeNS(null, "ID");
        } else {
            // Not a SAML assertion with its own id attribute: look for a reference inside
            found = this.getIDFromSTR(rst);
        }
    }
    // Fall back to the attached, then the unattached, reference
    Element[] references = {rar, rur};
    for (Element ref : references) {
        if (found == null && ref != null) {
            found = this.getIDFromSTR(ref);
        }
    }
    if (found == null && rst != null) {
        found = rst.getAttributeNS(WSConstants.WSU_NS, "Id");
    }
    return found;
}
 
Example 6
Source Project: steady   Source File: AbstractSTSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Extracts a token identifier from the first child element of {@code el}
 * (typically a SecurityTokenReference).
 *
 * The value returned depends on the reference form of that child:
 * ds:KeyInfo, wsse:KeyIdentifier and the 2005/02 or 2005/12
 * SecurityContextToken Identifier yield the element's text content, while a
 * wsse:Reference yields its URI attribute.
 *
 * @param el the wrapper element whose first child is inspected
 * @return the identifier, or {@code null} when there is no child element or
 *         the child is not one of the recognised reference forms
 */
protected String getIDFromSTR(Element el) {
    Element ref = DOMUtils.getFirstElement(el);
    if (ref == null) {
        return null;
    }
    QName refName = DOMUtils.getElementQName(ref);
    if (refName.equals(Reference.TOKEN)) {
        // A wsse:Reference carries the id in its URI attribute
        return ref.getAttribute("URI");
    }
    boolean textBearing =
        refName.equals(new QName(WSConstants.SIG_NS, "KeyInfo"))
        || refName.equals(new QName(WSConstants.WSSE_NS, "KeyIdentifier"))
        || refName.equals(new QName(STSUtils.SCT_NS_05_02, "Identifier"))
        || refName.equals(new QName(STSUtils.SCT_NS_05_12, "Identifier"));
    return textBearing ? DOMUtils.getContent(ref) : null;
}
 
Example 7
Source Project: steady   Source File: AbstractBindingPolicyValidator.java    License: Apache License 2.0 6 votes vote down vote up
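/**
 * Returns true if the element identified by {@code sigId} was covered by one
 * of the decryption (ENCR) results.
 *
 * Each decrypted element is matched on either its plain {@code Id} attribute
 * or its {@code wsu:Id} attribute. DOM attribute lookups yield an empty
 * string when the attribute is absent, so an empty or null {@code sigId} is
 * rejected up front: otherwise it would "match" every decrypted element that
 * simply has no Id, and the caller would wrongly treat that signature
 * reference as encrypted.
 *
 * @param sigId   the id referenced from the signature; null or empty never matches
 * @param results the security engine results for the message
 * @return true if some ENCR result's data references include the element
 */
private boolean isIdEncrypted(String sigId, List<WSSecurityEngineResult> results) {
    if (sigId == null || sigId.isEmpty()) {
        return false;
    }
    for (WSSecurityEngineResult wser : results) {
        Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
        // A result without an action cannot be a decryption result; skip it
        if (actInt == null || actInt.intValue() != WSConstants.ENCR) {
            continue;
        }
        List<WSDataRef> dataRefs =
            CastUtils.cast((List<?>)wser.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (dataRefs == null) {
            continue;
        }
        for (WSDataRef r : dataRefs) {
            Element protectedElement = r.getProtectedElement();
            if (protectedElement == null) {
                continue;
            }
            String id = protectedElement.getAttribute("Id");
            String wsuId = protectedElement.getAttributeNS(WSConstants.WSU_NS, "Id");
            if (sigId.equals(id) || sigId.equals(wsuId)) {
                return true;
            }
        }
    }
    return false;
}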
 
Example 8
Source Project: steady   Source File: AbstractBindingBuilder.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Returns the username carried by the first Username Token found in the
 * given handler results.
 *
 * @param results the WSS4J handler results to scan (one entry per actor,
 *                each holding the results of the processed security elements)
 * @return the principal name of the first UT action, or {@code null} if no
 *         Username Token was processed
 */
public static String getUsername(List<WSHandlerResult> results) {
    for (WSHandlerResult handlerResult : results) {
        for (WSSecurityEngineResult engineResult : handlerResult.getResults()) {
            Integer action = (Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION);
            if (action.intValue() != WSConstants.UT) {
                continue;
            }
            // The UT action stores the authenticated principal on its result
            WSUsernameTokenPrincipal principal =
                (WSUsernameTokenPrincipal)engineResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
            return principal.getName();
        }
    }
    return null;
}
 
Example 9
Source Project: steady   Source File: AbstractBindingPolicyValidator.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Reports whether the message was encrypted before it was signed.
 *
 * The result list is in reverse processing order, so the first
 * non-endorsing signature result encountered decides: it counts as
 * "encrypted before signed" only if an ENCR result with data references was
 * seen earlier in the list. A signature whose only data reference is the
 * Signature element itself (an endorsing signature) is ignored.
 *
 * @param results the security engine results, in the order WSS4J stored them
 * @return true if a decryption result precedes the first non-endorsing signature result
 */
private boolean isEncryptedBeforeSigned(List<WSSecurityEngineResult> results) {
    boolean seenEncryption = false;
    for (WSSecurityEngineResult result : results) {
        int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
        List<WSDataRef> refs =
            CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (refs == null) {
            continue;
        }
        if (action == WSConstants.ENCR) {
            seenEncryption = true;
        } else if (action == WSConstants.SIGN) {
            boolean endorsing = refs.size() == 1 && refs.get(0).getName().equals(SIG_QNAME);
            if (!endorsing) {
                return seenEncryption;
            }
        }
    }
    return false;
}
 
Example 10
Source Project: steady   Source File: SpnegoContextTokenInInterceptor.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Writes a RequestedProofToken element wrapping the key as an
 * xenc:EncryptedKey whose EncryptionMethod Algorithm is
 * {@code namespace + "/spnego#GSS_Wrap"} and whose CipherValue is the
 * base64 encoding of {@code key}.
 *
 * @param writer    destination for the output
 * @param prefix    prefix of the RequestedProofToken element
 * @param namespace namespace URI of the RequestedProofToken element
 * @param key       the key bytes to emit
 * @throws Exception if the writer fails
 */
private void writeProofToken(
    W3CDOMStreamWriter writer,
    String prefix, 
    String namespace,
    byte[] key
) throws Exception {
    final String encPrefix = WSConstants.ENC_PREFIX;
    final String encNs = WSConstants.ENC_NS;

    writer.writeStartElement(prefix, "RequestedProofToken", namespace);
    writer.writeStartElement(encPrefix, "EncryptedKey", encNs);

    // EncryptionMethod is an empty element carrying only the Algorithm attribute
    writer.writeStartElement(encPrefix, "EncryptionMethod", encNs);
    writer.writeAttribute("Algorithm", namespace + "/spnego#GSS_Wrap");
    writer.writeEndElement();

    writer.writeStartElement(encPrefix, "CipherData", encNs);
    writer.writeStartElement(encPrefix, "CipherValue", encNs);
    writer.writeCharacters(Base64.encode(key));
    writer.writeEndElement(); // CipherValue
    writer.writeEndElement(); // CipherData

    writer.writeEndElement(); // EncryptedKey
    writer.writeEndElement(); // RequestedProofToken
}
 
Example 11
Source Project: steady   Source File: AbstractBindingBuilder.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Stores a SAML assertion in the token store as a {@link SecurityToken} and
 * records its id on the message under {@code SecurityConstants.TOKEN_ID}.
 *
 * Nothing is stored when no id can be found on the assertion element. The
 * token type is SAML 2.0 when the wrapper holds a SAML 2 assertion and
 * SAML 1.1 otherwise.
 *
 * @param assertion the assertion to store
 */
protected void storeAssertionAsSecurityToken(AssertionWrapper assertion) {
    String tokenId = findIDFromSamlToken(assertion.getElement());
    if (tokenId == null) {
        return;
    }
    boolean isSaml2 = assertion.getSaml2() != null;
    SecurityToken stored = new SecurityToken(tokenId);
    stored.setTokenType(isSaml2
        ? WSConstants.WSS_SAML2_TOKEN_TYPE
        : WSConstants.WSS_SAML_TOKEN_TYPE);
    stored.setToken(assertion.getElement());
    getTokenStore().add(stored);
    message.setContextualProperty(SecurityConstants.TOKEN_ID, stored.getId());
}
 
Example 12
Source Project: steady   Source File: AbstractSTSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Extracts a token identifier from the first child element of {@code el}
 * (typically a SecurityTokenReference).
 *
 * The value returned depends on the reference form of that child:
 * ds:KeyInfo, wsse:KeyIdentifier and the 2005/02 or 2005/12
 * SecurityContextToken Identifier yield the element's text content, while a
 * wsse:Reference yields its URI attribute.
 *
 * @param el the wrapper element whose first child is inspected
 * @return the identifier, or {@code null} when there is no child element or
 *         the child is not one of the recognised reference forms
 */
protected String getIDFromSTR(Element el) {
    Element ref = DOMUtils.getFirstElement(el);
    if (ref == null) {
        return null;
    }
    QName refName = DOMUtils.getElementQName(ref);
    if (refName.equals(Reference.TOKEN)) {
        // A wsse:Reference carries the id in its URI attribute
        return ref.getAttribute("URI");
    }
    boolean textBearing =
        refName.equals(new QName(WSConstants.SIG_NS, "KeyInfo"))
        || refName.equals(new QName(WSConstants.WSSE_NS, "KeyIdentifier"))
        || refName.equals(new QName(STSUtils.SCT_NS_05_02, "Identifier"))
        || refName.equals(new QName(STSUtils.SCT_NS_05_12, "Identifier"));
    return textBearing ? DOMUtils.getContent(ref) : null;
}
 
Example 13
Source Project: steady   Source File: UsernameTokenInterceptor.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Locates the wsse:Security header of a SOAP message, optionally creating it.
 *
 * A header is accepted when its local name is "Security" and its namespace is
 * either the WS-Security 1.0 or the 1.1 namespace. When none exists and
 * {@code create} is true, an empty mustUnderstand="true" wsse:Security header
 * (in the 1.0 namespace) is appended to the message and returned.
 *
 * @param message the SOAP message whose headers are searched
 * @param create  whether to add a header when none is present
 * @return the existing or newly created header, or {@code null} if absent
 *         and {@code create} is false
 */
private Header findSecurityHeader(SoapMessage message, boolean create) {
    for (Header header : message.getHeaders()) {
        QName name = header.getName();
        String ns = name.getNamespaceURI();
        boolean wsseNamespace =
            ns.equals(WSConstants.WSSE_NS) || ns.equals(WSConstants.WSSE11_NS);
        if (wsseNamespace && name.getLocalPart().equals("Security")) {
            return header;
        }
    }
    if (!create) {
        return null;
    }
    Document doc = DOMUtils.createDocument();
    Element securityElement = doc.createElementNS(WSConstants.WSSE_NS, "wsse:Security");
    // Bind the wsse prefix explicitly so the element serialises with its declaration
    securityElement.setAttributeNS(WSConstants.XMLNS_NS, "xmlns:wsse", WSConstants.WSSE_NS);
    SoapHeader created =
        new SoapHeader(new QName(WSConstants.WSSE_NS, "Security"), securityElement);
    created.setMustUnderstand(true);
    message.getHeaders().add(created);
    return created;
}
 
Example 14
Source Project: steady   Source File: STSInvoker.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Writes a {@code Lifetime} element holding wsu:Created and wsu:Expires
 * children, each formatted as an XML Schema dateTime.
 *
 * @param writer    destination for the output
 * @param created   start of the lifetime; must not be null
 * @param expires   end of the lifetime; must not be null
 * @param prefix    namespace prefix of the Lifetime element
 * @param namespace namespace URI of the Lifetime element
 * @throws Exception if the writer fails
 */
void writeLifetime(
    W3CDOMStreamWriter writer,
    Date created,
    Date expires,
    String prefix,
    String namespace
) throws Exception {
    XmlSchemaDateFormat dateFormat = new XmlSchemaDateFormat();
    writer.writeStartElement(prefix, "Lifetime", namespace);
    // Declare wsu on the Lifetime element so both children resolve their prefix
    writer.writeNamespace("wsu", WSConstants.WSU_NS);

    String[] childNames = {"Created", "Expires"};
    Date[] instants = {created, expires};
    for (int i = 0; i < childNames.length; i++) {
        writer.writeStartElement("wsu", childNames[i], WSConstants.WSU_NS);
        writer.writeCharacters(dateFormat.format(instants[i].getTime()));
        writer.writeEndElement();
    }
    writer.writeEndElement();
}
 
Example 15
Source Project: steady   Source File: AbstractSTSClient.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Writes the wst:Lifetime element of an outgoing token request: a
 * wsu:Created of "now" and a wsu:Expires of now plus {@code ttl} seconds.
 *
 * The Lifetime element is written in the {@code namespace} field's namespace
 * and declares the wsu prefix for its two children.
 *
 * @param writer the stream to write to
 * @throws XMLStreamException if writing fails
 */
protected void addLifetime(XMLStreamWriter writer) throws XMLStreamException {
    Date now = new Date();
    // ttl is in seconds; widen before multiplying to avoid int overflow
    Date expiry = new Date(now.getTime() + ((long)ttl * 1000L));
    XmlSchemaDateFormat dateFormat = new XmlSchemaDateFormat();

    writer.writeStartElement("wst", "Lifetime", namespace);
    writer.writeNamespace("wsu", WSConstants.WSU_NS);
    String[] childNames = {"Created", "Expires"};
    Date[] instants = {now, expiry};
    for (int i = 0; i < childNames.length; i++) {
        writer.writeStartElement("wsu", childNames[i], WSConstants.WSU_NS);
        writer.writeCharacters(dateFormat.format(instants[i]));
        writer.writeEndElement();
    }
    writer.writeEndElement();
}
 
Example 16
Source Project: steady   Source File: KerberosTokenInterceptorProvider.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Selects the results that represent a processed Kerberos
 * BinarySecurityToken.
 *
 * A result qualifies when its action is BST and the binary security token
 * attached to it is a {@link KerberosSecurity}.
 *
 * @param wsSecEngineResults all results produced by the security engine
 * @return the matching results in their original order; empty if none
 */
private List<WSSecurityEngineResult> findKerberosResults(
    List<WSSecurityEngineResult> wsSecEngineResults
) {
    List<WSSecurityEngineResult> kerberosResults = new ArrayList<WSSecurityEngineResult>();
    for (WSSecurityEngineResult candidate : wsSecEngineResults) {
        Integer action = (Integer)candidate.get(WSSecurityEngineResult.TAG_ACTION);
        if (action.intValue() != WSConstants.BST) {
            continue;
        }
        BinarySecurity bst =
            (BinarySecurity)candidate.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        if (bst instanceof KerberosSecurity) {
            kerberosResults.add(candidate);
        }
    }
    return kerberosResults;
}
 
Example 17
Source Project: steady   Source File: AsymmetricBindingHandler.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Returns the id recorded for the first encryption (ENCR) result on the
 * request.
 *
 * Scans the handler results in order and returns the {@code TAG_ID} value of
 * the first ENCR action that has one.
 *
 * @param results the WSS4J handler results for the inbound message
 * @return the encrypted key id, or {@code null} if no ENCR result carried one
 */
public static String getRequestEncryptedKeyId(List<WSHandlerResult> results) {
    for (WSHandlerResult handlerResult : results) {
        for (WSSecurityEngineResult engineResult : handlerResult.getResults()) {
            int action = ((Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
            String keyId = (String)engineResult.get(WSSecurityEngineResult.TAG_ID);
            if (action == WSConstants.ENCR && keyId != null) {
                return keyId;
            }
        }
    }
    return null;
}
 
Example 18
Source Project: steady   Source File: AbstractPolicySecurityTest.java    License: Apache License 2.0 6 votes vote down vote up
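/**
 * Asserts that an inbound message was processed by WSS4J with exactly one
 * handler result, that this result contains a decryption (ENCR) action, and
 * that the ENCR result references the decrypted elements.
 *
 * @param inmsg the inbound SOAP message after the WSS4J in-interceptor ran
 */
protected void verifyWss4jEncResults(SoapMessage inmsg) {
    //
    // There should be exactly 1 (WSS4J) HandlerResult
    //
    final List<WSHandlerResult> handlerResults = 
        CastUtils.cast((List<?>)inmsg.get(WSHandlerConstants.RECV_RESULTS));
    assertNotNull(handlerResults);
    // Compare by value: the original assertSame on a boxed size only passed
    // because small Integers are cached, and it also had expected/actual swapped.
    assertEquals(1, handlerResults.size());

    List<WSSecurityEngineResult> protectionResults = new Vector<WSSecurityEngineResult>();
    WSSecurityUtil.fetchAllActionResults(handlerResults.get(0).getResults(),
            WSConstants.ENCR, protectionResults);
    assertNotNull(protectionResults);
    // Fail with a clear message instead of an IndexOutOfBoundsException on get(0)
    assertFalse("expected at least one ENCR result", protectionResults.isEmpty());
    
    //
    // This result should contain a reference to the decrypted element
    //
    final Map<String, Object> result = protectionResults.get(0);
    final List<WSDataRef> protectedElements = 
        CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
    assertNotNull(protectedElements);
}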
 
Example 19
Source Project: steady   Source File: KerberosTokenInterceptorProvider.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Selects the results that represent a processed Kerberos
 * BinarySecurityToken.
 *
 * A result qualifies when its action is BST and the binary security token
 * attached to it is a {@link KerberosSecurity}.
 *
 * @param wsSecEngineResults all results produced by the security engine
 * @return the matching results in their original order; empty if none
 */
private List<WSSecurityEngineResult> findKerberosResults(
    List<WSSecurityEngineResult> wsSecEngineResults
) {
    List<WSSecurityEngineResult> kerberosResults = new ArrayList<WSSecurityEngineResult>();
    for (WSSecurityEngineResult candidate : wsSecEngineResults) {
        Integer action = (Integer)candidate.get(WSSecurityEngineResult.TAG_ACTION);
        if (action.intValue() != WSConstants.BST) {
            continue;
        }
        BinarySecurity bst =
            (BinarySecurity)candidate.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        if (bst instanceof KerberosSecurity) {
            kerberosResults.add(candidate);
        }
    }
    return kerberosResults;
}
 
Example 20
Source Project: steady   Source File: AbstractBindingBuilder.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Returns the certificate that signed the request.
 *
 * The first SIGN action found in the handler results supplies the
 * certificate; callers use it as the encryption certificate for the response.
 *
 * @param results the WSS4J handler results for the inbound request
 * @return the signer's certificate, or {@code null} if no signature result exists
 */
private static X509Certificate getReqSigCert(List<WSHandlerResult> results) {
    for (WSHandlerResult handlerResult : results) {
        for (WSSecurityEngineResult engineResult : handlerResult.getResults()) {
            Integer action = (Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION);
            if (action.intValue() == WSConstants.SIGN) {
                return (X509Certificate)engineResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            }
        }
    }
    return null;
}
 
Example 21
Source Project: steady   Source File: AbstractBindingPolicyValidator.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Reports whether the message was encrypted before it was signed.
 *
 * The result list is in reverse processing order, so the first
 * non-endorsing signature result encountered decides: it counts as
 * "encrypted before signed" only if an ENCR result with data references was
 * seen earlier in the list. A signature whose only data reference is the
 * Signature element itself (an endorsing signature) is ignored.
 *
 * @param results the security engine results, in the order WSS4J stored them
 * @return true if a decryption result precedes the first non-endorsing signature result
 */
private boolean isEncryptedBeforeSigned(List<WSSecurityEngineResult> results) {
    boolean seenEncryption = false;
    for (WSSecurityEngineResult result : results) {
        int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
        List<WSDataRef> refs =
            CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (refs == null) {
            continue;
        }
        if (action == WSConstants.ENCR) {
            seenEncryption = true;
        } else if (action == WSConstants.SIGN) {
            boolean endorsing = refs.size() == 1 && refs.get(0).getName().equals(SIG_QNAME);
            if (!endorsing) {
                return seenEncryption;
            }
        }
    }
    return false;
}
 
Example 22
Source Project: steady   Source File: AbstractBindingPolicyValidator.java    License: Apache License 2.0 6 votes vote down vote up
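/**
 * Returns true if the element identified by {@code sigId} was covered by one
 * of the decryption (ENCR) results.
 *
 * Each decrypted element is matched on either its plain {@code Id} attribute
 * or its {@code wsu:Id} attribute. DOM attribute lookups yield an empty
 * string when the attribute is absent, so an empty or null {@code sigId} is
 * rejected up front: otherwise it would "match" every decrypted element that
 * simply has no Id, and the caller would wrongly treat that signature
 * reference as encrypted.
 *
 * @param sigId   the id referenced from the signature; null or empty never matches
 * @param results the security engine results for the message
 * @return true if some ENCR result's data references include the element
 */
private boolean isIdEncrypted(String sigId, List<WSSecurityEngineResult> results) {
    if (sigId == null || sigId.isEmpty()) {
        return false;
    }
    for (WSSecurityEngineResult wser : results) {
        Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
        // A result without an action cannot be a decryption result; skip it
        if (actInt == null || actInt.intValue() != WSConstants.ENCR) {
            continue;
        }
        List<WSDataRef> dataRefs =
            CastUtils.cast((List<?>)wser.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (dataRefs == null) {
            continue;
        }
        for (WSDataRef r : dataRefs) {
            Element protectedElement = r.getProtectedElement();
            if (protectedElement == null) {
                continue;
            }
            String id = protectedElement.getAttribute("Id");
            String wsuId = protectedElement.getAttributeNS(WSConstants.WSU_NS, "Id");
            if (sigId.equals(id) || sigId.equals(wsuId)) {
                return true;
            }
        }
    }
    return false;
}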
 
Example 23
Source Project: steady   Source File: WSS4JOutInterceptorTest.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that the outbound WSS4J interceptor, configured for a Username
 * Token with the text password type, emits a wsse:UsernameToken whose
 * Username and Password elements carry the configured values verbatim.
 */
@Test
public void testUsernameTokenText() throws Exception {
    SOAPMessage saaj = readSAAJDocument("wsse-request-clean.xml");
    SoapMessage outMsg = new SoapMessage(new MessageImpl());
    Exchange exchange = new ExchangeImpl();
    exchange.setInMessage(outMsg);
    outMsg.setContent(SOAPMessage.class, saaj);

    // Configure a UsernameToken action that carries the password as plain text
    outMsg.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
    outMsg.put(WSHandlerConstants.SIG_PROP_FILE, "outsecurity.properties");
    outMsg.put(WSHandlerConstants.USER, "username");
    outMsg.put("password", "myAliasPassword");
    outMsg.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);

    PhaseInterceptor<SoapMessage> ending = new WSS4JOutInterceptor().createEndingInterceptor();
    ending.handleMessage(outMsg);

    SOAPPart doc = saaj.getSOAPPart();
    String tokenPath = "//wsse:Security/wsse:UsernameToken";
    assertValid("//wsse:Security", doc);
    assertValid(tokenPath, doc);
    assertValid(tokenPath + "/wsse:Username[text()='username']", doc);
    // The password type is text, so the header must contain the plaintext password
    assertValid(tokenPath + "/wsse:Password[text()='myAliasPassword']", doc);
}
 
Example 24
Source Project: steady   Source File: CryptoCoverageUtil.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Decides whether {@code signedRef} covers the encrypted content described
 * by {@code encryptedRef}.
 *
 * The checks, in order:
 * <ol>
 * <li>the signed element must be in the XML Encryption namespace;</li>
 * <li>the signed reference id must equal the encrypted reference id, either
 * exactly or prefixed with {@code #};</li>
 * <li>failing that, the wsu:Id attribute found on the signed element itself
 * is compared the same way. An EncryptedData or EncryptedKey element should
 * carry no such id, but WSS4J 1.5.8 and earlier add one on the outbound
 * side (see WSS-242).</li>
 * </ol>
 *
 * @param encryptedRef the ref representing the encrypted content
 * @param signedRef the ref representing the signed content
 * @return true when the signed reference identifies the encrypted content
 */
private static boolean isSignedEncryptionRef(WSDataRef encryptedRef, WSDataRef signedRef) {
    // Only xenc elements can be the signed side of a sign-over-encrypt pair
    String signedNs = signedRef.getProtectedElement().getNamespaceURI();
    if (!WSConstants.ENC_NS.equals(signedNs)) {
        return false;
    }

    String signedId = signedRef.getWsuId();
    String encryptedId = encryptedRef.getWsuId();
    if (signedId.equals(encryptedId) || signedId.equals("#" + encryptedId)) {
        return true;
    }

    // WSS-242 workaround for the extra wsu:Id that WSS4J <= 1.5.8 adds on the
    // outbound side of an EncryptedData / EncryptedKey element.
    String elementWsuId = signedRef.getProtectedElement().getAttributeNS(
            WSConstants.WSU_NS, "Id");
    return signedId.equals(elementWsuId) || signedId.equals("#" + elementWsuId);
}
 
Example 25
Source Project: steady   Source File: WSS4JInOutTest.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Exercises the UsernameToken round trip with mismatched password types.
 *
 * The outbound side sends a text password while the inbound side is
 * configured for digest. With {@code PASSWORD_TYPE_STRICT} set to "false"
 * the message must be accepted; with it set to "true" the inbound
 * interceptor must reject the message with a {@code Fault}.
 */
@Test
public void testUsernameToken() throws Exception {
    Map<String, String> outProperties = new HashMap<String, String>();
    outProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
    outProperties.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
    outProperties.put(WSHandlerConstants.USER, "alice");
    outProperties.put("password", "alicePassword");

    Map<String, String> inProperties = new HashMap<String, String>();
    inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
    inProperties.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
    inProperties.put(
        WSHandlerConstants.PW_CALLBACK_CLASS, 
        "org.apache.cxf.ws.security.wss4j.TestPwdCallback"
    );

    List<String> xpaths = new ArrayList<String>();
    xpaths.add("//wsse:Security");

    // Non-strict: a text password is accepted even though digest is configured
    inProperties.put(WSHandlerConstants.PASSWORD_TYPE_STRICT, "false");
    makeInvocation(outProperties, xpaths, inProperties);

    // Strict: the same message must now be refused with a Fault
    inProperties.put(WSHandlerConstants.PASSWORD_TYPE_STRICT, "true");
    boolean rejected = false;
    try {
        makeInvocation(outProperties, xpaths, inProperties);
    } catch (org.apache.cxf.interceptor.Fault fault) {
        rejected = true;
    }
    if (!rejected) {
        fail("Failure expected on the wrong password type");
    }
}
 
Example 26
Source Project: steady   Source File: IssuedTokenInterceptorProvider.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Reads the identifier attribute of a token element.
 *
 * Looks, in order, for a wsu:Id, an un-namespaced {@code ID} and an
 * un-namespaced {@code AssertionID} attribute.
 *
 * @param token the token element, may be null
 * @return the first identifier found, or the empty string when the element
 *         is null or carries none of those attributes
 */
private String getIdFromToken(Element token) {
    if (token == null) {
        return "";
    }
    String[] namespaces = {WSConstants.WSU_NS, null, null};
    String[] localNames = {"Id", "ID", "AssertionID"};
    for (int i = 0; i < localNames.length; i++) {
        if (token.hasAttributeNS(namespaces[i], localNames[i])) {
            return token.getAttributeNS(namespaces[i], localNames[i]);
        }
    }
    return "";
}
 
Example 27
/**
 * Validates the SecurityContextToken results against the configured policy.
 *
 * Collects every SCT result (and, when derived keys are in use, the derived
 * key result matching each token's secret), then applies the signed,
 * encrypted and endorsing requirements followed by the signed/encrypted
 * element policies.
 *
 * @return true if at least one SecurityContextToken was processed and every
 *         enabled check passed; false otherwise
 */
protected boolean processSCTokens() {
    List<WSSecurityEngineResult> sctResults = new ArrayList<WSSecurityEngineResult>();
    List<WSSecurityEngineResult> derivedKeyResults = new ArrayList<WSSecurityEngineResult>();
    for (WSSecurityEngineResult wser : results) {
        int action = ((Integer)wser.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
        if (action != WSConstants.SCT) {
            continue;
        }
        if (derived) {
            // Pair the token with the derived key result computed from its secret
            byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
            WSSecurityEngineResult dkt = getMatchingDerivedKey(secret);
            if (dkt != null) {
                derivedKeyResults.add(dkt);
            }
        }
        sctResults.add(wser);
    }

    if (sctResults.isEmpty()) {
        return false;
    }
    if (signed && !areTokensSigned(sctResults)) {
        return false;
    }
    if (encrypted && !areTokensEncrypted(sctResults)) {
        return false;
    }
    // From here on the derived key results take part in the checks as well
    sctResults.addAll(derivedKeyResults);
    if (endorsed && !checkEndorsed(sctResults)) {
        return false;
    }
    return validateSignedEncryptedPolicies(sctResults);
}
 
Example 28
Source Project: steady   Source File: NegotiationUtils.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Extracts the SecurityContextToken from the WSS4J results of a message.
 *
 * On the first SCT result found, the token identifier is stored on the
 * exchange under {@code SecurityConstants.TOKEN_ID}; if the result also
 * carries the shared secret, a {@link SecurityToken} holding the element,
 * secret and token type is added to the message's token store.
 *
 * @param message the processed SOAP message
 * @return true if a SecurityContextToken result was found; false if there
 *         were no handler results or none of them contained an SCT
 */
static boolean parseSCTResult(SoapMessage message) {
    List<WSHandlerResult> handlerResults = 
        CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
    if (handlerResults == null) {
        return false;
    }

    for (WSHandlerResult handlerResult : handlerResults) {
        for (WSSecurityEngineResult wser : handlerResult.getResults()) {
            Integer action = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
            if (action.intValue() != WSConstants.SCT) {
                continue;
            }
            SecurityContextToken sct = 
                (SecurityContextToken)wser.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
            String identifier = sct.getIdentifier();
            message.getExchange().put(SecurityConstants.TOKEN_ID, identifier);

            // Only a result that exposes the secret can be turned into a usable token
            byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
            if (secret != null) {
                SecurityToken stored = new SecurityToken(identifier);
                stored.setToken(sct.getElement());
                stored.setSecret(secret);
                stored.setTokenType(sct.getTokenType());
                getTokenStore(message).add(stored);
            }
            return true;
        }
    }
    return false;
}
 
Example 29
Source Project: steady   Source File: IssuedTokenInterceptorProvider.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Collects the SAML assertions from the security engine results.
 *
 * Both signed and unsigned SAML token actions are included, in result order.
 *
 * @param wsSecEngineResults results produced by the security engine
 * @return the assertions found; empty if none
 */
private List<AssertionWrapper> findSamlTokenResults(
    List<WSSecurityEngineResult> wsSecEngineResults
) {
    List<AssertionWrapper> assertions = new ArrayList<AssertionWrapper>();
    for (WSSecurityEngineResult wser : wsSecEngineResults) {
        int action = ((Integer)wser.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
        boolean samlAction =
            action == WSConstants.ST_SIGNED || action == WSConstants.ST_UNSIGNED;
        if (samlAction) {
            assertions.add((AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION));
        }
    }
    return assertions;
}
 
Example 30
Source Project: steady   Source File: WSS4JOutInterceptorTest.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that a custom action registered under {@code WSS4J_ACTION_MAP}
 * is invoked by the outbound interceptor: the action id "12345" maps to a
 * counting UsernameToken action, the resulting header must contain the
 * plaintext Username Token, and the action must have run exactly once.
 */
@Test
public void testAddCustomAction() throws Exception {
    SOAPMessage saaj = readSAAJDocument("wsse-request-clean.xml");
    SoapMessage outMsg = new SoapMessage(new MessageImpl());
    Exchange exchange = new ExchangeImpl();
    exchange.setInMessage(outMsg);
    outMsg.setContent(SOAPMessage.class, saaj);

    // Register the custom action under a numeric id and select it via ACTION
    CountingUsernameTokenAction countingAction = new CountingUsernameTokenAction();
    Map<Object, Object> actionMap = new HashMap<Object, Object>(1);
    actionMap.put(12345, countingAction);

    outMsg.put(WSHandlerConstants.ACTION, "12345");
    outMsg.put(WSHandlerConstants.SIG_PROP_FILE, "outsecurity.properties");
    outMsg.put(WSHandlerConstants.USER, "username");
    outMsg.put("password", "myAliasPassword");
    outMsg.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
    outMsg.put(WSS4JOutInterceptor.WSS4J_ACTION_MAP, actionMap);

    PhaseInterceptor<SoapMessage> ending = new WSS4JOutInterceptor().createEndingInterceptor();
    ending.handleMessage(outMsg);

    SOAPPart doc = saaj.getSOAPPart();
    String tokenPath = "//wsse:Security/wsse:UsernameToken";
    assertValid("//wsse:Security", doc);
    assertValid(tokenPath, doc);
    assertValid(tokenPath + "/wsse:Username[text()='username']", doc);
    // Text password type, so the plaintext password appears in the header
    assertValid(tokenPath + "/wsse:Password[text()='myAliasPassword']", doc);
    assertEquals(1, countingAction.getExecutions());
}