org.apache.cxf.ws.security.trust.STSUtils Java Examples

Example #1
Source File: SimpleBatchSTSClient.java — from cxf (Apache License 2.0)
/**
 * Writes the KeyType (or, for secure conversation, the TokenType) element of an RST
 * and reports the key type that is in effect for the request.
 *
 * @param writer         writer positioned inside the RST
 * @param keyTypeToWrite key type requested by the caller; may be {@code null}
 * @return the key type that applies to the request, or {@code null} when none was written
 * @throws XMLStreamException on a write failure
 */
protected String writeKeyType(W3CDOMStreamWriter writer, String keyTypeToWrite)
    throws XMLStreamException {
    String symmetricKeyType = namespace + "/SymmetricKey";
    if (isSecureConv) {
        if (keyTypeToWrite != null) {
            // the caller already picked a key type; nothing is written for secure conversation
            return keyTypeToWrite;
        }
        writer.writeStartElement("wst", "TokenType", namespace);
        writer.writeCharacters(STSUtils.getTokenTypeSCT(namespace));
        writer.writeEndElement();
        return symmetricKeyType;
    }
    if (keyTypeToWrite == null) {
        if (!sendKeyType) {
            return null;
        }
        keyTypeToWrite = symmetricKeyType;
    }
    writer.writeStartElement("wst", "KeyType", namespace);
    writer.writeCharacters(keyTypeToWrite);
    writer.writeEndElement();
    return keyTypeToWrite;
}
 
Example #2
Source File: STSClientAction.java — from cxf-fediz (Apache License 2.0)
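/**
 * Builds a {@code wst:Claims} element (Information Card dialect) listing the claims
 * requested for the realm.
 *
 * @param realmClaims claims to request; may be {@code null}
 * @return the {@code wst:Claims} DOM element, or {@code null} when there is nothing to request
 * @throws ParserConfigurationException if the DOM writer cannot be created
 * @throws XMLStreamException on a write failure
 */
private Element createClaimsElement(List<RequestClaim> realmClaims)
    throws ParserConfigurationException, XMLStreamException {
    if (realmClaims == null || realmClaims.isEmpty()) {
        return null;
    }

    W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
    writer.writeStartElement("wst", "Claims", STSUtils.WST_NS_05_12);
    writer.writeNamespace("wst", STSUtils.WST_NS_05_12);
    writer.writeNamespace("ic", HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY);
    writer.writeAttribute("Dialect", HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY);

    // The empty list was rejected above, so no second emptiness check is needed here.
    for (RequestClaim item : realmClaims) {
        String claimType = item.getClaimType().toString();
        LOG.debug("  {}", claimType);
        writer.writeStartElement("ic", "ClaimType", HTTP_SCHEMAS_XMLSOAP_ORG_WS_2005_05_IDENTITY);
        writer.writeAttribute("Uri", claimType);
        writer.writeAttribute("Optional", Boolean.toString(item.isOptional()));
        writer.writeEndElement();
    }

    writer.writeEndElement();

    return writer.getDocument().getDocumentElement();
}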
 
Example #3
Source File: AbstractSTSTest.java — from cxf-fediz (Apache License 2.0)
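/**
 * Builds a {@code wst:Claims} element (Information Card dialect) with one
 * {@code ic:ClaimType} per claim URI.
 *
 * @param realmClaims claim type URIs to request; may be {@code null}
 * @return the {@code wst:Claims} DOM element, or {@code null} when there is nothing to request
 * @throws Exception on a write failure
 */
protected Element createClaimsElement(List<String> realmClaims) throws Exception {
    if (realmClaims == null || realmClaims.isEmpty()) {
        return null;
    }

    W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
    writer.writeStartElement("wst", "Claims", STSUtils.WST_NS_05_12);
    writer.writeNamespace("wst", STSUtils.WST_NS_05_12);
    writer.writeNamespace("ic", "http://schemas.xmlsoap.org/ws/2005/05/identity");
    writer.writeAttribute("Dialect", "http://schemas.xmlsoap.org/ws/2005/05/identity");

    // Null/empty was rejected above, so the list is iterated unconditionally.
    // No "Optional" attribute is written: every claim is requested as mandatory.
    for (String item : realmClaims) {
        writer.writeStartElement("ic", "ClaimType", "http://schemas.xmlsoap.org/ws/2005/05/identity");
        writer.writeAttribute("Uri", item);
        writer.writeEndElement();
    }

    writer.writeEndElement();

    return writer.getDocument().getDocumentElement();
}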
 
Example #4
Source File: STSInvoker.java — from cxf (Apache License 2.0)
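/**
 * Handles a WS-Trust Cancel request: removes the token from the endpoint's TokenStore,
 * publishes it on the exchange so the response can be signed with it, and writes the
 * {@code RequestedTokenCancelled} response (wrapped in a
 * {@code RequestSecurityTokenResponseCollection} for the {@code WST_NS_05_12} namespace).
 *
 * @param exchange    current exchange; its endpoint must carry a TokenStore property
 * @param cancelToken the token being cancelled
 * @param writer      writer positioned where the response body goes
 * @param prefix      WS-Trust prefix for the response elements
 * @param namespace   WS-Trust namespace of the request
 * @throws IllegalStateException when the endpoint has no TokenStore configured
 * @throws Exception on a write failure
 */
private void doCancel(
    Exchange exchange,
    SecurityToken cancelToken,
    W3CDOMStreamWriter writer,
    String prefix,
    String namespace
) throws Exception {
    // Resolve the store before writing anything, so a misconfigured endpoint fails cleanly
    // instead of with an NPE after a partial response has already been written.
    TokenStore store = (TokenStore)exchange.getEndpoint().getEndpointInfo()
            .getProperty(TokenStore.class.getName());
    if (store == null) {
        throw new IllegalStateException("No TokenStore configured on the endpoint; cannot cancel token");
    }

    boolean wrapInCollection = STSUtils.WST_NS_05_12.equals(namespace);
    if (wrapInCollection) {
        writer.writeStartElement(prefix, "RequestSecurityTokenResponseCollection", namespace);
    }
    writer.writeStartElement(prefix, "RequestSecurityTokenResponse", namespace);

    store.remove(cancelToken.getId());
    // Put the token on the out message so that we can sign the response
    exchange.put(SecurityConstants.TOKEN, cancelToken);
    writer.writeEmptyElement(prefix, "RequestedTokenCancelled", namespace);

    writer.writeEndElement();
    if (wrapInCollection) {
        writer.writeEndElement();
    }
}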
 
Example #5
Source File: SCTProviderTest.java — from cxf (Apache License 2.0)
/**
 * Creates a SecurityContextToken and checks the negotiated KeySize: the provider default,
 * an explicitly requested size, and a size the provider rejects (which falls back to the default).
 */
@org.junit.Test
public void testCreateSCTKeySize() throws Exception {
    TokenProvider provider = new SCTProvider();
    TokenProviderParameters params = createProviderParameters(STSUtils.TOKEN_TYPE_SCT_05_12);
    assertTrue(provider.canHandleToken(STSUtils.TOKEN_TYPE_SCT_05_12));

    // Default key size
    TokenProviderResponse response = provider.createToken(params);
    assertNotNull(response);
    assertTrue(response.getToken() != null && response.getTokenId() != null);
    assertTrue(response.getKeySize() == 256L);

    // A requested key size within the accepted range is honoured
    KeyRequirements keyReqs = params.getKeyRequirements();
    keyReqs.setKeySize(192);
    response = provider.createToken(params);
    assertNotNull(response);
    assertTrue(response.getKeySize() == 192L);

    // A key size the provider rejects is replaced by the default
    keyReqs.setKeySize(64);
    response = provider.createToken(params);
    assertTrue(response.getKeySize() == 256L);
}
 
Example #6
Source File: SCTProviderTest.java — from cxf (Apache License 2.0)
/**
 * Creates a SecurityContextToken and checks that it can be looked up in the token store
 * by its identifier, while an unknown identifier yields nothing.
 */
@org.junit.Test
public void testCreateSCTCache() throws Exception {
    TokenProvider provider = new SCTProvider();
    TokenProviderParameters params = createProviderParameters(STSUtils.TOKEN_TYPE_SCT_05_12);
    assertTrue(provider.canHandleToken(STSUtils.TOKEN_TYPE_SCT_05_12));

    TokenProviderResponse response = provider.createToken(params);
    assertNotNull(response);
    assertTrue(response.getToken() != null && response.getTokenId() != null);

    // The identifier carried by the SCT element is the cache key
    SecurityContextToken sct = new SecurityContextToken((Element)response.getToken());
    String id = sct.getIdentifier();
    assertNotNull(tokenStore.getToken(id));
    assertNull(tokenStore.getToken(id + "1234"));
}
 
Example #7
Source File: SCTProviderTest.java — from cxf (Apache License 2.0)
/**
 * Creates a SecurityContextToken with entropy returned (the default) and then with
 * {@code returnEntropy} switched off, checking the response entropy in both cases.
 */
@org.junit.Test
public void testCreateSCTReturnEntropy() throws Exception {
    // Declared as the concrete type so the returnEntropy accessors need no casts
    SCTProvider provider = new SCTProvider();
    assertTrue(provider.isReturnEntropy());

    TokenProviderParameters params = createProviderParameters(STSUtils.TOKEN_TYPE_SCT_05_12);
    assertTrue(provider.canHandleToken(STSUtils.TOKEN_TYPE_SCT_05_12));

    // Entropy is returned by default
    TokenProviderResponse response = provider.createToken(params);
    assertNotNull(response);
    assertTrue(response.getToken() != null && response.getTokenId() != null);
    byte[] entropy = response.getEntropy();
    assertTrue(entropy != null && entropy.length > 0);

    // No entropy once it is disabled
    provider.setReturnEntropy(false);
    response = provider.createToken(params);
    assertNotNull(response);
    assertTrue(response.getToken() != null && response.getTokenId() != null);
    assertNull(response.getEntropy());
}
 
Example #8
Source File: SCTProviderTest.java — from cxf (Apache License 2.0)
/**
 * Creates a SecurityContextToken for the 05/02 token type and checks that the serialized
 * token uses the matching WS-SecureConversation namespace and not the 05/12 one.
 */
@org.junit.Test
public void testCreateSCTDifferentNamespace() throws Exception {
    TokenProvider provider = new SCTProvider();
    TokenProviderParameters params = createProviderParameters(STSUtils.TOKEN_TYPE_SCT_05_02);
    assertTrue(provider.canHandleToken(STSUtils.TOKEN_TYPE_SCT_05_02));

    TokenProviderResponse response = provider.createToken(params);
    assertNotNull(response);
    assertTrue(response.getToken() != null && response.getTokenId() != null);

    String serialized = DOM2Writer.nodeToString((Element)response.getToken());
    assertTrue(serialized.contains(ConversationConstants.WSC_NS_05_02));
    assertFalse(serialized.contains(ConversationConstants.WSC_NS_05_12));
}
 
Example #9
Source File: SCTProviderTest.java — from cxf (Apache License 2.0)
/**
 * Creates a SecurityContextToken for the 05/12 token type and checks that the serialized
 * token uses the matching WS-SecureConversation namespace and not the 05/02 one.
 */
@org.junit.Test
public void testCreateSCT() throws Exception {
    TokenProvider provider = new SCTProvider();
    TokenProviderParameters params = createProviderParameters(STSUtils.TOKEN_TYPE_SCT_05_12);
    assertTrue(provider.canHandleToken(STSUtils.TOKEN_TYPE_SCT_05_12));

    TokenProviderResponse response = provider.createToken(params);
    assertNotNull(response);
    assertTrue(response.getToken() != null && response.getTokenId() != null);

    String serialized = DOM2Writer.nodeToString((Element)response.getToken());
    assertTrue(serialized.contains(ConversationConstants.WSC_NS_05_12));
    assertFalse(serialized.contains(ConversationConstants.WSC_NS_05_02));
}
 
Example #10
Source File: SCTInInterceptor.java — from cxf (Apache License 2.0)
/**
 * Marks WS-Trust {@code RST/SCT} requests as having a verified WS-Addressing action.
 * The action is read from the SOAPAction header, falling back to the inbound WS-Addressing
 * Action header because MS/WCF clients send no SOAPAction for this request.
 *
 * @param message the inbound SOAP message
 */
public void handleMessage(SoapMessage message) throws Fault {
    String action = (String)message.get(SoapBindingConstants.SOAP_ACTION);
    AddressingProperties inbound = (AddressingProperties)message
        .getContextualProperty(JAXWSAConstants.ADDRESSING_PROPERTIES_INBOUND);
    if (action == null && inbound != null) {
        action = inbound.getAction().getValue();
    }
    if (action == null) {
        return;
    }

    boolean wsTrustAction = action.startsWith(STSUtils.WST_NS_05_02)
        || action.startsWith(STSUtils.WST_NS_05_12);
    if (wsTrustAction && action.contains("/RST/SCT")) {
        message.put(org.apache.cxf.ws.addressing.MAPAggregator.ACTION_VERIFIED, Boolean.TRUE);
    }
}
 
Example #11
Source File: SimpleBatchSTSClient.java — from cxf (Apache License 2.0)
/**
 * Extracts the token identifier from a SecurityTokenReference element.
 * A {@code wsse:Reference} child yields its {@code URI} attribute; a {@code ds:KeyInfo},
 * {@code wsse:KeyIdentifier} or WS-SecureConversation {@code Identifier} child yields its
 * text content.
 *
 * @param el the SecurityTokenReference element
 * @return the identifier, or {@code null} when the first child is absent or of an unknown type
 */
protected String getIDFromSTR(Element el) {
    Element child = DOMUtils.getFirstElement(el);
    if (child == null) {
        return null;
    }
    QName name = DOMUtils.getElementQName(child);
    if (name.equals(Reference.TOKEN)) {
        return child.getAttributeNS(null, "URI");
    }
    boolean textHoldsId = name.equals(new QName(WSS4JConstants.SIG_NS, "KeyInfo"))
        || name.equals(new QName(WSS4JConstants.WSSE_NS, "KeyIdentifier"))
        || name.equals(new QName(STSUtils.SCT_NS_05_02, "Identifier"))
        || name.equals(new QName(STSUtils.SCT_NS_05_12, "Identifier"));
    return textHoldsId ? DOMUtils.getContent(child) : null;
}
 
Example #12
Source File: STSInvoker.java — from steady (Apache License 2.0)
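/**
 * Handles a WS-Trust Cancel request: removes the token from the endpoint's TokenStore and
 * writes the {@code RequestedTokenCancelled} response (wrapped in a
 * {@code RequestSecurityTokenResponseCollection} for the {@code WST_NS_05_12} namespace).
 *
 * @param exchange    current exchange; must carry an Endpoint whose info holds a TokenStore
 * @param cancelToken the token being cancelled
 * @param writer      writer positioned where the response body goes
 * @param prefix      WS-Trust prefix for the response elements
 * @param namespace   WS-Trust namespace of the request
 * @throws IllegalStateException when no TokenStore is configured on the exchange's endpoint
 * @throws Exception on a write failure
 */
private void doCancel(
    Exchange exchange,
    SecurityToken cancelToken,
    W3CDOMStreamWriter writer,
    String prefix,
    String namespace
) throws Exception {
    // Resolve the store before writing anything, so a misconfigured endpoint fails cleanly
    // instead of with an NPE after a partial response has already been written.
    Endpoint endpoint = exchange.get(Endpoint.class);
    TokenStore store = endpoint == null ? null
        : (TokenStore)endpoint.getEndpointInfo().getProperty(TokenStore.class.getName());
    if (store == null) {
        throw new IllegalStateException("No TokenStore configured on the endpoint; cannot cancel token");
    }

    boolean wrapInCollection = STSUtils.WST_NS_05_12.equals(namespace);
    if (wrapInCollection) {
        writer.writeStartElement(prefix, "RequestSecurityTokenResponseCollection", namespace);
    }
    writer.writeStartElement(prefix, "RequestSecurityTokenResponse", namespace);

    store.remove(cancelToken.getId());
    writer.writeEmptyElement(prefix, "RequestedTokenCancelled", namespace);

    writer.writeEndElement();
    if (wrapInCollection) {
        writer.writeEndElement();
    }
}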
 
Example #13
Source File: STSInvoker.java — from steady (Apache License 2.0)
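/**
 * Handles a WS-Trust Cancel request: removes the token from the endpoint's TokenStore and
 * writes the {@code RequestedTokenCancelled} response (wrapped in a
 * {@code RequestSecurityTokenResponseCollection} for the {@code WST_NS_05_12} namespace).
 *
 * @param exchange    current exchange; must carry an Endpoint whose info holds a TokenStore
 * @param cancelToken the token being cancelled
 * @param writer      writer positioned where the response body goes
 * @param prefix      WS-Trust prefix for the response elements
 * @param namespace   WS-Trust namespace of the request
 * @throws IllegalStateException when no TokenStore is configured on the exchange's endpoint
 * @throws Exception on a write failure
 */
private void doCancel(
    Exchange exchange,
    SecurityToken cancelToken,
    W3CDOMStreamWriter writer,
    String prefix,
    String namespace
) throws Exception {
    // Resolve the store before writing anything, so a misconfigured endpoint fails cleanly
    // instead of with an NPE after a partial response has already been written.
    Endpoint endpoint = exchange.get(Endpoint.class);
    TokenStore store = endpoint == null ? null
        : (TokenStore)endpoint.getEndpointInfo().getProperty(TokenStore.class.getName());
    if (store == null) {
        throw new IllegalStateException("No TokenStore configured on the endpoint; cannot cancel token");
    }

    boolean wrapInCollection = STSUtils.WST_NS_05_12.equals(namespace);
    if (wrapInCollection) {
        writer.writeStartElement(prefix, "RequestSecurityTokenResponseCollection", namespace);
    }
    writer.writeStartElement(prefix, "RequestSecurityTokenResponse", namespace);

    store.remove(cancelToken.getId());
    writer.writeEmptyElement(prefix, "RequestedTokenCancelled", namespace);

    writer.writeEndElement();
    if (wrapInCollection) {
        writer.writeEndElement();
    }
}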
 
Example #14
Source File: STSInvoker.java — from steady (Apache License 2.0)
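/**
 * Handles a WS-Trust Cancel request: removes the token from the endpoint's TokenStore and
 * writes the {@code RequestedTokenCancelled} response (wrapped in a
 * {@code RequestSecurityTokenResponseCollection} for the {@code WST_NS_05_12} namespace).
 *
 * @param exchange    current exchange; must carry an Endpoint whose info holds a TokenStore
 * @param cancelToken the token being cancelled
 * @param writer      writer positioned where the response body goes
 * @param prefix      WS-Trust prefix for the response elements
 * @param namespace   WS-Trust namespace of the request
 * @throws IllegalStateException when no TokenStore is configured on the exchange's endpoint
 * @throws Exception on a write failure
 */
private void doCancel(
    Exchange exchange,
    SecurityToken cancelToken,
    W3CDOMStreamWriter writer,
    String prefix,
    String namespace
) throws Exception {
    // Resolve the store before writing anything, so a misconfigured endpoint fails cleanly
    // instead of with an NPE after a partial response has already been written.
    Endpoint endpoint = exchange.get(Endpoint.class);
    TokenStore store = endpoint == null ? null
        : (TokenStore)endpoint.getEndpointInfo().getProperty(TokenStore.class.getName());
    if (store == null) {
        throw new IllegalStateException("No TokenStore configured on the endpoint; cannot cancel token");
    }

    boolean wrapInCollection = STSUtils.WST_NS_05_12.equals(namespace);
    if (wrapInCollection) {
        writer.writeStartElement(prefix, "RequestSecurityTokenResponseCollection", namespace);
    }
    writer.writeStartElement(prefix, "RequestSecurityTokenResponse", namespace);

    store.remove(cancelToken.getId());
    writer.writeEmptyElement(prefix, "RequestedTokenCancelled", namespace);

    writer.writeEndElement();
    if (wrapInCollection) {
        writer.writeEndElement();
    }
}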
 
Example #15
Source File: STSInvoker.java — from steady (Apache License 2.0)
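/**
 * Handles a WS-Trust Cancel request: removes the token from the endpoint's TokenStore and
 * writes the {@code RequestedTokenCancelled} response (wrapped in a
 * {@code RequestSecurityTokenResponseCollection} for the {@code WST_NS_05_12} namespace).
 *
 * @param exchange    current exchange; must carry an Endpoint whose info holds a TokenStore
 * @param cancelToken the token being cancelled
 * @param writer      writer positioned where the response body goes
 * @param prefix      WS-Trust prefix for the response elements
 * @param namespace   WS-Trust namespace of the request
 * @throws IllegalStateException when no TokenStore is configured on the exchange's endpoint
 * @throws Exception on a write failure
 */
private void doCancel(
    Exchange exchange,
    SecurityToken cancelToken,
    W3CDOMStreamWriter writer,
    String prefix,
    String namespace
) throws Exception {
    // Resolve the store before writing anything, so a misconfigured endpoint fails cleanly
    // instead of with an NPE after a partial response has already been written.
    Endpoint endpoint = exchange.get(Endpoint.class);
    TokenStore store = endpoint == null ? null
        : (TokenStore)endpoint.getEndpointInfo().getProperty(TokenStore.class.getName());
    if (store == null) {
        throw new IllegalStateException("No TokenStore configured on the endpoint; cannot cancel token");
    }

    boolean wrapInCollection = STSUtils.WST_NS_05_12.equals(namespace);
    if (wrapInCollection) {
        writer.writeStartElement(prefix, "RequestSecurityTokenResponseCollection", namespace);
    }
    writer.writeStartElement(prefix, "RequestSecurityTokenResponse", namespace);

    store.remove(cancelToken.getId());
    writer.writeEmptyElement(prefix, "RequestedTokenCancelled", namespace);

    writer.writeEndElement();
    if (wrapInCollection) {
        writer.writeEndElement();
    }
}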
 
Example #16
Source File: ValidateSCTUnitTest.java — from cxf (Apache License 2.0)
/**
 * Issues a fresh SecurityContextToken (05/12 token type) through the SCTProvider and
 * checks that the provider produced both a token element and a token id.
 *
 * @return the provider response holding the new token
 * @throws WSSecurityException if token creation fails
 */
private TokenProviderResponse createSCT() throws WSSecurityException {
    TokenProvider provider = new SCTProvider();
    TokenProviderParameters params = createProviderParameters(STSUtils.TOKEN_TYPE_SCT_05_12);
    assertTrue(provider.canHandleToken(STSUtils.TOKEN_TYPE_SCT_05_12));

    TokenProviderResponse response = provider.createToken(params);
    assertNotNull(response);
    boolean complete = response.getToken() != null && response.getTokenId() != null;
    assertTrue(complete);
    return response;
}
 
Example #17
Source File: SCTValidatorTest.java — from cxf (Apache License 2.0)
/**
 * Issues a SecurityContextToken (05/12 token type) through a fresh SCTProvider.
 *
 * @return the provider response holding the new token
 * @throws Exception if token creation fails
 */
private TokenProviderResponse getSecurityContextToken() throws Exception {
    TokenProvider provider = new SCTProvider();
    return provider.createToken(createProviderParameters(STSUtils.TOKEN_TYPE_SCT_05_12));
}
 
Example #18
Source File: CancelSCTUnitTest.java — from cxf (Apache License 2.0)
/**
 * Issues a fresh SecurityContextToken (05/12 token type) through the SCTProvider and
 * checks that the provider produced both a token element and a token id.
 *
 * @return the provider response holding the new token
 * @throws WSSecurityException if token creation fails
 */
private TokenProviderResponse createSCT() throws WSSecurityException {
    TokenProvider provider = new SCTProvider();
    TokenProviderParameters params = createProviderParameters(STSUtils.TOKEN_TYPE_SCT_05_12);
    assertTrue(provider.canHandleToken(STSUtils.TOKEN_TYPE_SCT_05_12));

    TokenProviderResponse response = provider.createToken(params);
    assertNotNull(response);
    boolean complete = response.getToken() != null && response.getTokenId() != null;
    assertTrue(complete);
    return response;
}
 
Example #19
Source File: SCTCancellerTest.java — from cxf (Apache License 2.0)
/**
 * Issues a SecurityContextToken (05/12 token type) through a fresh SCTProvider.
 *
 * @return the provider response holding the new token
 * @throws Exception if token creation fails
 */
private TokenProviderResponse getSecurityContextToken() throws Exception {
    TokenProvider provider = new SCTProvider();
    return provider.createToken(createProviderParameters(STSUtils.TOKEN_TYPE_SCT_05_12));
}
 
Example #20
Source File: SCTCanceller.java — from cxf (Apache License 2.0)
/**
 * Returns whether this TokenCanceller can cancel the given token: the token must be a DOM
 * {@code SecurityContextToken} element in one of the WS-SecureConversation namespaces
 * ({@code SCT_NS_05_02} or {@code SCT_NS_05_12}). Anything else, including non-DOM tokens,
 * is rejected.
 *
 * @param targetToken the received token to inspect
 * @return {@code true} if this implementation handles the token
 */
public boolean canHandleToken(ReceivedToken targetToken) {
    Object token = targetToken.getToken();
    if (!(token instanceof Element)) {
        return false;
    }
    Element tokenElement = (Element)token;
    String ns = tokenElement.getNamespaceURI();
    String localName = tokenElement.getLocalName();
    boolean sctNamespace = STSUtils.SCT_NS_05_02.equals(ns) || STSUtils.SCT_NS_05_12.equals(ns);
    return sctNamespace && "SecurityContextToken".equals(localName);
}
 
Example #21
Source File: SCTValidator.java — from cxf (Apache License 2.0)
/**
 * Returns whether this TokenValidator can validate the given token: the token must be a DOM
 * {@code SecurityContextToken} element in one of the WS-SecureConversation namespaces
 * ({@code SCT_NS_05_02} or {@code SCT_NS_05_12}). The realm plays no part in the decision.
 *
 * @param validateTarget the received token to inspect
 * @param realm          ignored by this validator
 * @return {@code true} if this implementation handles the token
 */
public boolean canHandleToken(ReceivedToken validateTarget, String realm) {
    Object token = validateTarget.getToken();
    if (!(token instanceof Element)) {
        return false;
    }
    Element tokenElement = (Element)token;
    String ns = tokenElement.getNamespaceURI();
    String localName = tokenElement.getLocalName();
    boolean sctNamespace = STSUtils.SCT_NS_05_02.equals(ns) || STSUtils.SCT_NS_05_12.equals(ns);
    return sctNamespace && "SecurityContextToken".equals(localName);
}
 
Example #22
Source File: NegotiationUtils.java — from steady (Apache License 2.0)
/**
 * Re-targets the current exchange at a synthesized STS (or, when {@code secConv} is set,
 * secure-conversation) endpoint for the given WS-Trust namespace, so that the in-band
 * RST is handled by {@code invoker} under that endpoint's effective policy.
 * <p>
 * The new endpoint shares the message's TokenStore, its server policy interceptors are
 * appended to the current interceptor chain, its assertions replace the message's
 * {@link AssertionInfoMap}, and the exchange's Endpoint/Service/Binding are swapped.
 * Does nothing when the bus has no {@link PolicyEngine}.
 *
 * @param message   the inbound SOAP message being re-targeted
 * @param namespace WS-Trust namespace of the request (selects the endpoint's contract)
 * @param policy    policy to apply to the synthesized endpoint
 * @param invoker   invoker that will service the request on the new endpoint
 * @param secConv   {@code true} for a secure-conversation endpoint, {@code false} for a plain STS endpoint
 * @throws Fault wrapping any exception raised while building or wiring the endpoint
 */
static void recalcEffectivePolicy(
    SoapMessage message,
    String namespace,
    Policy policy,
    Invoker invoker,
    boolean secConv
) {
    Exchange ex = message.getExchange();
    Bus bus = ex.getBus();
    PolicyEngine pe = bus.getExtension(PolicyEngine.class);
    if (null == pe) {
        // Without a policy engine there is no effective policy to recalculate
        return;
    }
    Destination destination = ex.getDestination();
    try {
        Endpoint endpoint = message.getExchange().getEndpoint();

        // The synthesized endpoint reuses the original endpoint's transport and address
        TokenStore store = getTokenStore(message);
        if (secConv) {
            endpoint = STSUtils.createSCEndpoint(bus,
                                                 namespace,
                                                 endpoint.getEndpointInfo().getTransportId(),
                                                 destination.getAddress().getAddress().getValue(),
                                                 message.getVersion().getBindingId(),
                                                 policy);
        } else {
            endpoint = STSUtils.createSTSEndpoint(bus,
                                                  namespace,
                                                  endpoint.getEndpointInfo().getTransportId(),
                                                  destination.getAddress().getAddress().getValue(),
                                                  message.getVersion().getBindingId(),
                                                  policy,
                                                  null);
        }
        // Same store on both the new endpoint and the exchange, so tokens issued here are
        // visible to the rest of the message processing
        endpoint.getEndpointInfo().setProperty(TokenStore.class.getName(), store);
        message.getExchange().put(TokenStore.class.getName(), store);

        // Policy interceptors of the new endpoint run on the message currently in flight
        EndpointPolicy ep = pe.getServerEndpointPolicy(endpoint.getEndpointInfo(), destination);
        List<Interceptor<? extends Message>> interceptors = ep.getInterceptors();
        for (Interceptor<? extends Message> i : interceptors) {
            message.getInterceptorChain().add(i);
        }

        Collection<Assertion> assertions = ep.getVocabulary();
        if (null != assertions) {
            message.put(AssertionInfoMap.class, new AssertionInfoMap(assertions));
        }
        endpoint.getService().setInvoker(invoker);
        ex.put(Endpoint.class, endpoint);
        ex.put(Service.class, endpoint.getService());
        ex.put(org.apache.cxf.binding.Binding.class, endpoint.getBinding());
        // Presumably so the operation is re-resolved against the new endpoint — confirm
        ex.remove(BindingOperationInfo.class);
        // Presumably tells MAPAggregator to skip its own action check for this message — confirm
        message.put(MAPAggregator.ACTION_VERIFIED, Boolean.TRUE);
    } catch (Exception exc) {
        throw new Fault(exc);
    }
}
 
Example #23
Source File: SecureConversationInInterceptor.java — from steady (Apache License 2.0)
/**
 * Handles a WS-Trust Issue request for a SecurityContextToken (SCT).
 * <p>
 * Reads {@code Entropy}, {@code KeySize} and {@code TokenType} from the request, creates a
 * new SCT in the WS-SecureConversation version matching the token type, writes the
 * RequestSecurityTokenResponse (wrapped in a RequestSecurityTokenResponseCollection for the
 * {@code WST_NS_05_12} namespace) with the token, attached/unattached references, lifetime
 * and proof token, and registers the token together with its secret in the endpoint's
 * TokenStore.
 *
 * @param requestEl      the RequestSecurityToken element sent by the client
 * @param exchange       current exchange; its Endpoint must carry a TokenStore property
 * @param binaryExchange not used by this method
 * @param writer         writer positioned where the response body goes
 * @param prefix         WS-Trust prefix for the response elements
 * @param namespace      WS-Trust namespace of the request
 * @throws Exception on a write failure; a non-numeric {@code KeySize} surfaces as a
 *                   {@link NumberFormatException}
 */
void doIssue(
    Element requestEl,
    Exchange exchange,
    Element binaryExchange,
    W3CDOMStreamWriter writer,
    String prefix,
    String namespace
) throws Exception {
    if (STSUtils.WST_NS_05_12.equals(namespace)) {
        writer.writeStartElement(prefix, "RequestSecurityTokenResponseCollection", namespace);
    }
    writer.writeStartElement(prefix, "RequestSecurityTokenResponse", namespace);

    // Client-supplied entropy (Base64 text of the first <Entropy> child); null when absent
    byte clientEntropy[] = null;
    // Default key size, used unless the client requests a value in the accepted range
    int keySize = 256;
    // Token lifetime in milliseconds (5 minutes), added to the creation time below
    long ttl = 300000L;
    String tokenType = null;
    Element el = DOMUtils.getFirstElement(requestEl);
    while (el != null) {
        String localName = el.getLocalName();
        // Only children in the request's own WS-Trust namespace are honoured
        if (namespace.equals(el.getNamespaceURI())) {
            if ("Entropy".equals(localName)) {
                Element bs = DOMUtils.getFirstElement(el);
                if (bs != null) {
                    clientEntropy = Base64.decode(bs.getTextContent());
                }
            } else if ("KeySize".equals(localName)) {
                // Untrusted text: a non-integer value throws NumberFormatException to the caller
                keySize = Integer.parseInt(el.getTextContent());
            } else if ("TokenType".equals(localName)) {
                tokenType = el.getTextContent();
            }
        }

        el = DOMUtils.getNextElement(el);
    }

    // Check received KeySize
    // Client-controlled value: anything outside 128..512 is silently replaced by the default
    // rather than rejected
    if (keySize < 128 || keySize > 512) {
        keySize = 256;
    }

    writer.writeStartElement(prefix, "RequestedSecurityToken", namespace);
    // The requested token type selects the WS-SecureConversation namespace of the SCT;
    // what a null tokenType maps to is decided in getWSCVersion
    SecurityContextToken sct =
        new SecurityContextToken(NegotiationUtils.getWSCVersion(tokenType), writer.getDocument());

    Date created = new Date();
    Date expires = new Date();
    expires.setTime(created.getTime() + ttl);

    SecurityToken token = new SecurityToken(sct.getIdentifier(), created, expires);
    token.setToken(sct.getElement());
    token.setTokenType(sct.getTokenType());

    // The SCT is built as a DOM element, so it is attached directly rather than streamed
    writer.getCurrentNode().appendChild(sct.getElement());
    writer.writeEndElement();

    // Attached reference points at the token by its wsu:Id within this message
    writer.writeStartElement(prefix, "RequestedAttachedReference", namespace);
    token.setAttachedReference(
        writeSecurityTokenReference(writer, "#" + sct.getID(), tokenType)
    );
    writer.writeEndElement();

    // Unattached reference uses the SCT identifier, usable outside this message
    writer.writeStartElement(prefix, "RequestedUnattachedReference", namespace);
    token.setUnattachedReference(
        writeSecurityTokenReference(writer, sct.getIdentifier(), tokenType)
    );
    writer.writeEndElement();

    writeLifetime(writer, created, expires, prefix, namespace);

    // The shared secret comes back from writeProofToken; how clientEntropy and keySize
    // (presumably bits) are combined into it is decided there
    byte[] secret = writeProofToken(prefix, namespace, writer, clientEntropy, keySize);

    // Store the token with its secret so later Validate/Cancel requests and message
    // security processing can resolve it by identifier
    token.setSecret(secret);
    ((TokenStore)exchange.get(Endpoint.class).getEndpointInfo()
            .getProperty(TokenStore.class.getName())).add(token);

    writer.writeEndElement();
    if (STSUtils.WST_NS_05_12.equals(namespace)) {
        writer.writeEndElement();
    }
}
 
Example #24
Source File: SpnegoContextTokenInInterceptor.java — from steady (Apache License 2.0)
/**
 * Server-side entry point for the SpnegoContextToken policy assertion.
 * <p>
 * When the effective policy requires a SpnegoContextToken: on the client side the assertion
 * is simply marked as asserted (it is enforced on the outbound path); on the server side a
 * WS-Trust {@code RST/Issue} request is re-targeted at an STS endpoint driven by
 * {@link SpnegoSTSInvoker}, and any other message gets the
 * {@link SpnegoContextTokenFinderInterceptor} added to its chain.
 *
 * @param message the inbound SOAP message
 * @throws Fault propagated from {@link NegotiationUtils#recalcEffectivePolicy}
 */
public void handleMessage(SoapMessage message) throws Fault {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    // extract Assertion information
    if (aim != null) {
        Collection<AssertionInfo> ais = aim.get(SP12Constants.SPNEGO_CONTEXT_TOKEN);
        if (ais == null || ais.isEmpty()) {
            // the policy does not involve a SpnegoContextToken: nothing to do
            return;
        }
        if (isRequestor(message)) {
            //client side should be checked on the way out
            for (AssertionInfo ai : ais) {
                ai.setAsserted(true);
            }
            return;
        }
        // The action comes from the SOAPAction header, falling back to the inbound
        // WS-Addressing Action header
        String s = (String)message.get(SoapBindingConstants.SOAP_ACTION);
        AddressingProperties inProps = (AddressingProperties)message
            .getContextualProperty(JAXWSAConstants.SERVER_ADDRESSING_PROPERTIES_INBOUND);
        if (inProps != null && s == null) {
            //MS/WCF doesn't put a soap action out for this, must check the headers
            s = inProps.getAction().getValue();
        }

        // An Issue request in either supported WS-Trust namespace is handled in-band
        if (s != null
            && s.contains("/RST/Issue")
            && (s.startsWith(STSUtils.WST_NS_05_02)
                || s.startsWith(STSUtils.WST_NS_05_12))) {

            // Minimal policy for the STS endpoint: a single alternative carrying only the
            // addressing assertion derived from the current policy
            Policy p = new Policy();
            ExactlyOne ea = new ExactlyOne();
            p.addPolicyComponent(ea);
            All all = new All();
            Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
            all.addPolicyComponent(ass);
            ea.addPolicyComponent(all);

            //setup endpoint and forward to it.
            unmapSecurityProps(message);
            // WS-Trust namespace of the endpoint follows the namespace of the action
            String ns = STSUtils.WST_NS_05_12;
            if (s.startsWith(STSUtils.WST_NS_05_02)) {
                ns = STSUtils.WST_NS_05_02;
            }
            NegotiationUtils.recalcEffectivePolicy(message, ns, p, new SpnegoSTSInvoker(), false);
        } else {
            // Not an Issue request: look for an established context token later in the chain
            message.getInterceptorChain().add(SpnegoContextTokenFinderInterceptor.INSTANCE);
        }
    }
}
 
Example #25
Source File: NegotiationUtils.java — from steady (Apache License 2.0)
/**
 * Re-targets the current exchange at a synthesized STS (or, when {@code secConv} is set,
 * secure-conversation) endpoint for the given WS-Trust namespace, so that the in-band
 * RST is handled by {@code invoker} under that endpoint's effective policy.
 * <p>
 * The new endpoint shares the message's TokenStore, its server policy interceptors are
 * appended to the current interceptor chain, its assertions replace the message's
 * {@link AssertionInfoMap}, and the exchange's Endpoint/Service/Binding are swapped.
 * Does nothing when the bus has no {@link PolicyEngine}.
 *
 * @param message   the inbound SOAP message being re-targeted
 * @param namespace WS-Trust namespace of the request (selects the endpoint's contract)
 * @param policy    policy to apply to the synthesized endpoint
 * @param invoker   invoker that will service the request on the new endpoint
 * @param secConv   {@code true} for a secure-conversation endpoint, {@code false} for a plain STS endpoint
 * @throws Fault wrapping any exception raised while building or wiring the endpoint
 */
static void recalcEffectivePolicy(
    SoapMessage message,
    String namespace,
    Policy policy,
    Invoker invoker,
    boolean secConv
) {
    Exchange ex = message.getExchange();
    Bus bus = ex.getBus();
    PolicyEngine pe = bus.getExtension(PolicyEngine.class);
    if (null == pe) {
        // Without a policy engine there is no effective policy to recalculate
        return;
    }
    Destination destination = ex.getDestination();
    try {
        Endpoint endpoint = message.getExchange().getEndpoint();

        // The synthesized endpoint reuses the original endpoint's transport and address
        TokenStore store = getTokenStore(message);
        if (secConv) {
            endpoint = STSUtils.createSCEndpoint(bus,
                                                 namespace,
                                                 endpoint.getEndpointInfo().getTransportId(),
                                                 destination.getAddress().getAddress().getValue(),
                                                 message.getVersion().getBindingId(),
                                                 policy);
        } else {
            endpoint = STSUtils.createSTSEndpoint(bus,
                                                  namespace,
                                                  endpoint.getEndpointInfo().getTransportId(),
                                                  destination.getAddress().getAddress().getValue(),
                                                  message.getVersion().getBindingId(),
                                                  policy,
                                                  null);
        }
        // Same store on both the new endpoint and the exchange, so tokens issued here are
        // visible to the rest of the message processing
        endpoint.getEndpointInfo().setProperty(TokenStore.class.getName(), store);
        message.getExchange().put(TokenStore.class.getName(), store);

        // Policy interceptors of the new endpoint run on the message currently in flight
        EndpointPolicy ep = pe.getServerEndpointPolicy(endpoint.getEndpointInfo(), destination);
        List<Interceptor<? extends Message>> interceptors = ep.getInterceptors();
        for (Interceptor<? extends Message> i : interceptors) {
            message.getInterceptorChain().add(i);
        }

        Collection<Assertion> assertions = ep.getVocabulary();
        if (null != assertions) {
            message.put(AssertionInfoMap.class, new AssertionInfoMap(assertions));
        }
        endpoint.getService().setInvoker(invoker);
        ex.put(Endpoint.class, endpoint);
        ex.put(Service.class, endpoint.getService());
        ex.put(org.apache.cxf.binding.Binding.class, endpoint.getBinding());
        // Presumably so the operation is re-resolved against the new endpoint — confirm
        ex.remove(BindingOperationInfo.class);
        // Presumably tells MAPAggregator to skip its own action check for this message — confirm
        message.put(MAPAggregator.ACTION_VERIFIED, Boolean.TRUE);
    } catch (Exception exc) {
        throw new Fault(exc);
    }
}
 
Example #26
Source File: SecureConversationInInterceptor.java — from steady (Apache License 2.0)
/**
 * Handles a WS-Trust Issue request for a SecurityContextToken (SCT).
 * <p>
 * Reads {@code Entropy}, {@code KeySize} and {@code TokenType} from the request, creates a
 * new SCT in the WS-SecureConversation version matching the token type, writes the
 * RequestSecurityTokenResponse (wrapped in a RequestSecurityTokenResponseCollection for the
 * {@code WST_NS_05_12} namespace) with the token, attached/unattached references, lifetime
 * and proof token, and registers the token together with its secret in the endpoint's
 * TokenStore.
 *
 * @param requestEl      the RequestSecurityToken element sent by the client
 * @param exchange       current exchange; its Endpoint must carry a TokenStore property
 * @param binaryExchange not used by this method
 * @param writer         writer positioned where the response body goes
 * @param prefix         WS-Trust prefix for the response elements
 * @param namespace      WS-Trust namespace of the request
 * @throws Exception on a write failure; a non-numeric {@code KeySize} surfaces as a
 *                   {@link NumberFormatException}
 */
void doIssue(
    Element requestEl,
    Exchange exchange,
    Element binaryExchange,
    W3CDOMStreamWriter writer,
    String prefix,
    String namespace
) throws Exception {
    if (STSUtils.WST_NS_05_12.equals(namespace)) {
        writer.writeStartElement(prefix, "RequestSecurityTokenResponseCollection", namespace);
    }
    writer.writeStartElement(prefix, "RequestSecurityTokenResponse", namespace);

    // Client-supplied entropy (Base64 text of the first <Entropy> child); null when absent
    byte clientEntropy[] = null;
    // Default key size, used unless the client requests a value in the accepted range
    int keySize = 256;
    // Token lifetime in milliseconds (5 minutes), added to the creation time below
    long ttl = 300000L;
    String tokenType = null;
    Element el = DOMUtils.getFirstElement(requestEl);
    while (el != null) {
        String localName = el.getLocalName();
        // Only children in the request's own WS-Trust namespace are honoured
        if (namespace.equals(el.getNamespaceURI())) {
            if ("Entropy".equals(localName)) {
                Element bs = DOMUtils.getFirstElement(el);
                if (bs != null) {
                    clientEntropy = Base64.decode(bs.getTextContent());
                }
            } else if ("KeySize".equals(localName)) {
                // Untrusted text: a non-integer value throws NumberFormatException to the caller
                keySize = Integer.parseInt(el.getTextContent());
            } else if ("TokenType".equals(localName)) {
                tokenType = el.getTextContent();
            }
        }

        el = DOMUtils.getNextElement(el);
    }

    // Check received KeySize
    // Client-controlled value: anything outside 128..512 is silently replaced by the default
    // rather than rejected
    if (keySize < 128 || keySize > 512) {
        keySize = 256;
    }

    writer.writeStartElement(prefix, "RequestedSecurityToken", namespace);
    // The requested token type selects the WS-SecureConversation namespace of the SCT;
    // what a null tokenType maps to is decided in getWSCVersion
    SecurityContextToken sct =
        new SecurityContextToken(NegotiationUtils.getWSCVersion(tokenType), writer.getDocument());

    Date created = new Date();
    Date expires = new Date();
    expires.setTime(created.getTime() + ttl);

    SecurityToken token = new SecurityToken(sct.getIdentifier(), created, expires);
    token.setToken(sct.getElement());
    token.setTokenType(sct.getTokenType());

    // The SCT is built as a DOM element, so it is attached directly rather than streamed
    writer.getCurrentNode().appendChild(sct.getElement());
    writer.writeEndElement();

    // Attached reference points at the token by its wsu:Id within this message
    writer.writeStartElement(prefix, "RequestedAttachedReference", namespace);
    token.setAttachedReference(
        writeSecurityTokenReference(writer, "#" + sct.getID(), tokenType)
    );
    writer.writeEndElement();

    // Unattached reference uses the SCT identifier, usable outside this message
    writer.writeStartElement(prefix, "RequestedUnattachedReference", namespace);
    token.setUnattachedReference(
        writeSecurityTokenReference(writer, sct.getIdentifier(), tokenType)
    );
    writer.writeEndElement();

    writeLifetime(writer, created, expires, prefix, namespace);

    // The shared secret comes back from writeProofToken; how clientEntropy and keySize
    // (presumably bits) are combined into it is decided there
    byte[] secret = writeProofToken(prefix, namespace, writer, clientEntropy, keySize);

    // Store the token with its secret so later Validate/Cancel requests and message
    // security processing can resolve it by identifier
    token.setSecret(secret);
    ((TokenStore)exchange.get(Endpoint.class).getEndpointInfo()
            .getProperty(TokenStore.class.getName())).add(token);

    writer.writeEndElement();
    if (STSUtils.WST_NS_05_12.equals(namespace)) {
        writer.writeEndElement();
    }
}
 
Example #27
Source File: STSTokenOutInterceptor.java — from cxf (Apache License 2.0)
/**
 * Builds the interceptor for the given phase and wires up the STS client it will use.
 *
 * <p>The client is obtained from {@link STSUtils#createSTSClient} using the supplied
 * authentication parameters, WSDL location and bus. The token request parameters are
 * a fresh {@code TokenRequestParams}; nothing in this constructor customises them.
 *
 * @param phase           interceptor phase, passed straight through to the superclass
 * @param authParams      authentication settings handed to the STS client factory
 * @param stsWsdlLocation location of the STS WSDL handed to the STS client factory
 * @param bus             CXF bus the STS client is created on
 */
public STSTokenOutInterceptor(String phase, STSAuthParams authParams, String stsWsdlLocation, Bus bus) {
    super(phase);
    // Default request parameters first; the two assignments are independent of each other.
    this.tokenParams = new TokenRequestParams();
    this.stsClient = STSUtils.createSTSClient(authParams, stsWsdlLocation, bus);
}
 
Example #28
Source File: NegotiationUtils.java    From cxf with Apache License 2.0
/**
 * Re-resolves the effective policy of an inbound message against a freshly created
 * SecureConversation or STS endpoint and installs that endpoint on the exchange.
 *
 * <p>Does nothing when the bus carries no {@link PolicyEngine}. Otherwise the endpoint
 * built by {@link STSUtils#createSCEndpoint} ({@code secConv == true}) or
 * {@link STSUtils#createSTSEndpoint} takes over the exchange: the existing token store is
 * shared with it, its server endpoint policy interceptors are appended to the chain, its
 * vocabulary becomes the message's {@link AssertionInfoMap}, the given invoker is set on
 * its service, and the exchange's binding operation is cleared. The message is finally
 * marked {@code MAPAggregator.ACTION_VERIFIED}. Any exception raised along the way is
 * rethrown as a {@link Fault}.
 *
 * @param message   inbound message whose exchange is re-targeted
 * @param namespace WS-Trust namespace used to build the replacement endpoint
 * @param policy    policy attached to the replacement endpoint
 * @param invoker   invoker installed on the replacement endpoint's service
 * @param secConv   {@code true} for a SecureConversation endpoint, {@code false} for an STS endpoint
 * @throws Fault wrapping any exception thrown during endpoint creation or policy resolution
 */
static void recalcEffectivePolicy(
    SoapMessage message,
    String namespace,
    Policy policy,
    Invoker invoker,
    boolean secConv
) {
    Exchange exchange = message.getExchange();
    Bus bus = exchange.getBus();
    PolicyEngine policyEngine = bus.getExtension(PolicyEngine.class);
    if (policyEngine == null) {
        // No policy engine means there is no effective policy to recompute.
        return;
    }
    Destination destination = exchange.getDestination();
    try {
        Endpoint current = exchange.getEndpoint();
        TokenStore store = TokenStoreUtils.getTokenStore(message);

        // Gather the constructor inputs in the same order the original call evaluated them.
        String transportId = current.getEndpointInfo().getTransportId();
        String address = destination.getAddress().getAddress().getValue();
        String bindingId = message.getVersion().getBindingId();
        Endpoint replacement = secConv
            ? STSUtils.createSCEndpoint(bus, namespace, transportId, address, bindingId, policy)
            : STSUtils.createSTSEndpoint(bus, namespace, transportId, address, bindingId, policy, null);

        // The replacement endpoint must see the same token store as the one it replaces.
        replacement.getEndpointInfo().setProperty(TokenStore.class.getName(), store);
        exchange.put(TokenStore.class.getName(), store);

        EndpointPolicy endpointPolicy =
            policyEngine.getServerEndpointPolicy(replacement.getEndpointInfo(), destination, message);
        message.getInterceptorChain().add(endpointPolicy.getInterceptors(message));

        Collection<Assertion> vocabulary = endpointPolicy.getVocabulary(message);
        if (vocabulary != null) {
            message.put(AssertionInfoMap.class, new AssertionInfoMap(vocabulary));
        }

        replacement.getService().setInvoker(invoker);
        exchange.put(Endpoint.class, replacement);
        exchange.put(Service.class, replacement.getService());
        exchange.put(org.apache.cxf.binding.Binding.class, replacement.getBinding());
        exchange.remove(BindingOperationInfo.class);
        message.put(MAPAggregator.ACTION_VERIFIED, Boolean.TRUE);
    } catch (Exception e) {
        throw new Fault(e);
    }
}
 
Example #29
Source File: SpnegoContextTokenInInterceptor.java    From cxf with Apache License 2.0
/**
 * Handles the inbound side of the {@code SpnegoContextToken} policy assertion.
 *
 * <p>Without an {@link AssertionInfoMap}, or without any {@code SpnegoContextToken}
 * assertions in it, the message passes through untouched. On the requestor side the
 * assertions are only marked as asserted here (they are checked on the outbound path).
 * On the server side the action is resolved from the explicit SOAP action, then
 * {@link SoapActionInInterceptor#getSoapAction}, then the inbound WS-Addressing headers
 * (MS/WCF sends no SOAPAction for this exchange). An action that starts with the
 * WS-Trust 2005/02 or 2005/12 namespace and contains {@code /RST/Issue} is routed to a
 * {@link SpnegoSTSInvoker} by re-targeting the exchange through
 * {@link NegotiationUtils#recalcEffectivePolicy}; any other message gets
 * {@link SpnegoContextTokenFinderInterceptor#INSTANCE} appended to its chain instead.
 *
 * <p>The action string is supplied by the client; only its shape (namespace prefix and
 * {@code /RST/Issue} substring) drives the routing decision taken here.
 *
 * @param message the inbound SOAP message
 * @throws Fault propagated from the exchange re-targeting
 */
public void handleMessage(SoapMessage message) throws Fault {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    if (aim == null) {
        return;
    }
    Collection<AssertionInfo> spnegoAssertions =
        PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
    if (spnegoAssertions.isEmpty()) {
        return;
    }
    if (isRequestor(message)) {
        // Client side: nothing to verify inbound, the check happens on the way out.
        for (AssertionInfo info : spnegoAssertions) {
            info.setAsserted(true);
        }
        return;
    }

    // Resolve the action: explicit SOAP action, SOAPAction header, then WS-A headers.
    String action = (String)message.get(SoapBindingConstants.SOAP_ACTION);
    if (action == null) {
        action = SoapActionInInterceptor.getSoapAction(message);
    }
    AddressingProperties inboundProps = (AddressingProperties)message
        .getContextualProperty(JAXWSAConstants.ADDRESSING_PROPERTIES_INBOUND);
    if (action == null && inboundProps != null) {
        // MS/WCF doesn't put a soap action out for this, must check the headers
        action = inboundProps.getAction().getValue();
    }

    boolean wsTrustIssue = action != null
        && action.contains("/RST/Issue")
        && (action.startsWith(STSUtils.WST_NS_05_02) || action.startsWith(STSUtils.WST_NS_05_12));
    if (!wsTrustIssue) {
        message.getInterceptorChain().add(SpnegoContextTokenFinderInterceptor.INSTANCE);
        return;
    }

    // Wrap the addressing policy as Policy -> ExactlyOne -> All -> assertion.
    All alternative = new All();
    alternative.addPolicyComponent(NegotiationUtils.getAddressingPolicy(aim, false));
    ExactlyOne alternatives = new ExactlyOne();
    alternatives.addPolicyComponent(alternative);
    Policy policy = new Policy();
    policy.addPolicyComponent(alternatives);

    // Set up the STS endpoint under the namespace the action used and forward to it.
    unmapSecurityProps(message);
    String ns = action.startsWith(STSUtils.WST_NS_05_02) ? STSUtils.WST_NS_05_02 : STSUtils.WST_NS_05_12;
    NegotiationUtils.recalcEffectivePolicy(message, ns, policy, new SpnegoSTSInvoker(), false);
}
 
Example #30
Source File: SpnegoContextTokenInInterceptor.java    From steady with Apache License 2.0
/**
 * Handles the inbound side of the {@code SpnegoContextToken} policy assertion.
 *
 * <p>Without an {@link AssertionInfoMap}, or when it holds no
 * {@code SP12Constants.SPNEGO_CONTEXT_TOKEN} assertions, the message passes through
 * untouched. On the requestor side the assertions are only marked as asserted here
 * (they are checked on the outbound path). On the server side the action is taken from
 * the explicit SOAP action, falling back to the inbound server-side WS-Addressing
 * headers (MS/WCF sends no SOAPAction for this exchange). An action that starts with
 * the WS-Trust 2005/02 or 2005/12 namespace and contains {@code /RST/Issue} is routed
 * to a {@link SpnegoSTSInvoker} by re-targeting the exchange through
 * {@link NegotiationUtils#recalcEffectivePolicy}; any other message gets
 * {@link SpnegoContextTokenFinderInterceptor#INSTANCE} appended to its chain instead.
 *
 * <p>The action string is supplied by the client; only its shape (namespace prefix and
 * {@code /RST/Issue} substring) drives the routing decision taken here.
 *
 * @param message the inbound SOAP message
 * @throws Fault propagated from the exchange re-targeting
 */
public void handleMessage(SoapMessage message) throws Fault {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    if (aim == null) {
        return;
    }
    Collection<AssertionInfo> spnegoAssertions = aim.get(SP12Constants.SPNEGO_CONTEXT_TOKEN);
    if (spnegoAssertions == null || spnegoAssertions.isEmpty()) {
        return;
    }
    if (isRequestor(message)) {
        // Client side: nothing to verify inbound, the check happens on the way out.
        for (AssertionInfo info : spnegoAssertions) {
            info.setAsserted(true);
        }
        return;
    }

    // Resolve the action: explicit SOAP action first, then the inbound WS-A headers.
    String action = (String)message.get(SoapBindingConstants.SOAP_ACTION);
    AddressingProperties inboundProps = (AddressingProperties)message
        .getContextualProperty(JAXWSAConstants.SERVER_ADDRESSING_PROPERTIES_INBOUND);
    if (action == null && inboundProps != null) {
        // MS/WCF doesn't put a soap action out for this, must check the headers
        action = inboundProps.getAction().getValue();
    }

    boolean wsTrustIssue = action != null
        && action.contains("/RST/Issue")
        && (action.startsWith(STSUtils.WST_NS_05_02) || action.startsWith(STSUtils.WST_NS_05_12));
    if (wsTrustIssue) {
        // Wrap the addressing policy as Policy -> ExactlyOne -> All -> assertion.
        All alternative = new All();
        alternative.addPolicyComponent(NegotiationUtils.getAddressingPolicy(aim, false));
        ExactlyOne alternatives = new ExactlyOne();
        alternatives.addPolicyComponent(alternative);
        Policy policy = new Policy();
        policy.addPolicyComponent(alternatives);

        // Set up the STS endpoint under the namespace the action used and forward to it.
        unmapSecurityProps(message);
        String ns = action.startsWith(STSUtils.WST_NS_05_02)
            ? STSUtils.WST_NS_05_02
            : STSUtils.WST_NS_05_12;
        NegotiationUtils.recalcEffectivePolicy(message, ns, policy, new SpnegoSTSInvoker(), false);
    } else {
        message.getInterceptorChain().add(SpnegoContextTokenFinderInterceptor.INSTANCE);
    }
}