/**
 * Try to verify trust on the assertion via the superclass implementation.
 * On success the {@code trustVerificationSucceeded} flag is set and the Credential is
 * returned; on a WSSecurityException the flag is cleared, the failure is logged at
 * WARNING and {@code null} is returned instead of propagating the exception.
 *
 * @param assertion The signed Assertion
 * @param data The RequestData context
 * @return A Credential instance, or {@code null} when local trust verification failed
 * @throws WSSecurityException declared for compatibility with the overridden method;
 *         the exception is caught and converted into a {@code null} result here
 */
@Override
protected Credential verifySignedAssertion(
    SamlAssertionWrapper assertion, RequestData data
) throws WSSecurityException {
    Credential verified = null;
    boolean succeeded = false;
    try {
        verified = super.verifySignedAssertion(assertion, data);
        succeeded = true;
    } catch (WSSecurityException ex) {
        LOG.log(Level.WARNING,
                "Local trust verification of SAML assertion failed: " + ex.getMessage(), ex);
    }
    trustVerificationSucceeded = succeeded;
    return verified;
}
/**
 * Try to verify trust on the assertion via the superclass implementation.
 * On success the {@code trustVerificationSucceeded} flag is set and the Credential is
 * returned; on a WSSecurityException the flag is cleared, the failure is logged at
 * WARNING and {@code null} is returned instead of propagating the exception.
 *
 * @param assertion The signed Assertion
 * @param data The RequestData context
 * @return A Credential instance, or {@code null} when local trust verification failed
 * @throws WSSecurityException declared for compatibility with the overridden method;
 *         the exception is caught and converted into a {@code null} result here
 */
@Override
protected Credential verifySignedAssertion(
    SamlAssertionWrapper assertion, RequestData data
) throws WSSecurityException {
    Credential verified = null;
    boolean succeeded = false;
    try {
        verified = super.verifySignedAssertion(assertion, data);
        succeeded = true;
    } catch (WSSecurityException ex) {
        LOG.log(Level.WARNING,
                "Local trust verification of SAML assertion failed: " + ex.getMessage(), ex);
    }
    trustVerificationSucceeded = succeeded;
    return verified;
}
/**
 * This static method generates a 128 bit salt value as defined in WSS
 * Username Token Profile. The first byte of the random nonce is overwritten
 * with a usage marker: 0x01 when the salt is for a MAC, 0x02 otherwise.
 *
 * @param useForMac If <code>true</code> define the Salt for use in a MAC
 * @return Returns the 128 bit salt value as byte array, or <code>null</code>
 *         if nonce generation failed (the failure is logged at debug level)
 */
public static byte[] generateSalt(boolean useForMac) {
    final byte[] salt;
    try {
        salt = generateNonce(16);
    } catch (WSSecurityException ex) {
        LOG.debug(ex.getMessage(), ex);
        return null;
    }
    salt[0] = useForMac ? (byte) 0x01 : (byte) 0x02;
    return salt;
}
/**
 * Creates and adds a wsse:Nonce element to this UsernameToken, holding a
 * base64 encoded 16 byte random value. Does nothing if a Nonce element already
 * exists, or if nonce generation fails (logged at debug level).
 *
 * @param doc the owner Document used to create the new element
 */
public void addNonce(Document doc) {
    if (elementNonce != null) {
        return;
    }
    final byte[] randomBytes;
    try {
        randomBytes = WSSecurityUtil.generateNonce(16);
    } catch (WSSecurityException ex) {
        LOG.debug(ex.getMessage(), ex);
        return;
    }
    String encoded = org.apache.xml.security.utils.XMLUtils.encodeToString(randomBytes);
    elementNonce = doc.createElementNS(WSConstants.WSSE_NS, "wsse:" + WSConstants.NONCE_LN);
    elementNonce.appendChild(doc.createTextNode(encoded));
    elementNonce.setAttributeNS(null, "EncodingType", BASE64_ENCODING);
    element.appendChild(elementNonce);
}
/**
 * Lazily loads the signature Crypto from the configured properties file and caches it.
 *
 * @return the signature Crypto; {@code null} when no Crypto is cached and either no
 *         properties file is configured, the properties cannot be loaded, or the
 *         Crypto cannot be instantiated (both failures are logged at FINE)
 */
protected Crypto getSignatureCrypto() {
    if (signatureCrypto != null || signaturePropertiesFile == null) {
        return signatureCrypto;
    }
    Properties props = SecurityUtils.loadProperties(signaturePropertiesFile);
    if (props == null) {
        LOG.fine("Cannot load signature properties using: " + signaturePropertiesFile);
        return null;
    }
    try {
        signatureCrypto = CryptoFactory.getInstance(props);
    } catch (WSSecurityException ex) {
        LOG.fine("Error in loading the signature Crypto object: " + ex.getMessage());
        return null;
    }
    return signatureCrypto;
}
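/**
 * Get the signature Crypto object, lazily instantiating it from the configured
 * signature crypto properties on first use.
 *
 * @return the signature Crypto object, or {@code null} if neither a Crypto instance
 *         nor crypto properties are configured
 * @throws STSException if the properties cannot be loaded or the Crypto cannot be
 *         instantiated; the underlying WSSecurityException is kept as the cause
 */
public Crypto getSignatureCrypto() {
    if (signatureCrypto == null && signatureCryptoProperties != null) {
        Properties sigProperties = SecurityUtils.loadProperties(signatureCryptoProperties);
        if (sigProperties == null) {
            LOG.fine("Cannot load signature properties using: " + signatureCryptoProperties);
            throw new STSException("Configuration error: cannot load signature properties");
        }
        try {
            signatureCrypto = CryptoFactory.getInstance(sigProperties);
        } catch (WSSecurityException ex) {
            LOG.fine("Error in loading the signature Crypto object: " + ex.getMessage());
            // Preserve the original exception as the cause instead of flattening it to a message
            throw new STSException(ex.getMessage(), ex);
        }
    }
    return signatureCrypto;
}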
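/**
 * Get the signature Crypto object, lazily instantiating it from the configured
 * signature crypto properties on first use.
 *
 * @return the signature Crypto object, or {@code null} if neither a Crypto instance
 *         nor crypto properties are configured
 * @throws STSException if the properties cannot be loaded or the Crypto cannot be
 *         instantiated; the underlying WSSecurityException is kept as the cause
 */
public Crypto getSignatureCrypto() {
    if (signatureCrypto == null && signatureCryptoProperties != null) {
        Properties sigProperties = SecurityUtils.loadProperties(signatureCryptoProperties);
        if (sigProperties == null) {
            LOG.fine("Cannot load signature properties using: " + signatureCryptoProperties);
            throw new STSException("Configuration error: cannot load signature properties");
        }
        try {
            signatureCrypto = CryptoFactory.getInstance(sigProperties);
        } catch (WSSecurityException ex) {
            LOG.fine("Error in loading the signature Crypto object: " + ex.getMessage());
            // Preserve the original exception as the cause instead of flattening it to a message
            throw new STSException(ex.getMessage(), ex);
        }
    }
    return signatureCrypto;
}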
/**
 * Returns the default X.509 identifier of the signature or encryption Crypto
 * held by the given security properties.
 *
 * @param properties the WSS security properties to read the Crypto from
 * @param signature {@code true} to use the signature Crypto, {@code false} for the encryption Crypto
 * @return the default X.509 identifier, or {@code null} if the selected Crypto is absent
 *         or a WSSecurityException occurs (logged at debug level)
 */
public static String getDefaultX509Identifier(
    WSSSecurityProperties properties, boolean signature
) {
    try {
        Crypto selected = signature
            ? properties.getSignatureCrypto() : properties.getEncryptionCrypto();
        return selected == null ? null : selected.getDefaultX509Identifier();
    } catch (WSSecurityException e) {
        LOG.debug(e.getMessage(), e);
        return null;
    }
}
/**
 * Validate the received SAML Response as per the protocol. Whether KeyInfo must
 * be present is taken from the trusted IdP's REQUIRE_KEYINFO property (default true).
 * A WSSecurityException is logged at debug level and surfaced as a bad request.
 */
private void validateSamlResponseProtocol(
    org.opensaml.saml.saml2.core.Response samlResponse, Crypto crypto, TrustedIdp trustedIdp
) {
    try {
        SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
        boolean requireKeyInfo = isBooleanPropertyConfigured(trustedIdp, REQUIRE_KEYINFO, true);
        validator.setKeyInfoMustBeAvailable(requireKeyInfo);
        validator.validateSamlResponse(samlResponse, crypto, null);
    } catch (WSSecurityException ex) {
        LOG.debug(ex.getMessage(), ex);
        throw ExceptionUtils.toBadRequestException(null, null);
    }
}
/**
 * Create a SoapFault from a WSSecurityException, following the SOAP Message Security
 * 1.1 specification, chapter 12 "Error Handling".
 *
 * When the Soap version is 1.1 then set the Fault/Code/Value from the fault code
 * specified in the WSSecurityException (if it exists).
 *
 * Otherwise set the Fault/Code/Value to env:Sender and the Fault/Code/Subcode/Value
 * as the fault code from the WSSecurityException.
 *
 * @param version the SOAP version of the message being processed
 * @param e the security exception to convert
 * @return the SoapFault carrying the exception message and cause
 */
private SoapFault createSoapFault(SoapVersion version, WSSecurityException e) {
    javax.xml.namespace.QName faultCode = e.getFaultCode();
    if (faultCode != null && version.getVersion() == 1.1) {
        return new SoapFault(e.getMessage(), e, faultCode);
    }
    SoapFault fault = new SoapFault(e.getMessage(), e, version.getSender());
    if (faultCode != null && version.getVersion() != 1.1) {
        fault.setSubCode(faultCode);
    }
    return fault;
}
/**
 * Create a SoapFault from a WSSecurityException, following the SOAP Message Security
 * 1.1 specification, chapter 12 "Error Handling".
 *
 * When the Soap version is 1.1 then set the Fault/Code/Value from the fault code
 * specified in the WSSecurityException (if it exists).
 *
 * Otherwise set the Fault/Code/Value to env:Sender and the Fault/Code/Subcode/Value
 * as the fault code from the WSSecurityException.
 *
 * @param version the SOAP version of the message being processed
 * @param e the security exception to convert
 * @return the SoapFault carrying the exception message and cause
 */
private SoapFault createSoapFault(SoapVersion version, WSSecurityException e) {
    javax.xml.namespace.QName faultCode = e.getFaultCode();
    if (faultCode != null && version.getVersion() == 1.1) {
        return new SoapFault(e.getMessage(), e, faultCode);
    }
    SoapFault fault = new SoapFault(e.getMessage(), e, version.getSender());
    if (faultCode != null && version.getVersion() != 1.1) {
        fault.setSubCode(faultCode);
    }
    return fault;
}
}
/**
 * Validate the received SAML Response as per the protocol, using the configured
 * signature Crypto and callback handler. On a WSSecurityException the error is
 * logged at FINE, reported as "INVALID_SAML_RESPONSE" and rethrown as a bad request.
 */
protected void validateSamlResponseProtocol(
    org.opensaml.saml.saml2.core.Response samlResponse
) {
    try {
        SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
        validator.setKeyInfoMustBeAvailable(keyInfoMustBeAvailable);
        Crypto sigCrypto = getSignatureCrypto();
        validator.validateSamlResponse(samlResponse, sigCrypto, getCallbackHandler());
    } catch (WSSecurityException ex) {
        LOG.log(Level.FINE, ex.getMessage(), ex);
        reportError("INVALID_SAML_RESPONSE");
        throw ExceptionUtils.toBadRequestException(null, null);
    }
}
/**
 * Get an AttributeStatementBean using the given parameters.
 * Attributes are only produced when an ActAs token is present: its additional
 * parameters are converted into an AttributeBean, which is added when non-empty.
 *
 * @param providerParameters the token provider parameters carrying the token requirements
 * @return the AttributeStatementBean (attributes left unset when there is no ActAs token)
 * @throws STSException if handling the ActAs token fails with a WSSecurityException
 */
public AttributeStatementBean getStatement(TokenProviderParameters providerParameters) {
    AttributeStatementBean statement = new AttributeStatementBean();
    TokenRequirements requirements = providerParameters.getTokenRequirements();
    ReceivedToken actAs = requirements.getActAs();
    if (actAs == null) {
        return statement;
    }
    try {
        AttributeBean parameters =
            handleAdditionalParameters(actAs.getToken(), requirements.getTokenType());
        List<AttributeBean> attributes = new ArrayList<>();
        if (!parameters.getAttributeValues().isEmpty()) {
            attributes.add(parameters);
        }
        statement.setSamlAttributes(attributes);
    } catch (WSSecurityException ex) {
        throw new STSException(ex.getMessage(), ex);
    }
    return statement;
}
/**
 * Creates an XKMS-backed Crypto wrapping the default Crypto loaded from the
 * given keystore properties.
 *
 * @param keystorePropsPath location of the keystore properties to load
 * @return a new XkmsCryptoProvider delegating to the loaded default Crypto
 * @throws CryptoProviderException if the properties cannot be loaded or the
 *         default Crypto cannot be instantiated
 */
@Override
public Crypto create(String keystorePropsPath) {
    Properties props = SecurityUtils.loadProperties(keystorePropsPath);
    if (props == null) {
        throw new CryptoProviderException("Cannot load security properties: " + keystorePropsPath);
    }
    final Crypto loadedCrypto;
    try {
        loadedCrypto = CryptoFactory.getInstance(props);
    } catch (WSSecurityException e) {
        throw new CryptoProviderException("Cannot instantiate crypto factory: " + e.getMessage(), e);
    }
    return new XkmsCryptoProvider(xkmsConsumer, loadedCrypto);
}
}
/**
 * Creates an XKMS-backed Crypto wrapping the default Crypto loaded from the
 * given keystore properties.
 *
 * @param keystorePropsPath location of the keystore properties to load
 * @return a new XkmsCryptoProvider delegating to the loaded default Crypto
 * @throws CryptoProviderException if the properties cannot be loaded or the
 *         default Crypto cannot be instantiated
 */
@Override
public Crypto create(String keystorePropsPath) {
    Properties props = SecurityUtils.loadProperties(keystorePropsPath);
    if (props == null) {
        throw new CryptoProviderException("Cannot load security properties: " + keystorePropsPath);
    }
    final Crypto loadedCrypto;
    try {
        loadedCrypto = CryptoFactory.getInstance(props);
    } catch (WSSecurityException e) {
        throw new CryptoProviderException("Cannot instantiate crypto factory: " + e.getMessage(), e);
    }
    return new XkmsCryptoProvider(xkmsConsumer, loadedCrypto);
}
}
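/**
 * Creates an XKMS-backed Crypto for the given message. If a Crypto instance is
 * already configured under SIGNATURE_CRYPTO it is wrapped and returned directly;
 * otherwise a default Crypto is instantiated from the keystore properties referenced
 * by SIGNATURE_PROPERTIES and wrapped instead.
 *
 * @param message the current message used to look up the security properties
 * @return an XkmsCryptoProvider delegating to the configured or loaded Crypto
 * @throws CryptoProviderException if the default Crypto cannot be instantiated
 */
@Override
public Crypto create(Message message) {
    Object crypto = SecurityUtils
        .getSecurityPropertyValue(org.apache.cxf.rt.security.SecurityConstants.SIGNATURE_CRYPTO, message);
    if (crypto instanceof Crypto) {
        // A Crypto configured on the message takes precedence: return the wrapper here
        // rather than discarding it and falling through to the keystore properties.
        return new XkmsCryptoProvider(xkmsConsumer, (Crypto)crypto);
    }
    Properties keystoreProps = CryptoProviderUtils
        .loadKeystoreProperties(message, org.apache.cxf.rt.security.SecurityConstants.SIGNATURE_PROPERTIES);
    try {
        Crypto defaultCrypto = CryptoFactory.getInstance(keystoreProps);
        return new XkmsCryptoProvider(xkmsConsumer, defaultCrypto);
    } catch (WSSecurityException e) {
        throw new CryptoProviderException("Cannot instantiate crypto factory: " + e.getMessage(), e);
    }
}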
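/**
 * Creates an XKMS-backed Crypto for the given message. If a Crypto instance is
 * already configured under SIGNATURE_CRYPTO it is wrapped and returned directly;
 * otherwise a default Crypto is instantiated from the keystore properties referenced
 * by SIGNATURE_PROPERTIES and wrapped instead.
 *
 * @param message the current message used to look up the security properties
 * @return an XkmsCryptoProvider delegating to the configured or loaded Crypto
 * @throws CryptoProviderException if the default Crypto cannot be instantiated
 */
@Override
public Crypto create(Message message) {
    Object crypto = SecurityUtils
        .getSecurityPropertyValue(org.apache.cxf.rt.security.SecurityConstants.SIGNATURE_CRYPTO, message);
    if (crypto instanceof Crypto) {
        // A Crypto configured on the message takes precedence: return the wrapper here
        // rather than discarding it and falling through to the keystore properties.
        return new XkmsCryptoProvider(xkmsConsumer, (Crypto)crypto);
    }
    Properties keystoreProps = CryptoProviderUtils
        .loadKeystoreProperties(message, org.apache.cxf.rt.security.SecurityConstants.SIGNATURE_PROPERTIES);
    try {
        Crypto defaultCrypto = CryptoFactory.getInstance(keystoreProps);
        return new XkmsCryptoProvider(xkmsConsumer, defaultCrypto);
    } catch (WSSecurityException e) {
        throw new CryptoProviderException("Cannot instantiate crypto factory: " + e.getMessage(), e);
    }
}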
/**
 * Appends the SAML assertion for the asserted SamlToken to the message's security
 * header. When no assertion is produced, every SAML_TOKEN assertion in the policy
 * is marked as not asserted; a WSSecurityException marks the token policy as not
 * asserted with the exception message.
 *
 * @param message the outbound SOAP message
 */
protected void addToken(SoapMessage message) {
    WSSConfig.init();
    SamlToken samlToken = (SamlToken)assertTokens(message);
    Header securityHeader = findSecurityHeader(message, true);
    try {
        SamlAssertionWrapper assertion = addSamlToken(samlToken, message);
        if (assertion == null) {
            AssertionInfoMap infoMap = message.get(AssertionInfoMap.class);
            Collection<AssertionInfo> samlInfos =
                PolicyUtils.getAllAssertionsByLocalname(infoMap, SPConstants.SAML_TOKEN);
            for (AssertionInfo info : samlInfos) {
                if (info.isAsserted()) {
                    info.setAsserted(false);
                }
            }
            return;
        }
        Element headerElement = (Element)DOMUtils.getDomElement((Element)securityHeader.getObject());
        headerElement.appendChild(assertion.toDOM(headerElement.getOwnerDocument()));
    } catch (WSSecurityException ex) {
        policyNotAsserted(samlToken, ex.getMessage(), message);
    }
}
/**
 * Appends the SAML assertion for the asserted SamlToken to the message's security
 * header. When no assertion is produced, every SAML_TOKEN assertion in the policy
 * is marked as not asserted; a WSSecurityException marks the token policy as not
 * asserted with the exception message.
 *
 * @param message the outbound SOAP message
 */
protected void addToken(SoapMessage message) {
    WSSConfig.init();
    SamlToken samlToken = (SamlToken)assertTokens(message);
    Header securityHeader = findSecurityHeader(message, true);
    try {
        SamlAssertionWrapper assertion = addSamlToken(samlToken, message);
        if (assertion == null) {
            AssertionInfoMap infoMap = message.get(AssertionInfoMap.class);
            Collection<AssertionInfo> samlInfos =
                PolicyUtils.getAllAssertionsByLocalname(infoMap, SPConstants.SAML_TOKEN);
            for (AssertionInfo info : samlInfos) {
                if (info.isAsserted()) {
                    info.setAsserted(false);
                }
            }
            return;
        }
        Element headerElement = (Element)DOMUtils.getDomElement((Element)securityHeader.getObject());
        headerElement.appendChild(assertion.toDOM(headerElement.getOwnerDocument()));
    } catch (WSSecurityException ex) {
        policyNotAsserted(samlToken, ex.getMessage(), message);
    }
}
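/**
 * Builds a SAML assertion via {@link SamlCallbackHandler}, converts it to DOM and
 * stores the token element on the message under SAMLConstants.SAML_TOKEN_ELEMENT.
 *
 * @param message the current message to which the SAML token element is attached
 * @throws Fault if the assertion cannot be built; the fault message carries the
 *         original error text and stack trace, and the WSSecurityException is kept
 *         as the cause
 */
@Override
public void handleMessage(Message message) throws Fault {
    // Create a SAML Token
    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(new SamlCallbackHandler(), samlCallback);
    try {
        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
        Document doc = DOMUtils.createDocument();
        Element token = assertion.toDOM(doc);
        message.put(SAMLConstants.SAML_TOKEN_ELEMENT, token);
    } catch (WSSecurityException ex) {
        StringWriter sw = new StringWriter();
        ex.printStackTrace(new PrintWriter(sw));
        // Pass ex as the cause so the exception chain survives alongside the flattened trace text
        throw new Fault(new RuntimeException(ex.getMessage() + ", stacktrace: " + sw.toString(), ex));
    }
}
}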