public Validator getValidator() { if (validator != null) { return validator; } return new UsernameTokenValidator(); }
/** * Verify a UsernameToken containing a plaintext password. It does this by querying a * CallbackHandler instance to obtain a password for the given username, and then comparing * it against the received password. * This method currently uses the same LOG.c as the verifyDigestPassword case, but it in * a separate protected method to allow users to override the validation of the plaintext * password specific case. * @param usernameToken The UsernameToken instance to verify * @throws WSSecurityException on a failed authentication. */ protected void verifyPlaintextPassword(UsernameToken usernameToken, RequestData data) throws WSSecurityException { verifyDigestPassword(usernameToken, data); }
/** * Verify a UsernameToken containing a password of some unknown (but specified) password * type. It does this by querying a CallbackHandler instance to obtain a password for the * given username, and then comparing it against the received password. * This method currently uses the same LOG.c as the verifyPlaintextPassword case, but it in * a separate protected method to allow users to override the validation of the custom * password type specific case. * @param usernameToken The UsernameToken instance to verify * @throws WSSecurityException on a failed authentication. */ protected void verifyCustomPassword(UsernameToken usernameToken, RequestData data) throws WSSecurityException { verifyPlaintextPassword(usernameToken, data); }
public void validateTrust(Crypto crypto, X509Certificate cert, PublicKey publicKey, Collection<Pattern> subjectCertConstraints) throws WSSecurityException { SignatureTrustValidator validator = new SignatureTrustValidator(); RequestData data = new RequestData(); data.setSigVerCrypto(crypto); data.setSubjectCertConstraints(subjectCertConstraints); Credential trustCredential = new Credential(); trustCredential.setPublicKey(publicKey); if (cert != null) { trustCredential.setCertificates(new X509Certificate[]{cert}); } validator.validate(trustCredential, data); } }
public Credential handleSAMLToken( SamlAssertionWrapper samlAssertion, RequestData data, Validator validator ) throws WSSecurityException { // Parse the subject if it exists samlAssertion.parseSubject( new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto(), data.getCallbackHandler() ); // Now delegate the rest of the verification to the Validator Credential credential = new Credential(); credential.setSamlAssertion(samlAssertion); if (validator != null) { return validator.validate(credential, data); } return credential; }
public Login(){ System.out.println("Login called"); credential = new Credential(); }
public static Urlshortener newUrlshortener() { Credential credential = new Credential(); credential.setAccessToken("{accessToken}"); return new Urlshortener.Builder(new UrlFetchTransport(), new JacksonFactory(), credential) .build(); }
/** * Validate the credential argument. It must contain a non-null SamlAssertionWrapper. * A Crypto and a CallbackHandler implementation is also required to be set. * * @param credential the Credential to be validated * @param data the RequestData associated with the request * @throws WSSecurityException on a failed validation */ public Credential validate(Credential credential, RequestData data) throws WSSecurityException { if (credential == null || credential.getSamlAssertion() == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential"); } SamlAssertionWrapper samlAssertion = credential.getSamlAssertion(); // Check the Subject Confirmation requirements verifySubjectConfirmationMethod(samlAssertion); // Check conditions checkConditions(samlAssertion, data.getAudienceRestrictions()); // Check the AuthnStatements of the assertion (if any) checkAuthnStatements(samlAssertion); // Check OneTimeUse Condition checkOneTimeUse(samlAssertion, data); // Validate the assertion against schemas/profiles validateAssertion(samlAssertion); // Verify trust on the signature if (samlAssertion.isSigned()) { verifySignedAssertion(samlAssertion, data); } return credential; }
@Override public Credential validate(Credential credential, RequestData data) throws WSSecurityException { super.validate(credential, data); log.debug("Entering OJB saml assertion validator"); SamlAssertionWrapper assertion = credential.getSamlAssertion(); if (assertion == null) { log.error("Error: Unable to find assertion."); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } //Confirm that the assertion is signed, the framework confirms the validity of the signature if (!assertion.isSigned()) { log.error("Error: Assertion is not signed."); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } return credential; }
protected boolean isValidatedLocally(Credential credential, RequestData data) throws WSSecurityException { if (!alwaysValidateToSts && credential.getSamlAssertion() != null) { try { samlValidator.validate(credential, data); return samlValidator.isTrustVerificationSucceeded(); } catch (RuntimeException e) { throw e; } catch (Exception e) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "invalidSAMLsecurity"); } } return false; }
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential"); X509Certificate[] certs = credential.getCertificates(); PublicKey publicKey = credential.getPublicKey(); Crypto crypto = getCrypto(data); if (crypto == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noSigCryptoFile"); validateCertificates(certs); verifyTrustInCerts(certs, crypto, data, data.isRevocationEnabled()); return credential; validatePublicKey(publicKey, crypto); return credential;
public Credential validate(Credential credential, RequestData data) throws WSSecurityException { Credential cred = super.validate(credential, data); UsernameToken ut = credential.getUsernametoken(); WSUsernameTokenPrincipalImpl principal = new WSUsernameTokenPrincipalImpl(ut.getName(), ut.isHashed()); principal.setCreatedTime(ut.getCreated()); principal.setNonce(principal.getNonce()); principal.setPassword(ut.getPassword()); principal.setPasswordType(ut.getPasswordType()); Subject subject = new Subject(); subject.getPrincipals().add(principal); if ("Alice".equals(ut.getName())) { subject.getPrincipals().add(new SimpleGroup("manager", ut.getName())); } subject.getPrincipals().add(new SimpleGroup("worker", ut.getName())); cred.setSubject(subject); return cred; } }
/** * @return the WSSecurityEngine in use by this interceptor. * This engine is defined to be the secEngineOverride * instance, if defined in this class (and supplied through * construction); otherwise, it is taken to be the default * WSSecEngine instance (currently defined in the WSHandler * base class). */ protected WSSecurityEngine getSecurityEngine(boolean utWithCallbacks) { if (secEngineOverride != null) { return secEngineOverride; } if (!utWithCallbacks) { WSSConfig config = WSSConfig.getNewInstance(); config.setValidator(WSConstants.USERNAME_TOKEN, new NoOpValidator()); WSSecurityEngine ret = new WSSecurityEngine(); ret.setWssConfig(config); return ret; } return null; }
/** * Check the Conditions of the Assertion. */ protected void checkConditions( SamlAssertionWrapper samlAssertion, List<String> audienceRestrictions ) throws WSSecurityException { checkConditions(samlAssertion); samlAssertion.checkAudienceRestrictions(audienceRestrictions); }
public void validateTrust(Crypto crypto, X509Certificate cert, PublicKey publicKey, Collection<Pattern> subjectCertConstraints) throws WSSecurityException { SignatureTrustValidator validator = new SignatureTrustValidator(); RequestData data = new RequestData(); data.setSigVerCrypto(crypto); data.setSubjectCertConstraints(subjectCertConstraints); Credential trustCredential = new Credential(); trustCredential.setPublicKey(publicKey); if (cert != null) { trustCredential.setCertificates(new X509Certificate[]{cert}); } validator.validate(trustCredential, data); } }
@Override public Credential validate(Credential credential, RequestData data) throws WSSecurityException { Credential validatedCredential = super.validate(credential, data); SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion(); if (!"sts".equals(assertion.getIssuerString())) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } Assertion saml2Assertion = assertion.getSaml2(); if (saml2Assertion == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements(); if (attributeStatements == null || attributeStatements.isEmpty()) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } return validatedCredential; }
protected boolean isValidatedLocally(Credential credential, RequestData data) throws WSSecurityException { if (!alwaysValidateToSts && credential.getSamlAssertion() != null) { try { samlValidator.validate(credential, data); return samlValidator.isTrustVerificationSucceeded(); } catch (RuntimeException e) { throw e; } catch (Exception e) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "invalidSAMLsecurity"); } } return false; }
/** * @return the WSSecurityEngine in use by this interceptor. * This engine is defined to be the secEngineOverride * instance, if defined in this class (and supplied through * construction); otherwise, it is taken to be the default * WSSecEngine instance (currently defined in the WSHandler * base class). */ protected WSSecurityEngine getSecurityEngine(boolean utWithCallbacks) { if (secEngineOverride != null) { return secEngineOverride; } if (!utWithCallbacks) { WSSConfig config = WSSConfig.getNewInstance(); config.setValidator(WSConstants.USERNAME_TOKEN, new NoOpValidator()); WSSecurityEngine ret = new WSSecurityEngine(); ret.setWssConfig(config); return ret; } return null; }
/** * Verify trust in the signature of a signed Assertion. This method is separate so that * the user can override if if they want. * @param samlAssertion The signed Assertion * @param data The RequestData context * @return A Credential instance * @throws WSSecurityException */ protected Credential verifySignedAssertion( SamlAssertionWrapper samlAssertion, RequestData data ) throws WSSecurityException { Credential trustCredential = new Credential(); SAMLKeyInfo samlKeyInfo = samlAssertion.getSignatureKeyInfo(); trustCredential.setPublicKey(samlKeyInfo.getPublicKey()); trustCredential.setCertificates(samlKeyInfo.getCerts()); return super.validate(trustCredential, data); }
/** Verifies the trust of a certificate. * @param result*/ protected void verifyCertificateTrust(WSHandlerResult result) throws WSSecurityException { List<WSSecurityEngineResult> results = result.getActionResults().get(WSConstants.SIGN); if (!CollectionUtils.isEmpty(results)) { WSSecurityEngineResult actionResult = results.get(0); X509Certificate returnCert = (X509Certificate) actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE); Credential credential = new Credential(); credential.setCertificates(new X509Certificate[] { returnCert}); RequestData requestData = new RequestData(); requestData.setSigVerCrypto(validationSignatureCrypto); requestData.setEnableRevocation(enableRevocation); SignatureTrustValidator validator = new SignatureTrustValidator(); validator.validate(credential, requestData); } }