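/**
 * Returns the first ENCR result on the inbound message that carries a non-empty
 * {@code TAG_ID}, or {@code null} when there is none.
 * <p>
 * The results are read from {@code WSHandlerConstants.RECV_RESULTS} on the
 * exchange's in-message. That property is absent when no WS-Security processing
 * ran on the message (other code in this corpus checks the same key for
 * {@code null}), so a missing list is treated as "no result" rather than being
 * allowed to surface as a {@code NullPointerException}.
 *
 * @return the matching {@code WSSecurityEngineResult}, or {@code null}
 */
protected WSSecurityEngineResult getEncryptedKeyResult() {
    List<WSHandlerResult> results =
        CastUtils.cast((List<?>)message.getExchange().getInMessage()
            .get(WSHandlerConstants.RECV_RESULTS));
    // No security results were stored on the message: nothing to search.
    if (results == null) {
        return null;
    }
    for (WSHandlerResult rResult : results) {
        List<WSSecurityEngineResult> encryptedResults =
            rResult.getActionResults().get(WSConstants.ENCR);
        if (encryptedResults == null) {
            continue;
        }
        for (WSSecurityEngineResult wser : encryptedResults) {
            String encryptedKeyID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
            // Results without an Id are skipped; only the first result with an Id is
            // returned, so callers must not assume it is the only encryption result.
            if (encryptedKeyID != null && !encryptedKeyID.isEmpty()) {
                return wser;
            }
        }
    }
    return null;
}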
/**
 * Processes a {@code ReferenceList} element: resolves its data references,
 * records an ENCR result (tagged with the element's {@code Id} attribute when it
 * is non-empty) in the request's {@code WSDocInfo}, and returns that one result.
 *
 * @param elem the ReferenceList element
 * @param data the request data whose {@code WSDocInfo} receives the element and result
 * @return a singleton list holding the new ENCR result
 * @throws WSSecurityException if the reference list cannot be processed
 */
public List<WSSecurityEngineResult> handleToken(
    Element elem,
    RequestData data
) throws WSSecurityException {
    LOG.debug("Found reference list element");
    List<WSDataRef> refs = handleReferenceList(elem, data);

    WSSecurityEngineResult encrResult = new WSSecurityEngineResult(WSConstants.ENCR, refs);
    String idAttr = elem.getAttributeNS(null, "Id");
    // getAttributeNS yields "" for a missing attribute; only a real Id is recorded.
    if (!"".equals(idAttr)) {
        encrResult.put(WSSecurityEngineResult.TAG_ID, idAttr);
    }

    data.getWsDocInfo().addTokenElement(elem);
    data.getWsDocInfo().addResult(encrResult);
    return Collections.singletonList(encrResult);
}
/**
 * Get the certificate that was used to sign the request.
 * <p>
 * Scans the handler results in order and returns the X.509 certificate recorded on
 * the first SIGN result that carries {@code TAG_X509_CERTIFICATE}. If the message
 * holds several signatures, only the first matching one is reported.
 *
 * @param results the per-handler security results of the inbound message; may be null
 * @return the signing certificate, or {@code null} when no SIGN result carries one
 */
public static X509Certificate getReqSigCert(List<WSHandlerResult> results) {
    if (results == null) {
        return null;
    }
    for (WSHandlerResult handlerResult : results) {
        List<WSSecurityEngineResult> signResults =
            handlerResult.getActionResults().get(WSConstants.SIGN);
        // A missing or empty SIGN list simply contributes nothing.
        if (signResults == null) {
            continue;
        }
        for (WSSecurityEngineResult signResult : signResults) {
            if (signResult.containsKey(WSSecurityEngineResult.TAG_X509_CERTIFICATE)) {
                return (X509Certificate)signResult.get(
                    WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            }
        }
    }
    return null;
}
}
/**
 * Records a UsernameToken validation outcome on the message as a new
 * {@code WSHandlerResult}, inserted at the head of
 * {@code WSHandlerConstants.RECV_RESULTS} (the list is created if absent),
 * and then asserts the corresponding tokens.
 *
 * @param principal the validated UsernameToken principal; a null password selects
 *                  the {@code UT_NOPASSWORD} action instead of {@code UT}
 * @param subject   the authenticated subject, stored under {@code TAG_SUBJECT} when non-null
 * @param message   the SOAP message whose security results are updated
 */
private void storeResults(UsernameTokenPrincipal principal, Subject subject, SoapMessage message) {
    int action = principal.getPassword() == null ? WSConstants.UT_NOPASSWORD : WSConstants.UT;

    WSSecurityEngineResult utResult =
        new WSSecurityEngineResult(action, principal, null, null, null);
    if (subject != null) {
        utResult.put(WSSecurityEngineResult.TAG_SUBJECT, subject);
    }
    List<WSSecurityEngineResult> engineResults = new ArrayList<>();
    engineResults.add(utResult);

    List<WSHandlerResult> handlerResults =
        CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
    if (handlerResults == null) {
        handlerResults = new ArrayList<>();
        message.put(WSHandlerConstants.RECV_RESULTS, handlerResults);
    }
    // Insert at index 0 so this result precedes any results already on the message.
    handlerResults.add(0, new WSHandlerResult(null, engineResults,
                                              Collections.singletonMap(action, engineResults)));

    assertTokens(message, principal, false);
}
data.getBSPEnforcer().handleBSPRule(BSPRule.R5402); if (!(SecurityTokenReference.SECURITY_TOKEN_REFERENCE.equals(child.getLocalName()) && WSConstants.WSSE_NS.equals(child.getNamespaceURI()))) { && publicKey == null) { LOG.debug("No certificates or keys were found with which to validate the signature"); throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK); WSSecurityEngineResult result = new WSSecurityEngineResult( actionPerformed, principal, certs, dataRefs, signatureValue); result.put(WSSecurityEngineResult.TAG_SIGNATURE_METHOD, signatureMethod); result.put(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD, c14nMethod); result.put(WSSecurityEngineResult.TAG_ID, tokenId); result.put(WSSecurityEngineResult.TAG_SECRET, secretKey); result.put(WSSecurityEngineResult.TAG_PUBLIC_KEY, publicKey); result.put(WSSecurityEngineResult.TAG_X509_REFERENCE_TYPE, referenceType); result.put(WSSecurityEngineResult.TAG_TOKEN_ELEMENT, elem); if (validator != null) { result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE); if (credential != null) { result.put(WSSecurityEngineResult.TAG_SUBJECT, credential.getSubject());
for (Node currentChild = elem.getFirstChild(); currentChild != null; currentChild = currentChild.getNextSibling() @SuppressWarnings("unchecked") List<WSDataRef> dataRefs = (List<WSDataRef>)r.get(WSSecurityEngineResult.TAG_DATA_REF_URIS); if (dataRefs != null) { for (WSDataRef dataRef : dataRefs) { QName el = new QName(decryptedElem.getNamespaceURI(), decryptedElem.getLocalName()); Processor proc = request.getWssConfig().getProcessor(el); if (proc != null) { LOG.debug("Processing decrypted element with: {}", proc.getClass().getName()); String typeStr = encryptedDataElement.getAttributeNS(null, "Type"); if (typeStr != null && !(WSConstants.ENC_NS + "Element").equals(typeStr)) { throw new WSSecurityException( WSSecurityException.ErrorCode.INVALID_SECURITY, "badElement", new Object[] {"Element", typeStr} new QName(encryptedDataElement.getNamespaceURI(), encryptedDataElement.getLocalName()); Processor proc = request.getWssConfig().getProcessor(el); if (proc != null) { LOG.debug("Processing decrypted element with: {}", proc.getClass().getName());
Element child = DOMUtils.getFirstElement(el); while (child != null) { if (WSS4JConstants.BINARY_TOKEN_LN.equals(child.getLocalName()) && WSS4JConstants.WSSE_NS.equals(child.getNamespaceURI())) { try { List<WSSecurityEngineResult> bstResults = processToken(child, message); if (bstResults != null) { List<WSHandlerResult> results = CastUtils.cast((List<?>)message .get(WSHandlerConstants.RECV_RESULTS)); if (results == null) { results = new ArrayList<>(); message.put(WSHandlerConstants.RECV_RESULTS, results); new WSHandlerResult(null, bstResults, Collections.singletonMap(WSConstants.BST, bstResults)); results.add(0, rResult); (Principal)bstResults.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL); SecurityContext sc = message.get(SecurityContext.class); if (sc == null || sc.getUserPrincipal() == null) { message.put(SecurityContext.class, new DefaultSecurityContext(principal, null));
LOG.debug("Found EncryptedData element"); final String encryptedDataId = elem.getAttributeNS(null, "Id"); throw new WSSecurityException( WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, "noKeyinfo" ); checkBSPCompliance(symEncAlgo, data.getBSPEnforcer()); ); encrKeyResults = encrKeyProc.handleToken(encryptedKeyElement, data); byte[] symmKey = (byte[])encrKeyResults.get(0).get(WSSecurityEngineResult.TAG_SECRET); key = KeyUtils.prepareSecretKey(symEncAlgo, symmKey); } else if (retrievalMethodElement != null && "http://www.w3.org/2001/04/xmlenc#EncryptedKey".equals( retrievalMethodElement.getAttributeNS(null, "Type"))) { String uri = retrievalMethodElement.getAttributeNS(null, "URI"); byte[] symmKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET); key = KeyUtils.prepareSecretKey(symEncAlgo, symmKey); new WSSecurityEngineResult(WSConstants.ENCR, Collections.singletonList(dataRef)); if (!"".equals(encryptedDataId)) { result.put(WSSecurityEngineResult.TAG_ID, encryptedDataId);
/**
 * Checks whether {@code token} is covered by a signature through an EncryptedData
 * reference: the signed reference must point at an {@code xenc:EncryptedData}
 * element whose {@code Id} equals the wsu:Id of an encrypted data reference that
 * protects the very same DOM node as {@code token}.
 *
 * @param token            the token element to look for (compared by identity)
 * @param signedRef        a data reference taken from a SIGN result
 * @param encryptedResults the ENCR results whose data references are searched
 * @return {@code true} if such a signed, encrypted reference to the token exists
 */
private boolean isEncryptedTokenSigned(Element token, WSDataRef signedRef,
                                       List<WSSecurityEngineResult> encryptedResults) {
    Element signedElem = signedRef.getProtectedElement();
    if (signedElem == null
        || !"EncryptedData".equals(signedElem.getLocalName())
        || !WSS4JConstants.ENC_NS.equals(signedElem.getNamespaceURI())) {
        return false;
    }
    String signedDataId = signedElem.getAttributeNS(null, "Id");

    for (WSSecurityEngineResult encResult : encryptedResults) {
        List<WSDataRef> encRefs =
            CastUtils.cast((List<?>)encResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (encRefs == null) {
            continue;
        }
        for (WSDataRef encRef : encRefs) {
            String wsuId = encRef.getWsuId();
            // Both the protected node and the Id must match for the token to count as signed.
            if (token == encRef.getProtectedElement()
                && wsuId != null && wsuId.equals(signedDataId)) {
                return true;
            }
        }
    }
    return false;
}
String id = elem.getAttributeNS(null, "Id"); if (!"".equals(id)) { WSSecurityEngineResult result = data.getWsDocInfo().getResult(id); if (result != null && WSConstants.ENCR == (Integer)result.get(WSSecurityEngineResult.TAG_ACTION) ) { return Collections.singletonList(result); if (data.getCallbackHandler() == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCallback"); WSSecurityEngineResult result = new WSSecurityEngineResult( WSConstants.ENCR, decryptedBytes, certs ); result.put( WSSecurityEngineResult.TAG_ENCRYPTED_KEY_TRANSPORT_METHOD, encryptedKeyTransportMethod ); result.put(WSSecurityEngineResult.TAG_TOKEN_ELEMENT, elem); result.put(WSSecurityEngineResult.TAG_ID, tokenId); result.put(WSSecurityEngineResult.TAG_X509_REFERENCE_TYPE, referenceType); result.put(WSSecurityEngineResult.TAG_PUBLIC_KEY, publicKey);
&& "EncryptedKey".equals(((Element)entropyObject).getLocalName())) { EncryptedKeyProcessor processor = new EncryptedKeyProcessor(); Element entropyElement = (Element)entropyObject; RequestData requestData = new RequestData(); requestData.setDecCrypto(stsProperties.getSignatureCrypto()); requestData.setCallbackHandler(stsProperties.getCallbackHandler()); requestData.setWssConfig(WSSConfig.getNewInstance()); requestData.setWsDocInfo(new WSDocInfo(entropyElement.getOwnerDocument())); try { List<WSSecurityEngineResult> results = processor.handleToken(entropyElement, requestData); Entropy entropy = new Entropy(); entropy.setDecryptedKey((byte[])results.get(0).get(WSSecurityEngineResult.TAG_SECRET)); return entropy; } catch (WSSecurityException e) { LOG.log(Level.WARNING, "", e); throw new STSException(e.getMessage(), e, STSException.INVALID_REQUEST);
) throws WSSecurityException { new WSSecurityEngineResult(WSConstants.BST, token, certs); result.put(WSSecurityEngineResult.TAG_ID, id); result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE); result.put(WSSecurityEngineResult.TAG_SECRET, returnedCredential.getSecretKey()); result.put( WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN, returnedCredential.getTransformedToken() ); if (credential.getPrincipal() != null) { result.put(WSSecurityEngineResult.TAG_PRINCIPAL, credential.getPrincipal()); } else { SAMLTokenPrincipalImpl samlPrincipal = new SAMLTokenPrincipalImpl(credential.getTransformedToken()); result.put(WSSecurityEngineResult.TAG_PRINCIPAL, samlPrincipal); result.put(WSSecurityEngineResult.TAG_PRINCIPAL, credential.getPrincipal()); } else if (certs != null && certs[0] != null) { result.put(WSSecurityEngineResult.TAG_PRINCIPAL, certs[0].getSubjectX500Principal()); result.put(WSSecurityEngineResult.TAG_SUBJECT, credential.getSubject()); result.put(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL, credential.getDelegationCredential());
Element body = SAAJUtils.getBody(doc); if (body != null) { document = body.getOwnerDocument(); if (elem != null && elem.getOwnerDocument() != null && elem.getOwnerDocument().getDocumentElement() != null) { node = elem.getOwnerDocument(). getDocumentElement().getFirstChild().getNextSibling().getFirstChild(); elem.getOwnerDocument().getDocumentElement().getFirstChild(). getNextSibling().replaceChild(newNode, node); List<WSSecurityEngineResult> encryptResults = wsResult.getActionResults().get(WSConstants.ENCR); if (encryptResults != null) { for (WSSecurityEngineResult result : wsResult.getActionResults().get(WSConstants.ENCR)) { List<WSDataRef> dataRefs = CastUtils.cast((List<?>)result .get(WSSecurityEngineResult.TAG_DATA_REF_URIS)); for (WSDataRef dataRef : dataRefs) { if (dataRef.getProtectedElement() == node) { if (wsResult.getActionResults().containsKey(WSConstants.SIGN)) { signedResults.addAll(wsResult.getActionResults().get(WSConstants.SIGN)); List<WSDataRef> dataRefs = CastUtils.cast((List<?>)result .get(WSSecurityEngineResult.TAG_DATA_REF_URIS)); for (WSDataRef dataRef :dataRefs) { if (dataRef.getProtectedElement() == node) {
data.getValidator(new QName(elem.getNamespaceURI(), elem.getLocalName())); WSSecurityEngineResult result = null; if (samlAssertion.isSigned()) { result = new WSSecurityEngineResult(WSConstants.ST_SIGNED, samlAssertion); result.put(WSSecurityEngineResult.TAG_DATA_REF_URIS, dataRefs); } else { result = new WSSecurityEngineResult(WSConstants.ST_UNSIGNED, samlAssertion); result.put(WSSecurityEngineResult.TAG_ID, id); result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE); if (credential.getTransformedToken() != null) { result.put( WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN, credential.getTransformedToken() ); if (credential.getPrincipal() != null) { result.put(WSSecurityEngineResult.TAG_PRINCIPAL, credential.getPrincipal()); } else { SAMLTokenPrincipalImpl samlPrincipal = new SAMLTokenPrincipalImpl(credential.getTransformedToken()); result.put(WSSecurityEngineResult.TAG_PRINCIPAL, samlPrincipal); result.put(WSSecurityEngineResult.TAG_PRINCIPAL, credential.getPrincipal()); } else { result.put(WSSecurityEngineResult.TAG_PRINCIPAL, new SAMLTokenPrincipalImpl(samlAssertion)); result.put(WSSecurityEngineResult.TAG_SUBJECT, credential.getSubject());
data.getValidator(new QName(elem.getNamespaceURI(), elem.getLocalName())); new WSSecurityEngineResult(WSConstants.SCT, sct); if (validator != null) { result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE); String tokenId = sct.getID(); if (!"".equals(tokenId)) { result.put(WSSecurityEngineResult.TAG_ID, tokenId); result.put(WSSecurityEngineResult.TAG_SECRET, returnedCredential.getSecretKey()); } else { String id = sct.getID(); secret = getSecret(data.getCallbackHandler(), sct.getIdentifier()); } catch (WSSecurityException ex) { secret = getSecret(data.getCallbackHandler(), id); secret = getSecret(data.getCallbackHandler(), id); result.put(WSSecurityEngineResult.TAG_ID, sct.getID()); result.put(WSSecurityEngineResult.TAG_SECRET, secret);
String keyIdentifierValue = secRef.getKeyIdentifierValue(); String type = secRef.getKeyIdentifierValueType(); WSSecurityEngineResult result = request.getWsDocInfo().getResult(keyIdentifierValue); if (result != null) { samlAssertion = (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); return samlAssertion; } else { token = findProcessedTokenElement( strElement.getOwnerDocument(), request.getWsDocInfo(), request.getCallbackHandler(), keyIdentifierValue, type ); if (token != null) { if (!"Assertion".equals(token.getLocalName())) { throw new WSSecurityException( WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity" ); List<WSSecurityEngineResult> samlResult = proc.handleToken(token, request); return (SamlAssertionWrapper)samlResult.get(0).get( WSSecurityEngineResult.TAG_SAML_ASSERTION );
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noCipher"); WSDocInfo docInfo = new WSDocInfo(child.getOwnerDocument()); RequestData data = new RequestData(); data.setWssConfig(WSSConfig.getNewInstance()); data.setDecCrypto(createCrypto(true)); data.setCallbackHandler(createHandler()); data.setWsDocInfo(docInfo); List<WSSecurityEngineResult> result = proc.handleToken(child, data); return (byte[])result.get(0).get( WSSecurityEngineResult.TAG_SECRET );
Element tokenElement = (Element) targetToken; NodeList refList = tokenElement.getElementsByTagNameNS(STSConstants.WSSE_EXT_04_01, "Reference"); if (refList.getLength() == 0) { throw new STSException( CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS)); List<WSSecurityEngineResult> engineResults = handlerResult.getResults(); Integer actInt = (Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION); String id = (String)engineResult.get(WSSecurityEngineResult.TAG_ID); if (referenceURI.equals(id)) { Element tokenElement = (Element)engineResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT); if (tokenElement == null) { throw new STSException( engineResult.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN); if (referenceURI.equals(sct.getIdentifier())) { return sct.getElement();
WSSecurityEngineResult result = new WSSecurityEngineResult(action, token); String tokenId = token.getID(); if (!"".equals(tokenId)) { result.put(WSSecurityEngineResult.TAG_ID, tokenId); result.put(WSSecurityEngineResult.TAG_SECRET, secretKey); result.put(WSSecurityEngineResult.TAG_VALIDATED_TOKEN, Boolean.TRUE); if (credential.getTransformedToken() != null) { result.put( WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN, credential.getTransformedToken() ); if (credential.getPrincipal() != null) { result.put(WSSecurityEngineResult.TAG_PRINCIPAL, credential.getPrincipal()); } else { SAMLTokenPrincipalImpl samlPrincipal = new SAMLTokenPrincipalImpl(credential.getTransformedToken()); result.put(WSSecurityEngineResult.TAG_PRINCIPAL, samlPrincipal); result.put(WSSecurityEngineResult.TAG_PRINCIPAL, credential.getPrincipal()); } else { WSUsernameTokenPrincipalImpl principal = principal.setCreatedTime(token.getCreated()); principal.setPasswordType(token.getPasswordType()); result.put(WSSecurityEngineResult.TAG_PRINCIPAL, principal); result.put(WSSecurityEngineResult.TAG_SUBJECT, credential.getSubject());
for (WSSecurityEngineResult result : bstResults) { BinarySecurity binarySecurityToken = (BinarySecurity)result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN); if (binarySecurityToken != null && requiredType.equals(binarySecurityToken.getValueType())) { if (v3certRequired && binarySecurityToken instanceof X509Security) { LOG.log(Level.FINE, e.getMessage()); for (WSSecurityEngineResult result : signedResults) { STRParser.REFERENCE_TYPE referenceType = (STRParser.REFERENCE_TYPE)result.get(WSSecurityEngineResult.TAG_X509_REFERENCE_TYPE); if (STRParser.REFERENCE_TYPE.KEY_IDENTIFIER == referenceType) { Element signatureElement = (Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT); Element keyIdentifier = getKeyIdentifier(signatureElement); if (keyIdentifier != null && X509_V3_VALUETYPE.equals(keyIdentifier.getAttributeNS(null, "ValueType"))) { try { X509Security token = LOG.log(Level.FINE, e.getMessage());