/**
 * Tells whether the given token produced the main signature using public-key
 * material (a PublicKey or a non-empty X509Certificate chain).
 *
 * @param token the inbound token to inspect; {@code null} yields {@code false}
 * @return {@code true} only when a "MainSignature" usage is recorded on the token
 *         and a public key or at least one certificate is attached to it
 * @throws XMLSecurityException propagated from the token accessors
 */
private boolean isUsedForPublicKeySignature(SubjectAndPrincipalSecurityToken token)
    throws XMLSecurityException {
    if (token == null) {
        return false;
    }
    // A token that did not sign the message cannot carry the signing identity
    if (!hasMainSignatureUsage(token.getTokenUsages())) {
        return false;
    }
    // Signature verified by a public key or by a certificate chain
    return hasPublicKeyMaterial(token);
}

/** True if one of the recorded usages is named "MainSignature"; a null list means no usages. */
private static boolean hasMainSignatureUsage(List<TokenUsage> usages) {
    if (usages == null) {
        return false;
    }
    for (TokenUsage usage : usages) {
        if ("MainSignature".equals(usage.getName())) {
            return true;
        }
    }
    return false;
}

/** True if the token exposes a PublicKey or a non-empty certificate array. */
private static boolean hasPublicKeyMaterial(SubjectAndPrincipalSecurityToken token)
    throws XMLSecurityException {
    if (token.getPublicKey() != null) {
        return true;
    }
    return token.getX509Certificates() != null && token.getX509Certificates().length > 0;
}
/**
 * Returns the password type of the wrapped UsernameToken.
 *
 * @return the value reported by the underlying security token
 */
public WSSConstants.UsernameTokenPasswordType getUsernameTokenPasswordType() {
    WSSConstants.UsernameTokenPasswordType passwordType =
        getSecurityToken().getUsernameTokenPasswordType();
    return passwordType;
}
/**
 * Returns the Kerberos token value type (the token's ValueType URI) of the wrapped token.
 *
 * @return the value reported by the underlying security token
 */
public String getKerberosTokenValueType() {
    String valueType = getSecurityToken().getKerberosTokenValueType();
    return valueType;
}
}
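/**
 * Caches the received Kerberos token in the message's token store and records
 * its id on the exchange under {@code SecurityConstants.TOKEN_ID}.
 *
 * <p>The cached entry carries the token type, the selected secret key (and its
 * encoded bytes, when available) and a SHA-1 digest of the raw ticket so the
 * token can later be referenced by key identifier.
 *
 * @param message the current message, used to reach the token store and the exchange
 * @param kerberosToken the validated inbound Kerberos token
 */
private void storeKerberosToken(Message message, KerberosServiceSecurityToken kerberosToken) {
    SecurityToken token = new SecurityToken(kerberosToken.getId());
    token.setTokenType(kerberosToken.getKerberosTokenValueType());

    SecretKey secretKey = getSecretKeyFromToken(kerberosToken);
    token.setKey(secretKey);
    if (secretKey != null) {
        token.setSecret(secretKey.getEncoded());
    }

    byte[] ticket = kerberosToken.getBinaryContent();
    try {
        token.setSHA1(XMLUtils.encodeToString(KeyUtils.generateDigest(ticket)));
    } catch (WSSecurityException e) {
        // Not fatal: the token is still cached, but a later lookup by SHA-1 key
        // identifier will not find it. Record why rather than dropping the error.
        LOG.fine("Unable to compute the SHA-1 of Kerberos token " + kerberosToken.getId()
                 + ": " + e.getMessage());
    }

    TokenStoreUtils.getTokenStore(message).add(token);
    message.getExchange().put(SecurityConstants.TOKEN_ID, token.getId());
}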
/**
 * Decides whether a SAML token event may contribute a principal.
 *
 * <p>By default only a signed assertion is accepted; the
 * {@code SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL} property
 * (read from the message, default {@code false}) relaxes that to any assertion.
 *
 * @param event the SAML token event; {@code null} yields {@code false}
 * @param msg the message from which the security property is read
 * @return {@code true} if the event carries an assertion that is signed or
 *         unsigned assertions are explicitly enabled
 */
private boolean isSamlEventAllowed(SamlTokenSecurityEvent event, Message msg) {
    if (event == null) {
        return false;
    }
    boolean unsignedAllowed = SecurityUtils.getSecurityPropertyBoolean(
        SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, msg, false
    );
    if (event.getSecurityToken() == null) {
        return false;
    }
    if (event.getSecurityToken().getSamlAssertionWrapper() == null) {
        return false;
    }
    if (unsignedAllowed) {
        return true;
    }
    // Default policy: the assertion itself must carry a signature
    return event.getSecurityToken().getSamlAssertionWrapper().isSigned();
}
String content = child.getTextContent(); if (content.endsWith("SymmetricKey")) { Map<String, Key> subjectKeys = samlTokenSecurityEvent.getSecurityToken().getSecretKey(); if (subjectKeys.isEmpty()) { return "Policy enforces SAML token with a symmetric key"; PublicKey publicKey = samlTokenSecurityEvent.getSecurityToken().getPublicKey(); X509Certificate[] x509Certificate = samlTokenSecurityEvent.getSecurityToken().getX509Certificates(); if (publicKey == null && x509Certificate == null) { return "Policy enforces SAML token with an asymmetric key";
Principal p = token.getPrincipal(); Subject subject = token.getSubject(); receivedAssertion = ((SAMLTokenPrincipal)token.getPrincipal()).getToken(); if (receivedAssertion != null) { ClaimCollection claims =
/**
 * Decides whether a UsernameToken event may contribute a principal.
 *
 * <p>A token without a password is rejected unless the
 * {@code SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL} property (read from
 * the message, default {@code false}) is enabled.
 *
 * @param event the UsernameToken event; {@code null} yields {@code false}
 * @param msg the message from which the security property is read
 * @return {@code true} if the event carries a token that has a password, or
 *         password-less tokens are explicitly enabled
 */
private boolean isUsernameTokenEventAllowed(UsernameTokenSecurityEvent event, Message msg) {
    if (event == null) {
        return false;
    }
    boolean noPasswordAllowed = SecurityUtils.getSecurityPropertyBoolean(
        SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, false
    );
    if (event.getSecurityToken() == null) {
        return false;
    }
    if (noPasswordAllowed) {
        return true;
    }
    // Default policy: a password must have been supplied with the token
    return event.getSecurityToken().getPassword() != null;
}
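/**
 * Selects the secret key to cache for a Kerberos token: of all {@link SecretKey}
 * values exposed by the token, the one with the longest encoded form.
 *
 * @param kerberosToken the token whose secret keys are inspected
 * @return the chosen key, or {@code null} if the token has no secret keys or
 *         they cannot be read
 */
private SecretKey getSecretKeyFromToken(KerberosServiceSecurityToken kerberosToken) {
    Map<String, Key> secretKeys;
    try {
        secretKeys = kerberosToken.getSecretKey();
    } catch (XMLSecurityException e) {
        LOG.fine("Unable to read the secret keys of the Kerberos token: " + e.getMessage());
        return null;
    }
    if (secretKeys == null) {
        return null;
    }

    SecretKey foundKey = null;
    // Iterate the map already fetched instead of calling getSecretKey() a second time
    for (Key candidate : secretKeys.values()) {
        if (!(candidate instanceof SecretKey)) {
            continue;
        }
        SecretKey secretKey = (SecretKey) candidate;
        if (foundKey == null || encodedLength(secretKey) > encodedLength(foundKey)) {
            foundKey = secretKey;
        }
    }
    return foundKey;
}

/**
 * Length of a key's encoded form; {@link Key#getEncoded()} may return
 * {@code null} for keys that do not support encoding, which counts as 0.
 */
private static int encodedLength(Key key) {
    byte[] encoded = key.getEncoded();
    return encoded == null ? 0 : encoded.length;
}
}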
/**
 * Returns the SAML assertion carried by the wrapped token's principal.
 *
 * @return the assertion held by the token's {@code SAMLTokenPrincipal}
 * @throws WSSecurityException propagated from the token accessors
 */
public SamlAssertionWrapper getSamlAssertionWrapper() throws WSSecurityException {
    // The principal is assumed to be a SAMLTokenPrincipal; any other type fails the cast
    SAMLTokenPrincipal samlPrincipal = (SAMLTokenPrincipal) getSecurityToken().getPrincipal();
    return samlPrincipal.getToken();
}
}
KeyIdentifier kerberosKeyIdentifier = kerberosServiceSecurityToken.getKeyIdentifier(); if (!WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF.equals(kerberosKeyIdentifier)) { setErrorMessage("Policy enforces KeyIdentifierReference but we got " + kerberosKeyIdentifier);
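/**
 * Caches the received Kerberos token in the message's token store and records
 * its id on the exchange under {@code SecurityConstants.TOKEN_ID}.
 *
 * <p>The cached entry carries the token type, the selected secret key (and its
 * encoded bytes, when available) and a SHA-1 digest of the raw ticket so the
 * token can later be referenced by key identifier.
 *
 * @param message the current message, used to reach the token store and the exchange
 * @param kerberosToken the validated inbound Kerberos token
 */
private void storeKerberosToken(Message message, KerberosServiceSecurityToken kerberosToken) {
    SecurityToken token = new SecurityToken(kerberosToken.getId());
    token.setTokenType(kerberosToken.getKerberosTokenValueType());

    SecretKey secretKey = getSecretKeyFromToken(kerberosToken);
    token.setKey(secretKey);
    if (secretKey != null) {
        token.setSecret(secretKey.getEncoded());
    }

    byte[] ticket = kerberosToken.getBinaryContent();
    try {
        token.setSHA1(XMLUtils.encodeToString(KeyUtils.generateDigest(ticket)));
    } catch (WSSecurityException e) {
        // Not fatal: the token is still cached, but a later lookup by SHA-1 key
        // identifier will not find it. Record why rather than dropping the error.
        LOG.fine("Unable to compute the SHA-1 of Kerberos token " + kerberosToken.getId()
                 + ": " + e.getMessage());
    }

    TokenStoreUtils.getTokenStore(message).add(token);
    message.getExchange().put(SecurityConstants.TOKEN_ID, token.getId());
}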
/**
 * Tells whether the given token produced the main signature using public-key
 * material (a PublicKey or a non-empty X509Certificate chain).
 *
 * @param token the inbound token to inspect; {@code null} yields {@code false}
 * @return {@code true} only when a "MainSignature" usage is recorded on the token
 *         and a public key or at least one certificate is attached to it
 * @throws XMLSecurityException propagated from the token accessors
 */
private boolean isUsedForPublicKeySignature(SubjectAndPrincipalSecurityToken token)
    throws XMLSecurityException {
    if (token == null) {
        return false;
    }
    // A token that did not sign the message cannot carry the signing identity
    if (!hasMainSignatureUsage(token.getTokenUsages())) {
        return false;
    }
    // Signature verified by a public key or by a certificate chain
    return hasPublicKeyMaterial(token);
}

/** True if one of the recorded usages is named "MainSignature"; a null list means no usages. */
private static boolean hasMainSignatureUsage(List<TokenUsage> usages) {
    if (usages == null) {
        return false;
    }
    for (TokenUsage usage : usages) {
        if ("MainSignature".equals(usage.getName())) {
            return true;
        }
    }
    return false;
}

/** True if the token exposes a PublicKey or a non-empty certificate array. */
private static boolean hasPublicKeyMaterial(SubjectAndPrincipalSecurityToken token)
    throws XMLSecurityException {
    if (token.getPublicKey() != null) {
        return true;
    }
    return token.getX509Certificates() != null && token.getX509Certificates().length > 0;
}
/**
 * Decides whether a SAML token event may contribute a principal.
 *
 * <p>By default only a signed assertion is accepted; the
 * {@code SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL} property
 * (read from the message, default {@code false}) relaxes that to any assertion.
 *
 * @param event the SAML token event; {@code null} yields {@code false}
 * @param msg the message from which the security property is read
 * @return {@code true} if the event carries an assertion that is signed or
 *         unsigned assertions are explicitly enabled
 */
private boolean isSamlEventAllowed(SamlTokenSecurityEvent event, Message msg) {
    if (event == null) {
        return false;
    }
    boolean unsignedAllowed = SecurityUtils.getSecurityPropertyBoolean(
        SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, msg, false
    );
    if (event.getSecurityToken() == null) {
        return false;
    }
    if (event.getSecurityToken().getSamlAssertionWrapper() == null) {
        return false;
    }
    if (unsignedAllowed) {
        return true;
    }
    // Default policy: the assertion itself must carry a signature
    return event.getSecurityToken().getSamlAssertionWrapper().isSigned();
}
/**
 * Tells whether the wrapped token's value type is one of the GSS Kerberos v5
 * AP-REQ types (the base, 1510 and 4120 variants).
 *
 * @return {@code true} if the value type matches one of the three GSS AP-REQ URIs
 */
public boolean isGssKerberosV5ApReqToken11() {
    String valueType = getSecurityToken().getKerberosTokenValueType();
    // Constants are on the left so a null value type simply does not match
    return WSSConstants.NS_GSS_KERBEROS5_AP_REQ.equals(valueType)
        || WSSConstants.NS_GSS_KERBEROS5_AP_REQ1510.equals(valueType)
        || WSSConstants.NS_GSS_KERBEROS5_AP_REQ4120.equals(valueType);
}
/**
 * Decides whether a UsernameToken event may contribute a principal.
 *
 * <p>A token without a password is rejected unless the
 * {@code SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL} property (read from
 * the message, default {@code false}) is enabled.
 *
 * @param event the UsernameToken event; {@code null} yields {@code false}
 * @param msg the message from which the security property is read
 * @return {@code true} if the event carries a token that has a password, or
 *         password-less tokens are explicitly enabled
 */
private boolean isUsernameTokenEventAllowed(UsernameTokenSecurityEvent event, Message msg) {
    if (event == null) {
        return false;
    }
    boolean noPasswordAllowed = SecurityUtils.getSecurityPropertyBoolean(
        SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, false
    );
    if (event.getSecurityToken() == null) {
        return false;
    }
    if (noPasswordAllowed) {
        return true;
    }
    // Default policy: a password must have been supplied with the token
    return event.getSecurityToken().getPassword() != null;
}
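/**
 * Selects the secret key to cache for a Kerberos token: of all {@link SecretKey}
 * values exposed by the token, the one with the longest encoded form.
 *
 * @param kerberosToken the token whose secret keys are inspected
 * @return the chosen key, or {@code null} if the token has no secret keys or
 *         they cannot be read
 */
private SecretKey getSecretKeyFromToken(KerberosServiceSecurityToken kerberosToken) {
    Map<String, Key> secretKeys;
    try {
        secretKeys = kerberosToken.getSecretKey();
    } catch (XMLSecurityException e) {
        LOG.fine("Unable to read the secret keys of the Kerberos token: " + e.getMessage());
        return null;
    }
    if (secretKeys == null) {
        return null;
    }

    SecretKey foundKey = null;
    // Iterate the map already fetched instead of calling getSecretKey() a second time
    for (Key candidate : secretKeys.values()) {
        if (!(candidate instanceof SecretKey)) {
            continue;
        }
        SecretKey secretKey = (SecretKey) candidate;
        if (foundKey == null || encodedLength(secretKey) > encodedLength(foundKey)) {
            foundKey = secretKey;
        }
    }
    return foundKey;
}

/**
 * Length of a key's encoded form; {@link Key#getEncoded()} may return
 * {@code null} for keys that do not support encoding, which counts as 0.
 */
private static int encodedLength(Key key) {
    byte[] encoded = key.getEncoded();
    return encoded == null ? 0 : encoded.length;
}
}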
findInboundSecurityToken(WSSecurityEventConstants.SAML_TOKEN, messageContext); if (securityToken instanceof SamlSecurityToken && ((SamlSecurityToken)securityToken).getSamlAssertionWrapper() != null) { return ((SamlSecurityToken)securityToken).getSamlAssertionWrapper();
/**
 * Tells whether the wrapped token's value type is one of the (non-GSS) Kerberos v5
 * AP-REQ types (the base, 1510 and 4120 variants).
 *
 * @return {@code true} if the value type matches one of the three AP-REQ URIs
 */
public boolean isKerberosV5ApReqToken11() {
    String valueType = getSecurityToken().getKerberosTokenValueType();
    // Constants are on the left so a null value type simply does not match
    return WSSConstants.NS_KERBEROS5_AP_REQ.equals(valueType)
        || WSSConstants.NS_KERBEROS5_AP_REQ1510.equals(valueType)
        || WSSConstants.NS_KERBEROS5_AP_REQ4120.equals(valueType);
}
findInboundSecurityToken(WSSecurityEventConstants.SAML_TOKEN, messageContext); if (securityToken instanceof SamlSecurityToken && ((SamlSecurityToken)securityToken).getSamlAssertionWrapper() != null) { return ((SamlSecurityToken)securityToken).getSamlAssertionWrapper();