org.apache.ws.security.WSSecurityException Java Examples

The following examples show how to use org.apache.ws.security.WSSecurityException.
Example #1
Source File: AbstractBindingBuilder.java    From steady with Apache License 2.0 6 votes vote down vote up
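/**
 * Builds a binary security token for the certificate(s) stored under the given alias and
 * prepends it to the WS-Security header.
 *
 * <p>When the signature builder is not limited to a single certificate, a PKIPath token is
 * built from every certificate returned for the alias; otherwise an X509 token holding only
 * the first certificate is built. The resulting element is also kept in {@code bstElement}.
 *
 * @param user   alias used to look up the certificate(s)
 * @param crypto crypto provider queried for the alias
 * @param sig    signature builder whose single-certificate setting selects the token type
 * @throws WSSecurityException if no certificate is found for the alias, or if the lookup or
 *                             the token construction fails
 */
private void includeToken(String user, Crypto crypto, WSSecSignature sig) throws WSSecurityException {
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(user);
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    // An unknown alias must surface as a security error, not as a
    // NullPointerException / ArrayIndexOutOfBoundsException on certs[0] below.
    if (certs == null || certs.length == 0) {
        throw new WSSecurityException("No certificates were found for alias: " + user);
    }

    BinarySecurity bstToken;
    if (sig.isUseSingleCertificate()) {
        X509Security x509Token = new X509Security(saaj.getSOAPPart());
        x509Token.setX509Certificate(certs[0]);
        bstToken = x509Token;
    } else {
        PKIPathSecurity pkiPathToken = new PKIPathSecurity(saaj.getSOAPPart());
        pkiPathToken.setX509Certificates(certs, crypto);
        bstToken = pkiPathToken;
    }
    bstToken.setID(wssConfig.getIdAllocator().createSecureId("X509-", certs[0]));
    WSSecurityUtil.prependChildElement(
        secHeader.getSecurityHeader(), bstToken.getElement()
    );
    bstElement = bstToken.getElement();
}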
 
Example #2
Source File: SamlTokenInterceptor.java    From steady with Apache License 2.0 6 votes vote down vote up
/**
 * Creates a SAML assertion for the message and appends it to the security header.
 *
 * <p>If no assertion could be created, every SAML token assertion that is currently marked
 * as asserted is reset to not asserted. A {@link WSSecurityException} raised while building
 * the assertion is reported through {@code policyNotAsserted} using only its message text.
 *
 * @param message the SOAP message being secured
 */
private void addSamlToken(SoapMessage message) {
    WSSConfig.init();
    SamlToken samlPolicy = assertSamlTokens(message);
    Header securityHeader = findSecurityHeader(message, true);

    try {
        AssertionWrapper assertion = addSamlToken(samlPolicy, message);
        if (assertion != null) {
            Element headerElement = (Element)securityHeader.getObject();
            headerElement.appendChild(assertion.toDOM(headerElement.getOwnerDocument()));
            return;
        }

        // Nothing was produced: withdraw the SAML token assertions again.
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        for (AssertionInfo info : aim.getAssertionInfo(SP12Constants.SAML_TOKEN)) {
            if (info.isAsserted()) {
                info.setAsserted(false);
            }
        }
    } catch (WSSecurityException ex) {
        policyNotAsserted(samlPolicy, ex.getMessage(), message);
    }
}
 
Example #3
Source File: PolicyBasedWSS4JInInterceptor.java    From steady with Apache License 2.0 6 votes vote down vote up
/**
 * Resolves the signature {@link Crypto} from a configuration value.
 *
 * <p>A value that already is a {@code Crypto} is returned unchanged. Any other non-null value
 * is resolved to properties, a {@code Crypto} is created from them, and the instance is
 * stored on the endpoint under {@code SecurityConstants.SIGNATURE_CRYPTO}.
 *
 * @param s       the configured value: a {@code Crypto}, some other object, or {@code null}
 * @param message the current SOAP message
 * @return the signature crypto, or {@code null} when {@code s} is {@code null}
 * @throws WSSecurityException if the crypto instance cannot be created
 */
private Crypto getSignatureCrypto(Object s, SoapMessage message) throws WSSecurityException {
    if (s instanceof Crypto) {
        return (Crypto)s;
    }
    if (s == null) {
        return null;
    }

    URL location = getPropertiesFileURL(s, message);
    String lookupKey = s.toString();
    if (location != null) {
        lookupKey = location.getPath();
    }
    Crypto created = CryptoFactory.getInstance(getProps(s, lookupKey, location, message));

    // Publish the instance on the endpoint while holding the endpoint's monitor.
    EndpointInfo endpointInfo = message.getExchange().get(Endpoint.class).getEndpointInfo();
    synchronized (endpointInfo) {
        endpointInfo.setProperty(SecurityConstants.SIGNATURE_CRYPTO, created);
    }
    return created;
}
 
Example #4
Source File: PolicyBasedWSS4JInInterceptor.java    From steady with Apache License 2.0 6 votes vote down vote up
/**
 * Resolves the encryption {@link Crypto} from a configuration value.
 *
 * <p>A value that already is a {@code Crypto} is returned unchanged. Any other non-null value
 * is resolved to properties, a {@code Crypto} is created from them, and the instance is
 * stored on the endpoint under {@code SecurityConstants.ENCRYPT_CRYPTO}.
 *
 * @param e       the configured value: a {@code Crypto}, some other object, or {@code null}
 * @param message the current SOAP message
 * @return the encryption crypto, or {@code null} when {@code e} is {@code null}
 * @throws WSSecurityException if the crypto instance cannot be created
 */
private Crypto getEncryptionCrypto(Object e, SoapMessage message) throws WSSecurityException {
    if (e instanceof Crypto) {
        return (Crypto)e;
    }
    if (e == null) {
        return null;
    }

    URL location = getPropertiesFileURL(e, message);
    String lookupKey = e.toString();
    if (location != null) {
        lookupKey = location.getPath();
    }
    Crypto created = CryptoFactory.getInstance(getProps(e, lookupKey, location, message));

    // Publish the instance on the endpoint while holding the endpoint's monitor.
    EndpointInfo endpointInfo = message.getExchange().get(Endpoint.class).getEndpointInfo();
    synchronized (endpointInfo) {
        endpointInfo.setProperty(SecurityConstants.ENCRYPT_CRYPTO, created);
    }
    return created;
}
 
Example #5
Source File: AsymmetricBindingHandler.java    From steady with Apache License 2.0 6 votes vote down vote up
/**
 * Prepares the encrypted key for this binding and records its key material and id.
 *
 * <p>The builder's binary security token, when it has one, is prepended to the security
 * header before the EncryptedKey element is added. The builder itself is stored on the
 * message under the {@code WSSecEncryptedKey} class name.
 *
 * @param wrapper the token wrapper the key is built for
 * @param token   the token the key is built for
 * @throws WSSecurityException if the encrypted key cannot be built
 */
private void createEncryptedKey(TokenWrapper wrapper, Token token)
    throws WSSecurityException {
    encrKey = this.getEncryptedKeyBuilder(wrapper, token);

    // A binary security token is only written when the builder produced one.
    boolean hasBinaryToken = encrKey.getBinarySecurityTokenElement() != null;
    if (hasBinaryToken) {
        encrKey.prependBSTElementToHeader(secHeader);
    }

    this.addEncryptedKeyElement(encrKey.getEncryptedKeyElement());
    encryptedKeyValue = encrKey.getEphemeralKey();
    encryptedKeyId = encrKey.getId();

    // Kept on the message for client-side response verification and
    // server-side response creation.
    message.put(WSSecEncryptedKey.class.getName(), encrKey);
}
 
Example #6
Source File: PolicyBasedWSS4JInInterceptor.java    From steady with Apache License 2.0 6 votes vote down vote up
/**
 * Resolves the encryption {@link Crypto} from a configuration value.
 *
 * <p>A value that already is a {@code Crypto} is returned unchanged. Any other non-null value
 * is resolved to properties, a {@code Crypto} is created from them, and the instance is
 * stored on the endpoint under {@code SecurityConstants.ENCRYPT_CRYPTO}.
 *
 * @param e       the configured value: a {@code Crypto}, some other object, or {@code null}
 * @param message the current SOAP message
 * @return the encryption crypto, or {@code null} when {@code e} is {@code null}
 * @throws WSSecurityException if the crypto instance cannot be created
 */
private Crypto getEncryptionCrypto(Object e, SoapMessage message) throws WSSecurityException {
    if (e instanceof Crypto) {
        return (Crypto)e;
    }
    if (e == null) {
        return null;
    }

    URL location = getPropertiesFileURL(e, message);
    String lookupKey = e.toString();
    if (location != null) {
        lookupKey = location.getPath();
    }
    Crypto created = CryptoFactory.getInstance(getProps(e, lookupKey, location, message));

    // Publish the instance on the endpoint while holding the endpoint's monitor.
    EndpointInfo endpointInfo = message.getExchange().get(Endpoint.class).getEndpointInfo();
    synchronized (endpointInfo) {
        endpointInfo.setProperty(SecurityConstants.ENCRYPT_CRYPTO, created);
    }
    return created;
}
 
Example #7
Source File: AbstractBindingBuilder.java    From steady with Apache License 2.0 6 votes vote down vote up
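/**
 * Returns the encryption {@link Crypto} and, when revocation checking is enabled, verifies
 * trust in the encryption certificate first.
 *
 * <p>The certificate is looked up under the configured encryption username, falling back to
 * the crypto's default X509 identifier. If certificates are found and trust verification
 * reports failure, the method fails instead of handing back a crypto whose certificate was
 * rejected.
 *
 * @param wrapper the token wrapper the crypto is resolved for
 * @return the encryption crypto, possibly {@code null}
 * @throws WSSecurityException if the certificate lookup fails or trust verification fails
 * @throws Fault if the default X509 identifier cannot be determined
 */
public Crypto getEncryptionCrypto(TokenWrapper wrapper) throws WSSecurityException {
    Crypto crypto = getCrypto(wrapper, SecurityConstants.ENCRYPT_CRYPTO,
                              SecurityConstants.ENCRYPT_PROPERTIES);
    boolean enableRevocation = MessageUtils.isTrue(
                                   message.getContextualProperty(SecurityConstants.ENABLE_REVOCATION));
    if (!enableRevocation || crypto == null) {
        return crypto;
    }

    String encrUser = (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
    if (encrUser == null) {
        try {
            encrUser = crypto.getDefaultX509Identifier();
        } catch (WSSecurityException e1) {
            throw new Fault(e1);
        }
    }
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(encrUser);
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);

    // verifyTrust reports its outcome as a boolean; the result used to be discarded, so a
    // "not trusted" answer was silently ignored. Fail closed instead.
    if (certs != null && certs.length > 0 && !crypto.verifyTrust(certs, enableRevocation)) {
        throw new WSSecurityException(
            "Trust verification failed for the encryption certificate of alias: " + encrUser);
    }
    return crypto;
}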
 
Example #8
Source File: PolicyBasedWSS4JInInterceptor.java    From steady with Apache License 2.0 6 votes vote down vote up
/**
 * Derives the WS-Security action string from the effective policy and stores it on the
 * message.
 *
 * <p>Starts from the configured action (empty when none is set) and lets the asymmetric,
 * symmetric and transport binding checks extend it. Nothing is written back when the message
 * carries no {@code AssertionInfoMap}.
 *
 * @param message the SOAP message being processed
 * @param data    the request data (not read here)
 * @throws WSSecurityException if one of the binding checks fails
 */
protected void computeAction(SoapMessage message, RequestData data) throws WSSecurityException {
    String configured = getString(WSHandlerConstants.ACTION, message);
    String action = (configured == null) ? "" : configured;

    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    if (aim == null) {
        return;
    }

    // These checks influence how processing is set up.
    handleWSS11(aim, message);
    action = checkAsymmetricBinding(aim, action, message);
    action = checkSymmetricBinding(aim, action, message);
    action = checkTransportBinding(aim, action, message);

    // Asserted by default; un-asserted later if a condition is not met.
    assertPolicy(aim, SP12Constants.KEYVALUE_TOKEN);

    message.put(WSHandlerConstants.ACTION, action.trim());
}
 
Example #9
Source File: PolicyBasedWSS4JInInterceptor.java    From steady with Apache License 2.0 6 votes vote down vote up
/**
 * Resolves the signature {@link Crypto} from a configuration value.
 *
 * <p>A value that already is a {@code Crypto} is returned unchanged. Any other non-null value
 * is resolved to properties, a {@code Crypto} is created from them, and the instance is
 * stored on the endpoint under {@code SecurityConstants.SIGNATURE_CRYPTO}.
 *
 * @param s       the configured value: a {@code Crypto}, some other object, or {@code null}
 * @param message the current SOAP message
 * @return the signature crypto, or {@code null} when {@code s} is {@code null}
 * @throws WSSecurityException if the crypto instance cannot be created
 */
private Crypto getSignatureCrypto(Object s, SoapMessage message) throws WSSecurityException {
    if (s instanceof Crypto) {
        return (Crypto)s;
    }
    if (s == null) {
        return null;
    }

    URL location = getPropertiesFileURL(s, message);
    String lookupKey = s.toString();
    if (location != null) {
        lookupKey = location.getPath();
    }
    Crypto created = CryptoFactory.getInstance(getProps(s, lookupKey, location, message));

    // Publish the instance on the endpoint while holding the endpoint's monitor.
    EndpointInfo endpointInfo = message.getExchange().get(Endpoint.class).getEndpointInfo();
    synchronized (endpointInfo) {
        endpointInfo.setProperty(SecurityConstants.SIGNATURE_CRYPTO, created);
    }
    return created;
}
 
Example #10
Source File: SymmetricBindingHandler.java    From steady with Apache License 2.0 6 votes vote down vote up
/**
 * Adds a derived-key UsernameToken and registers a temporary security token for it.
 *
 * <p>The temporary token carries the derived key as its secret and expires 300000 ms
 * (five minutes) after creation; it is added to the token store.
 *
 * @param sigToken the UsernameToken policy to set up
 * @return the id of the UsernameToken, which is also the id of the stored token
 * @throws WSSecurityException if the UsernameToken or its derived key cannot be produced
 */
private String setupUTDerivedKey(UsernameToken sigToken) throws WSSecurityException {
    boolean useMac = hasSignedPartsOrElements();
    WSSecUsernameToken utBuilder = addDKUsernameToken(sigToken, useMac);
    String tokenId = utBuilder.getId();
    byte[] derivedKey = utBuilder.getDerivedKey();

    // The stored key material is only valid for a five-minute window.
    Date created = new Date();
    Date expires = new Date(created.getTime() + 300000);

    SecurityToken stored =
        new SecurityToken(tokenId, utBuilder.getUsernameTokenElement(), created, expires);
    stored.setSecret(derivedKey);
    tokenStore.add(stored);

    return tokenId;
}
 
Example #11
Source File: ServerCrypto.java    From carbon-identity with Apache License 2.0 6 votes vote down vote up
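/**
 * Decodes an encoded certificate path into an array of X.509 certificates.
 *
 * @param data    the encoded certificate path
 * @param reverse when {@code true}, the certificates are returned in the opposite order to
 *                the one in the decoded path
 * @return the certificates of the path, never {@code null}
 * @throws WSSecurityException with {@code SECURITY_TOKEN_UNAVAILABLE} / {@code "parseError"}
 *                             if {@code data} is {@code null}, cannot be decoded, or holds
 *                             an entry that is not an X.509 certificate
 * @see org.apache.ws.security.components.crypto.Crypto#getX509Certificates(byte[], boolean)
 */
@Override
public X509Certificate[] getX509Certificates(byte[] data, boolean reverse)
        throws WSSecurityException {
    // The bytes come from a message; reject missing input as a parse error rather than
    // letting a NullPointerException escape.
    if (data == null) {
        throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
                "parseError");
    }
    CertPath path;
    try {
        path = getCertificateFactory().generateCertPath(new ByteArrayInputStream(data));
    } catch (CertificateException e) {
        // Keep the cause so the decoding failure can be diagnosed from logs.
        throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
                "parseError", null, e);
    }

    List<?> chain = path.getCertificates();
    int count = chain.size();
    X509Certificate[] certs = new X509Certificate[count];
    for (int i = 0; i < count; i++) {
        Object entry = chain.get(i);
        if (!(entry instanceof X509Certificate)) {
            throw new WSSecurityException(WSSecurityException.SECURITY_TOKEN_UNAVAILABLE,
                    "parseError");
        }
        certs[reverse ? (count - 1 - i) : i] = (X509Certificate) entry;
    }
    return certs;
}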
 
Example #12
Source File: PolicyBasedWSS4JInInterceptor.java    From steady with Apache License 2.0 6 votes vote down vote up
/**
 * Resolves the signature {@link Crypto} from a configuration value.
 *
 * <p>A value that already is a {@code Crypto} is returned unchanged. Any other non-null value
 * is resolved to properties, a {@code Crypto} is created from them, and the instance is
 * stored on the endpoint under {@code SecurityConstants.SIGNATURE_CRYPTO}.
 *
 * @param s       the configured value: a {@code Crypto}, some other object, or {@code null}
 * @param message the current SOAP message
 * @return the signature crypto, or {@code null} when {@code s} is {@code null}
 * @throws WSSecurityException if the crypto instance cannot be created
 */
private Crypto getSignatureCrypto(Object s, SoapMessage message) throws WSSecurityException {
    if (s instanceof Crypto) {
        return (Crypto)s;
    }
    if (s == null) {
        return null;
    }

    URL location = getPropertiesFileURL(s, message);
    String lookupKey = s.toString();
    if (location != null) {
        lookupKey = location.getPath();
    }
    Crypto created = CryptoFactory.getInstance(getProps(s, lookupKey, location, message));

    // Publish the instance on the endpoint while holding the endpoint's monitor.
    EndpointInfo endpointInfo = message.getExchange().get(Endpoint.class).getEndpointInfo();
    synchronized (endpointInfo) {
        endpointInfo.setProperty(SecurityConstants.SIGNATURE_CRYPTO, created);
    }
    return created;
}
 
Example #13
Source File: TransportBindingHandler.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Signs the configured parts and elements with the issued security token.
 *
 * <p>When the token's inclusion setting requires it, a copy of the issued token element is
 * added to the header first. The signature is then produced with derived keys or directly,
 * depending on the token policy.
 *
 * @param token   the issued-token policy
 * @param wrapper the supporting token naming the signed parts and elements
 * @return the value returned by the signature step that was used
 * @throws Exception if no security token is available (a {@link WSSecurityException}) or if
 *                   signing fails
 */
private byte[] doIssuedTokenSignature(
    Token token, SupportingToken wrapper
) throws Exception {
    SecurityToken issued = getSecurityToken();
    if (issued == null) {
        LOG.fine("The retrieved SecurityToken was null");
        throw new WSSecurityException("The retrieved SecurityToken was null");
    }

    // The included copy of the token is not added to the signed parts here.
    boolean tokenIncluded = includeToken(token.getInclusion());
    if (tokenIncluded) {
        addEncryptedKeyElement(cloneElement(issued.getToken()));
    }

    List<WSEncryptionPart> sigParts =
            signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());

    return token.isDerivedKeys()
        ? doDerivedKeySignature(tokenIncluded, issued, token, sigParts)
        : doSignature(tokenIncluded, issued, token, wrapper, sigParts);
}
 
Example #14
Source File: STSInvoker.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Looks up the security token that a cancel request refers to.
 *
 * <p>The first child element of {@code el} is parsed as a SecurityTokenReference and the URI
 * of its reference is used as the key into the endpoint's token store.
 *
 * @param exchange the current exchange, used to reach the endpoint's token store
 * @param el       the element whose first child is the SecurityTokenReference
 * @return whatever the token store returns for the referenced URI
 * @throws WSSecurityException if the SecurityTokenReference cannot be parsed
 */
private SecurityToken findCancelToken(Exchange exchange, Element el) throws WSSecurityException {
    Element referenceElement = DOMUtils.getFirstElement(el);
    SecurityTokenReference ref = new SecurityTokenReference(referenceElement);
    // NOTE(review): the reference comes from the request; nothing here guards against a
    // SecurityTokenReference without a Reference child or an endpoint without a token
    // store. Confirm callers handle the resulting runtime exception.
    String uri = ref.getReference().getURI();
    Object storeProperty = exchange.get(Endpoint.class).getEndpointInfo()
            .getProperty(TokenStore.class.getName());
    return ((TokenStore)storeProperty).getToken(uri);
}
 
Example #15
Source File: SAMLUtils.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Checks every SAML assertion found in the processing results against the holder-of-key and
 * sender-vouches requirements.
 *
 * <p>Signed and unsigned SAML results are both checked. Each assertion is evaluated against
 * the signature results ({@code SIGN} and {@code UT_SIGN}) and the TLS peer certificates of
 * the message, when TLS session information is present. The first failing assertion aborts
 * validation.
 *
 * @param results the WS-Security processing results
 * @param message the message, used to obtain the TLS session information
 * @param body    the SOAP body element
 * @throws WSSecurityException with {@code INVALID_SECURITY} if an assertion fails either check
 */
public static void validateSAMLResults(
    List<WSSecurityEngineResult> results,
    Message message,
    Element body
) throws WSSecurityException {
    List<WSSecurityEngineResult> assertions = new ArrayList<WSSecurityEngineResult>();
    WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, assertions);
    WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, assertions);
    if (assertions.isEmpty()) {
        return;
    }

    List<WSSecurityEngineResult> signatures = new ArrayList<WSSecurityEngineResult>();
    WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN, signatures);
    WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_SIGN, signatures);

    for (WSSecurityEngineResult samlResult : assertions) {
        AssertionWrapper assertion =
            (AssertionWrapper)samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);

        TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
        Certificate[] tlsCerts = (tlsInfo == null) ? null : tlsInfo.getPeerCertificates();

        boolean holderOfKeyOk = SAMLUtils.checkHolderOfKey(assertion, signatures, tlsCerts);
        if (!holderOfKeyOk) {
            LOG.warning("Assertion fails holder-of-key requirements");
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
        }

        boolean senderVouchesOk =
            SAMLUtils.checkSenderVouches(assertion, tlsCerts, body, signatures);
        if (!senderVouchesOk) {
            LOG.warning("Assertion fails sender-vouches requirements");
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
        }
    }
}
 
Example #16
Source File: BasicAuthAuthenticator.java    From carbon-apimgt with Apache License 2.0 5 votes vote down vote up
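/**
 * Extract the basic authentication credentials from the basic authorization header via Base64 decoding.
 *
 * <p>The decoded value is split at the first colon only, so a password that itself contains
 * a colon is returned intact, and an empty username or password yields an empty string
 * rather than a shorter array.
 *
 * @param basicAuthHeader the basic authorization header
 * @return a two-element String array containing username and password
 * @throws APISecurityException in case of invalid authorization header or no header
 */
private String[] extractBasicAuthCredentials(String basicAuthHeader) throws APISecurityException {
    if (basicAuthHeader == null || !basicAuthHeader.contains(basicAuthKeyHeaderSegment)) {
        if (log.isDebugEnabled()) {
            log.debug("Basic Authentication: No Basic Auth Header found");
        }
        throw new APISecurityException(APISecurityConstants.API_AUTH_MISSING_CREDENTIALS,
                APISecurityConstants.API_AUTH_MISSING_CREDENTIALS_MESSAGE);
    }

    // The header is client-controlled: a value too short to hold a token after the scheme
    // segment must be rejected as invalid credentials, not fail in substring().
    int tokenStart = basicAuthKeyHeaderSegment.length() + 1;
    if (basicAuthHeader.length() < tokenStart) {
        log.error("Basic Authentication: Invalid Basic Auth token");
        throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS,
                APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
    }

    try {
        // NOTE(review): the bytes are decoded with the platform default charset; confirm the
        // charset clients are expected to use for non-ASCII credentials.
        String basicAuthKey = new String(Base64.decode(
                basicAuthHeader.substring(tokenStart).trim()));
        if (basicAuthKey.contains(":")) {
            // Limit 2: only the first colon separates the username from the password.
            return basicAuthKey.split(":", 2);
        }
        log.error("Basic Authentication: Invalid Basic Auth token");
        throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS,
                APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
    } catch (WSSecurityException e) {
        log.error("Error occured during Basic Authentication: Invalid Basic Auth token");
        throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS,
                APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
    }
}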
 
Example #17
Source File: AbstractBindingBuilder.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Determines the username (alias) to use for signing or encryption and configures the
 * encrypted key builder with it.
 *
 * <p>The username is read from the message's contextual properties; when it is absent and a
 * crypto is available, the crypto's default X509 identifier is used instead. When the
 * username equals {@code WSHandlerConstants.USE_REQ_SIG_CERT}, the certificate is taken from
 * the security results of the incoming message rather than looked up by alias.
 *
 * @param encrKeyBuilder the encrypted key builder to configure
 * @param token          the token wrapper that problems are reported against
 * @param sign           {@code true} to use the signature username, {@code false} to use the
 *                       encryption username
 * @param crypto         the crypto used for the default identifier, may be {@code null}
 * @return the resolved username, which may be {@code null} or empty
 * @throws Fault if the default X509 identifier cannot be obtained
 */
public String setEncryptionUser(WSSecEncryptedKey encrKeyBuilder, TokenWrapper token,
                              boolean sign, Crypto crypto) {
    String encrUser = (String)message.getContextualProperty(sign 
                                                            ? SecurityConstants.SIGNATURE_USERNAME
                                                            : SecurityConstants.ENCRYPT_USERNAME);
    if (crypto != null && encrUser == null) {
        // No username configured: fall back to the crypto's default identifier.
        try {
            encrUser = crypto.getDefaultX509Identifier();
        } catch (WSSecurityException e1) {
            throw new Fault(e1);
        }
    } else if (encrUser == null || "".equals(encrUser)) {
        // Also reached when a crypto exists but the configured username is empty.
        policyNotAsserted(token, "No " + (sign ? "signature" : "encryption") + " crypto object found.");
    }
    // NOTE(review): execution continues after policyNotAsserted as far as this method shows;
    // confirm whether that helper aborts processing.
    if (encrUser == null || "".equals(encrUser)) {
        policyNotAsserted(token, "A " + (sign ? "signature" : "encryption") + " username needs to be declared.");
    }
    if (WSHandlerConstants.USE_REQ_SIG_CERT.equals(encrUser)) {
        // Use the certificate from the request's signature, taken from the results
        // recorded for the incoming message.
        List<WSHandlerResult> results = 
            CastUtils.cast((List<?>)
                message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS));
        if (results != null) {
            encrKeyBuilder.setUseThisCert(getReqSigCert(results));
             
            //TODO This is a hack, this should not come under USE_REQ_SIG_CERT
            if (encrKeyBuilder.isCertSet()) {
                encrKeyBuilder.setUserInfo(getUsername(results));
            }
        } else {
            policyNotAsserted(token, "No security results in incoming message");
        }
    } else {
        encrKeyBuilder.setUserInfo(encrUser);
    }
    
    return encrUser;
}
 
Example #18
Source File: WSS4JInInterceptor.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Replaces the message's {@link XMLStreamReader} content with a reader over the given body
 * node, advanced by up to two events.
 *
 * @param msg  the SOAP message whose reader content is replaced
 * @param body the DOM node to read from
 * @throws SOAPException      declared by the signature; not raised by the visible code
 * @throws XMLStreamException if advancing the reader fails
 * @throws WSSecurityException declared by the signature; not raised by the visible code
 */
protected void advanceBody(
    SoapMessage msg, Node body
) throws SOAPException, XMLStreamException, WSSecurityException {
    XMLStreamReader reader = StaxUtils.createXMLStreamReader(new DOMSource(body));
    // Step past the first event, then at most one more.
    // NOTE(review): the original loop also tested
    // (evt != END_ELEMENT || evt != START_ELEMENT), which is always true and never
    // re-read the event, so the event type has no influence on how far the reader moves.
    reader.next();
    for (int steps = 0; reader.hasNext() && steps < 1; steps++) {
        reader.next();
    }
    msg.setContent(XMLStreamReader.class, reader);
}
 
Example #19
Source File: UsernameTokenInterceptor.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Parses a UsernameToken element and copies its fields into a principal.
 *
 * <p>The principal receives the name, the hashed flag, the nonce, the password as carried in
 * the token, the creation time and the password type. No credential check happens here.
 *
 * @param tokenElement the UsernameToken element to parse
 * @param bspCompliant passed through to the token parser
 * @return the populated principal
 * @throws WSSecurityException if the element cannot be parsed as a UsernameToken
 */
protected WSUsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement, boolean bspCompliant) 
    throws WSSecurityException {
    org.apache.ws.security.message.token.UsernameToken parsed =
        new org.apache.ws.security.message.token.UsernameToken(tokenElement, false, bspCompliant);

    WSUsernameTokenPrincipal result =
        new WSUsernameTokenPrincipal(parsed.getName(), parsed.isHashed());
    result.setNonce(parsed.getNonce());
    // The password value is held by the principal exactly as the token supplied it.
    result.setPassword(parsed.getPassword());
    result.setCreatedTime(parsed.getCreated());
    result.setPasswordType(parsed.getPasswordType());
    return result;
}
 
Example #20
Source File: SymmetricBindingHandler.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Builds an encrypted key and registers a temporary security token for it.
 *
 * <p>The temporary token carries the ephemeral key as its secret and the SHA1 value of the
 * encrypted ephemeral key, and expires 300000 ms (five minutes) after creation. When the
 * builder has a binary security token id, that token is prepended to the security header.
 *
 * @param wrapper  the token wrapper the key is built for
 * @param sigToken the token the key is built for
 * @return the id of the encrypted key, which is also the id of the stored token
 * @throws WSSecurityException if the encrypted key cannot be built
 */
private String setupEncryptedKey(TokenWrapper wrapper, Token sigToken) throws WSSecurityException {
    WSSecEncryptedKey keyBuilder = this.getEncryptedKeyBuilder(wrapper, sigToken);
    String keyId = keyBuilder.getId();
    byte[] ephemeralKey = keyBuilder.getEphemeralKey();

    // The stored key material is only valid for a five-minute window.
    Date created = new Date();
    Date expires = new Date(created.getTime() + 300000);

    SecurityToken stored =
        new SecurityToken(keyId, keyBuilder.getEncryptedKeyElement(), created, expires);
    stored.setSecret(ephemeralKey);

    // Needed when the encrypted key is referenced through a key identifier of type
    // EncryptedKeySHA1.
    stored.setSHA1(getSHA1(keyBuilder.getEncryptedEphemeralKey()));

    tokenStore.add(stored);

    // With a direct reference to the certificate, the certificate goes into the
    // security header now.
    String bstTokenId = keyBuilder.getBSTTokenId();
    boolean hasBstReference = bstTokenId != null && bstTokenId.length() > 0;
    if (hasBstReference) {
        keyBuilder.prependBSTElementToHeader(secHeader);
    }
    return keyId;
}
 
Example #21
Source File: WSS4JInInterceptor.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Replaces the message's {@link XMLStreamReader} content with a reader over the given body
 * node, advanced by up to two events.
 *
 * @param msg  the SOAP message whose reader content is replaced
 * @param body the DOM node to read from
 * @throws SOAPException      declared by the signature; not raised by the visible code
 * @throws XMLStreamException if advancing the reader fails
 * @throws WSSecurityException declared by the signature; not raised by the visible code
 */
protected void advanceBody(
    SoapMessage msg, Node body
) throws SOAPException, XMLStreamException, WSSecurityException {
    XMLStreamReader reader = StaxUtils.createXMLStreamReader(new DOMSource(body));
    // Step past the first event, then at most one more.
    // NOTE(review): the original loop also tested
    // (evt != END_ELEMENT || evt != START_ELEMENT), which is always true and never
    // re-read the event, so the event type has no influence on how far the reader moves.
    reader.next();
    for (int steps = 0; reader.hasNext() && steps < 1; steps++) {
        reader.next();
    }
    msg.setContent(XMLStreamReader.class, reader);
}
 
Example #22
Source File: AbstractUsernameTokenAuthenticatingInterceptor.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Handles a UsernameToken with a custom password type by handing the token's name and
 * password to the enclosing interceptor's {@code setSubject}.
 *
 * @param usernameToken the received UsernameToken
 * @param data          the request data (not read here)
 * @throws WSSecurityException declared by the overridden method
 */
@Override
protected void verifyCustomPassword(
    org.apache.ws.security.message.token.UsernameToken usernameToken,
    RequestData data
) throws WSSecurityException {
    String name = usernameToken.getName();
    String password = usernameToken.getPassword();
    // The credential decision is left to setSubject on the enclosing interceptor.
    AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
        name, password, false, null, null
    );
}
 
Example #23
Source File: STSInvoker.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Looks up the security token that a cancel request refers to.
 *
 * <p>The first child element of {@code el} is parsed as a SecurityTokenReference and the URI
 * of its reference is used as the key into the endpoint's token store.
 *
 * @param exchange the current exchange, used to reach the endpoint's token store
 * @param el       the element whose first child is the SecurityTokenReference
 * @return whatever the token store returns for the referenced URI
 * @throws WSSecurityException if the SecurityTokenReference cannot be parsed
 */
private SecurityToken findCancelToken(Exchange exchange, Element el) throws WSSecurityException {
    Element referenceElement = DOMUtils.getFirstElement(el);
    SecurityTokenReference ref = new SecurityTokenReference(referenceElement);
    // NOTE(review): the reference comes from the request; nothing here guards against a
    // SecurityTokenReference without a Reference child or an endpoint without a token
    // store. Confirm callers handle the resulting runtime exception.
    String uri = ref.getReference().getURI();
    Object storeProperty = exchange.get(Endpoint.class).getEndpointInfo()
            .getProperty(TokenStore.class.getName());
    return ((TokenStore)storeProperty).getToken(uri);
}
 
Example #24
Source File: AbstractWSS4JInterceptor.java    From steady with Apache License 2.0 5 votes vote down vote up
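/**
 * Loads a {@link Crypto} from a properties file.
 *
 * <p>The file is first resolved as a classpath resource and then through the bus's
 * {@code ResourceManager}. If it is found, its properties are loaded and used to create the
 * crypto. If it is not found, or anything goes wrong on that path, the method falls back to
 * {@code CryptoFactory.getInstance(propFilename, classLoader)}. A thread context class loader
 * installed along the way is always restored.
 *
 * @param propFilename name of the crypto properties file
 * @param reqData      request data providing the message context
 * @return the crypto instance
 * @throws WSSecurityException if the fallback lookup fails
 */
@Override
protected Crypto loadCryptoFromPropertiesFile(
    String propFilename, 
    RequestData reqData
) throws WSSecurityException {
    ClassLoaderHolder orig = null;
    try {
        try {
            URL url = ClassLoaderUtils.getResource(propFilename, this.getClass());
            if (url == null) {
                ResourceManager manager = ((Message)reqData.getMsgContext()).getExchange()
                        .getBus().getExtension(ResourceManager.class);
                ClassLoader loader = manager.resolveResource("", ClassLoader.class);
                if (loader != null) {
                    orig = ClassLoaderUtils.setThreadContextClassloader(loader);
                }
                url = manager.resolveResource(propFilename, URL.class);
            }
            if (url != null) {
                Properties props = new Properties();
                InputStream in = url.openStream();
                try {
                    props.load(in);
                } finally {
                    // Close the stream even when load() fails, so a malformed or
                    // unreadable file does not leak a handle.
                    in.close();
                }
                return CryptoFactory.getInstance(props,
                                                 this.getClassLoader(reqData.getMsgContext()));
            }
        } catch (Exception e) {
            // Deliberate best effort: any failure above falls through to the lookup by
            // file name below. NOTE(review): the failure is not recorded anywhere, so a
            // broken keystore configuration found on this path is invisible to operators.
        }
        return CryptoFactory.getInstance(propFilename, this.getClassLoader(reqData.getMsgContext()));
    } finally {
        if (orig != null) {
            orig.reset();
        }
    }
}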
 
Example #25
Source File: WSS4JInInterceptor.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Stores the last timestamp result of the processing results on the message.
 *
 * <p>Nothing is stored when the results contain no timestamp action.
 *
 * @param msg      the message that receives the {@code TIMESTAMP_RESULT} entry
 * @param reqData  the request data (not read here)
 * @param wsResult the WS-Security processing results
 * @throws WSSecurityException declared by the signature; not raised by the visible code
 */
private void storeTimestamp(
    SoapMessage msg, RequestData reqData, List<WSSecurityEngineResult> wsResult
) throws WSSecurityException {
    List<WSSecurityEngineResult> found = WSSecurityUtil.fetchAllActionResults(
        wsResult, WSConstants.TS, new ArrayList<WSSecurityEngineResult>());
    if (found.isEmpty()) {
        return;
    }
    // Only the last timestamp result is kept.
    msg.put(TIMESTAMP_RESULT, found.get(found.size() - 1));
}
 
Example #26
Source File: AbstractUsernameTokenAuthenticatingInterceptor.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Handles a UsernameToken with a custom password type by handing the token's name and
 * password to the enclosing interceptor's {@code setSubject}.
 *
 * @param usernameToken the received UsernameToken
 * @param data          the request data (not read here)
 * @throws WSSecurityException declared by the overridden method
 */
@Override
protected void verifyCustomPassword(
    org.apache.ws.security.message.token.UsernameToken usernameToken,
    RequestData data
) throws WSSecurityException {
    String name = usernameToken.getName();
    String password = usernameToken.getPassword();
    // The credential decision is left to setSubject on the enclosing interceptor.
    AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
        name, password, false, null, null
    );
}
 
Example #27
Source File: AbstractUsernameTokenAuthenticatingInterceptor.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Handles a UsernameToken with a plaintext password by handing the token's name and
 * password to the enclosing interceptor's {@code setSubject}.
 *
 * @param usernameToken the received UsernameToken
 * @param data          the request data (not read here)
 * @throws WSSecurityException declared by the overridden method
 */
@Override
protected void verifyPlaintextPassword(
    org.apache.ws.security.message.token.UsernameToken usernameToken,
    RequestData data
) throws WSSecurityException {
    String name = usernameToken.getName();
    String password = usernameToken.getPassword();
    // The credential decision is left to setSubject on the enclosing interceptor.
    AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
        name, password, false, null, null
    );
}
 
Example #28
Source File: SymmetricBindingHandler.java    From steady with Apache License 2.0 5 votes vote down vote up
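/**
 * Finds the first password-less UsernameToken result of the incoming message and registers
 * a temporary security token for its secret.
 *
 * <p>The temporary token uses the result's id (or a newly allocated one when the result has
 * none), carries the result's secret and expires 300000 ms (five minutes) after creation.
 *
 * @return the id of the stored token, or {@code null} when the incoming message has no
 *         security results or none of them is a {@code UT_NOPASSWORD} result
 * @throws WSSecurityException declared by the signature; not raised by the visible code
 */
private String getUTDerivedKey() throws WSSecurityException {
    List<WSHandlerResult> results = CastUtils.cast((List<?>)message.getExchange().getInMessage()
        .get(WSHandlerConstants.RECV_RESULTS));
    // An incoming message without recorded security results simply has no matching
    // token; report "not found" rather than failing with a NullPointerException.
    if (results == null) {
        return null;
    }

    for (WSHandlerResult rResult : results) {
        for (WSSecurityEngineResult wser : rResult.getResults()) {
            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
            // Skip results that carry no action instead of unboxing null.
            if (actInt == null || actInt.intValue() != WSConstants.UT_NOPASSWORD) {
                continue;
            }

            String utID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
            if (utID == null || utID.length() == 0) {
                utID = wssConfig.getIdAllocator().createId("UsernameToken-", null);
            }

            // The stored key material is only valid for a five-minute window.
            Date created = new Date();
            Date expires = new Date(created.getTime() + 300000);
            SecurityToken tempTok = new SecurityToken(utID, created, expires);

            byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
            tempTok.setSecret(secret);
            tokenStore.add(tempTok);

            return utID;
        }
    }
    return null;
}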
 
Example #29
Source File: WSS4JInInterceptor.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Stores the last signature result of the processing results on the message.
 *
 * <p>Nothing is stored when the results contain no signature action.
 *
 * @param msg      the message that receives the {@code SIGNATURE_RESULT} entry
 * @param reqData  the request data (not read here)
 * @param wsResult the WS-Security processing results
 * @throws WSSecurityException declared by the signature; not raised by the visible code
 */
private void storeSignature(
    SoapMessage msg, RequestData reqData, List<WSSecurityEngineResult> wsResult
) throws WSSecurityException {
    List<WSSecurityEngineResult> found = WSSecurityUtil.fetchAllActionResults(
        wsResult, WSConstants.SIGN, new ArrayList<WSSecurityEngineResult>());
    if (found.isEmpty()) {
        return;
    }
    // Only the last signature result is kept.
    msg.put(SIGNATURE_RESULT, found.get(found.size() - 1));
}
 
Example #30
Source File: AbstractUsernameTokenAuthenticatingInterceptor.java    From steady with Apache License 2.0 5 votes vote down vote up
/**
 * Handles a UsernameToken of unknown password type by handing only the token's name, with a
 * {@code null} password, to the enclosing interceptor's {@code setSubject}.
 *
 * @param usernameToken the received UsernameToken
 * @param data          the request data (not read here)
 * @throws WSSecurityException declared by the overridden method
 */
@Override
protected void verifyUnknownPassword(
    org.apache.ws.security.message.token.UsernameToken usernameToken,
    RequestData data
) throws WSSecurityException {
    String name = usernameToken.getName();
    // No password is forwarded on this path; setSubject receives null for it.
    AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
        name, null, false, null, null
    );
}