private boolean isAllowNoPassword(AssertionInfoMap aim) throws WSSecurityException {
    Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);

    if (!ais.isEmpty()) {
      for (AssertionInfo ai : ais) {
        UsernameToken policy = (UsernameToken) ai.getAssertion();
        if (policy.getPasswordType() == UsernameToken.PasswordType.NoPassword) {
          return true;
        }
      }
    }

    return false;
  }
  // Handle these separately for custom AlgorithmSuites
  private void assertAlgorithmSuites(Collection<AssertionInfo> ais, AssertionInfoMap aim) {
    for (AssertionInfo ai : ais) {
      ai.setAsserted(true);
      AlgorithmSuite algorithmSuite = (AlgorithmSuite) ai.getAssertion();

      AlgorithmSuiteType algorithmSuiteType = algorithmSuite.getAlgorithmSuiteType();
      String namespace = algorithmSuiteType.getNamespace();
      if (namespace != null && !namespace.equals(algorithmSuite.getName().getNamespaceURI())) {
        Collection<AssertionInfo> algAis =
            aim.get(new QName(namespace, algorithmSuiteType.getName()));
        if (algAis != null && !algAis.isEmpty()) {
          for (AssertionInfo algAi : algAis) {
            algAi.setAsserted(true);
          }
        }
      }
    }
  }
  protected void addToken(SoapMessage message) {
    UsernameToken tok = assertTokens(message);

    Header h = findSecurityHeader(message, true);
    WSSecUsernameToken utBuilder = addUsernameToken(message, tok);
    if (utBuilder == null) {
      AssertionInfoMap aim = message.get(AssertionInfoMap.class);
      Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
      for (AssertionInfo ai : ais) {
        if (ai.isAsserted()) {
          ai.setAsserted(false);
        }
      }
      return;
    }
    Element el = (Element) h.getObject();
    utBuilder.prepare(el.getOwnerDocument());
    el.appendChild(utBuilder.getUsernameTokenElement());
  }
 private void assertAllSecurityAssertions(AssertionInfoMap aim) {
   for (Map.Entry<QName, Collection<AssertionInfo>> entry : aim.entrySet()) {
     String namespace = entry.getKey().getNamespaceURI();
     if (SP11Constants.SP_NS.equals(namespace)
         || SP12Constants.SP_NS.equals(namespace)
         || SP13Constants.SP_NS.equals(namespace)) {
       Collection<AssertionInfo> ais = entry.getValue();
       if (ais != null && !ais.isEmpty()) {
         if (SPConstants.ALGORITHM_SUITE.equals(entry.getKey().getLocalPart())) {
           assertAlgorithmSuites(ais, aim);
         } else {
           for (AssertionInfo ai : ais) {
             ai.setAsserted(true);
           }
         }
       }
     }
   }
 }
  private void parsePolicies(
      AssertionInfoMap aim,
      Collection<AssertionInfo> ais,
      Message message,
      List<WSSecurityEngineResult> results,
      List<WSSecurityEngineResult> signedResults) {
    for (AssertionInfo ai : ais) {
      Layout layout = (Layout) ai.getAssertion();
      ai.setAsserted(true);

      if (!validatePolicy(layout, results, signedResults)) {
        String error = "Layout does not match the requirements";
        ai.setNotAsserted(error);
      }
    }

    assertPolicy(aim, SPConstants.LAYOUT_LAX);
    assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
    assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
    assertPolicy(aim, SPConstants.LAYOUT_STRICT);
  }
  private UsernameToken assertTokens(
      SoapMessage message, UsernameTokenPrincipal princ, boolean signed) {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
    UsernameToken tok = null;
    for (AssertionInfo ai : ais) {
      tok = (UsernameToken) ai.getAssertion();
      ai.setAsserted(true);
      if ((tok.getPasswordType() == UsernameToken.PasswordType.HashPassword)
          && (princ == null || !princ.isPasswordDigest())) {
        ai.setNotAsserted("Password hashing policy not enforced");
      } else {
        assertPolicy(aim, SPConstants.HASH_PASSWORD);
      }

      if ((tok.getPasswordType() != UsernameToken.PasswordType.NoPassword)
          && isNonEndorsingSupportingToken(tok)
          && (princ == null || princ.getPassword() == null)) {
        ai.setNotAsserted("Username Token No Password supplied");
      } else {
        assertPolicy(aim, SPConstants.NO_PASSWORD);
      }

      if (tok.isCreated() && princ.getCreatedTime() == null) {
        ai.setNotAsserted("No Created Time");
      } else {
        assertPolicy(aim, SP13Constants.CREATED);
      }

      if (tok.isNonce() && princ.getNonce() == null) {
        ai.setNotAsserted("No Nonce");
      } else {
        assertPolicy(aim, SP13Constants.NONCE);
      }
    }

    assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
    assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
    assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);

    if (signed || isTLSInUse(message)) {
      assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
    }
    return tok;
  }
  /**
   * Mediate message flow.
   *
   * @param message the current message
   * @param isFault true if a fault is being mediated
   * @return true if processing should continue on dispatch path
   */
  protected boolean mediate(Message message, boolean isFault) {
    boolean continueProcessing = true;
    if (ContextUtils.isOutbound(message)) {
      if (usingAddressing(message)) {
        // request/response MAPs must be aggregated
        aggregate(message, isFault);
      }
      AddressingProperties theMaps =
          ContextUtils.retrieveMAPs(message, false, ContextUtils.isOutbound(message));
      if (null != theMaps) {
        if (ContextUtils.isRequestor(message)) {
          assertAddressing(message, theMaps.getReplyTo(), theMaps.getFaultTo());
        } else {
          checkReplyTo(message, theMaps);
        }
      }
    } else if (!ContextUtils.isRequestor(message)) {
      // responder validates incoming MAPs
      AddressingProperties maps = getMAPs(message, false, false);
      // check responses
      if (maps != null) {
        checkAddressingResponses(maps.getReplyTo(), maps.getFaultTo());
        assertAddressing(message, maps.getReplyTo(), maps.getFaultTo());
      }
      boolean isOneway = message.getExchange().isOneWay();
      if (null == maps && !addressingRequired) {
        return false;
      }
      continueProcessing = validateIncomingMAPs(maps, message);
      if (maps != null) {
        AddressingProperties theMaps =
            ContextUtils.retrieveMAPs(message, false, ContextUtils.isOutbound(message));
        if (null != theMaps) {
          assertAddressing(message, theMaps.getReplyTo(), theMaps.getFaultTo());
        }

        if (isOneway || !ContextUtils.isGenericAddress(maps.getReplyTo())) {
          InternalContextUtils.rebaseResponse(maps.getReplyTo(), maps, message);
        }
        if (!isOneway) {
          if (ContextUtils.isNoneAddress(maps.getReplyTo())) {
            LOG.warning("Detected NONE value in ReplyTo WSA header for request-respone MEP");
          } else {
            // ensure the inbound MAPs are available in both the full & fault
            // response messages (used to determine relatesTo etc.)
            ContextUtils.propogateReceivedMAPs(maps, message.getExchange());
          }
        }
      }
      if (continueProcessing) {
        // any faults thrown from here on can be correlated with this message
        message.put(FaultMode.class, FaultMode.LOGICAL_RUNTIME_FAULT);
      } else {
        // validation failure => dispatch is aborted, response MAPs
        // must be aggregated
        // isFault = true;
        // aggregate(message, isFault);
        if (isSOAP12(message)) {
          SoapFault soap12Fault =
              new SoapFault(
                  ContextUtils.retrieveMAPFaultReason(message), Soap12.getInstance().getSender());
          soap12Fault.setSubCode(
              new QName(Names.WSA_NAMESPACE_NAME, ContextUtils.retrieveMAPFaultName(message)));
          throw soap12Fault;
        }
        throw new SoapFault(
            ContextUtils.retrieveMAPFaultReason(message),
            new QName(Names.WSA_NAMESPACE_NAME, ContextUtils.retrieveMAPFaultName(message)));
      }
    } else {
      AddressingProperties theMaps =
          ContextUtils.retrieveMAPs(message, false, ContextUtils.isOutbound(message));
      if (null != theMaps) {
        assertAddressing(message, theMaps.getReplyTo(), theMaps.getFaultTo());
      }
      // If the wsa policy is enabled , but the client sets the
      // WSAddressingFeature.isAddressingRequired to false , we need to assert all WSA assertion to
      // true
      if (!ContextUtils.isOutbound(message)
          && ContextUtils.isRequestor(message)
          && getWSAddressingFeature(message) != null
          && !getWSAddressingFeature(message).isAddressingRequired()) {
        assertAddressing(message);
      }
      // CXF-3060 :If wsa policy is not enforced, AddressingProperties map is null and
      // AddressingFeature.isRequired, requestor checks inbound message and throw exception
      if (null == theMaps
          && !ContextUtils.isOutbound(message)
          && ContextUtils.isRequestor(message)
          && getWSAddressingFeature(message) != null
          && getWSAddressingFeature(message).isAddressingRequired()) {
        boolean missingWsaHeader = false;
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        if (aim == null || aim.size() == 0) {
          missingWsaHeader = true;
        }
        if (aim != null && aim.size() > 0) {
          missingWsaHeader = true;
          QName[] types =
              new QName[] {
                MetadataConstants.ADDRESSING_ASSERTION_QNAME,
                MetadataConstants.USING_ADDRESSING_2004_QNAME,
                MetadataConstants.USING_ADDRESSING_2005_QNAME,
                MetadataConstants.USING_ADDRESSING_2006_QNAME
              };
          for (QName type : types) {
            for (AssertionInfo assertInfo : aim.getAssertionInfo(type)) {
              if (assertInfo.isAsserted()) {
                missingWsaHeader = false;
              }
            }
          }
        }
        if (missingWsaHeader) {
          throw new SoapFault(
              "MISSING_ACTION_MESSAGE",
              BUNDLE,
              new QName(Names.WSA_NAMESPACE_NAME, Names.HEADER_REQUIRED_NAME));
        }
      }
      if (MessageUtils.isPartialResponse(message)
          && message.getExchange().getOutMessage() != null) {
        // marked as a partial response, let's see if it really is
        MessageInfo min = message.get(MessageInfo.class);
        MessageInfo mout = message.getExchange().getOutMessage().get(MessageInfo.class);
        if (min != null
            && mout != null
            && min.getOperation() == mout.getOperation()
            && message.getContent(List.class) != null) {
          // the in and out messages are on the same operation
          // and we were able to get a response for it.
          message.remove(Message.PARTIAL_RESPONSE_MESSAGE);
        }
      }
    }
    return continueProcessing;
  }
 private void assertAssertion(AssertionInfoMap aim, QName type) {
   Collection<AssertionInfo> aic = aim.getAssertionInfo(type);
   for (AssertionInfo ai : aic) {
     ai.setAsserted(true);
   }
 }
Beispiel #9
0
 @SuppressWarnings("unchecked")
 protected JaxbAssertion<RMAssertion> getAssertion(AssertionInfo ai) {
   return (JaxbAssertion<RMAssertion>) ai.getAssertion();
 }