private boolean isAllowNoPassword(AssertionInfoMap aim) throws WSSecurityException {
Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
UsernameToken policy = (UsernameToken) ai.getAssertion();
if (policy.getPasswordType() == UsernameToken.PasswordType.NoPassword) {
return true;
}
}
}
return false;
}
private UsernameToken assertTokens(
SoapMessage message, UsernameTokenPrincipal princ, boolean signed) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
UsernameToken tok = null;
for (AssertionInfo ai : ais) {
tok = (UsernameToken) ai.getAssertion();
ai.setAsserted(true);
if ((tok.getPasswordType() == UsernameToken.PasswordType.HashPassword)
&& (princ == null || !princ.isPasswordDigest())) {
ai.setNotAsserted("Password hashing policy not enforced");
} else {
assertPolicy(aim, SPConstants.HASH_PASSWORD);
}
if ((tok.getPasswordType() != UsernameToken.PasswordType.NoPassword)
&& isNonEndorsingSupportingToken(tok)
&& (princ == null || princ.getPassword() == null)) {
ai.setNotAsserted("Username Token No Password supplied");
} else {
assertPolicy(aim, SPConstants.NO_PASSWORD);
}
if (tok.isCreated() && princ.getCreatedTime() == null) {
ai.setNotAsserted("No Created Time");
} else {
assertPolicy(aim, SP13Constants.CREATED);
}
if (tok.isNonce() && princ.getNonce() == null) {
ai.setNotAsserted("No Nonce");
} else {
assertPolicy(aim, SP13Constants.NONCE);
}
}
assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
if (signed || isTLSInUse(message)) {
assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
}
return tok;
}
/**
* Return true if this UsernameToken policy is a (non-endorsing)SupportingToken. If this is true
* then the corresponding UsernameToken must have a password element.
*/
private boolean isNonEndorsingSupportingToken(
org.apache.wss4j.policy.model.UsernameToken usernameTokenPolicy) {
AbstractSecurityAssertion supportingToken = usernameTokenPolicy.getParentAssertion();
if (supportingToken instanceof SupportingTokens
&& ((SupportingTokens) supportingToken).isEndorsing()) {
return false;
}
return true;
}
protected WSSecUsernameToken addUsernameToken(SoapMessage message, UsernameToken token) {
String userName = (String) message.getContextualProperty(SecurityConstants.USERNAME);
WSSConfig wssConfig = (WSSConfig) message.getContextualProperty(WSSConfig.class.getName());
if (wssConfig == null) {
wssConfig = WSSConfig.getNewInstance();
}
if (!StringUtils.isEmpty(userName)) {
// If NoPassword property is set we don't need to set the password
if (token.getPasswordType() == UsernameToken.PasswordType.NoPassword) {
WSSecUsernameToken utBuilder = new WSSecUsernameToken(wssConfig);
utBuilder.setUserInfo(userName, null);
utBuilder.setPasswordType(null);
return utBuilder;
}
String password = (String) message.getContextualProperty(SecurityConstants.PASSWORD);
if (StringUtils.isEmpty(password)) {
password = getPassword(userName, token, WSPasswordCallback.USERNAME_TOKEN, message);
}
if (!StringUtils.isEmpty(password)) {
// If the password is available then build the token
WSSecUsernameToken utBuilder = new WSSecUsernameToken(wssConfig);
if (token.getPasswordType() == UsernameToken.PasswordType.HashPassword) {
utBuilder.setPasswordType(WSConstants.PASSWORD_DIGEST);
} else {
utBuilder.setPasswordType(WSConstants.PASSWORD_TEXT);
}
utBuilder.setUserInfo(userName, password);
return utBuilder;
} else {
policyNotAsserted(token, "No username available", message);
}
} else {
policyNotAsserted(token, "No username available", message);
}
return null;
}
