Ejemplo n.º 1
0
  @Override
  public void handleMessage(SoapMessage soapMessage) throws Fault {

    AssertionInfoMap aim = soapMessage.get(AssertionInfoMap.class);
    @SuppressWarnings("unchecked")
    final List<SecurityEvent> incomingSecurityEventList =
        (List<SecurityEvent>) soapMessage.get(SecurityEvent.class.getName() + ".in");
    if (aim == null || incomingSecurityEventList == null) {
      return;
    }

    // First check for a SOAP Fault with no security header if we are the client
    // In this case don't blanket assert security policies
    if (MessageUtils.isRequestor(soapMessage)
        && incomingSecurityEventList.contains(WSSecurityEventConstants.NoSecurity)) {
      OperationSecurityEvent securityEvent =
          (OperationSecurityEvent)
              findEvent(WSSecurityEventConstants.Operation, incomingSecurityEventList);
      if (securityEvent != null
          && soapMessage.getVersion().getFault().equals(securityEvent.getOperation())) {
        LOG.warning("Request does not contain Security header, but it's a fault.");
        return;
      }
    }

    assertAllSecurityAssertions(aim);
  }
Ejemplo n.º 2
0
 private String getAbsolutePathAsString() {
   String address = getBaseUri().toString();
   if (MessageUtils.isRequestor(message)) {
     return address;
   }
   String path = doGetPath(false, false);
   if (path.startsWith("/") && address.endsWith("/")) {
     address = address.substring(0, address.length() - 1);
   }
   return address + path;
 }
Ejemplo n.º 3
0
  /** @param message */
  @Override
  public void handleMessage(SoapMessage message) throws Fault {
    long l = LOG.logStart();

    final OutputStream os = message.getContent(OutputStream.class);
    boolean isRequestor = MessageUtils.isRequestor(message);
    if (os == null) {
      LOG.logWarn("Could not log message because it not contains OutputStream!", null);
      return;
    }
    // create store file
    File fStore;
    if (isRequestor) {
      MSHOutMail rq = SoapUtils.getMSHOutMail(message);
      fStore = EBMSLogUtils.getOutboundFileName(true, rq.getId(), null);
    } else {
      // get base from input log file
      String base =
          (String) message.getExchange().get(EBMSConstants.EBMS_CP_BASE_LOG_SOAP_MESSAGE_FILE);
      fStore = EBMSLogUtils.getOutboundFileName(false, null, base);
    }

    LOG.log("Out " + (isRequestor ? "request" : "response") + " stored to:" + fStore.getName());
    message
        .getExchange()
        .put(
            EBMSConstants.EBMS_CP_BASE_LOG_SOAP_MESSAGE_FILE, EBMSLogUtils.getBaseFileName(fStore));
    message.getExchange().put(EBMSConstants.EBMS_CP_OUT_LOG_SOAP_MESSAGE_FILE, fStore);

    //  create FileOutputStream to log request
    FileOutputStream fos;
    try {
      fos = new FileOutputStream(fStore);
    } catch (FileNotFoundException ex) {
      String errmsg =
          "Could not log outbound message to file: '" + fStore.getAbsolutePath() + "'! ";
      LOG.logError(l, errmsg, ex);
      return;
    }

    // create  CacheAndWriteOutputStream
    final CacheAndWriteOutputStream newOut = new CacheAndWriteOutputStream(os);

    message.setContent(OutputStream.class, newOut);
    newOut.registerCallback(new LoggingCallback(fos, message, os, fStore));

    LOG.logEnd(l);
  }
Ejemplo n.º 4
0
  /**
   * Asserts all Addressing assertions for the current message, regardless their nested Policies.
   *
   * @param message the current message
   */
  private void assertAddressing(
      Message message, EndpointReferenceType replyTo, EndpointReferenceType faultTo) {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    if (null == aim) {
      return;
    }
    if (faultTo == null) {
      faultTo = replyTo;
    }
    boolean anonReply = ContextUtils.isGenericAddress(replyTo);
    boolean anonFault = ContextUtils.isGenericAddress(faultTo);
    boolean onlyAnonymous = anonReply && anonFault;
    boolean hasAnonymous = anonReply || anonFault;

    QName[] types =
        new QName[] {
          MetadataConstants.ADDRESSING_ASSERTION_QNAME,
          MetadataConstants.USING_ADDRESSING_2004_QNAME,
          MetadataConstants.USING_ADDRESSING_2005_QNAME,
          MetadataConstants.USING_ADDRESSING_2006_QNAME
        };

    for (QName type : types) {
      assertAssertion(aim, type);
      if (type.equals(MetadataConstants.ADDRESSING_ASSERTION_QNAME)) {
        if (onlyAnonymous) {
          assertAssertion(aim, MetadataConstants.ANON_RESPONSES_ASSERTION_QNAME);
        } else if (!hasAnonymous) {
          assertAssertion(aim, MetadataConstants.NON_ANON_RESPONSES_ASSERTION_QNAME);
        }
      } else if (type.equals(MetadataConstants.ADDRESSING_ASSERTION_QNAME_0705)) {
        if (onlyAnonymous) {
          assertAssertion(aim, MetadataConstants.ANON_RESPONSES_ASSERTION_QNAME_0705);
        } else if (!hasAnonymous) {
          assertAssertion(aim, MetadataConstants.NON_ANON_RESPONSES_ASSERTION_QNAME_0705);
        }
      }
    }
    if (!MessageUtils.isRequestor(message) && !MessageUtils.isOutbound(message)) {
      // need to throw an appropriate fault for these
      Collection<AssertionInfo> aicNonAnon =
          aim.getAssertionInfo(MetadataConstants.NON_ANON_RESPONSES_ASSERTION_QNAME);
      Collection<AssertionInfo> aicNonAnon2 =
          aim.getAssertionInfo(MetadataConstants.NON_ANON_RESPONSES_ASSERTION_QNAME_0705);
      Collection<AssertionInfo> aicAnon =
          aim.getAssertionInfo(MetadataConstants.ANON_RESPONSES_ASSERTION_QNAME);
      Collection<AssertionInfo> aicAnon2 =
          aim.getAssertionInfo(MetadataConstants.ANON_RESPONSES_ASSERTION_QNAME_0705);
      boolean hasAnon =
          (aicAnon != null && !aicAnon.isEmpty()) || (aicAnon2 != null && !aicAnon2.isEmpty());
      boolean hasNonAnon =
          (aicNonAnon != null && !aicNonAnon.isEmpty())
              || (aicNonAnon2 != null && !aicNonAnon2.isEmpty());

      if (hasAnonymous && hasNonAnon && !hasAnon) {
        message.put(FaultMode.class, FaultMode.UNCHECKED_APPLICATION_FAULT);
        if (isSOAP12(message)) {
          SoapFault soap12Fault =
              new SoapFault(
                  "Found anonymous address but non-anonymous required",
                  Soap12.getInstance().getSender());
          soap12Fault.addSubCode(
              new QName(Names.WSA_NAMESPACE_NAME, "OnlyNonAnonymousAddressSupported"));
          throw soap12Fault;
        }

        throw new SoapFault(
            "Found anonymous address but non-anonymous required",
            new QName(Names.WSA_NAMESPACE_NAME, "OnlyNonAnonymousAddressSupported"));
      } else if (!onlyAnonymous && !hasNonAnon && hasAnon) {
        message.put(FaultMode.class, FaultMode.UNCHECKED_APPLICATION_FAULT);
        if (isSOAP12(message)) {
          SoapFault soap12Fault =
              new SoapFault(
                  "Found non-anonymous address but only anonymous supported",
                  Soap12.getInstance().getSender());
          soap12Fault.addSubCode(
              new QName(Names.WSA_NAMESPACE_NAME, "OnlyAnonymousAddressSupported"));
          throw soap12Fault;
        }

        throw new SoapFault(
            "Found non-anonymous address but only anonymous supported",
            new QName(Names.WSA_NAMESPACE_NAME, "OnlyAnonymousAddressSupported"));
      }
    }
  }
Ejemplo n.º 5
0
  private void doSignature(
      AbstractTokenWrapper wrapper,
      AbstractToken policyToken,
      SecurityToken tok,
      List<SecurePart> sigParts)
      throws WSSecurityException, SOAPException {

    // Action
    WSSSecurityProperties properties = getProperties();
    WSSConstants.Action actionToPerform = WSSConstants.SIGNATURE;
    if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
      actionToPerform = WSSConstants.SIGNATURE_WITH_DERIVED_KEY;
      if (MessageUtils.isRequestor(message) && policyToken instanceof X509Token) {
        properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.EncryptedKey);
      } else {
        properties.setDerivedKeyTokenReference(
            WSSConstants.DerivedKeyTokenReference.DirectReference);
      }
      AlgorithmSuiteType algSuiteType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
      properties.setDerivedSignatureKeyLength(algSuiteType.getSignatureDerivedKeyLength() / 8);
    }

    if (policyToken.getVersion() == SPConstants.SPVersion.SP12) {
      properties.setUse200512Namespace(true);
    }

    List<WSSConstants.Action> actionList = properties.getActions();
    // Add a Signature directly before Kerberos, otherwise just append it
    boolean actionAdded = false;
    for (int i = 0; i < actionList.size(); i++) {
      WSSConstants.Action action = actionList.get(i);
      if (action.equals(WSSConstants.KERBEROS_TOKEN)) {
        actionList.add(i, actionToPerform);
        actionAdded = true;
        break;
      }
    }
    if (!actionAdded) {
      actionList.add(actionToPerform);
    }

    properties.getSignatureSecureParts().addAll(sigParts);

    AbstractToken sigToken = wrapper.getToken();
    if (sbinding.isProtectTokens() && sigToken instanceof X509Token && isRequestor()) {
      SecurePart securePart =
          new SecurePart(new QName(WSSConstants.NS_XMLENC, "EncryptedKey"), Modifier.Element);
      properties.addSignaturePart(securePart);
    }

    configureSignature(sigToken, false);

    if (policyToken instanceof X509Token) {
      properties.setIncludeSignatureToken(false);
      if (isRequestor()) {
        properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_EncryptedKey);
      } else {
        properties.setSignatureKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
        if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
          properties.setDerivedKeyKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
          properties.setSignatureKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
        }
      }
    } else if (policyToken instanceof KerberosToken) {
      if (isRequestor()) {
        properties.setDerivedKeyKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
      } else {
        if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
          properties.setSignatureKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
        } else {
          properties.setSignatureKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
        }
        properties.setDerivedKeyKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
      }
    } else if (policyToken instanceof IssuedToken
        || policyToken instanceof SecurityContextToken
        || policyToken instanceof SecureConversationToken
        || policyToken instanceof SpnegoContextToken) {
      if (!isRequestor()) {
        properties.setIncludeSignatureToken(false);
      } else {
        properties.setIncludeSignatureToken(true);
      }
      properties.setDerivedKeyKeyIdentifier(
          WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
    }

    if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
      properties.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
    }
  }
Ejemplo n.º 6
0
  private void doEncryption(
      AbstractTokenWrapper recToken, List<SecurePart> encrParts, boolean externalRef)
      throws SOAPException {
    // Do encryption
    if (recToken != null && recToken.getToken() != null) {
      AbstractToken encrToken = recToken.getToken();
      AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();

      // Action
      WSSSecurityProperties properties = getProperties();
      WSSConstants.Action actionToPerform = WSSConstants.ENCRYPT;
      if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        actionToPerform = WSSConstants.ENCRYPT_WITH_DERIVED_KEY;
        if (MessageUtils.isRequestor(message) && recToken.getToken() instanceof X509Token) {
          properties.setDerivedKeyTokenReference(
              WSSConstants.DerivedKeyTokenReference.EncryptedKey);
        } else {
          properties.setDerivedKeyTokenReference(
              WSSConstants.DerivedKeyTokenReference.DirectReference);
        }
        AlgorithmSuiteType algSuiteType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setDerivedEncryptionKeyLength(algSuiteType.getEncryptionDerivedKeyLength() / 8);
      }

      if (recToken.getVersion() == SPConstants.SPVersion.SP12) {
        properties.setUse200512Namespace(true);
      }

      properties.getEncryptionSecureParts().addAll(encrParts);
      properties.addAction(actionToPerform);

      if (isRequestor()) {
        properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken));
        properties.setDerivedKeyKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
      } else if (recToken.getToken() instanceof KerberosToken && !isRequestor()) {
        properties.setEncryptionKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
        properties.setDerivedKeyKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
        if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
          properties.setEncryptionKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
        }
      } else if ((recToken.getToken() instanceof IssuedToken
              || recToken.getToken() instanceof SecureConversationToken
              || recToken.getToken() instanceof SpnegoContextToken)
          && !isRequestor()) {
        properties.setEncryptionKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
      } else {
        properties.setEncryptionKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
        if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
          properties.setDerivedKeyKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
          properties.setEncryptionKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
          properties.setEncryptSymmetricEncryptionKey(false);
        }
      }

      // Find out do we also need to include the token as per the Inclusion requirement
      WSSecurityTokenConstants.KeyIdentifier keyIdentifier =
          properties.getEncryptionKeyIdentifier();
      if (encrToken instanceof X509Token
          && isTokenRequired(encrToken.getIncludeTokenType())
          && (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier)
              || WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(keyIdentifier)
              || WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(
                  keyIdentifier))) {
        properties.setIncludeEncryptionToken(true);
      } else {
        properties.setIncludeEncryptionToken(false);
      }

      properties.setEncryptionKeyTransportAlgorithm(
          algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap());
      properties.setEncryptionSymAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());

      String encUser =
          (String)
              SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
      if (encUser == null) {
        encUser =
            (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
      }
      if (encUser != null && properties.getEncryptionUser() == null) {
        properties.setEncryptionUser(encUser);
      }
      if (ConfigurationConstants.USE_REQ_SIG_CERT.equals(encUser)) {
        properties.setUseReqSigCertForEncryption(true);
      }

      if (encrToken instanceof KerberosToken
          || encrToken instanceof IssuedToken
          || encrToken instanceof SpnegoContextToken
          || encrToken instanceof SecurityContextToken
          || encrToken instanceof SecureConversationToken) {
        properties.setEncryptSymmetricEncryptionKey(false);
      }
    }
  }
Ejemplo n.º 7
0
  private void doSignBeforeEncrypt() {
    AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
    assertTokenWrapper(sigAbstractTokenWrapper);
    AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
    String sigTokId = null;

    try {
      SecurityToken sigTok = null;
      if (sigToken != null) {
        if (sigToken instanceof KerberosToken) {
          sigTok = getSecurityToken();
          if (isRequestor()) {
            addKerberosToken((KerberosToken) sigToken, false, true, true);
          }
        } else if (sigToken instanceof IssuedToken) {
          sigTok = getSecurityToken();
          addIssuedToken((IssuedToken) sigToken, sigTok, false, true);

          if (sigTok == null && !isRequestor()) {
            org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
                findInboundSecurityToken(WSSecurityEventConstants.SAML_TOKEN);
            sigTokId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
          }
        } else if (sigToken instanceof SecureConversationToken
            || sigToken instanceof SecurityContextToken
            || sigToken instanceof SpnegoContextToken) {
          sigTok = getSecurityToken();
          if (sigTok != null && isRequestor()) {
            WSSSecurityProperties properties = getProperties();
            WSSConstants.Action actionToPerform = WSSConstants.CUSTOM_TOKEN;
            properties.addAction(actionToPerform);
          } else if (sigTok == null && !isRequestor()) {
            org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
                findInboundSecurityToken(WSSecurityEventConstants.SECURITY_CONTEXT_TOKEN);
            sigTokId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
          }
        } else if (sigToken instanceof X509Token) {
          if (isRequestor()) {
            sigTokId = setupEncryptedKey(sigAbstractTokenWrapper, sigToken);
          } else {
            org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
                findEncryptedKeyToken();
            sigTokId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
          }
        } else if (sigToken instanceof UsernameToken) {
          unassertPolicy(sbinding, "UsernameTokens not supported with Symmetric binding");
          return;
        }
        assertToken(sigToken);
      } else {
        unassertPolicy(sbinding, "No signature token");
        return;
      }

      if (sigTok == null && StringUtils.isEmpty(sigTokId)) {
        unassertPolicy(sigAbstractTokenWrapper, "No signature token id");
        return;
      }
      if (sigTok == null) {
        sigTok = TokenStoreUtils.getTokenStore(message).getToken(sigTokId);
      }

      // Store key
      if (!(MessageUtils.isRequestor(message) && sigToken instanceof KerberosToken)) {
        storeSecurityToken(sigToken, sigTok);
      }

      // Add timestamp
      List<SecurePart> sigs = new ArrayList<>();
      if (timestampAdded) {
        SecurePart part =
            new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
        sigs.add(part);
      }
      sigs.addAll(this.getSignedParts());

      if (!isRequestor()) {
        addSignatureConfirmation(sigs);
      }

      if (!sigs.isEmpty()) {
        doSignature(sigAbstractTokenWrapper, sigToken, sigTok, sigs);
      }

      addSupportingTokens();
      removeSignatureIfSignedSAML();
      prependSignatureToSC();

      // Encryption
      List<SecurePart> enc = getEncryptedParts();

      // Check for signature protection
      if (sbinding.isEncryptSignature()) {
        SecurePart part =
            new SecurePart(new QName(WSSConstants.NS_DSIG, "Signature"), Modifier.Element);
        enc.add(part);
        if (signatureConfirmationAdded) {
          part = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
          enc.add(part);
        }
        assertPolicy(
            new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
      }

      // Do encryption
      if (isRequestor()) {
        enc.addAll(encryptedTokensList);
      }
      AbstractTokenWrapper encrAbstractTokenWrapper = getEncryptionToken();
      doEncryption(encrAbstractTokenWrapper, enc, false);

      putCustomTokenAfterSignature();
    } catch (Exception e) {
      throw new Fault(e);
    }
  }
Ejemplo n.º 8
0
  private void doEncryptBeforeSign() {
    try {
      AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
      assertTokenWrapper(encryptionWrapper);
      AbstractToken encryptionToken = encryptionWrapper.getToken();

      String tokenId = null;
      SecurityToken tok = null;
      if (encryptionToken instanceof KerberosToken) {
        tok = getSecurityToken();
        if (MessageUtils.isRequestor(message)) {
          addKerberosToken((KerberosToken) encryptionToken, false, true, true);
        }
      } else if (encryptionToken instanceof IssuedToken) {
        tok = getSecurityToken();
        addIssuedToken((IssuedToken) encryptionToken, tok, false, true);

        if (tok == null && !isRequestor()) {
          org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
              findInboundSecurityToken(WSSecurityEventConstants.SAML_TOKEN);
          tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
        }
      } else if (encryptionToken instanceof SecureConversationToken
          || encryptionToken instanceof SecurityContextToken
          || encryptionToken instanceof SpnegoContextToken) {
        tok = getSecurityToken();
        if (tok != null && isRequestor()) {
          WSSSecurityProperties properties = getProperties();
          WSSConstants.Action actionToPerform = WSSConstants.CUSTOM_TOKEN;
          properties.addAction(actionToPerform);
        } else if (tok == null && !isRequestor()) {
          org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
              findInboundSecurityToken(WSSecurityEventConstants.SECURITY_CONTEXT_TOKEN);
          tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
        }
      } else if (encryptionToken instanceof X509Token) {
        if (isRequestor()) {
          tokenId = setupEncryptedKey(encryptionWrapper, encryptionToken);
        } else {
          org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
              findEncryptedKeyToken();
          tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
        }
      } else if (encryptionToken instanceof UsernameToken) {
        unassertPolicy(sbinding, "UsernameTokens not supported with Symmetric binding");
        return;
      }
      assertToken(encryptionToken);
      if (tok == null) {
        tokenId = XMLUtils.getIDFromReference(tokenId);

        // Get hold of the token from the token storage
        tok = TokenStoreUtils.getTokenStore(message).getToken(tokenId);
      }

      // Store key
      if (!(MessageUtils.isRequestor(message) && encryptionToken instanceof KerberosToken)) {
        storeSecurityToken(encryptionToken, tok);
      }

      List<SecurePart> encrParts = null;
      List<SecurePart> sigParts = null;
      try {
        encrParts = getEncryptedParts();
        // Signed parts are determined before encryption because encrypted signed headers
        // will not be included otherwise
        sigParts = getSignedParts();
      } catch (SOAPException ex) {
        throw new Fault(ex);
      }

      addSupportingTokens();

      if (encryptionToken != null && encrParts.size() > 0) {
        if (isRequestor()) {
          encrParts.addAll(encryptedTokensList);
        }

        // Check for signature protection
        if (sbinding.isEncryptSignature()) {
          SecurePart part =
              new SecurePart(new QName(WSSConstants.NS_DSIG, "Signature"), Modifier.Element);
          encrParts.add(part);
          if (signatureConfirmationAdded) {
            part = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
            encrParts.add(part);
          }
          assertPolicy(
              new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
        }

        doEncryption(encryptionWrapper, encrParts, true);
      }

      if (timestampAdded) {
        SecurePart part =
            new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
        sigParts.add(part);
      }
      sigParts.addAll(this.getSignedParts());

      if (sigParts.size() > 0) {
        AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
        if (sigAbstractTokenWrapper != null) {
          AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
          if (isRequestor()) {
            doSignature(sigAbstractTokenWrapper, sigToken, tok, sigParts);
          } else {
            addSignatureConfirmation(sigParts);
            doSignature(sigAbstractTokenWrapper, sigToken, tok, sigParts);
          }
        }
      }

      removeSignatureIfSignedSAML();
      enforceEncryptBeforeSigningWithSignedSAML();
      prependSignatureToSC();
      putCustomTokenAfterSignature();
    } catch (RuntimeException ex) {
      throw ex;
    } catch (Exception ex) {
      throw new Fault(ex);
    }
  }
  protected void handle(Message msg) {
    if (MessageUtils.isRequestor(msg)) {
      LOG.fine("Is a requestor.");
      return;
    }

    Exchange exchange = msg.getExchange();
    assert null != exchange;

    BindingOperationInfo boi = exchange.get(BindingOperationInfo.class);
    if (null == boi) {
      LOG.fine("No binding operation info.");
      return;
    }

    Endpoint e = exchange.get(Endpoint.class);
    if (null == e) {
      LOG.fine("No endpoint.");
      return;
    }
    EndpointInfo ei = e.getEndpointInfo();

    Bus bus = exchange.get(Bus.class);
    PolicyEngine pe = bus.getExtension(PolicyEngine.class);
    if (null == pe) {
      return;
    }

    Destination destination = exchange.getDestination();

    Exception ex = exchange.get(Exception.class);

    List<Interceptor<? extends Message>> faultInterceptors =
        new ArrayList<Interceptor<? extends Message>>();
    Collection<Assertion> assertions = new ArrayList<Assertion>();

    // 1. Check overridden policy
    Policy p = (Policy) msg.getContextualProperty(PolicyConstants.POLICY_OVERRIDE);
    if (p != null) {
      EndpointPolicyImpl endpi = new EndpointPolicyImpl(p);
      EffectivePolicyImpl effectivePolicy = new EffectivePolicyImpl();
      effectivePolicy.initialise(endpi, (PolicyEngineImpl) pe, false, true);
      PolicyUtils.logPolicy(
          LOG, Level.FINEST, "Using effective policy: ", effectivePolicy.getPolicy());

      faultInterceptors.addAll(effectivePolicy.getInterceptors());
      assertions.addAll(effectivePolicy.getChosenAlternative());
    } else {
      // 2. Process effective server policy
      BindingFaultInfo bfi = getBindingFaultInfo(msg, ex, boi);

      if (bfi == null
          && msg.get(FaultMode.class) != FaultMode.UNCHECKED_APPLICATION_FAULT
          && msg.get(FaultMode.class) != FaultMode.CHECKED_APPLICATION_FAULT) {
        return;
      }

      EffectivePolicy effectivePolicy = pe.getEffectiveServerFaultPolicy(ei, boi, bfi, destination);
      if (effectivePolicy != null) {
        faultInterceptors.addAll(effectivePolicy.getInterceptors());
        assertions.addAll(effectivePolicy.getChosenAlternative());
      }
    }

    // add interceptors into message chain
    for (Interceptor<? extends Message> oi : faultInterceptors) {
      msg.getInterceptorChain().add(oi);
      LOG.log(Level.FINE, "Added interceptor of type {0}", oi.getClass().getSimpleName());
    }

    // insert assertions of the chosen alternative into the message
    if (null != assertions && !assertions.isEmpty()) {
      msg.put(AssertionInfoMap.class, new AssertionInfoMap(assertions));
    }
  }
Ejemplo n.º 10
0
  private void doResend(SoapMessage message) {
    try {

      // initialize copied interceptor chain for message
      PhaseInterceptorChain retransmitChain = manager.getRetransmitChain(message);
      ProtocolVariation protocol = RMContextUtils.getProtocolVariation(message);
      Endpoint endpoint = manager.getReliableEndpoint(message).getEndpoint(protocol);
      PhaseChainCache cache = new PhaseChainCache();
      boolean after = true;
      if (retransmitChain == null) {

        // no saved retransmit chain, so construct one from scratch (won't work for WS-Security on
        // server, so
        //  need to fix)
        retransmitChain = buildRetransmitChain(endpoint, cache);
        after = false;
      }
      message.setInterceptorChain(retransmitChain);

      // clear flag for SOAP out interceptor so envelope will be written
      message.remove(SoapOutInterceptor.WROTE_ENVELOPE_START);

      // discard all saved content
      Set<Class<?>> formats = message.getContentFormats();
      List<CachedOutputStreamCallback> callbacks = null;
      for (Class<?> clas : formats) {
        Object content = message.getContent(clas);
        if (content != null) {
          LOG.info(
              "Removing "
                  + clas.getName()
                  + " content of actual type "
                  + content.getClass().getName());
          message.removeContent(clas);
          if (clas == OutputStream.class && content instanceof WriteOnCloseOutputStream) {
            callbacks = ((WriteOnCloseOutputStream) content).getCallbacks();
          }
        }
      }

      // read SOAP headers from saved input stream
      RewindableInputStream is =
          (RewindableInputStream) message.get(RMMessageConstants.SAVED_CONTENT);
      is.rewind();
      XMLStreamReader reader = StaxUtils.createXMLStreamReader(is, "UTF-8");
      message.getHeaders().clear();
      if (reader.getEventType() != XMLStreamConstants.START_ELEMENT
          && reader.nextTag() != XMLStreamConstants.START_ELEMENT) {
        throw new IllegalStateException("No document found");
      }
      readHeaders(reader, message);
      int event;
      while ((event = reader.nextTag()) != XMLStreamConstants.START_ELEMENT) {
        if (event == XMLStreamConstants.END_ELEMENT) {
          throw new IllegalStateException("No body content present");
        }
      }

      // set message addressing properties
      AddressingProperties maps = new MAPCodec().unmarshalMAPs(message);
      RMContextUtils.storeMAPs(maps, message, true, MessageUtils.isRequestor(message));
      AttributedURIType to = null;
      if (null != maps) {
        to = maps.getTo();
      }
      if (null == to) {
        LOG.log(Level.SEVERE, "NO_ADDRESS_FOR_RESEND_MSG");
        return;
      }
      if (RMUtils.getAddressingConstants().getAnonymousURI().equals(to.getValue())) {
        LOG.log(Level.FINE, "Cannot resend to anonymous target");
        return;
      }

      // initialize conduit for new message
      Conduit c = message.getExchange().getConduit(message);
      if (c == null) {
        c = buildConduit(message, endpoint, to);
      }
      c.prepare(message);

      // replace standard message marshaling with copy from saved stream
      ListIterator<Interceptor<? extends Message>> iterator = retransmitChain.getIterator();
      while (iterator.hasNext()) {
        Interceptor<? extends Message> incept = iterator.next();

        // remove JAX-WS interceptors which handle message modes and such
        if (incept.getClass().getName().startsWith("org.apache.cxf.jaxws.interceptors")) {
          retransmitChain.remove(incept);
        } else if (incept instanceof PhaseInterceptor
            && (((PhaseInterceptor<?>) incept).getPhase() == Phase.MARSHAL)) {

          // remove any interceptors from the marshal phase
          retransmitChain.remove(incept);
        }
      }
      retransmitChain.add(new CopyOutInterceptor(reader));

      // restore callbacks on output stream
      if (callbacks != null) {
        OutputStream os = message.getContent(OutputStream.class);
        if (os != null) {
          WriteOnCloseOutputStream woc;
          if (os instanceof WriteOnCloseOutputStream) {
            woc = (WriteOnCloseOutputStream) os;
          } else {
            woc = new WriteOnCloseOutputStream(os);
            message.setContent(OutputStream.class, woc);
          }
          for (CachedOutputStreamCallback cb : callbacks) {
            woc.registerCallback(cb);
          }
        }
      }

      // send the message
      message.put(RMMessageConstants.RM_RETRANSMISSION, Boolean.TRUE);
      if (after) {
        retransmitChain.doInterceptStartingAfter(message, RMCaptureOutInterceptor.class.getName());
      } else {
        retransmitChain.doIntercept(message);
      }
      if (LOG.isLoggable(Level.INFO)) {
        RMProperties rmps = RMContextUtils.retrieveRMProperties(message, true);
        SequenceType seq = rmps.getSequence();
        LOG.log(
            Level.INFO,
            "Retransmitted message "
                + seq.getMessageNumber()
                + " in sequence "
                + seq.getIdentifier().getValue());
        rmps = new RMProperties();
      }

    } catch (Exception ex) {
      LOG.log(Level.SEVERE, "RESEND_FAILED_MSG", ex);
    }
  }