private String getUTDerivedKey() throws WSSecurityException { List<WSHandlerResult> results = CastUtils.cast( (List<?>) message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS)); for (WSHandlerResult rResult : results) { List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults(); for (WSSecurityEngineResult wser : wsSecEngineResults) { Integer actInt = (Integer) wser.get(WSSecurityEngineResult.TAG_ACTION); String utID = (String) wser.get(WSSecurityEngineResult.TAG_ID); if (actInt.intValue() == WSConstants.UT_NOPASSWORD) { if (utID == null || utID.length() == 0) { utID = wssConfig.getIdAllocator().createId("UsernameToken-", null); } Date created = new Date(); Date expires = new Date(); expires.setTime(created.getTime() + 300000); SecurityToken tempTok = new SecurityToken(utID, created, expires); byte[] secret = (byte[]) wser.get(WSSecurityEngineResult.TAG_SECRET); tempTok.setSecret(secret); tokenStore.add(tempTok); return utID; } } } return null; }
private String getEncryptedKey() { List<WSHandlerResult> results = CastUtils.cast( (List<?>) message.getExchange().getInMessage().get(WSHandlerConstants.RECV_RESULTS)); for (WSHandlerResult rResult : results) { List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults(); for (WSSecurityEngineResult wser : wsSecEngineResults) { Integer actInt = (Integer) wser.get(WSSecurityEngineResult.TAG_ACTION); String encryptedKeyID = (String) wser.get(WSSecurityEngineResult.TAG_ID); if (actInt.intValue() == WSConstants.ENCR && encryptedKeyID != null && encryptedKeyID.length() != 0) { Date created = new Date(); Date expires = new Date(); expires.setTime(created.getTime() + 300000); SecurityToken tempTok = new SecurityToken(encryptedKeyID, created, expires); tempTok.setSecret((byte[]) wser.get(WSSecurityEngineResult.TAG_SECRET)); tempTok.setSHA1( getSHA1((byte[]) wser.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY))); tokenStore.add(tempTok); return encryptedKeyID; } } } return null; }
@Test public void shouldThrowIfHeadersDoNotContainAPrincipal() throws Exception { when(signatureSecurityResult.get(WSSecurityEngineResult.TAG_PRINCIPAL)).thenReturn(null); try { wsSecurityHandler.processEnvelope(envelope); fail("Should have thrown WSSecurityHandlerException"); } catch (WSSecurityHandlerException e) { assertThat(e.getMessage(), containsString("unable to find principal in WS-Security headers")); } }
@Before public void before() throws Exception { wsSecurityEngineResults = new Vector<WSSecurityEngineResult>(); wsSecurityEngineResults.add(new WSSecurityEngineResult(WSConstants.TS, new Object())); wsSecurityEngineResults.add(new WSSecurityEngineResult(WSConstants.BST, new Object())); wsSecurityEngineResults.add(signatureSecurityResult); when(signatureSecurityResult.get(WSSecurityEngineResult.TAG_ACTION)) .thenReturn(WSConstants.SIGN); when(signatureSecurityResult.get(WSSecurityEngineResult.TAG_PRINCIPAL)).thenReturn(principal); when(signatureSecurityResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE)) .thenReturn(requestCertificate); when(principal.getName()).thenReturn("a=b,c=d,O=" + USER_ID + ",e=f"); when(cryptoWrapper.processSecurityHeader(envelope)).thenReturn(wsSecurityEngineResults); when(cryptoWrapper.getUserCertificate(USER_ID, requestCertificate)).thenReturn(userCertificate); when(userCertificate.getPublicKey()).thenReturn(publicKey); when(userManagementService.getUser(USER_ID)).thenReturn(user); when(user.isEnabled()).thenReturn(true); }
public void invoke(MessageContext context) throws Exception { context.setProperty("TiempoInicial", new Long(System.currentTimeMillis())); Vector result = (Vector) context.getProperty(WSHandlerConstants.RECV_RESULTS); for (int i = 0; i < result.size(); i++) { WSHandlerResult res = (WSHandlerResult) result.get(i); for (int j = 0; j < res.getResults().size(); j++) { WSSecurityEngineResult secRes = (WSSecurityEngineResult) res.getResults().get(j); int action = secRes.getAction(); // USER TOKEN if ((action & WSConstants.UT) > 0) { WSUsernameTokenPrincipal principal = (WSUsernameTokenPrincipal) secRes.getPrincipal(); // Set user property to user from UT to allow response encryption context.setProperty(WSHandlerConstants.ENCRYPTION_USER, principal.getName()); // System.out.print("User : "******" password : "******"\n"); SOALocalGISLNWS localGISLNWS = new SOALocalGISLNWS(); Integer idUsuario = localGISLNWS.obtenerUsuario(principal.getName(), principal.getPassword(), context); if (idUsuario != null) { context.setProperty(WSHandlerConstants.USER, idUsuario); localGISLNWS.comprobarPermisoLogin(context); } } // SIGNATURE if ((action & WSConstants.SIGN) > 0) { X509Certificate cert = secRes.getCertificate(); X500Name principal = (X500Name) secRes.getPrincipal(); // Do something whith cert System.out.print("Signature for : " + principal.getCommonName()); } } } }
public void handleToken( Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler cb, WSDocInfo wsDocInfo, Vector returnResults, WSSConfig wsc) throws WSSecurityException { if (log.isDebugEnabled()) { log.debug("Found encrypted key element"); } if (decCrypto == null) { throw new WSSecurityException(WSSecurityException.FAILURE, "noDecCryptoFile"); } if (cb == null) { throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback"); } docInfo = wsDocInfo; ArrayList dataRefUris = handleEncryptedKey((Element) elem, cb, decCrypto); encryptedKeyId = elem.getAttributeNS(null, "Id"); WSSecurityEngineResult result = new WSSecurityEngineResult( WSConstants.ENCR, this.decryptedBytes, this.encryptedEphemeralKey, this.encryptedKeyId, dataRefUris, cert); result.put( WSSecurityEngineResult.TAG_ENCRYPTED_KEY_TRANSPORT_METHOD, this.encryptedKeyTransportMethod); returnResults.add(0, result); }
/** * The method invoke performs the security checks on the soap headers for the incoming message. */ public void invoke(MessageContext msgContext) throws SecurityException, XFireFault, WSSecurityException { boolean doDebug = log.isDebugEnabled(); if (doDebug) { log.debug("MuleWSSInSecurityHandler: enter invoke()"); } RequestData reqData = new RequestData(); try { reqData.setMsgContext(msgContext); Vector actions = new Vector(); String action = null; // the action property in the security header is necessary to know which // type of security measure to adopt. It cannot be null. if ((action = (String) getOption(WSHandlerConstants.ACTION)) == null) { action = getString(WSHandlerConstants.ACTION, msgContext); } if (action == null) { throw new XFireRuntimeException("MuleWSSInHandler: No action defined"); } int doAction = WSSecurityUtil.decodeAction(action, actions); String actor = (String) getOption(WSHandlerConstants.ACTOR); AbstractMessage sm = msgContext.getCurrentMessage(); Document doc = (Document) sm.getProperty(DOMInHandler.DOM_MESSAGE); if (doc == null) throw new XFireRuntimeException("DOMInHandler must be enabled for WS-Security!"); // Check if it's a response and if its a fault it doesn't continue. if (sm.getBody() instanceof XFireFault) return; // Get the password using a callback handler CallbackHandler cbHandler = null; if ((doAction & (WSConstants.ENCR | WSConstants.UT)) != 0) { cbHandler = getPasswordCB(reqData); } // Get and check the parameters pertaining to the signature and // encryption actions. Doesn't get SAML properties, though doReceiverAction(doAction, reqData); // If we're using signed SAML, we need to get the signature file in order // to decrypt the SAML token if (action.equals(WSHandlerConstants.SAML_TOKEN_SIGNED)) { reqData.setSigCrypto(loadSignatureCrypto(reqData)); } Vector wsResult = null; // process the security header try { wsResult = secEngine.processSecurityHeader( doc, actor, cbHandler, reqData.getSigCrypto(), reqData.getDecCrypto()); } catch (WSSecurityException ex) { throw new XFireFault( "MuleWSSInHandler: security processing failed: " + ex.toString(), ex, XFireFault.SENDER); } // no security header found we check whether the action was set to // "no_security" or else we throw an exception if (wsResult == null) { if (doAction == WSConstants.NO_SECURITY) { return; } else { throw new XFireFault( "MuleWSSInHandler: Request does not contain required Security header", XFireFault.SENDER); } } // confim that the signature is valid if (reqData.getWssConfig().isEnableSignatureConfirmation()) { checkSignatureConfirmation(reqData, wsResult); } // Extract the signature action result from the action vector WSSecurityEngineResult actionResult = WSSecurityUtil.fetchActionResult(wsResult, WSConstants.SIGN); if (actionResult != null) { X509Certificate returnCert = actionResult.getCertificate(); if (returnCert != null) { if (!verifyTrust(returnCert, reqData)) { throw new XFireFault( "MuleWSSInHandler: The certificate used for the signature is not trusted", XFireFault.SENDER); } } } if (actions.elementAt(0).equals(new Integer(16))) { actions.clear(); actions.add(new Integer(2)); actions.add(new Integer(8)); } // now check the security actions: do they match, in right order? if (!checkReceiverResults(wsResult, actions)) { throw new XFireFault( "MuleWSSInHandler: security processing failed (actions mismatch)", XFireFault.SENDER); } /* * Construct and setup the security result structure. The service may * fetch this and check it. */ Vector results = null; if ((results = (Vector) msgContext.getProperty(WSHandlerConstants.RECV_RESULTS)) == null) { results = new Vector(); msgContext.setProperty(WSHandlerConstants.RECV_RESULTS, results); } WSHandlerResult rResult = new WSHandlerResult(actor, wsResult); results.add(0, rResult); if (doDebug) { log.debug("MuleWSSInHandler: exit invoke()"); } } catch (WSSecurityException e) { throw new WSSecurityException(e.getErrorCode()); } finally { reqData.clear(); reqData = null; } }