private boolean checkSignatureIsSignedPlacement(List<WSSecurityEngineResult> signedResults) {
   for (int i = 0; i < signedResults.size(); i++) {
     WSSecurityEngineResult signedResult = signedResults.get(i);
     List<WSDataRef> sl =
         CastUtils.cast((List<?>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
     if (sl != null && sl.size() >= 1) {
       for (WSDataRef dataRef : sl) {
         QName signedQName = dataRef.getName();
         if (WSSecurityEngine.SIGNATURE.equals(signedQName)) {
           Element protectedElement = dataRef.getProtectedElement();
           boolean endorsingSigFound = false;
           // Results are stored in reverse order
           for (WSSecurityEngineResult result : signedResults) {
             if (result == signedResult) {
               endorsingSigFound = true;
             }
             Element resultElement =
                 (Element) result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
             if (resultElement == protectedElement) {
               if (endorsingSigFound) {
                 break;
               } else {
                 return false;
               }
             }
           }
         }
       }
     }
   }
   return true;
 }
  protected void processToken(SoapMessage message) {
    Header h = findSecurityHeader(message, false);
    if (h == null) {
      return;
    }
    boolean utWithCallbacks =
        MessageUtils.getContextualBoolean(message, SecurityConstants.VALIDATE_TOKEN, true);

    Element el = (Element) h.getObject();
    Element child = DOMUtils.getFirstElement(el);
    while (child != null) {
      if (SPConstants.USERNAME_TOKEN.equals(child.getLocalName())
          && WSConstants.WSSE_NS.equals(child.getNamespaceURI())) {
        try {
          Principal principal = null;
          Subject subject = null;
          if (utWithCallbacks) {
            final WSSecurityEngineResult result = validateToken(child, message);
            principal = (Principal) result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
            subject = (Subject) result.get(WSSecurityEngineResult.TAG_SUBJECT);
          } else {
            boolean bspCompliant = isWsiBSPCompliant(message);
            principal = parseTokenAndCreatePrincipal(child, bspCompliant);
            WSS4JTokenConverter.convertToken(message, principal);
          }

          SecurityContext sc = message.get(SecurityContext.class);
          if (sc == null || sc.getUserPrincipal() == null) {
            if (subject != null && principal != null) {
              message.put(SecurityContext.class, createSecurityContext(principal, subject));
            } else if (principal instanceof UsernameTokenPrincipal) {
              UsernameTokenPrincipal utPrincipal = (UsernameTokenPrincipal) principal;
              String nonce = null;
              if (utPrincipal.getNonce() != null) {
                nonce = Base64.encode(utPrincipal.getNonce());
              }
              subject =
                  createSubject(
                      utPrincipal.getName(),
                      utPrincipal.getPassword(),
                      utPrincipal.isPasswordDigest(),
                      nonce,
                      utPrincipal.getCreatedTime());
              message.put(SecurityContext.class, createSecurityContext(utPrincipal, subject));
            }
          }

          if (principal instanceof UsernameTokenPrincipal) {
            storeResults((UsernameTokenPrincipal) principal, message);
          }
        } catch (WSSecurityException ex) {
          throw new Fault(ex);
        } catch (Base64DecodingException ex) {
          throw new Fault(ex);
        }
      }
      child = DOMUtils.getNextElement(child);
    }
  }
  private boolean validateStrictSignatureTokenPlacement(List<WSSecurityEngineResult> results) {
    // Go through each Signature and check that the Signing Token appears before the Signature
    for (int i = 0; i < results.size(); i++) {
      WSSecurityEngineResult result = results.get(i);
      Integer actInt = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
      if (actInt == WSConstants.SIGN) {
        int correspondingIndex = findCorrespondingTokenIndex(result, results);
        if (correspondingIndex > 0 && correspondingIndex < i) {
          return false;
        }
      }
    }

    return true;
  }
Exemple #4
0
  public int doubleIt(int numberToDouble) {
    //
    // Get the transformed SAML Assertion from the STS and check it
    //
    MessageContext context = wsc.getMessageContext();
    final List<WSHandlerResult> handlerResults =
        CastUtils.cast((List<?>) context.get(WSHandlerConstants.RECV_RESULTS));
    WSSecurityEngineResult actionResult =
        WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.UT);
    SamlAssertionWrapper assertion =
        (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
    Assert.assertTrue(assertion != null && "DoubleItSTSIssuer".equals(assertion.getIssuerString()));

    return numberToDouble * 2;
  }
  private boolean validateStrictSignaturePlacement(
      List<WSSecurityEngineResult> results, List<WSSecurityEngineResult> signedResults) {
    // Go through each Signature and check any security header token is before the Signature
    for (WSSecurityEngineResult signedResult : signedResults) {
      List<WSDataRef> sl =
          CastUtils.cast((List<?>) signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
      Integer actInt = (Integer) signedResult.get(WSSecurityEngineResult.TAG_ACTION);
      if (sl == null || WSConstants.ST_SIGNED == actInt) {
        continue;
      }

      for (WSDataRef r : sl) {
        String xpath = r.getXpath();
        if (xpath != null) {
          String[] nodes = StringUtils.split(xpath, "/");
          // envelope/Header/wsse:Security/header
          if (nodes.length == 5) {
            Element protectedElement = r.getProtectedElement();
            boolean tokenFound = false;
            // Results are stored in reverse order
            for (WSSecurityEngineResult result : results) {
              Element resultElement =
                  (Element) result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
              if (resultElement == protectedElement) {
                tokenFound = true;
              }
              if (tokenFound && result == signedResult) {
                return false;
              } else if (resultElement != null && result == signedResult) {
                break;
              }
            }
          }
        }
      }
    }

    return true;
  }
  /**
   * Find the index of the token corresponding to either the X509Certificate or PublicKey used to
   * sign the "signatureResult" argument.
   */
  private int findCorrespondingTokenIndex(
      WSSecurityEngineResult signatureResult, List<WSSecurityEngineResult> results) {
    // See what was used to sign this result
    X509Certificate cert =
        (X509Certificate) signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    PublicKey publicKey = (PublicKey) signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);

    for (int i = 0; i < results.size(); i++) {
      WSSecurityEngineResult token = results.get(i);
      Integer actInt = (Integer) token.get(WSSecurityEngineResult.TAG_ACTION);
      if (actInt == WSConstants.SIGN) {
        continue;
      }

      BinarySecurity binarySecurity =
          (BinarySecurity) token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
      PublicKey foundPublicKey = (PublicKey) token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
      if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) {
        X509Certificate foundCert =
            (X509Certificate) token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        if (foundCert.equals(cert)) {
          return i;
        }
      } else if (actInt.intValue() == WSConstants.ST_SIGNED
          || actInt.intValue() == WSConstants.ST_UNSIGNED) {
        SamlAssertionWrapper assertionWrapper =
            (SamlAssertionWrapper) token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
        SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
        if (samlKeyInfo != null) {
          X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
          PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
          if ((cert != null && subjectCerts != null && cert.equals(subjectCerts[0]))
              || (subjectPublicKey != null && subjectPublicKey.equals(publicKey))) {
            return i;
          }
        }
      } else if (publicKey != null && publicKey.equals(foundPublicKey)) {
        return i;
      }
    }
    return -1;
  }