Exemplo n.º 1
0
  /**
   * Test that encrypts using EncryptedKeySHA1, where it uses a symmetric key, rather than a
   * generated session key which is then encrypted using a public key. The request is generated
   * using WSHandler, instead of coding it.
   *
   * @throws java.lang.Exception Thrown when there is any problem in encryption or decryption
   */
  public void testEncryptionSHA1SymmetricBytesHandler() throws Exception {
    final WSSConfig cfg = WSSConfig.getNewInstance();
    final RequestData reqData = new RequestData();
    reqData.setWssConfig(cfg);
    java.util.Map messageContext = new java.util.TreeMap();
    messageContext.put(WSHandlerConstants.ENC_SYM_ENC_KEY, "false");
    messageContext.put(WSHandlerConstants.ENC_KEY_ID, "EncryptedKeySHA1");
    messageContext.put(WSHandlerConstants.PW_CALLBACK_REF, this);
    reqData.setMsgContext(messageContext);
    reqData.setUsername("");

    final java.util.Vector actions = new java.util.Vector();
    actions.add(new Integer(WSConstants.ENCR));

    Document doc = unsignedEnvelope.getAsDocument();
    MyHandler handler = new MyHandler();
    handler.send(WSConstants.ENCR, doc, reqData, actions, true);

    String outputString = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
    if (LOG.isDebugEnabled()) {
      LOG.debug(outputString);
    }

    verify(doc);
  }
Exemplo n.º 2
0
  /**
   * The method invoke performs the security checks on the soap headers for the incoming message.
   */
  public void invoke(MessageContext msgContext)
      throws SecurityException, XFireFault, WSSecurityException {
    boolean doDebug = log.isDebugEnabled();

    if (doDebug) {
      log.debug("MuleWSSInSecurityHandler: enter invoke()");
    }

    RequestData reqData = new RequestData();

    try {
      reqData.setMsgContext(msgContext);

      Vector actions = new Vector();
      String action = null;

      // the action property in the security header is necessary to know which
      // type of security measure to adopt. It cannot be null.
      if ((action = (String) getOption(WSHandlerConstants.ACTION)) == null) {
        action = getString(WSHandlerConstants.ACTION, msgContext);
      }
      if (action == null) {
        throw new XFireRuntimeException("MuleWSSInHandler: No action defined");
      }

      int doAction = WSSecurityUtil.decodeAction(action, actions);

      String actor = (String) getOption(WSHandlerConstants.ACTOR);

      AbstractMessage sm = msgContext.getCurrentMessage();
      Document doc = (Document) sm.getProperty(DOMInHandler.DOM_MESSAGE);

      if (doc == null)
        throw new XFireRuntimeException("DOMInHandler must be enabled for WS-Security!");

      // Check if it's a response and if its a fault it doesn't continue.
      if (sm.getBody() instanceof XFireFault) return;

      // Get the password using a callback handler
      CallbackHandler cbHandler = null;
      if ((doAction & (WSConstants.ENCR | WSConstants.UT)) != 0) {
        cbHandler = getPasswordCB(reqData);
      }

      // Get and check the parameters pertaining to the signature and
      // encryption actions. Doesn't get SAML properties, though
      doReceiverAction(doAction, reqData);

      // If we're using signed SAML, we need to get the signature file in order
      // to decrypt the SAML token
      if (action.equals(WSHandlerConstants.SAML_TOKEN_SIGNED)) {
        reqData.setSigCrypto(loadSignatureCrypto(reqData));
      }

      Vector wsResult = null;

      // process the security header
      try {
        wsResult =
            secEngine.processSecurityHeader(
                doc, actor, cbHandler, reqData.getSigCrypto(), reqData.getDecCrypto());
      } catch (WSSecurityException ex) {
        throw new XFireFault(
            "MuleWSSInHandler: security processing failed: " + ex.toString(),
            ex,
            XFireFault.SENDER);
      }

      // no security header found we check whether the action was set to
      // "no_security" or else we throw an exception
      if (wsResult == null) {
        if (doAction == WSConstants.NO_SECURITY) {
          return;
        } else {
          throw new XFireFault(
              "MuleWSSInHandler: Request does not contain required Security header",
              XFireFault.SENDER);
        }
      }

      // confim that the signature is valid
      if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
        checkSignatureConfirmation(reqData, wsResult);
      }

      // Extract the signature action result from the action vector
      WSSecurityEngineResult actionResult =
          WSSecurityUtil.fetchActionResult(wsResult, WSConstants.SIGN);

      if (actionResult != null) {
        X509Certificate returnCert = actionResult.getCertificate();

        if (returnCert != null) {
          if (!verifyTrust(returnCert, reqData)) {
            throw new XFireFault(
                "MuleWSSInHandler: The certificate used for the signature is not trusted",
                XFireFault.SENDER);
          }
        }
      }

      if (actions.elementAt(0).equals(new Integer(16))) {
        actions.clear();
        actions.add(new Integer(2));
        actions.add(new Integer(8));
      }

      // now check the security actions: do they match, in right order?
      if (!checkReceiverResults(wsResult, actions)) {
        throw new XFireFault(
            "MuleWSSInHandler: security processing failed (actions mismatch)", XFireFault.SENDER);
      }
      /*
       * Construct and setup the security result structure. The service may
       * fetch this and check it.
       */
      Vector results = null;
      if ((results = (Vector) msgContext.getProperty(WSHandlerConstants.RECV_RESULTS)) == null) {
        results = new Vector();
        msgContext.setProperty(WSHandlerConstants.RECV_RESULTS, results);
      }
      WSHandlerResult rResult = new WSHandlerResult(actor, wsResult);
      results.add(0, rResult);

      if (doDebug) {
        log.debug("MuleWSSInHandler: exit invoke()");
      }
    } catch (WSSecurityException e) {
      throw new WSSecurityException(e.getErrorCode());
    } finally {
      reqData.clear();
      reqData = null;
    }
  }