@Override
  public void handleMessage(SoapMessage msg) throws Fault {
    Endpoint ep = msg.getExchange().get(Endpoint.class);
    sdc.set(ep.getSecurityDomainContext());
    try {
      SecurityToken token = msg.get(SecurityToken.class);
      SecurityContext context = msg.get(SecurityContext.class);
      if (token == null || context == null || context.getUserPrincipal() == null) {
        super.handleMessage(msg);
        return;
      }
      UsernameToken ut = (UsernameToken) token;

      Subject subject =
          createSubject(
              ut.getName(), ut.getPassword(), ut.isHashed(), ut.getNonce(), ut.getCreatedTime());

      SecurityContext sc = doCreateSecurityContext(context.getUserPrincipal(), subject);
      msg.put(SecurityContext.class, sc);
    } finally {
      if (sdc != null) {
        sdc.remove();
      }
    }
  }
  public Response handleRequest(Message message, ClassResourceInfo resourceClass) {
    try {
      SecurityContext securityContext = message.get(SecurityContext.class);
      Method method = getTargetMethod(message);
      if (!authorize(securityContext, method)) {
        log.warn(
            "User :"******"trying to perform unauthrorized action"
                + " against the resource :"
                + method);
        return Response.status(Response.Status.FORBIDDEN)
            .type(MediaType.APPLICATION_JSON)
            .entity(
                Utils.buildMessage(
                    "The user does not have required permissions to " + "perform this operation"))
            .build();
      }
      return null;

    } catch (Exception exception) {
      log.error("Unexpercted error occured while REST api, authorization process", exception);
      return Response.status(Response.Status.INTERNAL_SERVER_ERROR)
          .type(MediaType.APPLICATION_JSON)
          .entity(Utils.buildMessage("Unexpected error. Please contact the system admin"))
          .build();
    }
  }
Пример #3
0
  protected void processToken(SoapMessage message) {
    Header h = findSecurityHeader(message, false);
    if (h == null) {
      return;
    }
    boolean utWithCallbacks =
        MessageUtils.getContextualBoolean(message, SecurityConstants.VALIDATE_TOKEN, true);

    Element el = (Element) h.getObject();
    Element child = DOMUtils.getFirstElement(el);
    while (child != null) {
      if (SPConstants.USERNAME_TOKEN.equals(child.getLocalName())
          && WSConstants.WSSE_NS.equals(child.getNamespaceURI())) {
        try {
          Principal principal = null;
          Subject subject = null;
          if (utWithCallbacks) {
            final WSSecurityEngineResult result = validateToken(child, message);
            principal = (Principal) result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
            subject = (Subject) result.get(WSSecurityEngineResult.TAG_SUBJECT);
          } else {
            boolean bspCompliant = isWsiBSPCompliant(message);
            principal = parseTokenAndCreatePrincipal(child, bspCompliant);
            WSS4JTokenConverter.convertToken(message, principal);
          }

          SecurityContext sc = message.get(SecurityContext.class);
          if (sc == null || sc.getUserPrincipal() == null) {
            if (subject != null && principal != null) {
              message.put(SecurityContext.class, createSecurityContext(principal, subject));
            } else if (principal instanceof UsernameTokenPrincipal) {
              UsernameTokenPrincipal utPrincipal = (UsernameTokenPrincipal) principal;
              String nonce = null;
              if (utPrincipal.getNonce() != null) {
                nonce = Base64.encode(utPrincipal.getNonce());
              }
              subject =
                  createSubject(
                      utPrincipal.getName(),
                      utPrincipal.getPassword(),
                      utPrincipal.isPasswordDigest(),
                      nonce,
                      utPrincipal.getCreatedTime());
              message.put(SecurityContext.class, createSecurityContext(utPrincipal, subject));
            }
          }

          if (principal instanceof UsernameTokenPrincipal) {
            storeResults((UsernameTokenPrincipal) principal, message);
          }
        } catch (WSSecurityException ex) {
          throw new Fault(ex);
        } catch (Base64DecodingException ex) {
          throw new Fault(ex);
        }
      }
      child = DOMUtils.getNextElement(child);
    }
  }
  public void handleMessage(Message message) throws Fault {
    SecurityContext context = message.get(SecurityContext.class);
    if (context == null) {
      return;
    }
    Principal principal = context.getUserPrincipal();
    UsernameToken usernameToken = (UsernameToken) message.get(SecurityToken.class);
    if (principal == null
        || usernameToken == null
        || !principal.getName().equals(usernameToken.getName())) {
      return;
    }

    // Read the user from Syncope and get the roles
    WebClient client =
        WebClient.create(address, Collections.singletonList(new JacksonJsonProvider()));

    String authorizationHeader =
        "Basic "
            + Base64Utility.encode(
                (usernameToken.getName() + ":" + usernameToken.getPassword()).getBytes());

    client.header("Authorization", authorizationHeader);

    client = client.path("users/self");
    UserTO user = null;
    try {
      user = client.get(UserTO.class);
      if (user == null) {
        Exception exception = new Exception("Authentication failed");
        throw new Fault(exception);
      }
    } catch (RuntimeException ex) {
      if (log.isDebugEnabled()) {
        log.debug(ex.getMessage(), ex);
      }
      throw new Fault(ex);
    }

    // Now get the roles
    List<MembershipTO> membershipList = user.getMemberships();
    Subject subject = new Subject();
    subject.getPrincipals().add(principal);
    for (MembershipTO membership : membershipList) {
      String roleName = membership.getRoleName();
      subject.getPrincipals().add(new SimpleGroup(roleName, usernameToken.getName()));
    }
    subject.setReadOnly();

    message.put(SecurityContext.class, new DefaultSecurityContext(principal, subject));
  }
Пример #5
0
  @Test
  public void testEncryptedUsernameToken() throws Exception {
    Map<String, String> outProperties = new HashMap<String, String>();
    outProperties.put(
        WSHandlerConstants.ACTION,
        WSHandlerConstants.USERNAME_TOKEN + " " + WSHandlerConstants.ENCRYPT);
    outProperties.put(WSHandlerConstants.ENC_PROP_FILE, "outsecurity.properties");
    outProperties.put(WSHandlerConstants.USER, "alice");
    outProperties.put("password", "alicePassword");
    outProperties.put(WSHandlerConstants.ENCRYPTION_USER, "myalias");
    outProperties.put(
        WSHandlerConstants.ENCRYPTION_PARTS, "{Content}{" + WSConstants.WSSE_NS + "}UsernameToken");

    Map<String, String> inProperties = new HashMap<String, String>();
    inProperties.put(
        WSHandlerConstants.ACTION,
        WSHandlerConstants.USERNAME_TOKEN + " " + WSHandlerConstants.ENCRYPT);
    inProperties.put(WSHandlerConstants.DEC_PROP_FILE, "insecurity.properties");
    inProperties.put(
        WSHandlerConstants.PW_CALLBACK_CLASS, "org.apache.cxf.ws.security.wss4j.TestPwdCallback");

    List<String> xpaths = new ArrayList<String>();
    xpaths.add("//wsse:Security");

    SoapMessage inmsg = makeInvocation(outProperties, xpaths, inProperties);
    List<WSHandlerResult> handlerResults = getResults(inmsg);

    assertNotNull(handlerResults);
    assertSame(handlerResults.size(), 1);

    //
    // This should contain exactly 2 protection results
    //
    final java.util.List<WSSecurityEngineResult> protectionResults =
        handlerResults.get(0).getResults();
    assertNotNull(protectionResults);
    assertSame(protectionResults.size(), 2);

    final Principal p1 =
        (Principal) protectionResults.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
    final Principal p2 =
        (Principal) protectionResults.get(1).get(WSSecurityEngineResult.TAG_PRINCIPAL);
    assertTrue(p1 instanceof UsernameTokenPrincipal || p2 instanceof UsernameTokenPrincipal);

    Principal utPrincipal = p1 instanceof UsernameTokenPrincipal ? p1 : p2;

    SecurityContext securityContext = inmsg.get(SecurityContext.class);
    assertNotNull(securityContext);
    assertSame(securityContext.getUserPrincipal(), utPrincipal);
  }
  private boolean authorize(SecurityContext securityContext, Method targetMethod) throws Exception {
    // first we try to see whether this is a super.tenant only operation
    String tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();
    int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
    if (superTenantServiceSet.contains(targetMethod.getName())
        && !isCurrentUserSuperTenant(tenantDomain, tenantId)) {
      return false;
    }
    // authorize using permissionString given as annotation in the service class
    String userName = securityContext.getUserPrincipal().getName();
    String permissionString = authorizationActionMap.get(targetMethod.getName());

    // get the authorization manager for this tenant..
    UserRealm userRealm = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserRealm();
    AuthorizationManager authorizationManager = userRealm.getAuthorizationManager();

    boolean isAuthorized =
        isAuthorized(authorizationManager, userName, permissionString, ACTION_ON_RESOURCE);
    return isAuthorized;
  }
Пример #7
0
  /** This method is called by {@link CxfConsumer}. */
  public void populateExchangeFromCxfRequest(
      org.apache.cxf.message.Exchange cxfExchange, Exchange camelExchange) {

    Method method = null;
    QName operationName = null;
    ExchangePattern mep = ExchangePattern.InOut;

    // extract binding operation information
    BindingOperationInfo boi =
        camelExchange.getProperty(BindingOperationInfo.class.getName(), BindingOperationInfo.class);
    if (boi != null) {
      Service service = cxfExchange.get(Service.class);
      if (service != null) {
        MethodDispatcher md = (MethodDispatcher) service.get(MethodDispatcher.class.getName());
        if (md != null) {
          method = md.getMethod(boi);
        }
      }

      if (boi.getOperationInfo().isOneWay()) {
        mep = ExchangePattern.InOnly;
      }

      operationName = boi.getName();
    }

    // set operation name in header
    if (operationName != null) {
      camelExchange
          .getIn()
          .setHeader(CxfConstants.OPERATION_NAMESPACE, boi.getName().getNamespaceURI());
      camelExchange.getIn().setHeader(CxfConstants.OPERATION_NAME, boi.getName().getLocalPart());
      if (LOG.isTraceEnabled()) {
        LOG.trace(
            "Set IN header: {}={}",
            CxfConstants.OPERATION_NAMESPACE,
            boi.getName().getNamespaceURI());
        LOG.trace(
            "Set IN header: {}={}", CxfConstants.OPERATION_NAME, boi.getName().getLocalPart());
      }
    } else if (method != null) {
      camelExchange.getIn().setHeader(CxfConstants.OPERATION_NAME, method.getName());
      if (LOG.isTraceEnabled()) {
        LOG.trace("Set IN header: {}={}", CxfConstants.OPERATION_NAME, method.getName());
      }
    }

    // set message exchange pattern
    camelExchange.setPattern(mep);
    LOG.trace("Set exchange MEP: {}", mep);

    // propagate headers
    Message cxfMessage = cxfExchange.getInMessage();
    propagateHeadersFromCxfToCamel(cxfMessage, camelExchange.getIn(), camelExchange);

    // propagate the security subject from CXF security context
    SecurityContext securityContext = cxfMessage.get(SecurityContext.class);
    if (securityContext instanceof LoginSecurityContext
        && ((LoginSecurityContext) securityContext).getSubject() != null) {
      camelExchange
          .getIn()
          .getHeaders()
          .put(Exchange.AUTHENTICATION, ((LoginSecurityContext) securityContext).getSubject());
    } else if (securityContext != null && securityContext.getUserPrincipal() != null) {
      Subject subject = new Subject();
      subject.getPrincipals().add(securityContext.getUserPrincipal());
      camelExchange.getIn().getHeaders().put(Exchange.AUTHENTICATION, subject);
    }

    // Propagating properties from CXF Exchange to Camel Exchange has an
    // side effect of copying reply side stuff when the producer is retried.
    // So, we do not want to do this.
    // camelExchange.getProperties().putAll(cxfExchange);

    // propagate request context
    Object value = cxfMessage.get(Client.REQUEST_CONTEXT);
    if (value != null
        && !headerFilterStrategy.applyFilterToExternalHeaders(
            Client.REQUEST_CONTEXT, value, camelExchange)) {
      camelExchange.getIn().setHeader(Client.REQUEST_CONTEXT, value);
      LOG.trace("Populate context from CXF message {} value={}", Client.REQUEST_CONTEXT, value);
    }

    // setup the charset from content-type header
    setCharsetWithContentType(camelExchange);

    // set body
    Object body =
        DefaultCxfBinding.getContentFromCxf(
            cxfMessage,
            camelExchange.getProperty(CxfConstants.DATA_FORMAT_PROPERTY, DataFormat.class));
    if (body != null) {
      camelExchange.getIn().setBody(body);
    }

    // propagate attachments if the data format is not POJO
    if (cxfMessage.getAttachments() != null
        && !camelExchange
            .getProperty(CxfConstants.DATA_FORMAT_PROPERTY, DataFormat.class)
            .equals(DataFormat.POJO)) {
      for (Attachment attachment : cxfMessage.getAttachments()) {
        camelExchange.getIn().addAttachment(attachment.getId(), attachment.getDataHandler());
      }
    }
  }