All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.ws.security.WSSecurityEngine Maven / Gradle / Ivy

/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.ws.security;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.conversation.ConversationConstants;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.processor.Processor;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;

import java.util.Vector;

/**
 * WS-Security Engine.
 * 

* * @author Davanum Srinivas ([email protected]). * @author Werner Dittmann ([email protected]). */ public class WSSecurityEngine { public static final String VALUE_TYPE = "ValueType"; private static Log log = LogFactory.getLog(WSSecurityEngine.class.getName()); private static Log tlog = LogFactory.getLog("org.apache.ws.security.TIME"); private static WSSecurityEngine engine = null; /** * The WSSConfig instance used by this SecurityEngine to * find Processors for processing security headers */ private WSSConfig wssConfig = null; private boolean doDebug = false; /** * wsse:BinarySecurityToken as defined by WS Security specification */ public static final QName binaryToken = new QName(WSConstants.WSSE_NS, WSConstants.BINARY_TOKEN_LN); /** * wsse:UsernameToken as defined by WS Security specification */ public static final QName usernameToken = new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN); /** * wsu:Timestamp as defined by OASIS WS Security specification, */ public static final QName timeStamp = new QName(WSConstants.WSU_NS, WSConstants.TIMESTAMP_TOKEN_LN); /** * wsse11:signatureConfirmation as defined by OASIS WS Security specification, */ public static final QName signatureConfirmation = new QName(WSConstants.WSSE11_NS, WSConstants.SIGNATURE_CONFIRMATION_LN); /** * ds:Signature as defined by XML Signature specification, * enhanced by WS Security specification */ public static final QName SIGNATURE = new QName(WSConstants.SIG_NS, WSConstants.SIG_LN); /** * xenc:EncryptedKey as defined by XML Encryption specification, * enhanced by WS Security specification */ public static final QName ENCRYPTED_KEY = new QName(WSConstants.ENC_NS, WSConstants.ENC_KEY_LN); /** * xenc:EncryptedData as defined by XML Encryption specification, * enhanced by WS Security specification */ public static final QName ENCRYPTED_DATA = new QName(WSConstants.ENC_NS, WSConstants.ENC_DATA_LN); /** * xenc:ReferenceList as defined by XML Encryption specification, */ public static final QName REFERENCE_LIST = new QName(WSConstants.ENC_NS, WSConstants.REF_LIST_LN); /** * saml:Assertion as defined by SAML specification */ public static final QName SAML_TOKEN = new QName(WSConstants.SAML_NS, WSConstants.ASSERTION_LN); /** * wsc:DerivedKeyToken as defined by WS-SecureConversation specification */ public static final QName DERIVED_KEY_TOKEN_05_02 = new QName(ConversationConstants.WSC_NS_05_02, ConversationConstants.DERIVED_KEY_TOKEN_LN); /** * wsc:SecurityContextToken as defined by WS-SecureConversation specification */ public static final QName SECURITY_CONTEXT_TOKEN_05_02 = new QName(ConversationConstants.WSC_NS_05_02, ConversationConstants.SECURITY_CONTEXT_TOKEN_LN); /** * wsc:DerivedKeyToken as defined by WS-SecureConversation specification in WS-SX */ public static final QName DERIVED_KEY_TOKEN_05_12 = new QName(ConversationConstants.WSC_NS_05_12, ConversationConstants.DERIVED_KEY_TOKEN_LN); /** * wsc:SecurityContextToken as defined by WS-SecureConversation specification in * WS-SX */ public static final QName SECURITY_CONTEXT_TOKEN_05_12 = new QName(ConversationConstants.WSC_NS_05_12, ConversationConstants.SECURITY_CONTEXT_TOKEN_LN); public WSSecurityEngine() { } /** * Get a singleton instance of security engine. *

* * @return ws-security engine. */ public synchronized static WSSecurityEngine getInstance() { if (engine == null) { engine = new WSSecurityEngine(); } return engine; } /** * @return the WSSConfig object set on this instance, or * the statically defined one, if the instance-level * config object is null. */ public final WSSConfig getWssConfig() { return (wssConfig == null) ? WSSConfig.getDefaultWSConfig() : wssConfig; } /** * @param cfg the WSSConfig instance for this WSSecurityEngine to use * * @return the WSSConfig instance previously set on this * WSSecurityEngine instance */ public final WSSConfig setWssConfig(WSSConfig cfg) { WSSConfig ret = wssConfig; wssConfig = cfg; return ret; } /** * Process the security header given the soap envelope as W3C document. *

* This is the main entry point to verify or decrypt a SOAP envelope. * First check if a wsse:Security is available with the * defined actor. * * @param doc the SOAP envelope as {@link Document} * @param actor the engine works on behalf of this actor. Refer * to the SOAP specification about actor or role * * @param cb a callback hander to the caller to resolve passwords during * encryption and {@link UsernameToken} handling * @param crypto the object that implements the access to the keystore and the * handling of certificates. * @return a result vector * @throws WSSecurityException * @see WSSecurityEngine#processSecurityHeader(Element securityHeader, CallbackHandler cb, * Crypto sigCrypto, Crypto decCrypto) */ public Vector processSecurityHeader(Document doc, String actor, CallbackHandler cb, Crypto crypto) throws WSSecurityException { return processSecurityHeader(doc, actor, cb, crypto, crypto); } /** * Process the security header given the soap envelope as W3C document. *

* This is the main entry point to verify or decrypt a SOAP envelope. * First check if a wsse:Security is available with the * defined actor. * * @param doc the SOAP envelope as {@link Document} * @param actor the engine works on behalf of this actor. Refer * to the SOAP specification about actor or role * * @param cb a callback hander to the caller to resolve passwords during * encryption and {@link UsernameToken} handling * @param sigCrypto the object that implements the access to the keystore and the * handling of certificates for Signature * @param decCrypto the object that implements the access to the keystore and the * handling of certificates for Decryption * @return a result vector * @throws WSSecurityException * @see WSSecurityEngine#processSecurityHeader( * Element securityHeader, CallbackHandler cb, Crypto sigCrypto, Crypto decCrypto) */ public Vector processSecurityHeader(Document doc, String actor, CallbackHandler cb, Crypto sigCrypto, Crypto decCrypto) throws WSSecurityException { doDebug = log.isDebugEnabled(); if (doDebug) { log.debug("enter processSecurityHeader()"); } if (actor == null) { actor = ""; } Vector wsResult = null; SOAPConstants sc = WSSecurityUtil.getSOAPConstants(doc.getDocumentElement()); Element elem = WSSecurityUtil.getSecurityHeader(doc, actor, sc); if (elem != null) { if (doDebug) { log.debug("Processing WS-Security header for '" + actor + "' actor."); } wsResult = processSecurityHeader(elem, cb, sigCrypto, decCrypto); } return wsResult; } /** * Process the security header given the wsse:Security DOM * Element. * * This function loops over all direct child elements of the * wsse:Security header. If it finds a known element, it * transfers control to the appropriate handling function. The method * processes the known child elements in the same order as they appear in * the wsse:Security element. This is in accordance to the WS * Security specification.

* * Currently the functions can handle the following child elements: * *

    *
  • {@link #SIGNATURE ds:Signature}
  • *
  • {@link #ENCRYPTED_KEY xenc:EncryptedKey}
  • *
  • {@link #REFERENCE_LIST xenc:ReferenceList}
  • *
  • {@link #usernameToken wsse:UsernameToken}
  • *
  • {@link #timeStamp wsu:Timestamp}
  • *
* * Note that additional child elements can be processed if appropriate * Processors have been registered with the WSSCondig instance set * on this class. * * @param securityHeader the wsse:Security header element * @param cb a callback hander to the caller to resolve passwords during * encryption and {@link UsernameToken}handling * @param sigCrypto the object that implements the access to the keystore and the * handling of certificates used for Signature * @param decCrypto the object that implements the access to the keystore and the * handling of certificates used for Decryption * @return a Vector of {@link WSSecurityEngineResult}. Each element in the * the Vector represents the result of a security action. The elements * are ordered according to the sequence of the security actions in the * wsse:Signature header. The Vector maybe empty if no security processing * was performed. * @throws WSSecurityException */ protected Vector processSecurityHeader(Element securityHeader, CallbackHandler cb, Crypto sigCrypto, Crypto decCrypto) throws WSSecurityException { long t0 = 0, t1 = 0, t2 = 0; if (tlog.isDebugEnabled()) { t0 = System.currentTimeMillis(); } /* * Gather some info about the document to process and store * it for retrieval. Store the implementation of signature crypto * (no need for encryption --- yet) */ WSDocInfo wsDocInfo = new WSDocInfo(securityHeader.getOwnerDocument()); wsDocInfo.setCrypto(sigCrypto); NodeList list = securityHeader.getChildNodes(); int len = list.getLength(); Node elem; if (tlog.isDebugEnabled()) { t1 = System.currentTimeMillis(); } Vector returnResults = new Vector(); for (int i = 0; i < len; i++) { elem = list.item(i); if (elem.getNodeType() != Node.ELEMENT_NODE) { continue; } QName el = new QName(elem.getNamespaceURI(), elem.getLocalName()); final WSSConfig cfg = getWssConfig(); Processor p = cfg.getProcessor(el); /* * Call the processor for this token. After the processor returns, * store it for later retrieval. The token processor may store some * information about the processed token */ if (p != null) { p.handleToken((Element) elem, sigCrypto, decCrypto, cb, wsDocInfo, returnResults, cfg); wsDocInfo.setProcessor(p); } else { /* * Add check for a BinarySecurityToken, add info to WSDocInfo. If BST is * found before a Signature token this would speed up (at least a little * bit) the processing of STR Transform. */ if (doDebug) { log.debug( "Unknown Element: " + elem.getLocalName() + " " + elem.getNamespaceURI() ); } } } if (tlog.isDebugEnabled()) { t2 = System.currentTimeMillis(); tlog.debug( "processHeader: total " + (t2 - t0) + ", prepare " + (t1 - t0) + ", handle " + (t2 - t1) ); } return returnResults; } }




© 2015 - 2025 Weber Informatics LLC | Privacy Policy