org.apache.ws.security.handler.WSHandler Maven / Gradle / Ivy
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.ws.security.handler;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.action.Action;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.token.SignatureConfirmation;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.util.Loader;
import org.apache.ws.security.util.StringUtil;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.ws.security.util.XmlSchemaDateFormat;
import org.w3c.dom.Document;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.text.DateFormat;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.Hashtable;
import java.util.Properties;
import java.util.TimeZone;
import java.util.Vector;
/**
* Extracted from WSDoAllReceiver and WSDoAllSender
* Extended to all passwordless UsernameTokens and configurable identities.
*
* @author Davanum Srinivas ([email protected]).
* @author Werner Dittmann ([email protected]).
* @author Marcel Ammerlaan ([email protected]).
*/
public abstract class WSHandler {
public static String DONE = "done";
private static Log log = LogFactory.getLog(WSHandler.class.getName());
protected static final WSSecurityEngine secEngine = WSSecurityEngine.getInstance();
protected static Hashtable cryptos = new Hashtable(5);
private boolean doDebug = log.isDebugEnabled();
/**
* Performs all defined security actions to set-up the SOAP request.
*
*
* @param doAction a set defining the actions to do
* @param doc the request as DOM document
* @param reqData a data storage to pass values around between methods
* @param actions a vector holding the actions to do in the order defined
* in the deployment file or property
* @throws WSSecurityException
*/
protected void doSenderAction(
int doAction,
Document doc,
RequestData reqData,
Vector actions,
boolean isRequest
) throws WSSecurityException {
boolean mu = decodeMustUnderstand(reqData);
WSSConfig wssConfig = reqData.getWssConfig();
if (wssConfig == null) {
wssConfig = secEngine.getWssConfig();
}
boolean enableSigConf = decodeEnableSignatureConfirmation(reqData);
wssConfig.setEnableSignatureConfirmation(
enableSigConf || ((doAction & WSConstants.SC) != 0)
);
wssConfig.setPasswordsAreEncoded(decodeUseEncodedPasswords(reqData));
wssConfig.setPrecisionInMilliSeconds(
decodeTimestampPrecision(reqData)
);
reqData.setWssConfig(wssConfig);
Object mc = reqData.getMsgContext();
String actor = getString(WSHandlerConstants.ACTOR, mc);
reqData.setActor(actor);
WSSecHeader secHeader = new WSSecHeader(actor, mu);
secHeader.insertSecurityHeader(doc);
reqData.setSecHeader(secHeader);
reqData.setSoapConstants(
WSSecurityUtil.getSOAPConstants(doc.getDocumentElement())
);
/*
* Here we have action, username, password, and actor, mustUnderstand.
* Now get the action specific parameters.
*/
if ((doAction & WSConstants.UT) == WSConstants.UT) {
decodeUTParameter(reqData);
}
/*
* Here we have action, username, password, and actor, mustUnderstand.
* Now get the action specific parameters.
*/
if ((doAction & WSConstants.UT_SIGN) == WSConstants.UT_SIGN) {
decodeUTParameter(reqData);
decodeSignatureParameter(reqData);
}
/*
* Get and check the Signature specific parameters first because they
* may be used for encryption too.
*/
if ((doAction & WSConstants.SIGN) == WSConstants.SIGN) {
reqData.setSigCrypto(loadSignatureCrypto(reqData));
decodeSignatureParameter(reqData);
}
/*
* If we need to handle signed SAML token then we may need the
* Signature parameters. The handle procedure loads the signature crypto
* file on demand, thus don't do it here.
*/
if ((doAction & WSConstants.ST_SIGNED) == WSConstants.ST_SIGNED) {
decodeSignatureParameter(reqData);
}
/*
* Set and check the encryption specific parameters, if necessary take
* over signature parameters username and crypto instance.
*/
if ((doAction & WSConstants.ENCR) == WSConstants.ENCR) {
reqData.setEncCrypto(loadEncryptionCrypto(reqData));
decodeEncryptionParameter(reqData);
}
/*
* If after all the parsing no Signature parts defined, set here a
* default set. This is necessary because we add SignatureConfirmation
* and therefore the default (Body) must be set here. The default setting
* in WSSignEnvelope doesn't work because the vector is not empty anymore.
*/
if (reqData.getSignatureParts().isEmpty()) {
WSEncryptionPart encP = new WSEncryptionPart(reqData.getSoapConstants()
.getBodyQName().getLocalPart(), reqData.getSoapConstants()
.getEnvelopeURI(), "Content");
reqData.getSignatureParts().add(encP);
}
/*
* If SignatureConfirmation is enabled and this is a response then
* insert SignatureConfrmation elements, note their wsu:id in the signature
* parts. They will be signed automatically during a (probably) defined
* SIGN action.
*/
if (wssConfig.isEnableSignatureConfirmation() && !isRequest) {
String done = (String)
getProperty(reqData.getMsgContext(), WSHandlerConstants.SIG_CONF_DONE);
if (!DONE.equals(done)
&& (getProperty(reqData.getMsgContext(), WSHandlerConstants.RECV_RESULTS))
!= null) {
wssConfig.getAction(WSConstants.SC).execute(this, WSConstants.SC, doc, reqData);
}
}
/*
* Here we have all necessary information to perform the requested
* action(s).
*/
for (int i = 0; i < actions.size(); i++) {
int actionToDo = ((Integer) actions.get(i)).intValue();
if (doDebug) {
log.debug("Performing Action: " + actionToDo);
}
switch (actionToDo) {
case WSConstants.UT:
case WSConstants.ENCR:
case WSConstants.SIGN:
case WSConstants.ST_SIGNED:
case WSConstants.ST_UNSIGNED:
case WSConstants.TS:
case WSConstants.UT_SIGN:
wssConfig.getAction(actionToDo).execute(this, actionToDo, doc, reqData);
break;
case WSConstants.NO_SERIALIZE:
reqData.setNoSerialization(true);
break;
//
// Handle any "custom" actions, similarly,
// but to preserve behavior from previous
// versions, consume (but log) action lookup failures.
//
default:
Action doit = null;
try {
doit = wssConfig.getAction(actionToDo);
} catch (final WSSecurityException e) {
log.warn(
"Error trying to locate a custom action (" + actionToDo + ")",
e
);
}
if (doit != null) {
doit.execute(this, actionToDo, doc, reqData);
}
}
}
/*
* If this is a request then store all signature values. Add ours to
* already gathered values because of chained handlers, e.g. for
* other actors.
*/
if (wssConfig.isEnableSignatureConfirmation()
&& isRequest
&& reqData.getSignatureValues().size() > 0) {
Vector sigv = (Vector)
getProperty(reqData.getMsgContext(), WSHandlerConstants.SEND_SIGV);
if (sigv == null) {
sigv = new Vector();
setProperty(reqData.getMsgContext(),
WSHandlerConstants.SEND_SIGV, sigv);
}
// sigv.add(reqData.getSignatureValues());
sigv.addAll(reqData.getSignatureValues());
}
}
protected void doReceiverAction(int doAction, RequestData reqData)
throws WSSecurityException {
WSSConfig wssConfig = reqData.getWssConfig();
if (wssConfig == null) {
wssConfig = secEngine.getWssConfig();
}
boolean enableSigConf = decodeEnableSignatureConfirmation(reqData);
wssConfig.setEnableSignatureConfirmation(
enableSigConf || ((doAction & WSConstants.SC) != 0)
);
wssConfig.setTimeStampStrict(decodeTimestampStrict(reqData));
wssConfig.setHandleCustomPasswordTypes(decodeCustomPasswordTypes(reqData));
wssConfig.setPasswordsAreEncoded(decodeUseEncodedPasswords(reqData));
wssConfig.setAllowNamespaceQualifiedPasswordTypes(
decodeNamespaceQualifiedPasswordTypes(reqData)
);
wssConfig.setSecretKeyLength(reqData.getSecretKeyLength());
reqData.setWssConfig(wssConfig);
if ((doAction & WSConstants.SIGN) == WSConstants.SIGN) {
decodeSignatureParameter2(reqData);
}
if ((doAction & WSConstants.ST_SIGNED) == WSConstants.ST_SIGNED) {
decodeSignatureParameter2(reqData);
}
if ((doAction & WSConstants.ENCR) == WSConstants.ENCR) {
decodeDecryptionParameter(reqData);
}
if ((doAction & WSConstants.NO_SERIALIZE) == WSConstants.NO_SERIALIZE) {
reqData.setNoSerialization(true);
}
}
protected boolean checkReceiverResults(Vector wsResult, Vector actions) {
int resultActions = wsResult.size();
int size = actions.size();
int ai = 0;
for (int i = 0; i < resultActions; i++) {
final Integer actInt = (Integer) ((WSSecurityEngineResult) wsResult
.get(i)).get(WSSecurityEngineResult.TAG_ACTION);
int act = actInt.intValue();
if (act == WSConstants.SC || act == WSConstants.BST) {
continue;
}
if (ai >= size || ((Integer) actions.get(ai++)).intValue() != act) {
return false;
}
}
if (ai != size) {
return false;
}
return true;
}
protected boolean checkReceiverResultsAnyOrder(Vector wsResult, Vector actions) {
java.util.List recordedActions = new Vector(actions.size());
for (int i = 0; i < actions.size(); i++) {
Integer action = (Integer)actions.get(i);
recordedActions.add(action);
}
for (int i = 0; i < wsResult.size(); i++) {
final Integer actInt = (Integer) ((WSSecurityEngineResult) wsResult
.get(i)).get(WSSecurityEngineResult.TAG_ACTION);
int act = actInt.intValue();
if (act == WSConstants.SC || act == WSConstants.BST) {
continue;
}
if (!recordedActions.remove(actInt)) {
return false;
}
}
if (!recordedActions.isEmpty()) {
return false;
}
return true;
}
protected void checkSignatureConfirmation(RequestData reqData,
Vector wsResult) throws WSSecurityException{
if (doDebug) {
log.debug("Check Signature confirmation");
}
/*
* First get all Signature values stored during sending the request
*/
Vector sigv = (Vector) getProperty(reqData.getMsgContext(),
WSHandlerConstants.SEND_SIGV);
/*
* Now get all results that hold a SignatureConfirmation element from
* the current run of receiver (we can have more than one run: if we
* have several security header blocks with different actors/roles)
*/
Vector sigConf = new Vector();
WSSecurityUtil.fetchAllActionResults(wsResult, WSConstants.SC, sigConf);
/*
* now loop over all SignatureConfirmation results and check:
* - if there is a signature value and no Signature value generated in request: error
* - if there is a signature value and no matching Signature value found: error
*
* If a matching value found: remove from vector of stored signature values
*/
for (int i = 0; i < sigConf.size(); i++) {
WSSecurityEngineResult result =
(WSSecurityEngineResult)sigConf.get(i);
SignatureConfirmation sc =
(SignatureConfirmation)result.get(WSSecurityEngineResult.TAG_SIGNATURE_CONFIRMATION);
byte[] sigVal = sc.getSignatureValue();
if (sigVal != null) {
if (sigv == null || sigv.size() == 0) {
// If there are no stored signature values
if (sigVal.length != 0) {
// If there's no value in the case where there are no
// stored SV it is valid. Therefore if there IS a value
// in the sig confirmation element
throw new WSSecurityException(
"WSHandler: Check Signature confirmation: got a SC element, "
+ "but no stored SV"
);
}
} else {
//If we have stored signature values
boolean found = false;
for (int ii = 0; ii < sigv.size(); ii++) {
byte[] storedValue = (byte[]) sigv.get(ii);
if (Arrays.equals(sigVal, storedValue)) {
found = true;
sigv.remove(ii);
break;
}
}
if (!found) {
throw new WSSecurityException(
"WSHandler: Check Signature confirmation: got SC element, "
+ "but no matching SV"
);
}
}
}
}
/*
* This indicates this is the last handler: the vector holding the
* stored Signature values must be empty, otherwise we have an error
*/
if (!reqData.isNoSerialization()) {
log.debug("Check Signature confirmation - last handler");
if (sigv != null && !sigv.isEmpty()) {
throw new WSSecurityException(
"WSHandler: Check Signature confirmation: stored SV vector not empty"
);
}
}
}
/**
* Hook to allow subclasses to load their Signature Crypto however they see
* fit.
*/
public Crypto loadSignatureCrypto(RequestData reqData)
throws WSSecurityException {
Crypto crypto = null;
/*
* Get crypto property file for signature. If none specified throw
* fault, otherwise get a crypto instance.
*/
String sigPropFile =
getString(WSHandlerConstants.SIG_PROP_FILE, reqData.getMsgContext());
if (sigPropFile != null) {
crypto = (Crypto) cryptos.get(sigPropFile);
if (crypto == null) {
crypto =
CryptoFactory.getInstance(
sigPropFile, this.getClassLoader(reqData.getMsgContext())
);
cryptos.put(sigPropFile, crypto);
}
} else if (getString(WSHandlerConstants.SIG_PROP_REF_ID, reqData.getMsgContext()) != null) {
//
// If the property file is missing then look for the Properties object
//
String refId =
getString(WSHandlerConstants.SIG_PROP_REF_ID, reqData.getMsgContext());
if (refId != null) {
Object propObj = getProperty(reqData.getMsgContext(), refId);
if (propObj instanceof Properties) {
crypto = (Crypto) cryptos.get(refId);
if (crypto == null) {
crypto = CryptoFactory.getInstance((Properties)propObj);
cryptos.put(refId, crypto);
}
}
}
}
return crypto;
}
/**
* Hook to allow subclasses to load their Encryption Crypto however they
* see fit.
*/
protected Crypto loadEncryptionCrypto(RequestData reqData)
throws WSSecurityException {
Crypto crypto = null;
/*
* Get encryption crypto property file. If non specified take crypto
* instance from signature, if that fails: throw fault
*/
String encPropFile =
getString(WSHandlerConstants.ENC_PROP_FILE, reqData.getMsgContext());
if (encPropFile != null) {
crypto = (Crypto) cryptos.get(encPropFile);
if (crypto == null) {
crypto =
CryptoFactory.getInstance(
encPropFile, this.getClassLoader(reqData.getMsgContext())
);
cryptos.put(encPropFile, crypto);
}
} else if (getString(WSHandlerConstants.ENC_PROP_REF_ID, reqData.getMsgContext()) != null) {
//
// If the property file is missing then look for the Properties object
//
String refId =
getString(WSHandlerConstants.ENC_PROP_REF_ID, reqData.getMsgContext());
if (refId != null) {
Object propObj = getProperty(reqData.getMsgContext(), refId);
if (propObj instanceof Properties) {
crypto = (Crypto) cryptos.get(refId);
if (crypto == null) {
crypto = CryptoFactory.getInstance((Properties)propObj);
cryptos.put(refId, crypto);
}
}
}
} else if (reqData.getSigCrypto() != null) {
//
// Default to the signature crypto
//
crypto = reqData.getSigCrypto();
}
return crypto;
}
protected void decodeUTParameter(RequestData reqData)
throws WSSecurityException {
Object mc = reqData.getMsgContext();
String type = getString(WSHandlerConstants.PASSWORD_TYPE, mc);
if (type != null) {
if (WSConstants.PW_TEXT.equals(type)) {
reqData.setPwType(WSConstants.PASSWORD_TEXT);
} else if (WSConstants.PW_DIGEST.equals(type)) {
reqData.setPwType(WSConstants.PASSWORD_DIGEST);
} else if (WSConstants.PW_NONE.equals(type)) {
// No password requested.
reqData.setPwType(null);
} else {
throw new WSSecurityException("Unknown password type encoding: " + type);
}
}
String add = getString(WSHandlerConstants.ADD_UT_ELEMENTS, mc);
if (add != null) {
reqData.setUtElements(StringUtil.split(add, ' '));
}
String derived = getString(WSHandlerConstants.USE_DERIVED_KEY, mc);
boolean useDerivedKey = Boolean.valueOf(derived).booleanValue();
if (useDerivedKey) {
reqData.setUseDerivedKey(useDerivedKey);
}
String derivedMAC = getString(WSHandlerConstants.USE_DERIVED_KEY, mc);
boolean useDerivedKeyForMAC = Boolean.valueOf(derivedMAC).booleanValue();
if (useDerivedKeyForMAC) {
reqData.setUseDerivedKeyForMAC(useDerivedKeyForMAC);
}
String iterations = getString(WSHandlerConstants.DERIVED_KEY_ITERATIONS, mc);
if (iterations != null) {
int iIterations = Integer.parseInt(iterations);
reqData.setDerivedKeyIterations(iIterations);
}
}
protected void decodeSignatureParameter(RequestData reqData)
throws WSSecurityException {
Object mc = reqData.getMsgContext();
String signatureUser = getString(WSHandlerConstants.SIGNATURE_USER, mc);
if (signatureUser != null) {
reqData.setSignatureUser(signatureUser);
} else {
reqData.setSignatureUser(reqData.getUsername());
}
String keyId = getString(WSHandlerConstants.SIG_KEY_ID, mc);
if (keyId != null) {
Integer id = (Integer) WSHandlerConstants.keyIdentifier.get(keyId);
if (id == null) {
throw new WSSecurityException(
"WSHandler: Signature: unknown key identification"
);
}
int tmp = id.intValue();
if (!(tmp == WSConstants.ISSUER_SERIAL
|| tmp == WSConstants.BST_DIRECT_REFERENCE
|| tmp == WSConstants.X509_KEY_IDENTIFIER
|| tmp == WSConstants.SKI_KEY_IDENTIFIER
|| tmp == WSConstants.THUMBPRINT_IDENTIFIER
|| tmp == WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER)) {
throw new WSSecurityException(
"WSHandler: Signature: illegal key identification"
);
}
reqData.setSigKeyId(tmp);
}
String algo = getString(WSHandlerConstants.SIG_ALGO, mc);
reqData.setSigAlgorithm(algo);
String digestAlgo = getString(WSHandlerConstants.SIG_DIGEST_ALGO, mc);
reqData.setSigDigestAlgorithm(digestAlgo);
String parts = getString(WSHandlerConstants.SIGNATURE_PARTS, mc);
if (parts != null) {
splitEncParts(parts, reqData.getSignatureParts(), reqData);
}
String secretKeyLength = getString(WSHandlerConstants.WSE_SECRET_KEY_LENGTH, mc);
if (secretKeyLength != null) {
int iSecretKeyLength = Integer.parseInt(secretKeyLength);
reqData.setSecretKeyLength(iSecretKeyLength);
}
boolean useSingleCert = decodeUseSingleCertificate(reqData);
reqData.setUseSingleCert(useSingleCert);
}
protected void decodeEncryptionParameter(RequestData reqData)
throws WSSecurityException {
Object mc = reqData.getMsgContext();
String encUser = getString(WSHandlerConstants.ENCRYPTION_USER, mc);
if (encUser != null) {
reqData.setEncUser(encUser);
} else {
reqData.setEncUser(reqData.getUsername());
}
if (reqData.getEncUser() == null) {
throw new WSSecurityException("WSHandler: Encryption: no username");
}
/*
* String msgType = msgContext.getCurrentMessage().getMessageType(); if
* (msgType != null && msgType.equals(Message.RESPONSE)) {
* handleSpecialUser(encUser); }
*/
handleSpecialUser(reqData);
/*
* If the following parameters are no used (they return null) then the
* default values of WSS4J are used.
*/
String encKeyId = getString(WSHandlerConstants.ENC_KEY_ID, mc);
if (encKeyId != null) {
Integer id = (Integer) WSHandlerConstants.keyIdentifier.get(encKeyId);
if (id == null) {
throw new WSSecurityException(
"WSHandler: Encryption: unknown key identification"
);
}
int tmp = id.intValue();
reqData.setEncKeyId(tmp);
if (!(tmp == WSConstants.ISSUER_SERIAL
|| tmp == WSConstants.X509_KEY_IDENTIFIER
|| tmp == WSConstants.SKI_KEY_IDENTIFIER
|| tmp == WSConstants.BST_DIRECT_REFERENCE
|| tmp == WSConstants.EMBEDDED_KEYNAME
|| tmp == WSConstants.THUMBPRINT_IDENTIFIER
|| tmp == WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER)) {
throw new WSSecurityException(
"WSHandler: Encryption: illegal key identification"
);
}
}
String encSymAlgo = getString(WSHandlerConstants.ENC_SYM_ALGO, mc);
reqData.setEncSymmAlgo(encSymAlgo);
String encKeyTransport =
getString(WSHandlerConstants.ENC_KEY_TRANSPORT, mc);
reqData.setEncKeyTransport(encKeyTransport);
String encSymEncKey = getString(WSHandlerConstants.ENC_SYM_ENC_KEY, mc);
if (encSymEncKey != null) {
boolean encSymEndKeyBoolean = Boolean.valueOf(encSymEncKey).booleanValue();
reqData.setEncryptSymmetricEncryptionKey(encSymEndKeyBoolean);
}
String encParts = getString(WSHandlerConstants.ENCRYPTION_PARTS, mc);
if (encParts != null) {
splitEncParts(encParts, reqData.getEncryptParts(), reqData);
}
}
protected boolean decodeMustUnderstand(RequestData reqData)
throws WSSecurityException {
String mu =
getString(WSHandlerConstants.MUST_UNDERSTAND, reqData.getMsgContext());
if (mu == null) {
return true;
}
if ("0".equals(mu) || "false".equals(mu)) {
return false;
}
if ("1".equals(mu) || "true".equals(mu)) {
return true;
}
throw new WSSecurityException(
"WSHandler: illegal mustUnderstand parameter"
);
}
public int decodeTimeToLive(RequestData reqData) {
String ttl =
getString(WSHandlerConstants.TTL_TIMESTAMP, reqData.getMsgContext());
int ttl_i = 0;
if (ttl != null) {
try {
ttl_i = Integer.parseInt(ttl);
} catch (NumberFormatException e) {
ttl_i = reqData.getTimeToLive();
}
}
if (ttl_i <= 0) {
ttl_i = reqData.getTimeToLive();
}
return ttl_i;
}
protected boolean decodeEnableSignatureConfirmation(RequestData reqData) throws WSSecurityException {
String value = getString(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION,
reqData.getMsgContext());
if (value == null) {
return true;
}
if ("0".equals(value) || "false".equals(value)) {
return false;
}
if ("1".equals(value) || "true".equals(value)) {
return true;
}
throw new WSSecurityException(
"WSHandler: illegal enableSignatureConfirmation parameter"
);
}
protected boolean decodeTimestampPrecision(RequestData reqData)
throws WSSecurityException {
String value = getString(WSHandlerConstants.TIMESTAMP_PRECISION,
reqData.getMsgContext());
if (value == null) {
return true;
}
if ("0".equals(value) || "false".equals(value)) {
return false;
}
if ("1".equals(value) || "true".equals(value)) {
return true;
}
throw new WSSecurityException(
"WSHandler: illegal precisionInMilliSeconds parameter"
);
}
protected boolean decodeCustomPasswordTypes(RequestData reqData)
throws WSSecurityException {
String value = getString(
WSHandlerConstants.HANDLE_CUSTOM_PASSWORD_TYPES,
reqData.getMsgContext()
);
if (value == null) {
return false;
}
if ("0".equals(value) || "false".equals(value)) {
return false;
}
if ("1".equals(value) || "true".equals(value)) {
return true;
}
throw new WSSecurityException(
"WSHandler: illegal handleCustomPasswordTypes parameter"
);
}
protected boolean decodeUseEncodedPasswords(RequestData reqData)
throws WSSecurityException {
String value = getString(
WSHandlerConstants.USE_ENCODED_PASSWORDS,
reqData.getMsgContext()
);
if (value == null) {
return false;
}
if ("0".equals(value) || "false".equals(value)) {
return false;
}
if ("1".equals(value) || "true".equals(value)) {
return true;
}
throw new WSSecurityException(
"WSHandler: illegal useEncodedPasswords parameter"
);
}
protected boolean decodeNamespaceQualifiedPasswordTypes(RequestData reqData)
throws WSSecurityException {
String value = getString(
WSHandlerConstants.ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES,
reqData.getMsgContext()
);
if (value == null) {
return false;
}
if ("0".equals(value) || "false".equals(value)) {
return false;
}
if ("1".equals(value) || "true".equals(value)) {
return true;
}
throw new WSSecurityException(
"WSHandler: illegal allowNamespaceQualifiedPasswordTypes parameter"
);
}
protected boolean decodeTimestampStrict(RequestData reqData)
throws WSSecurityException {
String value = getString(WSHandlerConstants.TIMESTAMP_STRICT,
reqData.getMsgContext());
if (value == null) {
return true;
}
if ("0".equals(value) || "false".equals(value)) {
return false;
}
if ("1".equals(value) || "true".equals(value)) {
return true;
}
throw new WSSecurityException(
"WSHandler: illegal timestampStrict parameter"
);
}
protected boolean decodeUseSingleCertificate(RequestData reqData)
throws WSSecurityException {
String useSingleCert =
getString(WSHandlerConstants.USE_SINGLE_CERTIFICATE, reqData.getMsgContext());
if (useSingleCert == null) {
return true;
}
if ("0".equals(useSingleCert) || "false".equals(useSingleCert)) {
return false;
}
if ("1".equals(useSingleCert) || "true".equals(useSingleCert)) {
return true;
}
throw new WSSecurityException(
"WSHandler: illegal useSingleCert parameter"
);
}
/**
* Get a password to construct a UsernameToken or sign a message.
*
* Try all possible sources to get a password.
*/
public WSPasswordCallback getPassword(String username,
int doAction,
String clsProp,
String refProp,
RequestData reqData
) throws WSSecurityException {
WSPasswordCallback pwCb = null;
Object mc = reqData.getMsgContext();
String callback = getString(clsProp, mc);
if (callback != null) {
// we have a password callback class
pwCb = readPwViaCallbackClass(callback, username, doAction, reqData);
} else {
// Try to obtain a password callback class from the message context or handler options
CallbackHandler cbHandler = (CallbackHandler) getOption(refProp);
if (cbHandler == null) {
cbHandler = (CallbackHandler) getProperty(mc, refProp);
}
if (cbHandler != null) {
pwCb = performCallback(cbHandler, username, doAction);
} else {
//
// If a callback isn't configured then try to get the password
// from the message context
//
String password = getPassword(mc);
if (password == null) {
String err = "provided null or empty password";
throw new WSSecurityException("WSHandler: application " + err);
}
pwCb = constructPasswordCallback(username, doAction);
pwCb.setPassword(password);
}
}
return pwCb;
}
private WSPasswordCallback readPwViaCallbackClass(String callback,
String username,
int doAction,
RequestData requestData
) throws WSSecurityException {
Class cbClass = null;
CallbackHandler cbHandler = null;
try {
cbClass =
Loader.loadClass(getClassLoader(requestData.getMsgContext()), callback);
} catch (ClassNotFoundException e) {
throw new WSSecurityException(
"WSHandler: cannot load password callback class: " + callback, e
);
}
try {
cbHandler = (CallbackHandler) cbClass.newInstance();
} catch (Exception e) {
throw new WSSecurityException(
"WSHandler: cannot create instance of password callback: " + callback, e
);
}
return performCallback(cbHandler, username, doAction);
}
/**
* Perform a callback to get a password.
*
* The called back function gets an indication why to provide a password:
* to produce a UsernameToken, Signature, or a password (key) for a given
* name.
*/
private WSPasswordCallback performCallback(CallbackHandler cbHandler,
String username,
int doAction
) throws WSSecurityException {
WSPasswordCallback pwCb = constructPasswordCallback(username, doAction);
Callback[] callbacks = new Callback[1];
callbacks[0] = pwCb;
/*
* Call back the application to get the password
*/
try {
cbHandler.handle(callbacks);
} catch (Exception e) {
throw new WSSecurityException("WSHandler: password callback failed", e);
}
return pwCb;
}
private WSPasswordCallback constructPasswordCallback(
String username,
int doAction
) throws WSSecurityException {
int reason = WSPasswordCallback.UNKNOWN;
switch (doAction) {
case WSConstants.UT:
case WSConstants.UT_SIGN:
reason = WSPasswordCallback.USERNAME_TOKEN;
break;
case WSConstants.SIGN:
reason = WSPasswordCallback.SIGNATURE;
break;
case WSConstants.ENCR:
reason = WSPasswordCallback.KEY_NAME;
break;
}
return new WSPasswordCallback(username, reason);
}
private void splitEncParts(String tmpS, Vector parts, RequestData reqData)
throws WSSecurityException {
WSEncryptionPart encPart = null;
String[] rawParts = StringUtil.split(tmpS, ';');
for (int i = 0; i < rawParts.length; i++) {
String[] partDef = StringUtil.split(rawParts[i], '}');
if (partDef.length == 1) {
if (doDebug) {
log.debug("single partDef: '" + partDef[0] + "'");
}
encPart =
new WSEncryptionPart(partDef[0].trim(),
reqData.getSoapConstants().getEnvelopeURI(),
"Content");
} else if (partDef.length == 3) {
String mode = partDef[0].trim();
if (mode.length() <= 1) {
mode = "Content";
} else {
mode = mode.substring(1);
}
String nmSpace = partDef[1].trim();
if (nmSpace.length() <= 1) {
nmSpace = reqData.getSoapConstants().getEnvelopeURI();
} else {
nmSpace = nmSpace.substring(1);
if (nmSpace.equals(WSConstants.NULL_NS)) {
nmSpace = null;
}
}
String element = partDef[2].trim();
if (doDebug) {
log.debug(
"partDefs: '" + mode + "' ,'" + nmSpace + "' ,'" + element + "'"
);
}
encPart = new WSEncryptionPart(element, nmSpace, mode);
} else {
throw new WSSecurityException("WSHandler: wrong part definition: " + tmpS);
}
parts.add(encPart);
}
}
private void handleSpecialUser(RequestData reqData) {
if (!WSHandlerConstants.USE_REQ_SIG_CERT.equals(reqData.getEncUser())) {
return;
}
Vector results =
(Vector) getProperty(reqData.getMsgContext(), WSHandlerConstants.RECV_RESULTS);
if (results == null) {
return;
}
/*
* Scan the results for a matching actor. Use results only if the
* receiving Actor and the sending Actor match.
*/
for (int i = 0; i < results.size(); i++) {
WSHandlerResult rResult =
(WSHandlerResult) results.get(i);
String hActor = rResult.getActor();
if (!WSSecurityUtil.isActorEqual(reqData.getActor(), hActor)) {
continue;
}
Vector wsSecEngineResults = rResult.getResults();
/*
* Scan the results for the first Signature action. Use the
* certificate of this Signature to set the certificate for the
* encryption action :-).
*/
for (int j = 0; j < wsSecEngineResults.size(); j++) {
WSSecurityEngineResult wser =
(WSSecurityEngineResult) wsSecEngineResults.get(j);
int wserAction =
((java.lang.Integer)wser.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
if (wserAction == WSConstants.SIGN) {
X509Certificate cert =
(X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
reqData.setEncCert(cert);
return;
}
}
}
}
/**
* Hook to allow subclasses to load their Decryption Crypto however they
* see fit.
*/
protected Crypto loadDecryptionCrypto(RequestData reqData)
throws WSSecurityException {
Crypto crypto = null;
String decPropFile =
getString(WSHandlerConstants.DEC_PROP_FILE, reqData.getMsgContext());
if (decPropFile != null) {
crypto = (Crypto) cryptos.get(decPropFile);
if (crypto == null) {
crypto =
CryptoFactory.getInstance(
decPropFile, this.getClassLoader(reqData.getMsgContext())
);
cryptos.put(decPropFile, crypto);
}
} else if (getString(WSHandlerConstants.DEC_PROP_REF_ID, reqData.getMsgContext()) != null) {
//
// If the property file is missing then look for the Properties object
//
String refId =
getString(WSHandlerConstants.DEC_PROP_REF_ID, reqData.getMsgContext());
if (refId != null) {
Object propObj = getProperty(reqData.getMsgContext(), refId);
if (propObj instanceof Properties) {
crypto = (Crypto) cryptos.get(refId);
if (crypto == null) {
crypto = CryptoFactory.getInstance((Properties)propObj);
cryptos.put(refId, crypto);
}
}
}
} else if (reqData.getSigCrypto() != null) {
//
// Default to the signature crypto
//
crypto = reqData.getSigCrypto();
}
return crypto;
}
protected void decodeSignatureParameter2(RequestData reqData)
throws WSSecurityException {
reqData.setSigCrypto(loadSignatureCrypto(reqData));
/* There are currently no other signature parameters that need
* to be handled here, but we call the load crypto hook rather
* than just changing the visibility
* of this method to maintain parity with WSDoAllSender.
*/
}
/*
* Set and check the decryption specific parameters, if necessary
* take over signature crypto instance.
*/
protected void decodeDecryptionParameter(RequestData reqData)
throws WSSecurityException {
reqData.setDecCrypto(loadDecryptionCrypto(reqData));
/* There are currently no other decryption parameters that need
* to be handled here, but we call the load crypto hook rather
* than just changing the visibility
* of this method to maintain parity with WSDoAllSender.
*/
}
/**
* Get the password callback class and get an instance
*
*/
protected CallbackHandler getPasswordCB(RequestData reqData)
throws WSSecurityException {
Object mc = reqData.getMsgContext();
CallbackHandler cbHandler = null;
String callback = getString(WSHandlerConstants.PW_CALLBACK_CLASS, mc);
if (callback != null) {
Class cbClass = null;
try {
cbClass =
Loader.loadClass(getClassLoader(reqData.getMsgContext()), callback);
} catch (ClassNotFoundException e) {
throw new WSSecurityException(
"WSHandler: cannot load password callback class: " + callback, e
);
}
try {
cbHandler = (CallbackHandler) cbClass.newInstance();
} catch (java.lang.Exception e) {
throw new WSSecurityException(
"WSHandler: cannot create instance of password callback: " + callback, e
);
}
} else {
cbHandler =
(CallbackHandler) getProperty(mc, WSHandlerConstants.PW_CALLBACK_REF);
if (cbHandler == null) {
throw new WSSecurityException(
"WSHandler: no reference in callback property"
);
}
}
return cbHandler;
}
/**
* Evaluate whether a given certificate should be trusted.
* Hook to allow subclasses to implement custom validation methods however they see fit.
*
* Policy used in this implementation:
* 1. Search the keystore for the transmitted certificate
* 2. Search the keystore for a connection to the transmitted certificate
* (that is, search for certificate(s) of the issuer of the transmitted certificate
* 3. Verify the trust path for those certificates found because the search for the issuer
* might be fooled by a phony DN (String!)
*
* @param cert the certificate that should be validated against the keystore
* @return true if the certificate is trusted, false if not (AxisFault is thrown for exceptions
* during CertPathValidation)
* @throws WSSecurityException
*/
protected boolean verifyTrust(X509Certificate cert, RequestData reqData)
throws WSSecurityException {
// If no certificate was transmitted, do not trust the signature
if (cert == null) {
return false;
}
String[] aliases = null;
String alias = null;
X509Certificate[] certs;
String subjectString = cert.getSubjectX500Principal().getName();
String issuerString = cert.getIssuerX500Principal().getName();
BigInteger issuerSerial = cert.getSerialNumber();
if (doDebug) {
log.debug("WSHandler: Transmitted certificate has subject " + subjectString);
log.debug(
"WSHandler: Transmitted certificate has issuer " + issuerString
+ " (serial " + issuerSerial + ")"
);
}
// FIRST step
// Search the keystore for the transmitted certificate
// Search the keystore for the alias of the transmitted certificate
try {
alias = reqData.getSigCrypto().getAliasForX509Cert(issuerString, issuerSerial);
} catch (WSSecurityException ex) {
throw new WSSecurityException(
"WSHandler: Could not get alias for certificate with " + subjectString, ex
);
}
if (alias != null) {
// Retrieve the certificate for the alias from the keystore
try {
certs = reqData.getSigCrypto().getCertificates(alias);
} catch (WSSecurityException ex) {
throw new WSSecurityException(
"WSHandler: Could not get certificates for alias " + alias, ex
);
}
// If certificates have been found, the certificates must be compared
// to ensure against phony DNs (compare encoded form including signature)
if (certs != null && certs.length > 0 && cert.equals(certs[0])) {
if (doDebug) {
log.debug("Direct trust for certificate with " + subjectString);
}
return true;
}
} else {
if (doDebug) {
log.debug(
"No alias found for subject from issuer with " + issuerString
+ " (serial " + issuerSerial + ")"
);
}
}
// SECOND step
// Search for the issuer of the transmitted certificate in the keystore
// Search the keystore for the alias of the transmitted certificates issuer
try {
aliases = reqData.getSigCrypto().getAliasesForDN(issuerString);
} catch (WSSecurityException ex) {
throw new WSSecurityException(
"WSHandler: Could not get alias for certificate with " + issuerString, ex
);
}
// If the alias has not been found, the issuer is not in the keystore
// As a direct result, do not trust the transmitted certificate
if (aliases == null || aliases.length < 1) {
if (doDebug) {
log.debug(
"No aliases found in keystore for issuer " + issuerString
+ " of certificate for " + subjectString
);
}
return false;
}
// THIRD step
// Check the certificate trust path for every alias of the issuer found in the keystore
for (int i = 0; i < aliases.length; i++) {
alias = aliases[i];
if (doDebug) {
log.debug(
"Preparing to validate certificate path with alias " + alias
+ " for issuer " + issuerString
);
}
// Retrieve the certificate(s) for the alias from the keystore
try {
certs = reqData.getSigCrypto().getCertificates(alias);
} catch (WSSecurityException ex) {
throw new WSSecurityException(
"WSHandler: Could not get certificates for alias " + alias, ex
);
}
// If no certificates have been found, there has to be an error:
// The keystore can find an alias but no certificate(s)
if (certs == null || certs.length < 1) {
throw new WSSecurityException(
"WSHandler: Could not get certificates for alias " + alias
);
}
// Form a certificate chain from the transmitted certificate
// and the certificate(s) of the issuer from the keystore
// First, create new array
X509Certificate[] x509certs = new X509Certificate[certs.length + 1];
// Then add the first certificate ...
x509certs[0] = cert;
// ... and the other certificates
for (int j = 0; j < certs.length; j++) {
x509certs[j + 1] = certs[j];
}
certs = x509certs;
// Use the validation method from the crypto to check whether the subjects'
// certificate was really signed by the issuer stated in the certificate
try {
if (reqData.getSigCrypto().validateCertPath(certs)) {
if (doDebug) {
log.debug(
"WSHandler: Certificate path has been verified for certificate "
+ "with subject " + subjectString
);
}
return true;
}
} catch (WSSecurityException ex) {
throw new WSSecurityException(
"WSHandler: Certificate path verification failed for certificate "
+ "with subject " + subjectString, ex
);
}
}
if (doDebug) {
log.debug(
"WSHandler: Certificate path could not be verified for "
+ "certificate with subject " + subjectString
);
}
return false;
}
/**
* Evaluate whether the given certificate chain should be trusted.
*
* @param certificates the certificate chain that should be validated against the keystore
* @return true if the certificate chain is trusted, false if not
* @throws WSSecurityException
*/
protected boolean verifyTrust(X509Certificate[] certificates, RequestData reqData)
throws WSSecurityException {
// If no certificate was transmitted, do not trust the signature
if (certificates == null) {
return false;
}
String subjectString = certificates[0].getSubjectX500Principal().getName();
//
// Use the validation method from the crypto to check whether the subjects'
// certificate was really signed by the issuer stated in the certificate
//
try {
if (certificates != null && certificates.length > 1
&& reqData.getSigCrypto().validateCertPath(certificates)) {
if (log.isDebugEnabled()) {
log.debug(
"Certificate path has been verified for certificate with subject "
+ subjectString
);
}
return true;
}
} catch (WSSecurityException ex) {
throw new WSSecurityException(
"WSHandler: Certificate path verification failed for certificate "
+ "with subject " + subjectString, ex
);
}
if (log.isDebugEnabled()) {
log.debug(
"Certificate path could not be verified for certificate with subject "
+ subjectString
);
}
return false;
}
/**
* Evaluate whether a timestamp is considered valid on the receivers' side. Hook to
* allow subclasses to implement custom validation methods however they see fit.
*
* Policy used in this implementation:
*
* 1. The receiver can set its own time to live (besides from that set on
* sender side)
*
* 2. If the message was created before (now-ttl) the message is rejected
*
* @param timestamp
* the timestamp that is validated
* @param timeToLive
* the limit on the receivers' side, that the timestamp is validated against
* @return true if the timestamp is before (now-timeToLive), false otherwise
* @throws WSSecurityException
*/
protected boolean verifyTimestamp(Timestamp timestamp, int timeToLive) throws WSSecurityException {
return verifyTimestamp(timestamp, timeToLive, 60);
}
/**
* Evaluate whether a timestamp is considered valid on the receivers' side. Hook to
* allow subclasses to implement custom validation methods however they see fit.
*
* Policy used in this implementation:
*
* 1. The receiver can set its own time to live (besides from that set on
* sender side)
*
* 2. If the message was created before (now-ttl) the message is rejected
*
* @param timestamp
* the timestamp that is validated
* @param timeToLive
* the limit on the receivers' side, that the timestamp is validated against
* @param futureTimeToLive
* the value in seconds for the future validity of the Created time
* @return true if the timestamp is before (now-timeToLive), false otherwise
* @throws WSSecurityException
*/
protected boolean verifyTimestamp(
Timestamp timestamp,
int timeToLive,
int futureTimeToLive
) throws WSSecurityException {
// Calculate the time that is allowed for the message to travel
Calendar validCreation = Calendar.getInstance();
validCreation.setTimeZone(TimeZone.getTimeZone("UTC"));
long currentTime = validCreation.getTime().getTime();
Calendar cre = timestamp.getCreated();
if (futureTimeToLive > 0) {
validCreation.setTime(new Date(currentTime + futureTimeToLive * 1000));
}
if (cre != null && cre.after(validCreation)) {
if (doDebug) {
log.debug("Validation of Timestamp: The message was created in the future!");
}
return false;
}
currentTime -= timeToLive * 1000;
validCreation.setTime(new Date(currentTime));
if (doDebug) {
log.debug("Preparing to verify the timestamp");
DateFormat zulu = new XmlSchemaDateFormat();
log.debug("Validation of Timestamp: Current time is "
+ zulu.format(Calendar.getInstance().getTime()));
log.debug("Validation of Timestamp: Valid creation is "
+ zulu.format(validCreation.getTime()));
if (timestamp.getCreated() != null) {
log.debug("Validation of Timestamp: Timestamp created is "
+ zulu.format(timestamp.getCreated().getTime()));
}
}
// Validate the time it took the message to travel
// if (timestamp.getCreated().before(validCreation) ||
// !timestamp.getCreated().equals(validCreation)) {
if (cre != null && !cre.after(validCreation)) {
if (doDebug) {
log.debug("Validation of Timestamp: The message was created too long ago");
}
return false;
}
if (doDebug) {
log.debug("Validation of Timestamp: Everything is ok");
}
return true;
}
/**
* Looks up key first via {@link #getOption(String)} and if not found
* there, via {@link #getProperty(Object, String)}
*
* @param key the key to search for. May not be null.
* @param mc the message context to search.
* @return the value found.
* @throws IllegalArgumentException if key is null.
*/
public String getString(String key, Object mc) {
if (key == null) {
throw new IllegalArgumentException("Key cannot be null");
}
String s = getStringOption(key);
if (s != null) {
return s;
}
if (mc == null) {
throw new IllegalArgumentException("Message context cannot be null");
}
return (String) getProperty(mc, key);
}
/**
* Returns the option on name.
*
* @param key the non-null key of the option.
* @return the option on key if key
* exists and is of type java.lang.String; otherwise null.
*/
public String getStringOption(String key) {
Object o = getOption(key);
if (o instanceof String){
return (String) o;
} else {
return null;
}
}
/**
* Returns the classloader to be used for loading the callback class
* @param msgCtx The MessageContext
* @return class loader
*/
public ClassLoader getClassLoader(Object msgCtx) {
try {
return Loader.getTCL();
} catch (Throwable t) {
return null;
}
}
public abstract Object getOption(String key);
public abstract Object getProperty(Object msgContext, String key);
public abstract void setProperty(Object msgContext, String key,
Object value);
public abstract String getPassword(Object msgContext);
public abstract void setPassword(Object msgContext, String password);
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy