/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.cxf.ws.security.wss4j;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPMessage;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.util.WSSecurityUtil;
/**
* Interceptor that checks WS-Security signature/encryption coverage of a
* received SOAP message, based on the results produced by the WSS4J
* processors. It must therefore run after {@link WSS4JInInterceptor}, which
* produces those results (the constructors register it accordingly). This
* interceptor provides an alternative to WS-Policy based configuration for
* crypto coverage enforcement.
*
* Note that the WSS4J processor must correctly handle the Security Token
* Reference (STR) Dereference transform when a signed security token, such
* as a SAML assertion, is present; otherwise coverage over a message part
* referenced through that transform cannot be checked. A version of WSS4J
* that handles this transform is therefore required if you wish to enforce
* coverage over such parts.
* See WSS4J issue WSS-222 for more details.
*/
public class CryptoCoverageChecker extends AbstractSoapInterceptor {
/**
 * The XPath expressions for locating elements in SOAP messages
 * that must be covered. See {@link #prefixMap}
 * for namespace prefixes available.
 *
 * NOTE(review): the element type is not visible in this rendering (the
 * generic type arguments appear to have been dropped); confirm against
 * {@link #setXPaths(List)}. Whether an expression that selects nothing
 * fails the check or is silently skipped is decided in handleMessage —
 * TODO confirm before relying on either behaviour.
 */
protected List xPaths = new ArrayList();
/**
 * Mapping of namespace prefixes to namespace URIs, used to resolve the
 * prefixes that appear in {@link #xPaths}. A prefix that is unbound or
 * bound to the wrong URI means the expression will not select the
 * intended element, so this mapping is part of the security
 * configuration and should be reviewed together with the expressions.
 */
protected Map prefixMap = new HashMap();
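/**
 * Creates an instance with no prefixes and no XPath expressions
 * configured; both are passed as {@code null} to
 * {@link #CryptoCoverageChecker(Map, List)}. Configure the instance
 * afterwards through {@link #setPrefixes(Map)} and {@link #setXPaths(List)}.
 *
 * Until XPath expressions are set there is nothing for this interceptor
 * to require coverage over, so a bare instance should not be assumed to
 * protect any part of the message.
 */
public CryptoCoverageChecker() {
    // Delegate so that phase and ordering (after WSS4JInInterceptor) are
    // configured in exactly one place.
    this(null, null);
}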
/**
 * Creates an instance that enforces signature/encryption coverage over the
 * elements selected by {@code xPaths}, resolving namespace prefixes in those
 * expressions through {@code prefixes}.
 *
 * The interceptor is placed in the {@link Phase#PRE_PROTOCOL} phase and
 * ordered after {@link WSS4JInInterceptor}, since the coverage decision is
 * made from the results that interceptor leaves on the message. Both
 * arguments are handed to {@link #setPrefixes(Map)} and
 * {@link #setXPaths(List)}; {@code null} is accepted for either (the
 * no-arg constructor passes {@code null} for both).
 *
 * @param prefixes
 *            mapping of namespace prefixes to namespace URIs
 * @param xPaths
 *            a list of XPath expressions selecting the elements that must
 *            be covered
 */
public CryptoCoverageChecker(Map prefixes, List xPaths) {
    super(Phase.PRE_PROTOCOL);
    // Coverage is judged from the WSS4J processing results, so this
    // interceptor must only run once WSS4JInInterceptor has populated them.
    addAfter(WSS4JInInterceptor.class.getName());
    setPrefixes(prefixes);
    setXPaths(xPaths);
}
/**
* Checks that the WSS4J results refer to the required signed/encrypted
* elements as defined by the XPath expressions in {@link #xPaths}.
*
* @param message
* the SOAP message containing the signature
*
* @throws SoapFault
* if there is an error evaluating an XPath or an element is not
* covered by the required cryptographic operation
*/
public void handleMessage(SoapMessage message) throws Fault {
final Collection signed = new HashSet();
final Collection encrypted = new HashSet();
List