All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.ws.security.WSSConfig Maven / Gradle / Ivy

Go to download

The Apache WSS4J project provides a Java implementation of the primary security standards for Web Services, namely the OASIS Web Services Security (WS-Security) specifications from the OASIS Web Services Security TC.

There is a newer version: 1.6.19
Show newest version
/**
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */


package org.apache.ws.security;

import java.util.HashMap;

import javax.xml.namespace.QName;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.action.Action;
import org.apache.ws.security.processor.Processor;
import org.apache.ws.security.transform.STRTransform;
import org.apache.ws.security.util.Loader;
import org.apache.ws.security.util.UUIDGenerator;
import org.apache.xml.security.transforms.Transform;

/**
 * WSSConfig 

Carries configuration data so the WSS4J spec compliance can be * modified in runtime. Configure an instance of this object only if you need * WSS4J to emulate certain industry clients or previous OASIS specifications * for WS-Security interoperability testing purposes.

The default settings * follow the latest OASIS and changing anything might violate the OASIS specs. *

WARNING: changing the default settings will break the compliance with * the latest specs. Do this only if you know what you are doing.

* * @author Rami Jaamour ([email protected]) * @author Werner Dittmann ([email protected]) */ public class WSSConfig { private static final Log log = LogFactory.getLog(WSSConfig.class.getName()); /** * The default collection of actions supported by the toolkit. */ private static final java.util.Map DEFAULT_ACTIONS; static { final java.util.Map tmp = new java.util.HashMap(); try { tmp.put( new Integer(WSConstants.UT), org.apache.ws.security.action.UsernameTokenAction.class.getName() ); tmp.put( new Integer(WSConstants.ENCR), org.apache.ws.security.action.EncryptionAction.class.getName() ); tmp.put( new Integer(WSConstants.SIGN), org.apache.ws.security.action.SignatureAction.class.getName() ); // // Note that all actions/processors with dependencies on opensaml are // registered as Strings. This is so that applications that do not use // saml do not have to have the opensaml jar available. // tmp.put( new Integer(WSConstants.ST_SIGNED), "org.apache.ws.security.action.SAMLTokenSignedAction" ); tmp.put( new Integer(WSConstants.ST_UNSIGNED), "org.apache.ws.security.action.SAMLTokenUnsignedAction" ); tmp.put( new Integer(WSConstants.TS), org.apache.ws.security.action.TimestampAction.class.getName() ); tmp.put( new Integer(WSConstants.UT_SIGN), org.apache.ws.security.action.UsernameTokenSignedAction.class.getName() ); tmp.put( new Integer(WSConstants.SC), org.apache.ws.security.action.SignatureConfirmationAction.class.getName() ); } catch (final Throwable t) { if (log.isDebugEnabled()) { log.debug(t.getMessage(), t); } } DEFAULT_ACTIONS = java.util.Collections.unmodifiableMap(tmp); } /** * The default collection of processors supported by the toolkit */ private static final java.util.Map DEFAULT_PROCESSORS; static { final java.util.Map tmp = new java.util.HashMap(); try { tmp.put( WSSecurityEngine.SAML_TOKEN, "org.apache.ws.security.processor.SAMLTokenProcessor" ); tmp.put( WSSecurityEngine.ENCRYPTED_KEY, org.apache.ws.security.processor.EncryptedKeyProcessor.class.getName() ); tmp.put( WSSecurityEngine.SIGNATURE, org.apache.ws.security.processor.SignatureProcessor.class.getName() ); tmp.put( WSSecurityEngine.timeStamp, org.apache.ws.security.processor.TimestampProcessor.class.getName() ); tmp.put( WSSecurityEngine.usernameToken, org.apache.ws.security.processor.UsernameTokenProcessor.class.getName() ); tmp.put( WSSecurityEngine.REFERENCE_LIST, org.apache.ws.security.processor.ReferenceListProcessor.class.getName() ); tmp.put( WSSecurityEngine.signatureConfirmation, org.apache.ws.security.processor.SignatureConfirmationProcessor.class.getName() ); tmp.put( WSSecurityEngine.DERIVED_KEY_TOKEN_05_02, org.apache.ws.security.processor.DerivedKeyTokenProcessor.class.getName() ); tmp.put( WSSecurityEngine.DERIVED_KEY_TOKEN_05_12, tmp.get(WSSecurityEngine.DERIVED_KEY_TOKEN_05_02) ); tmp.put( WSSecurityEngine.SECURITY_CONTEXT_TOKEN_05_02, org.apache.ws.security.processor.SecurityContextTokenProcessor.class.getName() ); tmp.put( WSSecurityEngine.SECURITY_CONTEXT_TOKEN_05_12, tmp.get(WSSecurityEngine.SECURITY_CONTEXT_TOKEN_05_02) ); tmp.put( WSSecurityEngine.binaryToken, org.apache.ws.security.processor.BinarySecurityTokenProcessor.class.getName() ); tmp.put( WSSecurityEngine.ENCRYPTED_DATA, org.apache.ws.security.processor.EncryptedDataProcessor.class.getName() ); } catch (final Throwable t) { if (log.isDebugEnabled()) { log.debug(t.getMessage(), t); } } DEFAULT_PROCESSORS = java.util.Collections.unmodifiableMap(tmp); } protected static WSSConfig defaultConfig = null; protected boolean wsiBSPCompliant = false; /** * Set the timestamp precision mode. If set to true then use * timestamps with milliseconds, otherwise omit the milliseconds. As per XML * Date/Time specification the default is to include the milliseconds. */ protected boolean precisionInMilliSeconds = true; protected boolean enableSignatureConfirmation = true; /** * If set to true then the timestamp handling will throw an exception if the * timestamp contains an expires element and the semantics are expired. * * If set to false, no exception will be thrown, even if the semantics are * expired. */ protected boolean timeStampStrict = true; /** * This variable controls whether types other than PasswordDigest or PasswordText * are allowed when processing UsernameTokens. * * By default this is set to false so that the user doesn't have to explicitly * reject custom token types in the callback handler. */ protected boolean handleCustomPasswordTypes = false; /** * This variable controls whether (wsse) namespace qualified password types are * accepted when processing UsernameTokens. * * By default this is set to false. */ protected boolean allowNamespaceQualifiedPasswordTypes = false; /** * The secret key length to be used for UT_SIGN. */ protected int secretKeyLength = WSConstants.WSE_DERIVED_KEY_LEN; /** * The default wsu:Id allocator is a simple "start at 1 and increment up" * thing that is very fast. */ public static WsuIdAllocator DEFAULT_ID_ALLOCATOR = new WsuIdAllocator() { int i; private synchronized String next() { return Integer.toString(++i); } public String createId(String prefix, Object o) { if (prefix == null) { return next(); } return prefix + next(); } public String createSecureId(String prefix, Object o) { if (prefix == null) { return UUIDGenerator.getUUID(); } return prefix + UUIDGenerator.getUUID(); } }; protected WsuIdAllocator idAllocator = DEFAULT_ID_ALLOCATOR; protected HashMap jceProvider = new HashMap(10); /** * The known actions. This map is of the form or . * The known actions are initialized from a set of defaults, * but the list may be modified via the setAction operations. */ private final java.util.Map actionMap = new java.util.HashMap(DEFAULT_ACTIONS); /** * The known processors. This map is of the form or . * The known processors are initialized from a set of defaults, * but the list may be modified via the setProcessor operations. */ private final java.util.Map processorMap = new java.util.HashMap(DEFAULT_PROCESSORS); /** * a static boolean flag that determines whether default JCE providers * should be added at the time of construction. * * These providers, and the order in which they are added, can interfere * with some JVMs (such as IBMs). */ private static boolean addJceProviders = true; /** * a boolean flag to record whether we have already been statically * initialized. This flag prevents repeated and unnecessary calls * to static initialization code at construction time. */ private static boolean staticallyInitialized = false; /** * Set the value of the internal addJceProviders flag. This flag * turns on (or off) automatic registration of known JCE providers * that provide necessary cryptographic algorithms for use with WSS4J. * By default, this flag is true, for backwards compatibility. You may * wish (or need) to initialize the JCE manually, e.g., in some JVMs. */ public static void setAddJceProviders(boolean value) { addJceProviders = value; } private synchronized void staticInit() { if (!staticallyInitialized) { org.apache.xml.security.Init.init(); if (addJceProviders) { /* * The last provider added has precedence, that is if JuiCE can be added * then WSS4J uses this provider. */ addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider"); addJceProvider("JuiCE", "org.apache.security.juice.provider.JuiCEProviderOpenSSL"); } Transform.init(); try { Transform.register( STRTransform.implementedTransformURI, "org.apache.ws.security.transform.STRTransform" ); } catch (Exception ex) { if (log.isDebugEnabled()) { log.debug(ex.getMessage(), ex); } } staticallyInitialized = true; } } protected WSSConfig() { staticInit(); } /** * @return a new WSSConfig instance configured with the default values * (values identical to * {@link #getDefaultWSConfig getDefaultWSConfig()}) */ public static WSSConfig getNewInstance() { return new WSSConfig(); } /** * returns a static WSConfig instance that is configured with the latest * OASIS WS-Security settings. */ public static WSSConfig getDefaultWSConfig() { if (defaultConfig == null) { defaultConfig = getNewInstance(); } return defaultConfig; } /** * Checks if we are in WS-I Basic Security Profile compliance mode * * @return TODO */ public boolean isWsiBSPCompliant() { return wsiBSPCompliant; } /** * Set the WS-I Basic Security Profile compliance mode. The default is false * (dues to .Net interop problems). * * @param wsiBSPCompliant */ public void setWsiBSPCompliant(boolean wsiBSPCompliant) { this.wsiBSPCompliant = wsiBSPCompliant; } /** * Checks if we need to use milliseconds in timestamps * * @return TODO */ public boolean isPrecisionInMilliSeconds() { return precisionInMilliSeconds; } /** * Set the precision in milliseconds * * @param precisionInMilliSeconds * TODO */ public void setPrecisionInMilliSeconds(boolean precisionInMilliSeconds) { this.precisionInMilliSeconds = precisionInMilliSeconds; } /** * @return Returns the enableSignatureConfirmation. */ public boolean isEnableSignatureConfirmation() { return enableSignatureConfirmation; } /** * @param enableSignatureConfirmation * The enableSignatureConfirmation to set. */ public void setEnableSignatureConfirmation(boolean enableSignatureConfirmation) { this.enableSignatureConfirmation = enableSignatureConfirmation; } /** * @param handleCustomTypes * whether to handle custom UsernameToken password types or not */ public void setHandleCustomPasswordTypes(boolean handleCustomTypes) { this.handleCustomPasswordTypes = handleCustomTypes; } /** * @return whether custom UsernameToken password types are allowed or not */ public boolean getHandleCustomPasswordTypes() { return handleCustomPasswordTypes; } /** * @param allowNamespaceQualifiedTypes * whether (wsse) namespace qualified password types are accepted or not */ public void setAllowNamespaceQualifiedPasswordTypes(boolean allowNamespaceQualifiedTypes) { allowNamespaceQualifiedPasswordTypes = allowNamespaceQualifiedTypes; } /** * @return whether (wsse) namespace qualified password types are accepted or not */ public boolean getAllowNamespaceQualifiedPasswordTypes() { return allowNamespaceQualifiedPasswordTypes; } /** * @return Returns if we shall throw an exception on expired request * semantic */ public boolean isTimeStampStrict() { return timeStampStrict; } /** * @param timeStampStrict * If true throw an exception on expired request semantic */ public void setTimeStampStrict(boolean timeStampStrict) { this.timeStampStrict = timeStampStrict; } /** * Set the secret key length to be used for UT_SIGN. */ public void setSecretKeyLength(int length) { secretKeyLength = length; } /** * Get the secret key length to be used for UT_SIGN. */ public int getSecretKeyLength() { return secretKeyLength; } /** * @return Returns the WsuIdAllocator used to generate wsu:Id attributes */ public WsuIdAllocator getIdAllocator() { return idAllocator; } public void setIdAllocator(WsuIdAllocator idAllocator) { this.idAllocator = idAllocator; } /** * Associate an action name with a specific action code. * * This operation allows applications to supply their own * actions for well-known operations. */ public String setAction(int code, String action) { Object previousAction = actionMap.put(new Integer(code), action); if (previousAction instanceof String) { return (String)previousAction; } else if (previousAction instanceof Action){ return previousAction.getClass().getName(); } return null; } /** * Associate an action instance with a specific action code. * * This operation allows applications to supply their own * actions for well-known operations. */ public String setAction(int code, Action action) { Object previousAction = actionMap.put(new Integer(code), action); if (previousAction instanceof String) { return (String)previousAction; } else if (previousAction instanceof Action){ return previousAction.getClass().getName(); } return null; } /** * Lookup action * * @param action * @return An action class to create a security token * @throws WSSecurityException */ public Action getAction(int action) throws WSSecurityException { Integer key = new Integer(action); final Object actionObject = actionMap.get(key); if (actionObject instanceof String) { final String name = (String)actionObject; try { return (Action) Loader.loadClass(name).newInstance(); } catch (Throwable t) { if (log.isDebugEnabled()) { log.debug(t.getMessage(), t); } throw new WSSecurityException(WSSecurityException.FAILURE, "unableToLoadClass", new Object[] { name }, t); } } else if (actionObject instanceof Action) { return (Action)actionObject; } return null; } /** * Associate a SOAP processor name with a specified SOAP Security header * element QName. Processors registered under this QName will be * called when processing header elements with the specified type. */ public String setProcessor(QName el, String name) { Object previousProcessor = processorMap.put(el, name); if (previousProcessor instanceof String) { return (String)previousProcessor; } else if (previousProcessor instanceof Processor){ return previousProcessor.getClass().getName(); } return null; } /** * Associate a SOAP processor instance with a specified SOAP Security header * element QName. Processors registered under this QName will be * called when processing header elements with the specified type. */ public String setProcessor(QName el, Processor processor) { Object previousProcessor = processorMap.put(el, processor); if (previousProcessor instanceof String) { return (String)previousProcessor; } else if (previousProcessor instanceof Processor){ return previousProcessor.getClass().getName(); } return null; } /** * @return the SOAP processor associated with the specified * QName. The QName is intended to refer to an element * in a SOAP security header. This operation returns * null if there is no processor associated with the * specified QName. */ public Processor getProcessor(QName el) throws WSSecurityException { final Object processorObject = processorMap.get(el); if (processorObject instanceof String) { final String name = (String)processorObject; try { return (Processor) Loader.loadClass(name).newInstance(); } catch (Throwable t) { if (log.isDebugEnabled()) { log.debug(t.getMessage(), t); } throw new WSSecurityException(WSSecurityException.FAILURE, "unableToLoadClass", new Object[] { name }, t); } } else if (processorObject instanceof Processor) { return (Processor)processorObject; } return null; } private boolean loadProvider(String id, String className) { try { if (java.security.Security.getProvider(id) == null) { Class c = Loader.loadClass(className, false); java.security.Provider[] provs = java.security.Security.getProviders(); // // Install the provider after the SUN provider (see WSS-99) // Otherwise fall back to the old behaviour of inserting // the provider in position 2. For AIX, install it after // the IBMJCE provider. // int ret = 0; for (int i = 0; i < provs.length; i++) { if ("SUN".equals(provs[i].getName()) || "IBMJCE".equals(provs[i].getName())) { ret = java.security.Security.insertProviderAt( (java.security.Provider) c.newInstance(), i + 2 ); break; } } if (ret == 0) { ret = java.security.Security.insertProviderAt( (java.security.Provider) c.newInstance(), 2 ); } if (log.isDebugEnabled()) { log.debug("The provider " + id + " was added at position: " + ret); } } return true; } catch (Throwable t) { if (log.isDebugEnabled()) { log.debug("The provider " + id + " could not be added: " + t.getMessage()); } return false; } } /** * Add a new JCE security provider to use for WSS4J. * * If the provider is not already known the method loads a security provider * class and adds the provider to the java security service. * * * @param id * The id string of the provider * @param className * Name of the class the implements the provider. This class must * be a subclass of java.security.Provider * * @return Returns true if the provider was successfully * added, false otherwise. */ public boolean addJceProvider(String id, String className) { if (jceProvider.get(id) == null && loadProvider(id, className)) { jceProvider.put(id, className); return true; } return false; } }





© 2015 - 2024 Weber Informatics LLC | Privacy Policy