org.apache.xml.security.stax.ext.XMLSec Maven / Gradle / Ivy
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.xml.security.stax.ext;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.HashSet;
import javax.crypto.SecretKey;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.validation.Schema;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.config.Init;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;
import org.apache.xml.security.utils.ClassLoaderUtils;
import org.xml.sax.SAXException;
/**
* This is the central class of the streaming XML-security framework.
* Instances of the inbound and outbound security streams can be retrieved
* with this class.
*/
public class XMLSec {
static {
try {
URL resource = ClassLoaderUtils.getResource("security-config.xml", XMLSec.class);
if (resource == null) {
throw new RuntimeException("security-config.xml not found in classpath");
}
Init.init(resource.toURI(), XMLSec.class);
try {
XMLSecurityConstants.setJaxbContext(
JAXBContext.newInstance(
org.apache.xml.security.binding.xmlenc.ObjectFactory.class,
org.apache.xml.security.binding.xmlenc11.ObjectFactory.class,
org.apache.xml.security.binding.xmldsig.ObjectFactory.class,
org.apache.xml.security.binding.xmldsig11.ObjectFactory.class,
org.apache.xml.security.binding.excc14n.ObjectFactory.class,
org.apache.xml.security.binding.xop.ObjectFactory.class
)
);
Schema schema = XMLSecurityUtils.loadXMLSecuritySchemas();
XMLSecurityConstants.setJaxbSchemas(schema);
} catch (JAXBException e) {
throw new RuntimeException(e);
} catch (SAXException e) {
throw new RuntimeException(e);
}
} catch (XMLSecurityException e) {
throw new RuntimeException(e.getMessage(), e);
} catch (URISyntaxException e) {
throw new RuntimeException(e.getMessage(), e);
}
}
public static void init() {
// Do nothing
}
/**
* Creates and configures an outbound streaming security engine
*
* @param securityProperties The user-defined security configuration
* @return A new OutboundXMLSec
* @throws XMLSecurityException
* if the initialisation failed
* @throws org.apache.xml.security.stax.ext.XMLSecurityConfigurationException
* if the configuration is invalid
*/
public static OutboundXMLSec getOutboundXMLSec(XMLSecurityProperties securityProperties) throws XMLSecurityException {
if (securityProperties == null) {
throw new XMLSecurityConfigurationException("stax.missingSecurityProperties");
}
securityProperties = validateAndApplyDefaultsToOutboundSecurityProperties(securityProperties);
return new OutboundXMLSec(securityProperties);
}
/**
* Creates and configures an inbound streaming security engine
*
* @param securityProperties The user-defined security configuration
* @return A new InboundWSSec
* @throws XMLSecurityException
* if the initialisation failed
* @throws org.apache.xml.security.stax.ext.XMLSecurityConfigurationException
* if the configuration is invalid
*/
public static InboundXMLSec getInboundWSSec(XMLSecurityProperties securityProperties) throws XMLSecurityException {
if (securityProperties == null) {
throw new XMLSecurityConfigurationException("stax.missingSecurityProperties");
}
securityProperties = validateAndApplyDefaultsToInboundSecurityProperties(securityProperties);
return new InboundXMLSec(securityProperties);
}
/**
* Validates the user supplied configuration and applies default values as appropriate for the outbound security engine
*
* @param securityProperties The configuration to validate
* @return The validated configuration
* @throws org.apache.xml.security.stax.ext.XMLSecurityConfigurationException
* if the configuration is invalid
*/
public static XMLSecurityProperties validateAndApplyDefaultsToOutboundSecurityProperties(XMLSecurityProperties securityProperties) throws XMLSecurityConfigurationException {
if (securityProperties.getActions() == null || securityProperties.getActions().isEmpty()) {
throw new XMLSecurityConfigurationException("stax.noOutputAction");
}
// Check for duplicate actions
if (new HashSet(securityProperties.getActions()).size()
!= securityProperties.getActions().size()) {
throw new XMLSecurityConfigurationException("stax.duplicateActions");
}
if (!securityProperties.isSignatureGenerateIds() && !securityProperties.getIdAttributeNS().equals(XMLSecurityConstants.ATT_NULL_Id)) {
throw new XMLSecurityConfigurationException("stax.idsetbutnotgenerated");
}
if (securityProperties.getSignatureSecureParts() != null && securityProperties.getSignatureSecureParts().size() > 1 && !securityProperties.isSignatureGenerateIds()) {
throw new XMLSecurityConfigurationException("stax.idgenerationdisablewithmultipleparts");
}
for (XMLSecurityConstants.Action action : securityProperties.getActions()) {
if (XMLSecurityConstants.SIGNATURE.equals(action)) {
if (securityProperties.getSignatureAlgorithm() == null) {
if (securityProperties.getSignatureKey() instanceof RSAPrivateKey) {
securityProperties.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#rsa-sha1");
} else if (securityProperties.getSignatureKey() instanceof DSAPrivateKey) {
securityProperties.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#dsa-sha1");
} else if (securityProperties.getSignatureKey() instanceof SecretKey) {
securityProperties.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#hmac-sha1");
}
}
if (securityProperties.getSignatureDigestAlgorithm() == null) {
securityProperties.setSignatureDigestAlgorithm("http://www.w3.org/2000/09/xmldsig#sha1");
}
if (securityProperties.getSignatureCanonicalizationAlgorithm() == null) {
securityProperties.setSignatureCanonicalizationAlgorithm(XMLSecurityConstants.NS_C14N_EXCL_OMIT_COMMENTS);
}
if (securityProperties.getSignatureKeyIdentifiers().isEmpty()) {
securityProperties.setSignatureKeyIdentifier(SecurityTokenConstants.KeyIdentifier_IssuerSerial);
}
} else if (XMLSecurityConstants.ENCRYPT.equals(action)) {
if (securityProperties.getEncryptionKeyTransportAlgorithm() == null) {
//@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-1_5 :
//"RSA-OAEP is RECOMMENDED for the transport of AES keys"
//@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-oaep-mgf1p
securityProperties.setEncryptionKeyTransportAlgorithm("http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
}
if (securityProperties.getEncryptionSymAlgorithm() == null) {
securityProperties.setEncryptionSymAlgorithm("http://www.w3.org/2001/04/xmlenc#aes256-cbc");
}
if (securityProperties.getEncryptionKeyIdentifier() == null) {
securityProperties.setEncryptionKeyIdentifier(SecurityTokenConstants.KeyIdentifier_IssuerSerial);
}
}
}
return new XMLSecurityProperties(securityProperties);
}
/**
* Validates the user supplied configuration and applies default values as appropriate for the inbound security engine
*
* @param securityProperties The configuration to validate
* @return The validated configuration
* @throws org.apache.xml.security.stax.ext.XMLSecurityConfigurationException
* if the configuration is invalid
*/
public static XMLSecurityProperties validateAndApplyDefaultsToInboundSecurityProperties(XMLSecurityProperties securityProperties) throws XMLSecurityConfigurationException {
return new XMLSecurityProperties(securityProperties);
}
}