All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.sun.xml.wss.SecurityEnvironment Maven / Gradle / Ivy

/*
 * Copyright (c) 2010, 2022 Oracle and/or its affiliates. All rights reserved.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Distribution License v. 1.0, which is available at
 * http://www.eclipse.org/org/documents/edl-v10.php.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

/*
 * $Id: SecurityEnvironment.java,v 1.2 2010-10-21 15:37:10 snajper Exp $
 */

package com.sun.xml.wss;

import com.sun.xml.ws.security.impl.kerberos.KerberosContext;
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;

import javax.crypto.SecretKey;

import com.sun.xml.wss.core.Timestamp;
import com.sun.xml.wss.saml.Assertion;

import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
import com.sun.xml.wss.impl.configuration.DynamicApplicationContext;
import javax.xml.stream.XMLStreamReader;

import org.w3c.dom.Element;
import org.w3c.dom.Document;

import java.util.Map;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSName;

/**
 * The SecurityEnvironment interface links the XWS-Security runtime with the
 * environment/container in which it is running. The SecurityEnvironment interface
 * is invoked by the XWS-Security runtime to perform tasks such as retrieving keys,
 * validating tokens etc.
 *

* When using the XWS-Security configuration files with <xwss:JAXRPCSecurity> as * the root element, a default implementation of this interface wraps the supplied CallbackHandler. * The default implemenation of this interface bundled with XWS-Security invokes the CallbackHandler * to implement the methods of this interface. *

* This interface facilitates usage of XWS-Security in environments which do not necessarily have a * natural mapping to the XWS-Security defined callbacks. *

* There is generally a single SecurityEnvironment instance per-application, which is initialized at application startup. *

*Note: This interface is evolving and is subject to change in a later release */ public interface SecurityEnvironment { /** * Retrieves a reasonable default value for the current user's * X509Certificate if one exists. * @param context a Map of application and integration-layer specific properties * @return the default certificate for the current user */ X509Certificate getDefaultCertificate(Map context) throws XWSSecurityException; /** * @return the certificate corresponding to the alias * * @param context a Map of application and integration-layer specific properties * @param alias the alias for identifying the certificate * @param forSigning whether this request is for a Sign operation or Encrypt * @exception XWSSecurityException if there was an error while trying to locate the Cerificate */ X509Certificate getCertificate(Map context, String alias, boolean forSigning) throws XWSSecurityException; /** *@return the SecretKey corresponding to the alias *@param context a Map of application and integration-layer specific properties *@param alias the alias for identifying the SecretKey *@param encryptMode whether this request is for an Encrypt or Decrypt operation *@exception XWSSecurityException if there was an error while trying to locate the SecretKey */ SecretKey getSecretKey(Map context, String alias, boolean encryptMode) throws XWSSecurityException; /** *@return the PrivateKey corresponding to the alias *@param context a Map of application and integration-layer specific properties *@param alias the alias for identifying the PrivateKey *@exception XWSSecurityException if there was an error while trying to locate the PrivateKey */ PrivateKey getPrivateKey(Map context, String alias) throws XWSSecurityException; /** * @return the PublicKey corresponding to a KeyIdentifier * @param context a Map of application and integration-layer specific properties * @param keyIdentifier an Opaque identifier indicating * the X509 certificate. * @exception XWSSecurityException if there was an error while trying to locate the PublicKey */ PublicKey getPublicKey(Map context, byte[] keyIdentifier) throws XWSSecurityException; PublicKey getPublicKey(Map context, byte[] keyIdentifier, String valueType) throws XWSSecurityException; /** * @return the X509Certificate corresponding to a KeyIdentifier * @param context a Map of application and integration-layer specific properties * @param keyIdentifier an Opaque identifier indicating * the X509 certificate. * @exception XWSSecurityException if there was an error while trying to locate the X509Certificate */ X509Certificate getCertificate(Map context, byte[] keyIdentifier) throws XWSSecurityException; /** * @return the X509Certificate corresponding to a KeyIdentifier * @param context a Map of application and integration-layer specific properties * @param identifier an Opaque identifier indicating the X509 certificate. * @exception XWSSecurityException if there was an error while trying to locate the X509Certificate */ X509Certificate getCertificate(Map context, byte[] identifier, String valueType) throws XWSSecurityException; /** * @return the PrivateKey corresponding to the X509Certificate * @param context a Map of application and integration-layer specific properties * @param cert the X509Certificate * @throws XWSSecurityException if there was an error while trying to locate the PrivateKey */ PrivateKey getPrivateKey(Map context, X509Certificate cert) throws XWSSecurityException; /** * @return the PrivateKey corresponding to (serialNumber, issuerName) * * @param context a Map of application and integration-layer specific properties * @param serialNumber the serialNumber of the certificate * @param issuerName the issuerName of the certificate * @throws XWSSecurityException if there was an error while trying to locate the PrivateKey */ PrivateKey getPrivateKey(Map context, BigInteger serialNumber, String issuerName) throws XWSSecurityException; /** * @return the X509Certificate corresponding to a PublicKey * * @param context a Map of application and integration-layer specific properties * @param publicKey the publicKey * @param forSign set to true if the public key is to be used for SignatureVerification * @throws XWSSecurityException if there was an error while trying to locate the PublicKey */ X509Certificate getCertificate(Map context, PublicKey publicKey, boolean forSign) throws XWSSecurityException; /** * @return the PrivateKey corresponding to a KeyIdentifier * * @param context a Map of application and integration-layer specific properties * @param keyIdentifier an Opaque identifier indicating * the X509 certificate. * @throws XWSSecurityException if there was an error while trying to locate the PrivateKey */ PrivateKey getPrivateKey(Map context, byte[] keyIdentifier) throws XWSSecurityException; PrivateKey getPrivateKey(Map context, byte[] keyIdentifier, String valueType) throws XWSSecurityException; /** * @return the PrivateKey corresponding to a PublicKey * * @param context a Map of application and integration-layer specific properties * @param publicKey the publicKey * @param forSign set to true if the purpose is Signature * @throws XWSSecurityException if there was an error while trying to locate the PrivateKey */ PrivateKey getPrivateKey(Map context, PublicKey publicKey, boolean forSign) throws XWSSecurityException; /** * @return the PublicKey corresponding to (serialNumber, issuerName) * * @param context a Map of application and integration-layer specific properties * @param serialNumber the serialNumber of the certificate * @param issuerName the issuerName of the certificate * @throws XWSSecurityException if there was an error while trying to locate the PublicKey */ PublicKey getPublicKey(Map context, BigInteger serialNumber, String issuerName) throws XWSSecurityException; /** * @return the X509Certificate corresponding to (serialNumber, issuerName) * * @param context a Map of application and integration-layer specific properties * @param serialNumber the serialNumber of the certificate * @param issuerName the issuerName of the certificate * @throws XWSSecurityException if there was an error while trying to locate the X509Certificate */ X509Certificate getCertificate(Map context, BigInteger serialNumber, String issuerName) throws XWSSecurityException; /** * Authenticate the user against a list of known username-password * pairs. * * @param context a Map of application and integration-layer specific properties * @param username the username * @param password the password * @return true if the username-password pair is valid, false otherwise * @throws XWSSecurityException if there was an error while trying to authenticate the username */ boolean authenticateUser(Map context, String username, String password) throws XWSSecurityException; /** * Authenticate the user given the password digest. * * @param context a Map of application and integration-layer specific properties * @param username the username * @param passwordDigest the digested password * @param nonce the nonce which was part of the digest * @param created the creation time which was part of the digest * @return true if the password digest is valid, false otherwise * @throws XWSSecurityException if there was an error while trying to authenticate the username */ boolean authenticateUser( Map context, String username, String passwordDigest, String nonce, String created) throws XWSSecurityException; /** * Authenticate the user given the username and context. * * @param context a Map of application and integration-layer specific properties * @param username the username * @return password if the username is valid * @throws XWSSecurityException if there was an error while trying to authenticate the username */ String authenticateUser( Map context, String username) throws XWSSecurityException; /** * @return the host/sender Subject, * null if subject is not available/initialized */ Subject getSubject(); /** * Validate the creation time. It is an error if the * creation time is older than current local time minus * TIMESTAMP_FRESHNESS_LIMIT minus MAX_CLOCK_SKEW * * @param context a Map of application and integration-layer specific properties * @param creationTime the creation-time value * @param maxClockSkew (in milliseconds) the maximum clockskew * @param timestampFreshnessLimit (in milliseconds) the limit for which timestamps * are considered fresh * @throws XWSSecurityException if there was an error while trying to validate the creationTime */ void validateCreationTime( Map context, String creationTime, long maxClockSkew, long timestampFreshnessLimit) throws XWSSecurityException; /* Validate the expiration time (wsu:Expires). It is an error if the expiration time is older than current local time minus MAX_CLOCK_SKEW @return true if this expiration time is valid * @param expirationTime the expiration-time value * @param maxClockSkew (in milliseconds) the maximum clockskew * @param timestampFreshnessLimit (in milliseconds) the limit for which timestamps * are considered fresh * @throws XWSSecurityException if there was an error while trying to validate the expirationTime */ /*public boolean validateExpirationTime( String expirationTime, long maxClockSkew, long timestampFreshnessLimit) throws XWSSecurityException;*/ /* * Validate an X509Certificate. * @return true, if the cert is a valid one, false otherwise. * @param cert the X509Certificate to be validated * @throws XWSSecurityException * if there is some problem during validation. public boolean validateCertificate(X509Certificate cert) throws XWSSecurityException; */ /** * Validate an X509Certificate. * @return true if the cert is a valid one, false otherwise. * @param cert the X509Certificate to be validated * @param context Map of application and integration-layer specific properties * @throws XWSSecurityException * if there is some problem during validation. */ boolean validateCertificate(X509Certificate cert, Map context) throws XWSSecurityException; /** * Update the public/private credentials of the subject of the party * whose username password pair is given. * @param subject the Subject of the requesting party * @param username the username of the requesting party * @param password the password of the requesting party */ void updateOtherPartySubject( Subject subject, String username, String password); /** * Update the public credentials of the subject of the party * whose certificate is given. * @param subject the Subject of the requesting party * @param cert the X509Certificate of the requesting party */ void updateOtherPartySubject( Subject subject, X509Certificate cert); /** * Update the public credentials of the subject of the party * whose Assertion is given. * @param subject the Subject of the requesting party * @param assertion the SAML Assertion of the requesting party */ void updateOtherPartySubject( Subject subject, Assertion assertion); /** * Update the public credentials of the subject of the party * whose Assertion is given. * @param subject the Subject of the requesting party * @param assertion the SAML Assertion of the requesting party */ void updateOtherPartySubject( Subject subject, XMLStreamReader assertion); /** * Update the principal/credentials of the requesting party subject * @param subject the Subject of the requesting party * @param bootStrapSubject the bootstrap Credentials (during a SecureConversation Bootstrap) of the requesting party */ void updateOtherPartySubject( Subject subject, Subject bootStrapSubject); /* The three methods below are required to insulate integrating environments * such as JSR 196 etc from XWS Policies and Dynamic Policy Callback * Also the SAML infrastructure would be different in different containers * The default implementation in JWSDP will make a DP callback, but * the notion of DP callbacks does not apply for JSR 196 */ /** * Validate the received SAML Assertion * Validations can include validating the Issuer and the Saml User, SAML Version etc. * Note: The SAML Condition (notBefore, notOnOrAfter) is validated by the XWS runtime * * @param context a Map of application and integration-layer specific properties * @param assertion the Assertion to be validated * @throws XWSSecurityException if there was an error while validating the SAML Assertion */ void validateSAMLAssertion(Map context, Element assertion) throws XWSSecurityException; /** * Validate the received SAML Assertion * Validations can include validating the Issuer and the Saml User, SAML Version etc. * Note: The SAML Condition (notBefore, notOnOrAfter) is validated by the XWS runtime * * In case HOK SAML Assertion the enveloped signature is removed from this SAML Assertion and verified. * (i,e one will not find Signature element under this SAMLAssertion) * @param context a Map of application and integration-layer specific properties * @param assertion the Assertion to be validated * @throws XWSSecurityException if there was an error while validating the SAML Assertion */ void validateSAMLAssertion(Map context, XMLStreamReader assertion) throws XWSSecurityException; /** * Locate and return a SAML Assertion, given the Authority binding and assertionId * * @param context a Map of application and integration-layer specific properties * @param binding an org.w3c.dom.Element representing the SAML AuthorityBinding * @param assertionId the Assertion ID of the SAML Assertion * @param ownerDoc the owner document into which the returned SAML Assertion should be imported to * @throws XWSSecurityException if there was an error while trying to locate the SAML Assertion */ Element locateSAMLAssertion( Map context, Element binding, String assertionId, Document ownerDoc) throws XWSSecurityException; /** * Locate and update the Policy argument with the SAML Assertion and/or the AuthorityBinding * and Assertion ID information. * The DynamicApplicationContext may contain information to be used by the implementation to make * its runtime decisions on how to obtaim the SAML Assertion * * @param fpcontext a Map of application and integration-layer specific properties * @param policy the SAML Assertion Policy to be populated * @param context the DynamicApplicationContext * @return populated SAML Assertion policy * @throws XWSSecurityException if there was an error while trying to populate the SAML Assertion Policy */ AuthenticationTokenPolicy.SAMLAssertionBinding populateSAMLPolicy(Map fpcontext, AuthenticationTokenPolicy.SAMLAssertionBinding policy, DynamicApplicationContext context) throws XWSSecurityException; /** * * @param context a Map of application and integration-layer specific properties * @return the username using UsernameCallback * @throws XWSSecurityException if there was an error while trying obtain the username */ String getUsername(Map context) throws XWSSecurityException; /** * * @param context a Map of application and integration-layer specific properties * @return the password using PasswordCallback * @throws XWSSecurityException if there was an error while trying obtain the password */ String getPassword(Map context) throws XWSSecurityException; /** * Validate the creation time. It is an error if the * creation time is older than current local time minus * TIMESTAMP_FRESHNESS_LIMIT minus MAX_CLOCK_SKEW * * @param context a Map of application and integration-layer specific properties * @param timestamp the Timestamp element * @param maxClockSkew (in milliseconds) the maximum clockskew * @param freshnessLimit (in milliseconds) the limit for which timestamps * are considered fresh * @throws XWSSecurityException if there was an error while trying validate the Timestamp */ void validateTimestamp( Map context, Timestamp timestamp, long maxClockSkew, long freshnessLimit) throws XWSSecurityException; void validateTimestamp(Map context, String created, String expires, long maxClockSkew, long freshnessLimit) throws XWSSecurityException; /** * @return any Callback Handler associated with this Environment, null otherwise */ CallbackHandler getCallbackHandler() ; /** * Validate the given nonce. It is an error if the nonce matches any * stored nonce values on the server * if there is no error then the nonce is Cached. * @return true if this nonce is valid * @param context a context containing runtime properties * @param nonce the encoded nonce value * @param created the creation time value * @param maxNonceAge the time in milliseconds for which this nonce * will be stored on the receiver. * @throws XWSSecurityException if there was an error while trying to validate the Nonce */ boolean validateAndCacheNonce(Map context, String nonce, String created, long maxNonceAge) throws XWSSecurityException; /** *@return true if the certificate is a self certificate, false otherwise */ boolean isSelfCertificate(X509Certificate cert); /** * Perform a Kerberos Login and return a Kerberos Context * KerberosContext stores the secretKey, GSSContext, kerberos BST etc */ KerberosContext doKerberosLogin()throws XWSSecurityException; /** * Perform a Kerberos Login and return a Kerberos Context * KerberosContext stores the secretKey, GSSContext, kerberos BST etc */ KerberosContext doKerberosLogin(byte[] tokenValue) throws XWSSecurityException; /** * Update the principal/credentials of the requesting party subject * @param subject the Subject of the requesting party * @param clientCred the GSSName of the requesting party */ void updateOtherPartySubject(Subject subject, GSSName clientCred, GSSCredential gssCred); }





© 2015 - 2025 Weber Informatics LLC | Privacy Policy