19 package org.apache.wss4j.stax.impl.processor.input;
20
21 import java.util.Deque;
22 import java.util.List;
23
24 import jakarta.xml.bind.JAXBElement;
25 import javax.xml.namespace.QName;
26
27 import org.apache.wss4j.binding.wss10.BinarySecurityTokenType;
28 import org.apache.wss4j.common.bsp.BSPRule;
29 import org.apache.wss4j.common.ext.WSSecurityException;
30 import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
31 import org.apache.wss4j.stax.ext.WSSConstants;
32 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
33 import org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent;
34 import org.apache.wss4j.stax.securityEvent.X509TokenSecurityEvent;
35 import org.apache.wss4j.stax.securityToken.KerberosServiceSecurityToken;
36 import org.apache.wss4j.stax.securityToken.X509SecurityToken;
37 import org.apache.wss4j.stax.validate.BinarySecurityTokenValidator;
38 import org.apache.wss4j.stax.validate.BinarySecurityTokenValidatorImpl;
39 import org.apache.wss4j.stax.validate.TokenContext;
40 import org.apache.xml.security.exceptions.XMLSecurityException;
41 import org.apache.xml.security.stax.ext.AbstractInputSecurityHeaderHandler;
42 import org.apache.xml.security.stax.ext.InputProcessorChain;
43 import org.apache.xml.security.stax.ext.XMLSecurityProperties;
44 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
45 import org.apache.xml.security.stax.impl.util.IDGenerator;
46 import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
47 import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
48 import org.apache.xml.security.stax.securityToken.SecurityToken;
49 import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
50
51
52
53
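/**
 * Input handler for a {@code wsse:BinarySecurityToken} element found in the security header.
 *
 * <p>The element is unmarshalled into a {@link BinarySecurityTokenType}, checked against the
 * Basic Security Profile rules for encoding and value type, handed to the configured
 * {@link BinarySecurityTokenValidator} (or {@link BinarySecurityTokenValidatorImpl} when none is
 * configured), registered with the inbound security context under the element's id, and finally
 * announced as either an X.509 or a Kerberos token security event depending on its
 * {@code ValueType}.
 */
public class BinarySecurityTokenInputHandler extends AbstractInputSecurityHeaderHandler {

    /**
     * Processes one {@code wsse:BinarySecurityToken} element.
     *
     * @param inputProcessorChain the processor chain; its security context is expected to be a
     *                            {@link WSInboundSecurityContext}
     * @param securityProperties  the inbound security properties; expected to be a
     *                            {@link WSSSecurityProperties}
     * @param eventQueue          the buffered StAX events of the security header
     * @param index               position of the BinarySecurityToken element within {@code eventQueue}
     * @throws XMLSecurityException if the element cannot be parsed, a BSP violation is treated as
     *                              fatal, the validator rejects the token, the {@code ValueType} is
     *                              missing or unsupported, or the validator produced a token whose
     *                              Java type does not match the declared {@code ValueType}
     */
    @Override
    public void handle(final InputProcessorChain inputProcessorChain, final XMLSecurityProperties securityProperties,
                       final Deque<XMLSecEvent> eventQueue, final Integer index) throws XMLSecurityException {
        @SuppressWarnings("unchecked")
        final BinarySecurityTokenType binarySecurityTokenType =
            ((JAXBElement<BinarySecurityTokenType>) parseStructure(eventQueue, index, securityProperties)).getValue();

        checkBSPCompliance(inputProcessorChain, binarySecurityTokenType);

        // A missing wsu:Id is tolerated: generate one so the token can still be registered with
        // the security context and used as the correlation id of the security event below.
        if (binarySecurityTokenType.getId() == null) {
            binarySecurityTokenType.setId(IDGenerator.generateID(null));
        }

        final WSInboundSecurityContext wsInboundSecurityContext =
            (WSInboundSecurityContext) inputProcessorChain.getSecurityContext();
        final WSSSecurityProperties wssSecurityProperties = (WSSSecurityProperties) securityProperties;
        final List<QName> elementPath = getElementPath(eventQueue);
        final List<XMLSecEvent> xmlSecEvents = getResponsibleXMLSecEvents(eventQueue, index);

        final TokenContext tokenContext =
            new TokenContext(wssSecurityProperties, wsInboundSecurityContext, xmlSecEvents, elementPath);

        // A user-supplied validator takes precedence; the default implementation is the fallback.
        BinarySecurityTokenValidator binarySecurityTokenValidator =
            wssSecurityProperties.getValidator(WSSConstants.TAG_WSSE_BINARY_SECURITY_TOKEN);
        if (binarySecurityTokenValidator == null) {
            binarySecurityTokenValidator = new BinarySecurityTokenValidatorImpl();
        }
        final InboundSecurityToken binarySecurityToken =
            binarySecurityTokenValidator.validate(binarySecurityTokenType, tokenContext);

        // Expose the validated token to later processors (signature/encryption references) by id.
        final SecurityTokenProvider<InboundSecurityToken> securityTokenProvider =
            new SecurityTokenProvider<InboundSecurityToken>() {
                @Override
                public InboundSecurityToken getSecurityToken() throws XMLSecurityException {
                    return binarySecurityToken;
                }

                @Override
                public String getId() {
                    return binarySecurityToken.getId();
                }
            };

        wsInboundSecurityContext.registerSecurityTokenProvider(binarySecurityTokenType.getId(), securityTokenProvider);

        final TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent =
            createTokenSecurityEvent(binarySecurityTokenType.getValueType(), binarySecurityToken);
        tokenSecurityEvent.setCorrelationID(binarySecurityTokenType.getId());
        wsInboundSecurityContext.registerSecurityEvent(tokenSecurityEvent);
    }

    /**
     * Builds the token security event that matches the token's declared {@code ValueType}.
     *
     * <p>{@code valueType} comes straight from the message and may be {@code null}: the BSP check
     * only reports a missing ValueType (R3031) and that report may be configured as non-fatal, so a
     * null value is rejected here instead of surfacing as a {@link NullPointerException}. Likewise
     * the token is produced by a possibly user-supplied validator, so its Java type is checked
     * before casting instead of letting a {@link ClassCastException} escape.
     *
     * @param valueType the {@code ValueType} attribute of the BinarySecurityToken, possibly null
     * @param token     the token returned by the validator
     * @return an {@link X509TokenSecurityEvent} or {@link KerberosTokenSecurityEvent} wrapping {@code token}
     * @throws WSSecurityException if the value type is missing or unsupported, or the token's type
     *                             does not correspond to the value type
     */
    private static TokenSecurityEvent<? extends SecurityToken> createTokenSecurityEvent(
            final String valueType, final InboundSecurityToken token) throws WSSecurityException {
        if (valueType != null && valueType.startsWith(WSSConstants.NS_X509TOKEN_PROFILE)) {
            if (!(token instanceof X509SecurityToken)) {
                throw invalidValueType(valueType);
            }
            final X509TokenSecurityEvent x509TokenSecurityEvent = new X509TokenSecurityEvent();
            x509TokenSecurityEvent.setSecurityToken((X509SecurityToken) token);
            return x509TokenSecurityEvent;
        }
        if (valueType != null && valueType.startsWith(WSSConstants.NS_KERBEROS11_TOKEN_PROFILE)) {
            if (!(token instanceof KerberosServiceSecurityToken)) {
                throw invalidValueType(valueType);
            }
            final KerberosTokenSecurityEvent kerberosTokenSecurityEvent = new KerberosTokenSecurityEvent();
            kerberosTokenSecurityEvent.setSecurityToken((KerberosServiceSecurityToken) token);
            return kerberosTokenSecurityEvent;
        }
        throw invalidValueType(valueType);
    }

    /**
     * Creates the exception raised for a missing, unsupported or mismatched {@code ValueType}.
     *
     * @param valueType the offending value type (may be null)
     * @return an INVALID_SECURITY_TOKEN exception carrying the value type as message argument
     */
    private static WSSecurityException invalidValueType(final String valueType) {
        return new WSSecurityException(
            WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "invalidValueType",
            new Object[] {valueType});
    }

    /**
     * Reports Basic Security Profile violations on the token's {@code EncodingType} and
     * {@code ValueType} attributes to the security context.
     *
     * <p>Whether a reported rule is fatal or merely logged is decided by
     * {@link WSInboundSecurityContext#handleBSPRule}; this method does not assume either. Note that
     * a missing EncodingType reports both R3029 (attribute absent) and R3030 (not Base64Binary).
     *
     * @param inputProcessorChain     the processor chain whose security context receives the reports
     * @param binarySecurityTokenType the parsed token element
     * @throws WSSecurityException if the security context treats a reported rule as fatal
     */
    private void checkBSPCompliance(InputProcessorChain inputProcessorChain, BinarySecurityTokenType binarySecurityTokenType)
        throws WSSecurityException {

        final WSInboundSecurityContext securityContext = (WSInboundSecurityContext) inputProcessorChain.getSecurityContext();
        final String encodingType = binarySecurityTokenType.getEncodingType();
        if (encodingType == null) {
            securityContext.handleBSPRule(BSPRule.R3029);
        }
        if (!WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING.equals(encodingType)) {
            securityContext.handleBSPRule(BSPRule.R3030);
        }
        if (binarySecurityTokenType.getValueType() == null) {
            securityContext.handleBSPRule(BSPRule.R3031);
        }
    }
}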