Package org.apache.ws.security.message

Examples of org.apache.ws.security.message.WSSecKerberosToken


        if (krbConfig == null || krbConfig.getProp() == null) {
            throw new RampartException("noKerberosConfigDefined");
        }

        WSSecKerberosToken krb = new WSSecKerberosToken();
        krb.setWsConfig(rmd.getConfig());

        log.debug("Token inclusion: " + token.getInclusion());

        RampartUtil.setKeyIdentifierType(rmd, krb, token);

        String user = null;
        String passwordFromConfig = null;
        String clientPricipal = null;
        String servicePrincipal = null;
        String password = null;
        String service = null;

        clientPricipal = (String) rmd.getMsgContext().getProperty(
                KerberosConfig.CLIENT_PRINCIPLE_NAME);
        servicePrincipal = (String) rmd.getMsgContext().getProperty(
                KerberosConfig.SERVICE_PRINCIPLE_NAME);

        if (clientPricipal == null || servicePrincipal == null) {
            // Get the user from kerberos configuration
            user = krbConfig.getProp().getProperty(KerberosConfig.CLIENT_PRINCIPLE_NAME);
            passwordFromConfig = krbConfig.getProp().getProperty(
                    KerberosConfig.CLIENT_PRINCIPLE_PASSWORD);
            if (passwordFromConfig == null) {
                passwordFromConfig = krbConfig.getProp().getProperty(
                        KerberosConfig.SERVICE_PRINCIPLE_PASSWORD);
            }

            // If kerberos user is not present, use user property as Alias
            if (user == null) {
                user = rpd.getRampartConfig().getUser();
            }

            if (user != null && !"".equals(user)) {
                log.debug("User : " + user);

                // Get the password
                CallbackHandler handler = RampartUtil.getPasswordCB(rmd);

                if (handler != null) {
                    WSPasswordCallback[] cb = { new WSPasswordCallback(user,
                            WSPasswordCallback.KERBEROS_TOKEN) };
                    try {
                        handler.handle(cb);
                        if (cb[0].getPassword() != null && !"".equals(cb[0].getPassword())) {
                            password = cb[0].getPassword();
                            log.debug("Password : " + password);
                        } else {
                            password = passwordFromConfig;
                        }
                    } catch (IOException e) {
                        throw new RampartException("errorInGettingPasswordForUser",
                                new String[] { user }, e);
                    } catch (UnsupportedCallbackException e) {
                        throw new RampartException("errorInGettingPasswordForUser",
                                new String[] { user }, e);
                    }
                } else {
                    password = passwordFromConfig;
                }

            }
            service = krbConfig.getProp().getProperty(KerberosConfig.SERVICE_PRINCIPLE_NAME);
        } else {
            user = clientPricipal;
            service = servicePrincipal;
        }

        krb.setUserInfo(user, password);
        krb.setServicePrincipalName(service);

        if (!rmd.isInitiator()) {
            krb.setReceiver(true);
        }

        try {
            krb.build(rmd.getDocument(), rmd.getSecHeader());
        } catch (WSSecurityException e) {
            throw new RampartException("errorInBuilingKereberosToken", e);
        }

        if (!rmd.isInitiator()) {
View Full Code Here


        String encrTokId = null;
        String sigTokId = null;

        org.apache.rahas.Token encrTok = null;
        org.apache.rahas.Token sigTok = null;
        WSSecKerberosToken krbToken = null;

        Element sigTokElem = null;

        Vector signatureValues = new Vector();

        if (sigToken != null) {
            if (sigToken instanceof SecureConversationToken) {
                sigTokId = rmd.getSecConvTokenId();
            } else if (sigToken instanceof IssuedToken) {
                sigTokId = rmd.getIssuedSignatureTokenId();
            } else if (sigToken instanceof X509Token) {
                if (rmd.isInitiator()) {
                    sigTokId = setupEncryptedKey(rmd, sigToken);
                } else {
                    sigTokId = getEncryptedKey(rmd);
                }
            } else if (sigToken instanceof KerberosToken) {
                Date created = new Date();
                Date expires = new Date();
                // TODO make this lifetime configurable ???
                expires.setTime(System.currentTimeMillis() + 300000);
                krbToken = getKerberosTokenBuilder(rmd, sigToken);
                sigTokId = krbToken.getBSTTokenId();
                if (rmd.isInitiator()) {
                    sigTokElem = krbToken.getBinarySecurityTokenElement();
                }
                sigTok = new EncryptedKeyToken(sigTokId, created, expires);
                sigTok.setSecret(krbToken.getSessionKey().getEncoded());
            }
        } else {
            throw new RampartException("signatureTokenMissing");
        }

        if (sigTokId == null || sigTokId.length() == 0) {
            throw new RampartException("noSecurityToken");
        }

        if (!(sigToken instanceof KerberosToken)) {

            sigTok = this.getToken(rmd, sigTokId);

            if (SPConstants.INCLUDE_TOEKN_ALWAYS == sigToken.getInclusion()
                    || SPConstants.INCLUDE_TOKEN_ONCE == sigToken.getInclusion()
                    || (rmd.isInitiator() && SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT == sigToken
                            .getInclusion())) {
                sigTokElem = RampartUtil.appendChildToSecHeader(rmd, sigTok.getToken());
            } else if ((rmd.isInitiator() && sigToken instanceof X509Token)
                    || sigToken instanceof SecureConversationToken) {
                sigTokElem = RampartUtil.appendChildToSecHeader(rmd, sigTok.getToken());
            }
        }

        if (sigTokElem != null) {
            // Set the insertion location
            this.setInsertionLocation(sigTokElem);
        }

        HashMap sigSuppTokMap = null;
        HashMap endSuppTokMap = null;
        HashMap sgndEndSuppTokMap = null;
        HashMap sgndEncSuppTokMap = null;
        HashMap endEncSuppTokMap = null;
        HashMap sgndEndEncSuppTokMap = null;

        Vector sigParts = RampartUtil.getSignedParts(rmd);

        if (this.timestampElement != null) {
            sigParts.add(new WSEncryptionPart(RampartUtil
                    .addWsuIdToElement((OMElement) this.timestampElement)));
        }

        if (rmd.isInitiator()) {
            // Now add the supporting tokens
            SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
            sigSuppTokMap = this.handleSupportingTokens(rmd, sgndSuppTokens);

            SupportingToken endSuppTokens = rpd.getEndorsingSupportingTokens();
            endSuppTokMap = this.handleSupportingTokens(rmd, endSuppTokens);

            SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
            sgndEndSuppTokMap = this.handleSupportingTokens(rmd, sgndEndSuppTokens);

            SupportingToken sgndEncryptedSuppTokens = rpd.getSignedEncryptedSupportingTokens();
            sgndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEncryptedSuppTokens);

            SupportingToken endorsingEncryptedSuppTokens = rpd
                    .getEndorsingEncryptedSupportingTokens();
            endEncSuppTokMap = this.handleSupportingTokens(rmd, endorsingEncryptedSuppTokens);

            SupportingToken sgndEndEncSuppTokens = rpd
                    .getSignedEndorsingEncryptedSupportingTokens();
            sgndEndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEndEncSuppTokens);

            Vector supportingToks = rpd.getSupportingTokensList();
            for (int i = 0; i < supportingToks.size(); i++) {
                this.handleSupportingTokens(rmd, (SupportingToken) supportingToks.get(i));
            }

            SupportingToken encryptedSupportingToks = rpd.getEncryptedSupportingTokens();
            this.handleSupportingTokens(rmd, encryptedSupportingToks);

            // Setup signature parts
            sigParts = addSignatureParts(sigSuppTokMap, sigParts);
            sigParts = addSignatureParts(sgndEncSuppTokMap, sigParts);
            sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);
            sigParts = addSignatureParts(sgndEndEncSuppTokMap, sigParts);

        } else {
            addSignatureConfirmation(rmd, sigParts);
        }

        if (sigParts.size() > 0) {
            if (sigToken instanceof KerberosToken) {
                krbToken.setParts(sigParts);
                try {
                    krbToken.signMessage();
                } catch (WSSecurityException e) {
                    throw new RampartException("errorInSignatureWithKerberosToken");
                }
                this.setInsertionLocation(RampartUtil.insertSiblingAfter(rmd,
                        this.getInsertionLocation(), krbToken.getSignatureElement()));
                signatureValues.add(krbToken.getSignatureValue());
            } else {
                // Sign the message
                signatureValues.add(this.doSymmSignature(rmd, sigToken, sigTok, sigParts));
            }

            this.mainSigId = RampartUtil.addWsuIdToElement((OMElement) this.getInsertionLocation());

        }

        if (rmd.isInitiator()) {
            // Adding the endorsing encrypted supporting tokens to endorsing supporting tokens
            endSuppTokMap.putAll(endEncSuppTokMap);
            // Do endorsed signatures
            Vector endSigVals = this.doEndorsedSignatures(rmd, endSuppTokMap);

            for (Iterator iter = endSigVals.iterator(); iter.hasNext();) {
                signatureValues.add(iter.next());
            }

            // Adding the signed endorsed encrypted tokens to signed endorsed supporting tokens
            sgndEndSuppTokMap.putAll(sgndEndEncSuppTokMap);
            // Do signed endorsing signatures
            Vector sigEndSigVals = this.doEndorsedSignatures(rmd, sgndEndSuppTokMap);
            for (Iterator iter = sigEndSigVals.iterator(); iter.hasNext();) {
                signatureValues.add(iter.next());
            }
        }

        if (tlog.isDebugEnabled()) {
            t1 = System.currentTimeMillis();
        }

        // Encryption
        Token encrToken = rpd.getEncryptionToken();
        boolean isIssuedToken = false;
        if (encrToken instanceof IssuedToken) {
            isIssuedToken = true;
        }
        Element encrTokElem = null;
        if (sigToken.equals(encrToken)) {
            // Use the same token
            encrTokId = sigTokId;
            encrTok = sigTok;
            encrTokElem = sigTokElem;
        } else {
            encrTokId = rmd.getIssuedEncryptionTokenId();
            encrTok = this.getToken(rmd, encrTokId);

            if (SPConstants.INCLUDE_TOEKN_ALWAYS == encrToken.getInclusion()
                    || SPConstants.INCLUDE_TOKEN_ONCE == encrToken.getInclusion()
                    || (rmd.isInitiator() && SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT == encrToken
                            .getInclusion())) {
                encrTokElem = (Element) encrTok.getToken();

                // Add the encrToken element before the sigToken element
                RampartUtil.insertSiblingBefore(rmd, sigTokElem, encrTokElem);
            }

        }

        Vector encrParts = RampartUtil.getEncryptedParts(rmd);

        // Check for signature protection
        if (rpd.isSignatureProtection() && this.mainSigId != null) {
            // Now encrypt the signature using the above token
            encrParts.add(new WSEncryptionPart(this.mainSigId, "Element"));
        }

        if (rmd.isInitiator()) {
            for (int i = 0; i < encryptedTokensIdList.size(); i++) {
                encrParts
                        .add(new WSEncryptionPart((String) encryptedTokensIdList.get(i), "Element"));
            }
        }

        Element refList = null;
        if (encrParts.size() > 0) {
            // The sec conv token can be used without derived keys
            if (encrToken.isDerivedKeys()) {

                try {
                    WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();

                    // Check whether it is security policy 1.2 and use the secure conversation
                    // accordingly
                    if (SPConstants.SP_V12 == encrToken.getVersion()) {
                        dkEncr.setWscVersion(ConversationConstants.VERSION_05_12);
                    }

                    if (encrTokElem != null && encrTok.getAttachedReference() != null) {

                        dkEncr.setExternalKey(encrTok.getSecret(), (Element) doc.importNode(
                                (Element) encrTok.getAttachedReference(), true));
                    } else if (encrTok.getUnattachedReference() != null) {
                        dkEncr.setExternalKey(encrTok.getSecret(), (Element) doc.importNode(
                                (Element) encrTok.getUnattachedReference(), true));
                    } else if (!rmd.isInitiator() && encrToken.isDerivedKeys()) {

                        // If the Encrypted key used to create the derived key is not
                        // attached use key identifier as defined in WSS1.1 section
                        // 7.7 Encrypted Key reference
                        SecurityTokenReference tokenRef = new SecurityTokenReference(doc);
                        if (encrTok instanceof EncryptedKeyToken) {
                            tokenRef.setKeyIdentifierEncKeySHA1(((EncryptedKeyToken) encrTok)
                                    .getSHA1());
                        }
                        dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement());

                    } else {
                        dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId());
                    }

                    if (encrTok instanceof EncryptedKeyToken) {
                        dkEncr.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
                                + WSConstants.ENC_KEY_VALUE_TYPE);
                    }

                    dkEncr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
                    dkEncr.setDerivedKeyLength(rpd.getAlgorithmSuite()
                            .getEncryptionDerivedKeyLength() / 8);
                    dkEncr.prepare(doc);
                    Element encrDKTokenElem = null;
                    encrDKTokenElem = dkEncr.getdktElement();
                    if (encrTokElem != null) {
                        RampartUtil.insertSiblingAfter(rmd, encrTokElem, encrDKTokenElem);
                    } else if (timestampElement != null) {
                        RampartUtil.insertSiblingAfter(rmd, this.timestampElement, encrDKTokenElem);
                    } else {
                        RampartUtil.insertSiblingBefore(rmd, this.getInsertionLocation(),
                                encrDKTokenElem);
                    }

                    refList = dkEncr.encryptForExternalRef(null, encrParts);

                    RampartUtil.insertSiblingAfter(rmd, encrDKTokenElem, refList);

                } catch (WSSecurityException e) {
                    throw new RampartException("errorInDKEncr");
                } catch (ConversationException e) {
                    throw new RampartException("errorInDKEncr");
                }
            } else {
                try {

                    WSSecEncrypt encr = new WSSecEncrypt();

                    encr.setWsConfig(rmd.getConfig());
                    // Hack to handle reference id issues
                    // TODO Need a better fix
                    if (encrTokId.startsWith("#")) {
                        encrTokId = encrTokId.substring(1);
                    }
                    encr.setEncKeyId(encrTokId);

                    if (krbToken == null) {
                        encr.setEphemeralKey(encrTok.getSecret());
                        RampartUtil.setEncryptionUser(rmd, encr);
                        encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
                    } else {
                        if (encrTok != null) {
                            byte[] secret = encrTok.getSecret();
                            int factor = 0;
                            if (rmd.getPolicyData().getRampartConfig() != null) {
                                KerberosConfig config = null;
                                String fac = null;
                                config = rmd.getPolicyData().getRampartConfig().getKerberosConfig();
                                if ((fac = config.getProp().getProperty(
                                        KerberosConfig.KDC_DES_AES_FACTOR)) != null) {
                                    try {
                                        factor = Integer.parseInt(fac);
                                    } catch (Exception e) {
                                        factor = 0;
                                    }
                                }
                            }

                            if (factor > 1) {
                                byte[] newSecret = new byte[secret.length * 4];
                                int j = 0;
                                for (int i = 0; i < newSecret.length; i++) {
                                    newSecret[i] = secret[j++];
                                    if (j == secret.length)
                                        j = 0;
                                }
                                encr.setEphemeralKey(newSecret);
                                encrTok.setSecret(newSecret);
                            } else {
                                encr.setEphemeralKey(secret);
                                encrTok.setSecret(secret);
                            }
                            ((EncryptedKeyToken) encrTok).setSHA1(krbToken.getKrbSession()
                                    .getThumbPrintEncoded());
                            try {
                                rmd.getTokenStorage().add(sigTok);
                            } catch (TrustException e) {
                                throw new RampartException("errorAddingKerbTokenToStore");
View Full Code Here

TOP

Related Classes of org.apache.ws.security.message.WSSecKerberosToken

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.