| /* |
| * Copyright 2004,2005 The Apache Software Foundation. |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.apache.rampart.util; |
| |
| import java.security.NoSuchAlgorithmException; |
| import java.security.cert.X509Certificate; |
| import java.util.ArrayList; |
| import java.util.Hashtable; |
| import java.util.Properties; |
| import java.util.Vector; |
| |
| import javax.crypto.KeyGenerator; |
| import javax.security.auth.callback.Callback; |
| import javax.security.auth.callback.CallbackHandler; |
| import javax.xml.namespace.QName; |
| |
| import java.security.NoSuchAlgorithmException; |
| import java.security.cert.X509Certificate; |
| import java.util.ArrayList; |
| import java.util.HashSet; |
| import java.util.Hashtable; |
| import java.util.Iterator; |
| import java.util.List; |
| import java.util.Properties; |
| import java.util.Set; |
| import java.util.Vector; |
| |
| import javax.crypto.KeyGenerator; |
| import javax.security.auth.callback.Callback; |
| import javax.security.auth.callback.CallbackHandler; |
| import javax.xml.namespace.QName; |
| |
| import org.apache.axiom.om.OMAbstractFactory; |
| import org.apache.axiom.om.OMAttribute; |
| import org.apache.axiom.om.OMElement; |
| import org.apache.axiom.om.OMFactory; |
| import org.apache.axiom.om.OMNamespace; |
| import org.apache.axiom.om.xpath.AXIOMXPath; |
| import org.apache.axiom.soap.SOAPEnvelope; |
| import org.apache.axiom.soap.SOAPHeader; |
| import org.apache.axiom.soap.SOAPHeaderBlock; |
| import org.apache.axis2.context.MessageContext; |
| import org.apache.axis2.description.Parameter; |
| import org.apache.commons.logging.Log; |
| import org.apache.commons.logging.LogFactory; |
| import org.apache.neethi.Policy; |
| import org.apache.rahas.RahasConstants; |
| import org.apache.rahas.Token; |
| import org.apache.rahas.TrustException; |
| import org.apache.rahas.TrustUtil; |
| import org.apache.rahas.client.STSClient; |
| import org.apache.rampart.RampartException; |
| import org.apache.rampart.RampartMessageData; |
| import org.apache.rampart.policy.RampartPolicyData; |
| import org.apache.rampart.policy.model.CryptoConfig; |
| import org.apache.rampart.policy.model.RampartConfig; |
| import org.apache.ws.secpolicy.Constants; |
| import org.apache.ws.secpolicy.model.IssuedToken; |
| import org.apache.ws.secpolicy.model.SecureConversationToken; |
| import org.apache.ws.secpolicy.model.X509Token; |
| import org.apache.ws.security.WSConstants; |
| import org.apache.ws.security.WSEncryptionPart; |
| import org.apache.ws.security.WSPasswordCallback; |
| import org.apache.ws.security.WSSecurityEngineResult; |
| import org.apache.ws.security.WSSecurityException; |
| import org.apache.ws.security.components.crypto.Crypto; |
| import org.apache.ws.security.components.crypto.CryptoFactory; |
| import org.apache.ws.security.conversation.ConversationConstants; |
| import org.apache.ws.security.conversation.ConversationException; |
| import org.apache.ws.security.handler.WSHandlerConstants; |
| import org.apache.ws.security.handler.WSHandlerResult; |
| import org.apache.ws.security.message.WSSecEncryptedKey; |
| import org.apache.ws.security.util.Loader; |
| import org.jaxen.JaxenException; |
| import org.jaxen.XPath; |
| import org.w3c.dom.Element; |
| import org.w3c.dom.Node; |
| |
| public class RampartUtil { |
| |
| private static final String CRYPTO_PROVIDER = "org.apache.ws.security.crypto.provider"; |
| private static Log log = LogFactory.getLog(RampartUtil.class); |
| |
| |
| public static CallbackHandler getPasswordCB(RampartMessageData rmd) throws RampartException { |
| |
| MessageContext msgContext = rmd.getMsgContext(); |
| RampartPolicyData rpd = rmd.getPolicyData(); |
| |
| return getPasswordCB(msgContext, rpd); |
| } |
| |
| /** |
| * @param msgContext |
| * @param rpd |
| * @return The <code>CallbackHandler</code> instance |
| * @throws RampartException |
| */ |
| public static CallbackHandler getPasswordCB(MessageContext msgContext, RampartPolicyData rpd) throws RampartException { |
| |
| CallbackHandler cbHandler; |
| |
| if (rpd.getRampartConfig() != null && rpd.getRampartConfig().getPwCbClass() != null) { |
| |
| String cbHandlerClass = rpd.getRampartConfig().getPwCbClass(); |
| ClassLoader classLoader = msgContext.getAxisService().getClassLoader(); |
| |
| log.debug("loading class : " + cbHandlerClass); |
| |
| Class cbClass; |
| try { |
| cbClass = Loader.loadClass(classLoader, cbHandlerClass); |
| } catch (ClassNotFoundException e) { |
| throw new RampartException("cannotLoadPWCBClass", |
| new String[]{cbHandlerClass}, e); |
| } |
| try { |
| cbHandler = (CallbackHandler) cbClass.newInstance(); |
| } catch (java.lang.Exception e) { |
| throw new RampartException("cannotCreatePWCBInstance", |
| new String[]{cbHandlerClass}, e); |
| } |
| } else { |
| cbHandler = (CallbackHandler) msgContext.getProperty( |
| WSHandlerConstants.PW_CALLBACK_REF); |
| if(cbHandler == null) { |
| Parameter param = msgContext.getParameter( |
| WSHandlerConstants.PW_CALLBACK_REF); |
| cbHandler = (CallbackHandler)param.getValue(); |
| } |
| } |
| |
| return cbHandler; |
| } |
| |
| /** |
| * Perform a callback to get a password. |
| * <p/> |
| * The called back function gets an indication why to provide a password: |
| * to produce a UsernameToken, Signature, or a password (key) for a given |
| * name. |
| */ |
| public static WSPasswordCallback performCallback(CallbackHandler cbHandler, |
| String username, |
| int doAction) |
| throws RampartException { |
| |
| WSPasswordCallback pwCb; |
| int reason = 0; |
| |
| switch (doAction) { |
| case WSConstants.UT: |
| case WSConstants.UT_SIGN: |
| reason = WSPasswordCallback.USERNAME_TOKEN; |
| break; |
| case WSConstants.SIGN: |
| reason = WSPasswordCallback.SIGNATURE; |
| break; |
| case WSConstants.ENCR: |
| reason = WSPasswordCallback.KEY_NAME; |
| break; |
| } |
| pwCb = new WSPasswordCallback(username, reason); |
| Callback[] callbacks = new Callback[1]; |
| callbacks[0] = pwCb; |
| /* |
| * Call back the application to get the password |
| */ |
| try { |
| cbHandler.handle(callbacks); |
| } catch (Exception e) { |
| throw new RampartException("pwcbFailed", e); |
| } |
| return pwCb; |
| } |
| |
| /** |
| * Create the <code>Crypto</code> instance for encryption using information |
| * from the rampart configuration assertion |
| * |
| * @param config |
| * @return The <code>Crypto</code> instance to be used for encryption |
| * @throws RampartException |
| */ |
| public static Crypto getEncryptionCrypto(RampartConfig config, ClassLoader loader) |
| throws RampartException { |
| log.debug("Loading encryption crypto"); |
| |
| if(config != null && config.getEncrCryptoConfig() != null) { |
| CryptoConfig cryptoConfig = config.getEncrCryptoConfig(); |
| String provider = cryptoConfig.getProvider(); |
| log.debug("Usig provider: " + provider); |
| Properties prop = cryptoConfig.getProp(); |
| prop.put(CRYPTO_PROVIDER, provider); |
| return CryptoFactory.getInstance(prop, loader); |
| } else { |
| log.debug("Trying the signature crypto info"); |
| |
| //Try using signature crypto infomation |
| if(config != null && config.getSigCryptoConfig() != null) { |
| CryptoConfig cryptoConfig = config.getSigCryptoConfig(); |
| String provider = cryptoConfig.getProvider(); |
| log.debug("Usig provider: " + provider); |
| Properties prop = cryptoConfig.getProp(); |
| prop.put(CRYPTO_PROVIDER, provider); |
| return CryptoFactory.getInstance(prop, loader); |
| } else { |
| return null; |
| } |
| } |
| } |
| |
| /** |
| * Create the <code>Crypto</code> instance for signature using information |
| * from the rampart configuration assertion |
| * |
| * @param config |
| * @return The <code>Crypto</code> instance to be used for signature |
| * @throws RampartException |
| */ |
| public static Crypto getSignatureCrypto(RampartConfig config, ClassLoader loader) |
| throws RampartException { |
| log.debug("Loading Signature crypto"); |
| |
| if(config != null && config.getSigCryptoConfig() != null) { |
| CryptoConfig cryptoConfig = config.getSigCryptoConfig(); |
| String provider = cryptoConfig.getProvider(); |
| log.debug("Usig provider: " + provider); |
| Properties prop = cryptoConfig.getProp(); |
| prop.put(CRYPTO_PROVIDER, provider); |
| return CryptoFactory.getInstance(prop, loader); |
| } else { |
| return null; |
| } |
| } |
| |
| |
| /** |
| * figureout the key identifier of a give X509Token |
| * @param token |
| * @return The key identifier of a give X509Token |
| * @throws RampartException |
| */ |
| public static int getKeyIdentifier(X509Token token) throws RampartException { |
| if (token.isRequireIssuerSerialReference()) { |
| return WSConstants.ISSUER_SERIAL; |
| } else if (token.isRequireThumbprintReference()) { |
| return WSConstants.THUMBPRINT_IDENTIFIER; |
| } else if (token.isRequireEmbeddedTokenReference()) { |
| return WSConstants.BST_DIRECT_REFERENCE; |
| } else { |
| throw new RampartException( |
| "unknownKeyRefSpeficier"); |
| |
| } |
| } |
| |
| /** |
| * Process a give issuer address element and return the address. |
| * @param issuerAddress |
| * @return The address of an issuer address element |
| * @throws RampartException If the issuer address element is malformed. |
| */ |
| public static String processIssuerAddress(OMElement issuerAddress) |
| throws RampartException { |
| if(issuerAddress != null && issuerAddress.getText() != null && |
| !"".equals(issuerAddress.getText())) { |
| return issuerAddress.getText().trim(); |
| } else { |
| throw new RampartException("invalidIssuerAddress", |
| new String[] { issuerAddress.toString() }); |
| } |
| } |
| |
| |
| public static OMElement createRSTTempalteForSCT(int conversationVersion, |
| int wstVersion) throws RampartException { |
| try { |
| log.debug("Creating RSTTemplate for an SCT request"); |
| OMFactory fac = OMAbstractFactory.getOMFactory(); |
| |
| OMNamespace wspNs = fac.createOMNamespace(Constants.SP_NS, "wsp"); |
| OMElement rstTempl = fac.createOMElement( |
| Constants.REQUEST_SECURITY_TOKEN_TEMPLATE.getLocalPart(), |
| wspNs); |
| |
| //Create TokenType element and set the value |
| OMElement tokenTypeElem = TrustUtil.createTokenTypeElement( |
| wstVersion, rstTempl); |
| String tokenType = ConversationConstants |
| .getWSCNs(conversationVersion) |
| + ConversationConstants.TOKEN_TYPE_SECURITY_CONTEXT_TOKEN; |
| tokenTypeElem.setText(tokenType); |
| |
| return rstTempl; |
| } catch (TrustException e) { |
| throw new RampartException("errorCreatingRSTTemplateForSCT", e); |
| } catch (ConversationException e) { |
| throw new RampartException("errorCreatingRSTTemplateForSCT", e); |
| } |
| } |
| |
| |
| public static int getTimeToLive(RampartMessageData messageData) { |
| |
| RampartConfig rampartConfig = messageData.getPolicyData().getRampartConfig(); |
| if (rampartConfig != null) { |
| String ttl = rampartConfig.getTimestampTTL(); |
| int ttl_i = 0; |
| if (ttl != null) { |
| try { |
| ttl_i = Integer.parseInt(ttl); |
| } catch (NumberFormatException e) { |
| ttl_i = messageData.getTimeToLive(); |
| } |
| } |
| if (ttl_i <= 0) { |
| ttl_i = messageData.getTimeToLive(); |
| } |
| return ttl_i; |
| } else { |
| return RampartConfig.DEFAULT_TIMESTAMP_TTL; |
| } |
| } |
| |
| public static int getTimestampMaxSkew(RampartMessageData messageData) { |
| |
| RampartConfig rampartConfig = messageData.getPolicyData().getRampartConfig(); |
| if (rampartConfig != null) { |
| String maxSkew = rampartConfig.getTimestampMaxSkew(); |
| int maxSkew_i = 0; |
| if (maxSkew != null) { |
| try { |
| maxSkew_i = Integer.parseInt(maxSkew); |
| } catch (NumberFormatException e) { |
| maxSkew_i = messageData.getTimestampMaxSkew(); |
| } |
| } |
| if (maxSkew_i < 0) { |
| maxSkew_i = 0; |
| } |
| return maxSkew_i; |
| } else { |
| return RampartConfig.DEFAULT_TIMESTAMP_MAX_SKEW; |
| } |
| } |
| |
| /** |
| * Obtain a security context token. |
| * @param rmd |
| * @param secConvTok |
| * @return Return the SecurityContextidentifier of the token |
| * @throws TrustException |
| * @throws RampartException |
| */ |
| public static String getSecConvToken(RampartMessageData rmd, |
| SecureConversationToken secConvTok) throws TrustException, |
| RampartException { |
| String action = TrustUtil.getActionValue( |
| rmd.getWstVersion(), |
| RahasConstants.RST_ACTION_SCT); |
| |
| // Get sts epr |
| OMElement issuerEpr = secConvTok.getIssuerEpr(); |
| String issuerEprAddress = rmd.getMsgContext().getTo().getAddress(); |
| if(issuerEpr != null) { |
| issuerEprAddress = RampartUtil.processIssuerAddress(issuerEpr); |
| } |
| |
| //Find SC version |
| int conversationVersion = rmd.getSecConvVersion(); |
| |
| OMElement rstTemplate = RampartUtil.createRSTTempalteForSCT( |
| conversationVersion, |
| rmd.getWstVersion()); |
| |
| Policy stsPolicy = null; |
| |
| //Try boot strap policy |
| Policy bsPol = secConvTok.getBootstrapPolicy(); |
| |
| if(bsPol != null) { |
| log.debug("BootstrapPolicy found"); |
| bsPol.addAssertion(rmd.getPolicyData().getRampartConfig()); |
| stsPolicy = bsPol; |
| } else { |
| //No bootstrap policy use issuer policy |
| log.debug("No bootstrap policy, using issuer policy"); |
| stsPolicy = rmd.getPolicyData().getIssuerPolicy(); |
| } |
| |
| String id = getToken(rmd, rstTemplate, |
| issuerEprAddress, action, stsPolicy); |
| |
| log.debug("SecureConversationToken obtained: id=" + id); |
| return id; |
| } |
| |
| |
| /** |
| * Obtain an issued token. |
| * @param rmd |
| * @param issuedToken |
| * @return The identifier of the issued token |
| * @throws RampartException |
| */ |
| public static String getIssuedToken(RampartMessageData rmd, |
| IssuedToken issuedToken) throws RampartException { |
| |
| try { |
| |
| //TODO : Provide the overriding mechanism to prvide a custom way of |
| //obtianing a token |
| |
| String action = TrustUtil.getActionValue(rmd.getWstVersion(), |
| RahasConstants.RST_ACTION_ISSUE); |
| |
| // Get sts epr |
| String issuerEprAddress = RampartUtil.processIssuerAddress(issuedToken |
| .getIssuerEpr()); |
| |
| OMElement rstTemplate = issuedToken.getRstTemplate(); |
| |
| // Get STS policy |
| Policy stsPolicy = rmd.getPolicyData().getIssuerPolicy(); |
| |
| String id = getToken(rmd, rstTemplate, issuerEprAddress, action, |
| stsPolicy); |
| |
| log.debug("Issued token obtained: id=" + id); |
| return id; |
| } catch (TrustException e) { |
| throw new RampartException("errorInObtainingToken", e); |
| } |
| } |
| |
| /** |
| * Request a token. |
| * @param rmd |
| * @param rstTemplate |
| * @param issuerEpr |
| * @param action |
| * @param issuerPolicy |
| * @return Return the identifier of the obtained token |
| * @throws RampartException |
| */ |
| public static String getToken(RampartMessageData rmd, OMElement rstTemplate, |
| String issuerEpr, String action, Policy issuerPolicy) throws RampartException { |
| |
| try { |
| Axis2Util.useDOOM(false); |
| |
| STSClient client = new STSClient(rmd.getMsgContext() |
| .getConfigurationContext()); |
| // Set request action |
| client.setAction(action); |
| |
| client.setRstTemplate(rstTemplate); |
| |
| // Set crypto information |
| Crypto crypto = RampartUtil.getSignatureCrypto(rmd.getPolicyData().getRampartConfig(), |
| rmd.getMsgContext().getAxisService().getClassLoader()); |
| CallbackHandler cbh = RampartUtil.getPasswordCB(rmd); |
| client.setCryptoInfo(crypto, cbh); |
| |
| // Get service policy |
| Policy servicePolicy = rmd.getServicePolicy(); |
| |
| // Get service epr |
| String servceEprAddress = rmd.getMsgContext() |
| .getOptions().getTo().getAddress(); |
| |
| //Make the request |
| org.apache.rahas.Token rst = |
| client.requestSecurityToken(servicePolicy, |
| issuerEpr, |
| issuerPolicy, |
| servceEprAddress); |
| |
| //Add the token to token storage |
| rst.setState(Token.ISSUED); |
| rmd.getTokenStorage().add(rst); |
| Axis2Util.useDOOM(true); |
| return rst.getId(); |
| } catch (Exception e) { |
| throw new RampartException("errorInObtainingToken", e); |
| } |
| } |
| |
| public static String getSoapBodyId(SOAPEnvelope env) { |
| return addWsuIdToElement(env.getBody()); |
| } |
| |
| public static String addWsuIdToElement(OMElement elem) { |
| String id; |
| |
| //first try to get the Id attr |
| OMAttribute idAttr = elem.getAttribute(new QName("Id")); |
| if(idAttr == null) { |
| //then try the wsu:Id value |
| idAttr = elem.getAttribute(new QName(WSConstants.WSU_NS, "Id")); |
| } |
| |
| if(idAttr != null) { |
| id = idAttr.getAttributeValue(); |
| } else { |
| //Add an id |
| OMNamespace ns = elem.getOMFactory().createOMNamespace( |
| WSConstants.WSU_NS, WSConstants.WSU_PREFIX); |
| id = "Id-" + elem.hashCode(); |
| idAttr = elem.getOMFactory().createOMAttribute("Id", ns, id); |
| elem.addAttribute(idAttr); |
| } |
| |
| return id; |
| } |
| |
| public static Element appendChildToSecHeader(RampartMessageData rmd, |
| OMElement elem) { |
| return appendChildToSecHeader(rmd, (Element)elem); |
| } |
| |
| public static Element appendChildToSecHeader(RampartMessageData rmd, |
| Element elem) { |
| Element secHeaderElem = rmd.getSecHeader().getSecurityHeader(); |
| Node node = secHeaderElem.getOwnerDocument().importNode( |
| elem, true); |
| return (Element)secHeaderElem.appendChild(node); |
| } |
| |
| public static Element insertSiblingAfter(RampartMessageData rmd, |
| Element child, Element sibling) { |
| if (child == null) { |
| return appendChildToSecHeader(rmd, sibling); |
| } else { |
| if (child.getOwnerDocument().equals(sibling.getOwnerDocument())) { |
| |
| if (child.getParentNode() == null |
| && !child.getLocalName().equals("UsernameToken")) { |
| rmd.getSecHeader().getSecurityHeader().appendChild(child); |
| } |
| ((OMElement) child).insertSiblingAfter((OMElement) sibling); |
| return sibling; |
| } else { |
| Element newSib = (Element) child.getOwnerDocument().importNode( |
| sibling, true); |
| ((OMElement) child).insertSiblingAfter((OMElement) newSib); |
| return newSib; |
| } |
| } |
| } |
| |
| public static Element insertSiblingBefore(RampartMessageData rmd, Element child, Element sibling) { |
| if(child == null) { |
| return appendChildToSecHeader(rmd, sibling); |
| } else { |
| if(child.getOwnerDocument().equals(sibling.getOwnerDocument())) { |
| ((OMElement)child).insertSiblingBefore((OMElement)sibling); |
| return sibling; |
| } else { |
| Element newSib = (Element)child.getOwnerDocument().importNode(sibling, true); |
| ((OMElement)child).insertSiblingBefore((OMElement)newSib); |
| return newSib; |
| } |
| } |
| |
| } |
| |
| public static Vector getEncryptedParts(RampartMessageData rmd) { |
| RampartPolicyData rpd = rmd.getPolicyData(); |
| SOAPEnvelope envelope = rmd.getMsgContext().getEnvelope(); |
| return getPartsAndElements(false, envelope, rpd.isEncryptBody(), rpd.getEncryptedParts(), rpd.getEncryptedElements() ); |
| } |
| |
| public static Vector getSignedParts(RampartMessageData rmd) { |
| RampartPolicyData rpd = rmd.getPolicyData(); |
| SOAPEnvelope envelope = rmd.getMsgContext().getEnvelope(); |
| return getPartsAndElements(true, envelope, rpd.isSignBody(), rpd.getSignedParts(), rpd.getSignedElements() ); |
| } |
| |
| private static Set findAllPrefixNamespaces(OMElement currentElement) |
| { |
| Set results = new HashSet(); |
| Iterator iter = null; |
| |
| findPrefixNamespaces(currentElement,results); |
| |
| return results; |
| } |
| |
| private static void findPrefixNamespaces(OMElement e, Set results) |
| { |
| |
| Iterator iter = e.getAllDeclaredNamespaces(); |
| |
| if (iter!=null) |
| { |
| while (iter.hasNext()) |
| results.add(iter.next()); |
| } |
| |
| Iterator children = e.getChildElements(); |
| |
| while (children.hasNext()) |
| { |
| findPrefixNamespaces((OMElement)children.next(), results); |
| } |
| } |
| |
| private static List findDefaultPrefixNamespaces(OMElement e) |
| { |
| List namespaces = new ArrayList(); |
| OMFactory factory = e.getOMFactory(); |
| // put default namespaces here (sp, soapenv, wsu, etc...) |
| namespaces.add(factory.createOMNamespace(WSConstants.ENC_PREFIX, WSConstants.ENC_NS)); |
| namespaces.add(factory.createOMNamespace(WSConstants.SIG_PREFIX, WSConstants.SIG_NS)); |
| namespaces.add(factory.createOMNamespace(WSConstants.WSSE_PREFIX, WSConstants.WSSE_NS)); |
| namespaces.add(factory.createOMNamespace(WSConstants.WSU_PREFIX, WSConstants.WSU_NS)); |
| |
| return namespaces; |
| |
| } |
| |
| private static Vector getPartsAndElements(boolean sign, SOAPEnvelope envelope, boolean includeBody, Vector parts, Vector elements) { |
| |
| Vector found = new Vector(); |
| Vector result = new Vector(); |
| |
| // check body |
| if(includeBody) { |
| if( sign ) { |
| result.add(new WSEncryptionPart(addWsuIdToElement(envelope.getBody()))); |
| } else { |
| result.add(new WSEncryptionPart(addWsuIdToElement(envelope.getBody()), "Content")); |
| } |
| found.add( envelope.getBody() ); |
| } |
| |
| // Search envelope header for 'parts' from Policy (SignedParts/EncryptedParts) |
| |
| SOAPHeader header = envelope.getHeader(); |
| |
| for(int i=0; i<parts.size(); i++) { |
| WSEncryptionPart wsep = (WSEncryptionPart) parts.get( i ); |
| if( wsep.getName() == null ) { |
| // NO name - search by namespace |
| ArrayList headerList = header.getHeaderBlocksWithNSURI( wsep.getNamespace() ); |
| |
| for(int j=0; j<headerList.size(); j++) { |
| SOAPHeaderBlock shb = (SOAPHeaderBlock) headerList.get( j ); |
| |
| // find reference in envelope |
| OMElement e = header.getFirstChildWithName( shb.getQName() ); |
| |
| if( ! found.contains( e ) ) { |
| // found new |
| found.add( e ); |
| |
| if( sign ) { |
| result.add(new WSEncryptionPart(e.getLocalName(), wsep.getNamespace(), "Content")); |
| } else { |
| result.add(new WSEncryptionPart(e.getLocalName(), wsep.getNamespace(), "Element")); |
| } |
| } |
| } |
| } else { |
| // try to find |
| OMElement e = header.getFirstChildWithName( new QName(wsep.getNamespace(), wsep.getName()) ); |
| if( e != null ) { |
| if( ! found.contains( e ) ) { |
| // found new (reuse wsep) |
| found.add( e ); |
| result.add( wsep ); |
| } |
| } |
| } |
| } |
| |
| // ?? Search for 'Elements' here |
| |
| // decide what exactly is going to be used - only the default namespaces, or the list of all declared namespaces in the message ! |
| Set namespaces = findAllPrefixNamespaces(envelope); |
| |
| Iterator elementsIter = elements.iterator(); |
| while (elementsIter.hasNext()) |
| { |
| String expression = (String)elementsIter.next(); |
| try { |
| XPath xp = new AXIOMXPath(expression); |
| Iterator nsIter = namespaces.iterator(); |
| |
| while (nsIter.hasNext()) |
| { |
| OMNamespace tmpNs = (OMNamespace)nsIter.next(); |
| xp.addNamespace(tmpNs.getPrefix(), tmpNs.getNamespaceURI()); |
| } |
| |
| List selectedNodes = xp.selectNodes(envelope); |
| |
| Iterator nodesIter = selectedNodes.iterator(); |
| while (nodesIter.hasNext()) |
| { |
| OMElement e = (OMElement)nodesIter.next(); |
| |
| if (sign) |
| result.add(new WSEncryptionPart(e.getLocalName(), e.getNamespace().getNamespaceURI(), "Content")); |
| else |
| result.add(new WSEncryptionPart(e.getLocalName(), e.getNamespace().getNamespaceURI(), "Element")); |
| } |
| |
| } catch (JaxenException e) { |
| // This has to be changed to propagate an instance of a RampartException up |
| throw new RuntimeException(e); |
| } |
| } |
| |
| return result; |
| } |
| |
| |
| public static KeyGenerator getEncryptionKeyGenerator(String symEncrAlgo) throws WSSecurityException { |
| KeyGenerator keyGen; |
| try { |
| /* |
| * Assume AES as default, so initialize it |
| */ |
| keyGen = KeyGenerator.getInstance("AES"); |
| if (symEncrAlgo.equalsIgnoreCase(WSConstants.TRIPLE_DES)) { |
| keyGen = KeyGenerator.getInstance("DESede"); |
| } else if (symEncrAlgo.equalsIgnoreCase(WSConstants.AES_128)) { |
| keyGen.init(128); |
| } else if (symEncrAlgo.equalsIgnoreCase(WSConstants.AES_192)) { |
| keyGen.init(192); |
| } else if (symEncrAlgo.equalsIgnoreCase(WSConstants.AES_256)) { |
| keyGen.init(256); |
| } else { |
| return null; |
| } |
| } catch (NoSuchAlgorithmException e) { |
| throw new WSSecurityException( |
| WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e); |
| } |
| return keyGen; |
| } |
| |
| /** |
| * Creates the unique (reproducible) id for to hold the context identifier |
| * of the message exchange. |
| * @return Id to hold the context identifier in the message context |
| */ |
| public static String getContextIdentifierKey(MessageContext msgContext) { |
| return msgContext.getAxisService().getName(); |
| } |
| |
| |
| /** |
| * Returns the map of security context token identifiers |
| * @return the map of security context token identifiers |
| */ |
| public static Hashtable getContextMap(MessageContext msgContext) { |
| //Fist check whether its there |
| Object map = msgContext.getConfigurationContext().getProperty( |
| ConversationConstants.KEY_CONTEXT_MAP); |
| |
| if(map == null) { |
| //If not create a new one |
| map = new Hashtable(); |
| //Set the map globally |
| msgContext.getConfigurationContext().setProperty( |
| ConversationConstants.KEY_CONTEXT_MAP, map); |
| } |
| |
| return (Hashtable)map; |
| } |
| |
| public static boolean isTokenValid(RampartMessageData rmd, String id) throws RampartException { |
| try { |
| org.apache.rahas.Token token = rmd.getTokenStorage().getToken(id); |
| return token!= null && token.getState() == org.apache.rahas.Token.ISSUED; |
| } catch (TrustException e) { |
| throw new RampartException("errorExtractingToken"); |
| } |
| } |
| |
| public static void setEncryptionUser(RampartMessageData rmd, WSSecEncryptedKey encrKeyBuilder) throws RampartException { |
| RampartPolicyData rpd = rmd.getPolicyData(); |
| String encrUser = rpd.getRampartConfig().getEncryptionUser(); |
| if(encrUser == null || "".equals(encrUser)) { |
| throw new RampartException("missingEncryptionUser"); |
| } |
| if(encrUser.equals(WSHandlerConstants.USE_REQ_SIG_CERT)) { |
| Object resultsObj = rmd.getMsgContext().getProperty(WSHandlerConstants.RECV_RESULTS); |
| if(resultsObj != null) { |
| encrKeyBuilder.setUseThisCert(getReqSigCert((Vector)resultsObj)); |
| } else { |
| throw new RampartException("noSecurityResults"); |
| } |
| } else { |
| encrKeyBuilder.setUserInfo(encrUser); |
| } |
| } |
| |
| private static X509Certificate getReqSigCert(Vector results) { |
| /* |
| * Scan the results for a matching actor. Use results only if the |
| * receiving Actor and the sending Actor match. |
| */ |
| for (int i = 0; i < results.size(); i++) { |
| WSHandlerResult rResult = |
| (WSHandlerResult) results.get(i); |
| |
| Vector wsSecEngineResults = rResult.getResults(); |
| /* |
| * Scan the results for the first Signature action. Use the |
| * certificate of this Signature to set the certificate for the |
| * encryption action :-). |
| */ |
| for (int j = 0; j < wsSecEngineResults.size(); j++) { |
| WSSecurityEngineResult wser = |
| (WSSecurityEngineResult) wsSecEngineResults.get(j); |
| if (wser.getAction() == WSConstants.SIGN) { |
| return wser.getCertificate(); |
| } |
| } |
| } |
| |
| return null; |
| } |
| |
| public static String getRequestEncryptedKeyId(Vector results) { |
| |
| for (int i = 0; i < results.size(); i++) { |
| WSHandlerResult rResult = |
| (WSHandlerResult) results.get(i); |
| |
| Vector wsSecEngineResults = rResult.getResults(); |
| /* |
| * Scan the results for the first Signature action. Use the |
| * certificate of this Signature to set the certificate for the |
| * encryption action :-). |
| */ |
| for (int j = 0; j < wsSecEngineResults.size(); j++) { |
| WSSecurityEngineResult wser = |
| (WSSecurityEngineResult) wsSecEngineResults.get(j); |
| if (wser.getAction() == WSConstants.ENCR && |
| wser.getEncryptedKeyId() != null) { |
| return wser.getEncryptedKeyId(); |
| } |
| } |
| } |
| |
| return null; |
| } |
| |
| public static byte[] getRequestEncryptedKeyValue(Vector results) { |
| |
| for (int i = 0; i < results.size(); i++) { |
| WSHandlerResult rResult = |
| (WSHandlerResult) results.get(i); |
| |
| Vector wsSecEngineResults = rResult.getResults(); |
| /* |
| * Scan the results for the first Signature action. Use the |
| * certificate of this Signature to set the certificate for the |
| * encryption action :-). |
| */ |
| for (int j = 0; j < wsSecEngineResults.size(); j++) { |
| WSSecurityEngineResult wser = |
| (WSSecurityEngineResult) wsSecEngineResults.get(j); |
| if (wser.getAction() == WSConstants.ENCR && |
| wser.getDecryptedKey() != null) { |
| return wser.getDecryptedKey(); |
| } |
| } |
| } |
| |
| return null; |
| } |
| |
| /** |
| * If the child is present insert the element as a sibling after him. |
| * |
| * If the child is null, then prepend the element. |
| * |
| * @param rmd |
| * @param child |
| * @param elem - element mentioned above |
| * @return |
| */ |
| public static Element insertSiblingAfterOrPrepend(RampartMessageData rmd, Element child, Element elem) { |
| Element retElem = null; |
| if(child != null){ // child is not null so insert sibling after |
| retElem = RampartUtil.insertSiblingAfter(rmd, child, elem); |
| }else{ //Prepend |
| |
| Element secHeaderElem = rmd.getSecHeader().getSecurityHeader(); |
| Node node = secHeaderElem.getOwnerDocument().importNode( |
| elem, true); |
| Element firstElem = (Element)secHeaderElem.getFirstChild(); |
| |
| if(firstElem == null){ |
| retElem = (Element)secHeaderElem.appendChild(node); |
| }else{ |
| if(firstElem.getOwnerDocument().equals(elem.getOwnerDocument())) { |
| ((OMElement)firstElem).insertSiblingBefore((OMElement)elem); |
| retElem = elem; |
| } else { |
| Element newSib = (Element)firstElem.getOwnerDocument().importNode(elem, true); |
| ((OMElement)firstElem).insertSiblingBefore((OMElement)newSib); |
| retElem = newSib; |
| } |
| } |
| } |
| |
| return retElem; |
| } |
| |
| |
| } |