| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| */ |
| |
| package org.apache.wss4j.dom.action; |
| |
| import javax.security.auth.callback.CallbackHandler; |
| |
| import org.apache.wss4j.common.SecurityActionToken; |
| import org.apache.wss4j.common.SignatureActionToken; |
| import org.apache.wss4j.common.crypto.Crypto; |
| import org.apache.wss4j.common.ext.WSPasswordCallback; |
| import org.apache.wss4j.common.ext.WSSecurityException; |
| import org.apache.wss4j.common.saml.SamlAssertionWrapper; |
| import org.apache.wss4j.common.saml.SAMLCallback; |
| import org.apache.wss4j.common.saml.SAMLUtil; |
| import org.apache.wss4j.dom.WSConstants; |
| import org.apache.wss4j.dom.handler.RequestData; |
| import org.apache.wss4j.dom.handler.WSHandler; |
| import org.apache.wss4j.dom.handler.WSHandlerConstants; |
| import org.apache.wss4j.dom.saml.WSSecSignatureSAML; |
| |
| public class SAMLTokenSignedAction implements Action { |
| |
| private static final org.slf4j.Logger LOG = |
| org.slf4j.LoggerFactory.getLogger(SAMLTokenSignedAction.class); |
| |
| public void execute(WSHandler handler, SecurityActionToken actionToken, RequestData reqData) |
| throws WSSecurityException { |
| Crypto crypto = null; |
| |
| // it is possible and legal that we do not have a signature crypto here - thus ignore the exception. |
| // This is usually the case for the SAML option "sender vouches". In this case no user crypto is |
| // required. |
| try { |
| crypto = handler.loadSignatureCrypto(reqData); |
| } catch (Exception ex) { |
| LOG.debug(ex.getMessage(), ex); |
| } |
| |
| CallbackHandler samlCallbackHandler = |
| handler.getCallbackHandler( |
| WSHandlerConstants.SAML_CALLBACK_CLASS, |
| WSHandlerConstants.SAML_CALLBACK_REF, |
| reqData |
| ); |
| if (samlCallbackHandler == null) { |
| throw new WSSecurityException( |
| WSSecurityException.ErrorCode.FAILURE, |
| "noSAMLCallbackHandler" |
| ); |
| } |
| SAMLCallback samlCallback = new SAMLCallback(); |
| SAMLUtil.doSAMLCallback(samlCallbackHandler, samlCallback); |
| |
| SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback); |
| if (samlCallback.isSignAssertion()) { |
| samlAssertion.signAssertion( |
| samlCallback.getIssuerKeyName(), |
| samlCallback.getIssuerKeyPassword(), |
| samlCallback.getIssuerCrypto(), |
| samlCallback.isSendKeyValue(), |
| samlCallback.getCanonicalizationAlgorithm(), |
| samlCallback.getSignatureAlgorithm(), |
| samlCallback.getSignatureDigestAlgorithm() |
| ); |
| } |
| WSSecSignatureSAML wsSign = new WSSecSignatureSAML(reqData.getSecHeader()); |
| wsSign.setIdAllocator(reqData.getWssConfig().getIdAllocator()); |
| wsSign.setAddInclusivePrefixes(reqData.isAddInclusivePrefixes()); |
| wsSign.setWsDocInfo(reqData.getWsDocInfo()); |
| wsSign.setExpandXopInclude(reqData.isExpandXopInclude()); |
| wsSign.setSignatureProvider(reqData.getSignatureProvider()); |
| |
| CallbackHandler callbackHandler = |
| handler.getPasswordCallbackHandler(reqData); |
| |
| SignatureActionToken signatureToken = null; |
| if (actionToken instanceof SignatureActionToken) { |
| signatureToken = (SignatureActionToken)actionToken; |
| } |
| if (signatureToken == null) { |
| signatureToken = reqData.getSignatureToken(); |
| } |
| |
| WSPasswordCallback passwordCallback = |
| handler.getPasswordCB(signatureToken.getUser(), WSConstants.ST_SIGNED, callbackHandler, reqData); |
| wsSign.setUserInfo(signatureToken.getUser(), passwordCallback.getPassword()); |
| |
| if (signatureToken.getKeyIdentifierId() != 0) { |
| wsSign.setKeyIdentifierType(signatureToken.getKeyIdentifierId()); |
| } |
| if (signatureToken.getSignatureAlgorithm() != null) { |
| wsSign.setSignatureAlgorithm(signatureToken.getSignatureAlgorithm()); |
| } |
| if (signatureToken.getDigestAlgorithm() != null) { |
| wsSign.setDigestAlgo(signatureToken.getDigestAlgorithm()); |
| } |
| if (signatureToken.getC14nAlgorithm() != null) { |
| wsSign.setSigCanonicalization(signatureToken.getC14nAlgorithm()); |
| } |
| if (signatureToken.getKeyInfoElement() != null) { |
| wsSign.setCustomKeyInfoElement(signatureToken.getKeyInfoElement()); |
| } |
| |
| if (!signatureToken.getParts().isEmpty()) { |
| wsSign.getParts().addAll(signatureToken.getParts()); |
| } |
| |
| try { |
| wsSign.build( |
| crypto, |
| samlAssertion, |
| samlCallback.getIssuerCrypto(), |
| samlCallback.getIssuerKeyName(), |
| samlCallback.getIssuerKeyPassword()); |
| |
| reqData.getSignatureValues().add(wsSign.getSignatureValue()); |
| byte[] signatureValue = samlAssertion.getSignatureValue(); |
| if (signatureValue != null) { |
| reqData.getSignatureValues().add(signatureValue); |
| } |
| } catch (WSSecurityException e) { |
| throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "empty", |
| new Object[] {"Error when signing the SAML token: "}); |
| } |
| } |
| |
| } |