1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.stax.impl.processor.input;
20  
21  import java.util.Deque;
22  import java.util.List;
23  
24  import jakarta.xml.bind.JAXBElement;
25  import javax.xml.namespace.QName;
26  
27  import org.apache.wss4j.binding.wss10.BinarySecurityTokenType;
28  import org.apache.wss4j.common.bsp.BSPRule;
29  import org.apache.wss4j.common.ext.WSSecurityException;
30  import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
31  import org.apache.wss4j.stax.ext.WSSConstants;
32  import org.apache.wss4j.stax.ext.WSSSecurityProperties;
33  import org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent;
34  import org.apache.wss4j.stax.securityEvent.X509TokenSecurityEvent;
35  import org.apache.wss4j.stax.securityToken.KerberosServiceSecurityToken;
36  import org.apache.wss4j.stax.securityToken.X509SecurityToken;
37  import org.apache.wss4j.stax.validate.BinarySecurityTokenValidator;
38  import org.apache.wss4j.stax.validate.BinarySecurityTokenValidatorImpl;
39  import org.apache.wss4j.stax.validate.TokenContext;
40  import org.apache.xml.security.exceptions.XMLSecurityException;
41  import org.apache.xml.security.stax.ext.AbstractInputSecurityHeaderHandler;
42  import org.apache.xml.security.stax.ext.InputProcessorChain;
43  import org.apache.xml.security.stax.ext.XMLSecurityProperties;
44  import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
45  import org.apache.xml.security.stax.impl.util.IDGenerator;
46  import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
47  import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
48  import org.apache.xml.security.stax.securityToken.SecurityToken;
49  import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
50  
51  /**
52   * Processor for the BinarySecurityToken XML Structure
53   */
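public class BinarySecurityTokenInputHandler extends AbstractInputSecurityHeaderHandler {

    /**
     * Handles a {@code wsse:BinarySecurityToken} header element: checks BSP compliance, assigns a
     * generated {@code wsu:Id} when the element carries none, validates the token through the configured
     * {@link BinarySecurityTokenValidator} (falling back to {@link BinarySecurityTokenValidatorImpl}),
     * registers a {@link SecurityTokenProvider} for it under that id, and finally publishes a
     * {@link TokenSecurityEvent} matching the token's {@code ValueType}.
     *
     * @param inputProcessorChain the processor chain; its security context must be a
     *        {@link WSInboundSecurityContext}
     * @param securityProperties the security properties; must be a {@link WSSSecurityProperties}
     * @param eventQueue the queued events of the security header being processed
     * @param index the position of the BinarySecurityToken start element in {@code eventQueue}
     * @throws XMLSecurityException if the structure cannot be parsed or validated, or if the
     *         {@code ValueType} is absent or is neither an X.509 nor a Kerberos token profile type
     */
    @Override
    public void handle(final InputProcessorChain inputProcessorChain, final XMLSecurityProperties securityProperties,
                       final Deque<XMLSecEvent> eventQueue, final Integer index) throws XMLSecurityException {
        @SuppressWarnings("unchecked")
        final BinarySecurityTokenType binarySecurityTokenType =
                ((JAXBElement<BinarySecurityTokenType>) parseStructure(eventQueue, index, securityProperties)).getValue();

        checkBSPCompliance(inputProcessorChain, binarySecurityTokenType);

        // The token provider and the security event below are keyed on the Id, so make sure there is one.
        if (binarySecurityTokenType.getId() == null) {
            binarySecurityTokenType.setId(IDGenerator.generateID(null));
        }

        final WSInboundSecurityContext wsInboundSecurityContext =
            (WSInboundSecurityContext) inputProcessorChain.getSecurityContext();
        final WSSSecurityProperties wssSecurityProperties = (WSSSecurityProperties) securityProperties;
        final List<QName> elementPath = getElementPath(eventQueue);
        final List<XMLSecEvent> xmlSecEvents = getResponsibleXMLSecEvents(eventQueue, index);

        final TokenContext tokenContext =
            new TokenContext(wssSecurityProperties, wsInboundSecurityContext, xmlSecEvents, elementPath);

        // A validator registered for the BinarySecurityToken element wins over the built-in one.
        BinarySecurityTokenValidator binarySecurityTokenValidator =
                wssSecurityProperties.getValidator(WSSConstants.TAG_WSSE_BINARY_SECURITY_TOKEN);
        if (binarySecurityTokenValidator == null) {
            binarySecurityTokenValidator = new BinarySecurityTokenValidatorImpl();
        }
        final InboundSecurityToken binarySecurityToken =
                binarySecurityTokenValidator.validate(binarySecurityTokenType, tokenContext);

        final SecurityTokenProvider<InboundSecurityToken> securityTokenProvider =
                new SecurityTokenProvider<InboundSecurityToken>() {
            @Override
            public InboundSecurityToken getSecurityToken() throws XMLSecurityException {
                return binarySecurityToken;
            }

            @Override
            public String getId() {
                return binarySecurityToken.getId();
            }
        };

        wsInboundSecurityContext.registerSecurityTokenProvider(binarySecurityTokenType.getId(), securityTokenProvider);

        // Fire a tokenSecurityEvent so later processing (and callers) learn about the validated token.
        final TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent =
                createTokenSecurityEvent(binarySecurityTokenType, binarySecurityToken);
        tokenSecurityEvent.setCorrelationID(binarySecurityTokenType.getId());
        wsInboundSecurityContext.registerSecurityEvent(tokenSecurityEvent);
    }

    /**
     * Builds the security event announcing the validated token, chosen by the element's {@code ValueType}.
     *
     * @param binarySecurityTokenType the parsed BinarySecurityToken element
     * @param binarySecurityToken the token produced by the validator
     * @return an {@link X509TokenSecurityEvent} for X.509 Token Profile value types, or a
     *         {@link KerberosTokenSecurityEvent} for Kerberos Token Profile value types
     * @throws WSSecurityException with {@code INVALID_SECURITY_TOKEN} if the {@code ValueType} is absent
     *         or matches neither profile
     */
    private static TokenSecurityEvent<? extends SecurityToken> createTokenSecurityEvent(
            final BinarySecurityTokenType binarySecurityTokenType, final InboundSecurityToken binarySecurityToken)
            throws WSSecurityException {
        // checkBSPCompliance reports a missing ValueType as R3031, but whether handleBSPRule throws depends on
        // how the security context is configured (verify). Guard here so an absent ValueType ends in a
        // WSSecurityException instead of a NullPointerException from startsWith.
        final String valueType = binarySecurityTokenType.getValueType();
        if (valueType != null && valueType.startsWith(WSSConstants.NS_X509TOKEN_PROFILE)) {
            final X509TokenSecurityEvent x509TokenSecurityEvent = new X509TokenSecurityEvent();
            x509TokenSecurityEvent.setSecurityToken((X509SecurityToken) binarySecurityToken);
            return x509TokenSecurityEvent;
        }
        if (valueType != null && valueType.startsWith(WSSConstants.NS_KERBEROS11_TOKEN_PROFILE)) {
            final KerberosTokenSecurityEvent kerberosTokenSecurityEvent = new KerberosTokenSecurityEvent();
            kerberosTokenSecurityEvent.setSecurityToken((KerberosServiceSecurityToken) binarySecurityToken);
            return kerberosTokenSecurityEvent;
        }
        throw new WSSecurityException(
                WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "invalidValueType",
                new Object[] {valueType});
    }

    /**
     * Reports Basic Security Profile violations of the BinarySecurityToken element to the security context.
     * Each violated rule is passed to {@link WSInboundSecurityContext#handleBSPRule(BSPRule)}, which decides
     * whether the violation is fatal.
     *
     * @param inputProcessorChain the processor chain; its security context must be a
     *        {@link WSInboundSecurityContext}
     * @param binarySecurityTokenType the parsed BinarySecurityToken element
     * @throws WSSecurityException if the security context treats a reported rule violation as an error
     */
    private void checkBSPCompliance(InputProcessorChain inputProcessorChain, BinarySecurityTokenType binarySecurityTokenType)
            throws WSSecurityException {

        final WSInboundSecurityContext securityContext = (WSInboundSecurityContext) inputProcessorChain.getSecurityContext();
        // R3029: EncodingType is mandatory. A null EncodingType also fails the R3030 check below,
        // because null is not the Base64 encoding URI, so both rules are reported in that case.
        if (binarySecurityTokenType.getEncodingType() == null) {
            securityContext.handleBSPRule(BSPRule.R3029);
        }
        // R3030: the only permitted EncodingType is Base64Binary.
        if (!WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING.equals(binarySecurityTokenType.getEncodingType())) {
            securityContext.handleBSPRule(BSPRule.R3030);
        }
        // R3031: ValueType is mandatory.
        if (binarySecurityTokenType.getValueType() == null) {
            securityContext.handleBSPRule(BSPRule.R3031);
        }
    }
}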