001: /*
002: * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
003: *
004: * Copyright 1997-2007 Sun Microsystems, Inc. All rights reserved.
005: *
006: * The contents of this file are subject to the terms of either the GNU
007: * General Public License Version 2 only ("GPL") or the Common Development
008: * and Distribution License("CDDL") (collectively, the "License"). You
009: * may not use this file except in compliance with the License. You can obtain
010: * a copy of the License at https://glassfish.dev.java.net/public/CDDL+GPL.html
011: * or glassfish/bootstrap/legal/LICENSE.txt. See the License for the specific
012: * language governing permissions and limitations under the License.
013: *
014: * When distributing the software, include this License Header Notice in each
015: * file and include the License file at glassfish/bootstrap/legal/LICENSE.txt.
016: * Sun designates this particular file as subject to the "Classpath" exception
017: * as provided by Sun in the GPL Version 2 section of the License file that
018: * accompanied this code. If applicable, add the following below the License
019: * Header, with the fields enclosed by brackets [] replaced by your own
020: * identifying information: "Portions Copyrighted [year]
021: * [name of copyright owner]"
022: *
023: * Contributor(s):
024: *
025: * If you wish your version of this file to be governed by only the CDDL or
026: * only the GPL Version 2, indicate your decision by adding "[Contributor]
027: * elects to include this software in this distribution under the [CDDL or GPL
028: * Version 2] license." If you don't indicate a single choice of license, a
029: * recipient has the option to distribute your version of this file under
030: * either the CDDL, the GPL Version 2 or to extend the choice of license to
031: * its licensees as provided above. However, if you add GPL Version 2 code
032: * and therefore, elected the GPL Version 2 license, then the option applies
033: * only if the new code is made subject to such option by the copyright
034: * holder.
035: */
036:
037: package com.sun.xml.ws.security.impl.policyconv;
038:
039: import com.sun.xml.ws.policy.PolicyException;
040: import com.sun.xml.ws.security.policy.Binding;
041: import com.sun.xml.ws.security.policy.EncryptedElements;
042: import com.sun.xml.ws.security.policy.EncryptedParts;
043: import com.sun.xml.ws.security.policy.EndorsingSupportingTokens;
044: import com.sun.xml.ws.security.policy.SignedElements;
045: import com.sun.xml.ws.security.policy.SignedEndorsingSupportingTokens;
046: import com.sun.xml.ws.security.policy.SignedParts;
047: import com.sun.xml.ws.security.policy.SignedSupportingTokens;
048: import com.sun.xml.ws.security.policy.SupportingTokens;
049: import com.sun.xml.ws.security.policy.WSSAssertion;
050: import com.sun.xml.wss.impl.PolicyTypeUtil;
051: import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
052: import com.sun.xml.wss.impl.policy.mls.DerivedTokenKeyBinding;
053: import com.sun.xml.wss.impl.policy.mls.EncryptionPolicy;
054: import com.sun.xml.wss.impl.policy.mls.EncryptionTarget;
055: import com.sun.xml.wss.impl.policy.mls.KeyBindingBase;
056: import com.sun.xml.wss.impl.policy.mls.SignaturePolicy;
057: import com.sun.xml.wss.impl.policy.mls.SignatureTarget;
058: import com.sun.xml.wss.impl.policy.mls.TimestampPolicy;
059: import com.sun.xml.wss.impl.policy.mls.WSSPolicy;
060: import java.util.Vector;
061: import javax.xml.crypto.dsig.CanonicalizationMethod;
062: import static com.sun.xml.wss.impl.policy.mls.Target.SIGNATURE_CONFIRMATION;
063:
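/**
 * Base class for converting a WS-SecurityPolicy binding (its signed and
 * encrypted parts/elements, supporting tokens and WSS 1.1 options) into the
 * XWSS {@link SignaturePolicy} / {@link EncryptionPolicy} targets the runtime
 * enforces.
 *
 * <p>Concrete bindings supply the {@link Binding} assertion, the secondary
 * encryption policy used under the ENCRYPT_SIGN protection order, and
 * {@link #close()}. They are also expected to initialise the
 * {@code signedParts}, {@code encryptedParts}, {@code signedElements} and
 * {@code encryptedElements} vectors before {@link #addPrimaryTargets()} runs:
 * those fields start out {@code null} and are iterated without a null check.
 *
 * <p>Not thread-safe: an instance holds the policies being built as mutable
 * state.
 *
 * @author K.Venugopal@sun.com
 */
public abstract class BindingProcessor {

    /** Protection order of the binding; one of the {@link Binding} constants. */
    protected String protectionOrder = Binding.SIGN_ENCRYPT;
    /** True when the policy is being built for the service side. */
    protected boolean isServer = false;
    /** True when the policy applies to an inbound message. */
    protected boolean isIncoming = false;
    /** Primary signature: covers parts, elements, the timestamp and tokens. */
    protected SignaturePolicy primarySP = null;
    /** Primary encryption policy; used directly under SIGN_ENCRYPT. */
    protected EncryptionPolicy primaryEP = null;
    // current secondary encryption policy
    protected EncryptionPolicy sEncPolicy = null;
    /** Secondary signature policy, handed out by {@link #getSignaturePolicy()} under ENCRYPT_SIGN. */
    protected SignaturePolicy sSigPolicy = null;
    protected XWSSPolicyContainer container = null;

    protected Vector<SignedParts> signedParts = null;
    protected Vector<EncryptedParts> encryptedParts = null;

    protected Vector<SignedElements> signedElements = null;
    protected Vector<EncryptedElements> encryptedElements = null;
    /** Source of fresh ids, e.g. the STR ids assigned to tokens in {@link #protectToken(WSSPolicy, boolean)}. */
    protected PolicyID pid = null;

    protected TokenProcessor tokenProcessor = null;
    protected IntegrityAssertionProcessor iAP = null;
    protected EncryptionAssertionProcessor eAP = null;
    /** WSS 1.1 assertion, or null when the binding is WSS 1.0 only. */
    private WSSAssertion wss11 = null;

    /** Set by {@link #addPrimaryTargets()} once at least one encryption target has been added. */
    protected boolean foundEncryptTargets = false;

    /** Creates a new instance of BindingProcessor. */
    public BindingProcessor() {
        this.pid = new PolicyID();
    }

    /*
     WSIT Configuration should not allow protect primary signature
     property to be set if we determine there will be no signature.
     */

    /**
     * Adds the primary signature as an encryption target, and under WSS 1.1
     * with signature confirmation required also the SignatureConfirmation
     * element. Under ENCRYPT_SIGN the target goes on the secondary encryption
     * policy (the one applied after signing), otherwise on the primary one.
     *
     * @throws PolicyException if the secondary encryption policy cannot be
     *         obtained
     */
    protected void protectPrimarySignature() throws PolicyException {
        // Signature confirmation is only encrypted on the side that carries
        // it: the server's outbound message or the client's inbound one.
        boolean encryptSignConfirm = isServer != isIncoming;
        // Compare by value: reference equality would silently select the
        // SIGN_ENCRYPT branch for an equal but non-interned order string,
        // and the signature would then be encrypted under the wrong policy.
        EncryptionPolicy ep = Binding.ENCRYPT_SIGN.equals(protectionOrder)
                ? getSecondaryEncryptionPolicy()
                : primaryEP;
        encryptPrimarySignature(ep, encryptSignConfirm);
    }

    /**
     * Adds the primary signature (and, when applicable, SignatureConfirmation)
     * as targets of {@code ep}.
     *
     * @param ep encryption policy receiving the targets; must not be null
     * @param encryptSignConfirm whether this side carries a SignatureConfirmation
     */
    private void encryptPrimarySignature(EncryptionPolicy ep, boolean encryptSignConfirm)
            throws PolicyException {
        EncryptionPolicy.FeatureBinding epFB =
                (EncryptionPolicy.FeatureBinding) ep.getFeatureBinding();
        EncryptionTarget et = eAP.getTargetCreator()
                .newURIEncryptionTarget(primarySP.getUUID());
        SecurityPolicyUtil.setName(et, primarySP);
        epFB.addTargetBinding(et);
        // Only worth encrypting the confirmation when something else is
        // encrypted too and the binding asks for signature protection.
        if (foundEncryptTargets && (isWSS11() && requireSC())
                && encryptSignConfirm
                && getBinding().getSignatureProtection()) {
            eAP.process(SIGNATURE_CONFIRMATION, epFB);
        }
    }

    /**
     * Makes the timestamp a target of the primary signature.
     *
     * @param tp the timestamp policy whose UUID is referenced
     */
    protected void protectTimestamp(TimestampPolicy tp) {
        SignatureTarget target = iAP.getTargetCreator()
                .newURISignatureTarget(tp.getUUID());
        SecurityPolicyUtil.setName(target, tp);
        SignaturePolicy.FeatureBinding spFB =
                (SignaturePolicy.FeatureBinding) primarySP.getFeatureBinding();
        spFB.addTargetBinding(target);
    }

    // TODO:WS-SX Spec:If we have a secondary signature should it protect the token too ?
    /**
     * Signs {@code token} through its SecurityTokenReference; same as
     * {@code protectToken(token, false)}.
     */
    protected void protectToken(WSSPolicy token) {
        protectToken(token, false);
    }

    /**
     * Makes a token a target of the primary signature.
     *
     * <p>With {@code ignoreSTR == false} the token is referenced through a
     * SecurityTokenReference (an STR transform is added to the target); X.509
     * and SAML tokens without an STR id get one generated and stored on them.
     * With {@code ignoreSTR == true} the token is referenced directly by UUID
     * (for a derived-token key binding, the UUID of its original key binding).
     *
     * @param token the token policy to sign
     * @param ignoreSTR whether to reference the token directly instead of via STR
     */
    protected void protectToken(WSSPolicy token, boolean ignoreSTR) {
        // The STR id is generated and stored on X.509/SAML tokens even when
        // it is not used below, so later callers see the same id.
        String uid = strIdOrUuid(token);
        // TODO:: Handle DTK and IssuedToken.
        SignatureTarget st;
        SignatureTargetCreator stc;
        if (!ignoreSTR) {
            if (uid == null) {
                return;
            }
            stc = iAP.getTargetCreator();
            st = stc.newURISignatureTarget(uid);
            stc.addSTRTransform(st);
        } else {
            stc = iAP.getTargetCreator();
            st = stc.newURISignatureTarget(directReferenceId(token));
        }
        SignaturePolicy.FeatureBinding fb =
                (SignaturePolicy.FeatureBinding) primarySP.getFeatureBinding();
        fb.addTargetBinding(st);
    }

    /**
     * Returns the STR id of an X.509 or SAML token, generating and storing one
     * on the token if it has none; any other token yields its UUID.
     */
    private String strIdOrUuid(WSSPolicy token) {
        if (PolicyTypeUtil.x509CertificateBinding(token)) {
            AuthenticationTokenPolicy.X509CertificateBinding x509 =
                    (AuthenticationTokenPolicy.X509CertificateBinding) token;
            String id = x509.getSTRID();
            if (id == null) {
                id = pid.generateID();
                x509.setSTRID(id);
            }
            return id;
        }
        if (PolicyTypeUtil.samlTokenPolicy(token)) {
            AuthenticationTokenPolicy.SAMLAssertionBinding saml =
                    (AuthenticationTokenPolicy.SAMLAssertionBinding) token;
            String id = saml.getSTRID();
            if (id == null) {
                id = pid.generateID();
                saml.setSTRID(id);
            }
            return id;
        }
        return token.getUUID();
    }

    /**
     * Id used to reference a token directly (no STR): for a derived-token key
     * binding the UUID of its original key binding — or, when that one is a
     * symmetric binding, of the key binding inside it — otherwise the token's
     * own UUID.
     */
    private static String directReferenceId(WSSPolicy token) {
        if (!PolicyTypeUtil.derivedTokenKeyBinding(token)) {
            return token.getUUID();
        }
        WSSPolicy kbd = ((DerivedTokenKeyBinding) token).getOriginalKeyBinding();
        if (PolicyTypeUtil.symmetricKeyBinding(kbd)) {
            WSSPolicy sbd = (KeyBindingBase) kbd.getKeyBinding();
            return sbd.getUUID();
        }
        return kbd.getUUID();
    }

    /**
     * Encryption policy applied after signing under the ENCRYPT_SIGN order.
     *
     * @throws PolicyException if the policy cannot be built
     */
    protected abstract EncryptionPolicy getSecondaryEncryptionPolicy()
            throws PolicyException;

    /**
     * Turns the SignedParts/SignedElements and EncryptedParts/EncryptedElements
     * assertions into targets of the primary signature and encryption
     * policies, and under WSS 1.1 with signature confirmation required also
     * signs the SignatureConfirmation element. Sets {@link #foundEncryptTargets}
     * when any encryption target was added.
     *
     * @throws PolicyException propagated from the assertion processors
     */
    protected void addPrimaryTargets() throws PolicyException {
        SignaturePolicy.FeatureBinding spFB =
                (SignaturePolicy.FeatureBinding) primarySP.getFeatureBinding();
        EncryptionPolicy.FeatureBinding epFB =
                (EncryptionPolicy.FeatureBinding) primaryEP.getFeatureBinding();
        String c14n = spFB.getCanonicalizationAlgorithm();
        if (c14n == null || c14n.length() == 0) {
            spFB.setCanonicalizationAlgorithm(CanonicalizationMethod.EXCLUSIVE);
        }

        // TODO:: Merge SignedElements.

        for (SignedElements se : signedElements) {
            iAP.process(se, spFB);
        }
        /*
         If Empty SignParts is present then remove rest of the SignParts
         as we will be signing all HEADERS and Body. Question to WS-SX:
         Are SignedParts headers targeted to ultimate reciever role.
         */
        // Find the "sign everything" entry first, then replace the vector
        // contents, so the vector is never modified while being iterated.
        SignedParts signAll = null;
        for (SignedParts sp : signedParts) {
            if (SecurityPolicyUtil.isSignedPartsEmpty(sp)) {
                signAll = sp;
                break;
            }
        }
        if (signAll != null) {
            signedParts.removeAllElements();
            signedParts.add(signAll);
        }
        for (SignedParts sp : signedParts) {
            iAP.process(sp, spFB);
        }
        for (EncryptedParts ep : encryptedParts) {
            foundEncryptTargets = true;
            eAP.process(ep, epFB);
        }

        for (EncryptedElements encEl : encryptedElements) {
            foundEncryptTargets = true;
            eAP.process(encEl, epFB);
        }
        if (isWSS11() && requireSC()) {
            iAP.process(SIGNATURE_CONFIRMATION, spFB);
        }
    }

    /**
     * Whether the WSS 1.1 assertion requires signature confirmation.
     *
     * @return true only when a WSS 1.1 assertion is set and lists
     *         {@code REQUIRE_SIGNATURE_CONFIRMATION} among its required properties
     */
    protected boolean requireSC() {
        return wss11 != null
                && wss11.getRequiredProperties().contains(
                        WSSAssertion.REQUIRE_SIGNATURE_CONFIRMATION);
    }

    /** The binding assertion this processor converts. */
    protected abstract Binding getBinding();

    /**
     * Processes plain supporting tokens against the primary signature and the
     * encryption policy selected by the protection order.
     *
     * @throws PolicyException propagated from the token processor
     */
    public void processSupportingTokens(SupportingTokens st)
            throws PolicyException {
        SupportingTokensProcessor stp = new SupportingTokensProcessor(
                st, tokenProcessor, getBinding(),
                container, primarySP, getEncryptionPolicy(), pid);
        stp.process();
    }

    /**
     * Processes signed supporting tokens.
     *
     * @throws PolicyException propagated from the token processor
     */
    public void processSupportingTokens(SignedSupportingTokens st)
            throws PolicyException {
        SignedSupportingTokensProcessor stp = new SignedSupportingTokensProcessor(
                st, tokenProcessor, getBinding(), container, primarySP,
                getEncryptionPolicy(), pid);
        stp.process();
    }

    /**
     * Processes endorsing supporting tokens.
     *
     * @throws PolicyException propagated from the token processor
     */
    public void processSupportingTokens(EndorsingSupportingTokens est)
            throws PolicyException {
        EndorsingSupportingTokensProcessor stp = new EndorsingSupportingTokensProcessor(
                est, tokenProcessor, getBinding(), container,
                primarySP, getEncryptionPolicy(), pid);
        stp.process();
    }

    /**
     * Processes signed endorsing supporting tokens.
     *
     * @throws PolicyException propagated from the token processor
     */
    public void processSupportingTokens(
            SignedEndorsingSupportingTokens est) throws PolicyException {
        SignedEndorsingSupportingTokensProcessor stp = new SignedEndorsingSupportingTokensProcessor(
                est, tokenProcessor, getBinding(), container,
                primarySP, getEncryptionPolicy(), pid);
        stp.process();
    }

    /**
     * Signature policy for supporting tokens: the primary one under
     * SIGN_ENCRYPT, the secondary one otherwise.
     */
    protected SignaturePolicy getSignaturePolicy() {
        // Value comparison: see protectPrimarySignature().
        if (Binding.SIGN_ENCRYPT.equals(getBinding().getProtectionOrder())) {
            return primarySP;
        }
        return sSigPolicy;
    }

    /**
     * Encryption policy for supporting tokens: the primary one under
     * SIGN_ENCRYPT, the secondary one otherwise.
     */
    private EncryptionPolicy getEncryptionPolicy()
            throws PolicyException {
        // Value comparison: see protectPrimarySignature().
        if (Binding.SIGN_ENCRYPT.equals(getBinding().getProtectionOrder())) {
            return primaryEP;
        }
        return getSecondaryEncryptionPolicy();
    }

    /** Finishes the conversion; implemented by the concrete binding. */
    protected abstract void close();

    /** Whether a WSS 1.1 assertion has been set on this processor. */
    public boolean isWSS11() {
        return wss11 != null;
    }

    /**
     * Sets the WSS 1.1 assertion; passing null makes the binding behave as
     * WSS 1.0 only.
     */
    public void setWSS11(WSSAssertion wss11) {
        this.wss11 = wss11;
    }
}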