0001: /*
0002: * $Id: SecurityConfigurationXmlReader.java,v 1.8 2007/08/24 09:12:51 kumarjayanti Exp $
0003: */
0004:
0005: /*
0006: * The contents of this file are subject to the terms
0007: * of the Common Development and Distribution License
0008: * (the License). You may not use this file except in
0009: * compliance with the License.
0010: *
0011: * You can obtain a copy of the license at
0012: * https://glassfish.dev.java.net/public/CDDLv1.0.html.
0013: * See the License for the specific language governing
0014: * permissions and limitations under the License.
0015: *
0016: * When distributing Covered Code, include this CDDL
0017: * Header Notice in each file and include the License file
0018: * at https://glassfish.dev.java.net/public/CDDLv1.0.html.
0019: * If applicable, add the following below the CDDL Header,
0020: * with the fields enclosed by brackets [] replaced by
0021: * you own identifying information:
0022: * "Portions Copyrighted [year] [name of copyright owner]"
0023: *
0024: * Copyright 2006 Sun Microsystems Inc. All Rights Reserved
0025: */
0026:
0027: package com.sun.xml.wss.impl.config;
0028:
0029: import com.sun.xml.wss.impl.policy.mls.Parameter;
0030: import javax.xml.crypto.dsig.Transform;
0031: import javax.xml.crypto.dsig.spec.XPathFilter2ParameterSpec;
0032: import javax.xml.crypto.dsig.spec.XPathFilterParameterSpec;
0033: import javax.xml.crypto.dsig.spec.XPathType;
0034:
0035: import org.xml.sax.SAXException;
0036: import org.xml.sax.SAXParseException;
0037: import org.xml.sax.helpers.DefaultHandler;
0038:
0039: import java.io.PrintStream;
0040: import java.io.InputStream;
0041: import java.io.ByteArrayInputStream;
0042: import java.util.Random;
0043: import java.util.HashMap;
0044: import java.util.ArrayList;
0045: import java.util.logging.Level;
0046: import java.util.logging.Logger;
0047:
0048: import javax.xml.namespace.QName;
0049: import javax.xml.parsers.DocumentBuilder;
0050: import javax.xml.parsers.DocumentBuilderFactory;
0051:
0052: import org.w3c.dom.Attr;
0053: import org.w3c.dom.Document;
0054: import org.w3c.dom.Element;
0055: import org.w3c.dom.NamedNodeMap;
0056: import org.w3c.dom.Node;
0057: import org.w3c.dom.NodeList;
0058:
0059: import com.sun.xml.wss.impl.policy.mls.Target;
0060: import com.sun.xml.wss.impl.XMLUtil;
0061: import com.sun.xml.wss.impl.MessageConstants;
0062: import com.sun.xml.wss.logging.LogDomainConstants;
0063: import com.sun.xml.wss.XWSSecurityException;
0064: import com.sun.xml.wss.impl.PolicyTypeUtil;
0065: import com.sun.xml.wss.core.Timestamp;
0066:
0067: import com.sun.xml.wss.impl.policy.mls.SignatureTarget;
0068: import com.sun.xml.wss.impl.policy.mls.EncryptionTarget;
0069: import com.sun.xml.wss.impl.policy.mls.SignaturePolicy;
0070: import com.sun.xml.wss.impl.policy.mls.EncryptionPolicy;
0071: import com.sun.xml.wss.impl.policy.mls.SymmetricKeyBinding;
0072: import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
0073: import com.sun.xml.wss.impl.policy.mls.TimestampPolicy;
0074: import com.sun.xml.wss.impl.policy.SecurityPolicy;
0075: import com.sun.xml.wss.impl.policy.PolicyGenerationException;
0076:
0077: import javax.xml.crypto.dsig.CanonicalizationMethod;
0078: import javax.xml.crypto.dsig.DigestMethod;
0079:
0080: import com.sun.xml.wss.impl.configuration.*;
0081: import com.sun.xml.wss.impl.policy.mls.DynamicSecurityPolicy;
0082: import com.sun.xml.wss.impl.policy.mls.MessagePolicy;
0083:
0084: /* TODO: add logging */
0085:
0086: /**
0087: * Represents a Parser for reading an XWS-Security configuration and creating an
0088: * appropriate XWS-Security configuration object.
0089: * The parser expects the root element of an XWS-Security configuration
0090: * to be either a <code>xwss:JAXRPCSecurity</code> or a <code>xwss:SecurityConfiguration</code>.
0091: *
0092: * @see xwssconfig.xsd (the XWS-Security configuration schema)
0093: */
0094:
0095: public class SecurityConfigurationXmlReader implements
0096: ConfigurationConstants {
0097:
0098: protected static final Logger log = Logger.getLogger(
0099: LogDomainConstants.CONFIGURATION_DOMAIN,
0100: LogDomainConstants.CONFIGURATION_DOMAIN_BUNDLE);
0101:
0102: static Random rnd = new Random();
0103:
0104: private static Document parseXmlString(String sourceXml)
0105: throws Exception {
0106: return parseXmlStream(new ByteArrayInputStream(sourceXml
0107: .getBytes()));
0108: }
0109:
0110: //Note: Assumes the passed element is a <SecurityConfiguration> element
0111: private static void validateConfiguration(Element element)
0112: throws Exception {
0113:
0114: // Check if more than one xwss:Timestamp element exists
0115: NodeList timestamps = element.getElementsByTagNameNS(
0116: CONFIGURATION_URL, TIMESTAMP_ELEMENT_NAME);
0117:
0118: if (timestamps.getLength() > 1) {
0119: // log
0120: throw new IllegalStateException(
0121: "More than one xwss:Timestamp element "
0122: + "in security configuration file");
0123: }
0124:
0125: // Check if more than one xwss:RequireTimestamp element exists
0126: NodeList requireTimestamps = element.getElementsByTagNameNS(
0127: CONFIGURATION_URL, TIMESTAMP_REQUIREMENT_ELEMENT_NAME);
0128:
0129: if (requireTimestamps.getLength() > 1) {
0130: // log
0131: throw new IllegalStateException(
0132: "More than one xwss:RequireTimestamp element "
0133: + "in security configuration file");
0134: }
0135:
0136: // Check if more than one xwss:UsernameAndPassword element exists
0137: NodeList usernamePasswords = element.getElementsByTagNameNS(
0138: CONFIGURATION_URL,
0139: USERNAME_PASSWORD_AUTHENTICATION_ELEMENT_NAME);
0140:
0141: if (usernamePasswords.getLength() > 1) {
0142: // log
0143: throw new IllegalStateException(
0144: "More than one xwss:UsernameToken element "
0145: + "in security configuration file");
0146: }
0147:
0148: // Check if more than one xwss:RequireUsernameAndPassword element exists
0149: NodeList requireUsernamePasswords = element
0150: .getElementsByTagNameNS(CONFIGURATION_URL,
0151: USERNAMETOKEN_REQUIREMENT_ELEMENT_NAME);
0152:
0153: if (requireUsernamePasswords.getLength() > 1) {
0154: // log
0155: throw new IllegalStateException(
0156: "More than one xwss:RequireUsernameToken element "
0157: + "in security configuration file");
0158: }
0159:
0160: // Check if more than one xwss:OptionalTargets element exists
0161: NodeList optionalTargets = element.getElementsByTagNameNS(
0162: CONFIGURATION_URL, OPTIONAL_TARGETS_ELEMENT_NAME);
0163:
0164: if (optionalTargets.getLength() > 1) {
0165: // log
0166: throw new IllegalStateException(
0167: "More than one xwss:OptionalTargets element "
0168: + "in security configuration file");
0169: }
0170:
0171: // Check if more than one xwss:SAMLASSERTION elements exist
0172: NodeList samlAssertions = element.getElementsByTagNameNS(
0173: CONFIGURATION_URL, SAML_ASSERTION_ELEMENT_NAME);
0174:
0175: if (samlAssertions.getLength() > 1) {
0176: // log
0177: throw new IllegalStateException(
0178: "More than one xwss:SAMLAssertion element "
0179: + "in security configuration file");
0180: }
0181:
0182: checkIdUniqueness(element);
0183: }
0184:
0185: /**
0186: * read an XWS-Security configuration String representing an <code>xwss:JAXRPCSecurity</code> element
0187: * and return an ApplicationSecurityConfiguration instance.
0188: * @param sourceXml the configuration String
0189: * @return an <code>ApplicationSecurityConfiguration</code> corresponding to the configuration
0190: * @exception Exception if there was an error in creating the configuration
0191: */
0192: public static ApplicationSecurityConfiguration readApplicationSecurityConfigurationString(
0193: String sourceXml) throws Exception {
0194: return (ApplicationSecurityConfiguration) createSecurityConfiguration(parseXmlString(
0195: sourceXml).getDocumentElement());
0196: }
0197:
0198: private static Document parseXmlStream(InputStream xmlStream)
0199: throws Exception {
0200: return parseXmlStream(xmlStream, null);
0201: }
0202:
0203: private static Document parseXmlStream(InputStream xmlStream,
0204: PrintStream out) throws Exception {
0205:
0206: DocumentBuilderFactory factory = new com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl();
0207: factory.setAttribute(
0208: "http://apache.org/xml/features/validation/dynamic",
0209: Boolean.FALSE);
0210: factory
0211: .setAttribute(
0212: "http://java.sun.com/xml/jaxp/properties/schemaLanguage",
0213: "http://www.w3.org/2001/XMLSchema");
0214: InputStream is = SecurityConfigurationXmlReader.class
0215: .getResourceAsStream("xwssconfig.xsd");
0216: factory.setAttribute(
0217: "http://java.sun.com/xml/jaxp/properties/schemaSource",
0218: is);
0219: factory.setValidating(true);
0220: factory.setIgnoringComments(true);
0221: factory.setNamespaceAware(true);
0222: DocumentBuilder builder = factory.newDocumentBuilder();
0223: builder.setErrorHandler(new ErrorHandler(out));
0224: Document configurationDocument = builder.parse(xmlStream);
0225:
0226: // not very efficient, can we do it as part of regular parsing
0227: NodeList nodeList = configurationDocument
0228: .getElementsByTagNameNS(CONFIGURATION_URL,
0229: DECLARATIVE_CONFIGURATION_ELEMENT_NAME);
0230: for (int i = 0; i < nodeList.getLength(); i++) {
0231: validateConfiguration((Element) nodeList.item(i));
0232: }
0233: return configurationDocument;
0234: }
0235:
0236: /**
0237: * Parse and validate an XWS-Security configuration
0238: * @param xmlStream the InputStream representing the configuration
0239: * @param out the PrintStream to which Errors messages should be logged
0240: * @exception Exception if there was an error while validating the configuration
0241: */
0242: public static void validate(InputStream xmlStream, PrintStream out)
0243: throws Exception {
0244: parseXmlStream(xmlStream, out);
0245: }
0246:
0247: /**
0248: * read an XWS-Security configuration representing a <code>xwss:SecurityConfiguration</code> element
0249: * and return a DeclarativeSecurityConfiguration instance.
0250: * @param xmlStream the InputStream for the configuration
0251: * @return a <code>DeclarativeSecurityConfiguration</code> corresponding to the configuration
0252: * @exception Exception if there was an error in creating the configuration
0253: */
0254: public static DeclarativeSecurityConfiguration createDeclarativeConfiguration(
0255: InputStream xmlStream) throws Exception {
0256: return readContainerForBaseConfigurationData(parseXmlStream(
0257: xmlStream).getDocumentElement(),
0258: new DeclarativeSecurityConfiguration());
0259: }
0260:
0261: /**
0262: * read an XWS-Security configuration representing an <code>xwss:JAXRPCSecurity</code> element
0263: * and return an ApplicationSecurityConfiguration instance.
0264: * @param xmlStream the InputStream for the configuration
0265: * @return an <code>ApplicationSecurityConfiguration</code> corresponding to the configuration
0266: * @exception Exception if there was an error in creating the configuration
0267: */
0268: public static ApplicationSecurityConfiguration createApplicationSecurityConfiguration(
0269: InputStream xmlStream) throws Exception {
0270: ApplicationSecurityConfiguration config = (ApplicationSecurityConfiguration) createSecurityConfiguration(parseXmlStream(
0271: xmlStream).getDocumentElement());
0272: config.init();
0273: return config;
0274: }
0275:
0276: private static DeclarativeSecurityConfiguration createDeclarativeConfiguration(
0277: Element configData) throws Exception {
0278: DeclarativeSecurityConfiguration declarations = new DeclarativeSecurityConfiguration();
0279: readContainerForBaseConfigurationData(configData, declarations);
0280: return declarations;
0281: }
0282:
0283: private static SecurityPolicy createSecurityConfiguration(
0284: Element configData) throws Exception {
0285:
0286: QName qname = getQName(configData);
0287:
0288: if (JAXRPC_SECURITY_ELEMENT_QNAME.equals(qname)) {
0289: ApplicationSecurityConfiguration declarations = new ApplicationSecurityConfiguration();
0290:
0291: String secEnvHandler = getSecurityEnvironmentHandler(configData);
0292: if (secEnvHandler != null)
0293: declarations
0294: .setSecurityEnvironmentHandler(secEnvHandler);
0295:
0296: if (!configHasSingleService(configData)) {
0297: throw new IllegalStateException(
0298: "Single <xwss:Service> element expected under <xwss:JAXRPCSecurity> element");
0299: }
0300:
0301: String optimize = configData
0302: .getAttribute(OPTIMIZE_ATTRIBUTE_NAME);
0303:
0304: boolean opt = Boolean.valueOf(optimize);
0305:
0306: declarations.isOptimized(opt);
0307:
0308: String retainSecHeader = configData
0309: .getAttribute(RETAIN_SEC_HEADER);
0310: declarations.retainSecurityHeader(Boolean
0311: .valueOf(retainSecHeader));
0312:
0313: Element previousDefinitionElement = null;
0314: Element eachDefinitionElement = getFirstChildElement(configData);
0315: int secEnvTagCount = 0;
0316: HashMap serviceNameMap = new HashMap();
0317:
0318: // we should encounter a single Sec-Env-Handler and one or more Services
0319: while (eachDefinitionElement != null) {
0320: QName definitionType = getQName(eachDefinitionElement);
0321:
0322: if (SERVICE_ELEMENT_QNAME.equals(definitionType)) {
0323: StaticApplicationContext jaxrpcSContext = new StaticApplicationContext();
0324:
0325: // when there are multiple services the name has to be unique
0326: String name = eachDefinitionElement
0327: .getAttribute(NAME_ATTRIBUTE_NAME);
0328: if (serviceNameMap.containsKey(name)) {
0329: //log
0330: throw new IllegalStateException("Service Name "
0331: + name
0332: + " Already in use for another Service");
0333: } else {
0334: serviceNameMap.put(name, null);
0335: }
0336:
0337: readApplicationSecurityConfiguration(
0338: eachDefinitionElement, declarations, null,
0339: jaxrpcSContext);
0340:
0341: } else if (SECURITY_ENVIRONMENT_HANDLER_ELEMENT_QNAME
0342: .equals(definitionType)) {
0343:
0344: if (secEnvTagCount == 1) {
0345: // log
0346: throw new IllegalStateException(
0347: "More than one xwss:SecurityEnvironmentHandler "
0348: + "element in security configuration file");
0349: }
0350: secEnvTagCount++;
0351:
0352: } else {
0353: log.log(Level.SEVERE,
0354: "WSS0413.illegal.configuration.element",
0355: eachDefinitionElement.getTagName());
0356: throw new IllegalStateException(
0357: eachDefinitionElement.getTagName()
0358: + " is not a recognized definition type");
0359: }
0360:
0361: previousDefinitionElement = eachDefinitionElement;
0362: eachDefinitionElement = getNextElement(eachDefinitionElement);
0363: }
0364:
0365: // check that the SecurityEnvironmentHandler was the last one
0366: // TODO: not sure if this check is required/enforced by schema
0367: QName definitionType = getQName(previousDefinitionElement);
0368: if (!SECURITY_ENVIRONMENT_HANDLER_ELEMENT_QNAME
0369: .equals(definitionType)) {
0370: // log
0371: throw new IllegalStateException(
0372: "The SecurityEnvironmentHandler must appear as "
0373: + "the last Element inside a <xwss:JAXRPCSecurity>");
0374: }
0375: // implementation optimization for most common case
0376: //declarations.configurationHasPorts(configHasPorts(configData));
0377: declarations
0378: .singleServiceNoPorts(configHasSingleServiceAndNoPorts(configData));
0379: declarations
0380: .hasOperationPolicies(configHasOperations(configData));
0381:
0382: return declarations;
0383:
0384: } else if (DECLARATIVE_CONFIGURATION_ELEMENT_QNAME
0385: .equals(qname)) {
0386: if (dynamicPolicy(configData)) {
0387: SecurityPolicy declarations = new DynamicSecurityPolicy();
0388: return declarations;
0389: }
0390: DeclarativeSecurityConfiguration declarations = new DeclarativeSecurityConfiguration();
0391: readContainerForBaseConfigurationData(configData,
0392: declarations);
0393: return declarations;
0394: } else {
0395: log.log(Level.SEVERE,
0396: "WSS0413.illegal.configuration.element", configData
0397: .getTagName());
0398: throw new IllegalStateException(configData.getTagName()
0399: + " is not a recognized definition type");
0400: }
0401: }
0402:
0403: /*
0404: * Need to be coupled with schema checks
0405: */
0406: private static void readApplicationSecurityConfiguration(
0407: Element configData, SecurityPolicy declarations,
0408: SecurityPolicy subDeclarations,
0409: StaticApplicationContext iContext) throws Exception {
0410:
0411: QName qname = getQName(configData);
0412:
0413: if (SERVICE_ELEMENT_QNAME.equals(qname)) {
0414:
0415: String id = getIdAttribute(configData);
0416: String name = configData.getAttribute(NAME_ATTRIBUTE_NAME);
0417: String useCache = configData
0418: .getAttribute(USECACHE_ATTRIBUTE_NAME);
0419:
0420: boolean isBSP = getBSPAttribute(configData, null);
0421:
0422: iContext.isService(true);
0423: iContext.setUUID(id);
0424: iContext.setServiceIdentifier(name);
0425:
0426: // temporary work-around for applicationId
0427: if (!"".equals(name)) {
0428: iContext.setApplicationContextRoot(name);
0429: } else if (!"".equals(id)) {
0430: iContext.setApplicationContextRoot(id);
0431: } else {
0432: iContext.setApplicationContextRoot(generateUUID());
0433: }
0434:
0435: ApplicationSecurityConfiguration innerDeclarations = new ApplicationSecurityConfiguration();
0436:
0437: innerDeclarations.isBSP(isBSP);
0438: innerDeclarations.useCache(parseBoolean(
0439: USECACHE_ATTRIBUTE_NAME, useCache));
0440:
0441: ((ApplicationSecurityConfiguration) declarations)
0442: .setSecurityPolicy(iContext, innerDeclarations);
0443:
0444: String secEnvHandler = getSecurityEnvironmentHandler(configData);
0445: if (secEnvHandler != null) {
0446: innerDeclarations
0447: .setSecurityEnvironmentHandler(secEnvHandler);
0448: } else if (((ApplicationSecurityConfiguration) declarations)
0449: .getSecurityEnvironmentHandler() != null) {
0450: innerDeclarations
0451: .setSecurityEnvironmentHandler(((ApplicationSecurityConfiguration) declarations)
0452: .getSecurityEnvironmentHandler());
0453: } else {
0454: throw new IllegalStateException(
0455: "Missing <xwss:SecurityEnvironmentHandler> element for "
0456: + qname.getLocalPart());
0457: }
0458:
0459: NodeList nl = configData.getChildNodes();
0460: for (int i = 0; i < nl.getLength(); i++) {
0461: // assuming all element nodes
0462: Node child = (Node) nl.item(i);
0463: if (child instanceof Element) {
0464: readApplicationSecurityConfiguration(
0465: (Element) child, declarations,
0466: innerDeclarations, iContext);
0467: }
0468: }
0469:
0470: } else if (PORT_ELEMENT_QNAME.equals(qname)) {
0471:
0472: if (subDeclarations == null) {
0473: throw new Exception(
0474: "Unexpected <xwss:Port> element without a parent "
0475: + "<xwss:Service> encountered");
0476: }
0477:
0478: String port = configData.getAttribute(NAME_ATTRIBUTE_NAME);
0479:
0480: StaticApplicationContext jContext = new StaticApplicationContext();
0481: jContext.copy(iContext);
0482: jContext.isPort(true);
0483: jContext.isService(false);
0484: jContext.setPortIdentifier(port);
0485:
0486: ApplicationSecurityConfiguration innerDeclarations = new ApplicationSecurityConfiguration();
0487:
0488: boolean isBSP = getBSPAttribute(configData,
0489: (ApplicationSecurityConfiguration) subDeclarations);
0490:
0491: innerDeclarations.isBSP(isBSP);
0492: innerDeclarations
0493: .setSecurityEnvironmentHandler(((ApplicationSecurityConfiguration) subDeclarations)
0494: .getSecurityEnvironmentHandler());
0495:
0496: ((ApplicationSecurityConfiguration) declarations)
0497: .setSecurityPolicy(jContext, innerDeclarations);
0498: ((ApplicationSecurityConfiguration) subDeclarations)
0499: .setSecurityPolicy(jContext, innerDeclarations);
0500:
0501: NodeList nl = configData.getChildNodes();
0502: for (int i = 0; i < nl.getLength(); i++) {
0503: // assuming all element nodes
0504: Node child = (Node) nl.item(i);
0505: if (child instanceof Element) {
0506: readApplicationSecurityConfiguration(
0507: (Element) child, declarations,
0508: innerDeclarations, jContext);
0509: }
0510: }
0511:
0512: } else if (OPERATION_ELEMENT_QNAME.equals(qname)) {
0513:
0514: String operation = configData
0515: .getAttribute(NAME_ATTRIBUTE_NAME);
0516:
0517: StaticApplicationContext kContext = new StaticApplicationContext();
0518:
0519: kContext.copy(iContext);
0520: kContext.isOperation(true);
0521: kContext.isPort(false);
0522: kContext.setOperationIdentifier(operation);
0523:
0524: ApplicationSecurityConfiguration innerDeclarations = new ApplicationSecurityConfiguration();
0525:
0526: ((ApplicationSecurityConfiguration) declarations)
0527: .setSecurityPolicy(kContext, innerDeclarations);
0528: ((ApplicationSecurityConfiguration) subDeclarations)
0529: .setSecurityPolicy(kContext, innerDeclarations);
0530:
0531: boolean isBSP = getBSPAttribute(configData,
0532: (ApplicationSecurityConfiguration) subDeclarations);
0533: innerDeclarations.isBSP(isBSP);
0534: innerDeclarations
0535: .setSecurityEnvironmentHandler(((ApplicationSecurityConfiguration) subDeclarations)
0536: .getSecurityEnvironmentHandler());
0537:
0538: NodeList nl = configData.getChildNodes();
0539: for (int i = 0; i < nl.getLength(); i++) {
0540: // assuming all element nodes
0541: Node child = (Node) nl.item(i);
0542: if (child instanceof Element) {
0543: readApplicationSecurityConfiguration(
0544: (Element) child, declarations,
0545: innerDeclarations, kContext);
0546: }
0547: }
0548:
0549: } else if (DECLARATIVE_CONFIGURATION_ELEMENT_QNAME
0550: .equals(qname)) {
0551:
0552: if (dynamicPolicy(configData)) {
0553: ((ApplicationSecurityConfiguration) subDeclarations)
0554: .setSecurityPolicy(iContext,
0555: new DynamicSecurityPolicy());
0556: }
0557:
0558: DeclarativeSecurityConfiguration innerDeclarations = new DeclarativeSecurityConfiguration();
0559:
0560: boolean isBSP = getBSPAttribute(configData,
0561: (ApplicationSecurityConfiguration) subDeclarations);
0562: innerDeclarations.isBSP(isBSP);
0563:
0564: ((ApplicationSecurityConfiguration) subDeclarations)
0565: .setSecurityPolicy(iContext, innerDeclarations);
0566:
0567: readContainerForBaseConfigurationData(
0568: configData,
0569: innerDeclarations,
0570: ((ApplicationSecurityConfiguration) subDeclarations)
0571: .getSecurityEnvironmentHandler());
0572:
0573: } else if (SECURITY_ENVIRONMENT_HANDLER_ELEMENT_QNAME
0574: .equals(qname)) {
0575:
0576: //TODO: check here that number of handler specified is not > 1
0577: if (!iContext.isService()) {
0578: // log
0579: throw new IllegalStateException(
0580: "An <xwss:SecurityEnvironmentHandler> can only appear"
0581: + "under a <xwss:Service>/<xwss:JAXRPCSecurity> element");
0582: }
0583: }
0584: }
0585:
0586: private static DeclarativeSecurityConfiguration readContainerForBaseConfigurationData(
0587: Element configData,
0588: DeclarativeSecurityConfiguration declarations)
0589: throws Exception {
0590: return readContainerForBaseConfigurationData(configData,
0591: declarations, null);
0592: }
0593:
0594: private static DeclarativeSecurityConfiguration readContainerForBaseConfigurationData(
0595: Element configData,
0596: DeclarativeSecurityConfiguration declarations,
0597: String securityHandlerClass) throws Exception {
0598:
0599: QName qname = getQName(configData);
0600:
0601: if (DECLARATIVE_CONFIGURATION_ELEMENT_QNAME.equals(qname)) {
0602:
0603: NamedNodeMap configurationAttributes = configData
0604: .getAttributes();
0605: int attributeCount = configurationAttributes.getLength();
0606: String attributeName = null;
0607:
0608: for (int index = 0; index < attributeCount; index++) {
0609: Attr configurationAttribute = (Attr) configurationAttributes
0610: .item(index);
0611: attributeName = configurationAttribute.getName();
0612:
0613: if (DUMP_MESSAGES_ATTRIBUTE_NAME
0614: .equalsIgnoreCase(attributeName)) {
0615: declarations.setDumpMessages(parseBoolean(
0616: DUMP_MESSAGES_ATTRIBUTE_NAME,
0617: configurationAttribute.getValue()));
0618:
0619: } else if (MessageConstants.NAMESPACES_NS
0620: .equals(configurationAttribute
0621: .getNamespaceURI())) {
0622: // Ignore namespace declaration
0623: } else if (ENABLE_DYNAMIC_POLICY_ATTRIBUTE_NAME
0624: .equalsIgnoreCase(attributeName)) {
0625: declarations.enableDynamicPolicy(parseBoolean(
0626: ENABLE_DYNAMIC_POLICY_ATTRIBUTE_NAME,
0627: configurationAttribute.getValue()));
0628: } else if (ENABLE_WSS11_POLICY_ATTRIBUTE_NAME
0629: .equalsIgnoreCase(attributeName)) {
0630: boolean wss11Enabled = parseBoolean(
0631: ENABLE_WSS11_POLICY_ATTRIBUTE_NAME,
0632: configurationAttribute.getValue());
0633: declarations.senderSettings().enableWSS11Policy(
0634: wss11Enabled);
0635: declarations.receiverSettings().enableWSS11Policy(
0636: wss11Enabled);
0637: } else if (RETAIN_SEC_HEADER
0638: .equalsIgnoreCase(attributeName)) {
0639: String retainSecHeader = configurationAttribute
0640: .getValue();
0641: declarations.retainSecurityHeader(Boolean
0642: .valueOf(retainSecHeader));
0643: } else {
0644: log.log(Level.SEVERE,
0645: "WSS0412.illegal.attribute.name",
0646: new Object[] { attributeName,
0647: configData.getTagName() });
0648: throw new IllegalStateException(
0649: attributeName
0650: + " is not a recognized attribute of SecurityConfiguration");
0651: }
0652: }
0653: readBaseConfigurationData(configData, declarations,
0654: securityHandlerClass);
0655: } else {
0656: log.log(Level.SEVERE,
0657: "WSS0413.illegal.configuration.element", configData
0658: .getTagName());
0659: throw new IllegalStateException(configData.getTagName()
0660: + " is not a recognized definition type");
0661: }
0662: return declarations;
0663: }
0664:
0665: private static void readBaseConfigurationData(Element configData,
0666: DeclarativeSecurityConfiguration declarations,
0667: String securityHandlerClass)
0668: throws PolicyGenerationException, XWSSecurityException {
0669:
0670: Element eachDefinitionElement = getFirstChildElement(configData);
0671: boolean timestampFound = false;
0672:
0673: boolean senderEnableDynamicPolicy = declarations
0674: .senderSettings().enableDynamicPolicy();
0675: boolean receiverEnableDynamicPolicy = declarations
0676: .receiverSettings().enableDynamicPolicy();
0677: boolean receiverBSPFlag = declarations.receiverSettings()
0678: .isBSP();
0679: //added for BackwardCompatibility with XWSS1.1, the xmlsec in XWSS11 cannot
0680: //accept PrefixList in CanonicalizationMethod parameters
0681: boolean senderBSPFlag = declarations.senderSettings().isBSP();
0682:
0683: while (eachDefinitionElement != null) {
0684: QName definitionType = getQName(eachDefinitionElement);
0685:
0686: if (TIMESTAMP_ELEMENT_QNAME.equals(definitionType)) {
0687:
0688: if (!timestampFound) {
0689: TimestampPolicy timestampPolicy = new TimestampPolicy();
0690: readTimestampSettings(timestampPolicy,
0691: eachDefinitionElement);
0692: applyDefaults(timestampPolicy,
0693: senderEnableDynamicPolicy);
0694: declarations.senderSettings().append(
0695: timestampPolicy);
0696: timestampFound = true;
0697: } else {
0698: log.log(Level.SEVERE,
0699: "WSS0516.duplicate.configuration.element",
0700: new Object[] { definitionType,
0701: configData.getLocalName() });
0702: throw new IllegalStateException(
0703: "Duplicate Timestamp element");
0704: }
0705:
0706: } else if (ENCRYPT_OPERATION_ELEMENT_QNAME
0707: .equals(definitionType)) {
0708:
0709: EncryptionPolicy encryptionPolicy = new EncryptionPolicy();
0710: readEncryptionSettings(encryptionPolicy,
0711: eachDefinitionElement);
0712: applyDefaults(encryptionPolicy,
0713: senderEnableDynamicPolicy);
0714: declarations.senderSettings().append(encryptionPolicy);
0715:
0716: } else if (SIGN_OPERATION_ELEMENT_QNAME
0717: .equals(definitionType)) {
0718: SignaturePolicy signaturePolicy = new SignaturePolicy();
0719: readSigningSettings(signaturePolicy,
0720: eachDefinitionElement,
0721: senderEnableDynamicPolicy);
0722: //declarations.senderSettings().append(signaturePolicy);
0723: //added for BackwardCompatibility with XWSS1.1, the xmlsec in XWSS11 cannot
0724: //accept PrefixList in CanonicalizationMethod parameters
0725: SignaturePolicy.FeatureBinding fb = (SignaturePolicy.FeatureBinding) signaturePolicy
0726: .getFeatureBinding();
0727: if (fb != null) {
0728: fb.isBSP(senderBSPFlag);
0729: }
0730: //end of XWSS11 BC fix
0731:
0732: String includeTimeStamp = eachDefinitionElement
0733: .getAttribute(INCLUDE_TIMESTAMP_ATTRIBUTE_NAME);
0734: boolean timeStamp = getBooleanValue(includeTimeStamp);
0735:
0736: if (timeStamp
0737: && !hasTimestampSiblingPolicy(eachDefinitionElement)) {
0738: //System.out.println("Adding from SIGN");
0739: TimestampPolicy t = new TimestampPolicy();
0740: t.setMaxClockSkew(Timestamp.MAX_CLOCK_SKEW);
0741: t
0742: .setTimestampFreshness(Timestamp.TIMESTAMP_FRESHNESS_LIMIT);
0743: applyDefaults(t, senderEnableDynamicPolicy);
0744: declarations.senderSettings().append(t);
0745: }
0746:
0747: declarations.senderSettings().append(signaturePolicy);
0748:
0749: } else if (USERNAME_PASSWORD_AUTHENTICATION_ELEMENT_QNAME
0750: .equals(definitionType)) {
0751:
0752: try {
0753: AuthenticationTokenPolicy utBinding = new AuthenticationTokenPolicy();
0754: AuthenticationTokenPolicy.UsernameTokenBinding featureBinding = (AuthenticationTokenPolicy.UsernameTokenBinding) utBinding
0755: .newUsernameTokenFeatureBinding();
0756: featureBinding.newTimestampFeatureBinding();
0757: readUsernamePasswordSettings(featureBinding,
0758: eachDefinitionElement);
0759: applyDefaults(featureBinding,
0760: senderEnableDynamicPolicy);
0761: declarations.senderSettings().append(utBinding);
0762: } catch (PolicyGenerationException pge) {
0763: // log
0764: throw new IllegalStateException(pge.getMessage());
0765: }
0766:
0767: } else if (SAML_ELEMENT_QNAME.equals(definitionType)) {
0768:
0769: try {
0770: AuthenticationTokenPolicy samlBinding = new AuthenticationTokenPolicy();
0771: AuthenticationTokenPolicy.SAMLAssertionBinding featureBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) samlBinding
0772: .newSAMLAssertionFeatureBinding();
0773: readSAMLTokenSettings(featureBinding,
0774: eachDefinitionElement);
0775: applyDefaults(featureBinding,
0776: senderEnableDynamicPolicy);
0777: declarations.senderSettings().append(samlBinding);
0778: } catch (PolicyGenerationException pge) {
0779: // log
0780: throw new IllegalStateException(pge.getMessage());
0781: }
0782: } else if (SIGNATURE_REQUIREMENT_ELEMENT_QNAME
0783: .equals(definitionType)) {
0784: SignaturePolicy signaturePolicy = new SignaturePolicy();
0785: readVerifySettings(signaturePolicy,
0786: eachDefinitionElement, receiverBSPFlag,
0787: receiverEnableDynamicPolicy);
0788: declarations.receiverSettings().append(signaturePolicy);
0789:
0790: String requireTimeStamp = eachDefinitionElement
0791: .getAttribute(TIMESTAMP_REQUIRED_ATTRIBUTE_NAME);
0792: boolean timeStamp = getBooleanValue(requireTimeStamp);
0793:
0794: if (timeStamp
0795: && !hasTimestampSiblingPolicy(eachDefinitionElement)) {
0796: //System.out.println("Adding from RequireSignature");
0797: TimestampPolicy t = new TimestampPolicy();
0798: //t.setMaxClockSkew(Timestamp.MAX_CLOCK_SKEW);
0799: //t.setTimestampFreshness(Timestamp.TIMESTAMP_FRESHNESS_LIMIT);
0800: applyReceiverDefaults(t, receiverBSPFlag,
0801: securityHandlerClass,
0802: receiverEnableDynamicPolicy);
0803: declarations.receiverSettings().append(t);
0804: }
0805:
0806: } else if (ENCRYPTION_REQUIREMENT_ELEMENT_QNAME
0807: .equals(definitionType)) {
0808: EncryptionPolicy encryptionPolicy = new EncryptionPolicy();
0809: readDecryptionSettings(encryptionPolicy,
0810: eachDefinitionElement);
0811: applyReceiverDefaults(encryptionPolicy,
0812: receiverBSPFlag, receiverEnableDynamicPolicy);
0813: declarations.receiverSettings()
0814: .append(encryptionPolicy);
0815:
0816: } else if (USERNAMETOKEN_REQUIREMENT_ELEMENT_QNAME
0817: .equals(definitionType)) {
0818: try {
0819: AuthenticationTokenPolicy utBinding = new AuthenticationTokenPolicy();
0820: AuthenticationTokenPolicy.UsernameTokenBinding featureBinding = (AuthenticationTokenPolicy.UsernameTokenBinding) utBinding
0821: .newUsernameTokenFeatureBinding();
0822: featureBinding.newTimestampFeatureBinding();
0823: readUsernamePasswordRequirementSettings(
0824: featureBinding, eachDefinitionElement);
0825: applyReceiverDefaults(featureBinding,
0826: receiverBSPFlag, securityHandlerClass,
0827: receiverEnableDynamicPolicy);
0828: declarations.receiverSettings().append(utBinding);
0829: if (MessageConstants.debug) {
0830: log.log(Level.FINEST,
0831: "Added usernameToken Requirement ...."
0832: + featureBinding);
0833: }
0834: } catch (PolicyGenerationException pge) {
0835: // log
0836: throw new IllegalStateException(pge.getMessage());
0837: }
0838: } else if (TIMESTAMP_REQUIREMENT_ELEMENT_QNAME
0839: .equals(definitionType)) {
0840:
0841: TimestampPolicy timestampPolicy = new TimestampPolicy();
0842: readTimestampRequirementSettings(timestampPolicy,
0843: eachDefinitionElement);
0844: applyReceiverDefaults(timestampPolicy, receiverBSPFlag,
0845: securityHandlerClass,
0846: receiverEnableDynamicPolicy);
0847: declarations.receiverSettings().append(timestampPolicy);
0848:
0849: } else if (SAML_REQUIREMENT_ELEMENT_QNAME
0850: .equals(definitionType)) {
0851:
0852: // read SAML requirement element
0853: try {
0854: AuthenticationTokenPolicy samlBinding = new AuthenticationTokenPolicy();
0855: AuthenticationTokenPolicy.SAMLAssertionBinding featureBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) samlBinding
0856: .newSAMLAssertionFeatureBinding();
0857: readRequireSAMLTokenSettings(featureBinding,
0858: eachDefinitionElement);
0859: applyReceiverDefaults(featureBinding,
0860: receiverBSPFlag,
0861: receiverEnableDynamicPolicy);
0862: declarations.receiverSettings().append(samlBinding);
0863: } catch (PolicyGenerationException pge) {
0864: // log
0865: throw new IllegalStateException(pge.getMessage());
0866: }
0867:
0868: } else if (OPTIONAL_TARGETS_ELEMENT_QNAME
0869: .equals(definitionType)) {
0870: readOptionalTargetSettings(declarations
0871: .receiverSettings(), eachDefinitionElement);
0872: } else {
0873: log.log(Level.SEVERE,
0874: "WSS0513.illegal.configuration.element",
0875: definitionType.toString());
0876: throw new IllegalStateException(definitionType
0877: + " is not a recognized definition type");
0878: }
0879:
0880: eachDefinitionElement = getNextElement(eachDefinitionElement);
0881: }
0882: }
0883:
0884: private static void readVerifySettings(
0885: SignaturePolicy signaturePolicy, Element signingSettings,
0886: boolean bsp, boolean dp) {
0887: readVerifySettings(signaturePolicy, signingSettings);
0888: applyReceiverDefaults(signaturePolicy, bsp, dp);
0889: String includeTimeStamp = signingSettings
0890: .getAttribute(TIMESTAMP_REQUIRED_ATTRIBUTE_NAME);
0891: boolean timeStamp = getBooleanValue(includeTimeStamp);
0892: if (timeStamp) {
0893: /*if (!hasTimestampSiblingPolicy(signingSettings)) {
0894: ((SignaturePolicy.FeatureBinding)signaturePolicy.getFeatureBinding())
0895: .includeTimestamp(timeStamp);
0896: } else {*/
0897: // add an Xpath target to existing singular timestamp
0898: SignatureTarget st = new SignatureTarget();
0899: st.setType("qname");
0900: st.setValue(MessageConstants.TIMESTAMP_QNAME);
0901: st.setDigestAlgorithm(DigestMethod.SHA1); //SHA1
0902: ((SignaturePolicy.FeatureBinding) signaturePolicy
0903: .getFeatureBinding()).addTargetBinding(st);
0904:
0905: //}
0906: }
0907: signaturePolicy.isBSP(bsp);
0908: }
0909:
0910: private static void readVerifySettings(
0911: SignaturePolicy signaturePolicy, Element signingSettings) {
0912: readSigningSettings(signaturePolicy, signingSettings);
0913: }
0914:
0915: private static void readSigningSettings(
0916: SignaturePolicy signaturePolicy, Element signingSettings,
0917: boolean enableDynamicPolicy) {
0918: readSigningSettings(signaturePolicy, signingSettings);
0919: applyDefaults(signaturePolicy, enableDynamicPolicy);
0920:
0921: String includeTimeStamp = signingSettings
0922: .getAttribute(INCLUDE_TIMESTAMP_ATTRIBUTE_NAME);
0923: boolean timeStamp = getBooleanValue(includeTimeStamp);
0924:
0925: if (timeStamp) {
0926: /*if (!hasTimestampSiblingPolicy(signingSettings)) {
0927: ((SignaturePolicy.FeatureBinding)signaturePolicy.getFeatureBinding())
0928: .includeTimestamp(timeStamp);
0929: } else {*/
0930: // add an Xpath target to existing singular timestamp
0931: SignatureTarget st = new SignatureTarget();
0932: st.setType("qname");
0933: st.setDigestAlgorithm(DigestMethod.SHA1); //SHA1
0934: st.setValue(MessageConstants.TIMESTAMP_QNAME);
0935: ((SignaturePolicy.FeatureBinding) signaturePolicy
0936: .getFeatureBinding()).addTargetBinding(st);
0937:
0938: //}
0939: }
0940: }
0941:
0942: private static boolean hasTimestampSiblingPolicy(Element signElement) {
0943: if (SIGN_OPERATION_ELEMENT_NAME.equals(signElement
0944: .getLocalName())) {
0945: Element signParent = (Element) signElement.getParentNode();
0946: NodeList timeStampNodes = signParent
0947: .getElementsByTagNameNS(
0948: ConfigurationConstants.CONFIGURATION_URL,
0949: TIMESTAMP_ELEMENT_NAME);
0950: if (timeStampNodes.getLength() > 0) {
0951: return true;
0952: }
0953: } else {
0954: Element signParent = (Element) signElement.getParentNode();
0955: NodeList timeStampNodes = signParent
0956: .getElementsByTagNameNS(
0957: ConfigurationConstants.CONFIGURATION_URL,
0958: TIMESTAMP_REQUIREMENT_ELEMENT_NAME);
0959: if (timeStampNodes.getLength() > 0) {
0960: return true;
0961: }
0962: NamedNodeMap requireTimestampAttrNode = null;
0963: Node requireSignatureNode = signElement
0964: .getPreviousSibling();
0965: while (requireSignatureNode != null) {
0966: if (SIGNATURE_REQUIREMENT_ELEMENT_NAME
0967: .equals(requireSignatureNode.getLocalName())) {
0968: requireTimestampAttrNode = requireSignatureNode
0969: .getAttributes();
0970: //If there is no requireTimestamp attrbute then the defaultvalue is true
0971: //System.out.println(requireTimestampAttrNode.getNamedItem(TIMESTAMP_REQUIRED_ATTRIBUTE_NAME));
0972: if ("true"
0973: .equalsIgnoreCase(requireTimestampAttrNode
0974: .getNamedItem(
0975: TIMESTAMP_REQUIRED_ATTRIBUTE_NAME)
0976: .getLocalName())) {
0977: return true;
0978: }
0979: }
0980: requireSignatureNode = requireSignatureNode
0981: .getPreviousSibling();
0982: }
0983:
0984: }
0985: return false;
0986: }
0987:
0988: /*
0989: */
0990: private static void readSigningSettings(
0991: SignaturePolicy signaturePolicy, Element signingSettings) {
0992:
0993: String id = getIdAttribute(signingSettings);
0994: signaturePolicy.setUUID(id);
0995: // Read sign attributes
0996: NamedNodeMap signingAttributes = signingSettings
0997: .getAttributes();
0998: int attributeCount = signingAttributes.getLength();
0999: String attributeName = null;
1000:
1001: for (int index = 0; index < attributeCount; index++) {
1002: Attr signingAttribute = (Attr) signingAttributes
1003: .item(index);
1004: attributeName = signingAttribute.getName();
1005: if (ID_ATTRIBUTE_NAME.equalsIgnoreCase(attributeName)) {
1006: // do nothing
1007: } else if (INCLUDE_TIMESTAMP_ATTRIBUTE_NAME
1008: .equalsIgnoreCase(attributeName)
1009: && (SIGN_OPERATION_ELEMENT_NAME
1010: .equals(signingSettings.getLocalName()))) {
1011: /*((SignaturePolicy.FeatureBinding)signaturePolicy.getFeatureBinding())
1012: .includeTimestamp(getBooleanValue
1013: (signingAttribute.getValue()));*/
1014: } else if (TIMESTAMP_REQUIRED_ATTRIBUTE_NAME
1015: .equalsIgnoreCase(attributeName)
1016: && (SIGNATURE_REQUIREMENT_ELEMENT_NAME
1017: .equals(signingSettings.getLocalName()))) {
1018: /*((SignaturePolicy.FeatureBinding)signaturePolicy.getFeatureBinding())
1019: .includeTimestamp(getBooleanValue
1020: (signingAttribute.getValue()));*/
1021: } else {
1022: log.log(Level.SEVERE, "WSS0512.illegal.attribute.name",
1023: new Object[] { attributeName,
1024: signingSettings.getTagName() });
1025: throw new IllegalStateException(attributeName
1026: + " is not a recognized attribute of "
1027: + signingSettings.getTagName());
1028: }
1029: }
1030:
1031: Element eachSubElement = getFirstChildElement(signingSettings);
1032: int keyBearingTokensSeen = 0;
1033:
1034: while (eachSubElement != null) {
1035: QName subElementQName = getQName(eachSubElement);
1036:
1037: if (TARGET_QNAME.equals(subElementQName)) {
1038: SignaturePolicy.FeatureBinding featureBinding = (SignaturePolicy.FeatureBinding) signaturePolicy
1039: .getFeatureBinding();
1040: featureBinding.addTargetBinding(readTargetSettings(
1041: eachSubElement, true));
1042: } else if (X509TOKEN_ELEMENT_QNAME.equals(subElementQName)) {
1043: if (keyBearingTokensSeen > 0) {
1044: log.log(Level.SEVERE,
1045: "WSS0520.illegal.configuration.state");
1046: throw new IllegalStateException(
1047: "Atmost one of X509token/SymmetricKey/SAMLAssertion "
1048: + " key bindings can be configured "
1049: + "for an Sign/RequireSignature operation");
1050: }
1051: keyBearingTokensSeen++;
1052: readX509TokenSettings(
1053: (AuthenticationTokenPolicy.X509CertificateBinding) signaturePolicy
1054: .newX509CertificateKeyBinding(),
1055: eachSubElement);
1056: } else if (SYMMETRIC_KEY_ELEMENT_QNAME
1057: .equals(subElementQName)) {
1058: if (keyBearingTokensSeen > 0) {
1059: log.log(Level.SEVERE,
1060: "WSS0520.illegal.configuration.state");
1061: throw new IllegalStateException(
1062: "Atmost one of X509token/SymmetricKey/SAMLAssertion "
1063: + " key bindings can be configured "
1064: + "for an Sign/RequireSignature operation");
1065: }
1066: keyBearingTokensSeen++;
1067: readSymmetricKeySettings(
1068: (SymmetricKeyBinding) signaturePolicy
1069: .newSymmetricKeyBinding(),
1070: eachSubElement);
1071: } else if (SAML_ELEMENT_QNAME.equals(subElementQName)) {
1072: if (keyBearingTokensSeen > 0) {
1073: log.log(Level.SEVERE,
1074: "WSS0520.illegal.configuration.state");
1075: throw new IllegalStateException(
1076: "Atmost one of X509token/SymmetricKey/SAMLAssertion "
1077: + " key bindings can be configured "
1078: + "for an Sign/RequireSignature operation");
1079: }
1080: keyBearingTokensSeen++;
1081: readSAMLTokenSettings(
1082: (AuthenticationTokenPolicy.SAMLAssertionBinding) signaturePolicy
1083: .newSAMLAssertionKeyBinding(),
1084: eachSubElement);
1085: } else if (SIGNATURE_TARGET_ELEMENT_QNAME
1086: .equals(subElementQName)) {
1087: SignaturePolicy.FeatureBinding featureBinding = (SignaturePolicy.FeatureBinding) signaturePolicy
1088: .getFeatureBinding();
1089: featureBinding
1090: .addTargetBinding(readSignatureTargetSettings(eachSubElement));
1091: } else if (CANONICALIZATION_METHOD_ELEMENT_QNAME
1092: .equals(subElementQName)) {
1093: readCanonMethodSettings(signaturePolicy, eachSubElement);
1094: } else if (SIGNATURE_METHOD_ELEMENT_QNAME
1095: .equals(subElementQName)) {
1096: readSigMethodSettings(signaturePolicy, eachSubElement);
1097: } else {
1098: log.log(Level.SEVERE,
1099: "WSS0513.illegal.configuration.element",
1100: subElementQName.toString());
1101: throw new IllegalStateException(
1102: subElementQName
1103: + " is not a recognized sub-element of Sign/RequireSignature");
1104: }
1105: eachSubElement = getNextElement(eachSubElement);
1106: }
1107: }
1108:
1109: /*
1110: * TODO: was the keyAlias an optional attribute in last release
1111: */
1112: private static void readSymmetricKeySettings(
1113: SymmetricKeyBinding keyBinding, Element symmKeyElement) {
1114:
1115: NamedNodeMap symmKeyAttributes = symmKeyElement.getAttributes();
1116: int attributeCount = symmKeyAttributes.getLength();
1117: String attributeName = null;
1118:
1119: if (attributeCount == 0) {
1120: throw new IllegalStateException(
1121: "A SymmetricKey must specify keyAlias, certAlias or useReceivedSecret as an attribute");
1122: }
1123:
1124: for (int index = 0; index < attributeCount; index++) {
1125: Attr symmKeyAttribute = (Attr) symmKeyAttributes
1126: .item(index);
1127: attributeName = symmKeyAttribute.getName();
1128:
1129: if (SYMMETRIC_KEY_ALIAS_ATTRIBUTE_NAME
1130: .equalsIgnoreCase(attributeName)) {
1131: keyBinding
1132: .setKeyIdentifier(symmKeyAttribute.getValue());
1133: } else if ("certAlias".equalsIgnoreCase(attributeName)) {
1134: keyBinding.setCertAlias(symmKeyAttribute.getValue());
1135: } else if ("useReceivedSecret"
1136: .equalsIgnoreCase(attributeName)) {
1137: try {
1138: keyBinding
1139: .setUseReceivedSecret(parseBoolean(
1140: attributeName, symmKeyAttribute
1141: .getValue()));
1142: } catch (Exception e) {
1143: e.printStackTrace();
1144: }
1145: } else {
1146: log.log(Level.SEVERE, "WSS0512.illegal.attribute.name",
1147: new Object[] { attributeName,
1148: "xwss:SymmetricKey" });
1149: throw new IllegalStateException(
1150: attributeName
1151: + " is not a recognized attribute of SymmetricKey");
1152: }
1153: }
1154: }
1155:
1156: /*
1157: * TODO: Make use of MessageConstants.<appropriateStrategyConstant>
1158: */
1159: private static void readX509TokenSettings(
1160: AuthenticationTokenPolicy.X509CertificateBinding keyBinding,
1161: Element token) {
1162: keyBinding.newPrivateKeyBinding();
1163: String id = getIdAttribute(token);
1164: keyBinding.setUUID(id);
1165:
1166: NamedNodeMap tokenAttributes = token.getAttributes();
1167: int attributeCount = tokenAttributes.getLength();
1168: String attributeName = null;
1169: for (int index = 0; index < attributeCount; index++) {
1170: Attr tokenAttribute = (Attr) tokenAttributes.item(index);
1171: attributeName = tokenAttribute.getName();
1172:
1173: if (ID_ATTRIBUTE_NAME.equalsIgnoreCase(attributeName)) {
1174: //do nothing
1175: } else if (KEY_REFERENCE_TYPE_ATTRIBUTE_NAME
1176: .equalsIgnoreCase(attributeName)) {
1177: String keyReferenceStrategy = tokenAttribute.getValue();
1178: keyBinding.setReferenceType(keyReferenceStrategy);
1179:
1180: } else if (CERTIFICATE_ALIAS_ATTRIBUTE_NAME
1181: .equalsIgnoreCase(attributeName)) {
1182: String certificateAlias = tokenAttribute.getValue();
1183: keyBinding.setCertificateIdentifier(certificateAlias);
1184: } else if (ENCODING_TYPE_ATTRIBUTE_NAME
1185: .equalsIgnoreCase(attributeName)) {
1186: String encodingType = tokenAttribute.getValue();
1187: keyBinding.setEncodingType(encodingType);
1188: } else if (VALUE_TYPE_ATTRIBUTE_NAME
1189: .equalsIgnoreCase(attributeName)) {
1190: String valueType = tokenAttribute.getValue();
1191: keyBinding.setValueType(valueType);
1192: } else if (STRID.equalsIgnoreCase(attributeName)) {
1193: String strid = tokenAttribute.getValue();
1194: keyBinding.setSTRID(strid);
1195: } else {
1196: log
1197: .log(Level.SEVERE,
1198: "WSS0512.illegal.attribute.name",
1199: new Object[] { attributeName,
1200: "xwss:X509Token" });
1201: throw new IllegalStateException(attributeName
1202: + " is not a recognized attribute of X509Token");
1203: }
1204: }
1205: }
1206:
1207: /*
1208: */
1209: private static void readOptionalTargetSettings(
1210: MessagePolicy requirements, Element optionalTargetSettings)
1211: throws XWSSecurityException {
1212: ArrayList targets = new ArrayList();
1213: Element eachSubElement = getFirstChildElement(optionalTargetSettings);
1214: while (eachSubElement != null) {
1215: QName subElementQName = getQName(eachSubElement);
1216:
1217: if (TARGET_QNAME.equals(subElementQName)) {
1218: Target t = new Target();
1219: t.setEnforce(false);
1220: Target t1 = readTargetSettings(eachSubElement, t);
1221: targets.add(t1);
1222: } else {
1223: log.log(Level.SEVERE,
1224: "WSS0513.illegal.configuration.element",
1225: subElementQName.toString());
1226: throw new IllegalStateException(
1227: subElementQName
1228: + " is not a recognized sub-element of OptionalTargets");
1229: }
1230: eachSubElement = getNextElement(eachSubElement);
1231: }
1232:
1233: requirements.addOptionalTargets(targets);
1234: //call iterator once to update the optional targets into policies
1235: requirements.iterator();
1236: }
1237:
1238: private static void readDecryptionSettings(
1239: EncryptionPolicy encryptionPolicy,
1240: Element encryptionSettings) {
1241: readEncryptionSettings(encryptionPolicy, encryptionSettings);
1242: }
1243:
1244: /*
1245: */
1246: private static void readEncryptionSettings(
1247: EncryptionPolicy encryptionPolicy,
1248: Element encryptionSettings) {
1249:
1250: String id = getIdAttribute(encryptionSettings);
1251: encryptionPolicy.setUUID(id);
1252:
1253: // read attributes
1254: NamedNodeMap encryptAttributes = encryptionSettings
1255: .getAttributes();
1256: int attributeCount = encryptAttributes.getLength();
1257:
1258: String attributeName = null;
1259:
1260: for (int index = 0; index < attributeCount; index++) {
1261: Attr encAttr = (Attr) encryptAttributes.item(index);
1262: attributeName = encAttr.getName();
1263:
1264: if (ID_ATTRIBUTE_NAME.equalsIgnoreCase(attributeName)) {
1265: //do nothing
1266: } else {
1267: log.log(Level.SEVERE, "WSS0512.illegal.attribute.name",
1268: new Object[] { attributeName,
1269: encryptionSettings.getTagName() });
1270: throw new IllegalStateException(attributeName
1271: + " is not a recognized attribute of "
1272: + encryptionSettings.getTagName());
1273: }
1274: }
1275:
1276: // read sub-elements
1277: int keyBearingTokensSeen = 0;
1278:
1279: Element eachSubElement = getFirstChildElement(encryptionSettings);
1280: while (eachSubElement != null) {
1281: QName subElementQName = getQName(eachSubElement);
1282:
1283: if (TARGET_QNAME.equals(subElementQName)) {
1284: EncryptionPolicy.FeatureBinding featureBinding = (EncryptionPolicy.FeatureBinding) encryptionPolicy
1285: .getFeatureBinding();
1286: featureBinding.addTargetBinding(readTargetSettings(
1287: eachSubElement, false));
1288: } else if (X509TOKEN_ELEMENT_QNAME.equals(subElementQName)) {
1289: if (keyBearingTokensSeen > 0) {
1290: log.log(Level.SEVERE,
1291: "WSS0520.illegal.configuration.state");
1292: throw new IllegalStateException(
1293: "Atmost one of X509token/SymmetricKey/SAMLAssertion "
1294: + " key bindings can be configured "
1295: + "for an Encrypt/RequireEncryption operation");
1296: }
1297: keyBearingTokensSeen++;
1298: readX509TokenSettings(
1299: (AuthenticationTokenPolicy.X509CertificateBinding) encryptionPolicy
1300: .newX509CertificateKeyBinding(),
1301: eachSubElement);
1302: } else if (SYMMETRIC_KEY_ELEMENT_QNAME
1303: .equals(subElementQName)) {
1304: if (keyBearingTokensSeen > 0) {
1305: log.log(Level.SEVERE,
1306: "WSS0520.illegal.configuration.state");
1307: throw new IllegalStateException(
1308: "Atmost one of X509token/SymmetricKey/SAMLAssertion "
1309: + " key bindings can be configured "
1310: + "for an Encrypt/RequireEncryption operation");
1311: }
1312: keyBearingTokensSeen++;
1313: readSymmetricKeySettings(
1314: (SymmetricKeyBinding) encryptionPolicy
1315: .newSymmetricKeyBinding(),
1316: eachSubElement);
1317: } else if (SAML_ELEMENT_QNAME.equals(subElementQName)) {
1318: if (keyBearingTokensSeen > 0) {
1319: log.log(Level.SEVERE,
1320: "WSS0520.illegal.configuration.state");
1321: throw new IllegalStateException(
1322: "Atmost one of X509token/SymmetricKey/SAMLAssertion "
1323: + " key bindings can be configured "
1324: + "for an Encrypt/RequireEncryption operation");
1325: }
1326: keyBearingTokensSeen++;
1327: readSAMLTokenSettings(
1328: (AuthenticationTokenPolicy.SAMLAssertionBinding) encryptionPolicy
1329: .newSAMLAssertionKeyBinding(),
1330: eachSubElement);
1331: } else if (ENCRYPTION_TARGET_ELEMENT_QNAME
1332: .equals(subElementQName)) {
1333: EncryptionPolicy.FeatureBinding featureBinding = (EncryptionPolicy.FeatureBinding) encryptionPolicy
1334: .getFeatureBinding();
1335: featureBinding
1336: .addTargetBinding(readEncryptionTargetSettings(eachSubElement));
1337: } else if (KEY_ENCRYPTION_METHOD_ELEMENT_QNAME
1338: .equals(subElementQName)) {
1339: readKeyEncMethodSettings(encryptionPolicy,
1340: eachSubElement);
1341: } else if (DATA_ENCRYPTION_METHOD_ELEMENT_QNAME
1342: .equals(subElementQName)) {
1343: readDataEncMethodSettings(encryptionPolicy,
1344: eachSubElement);
1345: } else {
1346: log.log(Level.SEVERE,
1347: "WSS0513.illegal.configuration.element",
1348: subElementQName.toString());
1349: throw new IllegalStateException(
1350: subElementQName
1351: + " is not a recognized sub-element of Encrypt/RequireEncryption");
1352: }
1353: eachSubElement = getNextElement(eachSubElement);
1354: }
1355:
1356: }
1357:
1358: private static void readKeyEncMethodSettings(
1359: EncryptionPolicy encryptionPolicy, Element keyEncSettings) {
1360: String algorithm = keyEncSettings
1361: .getAttribute(ALGORITHM_ATTRIBUTE_NAME);
1362: if ("".equals(algorithm)) {
1363: throw new IllegalArgumentException(
1364: "Empty/Missing algorithm attribute on "
1365: + keyEncSettings.getTagName());
1366:
1367: }
1368: checkCompatibility(algorithm, keyEncSettings);
1369: SecurityPolicy keyBinding = encryptionPolicy.getKeyBinding();
1370: if (keyBinding == null) {
1371: keyBinding = encryptionPolicy
1372: .newX509CertificateKeyBinding();
1373: ((AuthenticationTokenPolicy.X509CertificateBinding) keyBinding)
1374: .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
1375: }
1376: setKeyAlgorithm(keyBinding, algorithm);
1377: }
1378:
1379: private static void checkCompatibility(String keyEncAlgo,
1380: Element keyEncSettings) {
1381: if (MessageConstants.RSA_OAEP_KEY_TRANSPORT.equals(keyEncAlgo)
1382: || MessageConstants.RSA_15_KEY_TRANSPORT
1383: .equals(keyEncAlgo)) {
1384: /* if (!hasX509Sibling(keyEncSettings)) {
1385: // log
1386: throw new IllegalStateException("Missing X509Token/SAML key association for " +
1387: KEY_ENCRYPTION_METHOD_ELEMENT_NAME + " " + keyEncAlgo);
1388: }*/
1389: if (hasSymmetricKeySibling(keyEncSettings)) {
1390: // log
1391: throw new IllegalStateException(
1392: "Invalid SymmetricKey association specified for "
1393: + KEY_ENCRYPTION_METHOD_ELEMENT_NAME
1394: + " "
1395: + keyEncAlgo
1396: + ", required X509Token/SAML key association");
1397: }
1398: } else if (MessageConstants.TRIPLE_DES_KEY_WRAP
1399: .equals(keyEncAlgo)
1400: || keyEncAlgo
1401: .startsWith("http://www.w3.org/2001/04/xmlenc#kw-aes")) {
1402:
1403: if (!hasSymmetricKeySibling(keyEncSettings)) {
1404: // log
1405: throw new IllegalStateException(
1406: "Missing SymmetricKey association for "
1407: + KEY_ENCRYPTION_METHOD_ELEMENT_NAME
1408: + " " + keyEncAlgo);
1409: }
1410:
1411: if (hasX509Sibling(keyEncSettings)) {
1412: // log
1413: throw new IllegalStateException(
1414: "Invalid X509Token/SAML key association specified for "
1415: + KEY_ENCRYPTION_METHOD_ELEMENT_NAME
1416: + " "
1417: + keyEncAlgo
1418: + ", required SymmetricKey association");
1419: }
1420: } else {
1421: throw new IllegalArgumentException(
1422: "Invalid/Unsupported Algorithm " + keyEncAlgo
1423: + " specified for "
1424: + KEY_ENCRYPTION_METHOD_ELEMENT_NAME);
1425: }
1426: }
1427:
1428: //TODO : Add SAML support here later. An HOK assertion here can serve the same purpose
1429: private static boolean hasX509Sibling(Element keyEncSettings) {
1430: Element parent = (Element) keyEncSettings.getParentNode();
1431: NodeList x509Nodes = parent.getElementsByTagNameNS(
1432: ConfigurationConstants.CONFIGURATION_URL,
1433: X509TOKEN_ELEMENT_NAME);
1434: if (x509Nodes.getLength() > 0) {
1435: return true;
1436: }
1437: return false;
1438: }
1439:
1440: private static boolean hasSymmetricKeySibling(Element keyEncSettings) {
1441: Element parent = (Element) keyEncSettings.getParentNode();
1442: NodeList symKeyNodes = parent.getElementsByTagNameNS(
1443: ConfigurationConstants.CONFIGURATION_URL,
1444: SYMMETRIC_KEY_ELEMENT_NAME);
1445: if (symKeyNodes.getLength() > 0) {
1446: return true;
1447: }
1448: return false;
1449: }
1450:
1451: private static void setDefaultKeyAlgorithm(
1452: SecurityPolicy keyBinding, String algorithm) {
1453:
1454: if (PolicyTypeUtil.samlTokenPolicy(keyBinding)) {
1455: AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) keyBinding;
1456: if ("".equals(samlBinding.getKeyAlgorithm()))
1457: samlBinding.setKeyAlgorithm(algorithm);
1458: } else if (PolicyTypeUtil.x509CertificateBinding(keyBinding)) {
1459: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = (AuthenticationTokenPolicy.X509CertificateBinding) keyBinding;
1460: if ("".equals(x509Binding.getKeyAlgorithm()))
1461: x509Binding.setKeyAlgorithm(algorithm);
1462: } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding)) {
1463: SymmetricKeyBinding symBinding = (SymmetricKeyBinding) keyBinding;
1464: if ("".equals(symBinding.getKeyAlgorithm()))
1465: symBinding.setKeyAlgorithm(algorithm);
1466: } else {
1467: throw new IllegalArgumentException("Unknown Key Type "
1468: + keyBinding.getClass().getName());
1469: }
1470: }
1471:
1472: private static void setKeyAlgorithm(SecurityPolicy keyBinding,
1473: String algorithm) {
1474:
1475: if (PolicyTypeUtil.samlTokenPolicy(keyBinding)) {
1476: AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) keyBinding;
1477: samlBinding.setKeyAlgorithm(algorithm);
1478: } else if (PolicyTypeUtil.x509CertificateBinding(keyBinding)) {
1479: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = (AuthenticationTokenPolicy.X509CertificateBinding) keyBinding;
1480: x509Binding.setKeyAlgorithm(algorithm);
1481: if (MessageConstants.HMAC_SHA1_SIGMETHOD.equals(algorithm)) {
1482: String certAlias = x509Binding
1483: .getCertificateIdentifier();
1484: if (certAlias == null || certAlias.equals("")) {
1485: throw new IllegalArgumentException(
1486: "The certificate Alias should be set when algorithm is:"
1487: + algorithm);
1488: }
1489: }
1490: } else if (PolicyTypeUtil.symmetricKeyBinding(keyBinding)) {
1491: SymmetricKeyBinding symBinding = (SymmetricKeyBinding) keyBinding;
1492: symBinding.setKeyAlgorithm(algorithm);
1493: } else {
1494: throw new IllegalArgumentException("Unknown Key Type "
1495: + keyBinding.getClass().getName());
1496: }
1497: }
1498:
1499: private static void readDataEncMethodSettings(
1500: EncryptionPolicy encryptionPolicy, Element dataEncSettings) {
1501: String algorithm = dataEncSettings
1502: .getAttribute(ALGORITHM_ATTRIBUTE_NAME);
1503: if ("".equals(algorithm)) {
1504: throw new IllegalArgumentException(
1505: "Empty/Missing algorithm attribute on "
1506: + dataEncSettings.getTagName());
1507:
1508: }
1509: EncryptionPolicy.FeatureBinding featureBinding = (EncryptionPolicy.FeatureBinding) encryptionPolicy
1510: .getFeatureBinding();
1511: featureBinding.setDataEncryptionAlgorithm(algorithm);
1512: }
1513:
1514: private static void readCanonMethodSettings(
1515: SignaturePolicy signaturePolicy, Element canonSettings) {
1516: String algorithm = canonSettings
1517: .getAttribute(ALGORITHM_ATTRIBUTE_NAME);
1518: boolean disableInclusivePrefix = false;
1519: try {
1520: disableInclusivePrefix = parseBoolean(
1521: DISABLE_INCLUSIVE_PREFIX, canonSettings
1522: .getAttribute(DISABLE_INCLUSIVE_PREFIX));
1523: } catch (Exception e) {
1524: e.printStackTrace();
1525: }
1526: if ("".equals(algorithm)) {
1527: throw new IllegalArgumentException(
1528: "Empty/Missing algorithm attribute on "
1529: + canonSettings.getTagName());
1530:
1531: }
1532: SignaturePolicy.FeatureBinding featureBinding = (SignaturePolicy.FeatureBinding) signaturePolicy
1533: .getFeatureBinding();
1534: featureBinding.setCanonicalizationAlgorithm(algorithm);
1535: featureBinding
1536: .setDisbaleInclusivePrefix(disableInclusivePrefix);
1537: }
1538:
1539: private static void readSigMethodSettings(
1540: SignaturePolicy signaturePolicy, Element sigMethodSettings) {
1541: String algorithm = sigMethodSettings
1542: .getAttribute(ALGORITHM_ATTRIBUTE_NAME);
1543: if ("".equals(algorithm)) {
1544: throw new IllegalArgumentException(
1545: "Empty/Missing algorithm attribute on "
1546: + sigMethodSettings.getTagName());
1547:
1548: }
1549:
1550: SecurityPolicy keyBinding = signaturePolicy.getKeyBinding();
1551: if (keyBinding == null) {
1552: keyBinding = signaturePolicy.newX509CertificateKeyBinding();
1553: ((AuthenticationTokenPolicy.X509CertificateBinding) keyBinding)
1554: .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
1555: }
1556: setKeyAlgorithm(keyBinding, algorithm);
1557: }
1558:
1559: private static QName getQName(Node element) {
1560: return new QName(element.getNamespaceURI(), element
1561: .getLocalName());
1562: }
1563:
1564: private static Element getFirstChildElement(Node node) {
1565: Node nextSibling = node.getFirstChild();
1566: while (nextSibling != null) {
1567: if (nextSibling instanceof Element) {
1568: break;
1569: }
1570: nextSibling = nextSibling.getNextSibling();
1571: }
1572: return (Element) nextSibling;
1573: }
1574:
1575: private static Element getNextElement(Node node) {
1576: Node nextSibling = node;
1577: while (nextSibling != null) {
1578: nextSibling = nextSibling.getNextSibling();
1579: if (nextSibling instanceof Element) {
1580: break;
1581: }
1582: }
1583: return (Element) nextSibling;
1584: }
1585:
1586: private static class ErrorHandler extends DefaultHandler {
1587: PrintStream out;
1588:
1589: public ErrorHandler(PrintStream out) {
1590: this .out = out;
1591: }
1592:
1593: public void error(SAXParseException e) throws SAXException {
1594: if (out != null)
1595: out.println(e);
1596: throw e;
1597: }
1598:
1599: public void warning(SAXParseException e) throws SAXException {
1600: if (out != null)
1601: out.println(e);
1602: else
1603: ;// log
1604: }
1605:
1606: public void fatalError(SAXParseException e) throws SAXException {
1607: if (out != null)
1608: out.println(e);
1609: throw e;
1610: }
1611: }
1612:
1613: private static boolean parseBoolean(String attr, String value)
1614: throws Exception {
1615: if ("1".equals(value) || "true".equalsIgnoreCase(value)) {
1616: return true;
1617: } else if ("0".equals(value) || "false".equalsIgnoreCase(value)) {
1618: return false;
1619: } else {
1620: log.log(Level.SEVERE, "WSS0511.illegal.boolean.value",
1621: value);
1622: throw new Exception("Boolean attribute " + attr
1623: + " has value other than 'true' or 'false'");
1624: }
1625: }
1626:
1627: private static long parseLong(String str) {
1628: if (!"".equals(str)) {
1629: String ret = str;
1630: int idx = str.indexOf(".");
1631: if (idx > 0) {
1632: ret = str.substring(0, idx);
1633: }
1634: return Long.parseLong(ret);
1635: }
1636: return 0;
1637: }
1638:
1639: private static void readTimestampSettings(TimestampPolicy policy,
1640: Element timestampSettings) {
1641: String id = getIdAttribute(timestampSettings);
1642: policy.setUUID(id);
1643: String timeout = timestampSettings
1644: .getAttribute(TIMEOUT_ATTRIBUTE_NAME);
1645: policy.setTimeout(parseLong(timeout) * 1000);
1646:
1647: Element someElement = getFirstChildElement(timestampSettings);
1648: if (someElement != null) {
1649: log.log(Level.SEVERE,
1650: "WSS0513.illegal.configuration.element",
1651: getQName(someElement));
1652: throw new IllegalStateException(getQName(someElement)
1653: + " is not a recognized sub-element of Timestamp");
1654: }
1655: }
1656:
1657: private static void readTimestampRequirementSettings(
1658: TimestampPolicy policy, Element timestampSettings) {
1659: String id = getIdAttribute(timestampSettings);
1660: policy.setUUID(id);
1661:
1662: String maxClockSkew = timestampSettings
1663: .getAttribute(MAX_CLOCK_SKEW);
1664: String timestampFreshness = timestampSettings
1665: .getAttribute(TIMESTAMP_FRESHNESS_LIMIT);
1666:
1667: //set them on the policy
1668: policy.setMaxClockSkew(parseLong(maxClockSkew) * 1000);
1669: policy
1670: .setTimestampFreshness(parseLong(timestampFreshness) * 1000);
1671:
1672: Element someElement = getFirstChildElement(timestampSettings);
1673: if (someElement != null) {
1674: log.log(Level.SEVERE,
1675: "WSS0513.illegal.configuration.element",
1676: getQName(someElement));
1677: throw new IllegalStateException(
1678: getQName(someElement)
1679: + " is not a recognized sub-element of RequireTimestamp");
1680: }
1681: }
1682:
1683: /*
1684: */
1685: private static void readUsernamePasswordSettings(
1686: AuthenticationTokenPolicy.UsernameTokenBinding utBinding,
1687: Element usernamePasswordSettings) {
1688:
1689: String id = getIdAttribute(usernamePasswordSettings);
1690: utBinding.setUUID(id);
1691:
1692: NamedNodeMap usernameAttributes = usernamePasswordSettings
1693: .getAttributes();
1694: int attributeCount = usernameAttributes.getLength();
1695:
1696: String attributeName = null;
1697:
1698: for (int index = 0; index < attributeCount; index++) {
1699: Attr usernamePasswordAttribute = (Attr) usernameAttributes
1700: .item(index);
1701:
1702: attributeName = usernamePasswordAttribute.getName();
1703: if (ID_ATTRIBUTE_NAME.equalsIgnoreCase(attributeName)) {
1704: utBinding.setUUID(usernamePasswordAttribute.getValue());
1705: } else if (USERNAME_ATTRIBUTE_NAME
1706: .equalsIgnoreCase(attributeName)) {
1707: utBinding.setUsername(usernamePasswordAttribute
1708: .getValue());
1709: } else if (PASSWORD_ATTRIBUTE_NAME
1710: .equalsIgnoreCase(attributeName)) {
1711: utBinding.setPassword(usernamePasswordAttribute
1712: .getValue());
1713: } else if (USE_NONCE_ATTRIBUTE_NAME
1714: .equalsIgnoreCase(attributeName)) {
1715: utBinding
1716: .setUseNonce(getBooleanValue(usernamePasswordAttribute
1717: .getValue()));
1718: } else if (DIGEST_PASSWORD_ATTRIBUTE_NAME
1719: .equalsIgnoreCase(attributeName)) {
1720: utBinding
1721: .setDigestOn(getBooleanValue(usernamePasswordAttribute
1722: .getValue()));
1723: } else {
1724: log
1725: .log(Level.SEVERE,
1726: "WSS0512.illegal.attribute.name",
1727: new Object[] {
1728: attributeName,
1729: usernamePasswordSettings
1730: .getTagName() });
1731: throw new IllegalStateException(
1732: attributeName
1733: + " is not a recognized attribute of UsernameToken");
1734: }
1735:
1736: }
1737: if (utBinding.getDigestOn() && !utBinding.getUseNonce()) {
1738: throw new IllegalStateException(
1739: "useNonce attribute must be true if digestPassword is true");
1740: }
1741:
1742: Element someElement = getFirstChildElement(usernamePasswordSettings);
1743: if (someElement != null) {
1744: log.log(Level.SEVERE,
1745: "WSS0513.illegal.configuration.element",
1746: getQName(someElement));
1747: throw new IllegalStateException(
1748: getQName(someElement)
1749: + " is not a recognized sub-element of UsernameToken");
1750: }
1751: }
1752:
1753: /*
1754: */
1755: private static void readUsernamePasswordRequirementSettings(
1756: AuthenticationTokenPolicy.UsernameTokenBinding utBinding,
1757: Element authenticateUserSettings) {
1758:
1759: String id = getIdAttribute(authenticateUserSettings);
1760: utBinding.setUUID(id);
1761:
1762: //set them on the policy
1763: TimestampPolicy tPolicy = null;
1764: try {
1765: tPolicy = (TimestampPolicy) utBinding
1766: .newTimestampFeatureBinding();
1767: } catch (Exception e) {
1768: //log
1769: throw new IllegalStateException(e.getMessage());
1770: }
1771:
1772: NamedNodeMap authenticateUserAttributes = authenticateUserSettings
1773: .getAttributes();
1774: int attributeCount = authenticateUserAttributes.getLength();
1775: String attributeName = null;
1776:
1777: for (int index = 0; index < attributeCount; index++) {
1778: Attr authenticateUserAttribute = (Attr) authenticateUserAttributes
1779: .item(index);
1780: attributeName = authenticateUserAttribute.getName();
1781:
1782: if (ID_ATTRIBUTE_NAME.equalsIgnoreCase(attributeName)) {
1783: // do nothing
1784: } else if (NONCE_REQUIRED_ATTRIBUTE_NAME
1785: .equalsIgnoreCase(attributeName)) {
1786: utBinding
1787: .setUseNonce(getBooleanValue(authenticateUserAttribute
1788: .getValue()));
1789: } else if (PASSWORD_DIGEST_REQUIRED_ATTRIBUTE_NAME
1790: .equalsIgnoreCase(attributeName)) {
1791: utBinding
1792: .setDigestOn(getBooleanValue(authenticateUserAttribute
1793: .getValue()));
1794: } else if (MAX_CLOCK_SKEW.equalsIgnoreCase(attributeName)) {
1795: tPolicy
1796: .setMaxClockSkew(parseLong(authenticateUserAttribute
1797: .getValue()) * 1000);
1798: } else if (TIMESTAMP_FRESHNESS_LIMIT
1799: .equalsIgnoreCase(attributeName)) {
1800: tPolicy
1801: .setTimestampFreshness(parseLong(authenticateUserAttribute
1802: .getValue()) * 1000);
1803: } else if (MAX_NONCE_AGE.equalsIgnoreCase(attributeName)) {
1804: utBinding
1805: .setMaxNonceAge(parseLong(authenticateUserAttribute
1806: .getValue()) * 1000);
1807: } else {
1808: log.log(Level.SEVERE, "WSS0512.illegal.attribute.name",
1809: new Object[] { attributeName,
1810: "xwss:RequireUsernameToken" });
1811: throw new IllegalStateException(
1812: attributeName
1813: + " is not a recognized attribute of RequireUsernameToken");
1814: }
1815: }
1816:
1817: Element someElement = getFirstChildElement(authenticateUserSettings);
1818: if (someElement != null) {
1819: log.log(Level.SEVERE,
1820: "WSS0513.illegal.configuration.element",
1821: getQName(someElement));
1822: throw new IllegalStateException(
1823: getQName(someElement)
1824: + " is not a recognized sub-element of RequireUsernameToken");
1825: }
1826:
1827: if (utBinding.getDigestOn() && !utBinding.getUseNonce()) {
1828: throw new IllegalStateException(
1829: "nonceRequired attribute must be true if passwordDigestRequired is true");
1830: }
1831: }
1832:
1833: private static void readSAMLTokenSettings(
1834: AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding,
1835: Element samlTokenSettings) {
1836:
1837: String id = getIdAttribute(samlTokenSettings);
1838: samlBinding.setUUID(id);
1839:
1840: String type = samlTokenSettings
1841: .getAttribute(SAML_ASSERTION_TYPE_ATTRIBUTE_NAME);
1842: validateSAMLType(type, samlTokenSettings);
1843:
1844: NamedNodeMap samlAttributes = samlTokenSettings.getAttributes();
1845: int attributeCount = samlAttributes.getLength();
1846: String attributeName = null;
1847:
1848: for (int index = 0; index < attributeCount; index++) {
1849: Attr samlAttribute = (Attr) samlAttributes.item(index);
1850:
1851: attributeName = samlAttribute.getName();
1852:
1853: if (ID_ATTRIBUTE_NAME.equalsIgnoreCase(attributeName)) {
1854: // do nothing
1855: } else if (SAML_ASSERTION_TYPE_ATTRIBUTE_NAME
1856: .equalsIgnoreCase(attributeName)) {
1857: samlBinding.setAssertionType(samlAttribute.getValue());
1858: } else if (SAML_AUTHORITY_ID_ATTRIBUTE_NAME
1859: .equalsIgnoreCase(attributeName)) {
1860: samlBinding.setAuthorityIdentifier(samlAttribute
1861: .getValue());
1862: } else if (SAML_KEYIDENTIFIER_ATTRIBUTE_NAME
1863: .equalsIgnoreCase(attributeName)) {
1864: samlBinding.setKeyIdentifier(samlAttribute.getValue());
1865: } else if (KEY_REFERENCE_TYPE_ATTRIBUTE_NAME
1866: .equalsIgnoreCase(attributeName)) {
1867: String attributeValue = samlAttribute.getValue();
1868: validateSAMLKeyReferenceType(attributeValue);
1869: samlBinding.setReferenceType(attributeValue);
1870: } else if (STRID.equalsIgnoreCase(attributeName)) {
1871: String strid = samlAttribute.getValue();
1872: samlBinding.setSTRID(strid);
1873: } else {
1874: log.log(Level.SEVERE, "WSS0512.illegal.attribute.name",
1875: new Object[] { attributeName,
1876: "xwss:SAMLAssertion" });
1877: throw new IllegalStateException(
1878: attributeName
1879: + " is not a recognized attribute of SAMLAssertion");
1880: }
1881: }
1882: }
1883:
1884: private static void readRequireSAMLTokenSettings(
1885: AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding,
1886: Element samlTokenSettings) {
1887:
1888: String id = getIdAttribute(samlTokenSettings);
1889: samlBinding.setUUID(id);
1890:
1891: String type = samlTokenSettings
1892: .getAttribute(SAML_ASSERTION_TYPE_ATTRIBUTE_NAME);
1893: validateRequireSAMLType(type, samlTokenSettings);
1894:
1895: NamedNodeMap samlAttributes = samlTokenSettings.getAttributes();
1896: int attributeCount = samlAttributes.getLength();
1897: String attributeName = null;
1898:
1899: for (int index = 0; index < attributeCount; index++) {
1900: Attr samlAttribute = (Attr) samlAttributes.item(index);
1901:
1902: attributeName = samlAttribute.getName();
1903:
1904: if (ID_ATTRIBUTE_NAME.equalsIgnoreCase(attributeName)) {
1905: // do nothing
1906: } else if (SAML_ASSERTION_TYPE_ATTRIBUTE_NAME
1907: .equalsIgnoreCase(attributeName)) {
1908: samlBinding.setAssertionType(samlAttribute.getValue());
1909: } else if (SAML_AUTHORITY_ID_ATTRIBUTE_NAME
1910: .equalsIgnoreCase(attributeName)) {
1911: samlBinding.setAuthorityIdentifier(samlAttribute
1912: .getValue());
1913: } else if (KEY_REFERENCE_TYPE_ATTRIBUTE_NAME
1914: .equalsIgnoreCase(attributeName)) {
1915: String attributeValue = samlAttribute.getValue();
1916: validateSAMLKeyReferenceType(attributeValue);
1917: samlBinding.setReferenceType(attributeValue);
1918: } else if (STRID.equalsIgnoreCase(attributeName)) {
1919: String strid = samlAttribute.getValue();
1920: samlBinding.setSTRID(strid);
1921: } else {
1922: log.log(Level.SEVERE, "WSS0512.illegal.attribute.name",
1923: new Object[] { attributeName,
1924: "xwss:RequireSAMLAssertion" });
1925: throw new IllegalStateException(
1926: attributeName
1927: + " is not a recognized attribute of RequireSAMLAssertion");
1928: }
1929: }
1930: }
1931:
1932: /*
1933: */
1934: private static EncryptionTarget readEncryptionTargetSettings(
1935: Element targetSettings) {
1936: EncryptionTarget target = new EncryptionTarget();
1937:
1938: // Read-in the target type attribute
1939: NamedNodeMap targetAttributes = targetSettings.getAttributes();
1940: int attributeCount = targetAttributes.getLength();
1941: String attributeName = null;
1942: for (int index = 0; index < attributeCount; index++) {
1943: Attr targetAttribute = (Attr) targetAttributes.item(index);
1944: attributeName = targetAttribute.getName();
1945:
1946: if (TARGET_TYPE_ATTRIBUTE_NAME
1947: .equalsIgnoreCase(attributeName)) {
1948: String targetType = targetAttribute.getValue();
1949: // valid values of targetType are xpath, qname, id
1950: if (Target.TARGET_TYPE_VALUE_QNAME
1951: .equalsIgnoreCase(targetType)) {
1952: target.setType(Target.TARGET_TYPE_VALUE_QNAME);
1953: } else if (Target.TARGET_TYPE_VALUE_XPATH
1954: .equalsIgnoreCase(targetType)) {
1955: target.setType(Target.TARGET_TYPE_VALUE_XPATH);
1956: } else if (Target.TARGET_TYPE_VALUE_URI
1957: .equalsIgnoreCase(targetType)) {
1958: target.setType(Target.TARGET_TYPE_VALUE_URI);
1959: } else {
1960: log.log(Level.SEVERE,
1961: "WSS0519.illegal.attribute.value",
1962: "xwss:Target@Type");
1963: throw new IllegalStateException(targetType
1964: + " is not a recognized type of Target");
1965: }
1966: } else if (CONTENT_ONLY_ATTRIBUTE_NAME
1967: .equalsIgnoreCase(attributeName)) {
1968:
1969: String contentOnly = targetAttribute.getValue();
1970: target.setContentOnly(getBooleanValue(contentOnly));
1971:
1972: } else if (ENFORCE_ATTRIBUTE_NAME
1973: .equalsIgnoreCase(attributeName)) {
1974: String enforce_S = targetAttribute.getValue();
1975: boolean enforce = Boolean.valueOf(enforce_S);
1976: target.setEnforce(enforce);
1977: } else if (VALUE_ATTRIBUTE_NAME
1978: .equalsIgnoreCase(attributeName)) {
1979:
1980: } else {
1981: log.log(Level.SEVERE, "WSS0512.illegal.attribute.name",
1982: new Object[] { attributeName, "xwss:Target" });
1983: throw new IllegalStateException(attributeName
1984: + " is not a recognized attribute of Target");
1985: }
1986: }
1987:
1988: // Read-in the target type attribute
1989: //read value attribute
1990: String targetValue = targetSettings
1991: .getAttribute(VALUE_ATTRIBUTE_NAME);
1992: if (targetValue == null) {
1993: //|| targetValue.equals("")) {
1994: // log
1995: throw new IllegalStateException(
1996: "value attribute of the EncryptionTarget element missing/empty");
1997: }
1998:
1999: if (targetValue.startsWith("#"))
2000: targetValue = targetValue.substring(1);
2001:
2002: target.setValue(targetValue);
2003:
2004: //read any transform child elements
2005: Element eachDefinitionElement = getFirstChildElement(targetSettings);
2006: while (eachDefinitionElement != null) {
2007: QName definitionType = getQName(eachDefinitionElement);
2008: if (TRANSFORM_ELEMENT_QNAME.equals(definitionType)) {
2009: EncryptionTarget.Transform transform = readEncTransform(eachDefinitionElement);
2010: target.addCipherReferenceTransform(transform);
2011: } else {
2012: log.log(Level.SEVERE,
2013: "WSS0513.illegal.configuration.element",
2014: definitionType.toString());
2015: throw new IllegalStateException(
2016: definitionType
2017: + " is not a recognized sub-element of EncryptionTarget");
2018: }
2019: eachDefinitionElement = getNextElement(eachDefinitionElement);
2020: }
2021:
2022: return target;
2023: }
2024:
2025: private static Target readTargetSettings(Element targetSettings,
2026: boolean signature) {
2027: if (signature) {
2028: SignatureTarget target = new SignatureTarget();
2029: target.setDigestAlgorithm(DigestMethod.SHA1); //SHA1
2030: return readTargetSettings(targetSettings, target);
2031: } else {
2032: EncryptionTarget target = new EncryptionTarget();
2033: return readTargetSettings(targetSettings, target);
2034: }
2035: }
2036:
2037: /*
2038: */
2039: private static Target readTargetSettings(Element targetSettings,
2040: Target target) {
2041:
2042: // Read-in the target type attribute
2043: NamedNodeMap targetAttributes = targetSettings.getAttributes();
2044: int attributeCount = targetAttributes.getLength();
2045: String attributeName = null;
2046: for (int index = 0; index < attributeCount; index++) {
2047: Attr targetAttribute = (Attr) targetAttributes.item(index);
2048: attributeName = targetAttribute.getName();
2049:
2050: if (TARGET_TYPE_ATTRIBUTE_NAME
2051: .equalsIgnoreCase(attributeName)) {
2052: String targetType = targetAttribute.getValue();
2053: // valid values of targetType are xpath, qname, id
2054: if (Target.TARGET_TYPE_VALUE_QNAME
2055: .equalsIgnoreCase(targetType)) {
2056: target.setType(Target.TARGET_TYPE_VALUE_QNAME);
2057: } else if (Target.TARGET_TYPE_VALUE_XPATH
2058: .equalsIgnoreCase(targetType)) {
2059: target.setType(Target.TARGET_TYPE_VALUE_XPATH);
2060: } else if (Target.TARGET_TYPE_VALUE_URI
2061: .equalsIgnoreCase(targetType)) {
2062: target.setType(Target.TARGET_TYPE_VALUE_URI);
2063: } else {
2064: log.log(Level.SEVERE,
2065: "WSS0519.illegal.attribute.value",
2066: "xwss:Target@Type");
2067: throw new IllegalStateException(targetType
2068: + " is not a recognized type of Target");
2069: }
2070: } else if (CONTENT_ONLY_ATTRIBUTE_NAME
2071: .equalsIgnoreCase(attributeName)) {
2072: if (targetAttribute.getSpecified()) {
2073: validateTargetContentOnly(targetSettings);
2074: }
2075: String contentOnly = targetAttribute.getValue();
2076: target.setContentOnly(getBooleanValue(contentOnly));
2077: } else if (ENFORCE_ATTRIBUTE_NAME
2078: .equalsIgnoreCase(attributeName)) {
2079: String enforce_S = targetAttribute.getValue();
2080: boolean enforce = getBooleanValue(enforce_S);
2081: Node parent = targetSettings.getParentNode();
2082: if (OPTIONAL_TARGETS_ELEMENT_NAME.equals(parent
2083: .getLocalName())) {
2084: if (targetAttribute.getSpecified() && enforce) {
2085: log
2086: .warning("WSS0760.warning.optionaltarget.enforce.ignored");
2087: }
2088: } else {
2089: target.setEnforce(enforce);
2090: }
2091: } else {
2092: log.log(Level.SEVERE, "WSS0512.illegal.attribute.name",
2093: new Object[] { attributeName, "xwss:Target" });
2094: throw new IllegalStateException(attributeName
2095: + " is not a recognized attribute of Target");
2096: }
2097: }
2098:
2099: // Read-in the target value
2100: String targetValue = XMLUtil
2101: .getFullTextFromChildren(targetSettings);
2102:
2103: if (targetValue == null || targetValue.equals("")) {
2104: // log
2105: throw new IllegalStateException(
2106: "Value of the Target element is required to be specified");
2107: }
2108:
2109: // ignore the proceeding # in case this is a xpointer uri
2110: if (targetValue.startsWith("#")) {
2111: targetValue = targetValue.substring(1);
2112: }
2113:
2114: target.setValue(targetValue);
2115:
2116: return target;
2117: }
2118:
2119: /*
2120: */
2121: private static SignatureTarget readSignatureTargetSettings(
2122: Element targetSettings) {
2123: SignatureTarget target = new SignatureTarget();
2124:
2125: // Read-in the target type attribute
2126: NamedNodeMap targetAttributes = targetSettings.getAttributes();
2127: int attributeCount = targetAttributes.getLength();
2128: String attributeName = null;
2129: for (int index = 0; index < attributeCount; index++) {
2130: Attr targetAttribute = (Attr) targetAttributes.item(index);
2131: attributeName = targetAttribute.getName();
2132:
2133: if (TARGET_TYPE_ATTRIBUTE_NAME
2134: .equalsIgnoreCase(attributeName)) {
2135: String targetType = targetAttribute.getValue();
2136: // valid values of targetType are xpath, qname, id
2137: if (Target.TARGET_TYPE_VALUE_QNAME
2138: .equalsIgnoreCase(targetType)) {
2139: target.setType(Target.TARGET_TYPE_VALUE_QNAME);
2140: } else if (Target.TARGET_TYPE_VALUE_XPATH
2141: .equalsIgnoreCase(targetType)) {
2142: target.setType(Target.TARGET_TYPE_VALUE_XPATH);
2143: } else if (Target.TARGET_TYPE_VALUE_URI
2144: .equalsIgnoreCase(targetType)) {
2145: target.setType(Target.TARGET_TYPE_VALUE_URI);
2146: } else {
2147: log.log(Level.SEVERE,
2148: "WSS0519.illegal.attribute.value",
2149: "xwss:Target@Type");
2150: throw new IllegalStateException(targetType
2151: + " is not a recognized type of Target");
2152: }
2153: } else if (CONTENT_ONLY_ATTRIBUTE_NAME
2154: .equalsIgnoreCase(attributeName)) {
2155: if (targetAttribute.getSpecified()) {
2156: throw new IllegalStateException(
2157: "invalid contentOnly attribute in a xwss:SignatureTarget");
2158: }
2159:
2160: /* we could check if the reference is to an attachement
2161: * and add a Transform
2162: String contentOnly = targetAttribute.getValue();
2163: validateContentOnly(targetSettings);
2164: boolean contentValue = getBooleanValue(contentOnly);
2165: SignatureTarget.Transform transform = null;
2166: if (contentValue) {
2167: transform = new SignatureTarget.Transform(
2168: MessageConstants.ATTACHMENT_CONTENT_ONLY_TRANSFORM_URI);
2169: } else {
2170: transform = new SignatureTarget.Transform(
2171: MessageConstants.ATTACHMENT_COMPLETE_TRANSFORM_URI);
2172: }
2173: target.addTransform(transform);
2174: */
2175:
2176: } else if (ENFORCE_ATTRIBUTE_NAME
2177: .equalsIgnoreCase(attributeName)) {
2178: String enforce_S = targetAttribute.getValue();
2179: boolean enforce = getBooleanValue(enforce_S);
2180: target.setEnforce(enforce);
2181: } else if (VALUE_ATTRIBUTE_NAME
2182: .equalsIgnoreCase(attributeName)) {
2183:
2184: } else {
2185: log.log(Level.SEVERE, "WSS0512.illegal.attribute.name",
2186: new Object[] { attributeName, "xwss:Target" });
2187: throw new IllegalStateException(attributeName
2188: + " is not a recognized attribute of Target");
2189: }
2190: }
2191: //read value attribute
2192: String targetValue = targetSettings
2193: .getAttribute(VALUE_ATTRIBUTE_NAME);
2194: if (targetValue == null) {
2195: //|| targetValue.equals("")) {
2196: // log
2197: throw new IllegalStateException(
2198: "value attribute of the SignatureTarget element missing/empty");
2199: }
2200: target.setValue(targetValue);
2201:
2202: //read the DigestMethod child
2203: boolean attachmentTxSeen = false;
2204: Element eachDefinitionElement = getFirstChildElement(targetSettings);
2205: while (eachDefinitionElement != null) {
2206: QName definitionType = getQName(eachDefinitionElement);
2207: if (DIGEST_METHOD_ELEMENT_QNAME.equals(definitionType)) {
2208: String algorithm = readDigestMethod(eachDefinitionElement);
2209: target.setDigestAlgorithm(algorithm);
2210: } else if (TRANSFORM_ELEMENT_QNAME.equals(definitionType)) {
2211: SignatureTarget.Transform transform = readSigTransform(eachDefinitionElement);
2212: if (transform
2213: .getTransform()
2214: .equals(
2215: MessageConstants.ATTACHMENT_CONTENT_ONLY_TRANSFORM_URI)
2216: || transform
2217: .getTransform()
2218: .equals(
2219: MessageConstants.ATTACHMENT_COMPLETE_TRANSFORM_URI)) {
2220: attachmentTxSeen = true;
2221: }
2222: target.addTransform(transform);
2223: } else {
2224: log.log(Level.SEVERE,
2225: "WSS0513.illegal.configuration.element",
2226: definitionType.toString());
2227: throw new IllegalStateException(
2228: definitionType
2229: + " is not a recognized sub-element of SignatureTarget");
2230: }
2231: eachDefinitionElement = getNextElement(eachDefinitionElement);
2232: }
2233: if ("".equals(target.getDigestAlgorithm())) {
2234: target.setDigestAlgorithm(MessageConstants.SHA1_DIGEST);
2235: }
2236: if (target.getValue().startsWith("cid")
2237: || target.getValue().startsWith("CID")
2238: || target.getValue().startsWith(
2239: MessageConstants.ATTACHMENTREF)) {
2240: if (!attachmentTxSeen) {
2241: throw new IllegalStateException(
2242: "Missing Transform specification for Attachment Target "
2243: + target.getValue());
2244: }
2245: }
2246:
2247: return target;
2248: }
2249:
2250: private static String readDigestMethod(Element digestMethod) {
2251: String algorithm = digestMethod
2252: .getAttribute(ALGORITHM_ATTRIBUTE_NAME);
2253: if ("".equals(algorithm)) {
2254: throw new IllegalArgumentException(
2255: "Empty/missing algorithm attribute on SignatureTarget");
2256: }
2257: return algorithm;
2258: }
2259:
2260: private static SignatureTarget.Transform readSigTransform(
2261: Element transform) {
2262:
2263: String algorithm = transform
2264: .getAttribute(ALGORITHM_ATTRIBUTE_NAME);
2265: boolean disableInclusivePrefix = false;
2266: try {
2267: disableInclusivePrefix = parseBoolean(
2268: DISABLE_INCLUSIVE_PREFIX, transform
2269: .getAttribute(DISABLE_INCLUSIVE_PREFIX));
2270: } catch (Exception e) {
2271: e.printStackTrace();
2272: }
2273: if ("".equals(algorithm)) {
2274: // log
2275: throw new IllegalStateException(
2276: " Empty/Missing algorithm attribute on xwss:Transform element");
2277: }
2278:
2279: Element eachDefinitionElement = getFirstChildElement(transform);
2280: //HashMap props = new HashMap();
2281: SignatureTarget.Transform trans = new SignatureTarget.Transform();
2282: trans.setTransform(algorithm);
2283: trans.setDisbaleInclusivePrefix(disableInclusivePrefix);
2284:
2285: if (algorithm.equals(Transform.XPATH)) {
2286: fillXPATHTransformParams(eachDefinitionElement, trans);
2287: } else if (algorithm.equals(Transform.XPATH2)) {
2288: fillXPATH2TransformParams(eachDefinitionElement, trans);
2289: } else if (algorithm.equals(MessageConstants.STR_TRANSFORM_URI)) {
2290: fillSTRTransformParams(eachDefinitionElement, trans);
2291: } else {
2292: if (log.getLevel() == Level.FINE) {
2293: log.log(Level.FINE,
2294: "Algorithm Parameters not supported"
2295: + "for transform", algorithm);
2296: }
2297: }
2298:
2299: return trans;
2300: }
2301:
2302: private static void fillXPATHTransformParams(Element algoElement,
2303: SignatureTarget.Transform transform) {
2304: QName definitionType = getQName(algoElement);
2305: if (ALGORITHM_PARAMETER_ELEMENT_QNAME.equals(definitionType)) {
2306: String name = algoElement.getAttribute(NAME_ATTRIBUTE_NAME);
2307: String value = algoElement
2308: .getAttribute(VALUE_ATTRIBUTE_NAME);
2309:
2310: if (name.equals("XPATH")) {
2311: transform
2312: .setAlgorithmParameters(new XPathFilterParameterSpec(
2313: value));
2314: } else {
2315: throw new IllegalStateException(
2316: "XPATH Transform must have XPATH attribute"
2317: + " name and an XPATH Expression as value");
2318: }
2319: } else {
2320: log.log(Level.SEVERE,
2321: "WSS0513.illegal.configuration.element",
2322: definitionType.toString());
2323: throw new IllegalStateException(definitionType
2324: + " is not a recognized sub-element of Transform");
2325: }
2326: return;
2327: }
2328:
2329: private static void fillXPATH2TransformParams(Element algoElement,
2330: SignatureTarget.Transform transform) {
2331:
2332: ArrayList xpathTypeList = new ArrayList();
2333: while (algoElement != null) {
2334: QName definitionType = getQName(algoElement);
2335: if (ALGORITHM_PARAMETER_ELEMENT_QNAME
2336: .equals(definitionType)) {
2337:
2338: String name = algoElement
2339: .getAttribute(NAME_ATTRIBUTE_NAME);
2340: String value = algoElement
2341: .getAttribute(VALUE_ATTRIBUTE_NAME);
2342: if (name.equalsIgnoreCase("UNION")) {
2343: xpathTypeList.add(new XPathType(value,
2344: XPathType.Filter.UNION));
2345: } else if (name.equalsIgnoreCase("INTERSECT")) {
2346: xpathTypeList.add(new XPathType(value,
2347: XPathType.Filter.INTERSECT));
2348: } else if (name.equalsIgnoreCase("SUBTRACT")) {
2349: xpathTypeList.add(new XPathType(value,
2350: XPathType.Filter.SUBTRACT));
2351: } else {
2352: throw new IllegalStateException(
2353: "XPATH2 Transform AlgorithmParameter name attribute"
2354: + " should be one of UNION,INTERSECT,SUBTRACT");
2355: }
2356:
2357: } else {
2358: log.log(Level.SEVERE,
2359: "WSS0513.illegal.configuration.element",
2360: definitionType.toString());
2361: throw new IllegalStateException(
2362: definitionType
2363: + " is not a recognized sub-element of Transform");
2364: }
2365: algoElement = getNextElement(algoElement);
2366:
2367: }
2368: transform.setAlgorithmParameters(new XPathFilter2ParameterSpec(
2369: xpathTypeList));
2370: return;
2371: }
2372:
2373: private static void fillSTRTransformParams(Element algoElement,
2374: SignatureTarget.Transform transform) {
2375: QName definitionType = getQName(algoElement);
2376: if (ALGORITHM_PARAMETER_ELEMENT_QNAME.equals(definitionType)) {
2377: String name = algoElement.getAttribute(NAME_ATTRIBUTE_NAME);
2378: String value = algoElement
2379: .getAttribute(VALUE_ATTRIBUTE_NAME);
2380: transform
2381: .setAlgorithmParameters(new Parameter(name, value));
2382: } else {
2383: log.log(Level.SEVERE,
2384: "WSS0513.illegal.configuration.element",
2385: definitionType.toString());
2386: throw new IllegalStateException(definitionType
2387: + " is not a recognized sub-element of Transform");
2388: }
2389: return;
2390: }
2391:
2392: private static EncryptionTarget.Transform readEncTransform(
2393: Element transform) {
2394:
2395: String algorithm = transform
2396: .getAttribute(ALGORITHM_ATTRIBUTE_NAME);
2397: if ("".equals(algorithm)) {
2398: // log
2399: throw new IllegalStateException(
2400: " Empty/Missing algorithm attribute on xwss:Transform element");
2401: }
2402:
2403: //Element eachDefinitionElement = getFirstChildElement(transform);
2404: /* HashMap props = new HashMap();
2405: while (eachDefinitionElement != null) {
2406: QName definitionType = getQName(eachDefinitionElement);
2407: if (ALGORITHM_PARAMETER_ELEMENT_QNAME.equals(definitionType)) {
2408: readAlgorithmProperties(props, eachDefinitionElement);
2409: } else {
2410: log.log(
2411: Level.SEVERE,
2412: "WSS0513.illegal.configuration.element",
2413: definitionType.toString());
2414: throw new IllegalStateException(definitionType +
2415: " is not a recognized sub-element of Transform");
2416: }
2417: eachDefinitionElement = getNextElement(eachDefinitionElement);
2418: }
2419: */
2420: EncryptionTarget.Transform trans = new EncryptionTarget.Transform();
2421: trans.setTransform(algorithm);
2422: //trans.setAlgorithmParameters(props);
2423: return trans;
2424: }
2425:
2426: private static void validateContentOnly(Element target) {
2427:
2428: Node parent = target.getParentNode();
2429: String parentName = parent.getLocalName();
2430:
2431: if (SIGNATURE_REQUIREMENT_ELEMENT_NAME
2432: .equalsIgnoreCase(parentName)
2433: || SIGN_OPERATION_ELEMENT_NAME
2434: .equalsIgnoreCase(parentName)) {
2435: String targetValue = target
2436: .getAttribute(VALUE_ATTRIBUTE_NAME);
2437: String targetType = target
2438: .getAttribute(TARGET_TYPE_ATTRIBUTE_NAME);
2439: if (URI_TARGET.equalsIgnoreCase(targetType)) {
2440: if (!targetValue.startsWith("cid")
2441: && !targetValue.startsWith("CID")) {
2442: throw new IllegalStateException(
2443: "invalid contentOnly attribute on a non-attachment "
2444: + "SignatureTarget");
2445: }
2446: } else {
2447: throw new IllegalStateException(
2448: "invalid contentOnly attribute in a SignatureTarget");
2449: }
2450: }
2451:
2452: if (!ENCRYPT_OPERATION_ELEMENT_NAME
2453: .equalsIgnoreCase(parentName)
2454: && !ENCRYPTION_REQUIREMENT_ELEMENT_NAME
2455: .equalsIgnoreCase(parentName)) {
2456: throw new IllegalStateException(
2457: "contentOnly attribute not allowed on Targets under element "
2458: + parentName);
2459: }
2460: }
2461:
2462: private static void validateSAMLKeyReferenceType(String typeName) {
2463: if (!MessageConstants.KEY_INDETIFIER_TYPE
2464: .equalsIgnoreCase(typeName)
2465: && !MessageConstants.EMBEDDED_REFERENCE_TYPE
2466: .equalsIgnoreCase(typeName)) {
2467: throw new IllegalStateException("Reference Type "
2468: + typeName
2469: + " not allowed for SAMLAssertion References");
2470: }
2471:
2472: }
2473:
2474: private static void validateRequireSAMLType(String type,
2475: Element samlTokenSettings) {
2476: if (!SV_SAML_TYPE.equals(type)) {
2477: throw new IllegalStateException(
2478: "Allowed Assertion Types for <xwss:RequireSAMLAssertion> is SV only");
2479: }
2480:
2481: // the parent node should be a <SecurityConfiguration> if the type = SV
2482: Node parent = samlTokenSettings.getParentNode();
2483: if (parent == null) {
2484: //should never happen
2485: throw new IllegalStateException(
2486: "<xwss:RequireSAMLAssertion> cannot occur at this position");
2487: }
2488:
2489: String parentName = parent.getLocalName();
2490: if (!DECLARATIVE_CONFIGURATION_ELEMENT_NAME.equals(parentName)) {
2491: throw new IllegalStateException(
2492: "<xwss:RequireSAMLAssertion> of Type=SV cannot occur as child of "
2493: + parentName);
2494: }
2495: }
2496:
2497: private static void validateSAMLType(String type,
2498: Element samlTokenSettings) {
2499: if (!SV_SAML_TYPE.equals(type) && !HOK_SAML_TYPE.equals(type)) {
2500: throw new IllegalStateException(
2501: type
2502: + " not a valid SAML Assertion Type, require one of HOK|SV");
2503: }
2504:
2505: // the parent node should be a <SecurityConfiguration> if the type = SV
2506: if (SV_SAML_TYPE.equals(type)) {
2507:
2508: Node parent = samlTokenSettings.getParentNode();
2509: if (parent == null) {
2510: //should never happen
2511: throw new IllegalStateException(
2512: "SAML Assertion cannot occur at this position");
2513: }
2514:
2515: String parentName = parent.getLocalName();
2516: if (!DECLARATIVE_CONFIGURATION_ELEMENT_NAME
2517: .equals(parentName)) {
2518: throw new IllegalStateException(
2519: "SAML Assertion of Type=SV cannot occur as child of "
2520: + parentName);
2521: }
2522: }
2523: }
2524:
2525: private static boolean dynamicPolicy(Element configData) {
2526: String dynamicFlag = configData
2527: .getAttribute(ENABLE_DYNAMIC_POLICY_ATTRIBUTE_NAME);
2528: NodeList nl = configData.getElementsByTagName("*");
2529:
2530: if ("".equals(dynamicFlag) || "false".equals(dynamicFlag)
2531: || "0".equals(dynamicFlag))
2532: return false;
2533:
2534: if ("true".equals(dynamicFlag) || "1".equals(dynamicFlag)) {
2535: if (nl.getLength() == 0) {
2536: return true;
2537: }
2538: }
2539: return false;
2540: }
2541:
2542: private static boolean getBSPAttribute(Element configData,
2543: ApplicationSecurityConfiguration parent) {
2544: String conformanceValue = configData
2545: .getAttribute(CONFORMANCE_ATTRIBUTE_NAME);
2546: if (BSP_CONFORMANCE.equals(conformanceValue)) {
2547: return true;
2548: } else if ("".equals(conformanceValue) && (parent != null)) {
2549: return parent.isBSP();
2550: }
2551: return false;
2552: }
2553:
2554: private static String getIdAttribute(Element configData) {
2555: String id = configData.getAttribute(ID_ATTRIBUTE_NAME);
2556:
2557: if (id.startsWith("#")) {
2558: throw new IllegalArgumentException(
2559: "Illegal id attribute "
2560: + id
2561: + ", id attributes on policy elements cannot begin with a '#' character");
2562: }
2563:
2564: if ("".equals(id)) {
2565: id = generateUUID();
2566: }
2567: return id;
2568: }
2569:
2570: //TODO: rewrite this
2571: private static String generateUUID() {
2572: //Random rnd = new Random();
2573: int intRandom = rnd.nextInt();
2574: String id = "XWSSGID-"
2575: + String.valueOf(System.currentTimeMillis())
2576: + String.valueOf(intRandom);
2577: return id;
2578: }
2579:
2580: private static void validateTargetContentOnly(Element target) {
2581:
2582: Node parent = target.getParentNode();
2583: String parentName = parent.getLocalName();
2584: if (!ENCRYPT_OPERATION_ELEMENT_NAME
2585: .equalsIgnoreCase(parentName)
2586: && !ENCRYPTION_REQUIREMENT_ELEMENT_NAME
2587: .equalsIgnoreCase(parentName)) {
2588: throw new IllegalStateException(
2589: "contentOnly attribute not allowed on Targets under element "
2590: + parentName);
2591: }
2592: }
2593:
2594: private static String getSecurityEnvironmentHandler(Element element) {
2595:
2596: int secEnvCount = 0;
2597: Element eachDefinitionElement = getFirstChildElement(element);
2598: String handlerClsName = null;
2599:
2600: while (eachDefinitionElement != null) {
2601: QName definitionType = getQName(eachDefinitionElement);
2602: if (SECURITY_ENVIRONMENT_HANDLER_ELEMENT_QNAME
2603: .equals(definitionType)) {
2604: if (secEnvCount > 0) {
2605: // log
2606: throw new IllegalStateException(
2607: "More than one <xwss:SecurityEnvironmentHandler> element "
2608: + "under " + element.getTagName());
2609: }
2610: secEnvCount++;
2611:
2612: handlerClsName = XMLUtil
2613: .getFullTextFromChildren(eachDefinitionElement);
2614: if (handlerClsName == null || handlerClsName.equals("")) {
2615: // log
2616: throw new IllegalStateException(
2617: "A Handler class name has to be specified "
2618: + "in security configuration file");
2619: }
2620: }
2621: eachDefinitionElement = getNextElement(eachDefinitionElement);
2622: }
2623: return handlerClsName;
2624: }
2625:
2626: //TODO : might actually want to set XPath2ParameterSpec for XPATH2
2627: private static void readAlgorithmProperties(HashMap props,
2628: Element eachDefinitionElement) {
2629: String name = eachDefinitionElement
2630: .getAttribute(NAME_ATTRIBUTE_NAME);
2631: String value = eachDefinitionElement
2632: .getAttribute(VALUE_ATTRIBUTE_NAME);
2633: props.put(name, value);
2634: }
2635:
2636: private static boolean getBooleanValue(String valueString) {
2637: if ("0".equals(valueString)
2638: || "false".equalsIgnoreCase(valueString)) {
2639: return false;
2640: }
2641: if ("1".equals(valueString)
2642: || "true".equalsIgnoreCase(valueString)) {
2643: return true;
2644: }
2645: log.log(Level.SEVERE, "WSS0511.illegal.boolean.value",
2646: valueString);
2647: throw new IllegalArgumentException(valueString
2648: + " is not a valid boolean value");
2649: }
2650:
2651: private static void applyDefaults(TimestampPolicy policy, boolean dp) {
2652: if (policy.getTimeout() == 0) {
2653: policy.setTimeout(5000);
2654: }
2655: }
2656:
2657: private static void applyDefaults(EncryptionPolicy policy,
2658: boolean dp) {
2659:
2660: // get the target list
2661: EncryptionPolicy.FeatureBinding featureBinding = (EncryptionPolicy.FeatureBinding) policy
2662: .getFeatureBinding();
2663: boolean targetsEmpty = (featureBinding.getTargetBindings()
2664: .size() == 0);
2665: if (!dp && targetsEmpty) {
2666: // this much will automatically set the SOAPBody as target and
2667: // contentOnly as TRUE.
2668: Target t = new EncryptionTarget();
2669: featureBinding.addTargetBinding(t);
2670: }
2671: if (policy.getKeyBinding() == null) {
2672: AuthenticationTokenPolicy.X509CertificateBinding x509Policy = (AuthenticationTokenPolicy.X509CertificateBinding) policy
2673: .newX509CertificateKeyBinding();
2674: x509Policy
2675: .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
2676: }
2677:
2678: }
2679:
2680: private static void applyDefaults(SignaturePolicy policy, boolean dp) {
2681:
2682: // get the target list
2683: SignaturePolicy.FeatureBinding featureBinding = (SignaturePolicy.FeatureBinding) policy
2684: .getFeatureBinding();
2685:
2686: boolean targetsEmpty = (featureBinding.getTargetBindings()
2687: .size() == 0);
2688: if (MessageConstants.debug) {
2689: log.log(Level.FINEST, "In ApplyDefaults"
2690: + featureBinding.getTargetBindings().size());
2691: }
2692: if (!dp && targetsEmpty) {
2693: // this much will automatically set the SOAPBody as target
2694: SignatureTarget t = new SignatureTarget();
2695: t.setDigestAlgorithm(DigestMethod.SHA1); //SHA1
2696: featureBinding.addTargetBinding(t);
2697: }
2698: if (policy.getKeyBinding() == null) {
2699: AuthenticationTokenPolicy.X509CertificateBinding x509Binding = (AuthenticationTokenPolicy.X509CertificateBinding) policy
2700: .newX509CertificateKeyBinding();
2701: x509Binding.newPrivateKeyBinding();
2702: x509Binding
2703: .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
2704: }
2705: //If symmetricKey Binding set default algorithm to HMAC-SHA1 else to RSA-SHA1
2706: if (PolicyTypeUtil.symmetricKeyBinding(policy.getKeyBinding())) {
2707: setDefaultKeyAlgorithm(policy.getKeyBinding(),
2708: MessageConstants.HMAC_SHA1_SIGMETHOD);
2709: } else {
2710: setDefaultKeyAlgorithm(policy.getKeyBinding(),
2711: javax.xml.crypto.dsig.SignatureMethod.RSA_SHA1);
2712: }
2713: if ("".equals(featureBinding.getCanonicalizationAlgorithm())) {
2714: featureBinding
2715: .setCanonicalizationAlgorithm(CanonicalizationMethod.EXCLUSIVE);
2716: }
2717:
2718: }
2719:
2720: private static void applyDefaults(
2721: AuthenticationTokenPolicy.UsernameTokenBinding policy,
2722: boolean dp) {
2723:
2724: // defaults are applied here which is useNonce = true, doDigest=true
2725:
2726: }
2727:
2728: private static void applyDefaults(
2729: AuthenticationTokenPolicy.SAMLAssertionBinding policy,
2730: boolean dp) {
2731:
2732: if ("".equals(policy.getReferenceType())) {
2733: policy
2734: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
2735: }
2736: }
2737:
2738: private static void applyReceiverDefaults(SignaturePolicy policy,
2739: boolean bsp, boolean dp) {
2740:
2741: // get the target list
2742: SignaturePolicy.FeatureBinding featureBinding = (SignaturePolicy.FeatureBinding) policy
2743: .getFeatureBinding();
2744: boolean targetsEmpty = (featureBinding.getTargetBindings()
2745: .size() == 0);
2746: if (!dp && targetsEmpty) {
2747: // this much will automatically set the SOAPBody as target
2748: SignatureTarget t = new SignatureTarget();
2749: //if (!bsp)
2750: t.setDigestAlgorithm(DigestMethod.SHA1); //SHA1
2751: featureBinding.addTargetBinding(t);
2752: }
2753:
2754: // if bsp is true the filters will actually have code to verify that the
2755: // incoming algorithms (are BSP defined ones)
2756: // so nothing todo here
2757: //if (!bsp) {
2758: // if ("".equals(featureBinding.getCanonicalizationAlgorithm())) {
2759: // featureBinding.setCanonicalizationAlgorithm(CanonicalizationMethod.EXCLUSIVE);
2760: // }
2761: //}
2762: policy.isBSP(bsp);
2763: }
2764:
2765: private static void applyReceiverDefaults(EncryptionPolicy policy,
2766: boolean bsp, boolean dp) {
2767:
2768: // get the target list
2769: EncryptionPolicy.FeatureBinding featureBinding = (EncryptionPolicy.FeatureBinding) policy
2770: .getFeatureBinding();
2771: boolean targetsEmpty = (featureBinding.getTargetBindings()
2772: .size() == 0);
2773: if (!dp && targetsEmpty) {
2774: // this much will automatically set the SOAPBody as target and
2775: // contentOnly as TRUE.
2776: Target t = new EncryptionTarget();
2777: featureBinding.addTargetBinding(t);
2778: }
2779:
2780: // if bsp is true the filters will actually have code to verify that the
2781: // incoming algorithms (for key and data enc are BSP defined ones)
2782: // so nothing todo here
2783: //if (!bsp) {
2784: // if ("".equals(((EncryptionPolicy.FeatureBinding)
2785: // policy.getFeatureBinding()).getDataEncryptionAlgorithm())) {
2786: // ((EncryptionPolicy.FeatureBinding)
2787: // policy.getFeatureBinding()).
2788: // setDataEncryptionAlgorithm(DEFAULT_DATA_ENC_ALGO);
2789: // }
2790: //}
2791: policy.isBSP(bsp);
2792: }
2793:
2794: private static void applyReceiverDefaults(
2795: AuthenticationTokenPolicy.UsernameTokenBinding policy,
2796: boolean bsp, String securityHandlerClass, boolean dp)
2797: throws PolicyGenerationException {
2798:
2799: // defaults are applied here which is RequireNonce = true, RequireDigest=true
2800: policy.isBSP(bsp);
2801: }
2802:
2803: private static void applyReceiverDefaults(
2804: TimestampPolicy timestampPolicy, boolean bsp,
2805: String securityHandlerClass, boolean dp) {
2806: if (timestampPolicy.getMaxClockSkew() == 0) {
2807: timestampPolicy.setMaxClockSkew(Timestamp.MAX_CLOCK_SKEW);
2808: }
2809:
2810: if (timestampPolicy.getTimestampFreshness() == 0) {
2811: timestampPolicy
2812: .setTimestampFreshness(Timestamp.TIMESTAMP_FRESHNESS_LIMIT);
2813: }
2814:
2815: timestampPolicy.isBSP(bsp);
2816: }
2817:
2818: private static void applyReceiverDefaults(
2819: AuthenticationTokenPolicy.SAMLAssertionBinding policy,
2820: boolean bsp, boolean dp) {
2821:
2822: if ("".equals(policy.getReferenceType())) {
2823: policy
2824: .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
2825: }
2826: policy.isBSP(bsp);
2827: }
2828:
2829: private static boolean configHasSingleService(Element config) {
2830:
2831: NodeList services = config.getElementsByTagNameNS(
2832: CONFIGURATION_URL, SERVICE_ELEMENT_NAME);
2833: if ((services.getLength() > 1) || (services.getLength() == 0)) {
2834: return false;
2835: }
2836: return true;
2837: }
2838:
2839: private static boolean configHasSingleServiceAndNoPorts(
2840: Element config) {
2841:
2842: NodeList services = config.getElementsByTagNameNS(
2843: CONFIGURATION_URL, SERVICE_ELEMENT_NAME);
2844: if ((services.getLength() > 1) || (services.getLength() == 0)) {
2845: return false;
2846: }
2847:
2848: NodeList ports = config.getElementsByTagNameNS(
2849: CONFIGURATION_URL, PORT_ELEMENT_NAME);
2850:
2851: if (ports.getLength() == 0) {
2852: return true;
2853: }
2854: return false;
2855: }
2856:
2857: private static boolean configHasOperations(Element config) {
2858: NodeList ops = config.getElementsByTagNameNS(CONFIGURATION_URL,
2859: OPERATION_ELEMENT_NAME);
2860: if (ops.getLength() > 0) {
2861: return true;
2862: }
2863: return false;
2864: }
2865:
2866: private static void checkIdUniqueness(Element elem) {
2867:
2868: NodeList nl = elem.getElementsByTagNameNS(CONFIGURATION_URL,
2869: "*");
2870: int len = nl.getLength();
2871: HashMap map = new HashMap();
2872: for (int i = 0; i < len; i++) {
2873: Element subElem = (Element) nl.item(i);
2874: String idAttr = subElem.getAttribute(ID_ATTRIBUTE_NAME);
2875: if (!"".equals(idAttr)) {
2876: if (map.containsKey(idAttr)) {
2877: throw new IllegalArgumentException(
2878: "id attribute value '" + idAttr
2879: + "' not unique");
2880: } else {
2881: map.put(idAttr, idAttr);
2882: }
2883: }
2884:
2885: idAttr = subElem.getAttribute(STRID);
2886: if (!"".equals(idAttr)) {
2887: if (map.containsKey(idAttr)) {
2888: throw new IllegalArgumentException(
2889: "strId/id attribute value '" + idAttr
2890: + "' not unique");
2891: } else {
2892: map.put(idAttr, idAttr);
2893: }
2894: }
2895: }
2896:
2897: }
2898:
2899: }
|