Source Code Cross Referenced for MessagePolicyVerifier.java in  » 6.0-JDK-Modules-com.sun » xws-security » com » sun » xml » wss » impl » policy » verifier » Java Source Code / Java DocumentationJava Source Code and Java Documentation

Java Source Code / Java Documentation
1. 6.0 JDK Core
2. 6.0 JDK Modules
3. 6.0 JDK Modules com.sun
4. 6.0 JDK Modules com.sun.java
5. 6.0 JDK Modules sun
6. 6.0 JDK Platform
7. Ajax
8. Apache Harmony Java SE
9. Aspect oriented
10. Authentication Authorization
11. Blogger System
12. Build
13. Byte Code
14. Cache
15. Chart
16. Chat
17. Code Analyzer
18. Collaboration
19. Content Management System
20. Database Client
21. Database DBMS
22. Database JDBC Connection Pool
23. Database ORM
24. Development
25. EJB Server geronimo
26. EJB Server GlassFish
27. EJB Server JBoss 4.2.1
28. EJB Server resin 3.1.5
29. ERP CRM Financial
30. ESB
31. Forum
32. GIS
33. Graphic Library
34. Groupware
35. HTML Parser
36. IDE
37. IDE Eclipse
38. IDE Netbeans
39. Installer
40. Internationalization Localization
41. Inversion of Control
42. Issue Tracking
43. J2EE
44. JBoss
45. JMS
46. JMX
47. Library
48. Mail Clients
49. Net
50. Parser
51. PDF
52. Portal
53. Profiler
54. Project Management
55. Report
56. RSS RDF
57. Rule Engine
58. Science
59. Scripting
60. Search Engine
61. Security
62. Sevlet Container
63. Source Control
64. Swing Library
65. Template Engine
66. Test Coverage
67. Testing
68. UML
69. Web Crawler
70. Web Framework
71. Web Mail
72. Web Server
73. Web Services
74. Web Services apache cxf 2.0.1
75. Web Services AXIS2
76. Wiki Engine
77. Workflow Engines
78. XML
79. XML UI
Java
Java Tutorial
Java Open Source
Jar File Download
Java Articles
Java Products
Java by API
Photoshop Tutorials
Maya Tutorials
Flash Tutorials
3ds-Max Tutorials
Illustrator Tutorials
GIMP Tutorials
C# / C Sharp
C# / CSharp Tutorial
C# / CSharp Open Source
ASP.Net
ASP.NET Tutorial
JavaScript DHTML
JavaScript Tutorial
JavaScript Reference
HTML / CSS
HTML CSS Reference
C / ANSI-C
C Tutorial
C++
C++ Tutorial
Ruby
PHP
Python
Python Tutorial
Python Open Source
SQL Server / T-SQL
SQL Server / T-SQL Tutorial
Oracle PL / SQL
Oracle PL/SQL Tutorial
PostgreSQL
SQL / MySQL
MySQL Tutorial
VB.Net
VB.Net Tutorial
Flash / Flex / ActionScript
VBA / Excel / Access / Word
XML
XML Tutorial
Microsoft Office PowerPoint 2007 Tutorial
Microsoft Office Excel 2007 Tutorial
Microsoft Office Word 2007 Tutorial
Java Source Code / Java Documentation » 6.0 JDK Modules com.sun » xws security » com.sun.xml.wss.impl.policy.verifier 
Source Cross Referenced  Class Diagram Java Document (Java Doc) 


001:        /*
002:         * MessagePolicyVerifier.java
003:         *
004:         * Created on 26 October, 2006, 5:52 PM
005:         *
006:         * To change this template, choose Tools | Template Manager
007:         * and open the template in the editor.
008:         */
009:
010:        package com.sun.xml.wss.impl.policy.verifier;
011:
012:        import com.sun.xml.wss.ProcessingContext;
013:        import com.sun.xml.wss.XWSSecurityException;
014:        import com.sun.xml.wss.impl.MessageConstants;
015:        import com.sun.xml.wss.impl.PolicyTypeUtil;
016:        import com.sun.xml.wss.impl.PolicyViolationException;
017:        import com.sun.xml.wss.impl.ProcessingContextImpl;
018:        import com.sun.xml.wss.impl.WSSAssertion;
019:        import com.sun.xml.wss.impl.policy.MLSPolicy;
020:        import com.sun.xml.wss.impl.policy.SecurityPolicy;
021:        import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
022:        import com.sun.xml.wss.impl.policy.mls.DerivedTokenKeyBinding;
023:        import com.sun.xml.wss.impl.policy.mls.EncryptionPolicy;
024:        import com.sun.xml.wss.impl.policy.mls.EncryptionTarget;
025:        import com.sun.xml.wss.impl.policy.mls.IssuedTokenKeyBinding;
026:        import com.sun.xml.wss.impl.policy.mls.MessagePolicy;
027:        import com.sun.xml.wss.impl.policy.mls.SecureConversationTokenKeyBinding;
028:        import com.sun.xml.wss.impl.policy.mls.SignaturePolicy;
029:        import com.sun.xml.wss.impl.policy.mls.SignatureTarget;
030:        import com.sun.xml.wss.impl.policy.mls.SymmetricKeyBinding;
031:        import com.sun.xml.wss.impl.policy.mls.Target;
032:        import com.sun.xml.wss.impl.policy.mls.TimestampPolicy;
033:        import com.sun.xml.wss.impl.policy.mls.WSSPolicy;
034:        import com.sun.xml.wss.impl.policy.spi.PolicyVerifier;
035:        import com.sun.xml.wss.logging.LogDomainConstants;
036:        import java.util.ArrayList;
037:        import java.util.List;
038:        import java.util.logging.Level;
039:        import java.util.logging.Logger;
040:
041:        /**
042:         *
043:         * @author
044:         */
045:        public class MessagePolicyVerifier implements  PolicyVerifier {
046:            private ProcessingContext ctx = null;
047:            private TargetResolver targetResolver;
048:
049:            private static Logger log = Logger.getLogger(
050:                    LogDomainConstants.WSS_API_DOMAIN,
051:                    LogDomainConstants.WSS_API_DOMAIN_BUNDLE);
052:
053:            /** Creates a new instance of MessagePolicyVerifier */
054:            public MessagePolicyVerifier(ProcessingContext ctx,
055:                    TargetResolver targetResolver) {
056:                this .ctx = ctx;
057:                this .targetResolver = targetResolver;
058:            }
059:
060:            public void verifyPolicy(SecurityPolicy ip, SecurityPolicy ap)
061:                    throws PolicyViolationException {
062:
063:                MessagePolicy actualPolicy = (MessagePolicy) ap;
064:                MessagePolicy inferredSecurityPolicy = (MessagePolicy) ip;
065:
066:                if (actualPolicy == null || actualPolicy.size() <= 0) {
067:                    if ((inferredSecurityPolicy != null)
068:                            && (inferredSecurityPolicy.size() > 0)) {
069:                        //this could be a plain SSL scenario
070:                        if (!checkAllowExtraTimestamp(inferredSecurityPolicy)) {
071:                            log.log(Level.SEVERE, "WSS0805.policy.null");
072:                            throw new PolicyViolationException(
073:                                    "ERROR: Policy for the service could not be obtained");
074:                        }
075:                    }
076:                } else if (inferredSecurityPolicy == null
077:                        || inferredSecurityPolicy.size() <= 0) {
078:                    throw new PolicyViolationException(
079:                            "ERROR: No security header found in the message");
080:                } else { // verify policy now
081:                    try {
082:                        for (int i = 0; i < actualPolicy.size(); i++) {
083:                            WSSPolicy actualPol = (WSSPolicy) actualPolicy
084:                                    .get(i);
085:                            if (PolicyTypeUtil.isSecondaryPolicy(actualPol)) {
086:                                processSecondaryPolicy(actualPol,
087:                                        inferredSecurityPolicy);
088:                            } else if (PolicyTypeUtil
089:                                    .isPrimaryPolicy(actualPol)) {
090:                                processPrimaryPolicy(actualPol,
091:                                        inferredSecurityPolicy);
092:                            }
093:                        }
094:
095:                    } catch (Exception e) {
096:                        throw new PolicyViolationException(e);
097:                    }
098:                }
099:            }
100:
101:            private void processSecondaryPolicy(WSSPolicy actualPol,
102:                    MessagePolicy inferredSecurityPolicy)
103:                    throws XWSSecurityException {
104:                try {
105:                    if (PolicyTypeUtil.timestampPolicy(actualPol)) {
106:                        boolean found = false;
107:                        for (int j = 0; j < inferredSecurityPolicy.size(); j++) {
108:                            WSSPolicy pol = (WSSPolicy) inferredSecurityPolicy
109:                                    .get(j);
110:                            if (PolicyTypeUtil.timestampPolicy(pol)) {
111:                                inferredSecurityPolicy.remove(pol);
112:                                found = true;
113:                                break;
114:                            }
115:                        }
116:                        if (!found) {
117:                            if (MessageConstants.debug) {
118:                                log
119:                                        .log(Level.WARNING,
120:                                                "Timestamp not found in message but occurs in configured policy");
121:                            }
122:                            // commenting for now, uncomment once this is corrected in SecurityPolicy
123:                            /*throw new XWSSecurityException("Policy Verification error:"
124:                                    + "Timestamp not found in configured policy but occurs in message");*/
125:                        }
126:                    } else if (PolicyTypeUtil.usernameTokenPolicy(actualPol
127:                            .getFeatureBinding())) {
128:                        boolean found = false;
129:                        for (int j = 0; j < inferredSecurityPolicy.size(); j++) {
130:                            WSSPolicy pol = (WSSPolicy) inferredSecurityPolicy
131:                                    .get(j);
132:                            if (PolicyTypeUtil.usernameTokenPolicy(pol)) {
133:                                inferredSecurityPolicy.remove(pol);
134:                                found = true;
135:                                break;
136:                            }
137:                        }
138:                        if (!found) {
139:                            throw new XWSSecurityException(
140:                                    "Policy Verification error:"
141:                                            + "UsernameToken not found in message but occurs in configured policy");
142:                        }
143:                    }
144:                } catch (Exception e) {
145:                    throw new XWSSecurityException(e);
146:                }
147:            }
148:
149:            private void processPrimaryPolicy(WSSPolicy actualPol,
150:                    MessagePolicy inferredSecurityPolicy)
151:                    throws XWSSecurityException {
152:
153:                //WSSAssertion wssAssertion = ((ProcessingContextImpl)ctx).getWSSAssertion();
154:                if (PolicyTypeUtil.signaturePolicy(actualPol)) {
155:                    SignaturePolicy actualSignPolicy = (SignaturePolicy) actualPol;
156:                    boolean isEndorsing = ((SignaturePolicy.FeatureBinding) actualSignPolicy
157:                            .getFeatureBinding()).isEndorsingSignature();
158:                    boolean isPrimary = ((SignaturePolicy.FeatureBinding) actualSignPolicy
159:                            .getFeatureBinding()).isPrimarySignature();
160:                    WSSPolicy pol = getFirstPrimaryPolicy(
161:                            inferredSecurityPolicy, isEndorsing, 0);
162:                    if (pol == null) {
163:                        throw new XWSSecurityException(
164:                                "Policy verification error:"
165:                                        + "Missing Signature Element");
166:                    }
167:
168:                    if (PolicyTypeUtil.signaturePolicy(pol)) {
169:                        SignaturePolicy inferredPol = (SignaturePolicy) pol;
170:                        // verify key binding
171:                        boolean isKBTrue = verifyKeyBinding(actualSignPolicy
172:                                .getKeyBinding(), inferredPol.getKeyBinding(),
173:                                false);
174:                        int nth = 1;
175:                        while (!isKBTrue && !isPrimary) {
176:                            pol = getFirstPrimaryPolicy(inferredSecurityPolicy,
177:                                    isEndorsing, nth);
178:                            if (pol == null) {
179:                                throw new XWSSecurityException(
180:                                        "Policy verification error:"
181:                                                + "Missing Signature Element - perhaps a second supporting signature or "
182:                                                + "Incorrect Key types or references were used in Signature");
183:                            }
184:                            inferredPol = (SignaturePolicy) pol;
185:                            isKBTrue = verifyKeyBinding(actualSignPolicy
186:                                    .getKeyBinding(), inferredPol
187:                                    .getKeyBinding(), false);
188:                            nth++;
189:                        }
190:                        // verify target binding
191:                        boolean isTBTrue = verifySignTargetBinding(
192:                                (SignaturePolicy.FeatureBinding) actualSignPolicy
193:                                        .getFeatureBinding(),
194:                                (SignaturePolicy.FeatureBinding) inferredPol
195:                                        .getFeatureBinding());
196:
197:                        inferredSecurityPolicy.remove(pol);
198:                        if (!isKBTrue) {
199:                            log.log(Level.SEVERE,
200:                                    "WSS0206.policy.violation.exception");
201:                            throw new XWSSecurityException(
202:                                    "Policy verification error: "
203:                                            + "Incorrect Key types or references were used in Signature");
204:                        }
205:                        if (!isTBTrue) {
206:                            log.log(Level.SEVERE,
207:                                    "WSS0206.policy.violation.exception");
208:                            throw new XWSSecurityException(
209:                                    "Policy verification error: "
210:                                            + "One or more Signed Parts could not be validated");
211:                        }
212:                        checkTargets(actualPol, pol);
213:                    } else {
214:                        //check to see for the case when no Signature Target present in message
215:                        //The incoming message will not have Signature policy in that case.
216:                        if (checkTargetPresence(actualPol)) {
217:                            log.log(Level.SEVERE,
218:                                    "WSS0206.policy.violation.exception");
219:                            throw new XWSSecurityException(
220:                                    "Signature Policy verification error: Looking for a Signature Element "
221:                                            + " in Security header, but found "
222:                                            + pol + ".");
223:                        }
224:                    }
225:                } else if (PolicyTypeUtil.encryptionPolicy(actualPol)) {
226:                    EncryptionPolicy actualEncryptionPolicy = (EncryptionPolicy) actualPol;
227:                    WSSPolicy pol = getFirstPrimaryPolicy(
228:                            inferredSecurityPolicy, false, 0);
229:                    if (pol == null) {
230:                        throw new XWSSecurityException(
231:                                "Encryption Policy verification error:"
232:                                        + "Missing encryption element");
233:                    }
234:
235:                    if (PolicyTypeUtil.encryptionPolicy(pol)) {
236:                        EncryptionPolicy inferredPol = (EncryptionPolicy) pol;
237:                        //verify key binding
238:                        boolean isKBTrue = verifyKeyBinding(
239:                                actualEncryptionPolicy.getKeyBinding(),
240:                                inferredPol.getKeyBinding(), true);
241:                        // verify target binding
242:                        boolean isTBTrue = verifyEncTargetBinding(
243:                                (EncryptionPolicy.FeatureBinding) actualEncryptionPolicy
244:                                        .getFeatureBinding(),
245:                                (EncryptionPolicy.FeatureBinding) inferredPol
246:                                        .getFeatureBinding());
247:
248:                        inferredSecurityPolicy.remove(pol);
249:                        if (!isKBTrue) {
250:                            log.log(Level.SEVERE,
251:                                    "WSS0206.policy.violation.exception");
252:                            throw new XWSSecurityException(
253:                                    "Encryption Policy verification error: "
254:                                            + "Incorrect Key types or references were used in encryption");
255:                        }
256:                        if (!isTBTrue) {
257:                            log.log(Level.SEVERE,
258:                                    "WSS0206.policy.violation.exception");
259:                            throw new XWSSecurityException(
260:                                    "Policy verification error: "
261:                                            + "One or more encrypted parts could not be validated");
262:                        }
263:                        List<Target> inferredList = ((EncryptionPolicy.FeatureBinding) pol
264:                                .getFeatureBinding()).getTargetBindings();
265:                        List<Target> actualList = ((EncryptionPolicy.FeatureBinding) actualPol
266:                                .getFeatureBinding()).getTargetBindings();
267:                        if (actualList.size() > inferredList.size()) {
268:                            int nthEncrypt = 0;
269:                            EncryptionPolicy inferredPol2 = getNthEncryptionPolicy(
270:                                    inferredSecurityPolicy, nthEncrypt);
271:                            while (inferredPol2 != null) {
272:                                boolean isKBTrue2 = verifyKeyBinding(
273:                                        actualEncryptionPolicy.getKeyBinding(),
274:                                        inferredPol2.getKeyBinding(), true);
275:                                boolean isTBTrue2 = verifyEncTargetBinding(
276:                                        (EncryptionPolicy.FeatureBinding) actualEncryptionPolicy
277:                                                .getFeatureBinding(),
278:                                        (EncryptionPolicy.FeatureBinding) inferredPol2
279:                                                .getFeatureBinding());
280:                                if (!isKBTrue2 || !isTBTrue2) {
281:                                    nthEncrypt++;
282:                                    inferredPol2 = getNthEncryptionPolicy(
283:                                            inferredSecurityPolicy, nthEncrypt);
284:                                } else {
285:                                    List<Target> moreTargets = ((EncryptionPolicy.FeatureBinding) inferredPol2
286:                                            .getFeatureBinding())
287:                                            .getTargetBindings();
288:                                    for (Target moreTarget : moreTargets) {
289:                                        ((EncryptionPolicy.FeatureBinding) inferredPol
290:                                                .getFeatureBinding())
291:                                                .addTargetBinding(moreTarget);
292:                                    }
293:                                    if (actualList.size() == inferredList
294:                                            .size()) {
295:                                        inferredSecurityPolicy
296:                                                .remove(inferredPol2);
297:                                        break;
298:                                    }
299:                                    inferredSecurityPolicy.remove(inferredPol2);
300:                                    nthEncrypt++;
301:                                    inferredPol2 = getNthEncryptionPolicy(
302:                                            inferredSecurityPolicy, nthEncrypt);
303:                                }
304:                            }
305:                        }
306:                        checkTargets(actualPol, pol);
307:                    } else {
308:                        //check to see for the case when no Encryption Target present in message
309:                        //The incoming message will not have Encryption policy in that case.
310:                        if (checkTargetPresence(actualPol)) {
311:                            log.log(Level.SEVERE,
312:                                    "WSS0206.policy.violation.exception");
313:                            throw new XWSSecurityException(
314:                                    "Encryption Policy verification error: Looking for an Encryption Element "
315:                                            + " in Security header, but found "
316:                                            + pol + ".");
317:                        }
318:                    }
319:
320:                }
321:
322:            }
323:
324:            private void checkTargets(WSSPolicy actualPol, WSSPolicy inferredPol)
325:                    throws XWSSecurityException {
326:
327:                List<Target> inferredTargets = null;
328:                List<Target> actualTargets = null;
329:
330:                if (PolicyTypeUtil.signaturePolicy(actualPol)) {
331:
332:                    SignaturePolicy.FeatureBinding inferredFeatureBinding = (SignaturePolicy.FeatureBinding) inferredPol
333:                            .getFeatureBinding();
334:                    SignaturePolicy.FeatureBinding actualFeatureBinding = (SignaturePolicy.FeatureBinding) actualPol
335:                            .getFeatureBinding();
336:
337:                    inferredTargets = (List<Target>) inferredFeatureBinding
338:                            .getTargetBindings();
339:                    actualTargets = (List<Target>) actualFeatureBinding
340:                            .getTargetBindings();
341:
342:                } else if (PolicyTypeUtil.encryptionPolicy(actualPol)) {
343:
344:                    EncryptionPolicy.FeatureBinding inferredFeatureBinding = (EncryptionPolicy.FeatureBinding) inferredPol
345:                            .getFeatureBinding();
346:                    EncryptionPolicy.FeatureBinding actualFeatureBinding = (EncryptionPolicy.FeatureBinding) actualPol
347:                            .getFeatureBinding();
348:
349:                    inferredTargets = (List<Target>) inferredFeatureBinding
350:                            .getTargetBindings();
351:                    actualTargets = (List<Target>) actualFeatureBinding
352:                            .getTargetBindings();
353:
354:                }
355:                targetResolver.resolveAndVerifyTargets(actualTargets,
356:                        inferredTargets, actualPol);
357:            }
358:
359:            private boolean verifyKeyBinding(MLSPolicy actualKeyBinding,
360:                    MLSPolicy inferredKeyBinding, boolean isEncryptPolicy)
361:                    throws XWSSecurityException {
362:                boolean verified = false;
363:                if (actualKeyBinding != null && inferredKeyBinding != null) {
364:                    if (PolicyTypeUtil.x509CertificateBinding(actualKeyBinding)
365:                            && PolicyTypeUtil
366:                                    .x509CertificateBinding(inferredKeyBinding)) {
367:                        /* TODO: cannot change actual policy, there seems to be a bug in
368:                         * security policy
369:                        AuthenticationTokenPolicy.X509CertificateBinding actualX509Bind =
370:                                (AuthenticationTokenPolicy.X509CertificateBinding)actualKeyBinding;
371:                        AuthenticationTokenPolicy.X509CertificateBinding inferredX509Bind =
372:                                (AuthenticationTokenPolicy.X509CertificateBinding)inferredKeyBinding;
373:                        // workaround - policy sets reference type as Thumprint
374:                        if(actualX509Bind.getReferenceType().equals(MessageConstants.THUMB_PRINT_TYPE))
375:                            actualX509Bind.setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
376:                        correctIncludeTokenPolicy(actualX509Bind, wssAssertion);
377:                        if(actualX509Bind.getReferenceType().equals(inferredX509Bind.getReferenceType()))*/
378:                        verified = true;
379:                    } else if (PolicyTypeUtil
380:                            .symmetricKeyBinding(actualKeyBinding)
381:                            && PolicyTypeUtil
382:                                    .symmetricKeyBinding(inferredKeyBinding)) {
383:                        verified = verifyKeyBinding(actualKeyBinding
384:                                .getKeyBinding(), inferredKeyBinding
385:                                .getKeyBinding(), isEncryptPolicy);
386:                    } else if (PolicyTypeUtil
387:                            .issuedTokenKeyBinding(actualKeyBinding)
388:                            && PolicyTypeUtil
389:                                    .issuedTokenKeyBinding(inferredKeyBinding)) {
390:
391:                        verified = true;
392:                    } else if (PolicyTypeUtil
393:                            .secureConversationTokenKeyBinding(actualKeyBinding)
394:                            && PolicyTypeUtil
395:                                    .secureConversationTokenKeyBinding(inferredKeyBinding)) {
396:
397:                        verified = true;
398:                    } else if (PolicyTypeUtil
399:                            .derivedTokenKeyBinding(actualKeyBinding)
400:                            && PolicyTypeUtil
401:                                    .derivedTokenKeyBinding(inferredKeyBinding)) {
402:
403:                        verified = verifyKeyBinding(
404:                                ((DerivedTokenKeyBinding) actualKeyBinding)
405:                                        .getOriginalKeyBinding(),
406:                                ((DerivedTokenKeyBinding) inferredKeyBinding)
407:                                        .getOriginalKeyBinding(),
408:                                isEncryptPolicy);
409:                    } else if (PolicyTypeUtil
410:                            .x509CertificateBinding(actualKeyBinding)
411:                            && PolicyTypeUtil
412:                                    .symmetricKeyBinding(inferredKeyBinding)) {
413:                        MLSPolicy ikbkb = inferredKeyBinding.getKeyBinding();
414:                        if (isEncryptPolicy
415:                                && PolicyTypeUtil.x509CertificateBinding(ikbkb)) {
416:                            verified = true;
417:                        }
418:                    } else if (PolicyTypeUtil.samlTokenPolicy(actualKeyBinding)
419:                            && PolicyTypeUtil
420:                                    .symmetricKeyBinding(inferredKeyBinding)) {
421:                        MLSPolicy ikbkb = inferredKeyBinding.getKeyBinding();
422:                        if (isEncryptPolicy
423:                                && PolicyTypeUtil.samlTokenPolicy(ikbkb)) {
424:                            verified = true;
425:                        }
426:                    } else if (PolicyTypeUtil.samlTokenPolicy(actualKeyBinding)
427:                            && PolicyTypeUtil
428:                                    .samlTokenPolicy(inferredKeyBinding)) {
429:
430:                        verified = true;
431:                    } else if (PolicyTypeUtil
432:                            .symmetricKeyBinding(actualKeyBinding)
433:                            && PolicyTypeUtil
434:                                    .x509CertificateBinding(inferredKeyBinding)) {
435:                        MLSPolicy akbkb = actualKeyBinding.getKeyBinding();
436:                        if (isEncryptPolicy
437:                                && PolicyTypeUtil.x509CertificateBinding(akbkb)) {
438:                            verified = true;
439:                        }
440:                    } else if (PolicyTypeUtil
441:                            .derivedTokenKeyBinding(actualKeyBinding)) {
442:                        //workaround for IssuedToken under Endorsing, with PublicKey inside IssuedToken
443:                        if (PolicyTypeUtil
444:                                .issuedTokenKeyBinding(inferredKeyBinding)
445:                                && PolicyTypeUtil
446:                                        .issuedTokenKeyBinding(((DerivedTokenKeyBinding) actualKeyBinding)
447:                                                .getOriginalKeyBinding())) {
448:                            verified = true;
449:                        }
450:                    }
451:                }
452:
453:                return verified;
454:            }
455:
456:            private boolean verifySignTargetBinding(
457:                    SignaturePolicy.FeatureBinding actualFeatureBinding,
458:                    SignaturePolicy.FeatureBinding inferredFeatureBinding)
459:                    throws XWSSecurityException {
460:                String actualCanonAlgo = actualFeatureBinding
461:                        .getCanonicalizationAlgorithm();
462:                String inferredCanonAlgo = inferredFeatureBinding
463:                        .getCanonicalizationAlgorithm();
464:
465:                if (actualCanonAlgo == null || inferredCanonAlgo == null) {
466:                    throw new XWSSecurityException(
467:                            "ActualCanonicalizationAlgorithm or InferredCanonicalizationAlgorithm "
468:                                    + " is null while verifying SignatureTargetBinding");
469:                }
470:                if (actualCanonAlgo.length() > 0
471:                        && inferredCanonAlgo.length() > 0) {
472:                    if (!inferredCanonAlgo.equals(actualCanonAlgo)) {
473:                        log
474:                                .warning("Receiver side requirement verification failed,"
475:                                        + " canonicalization algorithm received in the message is "
476:                                        + inferredCanonAlgo
477:                                        + " policy requires " + actualCanonAlgo);
478:                        return false;
479:                    }
480:                }
481:
482:                return true;
483:            }
484:
485:            private boolean verifyEncTargetBinding(
486:                    EncryptionPolicy.FeatureBinding actualFeatureBinding,
487:                    EncryptionPolicy.FeatureBinding inferredFeatureBinding) {
488:                String rDA = inferredFeatureBinding
489:                        .getDataEncryptionAlgorithm();
490:                String cDA = actualFeatureBinding.getDataEncryptionAlgorithm();
491:                if (cDA != null && cDA.length() > 0) {
492:                    if (!cDA.equals(rDA)) {
493:                        log
494:                                .warning("Receiver side requirement verification failed, "
495:                                        + "DataEncryptionAlgorithm specified in the receiver requirements did match with"
496:                                        + " DataEncryptionAlgorithm used to encrypt the message."
497:                                        + "Configured DataEncryptionAlgorithm is "
498:                                        + cDA
499:                                        + "  DataEncryptionAlgorithm used in the"
500:                                        + "message is " + rDA);
501:                        return false;
502:                    }
503:                }
504:                return true;
505:            }
506:
507:            private EncryptionPolicy getNthEncryptionPolicy(
508:                    MessagePolicy securityPolicy, int nth)
509:                    throws XWSSecurityException {
510:                try {
511:                    int count = nth;
512:                    for (int i = 0; i < securityPolicy.size(); i++) {
513:                        WSSPolicy pol = (WSSPolicy) securityPolicy.get(i);
514:                        if (PolicyTypeUtil.isPrimaryPolicy(pol)
515:                                && PolicyTypeUtil.encryptionPolicy(pol)) {
516:                            if (((EncryptionPolicy.FeatureBinding) pol
517:                                    .getFeatureBinding()).encryptsIssuedToken()) {
518:                                continue;
519:                            }
520:                            if (count > 0) {
521:                                count--;
522:                                continue;
523:                            } else {
524:                                return (EncryptionPolicy) pol;
525:                            }
526:                        }
527:                    }
528:                } catch (Exception e) {
529:                    throw new XWSSecurityException(e);
530:                }
531:                return null;
532:            }
533:
534:            private WSSPolicy getFirstPrimaryPolicy(
535:                    MessagePolicy securityPolicy, boolean isEndorsingSign,
536:                    int nth) throws XWSSecurityException {
537:                try {
538:
539:                    int count = nth;
540:                    if (!isEndorsingSign) {
541:                        for (int i = 0; i < securityPolicy.size(); i++) {
542:                            WSSPolicy pol = (WSSPolicy) securityPolicy.get(i);
543:                            if (PolicyTypeUtil.isPrimaryPolicy(pol)) {
544:                                // accounts for encrypted SAML tokens issued by STS
545:                                if (PolicyTypeUtil.encryptionPolicy(pol)
546:                                        && ((EncryptionPolicy.FeatureBinding) pol
547:                                                .getFeatureBinding())
548:                                                .encryptsIssuedToken()) {
549:                                    continue;
550:                                } else if (count > 0) {
551:                                    if (PolicyTypeUtil.signaturePolicy(pol))
552:                                        count--;
553:                                    continue;
554:                                } else if (nth != 0
555:                                        && !PolicyTypeUtil.signaturePolicy(pol)) {
556:                                    continue;
557:                                } else {
558:                                    return pol;
559:                                }
560:                            }
561:                        }
562:                    } else {
563:                        // endorsingSign policy is not placed correctly in actual policy
564:                        for (int i = 0; i < securityPolicy.size(); i++) {
565:                            WSSPolicy pol = (WSSPolicy) securityPolicy.get(i);
566:                            if (PolicyTypeUtil.isPrimaryPolicy(pol)
567:                                    && PolicyTypeUtil.signaturePolicy(pol)) {
568:                                SignaturePolicy signPol = (SignaturePolicy) pol;
569:                                SignaturePolicy.FeatureBinding fb = (SignaturePolicy.FeatureBinding) signPol
570:                                        .getFeatureBinding();
571:                                for (int no_of_sig_targets = 0; no_of_sig_targets < fb
572:                                        .getTargetBindings().size(); no_of_sig_targets++) {
573:                                    SignatureTarget target = (SignatureTarget) fb
574:                                            .getTargetBindings().get(
575:                                                    no_of_sig_targets);
576:                                    if ("{http://www.w3.org/2000/09/xmldsig#}Signature"
577:                                            .equals(target.getValue()))
578:                                        return pol;
579:                                }
580:                            }
581:                        }
582:                    }
583:                } catch (Exception e) {
584:                    throw new XWSSecurityException(e);
585:                }
586:                return null;
587:            }
588:
589:            private void correctIncludeTokenPolicy(
590:                    AuthenticationTokenPolicy.X509CertificateBinding x509Bind,
591:                    WSSAssertion wssAssertion) {
592:                if (x509Bind.INCLUDE_NEVER.equals(x509Bind.getIncludeToken())) {
593:                    if (MessageConstants.DIRECT_REFERENCE_TYPE.equals(x509Bind
594:                            .getReferenceType())) {
595:                        if (wssAssertion != null) {
596:                            if (wssAssertion
597:                                    .getRequiredProperties()
598:                                    .contains(
599:                                            WSSAssertion.MUST_SUPPORT_REF_KEYIDENTIFIER))
600:                                x509Bind
601:                                        .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
602:                            else if (wssAssertion
603:                                    .getRequiredProperties()
604:                                    .contains(
605:                                            WSSAssertion.MUSTSUPPORT_REF_THUMBPRINT))
606:                                x509Bind
607:                                        .setReferenceType(MessageConstants.THUMB_PRINT_TYPE);
608:                        } else {
609:                            // when wssAssertion is not set use KeyIdentifier
610:                            x509Bind
611:                                    .setReferenceType(MessageConstants.KEY_INDETIFIER_TYPE);
612:                        }
613:                    }
614:                } else if (x509Bind.INCLUDE_ALWAYS_TO_RECIPIENT.equals(x509Bind
615:                        .getIncludeToken())
616:                        || x509Bind.INCLUDE_ALWAYS.equals(x509Bind
617:                                .getIncludeToken())) {
618:                    x509Bind
619:                            .setReferenceType(MessageConstants.DIRECT_REFERENCE_TYPE);
620:                }
621:            }
622:
623:            public void printInferredSecurityPolicy(
624:                    MessagePolicy inferredSecurityPolicy) throws Exception {
625:                StringBuffer buffer = new StringBuffer();
626:                if (inferredSecurityPolicy == null) {
627:                    buffer.append("Security Policy not set\n");
628:                } else {
629:                    buffer.append("Size of Policy:: "
630:                            + inferredSecurityPolicy.size() + "\n");
631:                    for (int i = 0; i < inferredSecurityPolicy.size(); i++) {
632:                        WSSPolicy pol = (WSSPolicy) inferredSecurityPolicy
633:                                .get(i);
634:                        if (PolicyTypeUtil.timestampPolicy(pol)) {
635:                            buffer.append("Timestamp Policy\n");
636:                        } else if (PolicyTypeUtil.usernameTokenPolicy(pol)) {
637:                            buffer.append("UsernameToken Policy\n");
638:                        } else if (PolicyTypeUtil.signaturePolicy(pol)) {
639:                            buffer.append("Signature Policy\n");
640:                            SignaturePolicy sigPol = (SignaturePolicy) pol;
641:                            SignaturePolicy.FeatureBinding featureBinding = (SignaturePolicy.FeatureBinding) sigPol
642:                                    .getFeatureBinding();
643:                            ArrayList targets = featureBinding
644:                                    .getTargetBindings();
645:                            buffer.append("\tCanonicalizationAlgorithm"
646:                                    + featureBinding
647:                                            .getCanonicalizationAlgorithm()
648:                                    + "\n");
649:                            buffer.append("\t Targets\n");
650:                            for (int j = 0; j < targets.size(); j++) {
651:                                SignatureTarget target = (SignatureTarget) targets
652:                                        .get(j);
653:                                buffer.append("\t " + j + ":Type:"
654:                                        + target.getType() + "\n");
655:                                buffer.append("\t  Value:" + target.getValue()
656:                                        + "\n");
657:                                buffer.append("\t  DigestAlgorithm:"
658:                                        + target.getDigestAlgorithm() + "\n");
659:                                ArrayList transforms = target.getTransforms();
660:
661:                                if (transforms != null) {
662:                                    buffer.append("\t  " + "Transforms::\n");
663:                                    for (int k = 0; k < transforms.size(); k++) {
664:                                        buffer
665:                                                .append("\t "
666:                                                        + "   "
667:                                                        + ((SignatureTarget.Transform) transforms
668:                                                                .get(k))
669:                                                                .getTransform()
670:                                                        + "\n");
671:                                    }
672:                                }
673:                            }
674:                            MLSPolicy keyBinding = sigPol.getKeyBinding();
675:                            if (keyBinding != null) {
676:                                buffer.append("\tKeyBinding\n");
677:                                printKeyBinding(keyBinding, buffer);
678:                            }
679:                        } else if (PolicyTypeUtil.encryptionPolicy(pol)) {
680:                            buffer.append("Encryption Policy\n");
681:                            EncryptionPolicy encPol = (EncryptionPolicy) pol;
682:                            EncryptionPolicy.FeatureBinding featureBinding = (EncryptionPolicy.FeatureBinding) encPol
683:                                    .getFeatureBinding();
684:                            ArrayList targets = featureBinding
685:                                    .getTargetBindings();
686:                            buffer.append("\t Targets\n");
687:                            for (int j = 0; j < targets.size(); j++) {
688:                                EncryptionTarget target = (EncryptionTarget) targets
689:                                        .get(j);
690:                                buffer.append("\t " + j + ":" + "Type:"
691:                                        + target.getType() + "\n");
692:                                buffer.append("\t  Value:" + target.getValue()
693:                                        + "\n");
694:                                buffer.append("\t  ContentOnly:"
695:                                        + target.getContentOnly() + "\n");
696:                                buffer.append("\t  DataEncryptionAlgorithm:"
697:                                        + target.getDataEncryptionAlgorithm()
698:                                        + "\n");
699:                            }
700:                            MLSPolicy keyBinding = encPol.getKeyBinding();
701:                            if (keyBinding != null) {
702:                                buffer.append("\tKeyBinding\n");
703:                                printKeyBinding(keyBinding, buffer);
704:                            }
705:                        } else if (PolicyTypeUtil
706:                                .signatureConfirmationPolicy(pol)) {
707:                            buffer.append("SignatureConfirmation Policy\n");
708:                        } else {
709:                            buffer.append(pol + "\n");
710:                        }
711:                    }
712:                }
713:                if (MessageConstants.debug) {
714:                    System.out.println(buffer.toString());
715:                }
716:            }
717:
718:            private void printKeyBinding(MLSPolicy keyBinding,
719:                    StringBuffer buffer) {
720:                if (keyBinding != null) {
721:                    if (keyBinding instanceof  AuthenticationTokenPolicy.X509CertificateBinding) {
722:                        AuthenticationTokenPolicy.X509CertificateBinding x509Binding = (AuthenticationTokenPolicy.X509CertificateBinding) keyBinding;
723:                        buffer.append("\t  X509CertificateBinding\n");
724:                        buffer.append("\t    ValueType:"
725:                                + x509Binding.getValueType() + "\n");
726:                        buffer.append("\t    ReferenceType:"
727:                                + x509Binding.getReferenceType() + "\n");
728:                    } else if (keyBinding instanceof  AuthenticationTokenPolicy.SAMLAssertionBinding) {
729:                        AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding = (AuthenticationTokenPolicy.SAMLAssertionBinding) keyBinding;
730:                        buffer.append("\t  SAMLAssertionBinding\n");
731:                        //buffer.append("\t    ValueType:" + samlBinding.getValueType() + "\n");
732:                        buffer.append("\t    ReferenceType:"
733:                                + samlBinding.getReferenceType() + "\n");
734:                    } else if (keyBinding instanceof  SymmetricKeyBinding) {
735:                        SymmetricKeyBinding skBinding = (SymmetricKeyBinding) keyBinding;
736:                        buffer.append("\t  SymmetricKeyBinding\n");
737:                        AuthenticationTokenPolicy.X509CertificateBinding x509Binding = (AuthenticationTokenPolicy.X509CertificateBinding) skBinding
738:                                .getKeyBinding();
739:                        if (x509Binding != null) {
740:                            buffer.append("\t     X509CertificateBinding\n");
741:                            buffer.append("\t       ValueType:"
742:                                    + x509Binding.getValueType() + "\n");
743:                            buffer.append("\t       ReferenceType:"
744:                                    + x509Binding.getReferenceType() + "\n");
745:                        }
746:                    } else if (keyBinding instanceof  IssuedTokenKeyBinding) {
747:                        buffer.append("\t  IssuedTokenKeyBinding\n");
748:
749:                    } else if (keyBinding instanceof  SecureConversationTokenKeyBinding) {
750:                        buffer
751:                                .append("\t  SecureConversationTokenKeyBinding\n");
752:
753:                    } else if (keyBinding instanceof  DerivedTokenKeyBinding) {
754:                        buffer.append("\t  DerivedTokenKeyBinding\n");
755:                        DerivedTokenKeyBinding dtkBinding = (DerivedTokenKeyBinding) keyBinding;
756:                        buffer.append("\t  OriginalKeyBinding:\n");
757:                        printKeyBinding(dtkBinding.getOriginalKeyBinding(),
758:                                buffer);
759:                    }
760:                }
761:            }
762:
763:            private boolean checkTargetPresence(WSSPolicy actualPol)
764:                    throws XWSSecurityException {
765:                List<Target> actualTargets = null;
766:                if (PolicyTypeUtil.signaturePolicy(actualPol)) {
767:                    SignaturePolicy.FeatureBinding actualFeatureBinding = (SignaturePolicy.FeatureBinding) actualPol
768:                            .getFeatureBinding();
769:                    actualTargets = (List<Target>) actualFeatureBinding
770:                            .getTargetBindings();
771:                } else if (PolicyTypeUtil.encryptionPolicy(actualPol)) {
772:                    EncryptionPolicy.FeatureBinding actualFeatureBinding = (EncryptionPolicy.FeatureBinding) actualPol
773:                            .getFeatureBinding();
774:                    actualTargets = (List<Target>) actualFeatureBinding
775:                            .getTargetBindings();
776:                }
777:
778:                return targetResolver.isTargetPresent(actualTargets);
779:            }
780:
781:            private boolean checkAllowExtraTimestamp(
782:                    MessagePolicy inferredSecurityPolicy) {
783:                //assumption : inferredSecurityPolicy != null and size > 0
784:                if (inferredSecurityPolicy.size() > 1) {
785:                    return false;
786:                }
787:                SecurityPolicy pol = null;
788:                try {
789:                    pol = inferredSecurityPolicy.get(0);
790:                } catch (Exception ex) {
791:                    //ignore for now;
792:                }
793:                if (pol instanceof  TimestampPolicy) {
794:                    return true;
795:                }
796:                return false;
797:            }
798:        }
w__w___w__.j_a___va__2_s_.___co__m___ | Contact Us
Copyright 2009 - 12 Demo Source and Support. All rights reserved.
All other trademarks are property of their respective owners.