0001: /*
0002:
0003: * The contents of this file are subject to the terms
0004:
0005: * of the Common Development and Distribution License
0006:
0007: * (the "License"). You may not use this file except
0008:
0009: * in compliance with the License.
0010:
0011: *
0012:
0013: * You can obtain a copy of the license at
0014:
0015: * https://jwsdp.dev.java.net/CDDLv1.0.html
0016:
0017: * See the License for the specific language governing
0018:
0019: * permissions and limitations under the License.
0020:
0021: *
0022:
0023: * When distributing Covered Code, include this CDDL
0024:
0025: * HEADER in each file and include the License file at
0026:
0027: * https://jwsdp.dev.java.net/CDDLv1.0.html If applicable,
0028:
0029: * add the following below this CDDL HEADER, with the
0030:
0031: * fields enclosed by brackets "[]" replaced with your
0032:
0033: * own identifying information: Portions Copyright [yyyy]
0034:
0035: * [name of copyright owner]
0036:
0037: */
0038:
0039: /**
0040:
0041: * $Id: WssProviderAuthModule.java,v 1.4 2007/08/01 11:08:18 ashutoshshahi Exp $
0042:
0043: *
0044:
0045: * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
0046:
0047: * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
0048:
0049: */package com.sun.xml.wss.provider;
0050:
0051: import java.io.File;
0052:
0053: import java.util.Map;
0054:
0055: import java.util.List;
0056:
0057: import java.util.Iterator;
0058:
0059: import java.util.ArrayList;
0060:
0061: import java.util.Collection;
0062:
0063: import java.io.FileInputStream;
0064:
0065: import java.io.BufferedInputStream;
0066:
0067: import java.io.InputStream;
0068:
0069: import javax.xml.soap.SOAPMessage;
0070:
0071: import javax.security.auth.callback.Callback;
0072:
0073: import javax.security.auth.callback.NameCallback;
0074:
0075: import javax.security.auth.callback.CallbackHandler;
0076:
0077: import javax.security.auth.callback.PasswordCallback;
0078:
0079: import com.sun.enterprise.security.jauth.AuthPolicy;
0080:
0081: import com.sun.xml.wss.XWSSecurityException;
0082:
0083: import com.sun.xml.wss.impl.WssProviderSecurityEnvironment;
0084:
0085: import com.sun.xml.wss.impl.policy.mls.MessagePolicy;
0086:
0087: import com.sun.xml.wss.impl.config.SecurityConfigurationXmlReader;
0088:
0089: import com.sun.xml.wss.impl.config.DeclarativeSecurityConfiguration;
0090:
0091: import com.sun.xml.wss.impl.MessageConstants;
0092:
0093: import com.sun.xml.wss.impl.policy.SecurityPolicy;
0094:
0095: import com.sun.xml.wss.impl.policy.PolicyGenerationException;
0096:
0097: import com.sun.xml.wss.impl.policy.mls.WSSPolicy;
0098:
0099: import com.sun.xml.wss.impl.policy.MLSPolicy;
0100:
0101: import com.sun.xml.wss.impl.policy.mls.SignaturePolicy;
0102:
0103: import com.sun.xml.wss.impl.policy.mls.EncryptionPolicy;
0104:
0105: import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
0106:
0107: import com.sun.xml.wss.impl.policy.mls.Target;
0108:
0109: import com.sun.xml.wss.impl.PolicyTypeUtil;
0110:
0111: public class WssProviderAuthModule implements ModuleOptions,
0112: ConfigurationStates {
0113:
0114: protected SecurityPolicy _policy = null;
0115:
0116: protected WssProviderSecurityEnvironment _sEnvironment = null;
0117:
0118: private boolean runtimeUsernamePassword = false;
0119:
0120: private static final String SIGN_POLICY = "com.sun.xml.wss.impl.policy.mls.SignaturePolicy";
0121:
0122: private static final String ENCRYPT_POLICY = "com.sun.xml.wss.impl.policy.mls.EncryptionPolicy";
0123:
0124: private static final String TIMESTAMP_POLICY = "com.sun.xml.wss.impl.policy.mls.TimestampPolicy";
0125:
0126: private static final String AUTHENTICATION_POLICY =
0127:
0128: "com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy";
0129:
0130: private static final String USERNAMETOKEN_POLICY =
0131:
0132: "com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy.UsernameTokenBinding";
0133:
0134: private static final String USERNAMETOKEN = "UsernameToken";
0135:
0136: private static final String BODY = "Body";
0137:
0138: public static final String REQUESTER_SUBJECT = "REQUESTER_SUBJECT";
0139:
0140: public static final String REQUESTER_KEYID = "REQUESTER_KEYID";
0141:
0142: public static final String REQUESTER_ISSUERNAME = "REQUESTER_ISSUERNAME";
0143:
0144: public static final String REQUESTER_SERIAL = "REQUESTER_SERIAL";
0145:
0146: public static final String SELF_SUBJECT = "SELF_SUBJECT";
0147:
0148: protected int optimize = MessageConstants.NOT_OPTIMIZED;
0149:
0150: protected boolean configOptimizeAttribute = true;
0151:
0152: public WssProviderAuthModule() {
0153:
0154: }
0155:
0156: /**
0157:
0158: * Initialization method for Client and Server Auth Modules
0159:
0160: * @param requestPolicy
0161:
0162: * used to validate request on server side
0163:
0164: * and to secure request on client side
0165:
0166: * @param responsePolicy
0167:
0168: * used to validate response on client side
0169:
0170: * and to secure response on server side
0171:
0172: * @param handler
0173:
0174: * CallbackHandler
0175:
0176: * @param options
0177:
0178: * Map of module options
0179:
0180: * @param isClientAuthModule
0181:
0182: * indicates if the current instance is client or server module
0183:
0184: * @throws RuntimeException
0185:
0186: */
0187:
0188: public void initialize(AuthPolicy requestPolicy,
0189:
0190: AuthPolicy responsePolicy,
0191:
0192: CallbackHandler handler,
0193:
0194: Map options,
0195:
0196: boolean isClientAuthModule) {
0197:
0198: boolean debugON = false;
0199:
0200: String bg = (String) options.get(DEBUG);
0201:
0202: if (bg != null && bg.equals("true"))
0203: debugON = true;
0204:
0205: // use the requestPolicy to configure recipient in
0206:
0207: // case of Server and annotator in case of Client -
0208:
0209: // use the responsePolicy to configure annotator in
0210:
0211: // case of Server and recipient in case of Client -
0212:
0213: // get the security configuration file from options
0214:
0215: String securityConfigurationURL = (String) options
0216: .get(SECURITY_CONFIGURATION_FILE);
0217:
0218: String signAlias = (String) options.get(SIGNING_KEY_ALIAS);
0219:
0220: String encryptAlias = (String) options
0221: .get(ENCRYPTION_KEY_ALIAS);
0222:
0223: try {
0224:
0225: InputStream is = null;
0226:
0227: if (securityConfigurationURL != null) {
0228:
0229: is = new BufferedInputStream(new FileInputStream(
0230: new File(securityConfigurationURL)));
0231:
0232: } else {
0233:
0234: // try to locate the config file from the classpath
0235:
0236: if (this instanceof ServerSecurityAuthModule) {
0237:
0238: is = this .getClass().getResourceAsStream(
0239: "wss-server-config-2.0.xml");
0240:
0241: } else {
0242:
0243: is = this .getClass().getResourceAsStream(
0244: "wss-client-config-2.0.xml");
0245:
0246: }
0247:
0248: }
0249:
0250: _policy = SecurityConfigurationXmlReader
0251: .createDeclarativeConfiguration(is);
0252:
0253: int request_policy_state = EMPTY_POLICY_STATE;
0254:
0255: int response_policy_state = EMPTY_POLICY_STATE;
0256:
0257: if (requestPolicy != null) {
0258:
0259: request_policy_state = resolveConfigurationState(
0260: requestPolicy, true, isClientAuthModule);
0261:
0262: }
0263:
0264: if (responsePolicy != null) {
0265:
0266: response_policy_state = resolveConfigurationState(
0267: responsePolicy, false, isClientAuthModule);
0268:
0269: }
0270:
0271: String obj = (String) options
0272: .get(DYNAMIC_USERNAME_PASSWORD);
0273:
0274: if (obj != null) {
0275:
0276: runtimeUsernamePassword = obj.equalsIgnoreCase("true") ? true
0277: : false;
0278:
0279: }
0280:
0281: if (isClientAuthModule) {
0282:
0283: augmentConfiguration(response_policy_state, true,
0284: handler, debugON, signAlias, encryptAlias);
0285:
0286: augmentConfiguration(request_policy_state, false,
0287: handler, debugON, signAlias, encryptAlias);
0288:
0289: } else {
0290:
0291: augmentConfiguration(response_policy_state, false,
0292: handler, debugON, signAlias, encryptAlias);
0293:
0294: augmentConfiguration(request_policy_state, true,
0295: handler, debugON, signAlias, encryptAlias);
0296:
0297: }
0298:
0299: _sEnvironment = new WssProviderSecurityEnvironment(handler,
0300: options);
0301:
0302: } catch (Exception e) {
0303:
0304: throw new RuntimeException(e);
0305:
0306: }
0307:
0308: }
0309:
0310: /**
0311:
0312: * Resolves the state of a policy object
0313:
0314: * @param policy
0315:
0316: * AuthPolicy object whose state is to be resolved
0317:
0318: * @return configurationState
0319:
0320: * returns one of the possible states defined in ConfigurationStates
0321:
0322: * @throws RuntimeException
0323:
0324: */
0325:
0326: public int resolveConfigurationState(AuthPolicy policy,
0327: boolean isRequestPolicy, boolean isClientAuthModule) {
0328:
0329: boolean orderForValidation = isClientAuthModule ?
0330:
0331: (isRequestPolicy ? false : true) :
0332:
0333: (isRequestPolicy ? true : false);
0334:
0335: boolean sourceAuthRequired = policy.isSourceAuthRequired();
0336:
0337: boolean recipientAuthRequired = policy
0338: .isRecipientAuthRequired();
0339:
0340: boolean senderAuthRequired = policy.isSenderAuthRequired();
0341:
0342: boolean contentAuthRequired = policy.isContentAuthRequired();
0343:
0344: boolean beforeContent = policy
0345: .isRecipientAuthBeforeContent(orderForValidation);
0346:
0347: int configurationState = -1;
0348:
0349: if (sourceAuthRequired && !recipientAuthRequired) {
0350:
0351: if (senderAuthRequired)
0352:
0353: configurationState = AUTHENTICATE_SENDER_TOKEN_ONLY;
0354:
0355: else if (contentAuthRequired)
0356:
0357: configurationState = AUTHENTICATE_SENDER_SIGNATURE_ONLY;
0358:
0359: } else if (!sourceAuthRequired && recipientAuthRequired) {
0360:
0361: configurationState = AUTHENTICATE_RECIPIENT_ONLY;
0362:
0363: } else if (sourceAuthRequired && recipientAuthRequired) {
0364:
0365: if (beforeContent) {
0366:
0367: if (senderAuthRequired) {
0368:
0369: configurationState = AUTHENTICATE_RECIPIENT_AUTHENTICATE_SENDER_TOKEN;
0370:
0371: } else if (contentAuthRequired) {
0372:
0373: configurationState = AUTHENTICATE_RECIPIENT_AUTHENTICATE_SENDER_SIGNATURE;
0374:
0375: }
0376:
0377: } else {
0378:
0379: if (senderAuthRequired) {
0380:
0381: configurationState = AUTHENTICATE_SENDER_TOKEN_AUTHENTICATE_RECIPIENT;
0382:
0383: } else if (contentAuthRequired) {
0384:
0385: configurationState = AUTHENTICATE_SENDER_SIGNATURE_AUTHENTICATE_RECIPIENT;
0386:
0387: }
0388:
0389: }
0390:
0391: } else {
0392:
0393: configurationState = EMPTY_POLICY_STATE;
0394:
0395: }
0396:
0397: if (configurationState == -1) {
0398:
0399: // log
0400:
0401: throw new RuntimeException(
0402: "AuthPolicy configuration error: Invalid policy specification");
0403:
0404: }
0405:
0406: return configurationState;
0407:
0408: }
0409:
0410: private Collection getEncryptPolicies(
0411:
0412: MessagePolicy mPolicy, CallbackHandler handler,
0413: boolean senderConfiguration)
0414:
0415: throws PolicyGenerationException {
0416:
0417: Collection requiredElements = new ArrayList();
0418:
0419: Iterator it = mPolicy.iterator();
0420:
0421: while (it.hasNext()) {
0422:
0423: WSSPolicy policy = (WSSPolicy) it.next();
0424:
0425: if (PolicyTypeUtil.encryptionPolicy(policy)) {
0426:
0427: if (!hasEncryptUsernamePolicy(
0428: (EncryptionPolicy) policy, mPolicy)) {
0429:
0430: requiredElements.add(policy);
0431:
0432: }
0433:
0434: }
0435:
0436: }
0437:
0438: if (requiredElements.isEmpty()) {
0439:
0440: throw new RuntimeException("Operation/Requirement ("
0441: +
0442:
0443: translate2configurationName(ENCRYPT_POLICY,
0444: senderConfiguration) +
0445:
0446: ") not specified "
0447: + "in the Config. file is required by the policy");
0448:
0449: }
0450:
0451: return requiredElements;
0452:
0453: }
0454:
0455: private Collection getEncryptPoliciesOptional(
0456:
0457: MessagePolicy mPolicy, CallbackHandler handler,
0458: boolean senderConfiguration)
0459:
0460: throws PolicyGenerationException {
0461:
0462: Collection requiredElements = new ArrayList();
0463:
0464: Iterator it = mPolicy.iterator();
0465:
0466: while (it.hasNext()) {
0467:
0468: WSSPolicy policy = (WSSPolicy) it.next();
0469:
0470: if (PolicyTypeUtil.encryptionPolicy(policy)) {
0471:
0472: if (!hasEncryptUsernamePolicy(
0473: (EncryptionPolicy) policy, mPolicy)) {
0474:
0475: requiredElements.add(policy);
0476:
0477: }
0478:
0479: }
0480:
0481: }
0482:
0483: return requiredElements;
0484:
0485: }
0486:
0487: private Collection getSignPolicies(
0488:
0489: MessagePolicy mPolicy, CallbackHandler handler,
0490: boolean senderConfiguration)
0491:
0492: throws PolicyGenerationException {
0493:
0494: Collection requiredElements = new ArrayList();
0495:
0496: Iterator it = mPolicy.iterator();
0497:
0498: while (it.hasNext()) {
0499:
0500: WSSPolicy policy = (WSSPolicy) it.next();
0501:
0502: if (PolicyTypeUtil.signaturePolicy(policy)) {
0503:
0504: requiredElements.add(policy);
0505:
0506: }
0507:
0508: }
0509:
0510: if (requiredElements.isEmpty()) {
0511:
0512: throw new RuntimeException("Operation/Requirement ("
0513: +
0514:
0515: translate2configurationName(SIGN_POLICY,
0516: senderConfiguration) +
0517:
0518: ") not specified "
0519: + "in the Config. file is required by the policy");
0520:
0521: }
0522:
0523: return requiredElements;
0524:
0525: }
0526:
0527: private WSSPolicy getUsernamePolicy(MessagePolicy mPolicy,
0528: CallbackHandler handler, boolean senderConfiguration)
0529:
0530: throws PolicyGenerationException {
0531:
0532: WSSPolicy usernamePolicy = null;
0533:
0534: Iterator it = mPolicy.iterator();
0535:
0536: while (it.hasNext()) {
0537:
0538: WSSPolicy policy = (WSSPolicy) it.next();
0539:
0540: if (PolicyTypeUtil.authenticationTokenPolicy(policy)) {
0541:
0542: if ((policy.getFeatureBinding() != null)
0543: &&
0544:
0545: (PolicyTypeUtil.usernameTokenPolicy(policy
0546: .getFeatureBinding()))) {
0547:
0548: if (senderConfiguration && !runtimeUsernamePassword) {
0549:
0550: setUsernamePassword(
0551: (AuthenticationTokenPolicy) policy,
0552: handler);
0553:
0554: }
0555:
0556: usernamePolicy = policy;
0557:
0558: break;
0559:
0560: }
0561:
0562: }
0563:
0564: }
0565:
0566: if (usernamePolicy == null) {
0567:
0568: throw new RuntimeException("Operation/Requirement ("
0569: +
0570:
0571: translate2configurationName(USERNAMETOKEN_POLICY,
0572: senderConfiguration) +
0573:
0574: ") not specified "
0575: + "in the Config. file is required by the policy");
0576:
0577: }
0578:
0579: return usernamePolicy;
0580:
0581: }
0582:
0583: private Collection getUsernamePolicies(MessagePolicy mPolicy,
0584: CallbackHandler handler, boolean senderConfiguration)
0585:
0586: throws PolicyGenerationException {
0587:
0588: Collection requiredElements = new ArrayList();
0589:
0590: WSSPolicy encryptUsernamePolicy = null;
0591:
0592: Iterator it = mPolicy.iterator();
0593:
0594: while (it.hasNext()) {
0595:
0596: WSSPolicy policy = (WSSPolicy) it.next();
0597:
0598: if (PolicyTypeUtil.authenticationTokenPolicy(policy)) {
0599:
0600: if ((policy.getFeatureBinding() != null)
0601: &&
0602:
0603: (PolicyTypeUtil.usernameTokenPolicy(policy
0604: .getFeatureBinding()))) {
0605:
0606: if (senderConfiguration && !runtimeUsernamePassword) {
0607:
0608: setUsernamePassword(
0609: (AuthenticationTokenPolicy) policy,
0610: handler);
0611:
0612: }
0613:
0614: requiredElements.add(policy);
0615:
0616: }
0617:
0618: } else if (PolicyTypeUtil.encryptionPolicy(policy)) {
0619:
0620: if (isEncryptUsernamePolicy((EncryptionPolicy) policy,
0621: mPolicy)) {
0622:
0623: encryptUsernamePolicy = policy;
0624:
0625: }
0626:
0627: }
0628:
0629: }
0630:
0631: if (requiredElements.isEmpty()) {
0632:
0633: throw new RuntimeException("Operation/Requirement ("
0634: +
0635:
0636: translate2configurationName(USERNAMETOKEN_POLICY,
0637: senderConfiguration) +
0638:
0639: ") not specified "
0640: + "in the Config. file is required by the policy");
0641:
0642: }
0643:
0644: if (encryptUsernamePolicy != null) {
0645:
0646: requiredElements.add(encryptUsernamePolicy);
0647:
0648: }
0649:
0650: return requiredElements;
0651:
0652: }
0653:
0654: private Collection getEncryptUsernamePolicies(
0655:
0656: MessagePolicy mPolicy, CallbackHandler handler,
0657: boolean senderConfiguration)
0658:
0659: throws PolicyGenerationException {
0660:
0661: Collection requiredElements = new ArrayList();
0662:
0663: WSSPolicy eBU = getEncryptBodyUsernamePolicy(mPolicy);
0664:
0665: if (eBU != null) {
0666:
0667: Collection ePolicies = getNonBodyUsernameEncryptPolicies(
0668:
0669: mPolicy, handler, senderConfiguration);
0670:
0671: requiredElements.addAll(ePolicies);
0672:
0673: requiredElements.add(getUsernamePolicy(mPolicy, handler,
0674: senderConfiguration));
0675:
0676: requiredElements.add(eBU);
0677:
0678: } else {
0679:
0680: //FOR BC Reasons we allow this
0681:
0682: Collection ePolicies = getEncryptPoliciesOptional(mPolicy,
0683: handler, senderConfiguration);
0684:
0685: requiredElements.addAll(ePolicies);
0686:
0687: requiredElements.addAll(getUsernamePolicies(mPolicy,
0688: handler, senderConfiguration));
0689:
0690: }
0691:
0692: if (requiredElements.isEmpty()) {
0693:
0694: throw new RuntimeException("Operation/Requirement ("
0695: +
0696:
0697: translate2configurationName(ENCRYPT_POLICY,
0698: senderConfiguration) +
0699:
0700: ") not specified "
0701: + "in the Config. file is required by the policy");
0702:
0703: }
0704:
0705: return requiredElements;
0706:
0707: }
0708:
0709: private Collection getUsernameEncryptPolicies(
0710:
0711: MessagePolicy mPolicy, CallbackHandler handler,
0712: boolean senderConfiguration)
0713:
0714: throws PolicyGenerationException {
0715:
0716: Collection requiredElements = new ArrayList();
0717:
0718: WSSPolicy eUB = getEncryptUsernameBodyPolicy(mPolicy);
0719:
0720: if (eUB != null) {
0721:
0722: requiredElements.add(getUsernamePolicy(mPolicy, handler,
0723: senderConfiguration));
0724:
0725: requiredElements.add(eUB);
0726:
0727: Collection ePolicies = getNonBodyUsernameEncryptPolicies(
0728:
0729: mPolicy, handler, senderConfiguration);
0730:
0731: requiredElements.addAll(ePolicies);
0732:
0733: } else {
0734:
0735: requiredElements.addAll(getUsernamePolicies(mPolicy,
0736: handler, senderConfiguration));
0737:
0738: //FOR BC Reasons we allow this
0739:
0740: Collection ePolicies = getEncryptPoliciesOptional(mPolicy,
0741: handler, senderConfiguration);
0742:
0743: requiredElements.addAll(ePolicies);
0744:
0745: }
0746:
0747: if (requiredElements.isEmpty()) {
0748:
0749: throw new RuntimeException("Operation/Requirement ("
0750: +
0751:
0752: translate2configurationName(USERNAMETOKEN_POLICY,
0753: senderConfiguration) +
0754:
0755: ") not specified "
0756: + "in the Config. file is required by the policy");
0757:
0758: }
0759:
0760: return requiredElements;
0761:
0762: }
0763:
0764: private WSSPolicy getTimestampPolicy(
0765:
0766: MessagePolicy mPolicy, CallbackHandler handler,
0767: boolean senderConfiguration) {
0768:
0769: WSSPolicy timestampPolicy = null;
0770:
0771: Iterator it = mPolicy.iterator();
0772:
0773: while (it.hasNext()) {
0774:
0775: WSSPolicy policy = (WSSPolicy) it.next();
0776:
0777: if (PolicyTypeUtil.timestampPolicy(policy)) {
0778:
0779: timestampPolicy = (policy);
0780:
0781: break;
0782:
0783: }
0784:
0785: }
0786:
0787: return timestampPolicy;
0788:
0789: }
0790:
0791: /**
0792:
0793: * Modifies the sender/receiver settings according to the corresponding policy
0794:
0795: * @param requiredState
0796:
0797: * the state of the policy object
0798:
0799: * @param modifyReceiverSettings
0800:
0801: * indicates if sender/receiver settings need to be modified
0802:
0803: * @throws RuntimeException
0804:
0805: */
0806:
0807: private void augmentConfiguration(int requiredState,
0808: boolean modifyReceiverSettings, CallbackHandler handler,
0809: boolean debugON,
0810:
0811: String signAlias, String encryptAlias)
0812: throws PolicyGenerationException {
0813:
0814: MessagePolicy mPolicy = null;
0815:
0816: DeclarativeSecurityConfiguration dConfiguration = (DeclarativeSecurityConfiguration) _policy;
0817:
0818: boolean senderConfiguration = false;
0819:
0820: if (requiredState == EMPTY_POLICY_STATE) {
0821:
0822: if (modifyReceiverSettings) {
0823:
0824: mPolicy = dConfiguration.receiverSettings();
0825:
0826: mPolicy.removeAll();
0827:
0828: } else {
0829:
0830: mPolicy = dConfiguration.senderSettings();
0831:
0832: mPolicy.removeAll();
0833:
0834: }
0835:
0836: if (debugON) {
0837:
0838: mPolicy.dumpMessages(true);
0839:
0840: }
0841:
0842: return;
0843:
0844: }
0845:
0846: if (modifyReceiverSettings) {
0847:
0848: mPolicy = dConfiguration.receiverSettings();
0849:
0850: } else {
0851:
0852: mPolicy = dConfiguration.senderSettings();
0853:
0854: senderConfiguration = !senderConfiguration;
0855:
0856: }
0857:
0858: Collection newMPolicy = null;
0859:
0860: WSSPolicy ts = getTimestampPolicy(mPolicy, handler,
0861: senderConfiguration);
0862:
0863: boolean requireTimestampPolicy = false;
0864:
0865: switch (requiredState) {
0866:
0867: case AUTHENTICATE_RECIPIENT_ONLY:
0868:
0869: // Resultant List: (encrypt+)
0870:
0871: newMPolicy = getEncryptPolicies(mPolicy, handler,
0872: senderConfiguration);
0873:
0874: mPolicy.removeAll();
0875:
0876: mPolicy.appendAll(newMPolicy);
0877:
0878: break;
0879:
0880: case AUTHENTICATE_SENDER_TOKEN_ONLY:
0881:
0882: // Resultant List: (authenticate, encrypt?)
0883:
0884: newMPolicy = getUsernamePolicies(mPolicy, handler,
0885: senderConfiguration);
0886:
0887: mPolicy.removeAll();
0888:
0889: mPolicy.appendAll(newMPolicy);
0890:
0891: if (!modifyReceiverSettings && configOptimizeAttribute) {
0892:
0893: optimize = MessageConstants.SECURITY_HEADERS;
0894:
0895: }
0896:
0897: break;
0898:
0899: case AUTHENTICATE_SENDER_SIGNATURE_ONLY:
0900:
0901: // Resultant List: (sign+)
0902:
0903: newMPolicy = getSignPolicies(mPolicy, handler,
0904: senderConfiguration);
0905:
0906: requireTimestampPolicy = !(newMPolicy.isEmpty());
0907:
0908: mPolicy.removeAll();
0909:
0910: mPolicy.appendAll(newMPolicy);
0911:
0912: if (!modifyReceiverSettings && configOptimizeAttribute) {
0913:
0914: optimize = MessageConstants.SIGN_BODY;
0915:
0916: }
0917:
0918: break;
0919:
0920: case AUTHENTICATE_RECIPIENT_AUTHENTICATE_SENDER_TOKEN:
0921:
0922: /* Resultant List: (encrypt+, authenticate, encrypt?) */
0923:
0924: newMPolicy = getEncryptUsernamePolicies(mPolicy, handler,
0925: senderConfiguration);
0926:
0927: mPolicy.removeAll();
0928:
0929: mPolicy.appendAll(newMPolicy);
0930:
0931: break;
0932:
0933: case AUTHENTICATE_SENDER_TOKEN_AUTHENTICATE_RECIPIENT:
0934:
0935: /* Resultant List: (authenticate, encrypt+) */
0936:
0937: newMPolicy = getUsernameEncryptPolicies(mPolicy, handler,
0938: senderConfiguration);
0939:
0940: mPolicy.removeAll();
0941:
0942: mPolicy.appendAll(newMPolicy);
0943:
0944: break;
0945:
0946: case AUTHENTICATE_RECIPIENT_AUTHENTICATE_SENDER_SIGNATURE:
0947:
0948: /* Resultant List: (encrypt+, sign+) */
0949:
0950: newMPolicy = getEncryptPolicies(mPolicy, handler,
0951: senderConfiguration);
0952:
0953: Collection signPolicies = getSignPolicies(mPolicy, handler,
0954: senderConfiguration);
0955:
0956: requireTimestampPolicy = !(signPolicies.isEmpty());
0957:
0958: newMPolicy.addAll(signPolicies);
0959:
0960: mPolicy.removeAll();
0961:
0962: mPolicy.appendAll(newMPolicy);
0963:
0964: break;
0965:
0966: case AUTHENTICATE_SENDER_SIGNATURE_AUTHENTICATE_RECIPIENT:
0967:
0968: /* Resultant List: (sign+, encrypt+) */
0969:
0970: newMPolicy = getSignPolicies(mPolicy, handler,
0971: senderConfiguration);
0972:
0973: requireTimestampPolicy = !(newMPolicy.isEmpty());
0974:
0975: newMPolicy.addAll(getEncryptPolicies(mPolicy, handler,
0976: senderConfiguration));
0977:
0978: mPolicy.removeAll();
0979:
0980: mPolicy.appendAll(newMPolicy);
0981:
0982: if (!modifyReceiverSettings && configOptimizeAttribute) {
0983:
0984: optimize = MessageConstants.SIGN_ENCRYPT_BODY;
0985:
0986: }
0987:
0988: break;
0989:
0990: default:
0991:
0992: break;
0993:
0994: }
0995:
0996: if ((ts != null) && requireTimestampPolicy) {
0997:
0998: mPolicy.prepend(ts);
0999:
1000: }
1001:
1002: if (debugON) {
1003:
1004: mPolicy.dumpMessages(true);
1005:
1006: }
1007:
1008: augmentSignAlias(mPolicy, signAlias);
1009:
1010: augmentEncryptAlias(mPolicy, encryptAlias);
1011:
1012: }
1013:
1014: private String translate2configurationName(String opName,
1015: boolean senderConfiguration) {
1016:
1017: String value = null;
1018:
1019: if (opName == SIGN_POLICY)
1020:
1021: value = senderConfiguration ? "xwss:Sign"
1022: : "xwss:RequireSignature";
1023:
1024: else
1025:
1026: if (opName == ENCRYPT_POLICY)
1027:
1028: value = senderConfiguration ? "xwss:Encrypt"
1029: : "xwss:RequireEncryption";
1030:
1031: else
1032:
1033: if (opName == USERNAMETOKEN_POLICY)
1034:
1035: value = senderConfiguration ? "xwss:UsernameToken"
1036: : "xwss:RequireUsernameToken";
1037:
1038: return value;
1039:
1040: }
1041:
1042: private boolean isEncryptUsernamePolicy(EncryptionPolicy policy,
1043: MessagePolicy mPolicy) {
1044:
1045: EncryptionPolicy.FeatureBinding fb =
1046:
1047: (EncryptionPolicy.FeatureBinding) policy.getFeatureBinding();
1048:
1049: int numTargets = fb.getTargetBindings().size();
1050:
1051: if (numTargets != 1)
1052:
1053: return false;
1054:
1055: Iterator it1 = fb.getTargetBindings().iterator();
1056:
1057: Target target = (Target) it1.next();
1058:
1059: if (target.getType() == Target.TARGET_TYPE_VALUE_URI) {
1060:
1061: //get the URI fragment
1062:
1063: return uriIsUsernameToken(mPolicy, target.getValue());
1064:
1065: } else {
1066:
1067: int idx = target.getValue().indexOf(USERNAMETOKEN);
1068:
1069: if (idx > -1) {
1070:
1071: return true;
1072:
1073: }
1074:
1075: }
1076:
1077: return false;
1078:
1079: }
1080:
1081: private boolean hasEncryptUsernamePolicy(EncryptionPolicy policy,
1082: MessagePolicy mPolicy) {
1083:
1084: EncryptionPolicy.FeatureBinding fb =
1085:
1086: (EncryptionPolicy.FeatureBinding) policy.getFeatureBinding();
1087:
1088: Iterator it = fb.getTargetBindings().iterator();
1089:
1090: while (it.hasNext()) {
1091:
1092: Target target = (Target) it.next();
1093:
1094: if (target.getType() == Target.TARGET_TYPE_VALUE_URI) {
1095:
1096: //get the URI fragment
1097:
1098: return uriIsUsernameToken(mPolicy, target.getValue());
1099:
1100: } else {
1101:
1102: int idx = target.getValue().indexOf(USERNAMETOKEN);
1103:
1104: if (idx > -1) {
1105:
1106: return true;
1107:
1108: }
1109:
1110: }
1111:
1112: }
1113:
1114: return false;
1115:
1116: }
1117:
1118: private boolean uriIsUsernameToken(MessagePolicy mPolicy, String uri) {
1119:
1120: String fragment = uri;
1121:
1122: if (uri.startsWith("#")) {
1123:
1124: fragment = uri.substring(1);
1125:
1126: }
1127:
1128: Iterator it = mPolicy.iterator();
1129:
1130: while (it.hasNext()) {
1131:
1132: WSSPolicy policy = (WSSPolicy) it.next();
1133:
1134: if (PolicyTypeUtil.authenticationTokenPolicy(policy)) {
1135:
1136: MLSPolicy feature = policy.getFeatureBinding();
1137:
1138: if ((feature != null)
1139: && PolicyTypeUtil.usernameTokenPolicy(feature)) {
1140:
1141: AuthenticationTokenPolicy.UsernameTokenBinding fb =
1142:
1143: (AuthenticationTokenPolicy.UsernameTokenBinding) feature;
1144:
1145: if (fragment.equals(fb.getUUID())) {
1146:
1147: return true;
1148:
1149: }
1150:
1151: }
1152:
1153: }
1154:
1155: }
1156:
1157: return false;
1158:
1159: }
1160:
1161: private WSSPolicy getEncryptBodyUsernamePolicy(MessagePolicy mPolicy) {
1162:
1163: WSSPolicy ret = null;
1164:
1165: Iterator it = mPolicy.iterator();
1166:
1167: while (it.hasNext()) {
1168:
1169: WSSPolicy policy = (WSSPolicy) it.next();
1170:
1171: if (PolicyTypeUtil.encryptionPolicy(policy)) {
1172:
1173: EncryptionPolicy.FeatureBinding fb =
1174:
1175: (EncryptionPolicy.FeatureBinding) policy
1176: .getFeatureBinding();
1177:
1178: int numTargets = fb.getTargetBindings().size();
1179:
1180: if (numTargets <= 1) {
1181:
1182: continue;
1183:
1184: }
1185:
1186: if (hasBodyFollowedByUsername((ArrayList) fb
1187: .getTargetBindings())) {
1188:
1189: ret = policy;
1190:
1191: return ret;
1192:
1193: }
1194:
1195: }
1196:
1197: }
1198:
1199: return ret;
1200:
1201: }
1202:
1203: private WSSPolicy getEncryptUsernameBodyPolicy(MessagePolicy mPolicy) {
1204:
1205: WSSPolicy ret = null;
1206:
1207: Iterator it = mPolicy.iterator();
1208:
1209: while (it.hasNext()) {
1210:
1211: WSSPolicy policy = (WSSPolicy) it.next();
1212:
1213: if (PolicyTypeUtil.encryptionPolicy(policy)) {
1214:
1215: EncryptionPolicy.FeatureBinding fb =
1216:
1217: (EncryptionPolicy.FeatureBinding) policy
1218: .getFeatureBinding();
1219:
1220: int numTargets = fb.getTargetBindings().size();
1221:
1222: if (numTargets <= 1) {
1223:
1224: continue;
1225:
1226: }
1227:
1228: if (hasUsernameFollowedByBody((ArrayList) fb
1229: .getTargetBindings())) {
1230:
1231: ret = policy;
1232:
1233: return ret;
1234:
1235: }
1236:
1237: }
1238:
1239: }
1240:
1241: return ret;
1242:
1243: }
1244:
1245: //Assuming single username target
1246:
1247: //TODO: This logic fails if we have more than 2 targets in the ArrayList
1248:
1249: private boolean hasUsernameFollowedByBody(ArrayList targets) {
1250:
1251: Target t = (Target) targets.get(0);
1252:
1253: int idx = t.getValue().indexOf(USERNAMETOKEN);
1254:
1255: if (idx == -1) {
1256:
1257: return false;
1258:
1259: }
1260:
1261: return true;
1262:
1263: }
1264:
1265: //TODO: This logic fails if we have more than 2 targets in the ArrayList
1266:
1267: private boolean hasBodyFollowedByUsername(ArrayList targets) {
1268:
1269: Target t = (Target) targets.get(targets.size() - 1);
1270:
1271: int idx = t.getValue().indexOf(USERNAMETOKEN);
1272:
1273: if (idx == -1) {
1274:
1275: return false;
1276:
1277: }
1278:
1279: return true;
1280:
1281: }
1282:
1283: private void setUsernamePassword(AuthenticationTokenPolicy policy,
1284: CallbackHandler handler) {
1285:
1286: AuthenticationTokenPolicy.UsernameTokenBinding
1287:
1288: up = (AuthenticationTokenPolicy.UsernameTokenBinding) policy
1289: .getFeatureBinding();
1290:
1291: NameCallback nameCallback = new NameCallback("Username: ");
1292:
1293: PasswordCallback pwdCallback = new PasswordCallback(
1294: "Password: ", false);
1295:
1296: try {
1297:
1298: Callback[] cbs = new Callback[] { nameCallback, pwdCallback };
1299:
1300: handler.handle(cbs);
1301:
1302: } catch (Exception e) {
1303:
1304: throw new RuntimeException(e);
1305:
1306: }
1307:
1308: up.setUsername(nameCallback.getName());
1309:
1310: up.setPassword(new String(pwdCallback.getPassword()));
1311:
1312: }
1313:
1314: private Collection getNonBodyUsernameEncryptPolicies(
1315:
1316: MessagePolicy mPolicy, CallbackHandler handler,
1317: boolean senderConfiguration) {
1318:
1319: Collection requiredElements = new ArrayList();
1320:
1321: Iterator it = mPolicy.iterator();
1322:
1323: while (it.hasNext()) {
1324:
1325: WSSPolicy policy = (WSSPolicy) it.next();
1326:
1327: if (PolicyTypeUtil.encryptionPolicy(policy)) {
1328:
1329: if (!hasEncryptBodyPolicy((EncryptionPolicy) policy)
1330: &&
1331:
1332: !hasEncryptUsernamePolicy(
1333: (EncryptionPolicy) policy, mPolicy)) {
1334:
1335: requiredElements.add(policy);
1336:
1337: }
1338:
1339: }
1340:
1341: }
1342:
1343: return requiredElements;
1344:
1345: }
1346:
1347: private boolean hasEncryptBodyPolicy(EncryptionPolicy policy) {
1348:
1349: EncryptionPolicy.FeatureBinding fb =
1350:
1351: (EncryptionPolicy.FeatureBinding) policy.getFeatureBinding();
1352:
1353: Iterator it = fb.getTargetBindings().iterator();
1354:
1355: while (it.hasNext()) {
1356:
1357: Target target = (Target) it.next();
1358:
1359: int idx = target.getValue().indexOf(BODY);
1360:
1361: if (idx > -1) {
1362:
1363: return true;
1364:
1365: }
1366:
1367: }
1368:
1369: return false;
1370:
1371: }
1372:
1373: protected boolean isOptimized(SOAPMessage msg) {
1374:
1375: // System.out.println("ClassName"+(msg.getClass().getName()));
1376:
1377: if (msg
1378: .getClass()
1379: .getName()
1380: .equals(
1381: "com.sun.xml.messaging.saaj.soap.ver1_1.ExpressMessage1_1Impl")
1382: || msg
1383: .getClass()
1384: .getName()
1385: .equals(
1386: "com.sun.xml.messaging.saaj.soap.ver1_2.ExpressMessage1_2Impl")) {
1387:
1388: return true;
1389:
1390: }
1391:
1392: return false;
1393:
1394: }
1395:
1396: private void augmentSignAlias(MessagePolicy mPolicy,
1397: String signAlias) {
1398:
1399: if (signAlias == null) {
1400:
1401: return;
1402:
1403: }
1404:
1405: for (Iterator it = mPolicy.iterator(); it.hasNext();) {
1406:
1407: WSSPolicy sp = (WSSPolicy) it.next();
1408:
1409: SecurityPolicy keyBinding = sp.getKeyBinding();
1410:
1411: if (sp instanceof SignaturePolicy) {
1412:
1413: if ((keyBinding != null)
1414: && (keyBinding instanceof AuthenticationTokenPolicy.X509CertificateBinding)) {
1415:
1416: AuthenticationTokenPolicy.X509CertificateBinding x509KB =
1417:
1418: (AuthenticationTokenPolicy.X509CertificateBinding) keyBinding;
1419:
1420: String certId = x509KB.getCertificateIdentifier();
1421:
1422: if (certId != null) {
1423:
1424: x509KB.setCertificateIdentifier(signAlias);
1425:
1426: }
1427:
1428: }
1429:
1430: }
1431:
1432: }
1433:
1434: }
1435:
1436: private void augmentEncryptAlias(MessagePolicy mPolicy,
1437: String encryptAlias) {
1438:
1439: if (encryptAlias == null) {
1440:
1441: return;
1442:
1443: }
1444:
1445: for (Iterator it = mPolicy.iterator(); it.hasNext();) {
1446:
1447: WSSPolicy sp = (WSSPolicy) it.next();
1448:
1449: SecurityPolicy keyBinding = sp.getKeyBinding();
1450:
1451: if (sp instanceof EncryptionPolicy) {
1452:
1453: if ((keyBinding != null)
1454: && (keyBinding instanceof AuthenticationTokenPolicy.X509CertificateBinding)) {
1455:
1456: AuthenticationTokenPolicy.X509CertificateBinding x509KB =
1457:
1458: (AuthenticationTokenPolicy.X509CertificateBinding) keyBinding;
1459:
1460: String certId = x509KB.getCertificateIdentifier();
1461:
1462: if (certId != null) {
1463:
1464: x509KB.setCertificateIdentifier(encryptAlias);
1465:
1466: }
1467:
1468: }
1469:
1470: }
1471:
1472: }
1473:
1474: }
1475:
1476: }
|