Package com.sun.xml.wss.impl.misc
Class DefaultSecurityEnvironmentImpl
java.lang.Object
com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl
- All Implemented Interfaces:
SecurityEnvironment
-
Field Summary
-
Constructor Summary
ConstructorDescriptionDefaultSecurityEnvironmentImpl
(CallbackHandler cHandler, Properties confAssertions) -
Method Summary
Modifier and TypeMethodDescriptionauthenticateUser
(Map context, String username) Authenticate the user given the username and context.boolean
authenticateUser
(Map context, String username, String password) Authenticate the user against a list of known username-password pairs.boolean
Authenticate the user given the password digest.Perform a Kerberos Login and return a Kerberos Context KerberosContext stores the secretKey, GSSContext, kerberos BST etcdoKerberosLogin
(byte[] tokenValue) Perform a Kerberos Login and return a Kerberos Context KerberosContext stores the secretKey, GSSContext, kerberos BST etcgetAliasPrivKeyCertRequest
(String certIdentifier) getCertificate
(Map context, byte[] keyIdentifier) getCertificate
(Map context, byte[] identifier, String valueType) getCertificate
(Map context, String alias, boolean forSigning) getCertificate
(Map context, BigInteger serialNumber, String issuerName) getCertificate
(Map context, PublicKey publicKey, boolean forSign) getDefaultCertificate
(Map context) Retrieves a reasonable default value for the current user's X509Certificate if one exists.getDefaultPrivateKey
(Map context) getDefaultPrivKeyCertRequest
(Map context) getPassword
(Map context) getPrivateKey
(Map context, byte[] keyIdentifier) getPrivateKey
(Map context, byte[] identifier, String valueType) getPrivateKey
(Map context, String alias) getPrivateKey
(Map context, BigInteger serialNumber, String issuerName) getPrivateKey
(Map context, X509Certificate cert) getPrivateKey
(Map context, PublicKey publicKey, boolean forSign) getPublicKey
(Map context, byte[] keyIdentifier) getPublicKey
(Map context, byte[] identifier, String valueType) getPublicKey
(Map context, BigInteger serialNumber, String issuerName) getSecretKey
(Map context, String alias, boolean encryptMode) static Subject
getSubject
(FilterProcessingContext context) static Subject
getSubject
(Map context) getUsername
(Map context) boolean
locateSAMLAssertion
(Map context, Element binding, String assertionId, Document ownerDoc) Locate and return a SAML Assertion, given the Authority binding and assertionIdstatic WssSoapFaultException
newSOAPFaultException
(QName faultCode, String faultstring, Throwable th) Create and initialize a WssSoapFaultException.populateSAMLPolicy
(Map fpcontext, AuthenticationTokenPolicy.SAMLAssertionBinding policy, DynamicApplicationContext context) Locate and update the Policy argument with the SAML Assertion and/or the AuthorityBinding and Assertion ID information.void
updateOtherPartySubject
(Subject subject, Assertion assertion) Update the public credentials of the subject of the party whose Assertion is given.void
updateOtherPartySubject
(Subject subject, String ek) void
updateOtherPartySubject
(Subject subject, String username, String password) Update the public/private credentials of the subject of the party whose username password pair is given.void
updateOtherPartySubject
(Subject subject, X509Certificate cert) Update the public credentials of the subject of the party whose certificate is given.void
updateOtherPartySubject
(Subject subject, Key secretKey) void
updateOtherPartySubject
(Subject subject, Subject bootStrapSubject) Update the principal/credentials of the requesting party subjectvoid
updateOtherPartySubject
(Subject subject, XMLStreamReader assertion) Update the public credentials of the subject of the party whose Assertion is given.void
updateOtherPartySubject
(Subject subject, GSSName clientCred, GSSCredential gssCred) Update the principal/credentials of the requesting party subjectboolean
validateAndCacheNonce
(Map context, String nonce, String created, long nonceAge) Validate the given nonce.boolean
validateCertificate
(X509Certificate cert, Map context) Validate an X509Certificate.void
validateCreationTime
(Map context, String creationTime, long maxClockSkew, long timestampFreshnessLimit) Validate the creation time.void
validateSAMLAssertion
(Map context, XMLStreamReader assertion) Validate the received SAML Assertion Validations can include validating the Issuer and the Saml User, SAML Version etc.void
validateSAMLAssertion
(Map context, Element assertion) Validate the received SAML Assertion Validations can include validating the Issuer and the Saml User, SAML Version etc.boolean
validateSamlIssuer
(String issuer) boolean
validateSamlUser
(String user, String domain, String format) void
validateTimestamp
(Map context, Timestamp timestamp, long maxClockSkew, long freshnessLimit) Validate the creation time.void
validateTimestamp
(Map context, String created, String expires, long maxClockSkew, long freshnessLimit)
-
Field Details
-
log
logger
-
-
Constructor Details
-
DefaultSecurityEnvironmentImpl
-
DefaultSecurityEnvironmentImpl
-
-
Method Details
-
getDefaultCertificate
Description copied from interface:SecurityEnvironment
Retrieves a reasonable default value for the current user's X509Certificate if one exists.- Specified by:
getDefaultCertificate
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific properties- Returns:
- the default certificate for the current user
- Throws:
XWSSecurityException
-
getDefaultPrivKeyCertRequest
public SignatureKeyCallback.PrivKeyCertRequest getDefaultPrivKeyCertRequest(Map context) throws XWSSecurityException - Throws:
XWSSecurityException
-
getAliasPrivKeyCertRequest
public SignatureKeyCallback.AliasPrivKeyCertRequest getAliasPrivKeyCertRequest(String certIdentifier) throws XWSSecurityException - Throws:
XWSSecurityException
-
getDefaultPrivateKey
- Throws:
XWSSecurityException
-
getSecretKey
public SecretKey getSecretKey(Map context, String alias, boolean encryptMode) throws XWSSecurityException - Specified by:
getSecretKey
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiesalias
- the alias for identifying the SecretKeyencryptMode
- whether this request is for an Encrypt or Decrypt operation- Returns:
- the SecretKey corresponding to the alias
- Throws:
XWSSecurityException
- if there was an error while trying to locate the SecretKey
-
getCertificate
public X509Certificate getCertificate(Map context, String alias, boolean forSigning) throws XWSSecurityException - Specified by:
getCertificate
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiesalias
- the alias for identifying the certificateforSigning
- whether this request is for a Sign operation or Encrypt- Returns:
- the certificate corresponding to the alias
- Throws:
XWSSecurityException
- if there was an error while trying to locate the Cerificate
-
getCertificate
public X509Certificate getCertificate(Map context, PublicKey publicKey, boolean forSign) throws XWSSecurityException - Specified by:
getCertificate
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiespublicKey
- the publicKeyforSign
- set to true if the public key is to be used for SignatureVerification- Returns:
- the X509Certificate corresponding to a PublicKey
- Throws:
XWSSecurityException
- if there was an error while trying to locate the PublicKey
-
getPrivateKey
- Specified by:
getPrivateKey
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiesalias
- the alias for identifying the PrivateKey- Returns:
- the PrivateKey corresponding to the alias
- Throws:
XWSSecurityException
- if there was an error while trying to locate the PrivateKey
-
getPrivateKey
public PrivateKey getPrivateKey(Map context, byte[] identifier, String valueType) throws XWSSecurityException - Specified by:
getPrivateKey
in interfaceSecurityEnvironment
- Throws:
XWSSecurityException
-
getPrivateKey
- Specified by:
getPrivateKey
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertieskeyIdentifier
- an Opaque identifier indicating the X509 certificate.- Returns:
- the PrivateKey corresponding to a KeyIdentifier
- Throws:
XWSSecurityException
- if there was an error while trying to locate the PrivateKey
-
getPrivateKey
public PrivateKey getPrivateKey(Map context, BigInteger serialNumber, String issuerName) throws XWSSecurityException - Specified by:
getPrivateKey
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiesserialNumber
- the serialNumber of the certificateissuerName
- the issuerName of the certificate- Returns:
- the PrivateKey corresponding to (serialNumber, issuerName)
- Throws:
XWSSecurityException
- if there was an error while trying to locate the PrivateKey
-
getPublicKey
public PublicKey getPublicKey(Map context, byte[] identifier, String valueType) throws XWSSecurityException - Specified by:
getPublicKey
in interfaceSecurityEnvironment
- Throws:
XWSSecurityException
-
getPublicKey
- Specified by:
getPublicKey
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertieskeyIdentifier
- an Opaque identifier indicating the X509 certificate.- Returns:
- the PublicKey corresponding to a KeyIdentifier
- Throws:
XWSSecurityException
- if there was an error while trying to locate the PublicKey
-
getCertificate
public X509Certificate getCertificate(Map context, byte[] identifier, String valueType) throws XWSSecurityException - Specified by:
getCertificate
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiesidentifier
- an Opaque identifier indicating the X509 certificate.- Returns:
- the X509Certificate corresponding to a KeyIdentifier
- Throws:
XWSSecurityException
- if there was an error while trying to locate the X509Certificate
-
getCertificate
public X509Certificate getCertificate(Map context, byte[] keyIdentifier) throws XWSSecurityException - Specified by:
getCertificate
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertieskeyIdentifier
- an Opaque identifier indicating the X509 certificate.- Returns:
- the X509Certificate corresponding to a KeyIdentifier
- Throws:
XWSSecurityException
- if there was an error while trying to locate the X509Certificate
-
getPublicKey
public PublicKey getPublicKey(Map context, BigInteger serialNumber, String issuerName) throws XWSSecurityException - Specified by:
getPublicKey
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiesserialNumber
- the serialNumber of the certificateissuerName
- the issuerName of the certificate- Returns:
- the PublicKey corresponding to (serialNumber, issuerName)
- Throws:
XWSSecurityException
- if there was an error while trying to locate the PublicKey
-
getCertificate
public X509Certificate getCertificate(Map context, BigInteger serialNumber, String issuerName) throws XWSSecurityException - Specified by:
getCertificate
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiesserialNumber
- the serialNumber of the certificateissuerName
- the issuerName of the certificate- Returns:
- the X509Certificate corresponding to (serialNumber, issuerName)
- Throws:
XWSSecurityException
- if there was an error while trying to locate the X509Certificate
-
validateCertificate
Description copied from interface:SecurityEnvironment
Validate an X509Certificate.- Specified by:
validateCertificate
in interfaceSecurityEnvironment
- Parameters:
cert
- the X509Certificate to be validatedcontext
- Map of application and integration-layer specific properties- Returns:
- true, if the cert is a valid one, false otherwise.
- Throws:
XWSSecurityException
- if there is some problem during validation. public boolean validateCertificate(X509Certificate cert) throws XWSSecurityException; / /** Validate an X509Certificate.
-
updateOtherPartySubject
Description copied from interface:SecurityEnvironment
Update the public/private credentials of the subject of the party whose username password pair is given.- Specified by:
updateOtherPartySubject
in interfaceSecurityEnvironment
- Parameters:
subject
- the Subject of the requesting partyusername
- the username of the requesting partypassword
- the password of the requesting party
-
updateOtherPartySubject
Description copied from interface:SecurityEnvironment
Update the public credentials of the subject of the party whose certificate is given.- Specified by:
updateOtherPartySubject
in interfaceSecurityEnvironment
- Parameters:
subject
- the Subject of the requesting partycert
- the X509Certificate of the requesting party
-
updateOtherPartySubject
Description copied from interface:SecurityEnvironment
Update the public credentials of the subject of the party whose Assertion is given.- Specified by:
updateOtherPartySubject
in interfaceSecurityEnvironment
- Parameters:
subject
- the Subject of the requesting partyassertion
- the SAML Assertion of the requesting party
-
updateOtherPartySubject
-
updateOtherPartySubject
-
getSubject
-
getSubject
-
getPrivateKey
- Specified by:
getPrivateKey
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiescert
- the X509Certificate- Returns:
- the PrivateKey corresponding to the X509Certificate
- Throws:
XWSSecurityException
- if there was an error while trying to locate the PrivateKey
-
getPrivateKey
public PrivateKey getPrivateKey(Map context, PublicKey publicKey, boolean forSign) throws XWSSecurityException - Specified by:
getPrivateKey
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiespublicKey
- the publicKeyforSign
- set to true if the purpose is Signature- Returns:
- the PrivateKey corresponding to a PublicKey
- Throws:
XWSSecurityException
- if there was an error while trying to locate the PrivateKey
-
getSubject
- Specified by:
getSubject
in interfaceSecurityEnvironment
- Returns:
- the host/sender Subject, null if subject is not available/initialized
-
authenticateUser
public boolean authenticateUser(Map context, String username, String passwordDigest, String nonce, String created) throws XWSSecurityException Description copied from interface:SecurityEnvironment
Authenticate the user given the password digest.- Specified by:
authenticateUser
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiesusername
- the usernamepasswordDigest
- the digested passwordnonce
- the nonce which was part of the digestcreated
- the creation time which was part of the digest- Returns:
- true if the password digest is valid, false otherwise
- Throws:
XWSSecurityException
- if there was an error while trying to authenticate the username
-
authenticateUser
public boolean authenticateUser(Map context, String username, String password) throws XWSSecurityException Description copied from interface:SecurityEnvironment
Authenticate the user against a list of known username-password pairs.- Specified by:
authenticateUser
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiesusername
- the usernamepassword
- the password- Returns:
- true if the username-password pair is valid, false otherwise
- Throws:
XWSSecurityException
- if there was an error while trying to authenticate the username
-
authenticateUser
Description copied from interface:SecurityEnvironment
Authenticate the user given the username and context.- Specified by:
authenticateUser
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiesusername
- the username- Returns:
- password if the username is valid
- Throws:
XWSSecurityException
- if there was an error while trying to authenticate the username
-
validateCreationTime
public void validateCreationTime(Map context, String creationTime, long maxClockSkew, long timestampFreshnessLimit) throws XWSSecurityException Description copied from interface:SecurityEnvironment
Validate the creation time. It is an error if the creation time is older than current local time minus TIMESTAMP_FRESHNESS_LIMIT minus MAX_CLOCK_SKEW- Specified by:
validateCreationTime
in interfaceSecurityEnvironment
- Parameters:
creationTime
-context
- a Map of application and integration-layer specific propertiesmaxClockSkew
- (in milliseconds) the maximum clockskewtimestampFreshnessLimit
- (in milliseconds) the limit for which timestamps are considered fresh- Throws:
XWSSecurityException
-
validateSamlIssuer
-
validateSamlUser
-
getUsername
- Specified by:
getUsername
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific properties- Returns:
- the username using UsernameCallback
- Throws:
XWSSecurityException
- if there was an error while trying obtain the username
-
getPassword
- Specified by:
getPassword
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific properties- Returns:
- the password using PasswordCallback
- Throws:
XWSSecurityException
- if there was an error while trying obtain the password
-
validateTimestamp
public void validateTimestamp(Map context, Timestamp timestamp, long maxClockSkew, long freshnessLimit) throws XWSSecurityException Description copied from interface:SecurityEnvironment
Validate the creation time. It is an error if the creation time is older than current local time minus TIMESTAMP_FRESHNESS_LIMIT minus MAX_CLOCK_SKEW- Specified by:
validateTimestamp
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiestimestamp
- the Timestamp elementmaxClockSkew
- (in milliseconds) the maximum clockskewfreshnessLimit
- (in milliseconds) the limit for which timestamps are considered fresh- Throws:
XWSSecurityException
- if there was an error while trying validate the Timestamp
-
validateTimestamp
public void validateTimestamp(Map context, String created, String expires, long maxClockSkew, long freshnessLimit) throws XWSSecurityException - Specified by:
validateTimestamp
in interfaceSecurityEnvironment
- Throws:
XWSSecurityException
-
newSOAPFaultException
public static WssSoapFaultException newSOAPFaultException(QName faultCode, String faultstring, Throwable th) Create and initialize a WssSoapFaultException. This method is used in conjunction with generateClientFault. -
validateSAMLAssertion
Description copied from interface:SecurityEnvironment
Validate the received SAML Assertion Validations can include validating the Issuer and the Saml User, SAML Version etc. Note: The SAML Condition (notBefore, notOnOrAfter) is validated by the XWS runtime- Specified by:
validateSAMLAssertion
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiesassertion
- the Assertion to be validated- Throws:
XWSSecurityException
- if there was an error while validating the SAML Assertion
-
locateSAMLAssertion
public Element locateSAMLAssertion(Map context, Element binding, String assertionId, Document ownerDoc) throws XWSSecurityException Description copied from interface:SecurityEnvironment
Locate and return a SAML Assertion, given the Authority binding and assertionId- Specified by:
locateSAMLAssertion
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiesbinding
- an org.w3c.dom.Element representing the SAML AuthorityBindingassertionId
- the Assertion ID of the SAML AssertionownerDoc
- the owner document into which the returned SAML Assertion should be imported to- Throws:
XWSSecurityException
- if there was an error while trying to locate the SAML Assertion
-
populateSAMLPolicy
public AuthenticationTokenPolicy.SAMLAssertionBinding populateSAMLPolicy(Map fpcontext, AuthenticationTokenPolicy.SAMLAssertionBinding policy, DynamicApplicationContext context) throws XWSSecurityException Description copied from interface:SecurityEnvironment
Locate and update the Policy argument with the SAML Assertion and/or the AuthorityBinding and Assertion ID information. The DynamicApplicationContext may contain information to be used by the implementation to make its runtime decisions on how to obtaim the SAML Assertion- Specified by:
populateSAMLPolicy
in interfaceSecurityEnvironment
- Parameters:
fpcontext
- a Map of application and integration-layer specific propertiespolicy
- the SAML Assertion Policy to be populatedcontext
- the DynamicApplicationContext- Returns:
- populated SAML Assertion policy
- Throws:
XWSSecurityException
- if there was an error while trying to populate the SAML Assertion Policy
-
getCallbackHandler
- Specified by:
getCallbackHandler
in interfaceSecurityEnvironment
- Returns:
- any Callback Handler associated with this Environment, null otherwise
-
validateSAMLAssertion
public void validateSAMLAssertion(Map context, XMLStreamReader assertion) throws XWSSecurityException Description copied from interface:SecurityEnvironment
Validate the received SAML Assertion Validations can include validating the Issuer and the Saml User, SAML Version etc. Note: The SAML Condition (notBefore, notOnOrAfter) is validated by the XWS runtime In case HOK SAML Assertion the enveloped signature is removed from this SAML Assertion and verified. (i,e one will not find Signature element under this SAMLAssertion)- Specified by:
validateSAMLAssertion
in interfaceSecurityEnvironment
- Parameters:
context
- a Map of application and integration-layer specific propertiesassertion
- the Assertion to be validated- Throws:
XWSSecurityException
- if there was an error while validating the SAML Assertion
-
updateOtherPartySubject
Description copied from interface:SecurityEnvironment
Update the public credentials of the subject of the party whose Assertion is given.- Specified by:
updateOtherPartySubject
in interfaceSecurityEnvironment
- Parameters:
subject
- the Subject of the requesting partyassertion
- the SAML Assertion of the requesting party
-
isSelfCertificate
- Specified by:
isSelfCertificate
in interfaceSecurityEnvironment
- Returns:
- true if the certificate is a self certificate, false otherwise
-
updateOtherPartySubject
Description copied from interface:SecurityEnvironment
Update the principal/credentials of the requesting party subject- Specified by:
updateOtherPartySubject
in interfaceSecurityEnvironment
- Parameters:
subject
- the Subject of the requesting partybootStrapSubject
- the bootstrap Credentials (during a SecureConversation Bootstrap) of the requesting party
-
doKerberosLogin
Description copied from interface:SecurityEnvironment
Perform a Kerberos Login and return a Kerberos Context KerberosContext stores the secretKey, GSSContext, kerberos BST etc- Specified by:
doKerberosLogin
in interfaceSecurityEnvironment
- Throws:
XWSSecurityException
-
doKerberosLogin
Description copied from interface:SecurityEnvironment
Perform a Kerberos Login and return a Kerberos Context KerberosContext stores the secretKey, GSSContext, kerberos BST etc- Specified by:
doKerberosLogin
in interfaceSecurityEnvironment
- Throws:
XWSSecurityException
-
updateOtherPartySubject
Description copied from interface:SecurityEnvironment
Update the principal/credentials of the requesting party subject- Specified by:
updateOtherPartySubject
in interfaceSecurityEnvironment
- Parameters:
subject
- the Subject of the requesting partyclientCred
- the GSSName of the requesting party
-
validateAndCacheNonce
public boolean validateAndCacheNonce(Map context, String nonce, String created, long nonceAge) throws XWSSecurityException Description copied from interface:SecurityEnvironment
Validate the given nonce. It is an error if the nonce matches any stored nonce values on the server if there is no error then the nonce is Cached.- Specified by:
validateAndCacheNonce
in interfaceSecurityEnvironment
- Parameters:
context
- a context containing runtime propertiesnonce
- the encoded nonce valuecreated
- the creation time valuenonceAge
- the time in milliseconds for which this nonce will be stored on the receiver.- Returns:
- true if this nonce is valid
- Throws:
XWSSecurityException
- if there was an error while trying to validate the Nonce
-