Class WSITProviderSecurityEnvironment

    • Field Detail

      • TIMESTAMP_FRESHNESS_LIMIT

        protected final long TIMESTAMP_FRESHNESS_LIMIT
        See Also:
        Constant Field Values
      • log

        protected static final Logger log
        logger
      • maxClockSkewG

        protected long maxClockSkewG
      • timestampFreshnessLimitG

        protected long timestampFreshnessLimitG
      • maxNonceAge

        protected long maxNonceAge
      • revocationEnabledAttr

        protected String revocationEnabledAttr
      • revocationEnabled

        protected boolean revocationEnabled
    • Constructor Detail

      • WSITProviderSecurityEnvironment

        public WSITProviderSecurityEnvironment​(CallbackHandler handler,
                                               Map options,
                                               Properties configAssertions)
                                        throws com.sun.xml.wss.XWSSecurityException
        Creates a new instance of WSITProviderSecurityEnvironment
        Throws:
        com.sun.xml.wss.XWSSecurityException
    • Method Detail

      • getPrivateKey

        public PrivateKey getPrivateKey​(Map context,
                                        String alias)
                                 throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getPrivateKey in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        alias - the alias for identifying the PrivateKey
        Returns:
        the PrivateKey corresponding to the alias
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to locate the PrivateKey
      • getPrivateKey

        public PrivateKey getPrivateKey​(Map context,
                                        byte[] keyIdentifier)
                                 throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getPrivateKey in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
keyIdentifier - an opaque identifier indicating the X509 certificate
        Returns:
        the PrivateKey corresponding to a KeyIdentifier
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to locate the PrivateKey
      • getPrivateKey

        public PrivateKey getPrivateKey​(Map context,
                                        X509Certificate cert)
                                 throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getPrivateKey in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        cert - the X509Certificate
        Returns:
        the PrivateKey corresponding to the X509Certificate
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to locate the PrivateKey
      • getPrivateKey

        public PrivateKey getPrivateKey​(Map context,
                                        BigInteger serialNumber,
                                        String issuerName)
                                 throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getPrivateKey in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        serialNumber - the serialNumber of the certificate
        issuerName - the issuerName of the certificate
        Returns:
        the PrivateKey corresponding to (serialNumber, issuerName)
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to locate the PrivateKey
      • getDefaultCertificate

        public X509Certificate getDefaultCertificate​(Map context)
                                              throws com.sun.xml.wss.XWSSecurityException
        Retrieves a reasonable default value for the current user's X509Certificate if one exists.
        Specified by:
        getDefaultCertificate in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        Returns:
        the default certificate for the current user
        Throws:
        com.sun.xml.wss.XWSSecurityException
      • authenticateUser

        public boolean authenticateUser​(Map context,
                                        String username,
                                        String password)
                                 throws com.sun.xml.wss.XWSSecurityException
        Authenticate the user against a list of known username-password pairs.
        Specified by:
        authenticateUser in interface SecurityEnvironment
        Parameters:
username - the username to authenticate
password - the password to check against the known username-password pairs
        context - a Map of application and integration-layer specific properties
        Returns:
        true if the username-password pair is valid
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to authenticate the username
      • authenticateUser

        public String authenticateUser​(Map context,
                                       String username)
                                throws com.sun.xml.wss.XWSSecurityException
        Authenticate the user against a list of known usernames
        Specified by:
        authenticateUser in interface SecurityEnvironment
        Parameters:
username - the username to look up
        context - a Map of application and integration-layer specific properties
        Returns:
        password if the username is valid
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to authenticate the username
      • authenticateUser

        public boolean authenticateUser​(Map context,
                                        String username,
                                        String passwordDigest,
                                        String nonce,
                                        String created)
                                 throws com.sun.xml.wss.XWSSecurityException
        Authenticate the user given the password digest.
        Specified by:
        authenticateUser in interface SecurityEnvironment
        Parameters:
username - the username to authenticate
passwordDigest - the password digest to verify
nonce - the nonce used when computing the digest
created - the creation time used when computing the digest
        context - a Map of application and integration-layer specific properties
        Returns:
        true if the password digest is valid
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to authenticate the username
      • validateCertificate

        public boolean validateCertificate​(X509Certificate cert,
                                           Map context)
                                    throws com.sun.xml.wss.XWSSecurityException
        Validate an X509Certificate.
        Specified by:
        validateCertificate in interface SecurityEnvironment
        Parameters:
        cert - the X509Certificate to be validated
        context - Map of application and integration-layer specific properties
        Returns:
true if the certificate is valid, false otherwise
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there is some problem during validation.
      • getMatchingCertificate

        public X509Certificate getMatchingCertificate​(Map context,
                                                      byte[] keyIdMatch)
                                               throws com.sun.xml.wss.XWSSecurityException
        Parameters:
        keyIdMatch - KeyIdentifier to search for
        Returns:
        the matching Certificate
        Throws:
        com.sun.xml.wss.XWSSecurityException
      • getMatchingCertificate

        public X509Certificate getMatchingCertificate​(Map context,
                                                      BigInteger serialNumber,
                                                      String issuerName)
                                               throws com.sun.xml.wss.XWSSecurityException
        Throws:
        com.sun.xml.wss.XWSSecurityException
      • getMatchingCertificate

        public X509Certificate getMatchingCertificate​(Map context,
                                                      byte[] keyIdMatch,
                                                      String valueType)
                                               throws com.sun.xml.wss.XWSSecurityException
        Parameters:
        keyIdMatch - KeyIdentifier to search for
        Returns:
        the matching Certificate
        Throws:
        com.sun.xml.wss.XWSSecurityException
      • getSecretKey

        public SecretKey getSecretKey​(Map context,
                                      String alias,
                                      boolean encryptMode)
                               throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getSecretKey in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        alias - the alias for identifying the SecretKey
        encryptMode - whether this request is for an Encrypt or Decrypt operation
        Returns:
        the SecretKey corresponding to the alias
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to locate the SecretKey
      • getCertificate

        public X509Certificate getCertificate​(Map context,
                                              String alias,
                                              boolean forSigning)
                                       throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getCertificate in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        alias - the alias for identifying the certificate
forSigning - whether this request is for a Sign operation rather than an Encrypt operation
        Returns:
        the certificate corresponding to the alias
        Throws:
com.sun.xml.wss.XWSSecurityException - if there was an error while trying to locate the Certificate
      • updateOtherPartySubject

        public void updateOtherPartySubject​(Subject subject,
                                            String username,
                                            String password)
        Description copied from interface: SecurityEnvironment
        Update the public/private credentials of the subject of the party whose username password pair is given.
        Specified by:
        updateOtherPartySubject in interface SecurityEnvironment
        Parameters:
        subject - the Subject of the requesting party
        username - the username of the requesting party
        password - the password of the requesting party
      • updateOtherPartySubject

        public void updateOtherPartySubject​(Subject subject,
                                            X509Certificate cert)
        Description copied from interface: SecurityEnvironment
        Update the public credentials of the subject of the party whose certificate is given.
        Specified by:
        updateOtherPartySubject in interface SecurityEnvironment
        Parameters:
        subject - the Subject of the requesting party
        cert - the X509Certificate of the requesting party
      • updateOtherPartySubject

        public void updateOtherPartySubject​(Subject subject,
                                            Assertion assertion)
        Description copied from interface: SecurityEnvironment
        Update the public credentials of the subject of the party whose Assertion is given.
        Specified by:
        updateOtherPartySubject in interface SecurityEnvironment
        Parameters:
        subject - the Subject of the requesting party
        assertion - the SAML Assertion of the requesting party
      • getPublicKey

        public PublicKey getPublicKey​(Map context,
                                      BigInteger serialNumber,
                                      String issuerName)
                               throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getPublicKey in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        serialNumber - the serialNumber of the certificate
        issuerName - the issuerName of the certificate
        Returns:
        the PublicKey corresponding to (serialNumber, issuerName)
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to locate the PublicKey
      • getPublicKey

        public PublicKey getPublicKey​(String keyIdentifier)
                               throws com.sun.xml.wss.XWSSecurityException
        Throws:
        com.sun.xml.wss.XWSSecurityException
      • getPublicKey

        public PublicKey getPublicKey​(Map context,
                                      byte[] keyIdentifier)
                               throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getPublicKey in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
keyIdentifier - an opaque identifier indicating the X509 certificate
        Returns:
        the PublicKey corresponding to a KeyIdentifier
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to locate the PublicKey
      • getPublicKey

        public PublicKey getPublicKey​(Map context,
                                      byte[] identifier,
                                      String valueType)
                               throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getPublicKey in interface SecurityEnvironment
        Throws:
        com.sun.xml.wss.XWSSecurityException
      • getCertificate

        public X509Certificate getCertificate​(Map context,
                                              BigInteger serialNumber,
                                              String issuerName)
                                       throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getCertificate in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        serialNumber - the serialNumber of the certificate
        issuerName - the issuerName of the certificate
        Returns:
        the X509Certificate corresponding to (serialNumber, issuerName)
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to locate the X509Certificate
      • getCertificate

        public X509Certificate getCertificate​(String keyIdentifier)
                                       throws com.sun.xml.wss.XWSSecurityException
        Throws:
        com.sun.xml.wss.XWSSecurityException
      • getPrivateKey

        public PrivateKey getPrivateKey​(Map context,
                                        PublicKey publicKey,
                                        boolean forSign)
        Specified by:
        getPrivateKey in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        publicKey - the publicKey
        forSign - set to true if the purpose is Signature
        Returns:
        the PrivateKey corresponding to a PublicKey
      • getCertificate

        public X509Certificate getCertificate​(Map context,
                                              byte[] ski)
        Specified by:
        getCertificate in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
ski - an opaque identifier indicating the X509 certificate
        Returns:
        the X509Certificate corresponding to a KeyIdentifier
      • getCertificate

        public X509Certificate getCertificate​(Map context,
                                              PublicKey publicKey,
                                              boolean forSign)
                                       throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getCertificate in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        publicKey - the publicKey
forSign - set to true if the public key is to be used for signature verification
        Returns:
        the X509Certificate corresponding to a PublicKey
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to locate the PublicKey
      • getCertificate

        public X509Certificate getCertificate​(Map context,
                                              byte[] identifier,
                                              String valueType)
                                       throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getCertificate in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
identifier - an opaque identifier indicating the X509 certificate
        Returns:
        the X509Certificate corresponding to a KeyIdentifier
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to locate the X509Certificate
      • validateSamlIssuer

        public boolean validateSamlIssuer​(String issuer)
      • validateSamlUser

        public boolean validateSamlUser​(String user,
                                        String domain,
                                        String format)
      • setSubject

        public void setSubject​(Subject subject,
                               Map context)
      • setRequesterSubject

        public void setRequesterSubject​(Subject subject,
                                        Map context)
      • getSubject

        public Subject getSubject()
        Specified by:
        getSubject in interface SecurityEnvironment
        Returns:
        the host/sender Subject, null if subject is not available/initialized
      • getSubject

        public Subject getSubject​(Map context)
      • getRequesterSubject

        public Subject getRequesterSubject​(Map context)
      • getUsername

        public String getUsername​(Map context)
                           throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getUsername in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        Returns:
        the username using UsernameCallback
        Throws:
com.sun.xml.wss.XWSSecurityException - if there was an error while trying to obtain the username
      • getPassword

        public String getPassword​(Map context)
                           throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getPassword in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        Returns:
        the password using PasswordCallback
        Throws:
com.sun.xml.wss.XWSSecurityException - if there was an error while trying to obtain the password
      • validateAndCacheNonce

        public boolean validateAndCacheNonce​(Map context,
                                             String nonce,
                                             String created,
                                             long nonceAge)
                                      throws com.sun.xml.wss.XWSSecurityException
        Description copied from interface: SecurityEnvironment
Validate the given nonce. It is an error if the nonce matches any nonce value stored on the server; if there is no error, the nonce is cached.
        Specified by:
        validateAndCacheNonce in interface SecurityEnvironment
        Parameters:
        context - a context containing runtime properties
        nonce - the encoded nonce value
        created - the creation time value
        nonceAge - the time in milliseconds for which this nonce will be stored on the receiver.
        Returns:
        true if this nonce is valid
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to validate the Nonce
      • validateTimestamp

        public void validateTimestamp​(Map context,
                                      String created,
                                      String expires,
                                      long maxClockSkew,
                                      long freshnessLimit)
                               throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        validateTimestamp in interface SecurityEnvironment
        Throws:
        com.sun.xml.wss.XWSSecurityException
      • validateTimestamp

        public void validateTimestamp​(Map context,
                                      Timestamp timestamp,
                                      long maxClockSkew,
                                      long freshnessLimit)
                               throws com.sun.xml.wss.XWSSecurityException
        Description copied from interface: SecurityEnvironment
Validate the creation time. It is an error if the creation time is older than the current local time minus TIMESTAMP_FRESHNESS_LIMIT minus MAX_CLOCK_SKEW.
        Specified by:
        validateTimestamp in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        timestamp - the Timestamp element
maxClockSkew - (in milliseconds) the maximum clock skew
        freshnessLimit - (in milliseconds) the limit for which timestamps are considered fresh
        Throws:
com.sun.xml.wss.XWSSecurityException - if there was an error while trying to validate the Timestamp
      • validateCreationTime

        public void validateCreationTime​(Map context,
                                         String creationTime,
                                         long maxClockSkew,
                                         long timestampFreshnessLimit)
                                  throws com.sun.xml.wss.XWSSecurityException
        Description copied from interface: SecurityEnvironment
Validate the creation time. It is an error if the creation time is older than the current local time minus TIMESTAMP_FRESHNESS_LIMIT minus MAX_CLOCK_SKEW.
        Specified by:
        validateCreationTime in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        creationTime - the creation-time value
maxClockSkew - (in milliseconds) the maximum clock skew
        timestampFreshnessLimit - (in milliseconds) the limit for which timestamps are considered fresh
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to validate the creationTime
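As an added illustration (not Metro/WSIT code), the following Python models the checks described for three of the methods above: the password digest that the digest form of authenticateUser verifies, the receiver-side nonce cache of validateAndCacheNonce, and the freshness window of validateCreationTime. Assumed: the digest is Base64(SHA-1(nonce + created + password)) as in the WS-Security UsernameToken Profile, wsu:Created values are ISO 8601 UTC strings, the rejection of future-dated creation times is an extra check not stated on the page, and the credential store and clock are constructed sample data.

```python
"""Model of the UsernameToken digest, nonce-cache and creation-time checks
described for authenticateUser, validateAndCacheNonce and validateCreationTime.
Added example; not the WSITProviderSecurityEnvironment implementation."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone


class XWSSecurityError(Exception):
    """Stand-in for com.sun.xml.wss.XWSSecurityException."""


def parse_created(created):
    """Parse a wsu:Created value such as '2024-05-01T12:00:00Z' (assumed UTC)."""
    if created.endswith("Z"):
        created = created[:-1] + "+00:00"
    return datetime.fromisoformat(created)


def password_digest(nonce_b64, created, password):
    """WSS UsernameToken Profile: Base64(SHA-1(nonce || created || password)),
    where the nonce contributes its raw (Base64-decoded) bytes."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def validate_creation_time(created, max_clock_skew_ms, freshness_limit_ms, now=None):
    """Error if created is older than now - freshnessLimit - maxClockSkew."""
    now = now or datetime.now(timezone.utc)
    created_at = parse_created(created)
    oldest_ok = now - timedelta(milliseconds=freshness_limit_ms + max_clock_skew_ms)
    if created_at < oldest_ok:
        raise XWSSecurityError("creation time is too old: " + created)
    # Extra check beyond the page's description (assumption): a creation time
    # further in the future than the permitted clock skew cannot be genuine.
    if created_at > now + timedelta(milliseconds=max_clock_skew_ms):
        raise XWSSecurityError("creation time is in the future: " + created)


class NonceCache:
    """Receiver-side store: a nonce seen again within nonceAge is a replay."""

    def __init__(self):
        self._seen = {}  # nonce -> time it was first accepted

    def validate_and_cache(self, nonce, nonce_age_ms, now=None):
        now = now or datetime.now(timezone.utc)
        max_age = timedelta(milliseconds=nonce_age_ms)
        # Evict nonces older than nonceAge; the freshness window makes any
        # message carrying them unacceptable anyway, so they need not be kept.
        for old in [n for n, t in self._seen.items() if now - t > max_age]:
            del self._seen[old]
        if nonce in self._seen:
            raise XWSSecurityError("nonce has already been used (replay)")
        self._seen[nonce] = now
        return True


def authenticate_user(store, cache, username, digest, nonce, created,
                      max_clock_skew_ms=60_000, freshness_limit_ms=300_000,
                      nonce_age_ms=900_000, now=None):
    """Digest-mode authentication: freshness, then replay, then digest match."""
    validate_creation_time(created, max_clock_skew_ms, freshness_limit_ms, now)
    cache.validate_and_cache(nonce, nonce_age_ms, now)
    password = store.get(username)
    if password is None:
        return False
    expected = password_digest(nonce, created, password)
    # Constant-time comparison so a mismatch leaks no timing signal.
    return hmac.compare_digest(expected, digest)


SAMPLE_STORE = {"alice": "correct horse battery staple"}          # constructed
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed


def run_demo():
    """Exercise the checks on constructed tokens and return the outcomes."""
    cache = NonceCache()
    nonce = base64.b64encode(bytes(range(1, 9))).decode()
    created = "2024-05-01T11:59:30Z"      # 30 s before SAMPLE_NOW: fresh
    good = password_digest(nonce, created, SAMPLE_STORE["alice"])
    out = {"fresh_ok": authenticate_user(SAMPLE_STORE, cache, "alice", good,
                                         nonce, created, now=SAMPLE_NOW)}
    try:  # the same token presented again: nonce is cached, so a replay
        authenticate_user(SAMPLE_STORE, cache, "alice", good, nonce, created,
                          now=SAMPLE_NOW)
        out["replay_rejected"] = False
    except XWSSecurityError:
        out["replay_rejected"] = True
    stale = "2024-05-01T11:50:00Z"        # 10 min old: beyond 5 min + 1 min skew
    try:
        authenticate_user(SAMPLE_STORE, cache, "alice",
                          password_digest("AAECAw==", stale, SAMPLE_STORE["alice"]),
                          "AAECAw==", stale, now=SAMPLE_NOW)
        out["stale_rejected"] = False
    except XWSSecurityError:
        out["stale_rejected"] = True
    wrong = password_digest("AAECAw==", created, "guess")
    out["wrong_password"] = authenticate_user(SAMPLE_STORE, cache, "alice", wrong,
                                              "AAECAw==", created, now=SAMPLE_NOW)
    return out
```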
      • getCallbackHandler

        public CallbackHandler getCallbackHandler()
                                           throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getCallbackHandler in interface SecurityEnvironment
        Returns:
        any Callback Handler associated with this Environment, null otherwise
        Throws:
com.sun.xml.wss.XWSSecurityException - if there was an error while trying to retrieve the CallbackHandler
      • validateSAMLAssertion

        public void validateSAMLAssertion​(Map context,
                                          Element assertion)
                                   throws com.sun.xml.wss.XWSSecurityException
        Description copied from interface: SecurityEnvironment
Validate the received SAML Assertion. Validations can include checking the Issuer, the SAML user, the SAML version, etc. Note: the SAML Conditions (notBefore, notOnOrAfter) are validated by the XWS runtime.
        Specified by:
        validateSAMLAssertion in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        assertion - the Assertion to be validated
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while validating the SAML Assertion
      • locateSAMLAssertion

        public Element locateSAMLAssertion​(Map context,
                                           Element binding,
                                           String assertionId,
                                           Document ownerDoc)
                                    throws com.sun.xml.wss.XWSSecurityException
        Description copied from interface: SecurityEnvironment
Locate and return a SAML Assertion, given the Authority binding and assertionId.
        Specified by:
        locateSAMLAssertion in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        binding - an org.w3c.dom.Element representing the SAML AuthorityBinding
        assertionId - the Assertion ID of the SAML Assertion
        ownerDoc - the owner document into which the returned SAML Assertion should be imported to
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to locate the SAML Assertion
      • populateSAMLPolicy

        public AuthenticationTokenPolicy.SAMLAssertionBinding populateSAMLPolicy​(Map fpcontext,
                                                                                 AuthenticationTokenPolicy.SAMLAssertionBinding samlBinding,
                                                                                 DynamicApplicationContext context)
                                                                          throws com.sun.xml.wss.XWSSecurityException
        Description copied from interface: SecurityEnvironment
Locate and update the Policy argument with the SAML Assertion and/or the AuthorityBinding and Assertion ID information. The DynamicApplicationContext may contain information to be used by the implementation to make its runtime decisions on how to obtain the SAML Assertion.
        Specified by:
        populateSAMLPolicy in interface SecurityEnvironment
        Parameters:
        fpcontext - a Map of application and integration-layer specific properties
        samlBinding - the SAML Assertion Policy to be populated
        context - the DynamicApplicationContext
        Returns:
        populated SAML Assertion policy
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while trying to populate the SAML Assertion Policy
      • getPrivateKey

        public PrivateKey getPrivateKey​(Map context,
                                        byte[] keyIdentifier,
                                        String valueType)
                                 throws com.sun.xml.wss.XWSSecurityException
        Specified by:
        getPrivateKey in interface SecurityEnvironment
        Throws:
        com.sun.xml.wss.XWSSecurityException
      • validateSAMLAssertion

        public void validateSAMLAssertion​(Map context,
                                          XMLStreamReader assertion)
                                   throws com.sun.xml.wss.XWSSecurityException
        Description copied from interface: SecurityEnvironment
Validate the received SAML Assertion. Validations can include checking the Issuer, the SAML user, the SAML version, etc. Note: the SAML Conditions (notBefore, notOnOrAfter) are validated by the XWS runtime. In the case of a Holder-of-Key (HOK) SAML Assertion, the enveloped signature is removed from the assertion and verified separately (i.e. no Signature element will be found under this SAML Assertion).
        Specified by:
        validateSAMLAssertion in interface SecurityEnvironment
        Parameters:
        context - a Map of application and integration-layer specific properties
        assertion - the Assertion to be validated
        Throws:
        com.sun.xml.wss.XWSSecurityException - if there was an error while validating the SAML Assertion
      • updateOtherPartySubject

        public void updateOtherPartySubject​(Subject subject,
                                            XMLStreamReader assertion)
        Description copied from interface: SecurityEnvironment
        Update the public credentials of the subject of the party whose Assertion is given.
        Specified by:
        updateOtherPartySubject in interface SecurityEnvironment
        Parameters:
        subject - the Subject of the requesting party
        assertion - the SAML Assertion of the requesting party
      • updateOtherPartySubject

        public void updateOtherPartySubject​(Subject subject,
                                            Subject bootStrapSubject)
        Description copied from interface: SecurityEnvironment
        Update the principal/credentials of the requesting party subject
        Specified by:
        updateOtherPartySubject in interface SecurityEnvironment
        Parameters:
        subject - the Subject of the requesting party
        bootStrapSubject - the bootstrap Credentials (during a SecureConversation Bootstrap) of the requesting party
      • doKerberosLogin

        public KerberosContext doKerberosLogin()
                                        throws com.sun.xml.wss.XWSSecurityException
        Description copied from interface: SecurityEnvironment
Perform a Kerberos login and return a KerberosContext. The KerberosContext stores the secret key, the GSSContext, the Kerberos BST, etc.
        Specified by:
        doKerberosLogin in interface SecurityEnvironment
        Throws:
        com.sun.xml.wss.XWSSecurityException
      • doKerberosLogin

        public KerberosContext doKerberosLogin​(byte[] tokenValue)
                                        throws com.sun.xml.wss.XWSSecurityException
        Description copied from interface: SecurityEnvironment
Perform a Kerberos login and return a KerberosContext. The KerberosContext stores the secret key, the GSSContext, the Kerberos BST, etc.
        Specified by:
        doKerberosLogin in interface SecurityEnvironment
        Throws:
        com.sun.xml.wss.XWSSecurityException