in rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java [166:307]
public <T extends UsernameSecurityToken & InboundSecurityToken> T validate(UsernameTokenType usernameTokenType,
TokenContext tokenContext)
throws WSSecurityException {
// If the UsernameToken is to be used for key derivation, the (1.1)
// spec says that it cannot contain a password, and it must contain
// an Iteration element
final byte[] salt = XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSSE11_SALT);
PasswordString passwordType =
XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSSE_PASSWORD);
final Long iteration =
XMLSecurityUtils.getQNameType(usernameTokenType.getAny(), WSSConstants.TAG_WSSE11_ITERATION);
if (salt != null && (passwordType != null || iteration == null)) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "badTokenType01");
}
boolean handleCustomPasswordTypes =
tokenContext.getWssSecurityProperties().getHandleCustomPasswordTypes();
boolean allowUsernameTokenNoPassword =
tokenContext.getWssSecurityProperties().isAllowUsernameTokenNoPassword()
|| Boolean.parseBoolean((String)tokenContext.getWsSecurityContext().get(
WSSConstants.PROP_ALLOW_USERNAMETOKEN_NOPASSWORD));
// Check received password type against required type
WSSConstants.UsernameTokenPasswordType requiredPasswordType =
tokenContext.getWssSecurityProperties().getUsernameTokenPasswordType();
if (requiredPasswordType != null) {
if (passwordType == null || passwordType.getType() == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
WSSConstants.UsernameTokenPasswordType usernameTokenPasswordType =
WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(passwordType.getType());
if (requiredPasswordType != usernameTokenPasswordType) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
}
WSSConstants.UsernameTokenPasswordType usernameTokenPasswordType =
WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE;
if (passwordType != null && passwordType.getType() != null) {
usernameTokenPasswordType =
WSSConstants.UsernameTokenPasswordType.getUsernameTokenPasswordType(
passwordType.getType());
}
final AttributedString username = usernameTokenType.getUsername();
if (username == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
"badTokenType01");
}
final EncodedString encodedNonce =
XMLSecurityUtils.getQNameType(usernameTokenType.getAny(),
WSSConstants.TAG_WSSE_NONCE);
byte[] nonceVal = null;
if (encodedNonce != null && encodedNonce.getValue() != null) {
nonceVal = Base64.decodeBase64(encodedNonce.getValue());
}
final AttributedDateTime attributedDateTimeCreated =
XMLSecurityUtils.getQNameType(usernameTokenType.getAny(),
WSSConstants.TAG_WSU_CREATED);
String created = null;
if (attributedDateTimeCreated != null) {
created = attributedDateTimeCreated.getValue();
}
// Validate to STS if required
boolean valid = false;
final SoapMessage message =
(SoapMessage)tokenContext.getWssSecurityProperties().getMsgContext();
if (alwaysValidateToSts) {
Element tokenElement =
convertToDOM(username.getValue(), passwordType.getValue(),
passwordType.getType(), usernameTokenType.getId());
validateTokenToSTS(tokenElement, message);
valid = true;
}
if (!valid) {
try {
if (usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
if (encodedNonce == null || attributedDateTimeCreated == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
"badTokenType01");
}
if (!WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING.equals(encodedNonce.getEncodingType())) {
throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_SECURITY_TOKEN,
"badTokenType01");
}
verifyDigestPassword(username.getValue(), passwordType, nonceVal, created, tokenContext);
} else if (usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT
|| passwordType != null && passwordType.getValue() != null
&& usernameTokenPasswordType == WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
verifyPlaintextPassword(username.getValue(), passwordType, tokenContext);
} else if (passwordType != null && passwordType.getValue() != null) {
if (!handleCustomPasswordTypes) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
verifyPlaintextPassword(username.getValue(), passwordType, tokenContext);
} else {
if (!allowUsernameTokenNoPassword) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
}
} catch (WSSecurityException ex) {
Element tokenElement =
convertToDOM(username.getValue(), passwordType.getValue(),
passwordType.getType(), usernameTokenType.getId());
validateTokenToSTS(tokenElement, message);
}
}
final String password;
if (passwordType != null) {
password = passwordType.getValue();
} else if (salt != null) {
WSPasswordCallback pwCb = new WSPasswordCallback(username.getValue(),
WSPasswordCallback.USERNAME_TOKEN);
try {
WSSUtils.doPasswordCallback(tokenContext.getWssSecurityProperties().getCallbackHandler(), pwCb);
} catch (WSSecurityException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e);
}
password = pwCb.getPassword();
} else {
password = null;
}
UsernameSecurityTokenImpl usernameSecurityToken = new UsernameSecurityTokenImpl(
usernameTokenPasswordType, username.getValue(), password, created,
nonceVal, salt, iteration,
tokenContext.getWsSecurityContext(), usernameTokenType.getId(),
WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
usernameSecurityToken.setElementPath(tokenContext.getElementPath());
usernameSecurityToken.setXMLSecEvent(tokenContext.getFirstXMLSecEvent());
return (T)usernameSecurityToken;
}