* @throws org.apache.wss4j.stax.ext.WSSConfigurationException
* if the configuration is invalid
*/
public static WSSSecurityProperties validateAndApplyDefaultsToOutboundSecurityProperties(WSSSecurityProperties securityProperties) throws WSSConfigurationException {
if (securityProperties.getActions() == null || securityProperties.getActions().isEmpty()) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noOutputAction");
}
// Check for duplicate actions
if (new HashSet<XMLSecurityConstants.Action>(securityProperties.getActions()).size()
!= securityProperties.getActions().size()) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "stax.duplicateActions");
}
for (XMLSecurityConstants.Action action : securityProperties.getActions()) {
if (WSSConstants.TIMESTAMP.equals(action)) {
if (securityProperties.getTimestampTTL() == null) {
securityProperties.setTimestampTTL(300);
}
} else if (WSSConstants.SIGNATURE.equals(action)) {
if (!WSSConstants.NS_XMLDSIG_HMACSHA1.equals(securityProperties.getSignatureAlgorithm())) {
if (securityProperties.getSignatureKeyStore() == null
&& securityProperties.getSignatureCryptoProperties() == null
&& securityProperties.getSignatureCrypto() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "signatureKeyStoreNotSet");
}
if (securityProperties.getSignatureUser() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noSignatureUser");
}
if (securityProperties.getCallbackHandler() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
}
}
if (securityProperties.getSignatureAlgorithm() == null) {
securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_RSASHA1);
}
if (securityProperties.getSignatureDigestAlgorithm() == null) {
securityProperties.setSignatureDigestAlgorithm(WSSConstants.NS_XMLDSIG_SHA1);
}
if (securityProperties.getSignatureCanonicalizationAlgorithm() == null) {
securityProperties.setSignatureCanonicalizationAlgorithm(WSSConstants.NS_C14N_EXCL);
}
if (securityProperties.getSignatureKeyIdentifier() == null) {
securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_IssuerSerial);
}
checkDefaultSecureParts(true, securityProperties);
} else if (WSSConstants.ENCRYPT.equals(action)) {
if (securityProperties.getEncryptionUseThisCertificate() == null
&& securityProperties.getEncryptionKeyStore() == null
&& securityProperties.getEncryptionCryptoProperties() == null
&& !securityProperties.isUseReqSigCertForEncryption()
&& securityProperties.isEncryptSymmetricEncryptionKey()
&& securityProperties.getEncryptionCrypto() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "encryptionKeyStoreNotSet");
}
if (securityProperties.getEncryptionUser() == null
&& securityProperties.getEncryptionUseThisCertificate() == null
&& !securityProperties.isUseReqSigCertForEncryption()
&& securityProperties.isEncryptSymmetricEncryptionKey()) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noEncryptionUser");
}
if (securityProperties.getEncryptionSymAlgorithm() == null) {
securityProperties.setEncryptionSymAlgorithm(WSSConstants.NS_XENC_AES256);
}
if (securityProperties.getEncryptionKeyTransportAlgorithm() == null) {
//@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-1_5 :
//"RSA-OAEP is RECOMMENDED for the transport of AES keys"
//@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-oaep-mgf1p
securityProperties.setEncryptionKeyTransportAlgorithm(WSSConstants.NS_XENC_RSAOAEPMGF1P);
}
if (securityProperties.getEncryptionKeyIdentifier() == null) {
securityProperties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_IssuerSerial);
}
checkDefaultSecureParts(false, securityProperties);
} else if (WSSConstants.USERNAMETOKEN.equals(action)) {
if (securityProperties.getTokenUser() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noTokenUser");
}
if (securityProperties.getCallbackHandler() == null
&& WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE != securityProperties.getUsernameTokenPasswordType()) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
}
if (securityProperties.getUsernameTokenPasswordType() == null) {
securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST);
}
} else if (WSSConstants.USERNAMETOKEN_SIGNED.equals(action)) {
if (securityProperties.getTokenUser() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noTokenUser");
}
if (securityProperties.getCallbackHandler() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
}
if (securityProperties.getSignatureAlgorithm() == null) {
securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_HMACSHA1);
}
if (securityProperties.getSignatureDigestAlgorithm() == null) {
securityProperties.setSignatureDigestAlgorithm(WSSConstants.NS_XMLDSIG_SHA1);
}
if (securityProperties.getSignatureCanonicalizationAlgorithm() == null) {
securityProperties.setSignatureCanonicalizationAlgorithm(WSSConstants.NS_C14N_EXCL);
}
securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_UsernameTokenReference);
if (securityProperties.getUsernameTokenPasswordType() == null) {
securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST);
}
checkDefaultSecureParts(true, securityProperties);
} else if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
if (securityProperties.getCallbackHandler() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
}
if (securityProperties.getSignatureAlgorithm() == null) {
securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_HMACSHA1);
}
if (securityProperties.getSignatureDigestAlgorithm() == null) {
securityProperties.setSignatureDigestAlgorithm(WSSConstants.NS_XMLDSIG_SHA1);
}
if (securityProperties.getSignatureCanonicalizationAlgorithm() == null) {
securityProperties.setSignatureCanonicalizationAlgorithm(WSSConstants.NS_C14N_EXCL);
}
if (securityProperties.getSignatureKeyIdentifier() == null) {
securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference);
}
if (securityProperties.getEncryptionSymAlgorithm() == null) {
securityProperties.setEncryptionSymAlgorithm(WSSConstants.NS_XENC_AES256);
}
if (securityProperties.getEncryptionKeyTransportAlgorithm() == null) {
//@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-1_5 :
//"RSA-OAEP is RECOMMENDED for the transport of AES keys"
//@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-oaep-mgf1p
securityProperties.setEncryptionKeyTransportAlgorithm(WSSConstants.NS_XENC_RSAOAEPMGF1P);
}
if (securityProperties.getEncryptionKeyIdentifier() == null) {
securityProperties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
}
if (securityProperties.getDerivedKeyKeyIdentifier() == null) {
securityProperties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
}
if (securityProperties.getDerivedKeyTokenReference() == null) {
securityProperties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.DirectReference);
}
if (securityProperties.getDerivedKeyTokenReference() != WSSConstants.DerivedKeyTokenReference.DirectReference) {
securityProperties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference);
}
checkDefaultSecureParts(true, securityProperties);
} else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
if (securityProperties.getCallbackHandler() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
}
if (securityProperties.getEncryptionUseThisCertificate() == null
&& securityProperties.getEncryptionKeyStore() == null
&& securityProperties.getEncryptionCryptoProperties() == null
&& !securityProperties.isUseReqSigCertForEncryption()
&& securityProperties.isEncryptSymmetricEncryptionKey()
&& securityProperties.getEncryptionCrypto() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "encryptionKeyStoreNotSet");
}
if (securityProperties.getEncryptionUser() == null
&& securityProperties.getEncryptionUseThisCertificate() == null
&& !securityProperties.isUseReqSigCertForEncryption()
&& securityProperties.isEncryptSymmetricEncryptionKey()) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noEncryptionUser");
}
if (securityProperties.getEncryptionSymAlgorithm() == null) {
securityProperties.setEncryptionSymAlgorithm(WSSConstants.NS_XENC_AES256);
}
if (securityProperties.getEncryptionKeyTransportAlgorithm() == null) {
//@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-1_5 :
//"RSA-OAEP is RECOMMENDED for the transport of AES keys"
//@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-oaep-mgf1p
securityProperties.setEncryptionKeyTransportAlgorithm(WSSConstants.NS_XENC_RSAOAEPMGF1P);
}
if (securityProperties.getEncryptionKeyIdentifier() == null) {
securityProperties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
}
if (securityProperties.getDerivedKeyKeyIdentifier() == null) {
securityProperties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
}
if (securityProperties.getDerivedKeyTokenReference() == null) {
securityProperties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.EncryptedKey);
}
if (securityProperties.getDerivedKeyTokenReference() != WSSConstants.DerivedKeyTokenReference.DirectReference) {
securityProperties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference);
}
checkDefaultSecureParts(false, securityProperties);
} else if (WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
if (securityProperties.getCallbackHandler() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
}
if (securityProperties.getSamlCallbackHandler() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noSAMLCallbackHandler");
}
if (securityProperties.getSignatureAlgorithm() == null) {
securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_RSASHA1);
}
if (securityProperties.getSignatureDigestAlgorithm() == null) {
securityProperties.setSignatureDigestAlgorithm(WSSConstants.NS_XMLDSIG_SHA1);
}
if (securityProperties.getSignatureCanonicalizationAlgorithm() == null) {
securityProperties.setSignatureCanonicalizationAlgorithm(WSSConstants.NS_C14N_EXCL);
}
if (securityProperties.getSignatureKeyIdentifier() == null) {
securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference);
}
checkDefaultSecureParts(true, securityProperties);
} else if (WSSConstants.SAML_TOKEN_UNSIGNED.equals(action) &&
securityProperties.getSamlCallbackHandler() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noSAMLCallbackHandler");
} else if (WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(action)) {
if (securityProperties.getCallbackHandler() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
}
if (securityProperties.getSignatureAlgorithm() == null) {
securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_HMACSHA1);
}
if (securityProperties.getSignatureDigestAlgorithm() == null) {
securityProperties.setSignatureDigestAlgorithm(WSSConstants.NS_XMLDSIG_SHA1);
}
if (securityProperties.getSignatureCanonicalizationAlgorithm() == null) {
securityProperties.setSignatureCanonicalizationAlgorithm(WSSConstants.NS_C14N_EXCL);
}
if (securityProperties.getSignatureKeyIdentifier() == null) {
securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference);
}
checkDefaultSecureParts(true, securityProperties);
} else if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(action)) {
if (securityProperties.getCallbackHandler() == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
}
if (securityProperties.getEncryptionSymAlgorithm() == null) {
securityProperties.setEncryptionSymAlgorithm(WSSConstants.NS_XENC_AES256);
}
if (securityProperties.getSignatureKeyIdentifier() == null) {