Class CryptoCoverageUtil


  • public final class CryptoCoverageUtil
    extends Object
    Utility to enable the checking of WS-Security signature / WS-Security encryption coverage based on the results of the WSS4J signature/encryption processor.
    • Method Detail

      • reconcileEncryptedSignedRefs

        public static void reconcileEncryptedSignedRefs(Collection<org.apache.wss4j.dom.WSDataRef> signedRefs,
                                                        Collection<org.apache.wss4j.dom.WSDataRef> encryptedRefs)
        Inspects the signed and encrypted content in the message and resolves the elements in signedRefs that were encrypted and then signed. For each entry in signedRefs that corresponds to an encrypted element, the decrypted element is resolved and added to signedRefs. The original reference to the encrypted content remains in the list unaltered, so that it can still be matched against a requirement that xenc:EncryptedData and xenc:EncryptedKey elements be signed.
        Parameters:
        signedRefs - references to the signed content in the message
        encryptedRefs - references to the encrypted content in the message
      • checkBodyCoverage

        public static void checkBodyCoverage(Element soapBody,
                                             Collection<org.apache.wss4j.dom.WSDataRef> refs,
                                             CryptoCoverageUtil.CoverageType type,
                                             CryptoCoverageUtil.CoverageScope scope)
                                      throws org.apache.wss4j.common.ext.WSSecurityException
        Checks that the references provided refer to the signed/encrypted SOAP body element.
        Parameters:
        soapBody - the SOAP body element
        refs - the refs to the data extracted from the signature/encryption
        type - the type of cryptographic coverage to check for
        scope - the scope of the cryptographic coverage to check for, defaults to element
        Throws:
        org.apache.wss4j.common.ext.WSSecurityException - if there is an error evaluating the coverage or the body is not covered by the signature/encryption.
      • checkHeaderCoverage

        public static void checkHeaderCoverage(Element soapHeader,
                                               Collection<org.apache.wss4j.dom.WSDataRef> refs,
                                               String namespace,
                                               String name,
                                               CryptoCoverageUtil.CoverageType type,
                                               CryptoCoverageUtil.CoverageScope scope)
                                        throws org.apache.wss4j.common.ext.WSSecurityException
        Checks that the references provided refer to the required signed/encrypted SOAP header element(s) matching the provided name and namespace. If name is null, all headers from namespace are inspected for coverage.
        Parameters:
        soapHeader - the SOAP header element
        refs - the refs to the data extracted from the signature/encryption
        namespace - the namespace of the header(s) to check for coverage
        name - the local part of the header name to check for coverage, may be null
        type - the type of cryptographic coverage to check for
        scope - the scope of the cryptographic coverage to check for, defaults to element
        Throws:
        org.apache.wss4j.common.ext.WSSecurityException - if there is an error evaluating the coverage or a header is not covered by the signature/encryption.
      • checkCoverage

        public static void checkCoverage(Element soapEnvelope,
                                         Collection<org.apache.wss4j.dom.WSDataRef> refs,
                                         Map<String,String> namespaces,
                                         String xPath,
                                         CryptoCoverageUtil.CoverageType type,
                                         CryptoCoverageUtil.CoverageScope scope)
                                  throws org.apache.wss4j.common.ext.WSSecurityException
        Checks that the references provided refer to the required signed/encrypted elements as defined by the XPath expression in xPath.
        Parameters:
        soapEnvelope - the SOAP Envelope element
        refs - the refs to the data extracted from the signature/encryption
        namespaces - the prefix to namespace mapping, may be null
        xPath - the XPath expression
        type - the type of cryptographic coverage to check for
        scope - the scope of the cryptographic coverage to check for, defaults to element
        Throws:
        org.apache.wss4j.common.ext.WSSecurityException - if there is an error evaluating an XPath or an element is not covered by the signature/encryption.
      • checkCoverage

        public static void checkCoverage(Element soapEnvelope,
                                         Collection<org.apache.wss4j.dom.WSDataRef> refs,
                                         Map<String,String> namespaces,
                                         Collection<String> xPaths,
                                         CryptoCoverageUtil.CoverageType type,
                                         CryptoCoverageUtil.CoverageScope scope)
                                  throws org.apache.wss4j.common.ext.WSSecurityException
        Checks that the references provided refer to the required signed/encrypted elements as defined by the XPath expressions in xPaths.
        Parameters:
        soapEnvelope - the SOAP Envelope element
        refs - the refs to the data extracted from the signature/encryption
        namespaces - the prefix to namespace mapping, may be null
        xPaths - the collection of XPath expressions
        type - the type of cryptographic coverage to check for
        scope - the scope of the cryptographic coverage to check for, defaults to element
        Throws:
        org.apache.wss4j.common.ext.WSSecurityException - if there is an error evaluating an XPath or an element is not covered by the signature/encryption.
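
The methods above combined into one inbound coverage check; this is an added example, not code from CXF. The class InboundCoveragePolicy, its enforce method and the chosen policy (SOAP 1.1 body, WS-Addressing headers, wsu:Timestamp) are assumptions, and the package org.apache.cxf.ws.security.wss4j and the enum constants SIGNED, ENCRYPTED, ELEMENT and CONTENT belong to CXF but are not shown on this page.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSDataRef;
import org.w3c.dom.Element;

/** Hypothetical helper, not part of CXF: one fixed coverage policy for inbound messages. */
public final class InboundCoveragePolicy {
    // Namespace URIs used by the policy below (SOAP 1.1 assumed).
    private static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    private static final String WSA_NS = "http://www.w3.org/2005/08/addressing";
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    private InboundCoveragePolicy() { }

    /** Throws WSSecurityException as soon as one required part is not covered. */
    public static void enforce(Element envelope, Element header, Element body,
                               Collection<WSDataRef> signedRefs,
                               Collection<WSDataRef> encryptedRefs) throws WSSecurityException {
        // Mutable copy: reconcileEncryptedSignedRefs adds entries to the signed list.
        List<WSDataRef> signed = new ArrayList<>(signedRefs);
        // Run first, so encrypted-then-signed elements match their decrypted form.
        CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encryptedRefs);

        // Body: the element itself must be signed, its content must be encrypted.
        CryptoCoverageUtil.checkBodyCoverage(body, signed,
            CoverageType.SIGNED, CoverageScope.ELEMENT);
        CryptoCoverageUtil.checkBodyCoverage(body, encryptedRefs,
            CoverageType.ENCRYPTED, CoverageScope.CONTENT);

        // name == null: every header in the WS-Addressing namespace is inspected.
        CryptoCoverageUtil.checkHeaderCoverage(header, signed, WSA_NS, null,
            CoverageType.SIGNED, CoverageScope.ELEMENT);

        // XPath form, with an explicit prefix-to-namespace map for the expression.
        Map<String, String> ns = Map.of("soap", SOAP_NS, "wsse", WSSE_NS, "wsu", WSU_NS);
        CryptoCoverageUtil.checkCoverage(envelope, signed, ns,
            "/soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp",
            CoverageType.SIGNED, CoverageScope.ELEMENT);
    }
}
```

The refs passed in are the ones reported by the WSS4J signature and encryption processors for the message being checked; a caller should treat any WSSecurityException from enforce as a reason to reject the message.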