Posted to commits@cxf.apache.org by co...@apache.org on 2011/05/24 18:19:40 UTC

svn commit: r1127128 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j: PolicyBasedWSS4JInInterceptor.java policyvalidators/X509TokenPolicyValidator.java

Author: coheigea
Date: Tue May 24 16:19:39 2011
New Revision: 1127128

URL: http://svn.apache.org/viewvc?rev=1127128&view=rev
Log:
Added a policy validator for X.509 Tokens.

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1127128&r1=1127127&r2=1127128&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Tue May 24 16:19:39 2011
@@ -76,6 +76,7 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
 import org.apache.neethi.Assertion;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDataRef;
@@ -467,7 +468,6 @@ public class PolicyBasedWSS4JInIntercept
             
             //stuff we can default to asserted and un-assert if a condition isn't met
             assertPolicy(aim, SP12Constants.KEYVALUE_TOKEN);
-            assertPolicy(aim, SP12Constants.X509_TOKEN);
 
             message.put(WSHandlerConstants.ACTION, action.trim());
         }
@@ -625,6 +625,9 @@ public class PolicyBasedWSS4JInIntercept
         assertSymetricBinding(aim, msg, prots, hasDerivedKeys);
         assertTransportBinding(aim);
         
+        X509TokenPolicyValidator x509Validator = new X509TokenPolicyValidator(msg, results);
+        x509Validator.validatePolicy(aim);
+        
         //REVISIT - probably can verify some of these like if UT is encrypted and/or signed, etc...
         assertPolicy(aim, SP12Constants.SIGNED_SUPPORTING_TOKENS);
         assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
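Review bot: The boolean returned by `x509Validator.validatePolicy(aim)` is discarded at the new call, so the only failure signal that survives is whatever the validator records on the AssertionInfo objects via setNotAsserted. If the surrounding method relies on the AssertionInfoMap state alone, that is fine but worth stating, e.g. `// failures are recorded on the AssertionInfo entries; the return value is informational only`; otherwise the result should be checked the way the other validators' results presumably are (the enclosing method starts outside this hunk, so I cannot confirm which convention it follows). Note also that the validator is invoked after the binding assertions but before the supporting-token assertions, which is fine only if nothing in the later assertPolicy calls depends on the X.509 outcome.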

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java?rev=1127128&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java Tue May 24 16:19:39 2011
@@ -0,0 +1,108 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.X509Token;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+/**
+ * Validate a WSSecurityEngineResult corresponding to the processing of an X.509 Token
+ * against the appropriate policy.
+ */
+public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator {
+    
+    private static final String X509_V3_VALUETYPE = WSConstants.X509TOKEN_NS + "#X509v3";
+    private static final String PKI_VALUETYPE = WSConstants.X509TOKEN_NS + "#X509PKIPathv1";
+    
+    private List<WSSecurityEngineResult> bstResults;
+    private Message message;
+
+    public X509TokenPolicyValidator(
+        Message message,
+        List<WSSecurityEngineResult> results
+    ) {
+        this.message = message;
+        bstResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.BST, bstResults);
+    }
+    
+    public boolean validatePolicy(
+        AssertionInfoMap aim
+    ) {
+        Collection<AssertionInfo> x509Ais = aim.get(SP12Constants.X509_TOKEN);
+        if (x509Ais != null && !x509Ais.isEmpty()) {
+            for (AssertionInfo ai : x509Ais) {
+                X509Token x509TokenPolicy = (X509Token)ai.getAssertion();
+                ai.setAsserted(true);
+                
+                if (!isTokenRequired(x509TokenPolicy, message)) {
+                    continue;
+                }
+                
+                if (bstResults.isEmpty()) {
+                    ai.setNotAsserted(
+                        "The received token does not match the token inclusion requirement"
+                    );
+                    return false;
+                }
+                
+                if (!checkTokenType(x509TokenPolicy.getTokenVersionAndType())) {
+                    ai.setNotAsserted("An incorrect X.509 Token Type is detected");
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+    
+    private boolean checkTokenType(String requiredVersionAndType) {
+        if (!bstResults.isEmpty()) {
+            String requiredType = X509_V3_VALUETYPE;
+            if (SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10.equals(requiredType)
+                || SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11.equals(requiredType)) {
+                requiredType = PKI_VALUETYPE;
+            }
+            
+            for (WSSecurityEngineResult result : bstResults) {
+                BinarySecurity binarySecurityToken = 
+                    (BinarySecurity)result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                if (binarySecurityToken != null) {
+                    String type = binarySecurityToken.getValueType();
+                    if (requiredType.equals(type)) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+}
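Review bot: In checkTokenType the `requiredVersionAndType` parameter is never read; the PKI-path test on the two lines `if (SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10.equals(requiredType)` / `|| SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11.equals(requiredType))` compares the SP constants against `requiredType`, which was just set to X509_V3_VALUETYPE, so the branch can never be taken and a policy that requires a PKI path token is always rejected with "An incorrect X.509 Token Type is detected" while an X509v3 BST is accepted regardless of what the policy asked for. The fix is to compare against the parameter: `if (SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10.equals(requiredVersionAndType) || SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11.equals(requiredVersionAndType))`. Separately, both the inclusion check (`bstResults.isEmpty()`) and the type check succeed if any BST in the results has the expected ValueType, not necessarily the one that produced the signature or encryption the binding relies on; if that correlation is intended to be enforced here rather than by WSS4J, it should be documented, e.g. `// NOTE: matches any BST in the header, not the one used for signing -- confirm this is sufficient`. A class-level Javadoc line stating that a single failing assertion short-circuits validation of the remaining X.509 assertions (the early `return false` in the loop) would also help the next maintainer.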