Posted to commits@cxf.apache.org by co...@apache.org on 2011/05/24 18:19:40 UTC
svn commit: r1127128 - in
/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j:
PolicyBasedWSS4JInInterceptor.java
policyvalidators/X509TokenPolicyValidator.java
Author: coheigea
Date: Tue May 24 16:19:39 2011
New Revision: 1127128
URL: http://svn.apache.org/viewvc?rev=1127128&view=rev
Log:
Added a policy validator for X.509 Tokens.
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1127128&r1=1127127&r2=1127128&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Tue May 24 16:19:39 2011
@@ -76,6 +76,7 @@ import org.apache.cxf.ws.security.wss4j.
import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
import org.apache.neethi.Assertion;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
@@ -467,7 +468,6 @@ public class PolicyBasedWSS4JInIntercept
//stuff we can default to asserted and un-assert if a condition isn't met
assertPolicy(aim, SP12Constants.KEYVALUE_TOKEN);
- assertPolicy(aim, SP12Constants.X509_TOKEN);
message.put(WSHandlerConstants.ACTION, action.trim());
}
@@ -625,6 +625,9 @@ public class PolicyBasedWSS4JInIntercept
assertSymetricBinding(aim, msg, prots, hasDerivedKeys);
assertTransportBinding(aim);
+ X509TokenPolicyValidator x509Validator = new X509TokenPolicyValidator(msg, results);
+ x509Validator.validatePolicy(aim);
+
//REVISIT - probably can verify some of these like if UT is encrypted and/or signed, etc...
assertPolicy(aim, SP12Constants.SIGNED_SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
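Review bot: The boolean returned by `x509Validator.validatePolicy(aim)` on the added line is discarded. If that is deliberate because failures are already recorded on the AssertionInfo through `setNotAsserted`, a short comment such as `// validation failures are recorded on the AssertionInfoMap; the return value is informational` would make that explicit for the next reader; if not, the result needs to be acted on here. The enclosing method starts and ends outside the hunk, so I cannot see whether the other validators' results are handled the same way.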
Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java?rev=1127128&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java Tue May 24 16:19:39 2011
@@ -0,0 +1,108 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.X509Token;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+/**
+ * Validate a WSSecurityEngineResult corresponding to the processing of an X.509 Token
+ * against the appropriate policy.
+ */
+public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator {
+
+ private static final String X509_V3_VALUETYPE = WSConstants.X509TOKEN_NS + "#X509v3";
+ private static final String PKI_VALUETYPE = WSConstants.X509TOKEN_NS + "#X509PKIPathv1";
+
+ private List<WSSecurityEngineResult> bstResults;
+ private Message message;
+
+ public X509TokenPolicyValidator(
+ Message message,
+ List<WSSecurityEngineResult> results
+ ) {
+ this.message = message;
+ bstResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.BST, bstResults);
+ }
+
+ public boolean validatePolicy(
+ AssertionInfoMap aim
+ ) {
+ Collection<AssertionInfo> x509Ais = aim.get(SP12Constants.X509_TOKEN);
+ if (x509Ais != null && !x509Ais.isEmpty()) {
+ for (AssertionInfo ai : x509Ais) {
+ X509Token x509TokenPolicy = (X509Token)ai.getAssertion();
+ ai.setAsserted(true);
+
+ if (!isTokenRequired(x509TokenPolicy, message)) {
+ continue;
+ }
+
+ if (bstResults.isEmpty()) {
+ ai.setNotAsserted(
+ "The received token does not match the token inclusion requirement"
+ );
+ return false;
+ }
+
+ if (!checkTokenType(x509TokenPolicy.getTokenVersionAndType())) {
+ ai.setNotAsserted("An incorrect X.509 Token Type is detected");
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
+ private boolean checkTokenType(String requiredVersionAndType) {
+ if (!bstResults.isEmpty()) {
+ String requiredType = X509_V3_VALUETYPE;
+ if (SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10.equals(requiredType)
+ || SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11.equals(requiredType)) {
+ requiredType = PKI_VALUETYPE;
+ }
+
+ for (WSSecurityEngineResult result : bstResults) {
+ BinarySecurity binarySecurityToken =
+ (BinarySecurity)result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ if (binarySecurityToken != null) {
+ String type = binarySecurityToken.getValueType();
+ if (requiredType.equals(type)) {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+ }
+}
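Review bot: `checkTokenType` never reads its `requiredVersionAndType` parameter: the `if` at the top of the method compares `requiredType`, which was just assigned `X509_V3_VALUETYPE`, against the PKIPath constants, so that condition is always false, the `PKI_VALUETYPE` branch is unreachable and every X509Token policy is checked as X509v3. The comparison should use the parameter: `if (SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10.equals(requiredVersionAndType) || SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11.equals(requiredVersionAndType))`. As written, a policy requiring a PKIPath token is asserted when an X509v3 BinarySecurityToken is present and rejected when the PKIPath token itself arrives. It would also help to state in the `validatePolicy` Javadoc that the check only confirms a BinarySecurityToken of the expected ValueType is among the BST results, not that it is the token actually used for the signature or encryption — presumably that is enforced elsewhere, but the class does not say so.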