Posted to commits@cxf.apache.org by co...@apache.org on 2013/05/30 14:58:36 UTC
svn commit: r1487839 - in /cxf/branches/2.7.x-fixes:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/
systests/ws-security/src/test/resources/org/apache/cxf...
Author: coheigea
Date: Thu May 30 12:58:35 2013
New Revision: 1487839
URL: http://svn.apache.org/r1487839
Log:
[CXF-5046] - EncryptedSupportingTokens used with EncryptBeforeSigning does not encrypt Username token
Conflicts:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/StaxX509TokenTest.java
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/stax-server.xml
Modified:
cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1487839&r1=1487838&r2=1487839&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Thu May 30 12:58:35 2013
@@ -166,9 +166,9 @@ public abstract class AbstractBindingBui
protected Element bottomUpElement;
protected Element topDownElement;
protected Element bstElement;
+ protected Element lastEncryptedKeyElement;
private Element lastSupportingTokenElement;
- private Element lastEncryptedKeyElement;
private Element lastDerivedKeyElement;
public AbstractBindingBuilder(
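Review bot: `lastEncryptedKeyElement` at L34 is widened from private to protected without any Javadoc, so subclasses now depend on an undocumented contract — what the element is and when it is null — and a subclass in this same commit positions header content relative to it. The assignment site is outside this hunk, so the exact semantics should be confirmed before writing them down, but something like `/** The EncryptedKey element most recently written to the security header, or null if none has been written yet. */` would make the intent explicit. The same applies to `insertAfter` in the next hunk, which becomes protected at L43 with no description of where `child` ends up when `sib` is the last node (it is appended to the security header, per L44-L45); a one-line Javadoc on it would close that gap too. The constructor on L38 and the body of `insertAfter` continue outside their hunks.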
@@ -187,7 +187,7 @@ public abstract class AbstractBindingBui
message.getExchange().put(WSHandlerConstants.SEND_SIGV, signatures);
}
- private void insertAfter(Element child, Element sib) {
+ protected void insertAfter(Element child, Element sib) {
if (sib.getNextSibling() == null) {
secHeader.getSecurityHeader().appendChild(child);
} else {
Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1487839&r1=1487838&r2=1487839&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Thu May 30 12:58:35 2013
@@ -308,15 +308,16 @@ public class AsymmetricBindingHandler ex
doEndorse();
}
- checkForSignatureProtection(encryptionToken, encrBase);
+ encryptTokensInSecurityHeader(encryptionToken, encrBase);
}
}
- private void checkForSignatureProtection(Token encryptionToken, WSSecBase encrBase) {
+ private void encryptTokensInSecurityHeader(Token encryptionToken, WSSecBase encrBase) {
+ List<WSEncryptionPart> secondEncrParts = new ArrayList<WSEncryptionPart>();
+
// Check for signature protection
if (abinding.isSignatureProtection()) {
- List<WSEncryptionPart> secondEncrParts = new ArrayList<WSEncryptionPart>();
// Now encrypt the signature using the above token
if (mainSigId != null) {
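Review bot: `encryptTokensInSecurityHeader` at L60 has no Javadoc, and the only comment near the top (`// Check for signature protection`, L63) now describes just the first of two responsibilities, since `secondEncrParts` is hoisted to L61 and filled from more than the signature. A method-level comment such as `/** Encrypts, with encrBase, the signature when SignatureProtection is asserted and any EncryptedSupportingTokens collected in encryptedTokensList; does nothing if there is nothing to encrypt. */` would let a reader see the combined contract without tracing the whole body. The method body continues into the following hunk.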
@@ -328,35 +329,43 @@ public class AsymmetricBindingHandler ex
if (sigConfList != null && !sigConfList.isEmpty()) {
secondEncrParts.addAll(sigConfList);
}
+ }
- if (isRequestor()) {
- secondEncrParts.addAll(encryptedTokensList);
- }
-
- if (encryptionToken.isDerivedKeys() && !secondEncrParts.isEmpty()
- && encrBase instanceof WSSecDKEncrypt) {
- try {
- Element secondRefList
- = ((WSSecDKEncrypt)encrBase).encryptForExternalRef(null, secondEncrParts);
- ((WSSecDKEncrypt)encrBase).addExternalRefElement(secondRefList, secHeader);
+ // Add any SupportingTokens that need to be encrypted
+ if (isRequestor()) {
+ secondEncrParts.addAll(encryptedTokensList);
+ }
+
+ if (secondEncrParts.isEmpty()) {
+ return;
+ }
- } catch (WSSecurityException ex) {
- throw new Fault(ex);
- }
- } else if (!secondEncrParts.isEmpty() && encrBase instanceof WSSecEncrypt) {
- try {
- // Encrypt, get hold of the ref list and add it
- Element secondRefList = saaj.getSOAPPart()
- .createElementNS(WSConstants.ENC_NS,
- WSConstants.ENC_PREFIX + ":ReferenceList");
+ // Perform encryption
+ if (encryptionToken.isDerivedKeys() && encrBase instanceof WSSecDKEncrypt) {
+ try {
+ Element secondRefList =
+ ((WSSecDKEncrypt)encrBase).encryptForExternalRef(null, secondEncrParts);
+ ((WSSecDKEncrypt)encrBase).addExternalRefElement(secondRefList, secHeader);
+ } catch (WSSecurityException ex) {
+ throw new Fault(ex);
+ }
+ } else if (encrBase instanceof WSSecEncrypt) {
+ try {
+ // Encrypt, get hold of the ref list and add it
+ Element secondRefList = saaj.getSOAPPart()
+ .createElementNS(WSConstants.ENC_NS,
+ WSConstants.ENC_PREFIX + ":ReferenceList");
+ if (lastEncryptedKeyElement != null) {
+ insertAfter(secondRefList, lastEncryptedKeyElement);
+ } else {
this.insertBeforeBottomUp(secondRefList);
- ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts);
-
- } catch (WSSecurityException ex) {
- throw new Fault(ex);
}
+ ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts);
+
+ } catch (WSSecurityException ex) {
+ throw new Fault(ex);
}
- }
+ }
}
private WSSecBase doEncryption(TokenWrapper recToken,
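Review bot: The `if / else if` at L101-L130 has no final `else`, so when `secondEncrParts` is non-empty but `encrBase` matches neither branch (for example `isDerivedKeys()` is true while `encrBase` is not a `WSSecDKEncrypt`), the parts the policy requires to be encrypted — including the supporting tokens added at L85 — are silently dropped and, presumably, the message continues with them unencrypted. The early return at L88-L90 already makes "nothing to encrypt" an explicit case, so the remaining fall-through can only be a configuration or programming error and should fail the message rather than degrade its protection; adding `} else { throw new Fault(new IllegalStateException("No encryptor available for required encrypted parts")); }` after L130 would make this fail closed, in line with the existing `new Fault(ex)` handling at L107 and L127. This was also the behaviour of the removed code, so it is pre-existing rather than introduced here. The enclosing class continues outside the hunk.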
Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1487839&r1=1487838&r2=1487839&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java (original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java Thu May 30 12:58:35 2013
@@ -281,6 +281,29 @@ public class X509TokenTest extends Abstr
}
@org.junit.Test
+ public void testAsymmetricUsernameToken() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricUsernameTokenPort");
+ DoubleItPortType x509Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(x509Port, PORT);
+
+ x509Port.doubleIt(25);
+
+ ((java.io.Closeable)x509Port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
public void testSymmetricProtectTokens() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
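Review bot: `testAsymmetricUsernameToken` discards the result of `x509Port.doubleIt(25)` at L157, so the test passes whenever the call returns without an exception; checking the value, e.g. `assertEquals(50, x509Port.doubleIt(25));`, pins the round trip as the neighbouring tests presumably do. The test also does not inspect the outbound message, so whether it would catch a regression of CXF-5046 depends on the server rejecting a plaintext UsernameToken under the EncryptedSupportingTokens policy, which is plausible but not verified here; a brief comment to that effect would help the next maintainer understand what the test does and does not prove. `close()` and `bus.shutdown(true)` at L159-L160 are skipped if the call throws, which leaks the bus on failure but matches the style of the surrounding tests.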
Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl?rev=1487839&r1=1487838&r2=1487839&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl (original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl Thu May 30 12:58:35 2013
@@ -163,6 +163,25 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItAsymmetricUsernameTokenBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItAsymmetricUsernameTokenPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:binding name="DoubleItSymmetricProtectTokensBinding" type="tns:DoubleItPortType">
<wsp:PolicyReference URI="#DoubleItSymmetricProtectTokensPolicy" />
<soap:binding style="document"
@@ -354,6 +373,10 @@
binding="tns:DoubleItAsymmetricProtectTokensBinding">
<soap:address location="http://localhost:9001/DoubleItX509AsymmetricProtect" />
</wsdl:port>
+ <wsdl:port name="DoubleItAsymmetricUsernameTokenPort"
+ binding="tns:DoubleItAsymmetricUsernameTokenBinding">
+ <soap:address location="http://localhost:9001/DoubleItX509AsymmetricUsernameToken" />
+ </wsdl:port>
<wsdl:port name="DoubleItSymmetricProtectTokensPort"
binding="tns:DoubleItSymmetricProtectTokensBinding">
<soap:address location="http://localhost:9001/DoubleItX509SymmetricProtect" />
@@ -651,6 +674,60 @@
</wsp:ExactlyOne>
</wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItAsymmetricUsernameTokenPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding>
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <sp:EncryptBeforeSigning/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ <sp:EncryptedSupportingTokens>
+ <wsp:Policy>
+ <sp:UsernameToken
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssUsernameToken11/>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:EncryptedSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
<wsp:Policy wsu:Id="DoubleItSymmetricProtectTokensPolicy">
<wsp:ExactlyOne>
<wsp:All>
Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1487839&r1=1487838&r2=1487839&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml (original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml Thu May 30 12:58:35 2013
@@ -165,6 +165,21 @@
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricUsernameTokenPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="bob"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.signature.username" value="alice"/>
+ <entry key="ws-security.username" value="alice"/>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:client>
+
<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricProtectTokensPort"
createdFromAPI="true">
<jaxws:properties>
Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1487839&r1=1487838&r2=1487839&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml (original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Thu May 30 12:58:35 2013
@@ -286,6 +286,26 @@
</jaxws:endpoint>
<jaxws:endpoint
+ id="AsymmetricUsernameToken"
+ address="http://localhost:${testutil.ports.Server}/DoubleItX509AsymmetricUsernameToken"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItAsymmetricUsernameTokenPort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
+ <jaxws:endpoint
id="SymmetricProtectTokens"
address="http://localhost:${testutil.ports.Server}/DoubleItX509SymmetricProtect"
serviceName="s:DoubleItService"