Posted to commits@cxf.apache.org by co...@apache.org on 2014/02/04 14:35:13 UTC
svn commit: r1564295 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/
Author: coheigea
Date: Tue Feb 4 13:35:12 2014
New Revision: 1564295
URL: http://svn.apache.org/r1564295
Log:
[CXF-5537] - Support an X.509 Token as an EndorsingEncryptedSupportingTokens
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1564295&r1=1564294&r2=1564295&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Tue Feb 4 13:35:12 2014
@@ -106,7 +106,6 @@ import org.apache.wss4j.dom.message.WSSe
import org.apache.wss4j.dom.message.WSSecTimestamp;
import org.apache.wss4j.dom.message.WSSecUsernameToken;
import org.apache.wss4j.dom.message.token.BinarySecurity;
-import org.apache.wss4j.dom.message.token.PKIPathSecurity;
import org.apache.wss4j.dom.message.token.SecurityTokenReference;
import org.apache.wss4j.dom.message.token.X509Security;
import org.apache.wss4j.dom.util.WSSecurityUtil;
@@ -485,16 +484,25 @@ public abstract class AbstractBindingBui
}
} else if (token instanceof X509Token) {
- //We have to use a cert
- //Prepare X509 signature
+ //We have to use a cert. Prepare X509 signature
WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
Element bstElem = sig.getBinarySecurityTokenElement();
if (bstElem != null) {
- sig.prependBSTElementToHeader(secHeader);
- }
- if (suppTokens.isEncryptedToken()) {
- WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
- encryptedTokensList.add(part);
+ if (lastEncryptedKeyElement != null) {
+ if (lastEncryptedKeyElement.getNextSibling() != null) {
+ secHeader.getSecurityHeader().insertBefore(bstElem,
+ lastEncryptedKeyElement.getNextSibling());
+ } else {
+ secHeader.getSecurityHeader().appendChild(bstElem);
+ }
+ } else {
+ sig.prependBSTElementToHeader(secHeader);
+ }
+ if (suppTokens.isEncryptedToken()) {
+ WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
+ part.setElement(bstElem);
+ encryptedTokensList.add(part);
+ }
}
ret.add(new SupportingToken(token, sig));
} else if (token instanceof KeyValueToken) {
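Review bot: The inner `if`/`else` on `lastEncryptedKeyElement.getNextSibling()` is redundant, because DOM `insertBefore` appends when the reference node is null; `secHeader.getSecurityHeader().insertBefore(bstElem, lastEncryptedKeyElement.getNextSibling());` covers both cases. More relevant to the security behaviour, this path attaches the BST directly instead of through `sig.prependBSTElementToHeader(secHeader)`, so if a later step still calls that method on the same `WSSecSignature` the token may be moved back to the top of the header; this is inferred, since the rest of the method and its callers are outside the hunk. The placement deserves a comment, for example `// Insert the BST after the last EncryptedKey, presumably so the key precedes the token it encrypts (Strict layout)`. Please also confirm that `isEncryptedToken()` with a null `bstElem` is meant to add no encryption part, since the old code registered one in that case.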
@@ -1641,7 +1649,6 @@ public abstract class AbstractBindingBui
WSSecSignature sig = new WSSecSignature(wssConfig);
sig.setAttachmentCallbackHandler(new AttachmentOutCallbackHandler(message));
checkForX509PkiPath(sig, token);
- boolean alsoIncludeToken = false;
if (token instanceof IssuedToken || token instanceof SamlToken) {
assertPolicy(token);
assertPolicy(wrapper);
@@ -1698,7 +1705,7 @@ public abstract class AbstractBindingBui
&& token.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER
&& (sig.getKeyIdentifierType() != WSConstants.BST_DIRECT_REFERENCE
&& sig.getKeyIdentifierType() != WSConstants.KEY_VALUE)) {
- alsoIncludeToken = true;
+ sig.setIncludeSignatureToken(true);
}
}
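Review bot: The PKIPath case is not visibly covered after this change: `sig.setIncludeSignatureToken(true)` hands token construction to WSS4J, whereas the helper removed later in this commit chose between `PKIPathSecurity` and `X509Security` from `sig.isUseSingleCertificate()` and allocated the `X509-` id itself. It is worth confirming that WSS4J makes the same choice after `checkForX509PkiPath(sig, token)`, because no test in this commit exercises a certificate path with a non-direct key identifier. A one-line comment would help the next reader, for example `// Let WSS4J emit the BST alongside the key-identifier reference`. The enclosing method starts and ends outside the hunk.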
@@ -1758,32 +1765,9 @@ public abstract class AbstractBindingBui
policyNotAsserted(token, e);
}
- if (alsoIncludeToken) {
- includeToken(user, crypto, sig);
- }
-
return sig;
}
- private void includeToken(String user, Crypto crypto, WSSecSignature sig) throws WSSecurityException {
- CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
- cryptoType.setAlias(user);
- X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
- BinarySecurity bstToken = null;
- if (!sig.isUseSingleCertificate()) {
- bstToken = new PKIPathSecurity(saaj.getSOAPPart());
- ((PKIPathSecurity) bstToken).setX509Certificates(certs, crypto);
- } else {
- bstToken = new X509Security(saaj.getSOAPPart());
- ((X509Security) bstToken).setX509Certificate(certs[0]);
- }
- bstToken.setID(wssConfig.getIdAllocator().createSecureId("X509-", certs[0]));
- WSSecurityUtil.prependChildElement(
- secHeader.getSecurityHeader(), bstToken.getElement()
- );
- bstElement = bstToken.getElement();
- }
-
protected void doEndorsedSignatures(List<SupportingToken> tokenList,
boolean isTokenProtection,
boolean isSigProtect) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1564295&r1=1564294&r2=1564295&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Tue Feb 4 13:35:12 2014
@@ -665,11 +665,6 @@ public class AsymmetricBindingHandler ex
new WSEncryptionPart(sig.getBSTTokenId());
bstPart.setElement(sig.getBinarySecurityTokenElement());
sigParts.add(bstPart);
- } else if (bstElement != null) {
- WSEncryptionPart bstPart =
- new WSEncryptionPart(bstElement.getAttributeNS(WSConstants.WSU_NS, "Id"));
- bstPart.setElement(bstElement);
- sigParts.add(bstPart);
}
sig.prependBSTElementToHeader(secHeader);
}
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1564295&r1=1564294&r2=1564295&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java Tue Feb 4 13:35:12 2014
@@ -353,6 +353,31 @@ public class X509TokenTest extends Abstr
}
@org.junit.Test
+ public void testSymmetricEndorsingEncrypted() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = X509TokenTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSymmetricEndorsingEncryptedPort");
+ DoubleItPortType x509Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(x509Port, test.getPort());
+
+ if (!test.isStreaming()) {
+ x509Port.doubleIt(25);
+ }
+
+ ((java.io.Closeable)x509Port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
public void testContentEncryptedElements() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
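Review bot: The new test only shows that a call succeeds: the return value of `x509Port.doubleIt(25)` is not checked, and nothing verifies that the endorsing X.509 token was actually encrypted or that the service rejects a request that carries it unencrypted. At minimum assert the result, e.g. `org.junit.Assert.assertEquals(50, x509Port.doubleIt(25));` (assuming the service doubles its input), and consider a negative case in which the client side does not satisfy the EndorsingEncryptedSupportingTokens policy. The `if (!test.isStreaming())` guard skips the invocation silently for the streaming client, so a comment such as `// TODO: not yet supported by the streaming client`, if that is the reason, would make the gap visible. Closing the port and shutting down the bus in a `finally` block would avoid leaking them when the call throws.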
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl?rev=1564295&r1=1564294&r2=1564295&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl Tue Feb 4 13:35:12 2014
@@ -145,6 +145,24 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItSymmetricEndorsingEncryptedBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItSymmetricEndorsingEncryptedPolicy"/>
+ <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction=""/>
+ <wsdl:input>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault"/>
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:binding name="DoubleItContentEncryptedElementsBinding" type="tns:DoubleItPortType">
<wsp:PolicyReference URI="#DoubleItThumbprintPolicy"/>
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
@@ -539,7 +557,10 @@
binding="tns:DoubleItSymmetricThumbprintEndorsingBinding">
<soap:address location="http://localhost:9001/DoubleItX509SymmetricThumbprintEndorsing"/>
</wsdl:port>
- DoubleItSymmetricThumbprintEndorsingBinding
+ <wsdl:port name="DoubleItSymmetricEndorsingEncryptedPort"
+ binding="tns:DoubleItSymmetricEndorsingEncryptedBinding">
+ <soap:address location="http://localhost:9001/DoubleItX509SymmetricEndorsingEncrypted"/>
+ </wsdl:port>
<wsdl:port name="DoubleItContentEncryptedElementsPort" binding="tns:DoubleItContentEncryptedElementsBinding">
<soap:address location="http://localhost:9001/DoubleItX509ContentEncryptedElements"/>
</wsdl:port>
@@ -860,6 +881,50 @@
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItSymmetricEndorsingEncryptedPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SymmetricBinding>
+ <wsp:Policy>
+ <sp:ProtectionToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:WssX509V3Token10/>
+ <sp:RequireDerivedKeys/>
+ <sp:RequireThumbprintReference/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:ProtectionToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Strict/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:EncryptSignature/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:SymmetricBinding>
+ <sp:EndorsingEncryptedSupportingTokens>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:RequireThumbprintReference/>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:EndorsingEncryptedSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
<wsp:Policy wsu:Id="DoubleItAsymmetricIssuerSerialPolicy">
<wsp:ExactlyOne>
<wsp:All>
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml?rev=1564295&r1=1564294&r2=1564295&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml Tue Feb 4 13:35:12 2014
@@ -75,6 +75,15 @@
<entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricEndorsingEncryptedPort" createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.encryption.properties" value="bob.properties"/>
+ <entry key="ws-security.encryption.username" value="bob"/>
+ <entry key="ws-security.signature.properties" value="alice.properties"/>
+ <entry key="ws-security.signature.username" value="alice"/>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:client>
<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItContentEncryptedElementsPort" createdFromAPI="true">
<jaxws:properties>
<entry key="ws-security.encryption.properties" value="bob.properties"/>
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml?rev=1564295&r1=1564294&r2=1564295&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml Tue Feb 4 13:35:12 2014
@@ -100,6 +100,12 @@
<entry key="ws-security.signature.properties" value="bob.properties"/>
</jaxws:properties>
</jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricEndorsingEncrypted" address="http://localhost:${testutil.ports.Server}/DoubleItX509SymmetricEndorsingEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricEndorsingEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties" value="bob.properties"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="ContentEncryptedElements" address="http://localhost:${testutil.ports.Server}/DoubleItX509ContentEncryptedElements" serviceName="s:DoubleItService" endpointName="s:DoubleItContentEncryptedElementsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
<jaxws:properties>
<entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml?rev=1564295&r1=1564294&r2=1564295&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml Tue Feb 4 13:35:12 2014
@@ -108,6 +108,13 @@
<entry key="ws-security.enable.streaming" value="true"/>
</jaxws:properties>
</jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricEndorsingEncrypted" address="http://localhost:${testutil.ports.StaxServer}/DoubleItX509SymmetricEndorsingEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricEndorsingEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties" value="bob.properties"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="ContentEncryptedElements" address="http://localhost:${testutil.ports.StaxServer}/DoubleItX509ContentEncryptedElements" serviceName="s:DoubleItService" endpointName="s:DoubleItContentEncryptedElementsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
<jaxws:properties>
<entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>