Posted to commits@cxf.apache.org by co...@apache.org on 2013/05/23 15:17:32 UTC
svn commit: r1485693 [8/14] - in /cxf/trunk: ./
distribution/src/main/release/samples/sts/src/main/java/demo/wssec/client/
distribution/src/main/release/samples/sts/src/main/java/demo/wssec/server/
distribution/src/main/release/samples/sts/src/main/jav...
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java Thu May 23 13:17:26 2013
@@ -37,44 +37,46 @@ import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SpnegoContextToken;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.TokenWrapper;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSEncryptionPart;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.conversation.ConversationConstants;
-import org.apache.ws.security.conversation.ConversationException;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.message.WSSecBase;
-import org.apache.ws.security.message.WSSecDKEncrypt;
-import org.apache.ws.security.message.WSSecDKSign;
-import org.apache.ws.security.message.WSSecEncrypt;
-import org.apache.ws.security.message.WSSecEncryptedKey;
-import org.apache.ws.security.message.WSSecHeader;
-import org.apache.ws.security.message.WSSecSignature;
-import org.apache.ws.security.message.WSSecTimestamp;
-import org.apache.ws.security.message.WSSecUsernameToken;
-import org.apache.ws.security.message.token.SecurityTokenReference;
-import org.apache.ws.security.util.Base64;
-import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.derivedKey.ConversationConstants;
+import org.apache.wss4j.common.derivedKey.ConversationException;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSEncryptionPart;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.bsp.BSPEnforcer;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.message.WSSecBase;
+import org.apache.wss4j.dom.message.WSSecDKEncrypt;
+import org.apache.wss4j.dom.message.WSSecDKSign;
+import org.apache.wss4j.dom.message.WSSecEncrypt;
+import org.apache.wss4j.dom.message.WSSecEncryptedKey;
+import org.apache.wss4j.dom.message.WSSecHeader;
+import org.apache.wss4j.dom.message.WSSecSignature;
+import org.apache.wss4j.dom.message.WSSecTimestamp;
+import org.apache.wss4j.dom.message.WSSecUsernameToken;
+import org.apache.wss4j.dom.message.token.SecurityTokenReference;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.AbstractTokenWrapper;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SpnegoContextToken;
+import org.apache.wss4j.policy.model.SymmetricBinding;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
+import org.apache.xml.security.utils.Base64;
/**
*
@@ -95,14 +97,14 @@ public class SymmetricBindingHandler ext
protectionOrder = binding.getProtectionOrder();
}
- private TokenWrapper getSignatureToken() {
+ private AbstractTokenWrapper getSignatureToken() {
if (sbinding.getProtectionToken() != null) {
return sbinding.getProtectionToken();
}
return sbinding.getSignatureToken();
}
- private TokenWrapper getEncryptionToken() {
+ private AbstractTokenWrapper getEncryptionToken() {
if (sbinding.getProtectionToken() != null) {
return sbinding.getProtectionToken();
}
@@ -118,14 +120,17 @@ public class SymmetricBindingHandler ext
initializeTokens();
}
- if (sbinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
+ if (sbinding.getProtectionOrder()
+ == AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
doEncryptBeforeSign();
+ policyAsserted(SPConstants.ENCRYPT_BEFORE_SIGNING);
} else {
doSignBeforeEncrypt();
+ policyAsserted(SPConstants.SIGN_BEFORE_ENCRYPTING);
}
//REVIST - what to do with these policies?
- policyAsserted(SP11Constants.TRUST_10);
- policyAsserted(SP12Constants.TRUST_13);
+ policyAsserted(SPConstants.TRUST_10);
+ policyAsserted(SPConstants.TRUST_13);
}
private void initializeTokens() {
@@ -146,8 +151,8 @@ public class SymmetricBindingHandler ext
private void doEncryptBeforeSign() {
try {
- TokenWrapper encryptionWrapper = getEncryptionToken();
- Token encryptionToken = encryptionWrapper.getToken();
+ AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
+ AbstractToken encryptionToken = encryptionWrapper.getToken();
List<WSEncryptionPart> encrParts = getEncryptedParts();
List<WSEncryptionPart> sigParts = getSignedParts();
@@ -195,7 +200,7 @@ public class SymmetricBindingHandler ext
boolean attached = false;
- if (includeToken(encryptionToken.getInclusion())) {
+ if (includeToken(encryptionToken.getIncludeTokenType())) {
Element el = tok.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
@@ -233,12 +238,12 @@ public class SymmetricBindingHandler ext
}
//Check for signature protection and encryption of UsernameToken
- if (sbinding.isSignatureProtection()
+ if (sbinding.isEncryptSignature()
|| encryptedTokensList.size() > 0 && isRequestor()) {
List<WSEncryptionPart> secondEncrParts = new ArrayList<WSEncryptionPart>();
//Now encrypt the signature using the above token
- if (sbinding.isSignatureProtection()) {
+ if (sbinding.isEncryptSignature()) {
if (this.mainSigId != null) {
WSEncryptionPart sigPart =
new WSEncryptionPart(this.mainSigId, "Element");
@@ -248,6 +253,7 @@ public class SymmetricBindingHandler ext
if (sigConfList != null && !sigConfList.isEmpty()) {
secondEncrParts.addAll(sigConfList);
}
+ policyAsserted(SPConstants.ENCRYPT_SIGNATURE);
}
if (isRequestor()) {
@@ -256,7 +262,8 @@ public class SymmetricBindingHandler ext
Element secondRefList = null;
- if (encryptionToken.isDerivedKeys() && !secondEncrParts.isEmpty()) {
+ if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys
+ && !secondEncrParts.isEmpty()) {
secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null,
secondEncrParts);
this.addDerivedKeyElement(secondRefList);
@@ -275,10 +282,8 @@ public class SymmetricBindingHandler ext
}
private void doSignBeforeEncrypt() {
- TokenWrapper sigTokenWrapper = getSignatureToken();
- Token sigToken = sigTokenWrapper.getToken();
-
-
+ AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
+ AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
String sigTokId = null;
Element sigTokElem = null;
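Review bot: The mechanical rename turned the local `sigTokenWrapper` into `sigAbstractTokenWrapper` (and `encrTokenWrapper`/`policyTokenWrapper` likewise further down), which bakes the implementation type name into a variable the surrounding code reads as "the signature token wrapper". Keeping the old local name with the new type, `AbstractTokenWrapper sigTokenWrapper = getSignatureToken();`, would have left every call site such as `setupEncryptedKey(sigTokenWrapper, sigToken)` untouched and the diff much smaller. doSignBeforeEncrypt's body continues past the hunk.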
@@ -293,7 +298,7 @@ public class SymmetricBindingHandler ext
sigTok = getSecurityToken();
} else if (sigToken instanceof X509Token) {
if (isRequestor()) {
- sigTokId = setupEncryptedKey(sigTokenWrapper, sigToken);
+ sigTokId = setupEncryptedKey(sigAbstractTokenWrapper, sigToken);
} else {
sigTokId = getEncryptedKey();
}
@@ -310,10 +315,10 @@ public class SymmetricBindingHandler ext
}
if (sigTok == null && StringUtils.isEmpty(sigTokId)) {
- policyNotAsserted(sigTokenWrapper, "No signature token id");
+ policyNotAsserted(sigAbstractTokenWrapper, "No signature token id");
return;
} else {
- policyAsserted(sigTokenWrapper);
+ policyAsserted(sigAbstractTokenWrapper);
}
if (sigTok == null) {
sigTok = tokenStore.getToken(sigTokId);
@@ -323,7 +328,7 @@ public class SymmetricBindingHandler ext
//}
boolean tokIncluded = true;
- if (includeToken(sigToken.getInclusion())) {
+ if (includeToken(sigToken.getIncludeTokenType())) {
Element el = sigTok.getToken();
sigTokElem = cloneElement(el);
this.addEncryptedKeyElement(sigTokElem);
@@ -345,7 +350,7 @@ public class SymmetricBindingHandler ext
if (isRequestor()) {
addSupportingTokens(sigs);
if (!sigs.isEmpty()) {
- signatures.add(doSignature(sigs, sigTokenWrapper, sigToken, sigTok, tokIncluded));
+ signatures.add(doSignature(sigs, sigAbstractTokenWrapper, sigToken, sigTok, tokIncluded));
}
doEndorse();
} else {
@@ -353,13 +358,13 @@ public class SymmetricBindingHandler ext
assertSupportingTokens(sigs);
addSignatureConfirmation(sigs);
if (!sigs.isEmpty()) {
- doSignature(sigs, sigTokenWrapper, sigToken, sigTok, tokIncluded);
+ doSignature(sigs, sigAbstractTokenWrapper, sigToken, sigTok, tokIncluded);
}
}
//Encryption
- TokenWrapper encrTokenWrapper = getEncryptionToken();
- Token encrToken = encrTokenWrapper.getToken();
+ AbstractTokenWrapper encrAbstractTokenWrapper = getEncryptionToken();
+ AbstractToken encrToken = encrAbstractTokenWrapper.getToken();
SecurityToken encrTok = null;
if (sigToken.equals(encrToken)) {
//Use the same token
@@ -372,7 +377,7 @@ public class SymmetricBindingHandler ext
List<WSEncryptionPart> enc = getEncryptedParts();
//Check for signature protection
- if (sbinding.isSignatureProtection()) {
+ if (sbinding.isEncryptSignature()) {
if (mainSigId != null) {
WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
sigPart.setElement(bottomUpElement);
@@ -381,12 +386,13 @@ public class SymmetricBindingHandler ext
if (sigConfList != null && !sigConfList.isEmpty()) {
enc.addAll(sigConfList);
}
+ policyAsserted(SPConstants.ENCRYPT_SIGNATURE);
}
if (isRequestor()) {
enc.addAll(encryptedTokensList);
}
- doEncryption(encrTokenWrapper,
+ doEncryption(encrAbstractTokenWrapper,
encrTok,
tokIncluded,
enc,
@@ -396,15 +402,15 @@ public class SymmetricBindingHandler ext
}
}
- private WSSecBase doEncryptionDerived(TokenWrapper recToken,
+ private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken,
SecurityToken encrTok,
- Token encrToken,
+ AbstractToken encrToken,
boolean attached,
List<WSEncryptionPart> encrParts,
boolean atEnd) {
try {
WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(wssConfig);
- if (recToken.getToken().getSPConstants() == SP12Constants.INSTANCE) {
+ if (recToken.getToken().getVersion() == SPConstants.SPVersion.SP12) {
dkEncr.setWscVersion(ConversationConstants.VERSION_05_12);
}
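Review bot: The WS-SecureConversation version is only set when `recToken.getToken().getVersion() == SPConstants.SPVersion.SP12`; any other version (if `SPVersion` also defines an SP13 value for the WS-SecurityPolicy 1.3 namespace, which is not visible here) silently inherits whatever default WSSecDKEncrypt carries, so the DerivedKeyToken namespace depends on the builder's default rather than on the policy. Make the mapping explicit in both directions, e.g. `dkEncr.setWscVersion(recToken.getToken().getVersion() == SPConstants.SPVersion.SP11 ? ConversationConstants.VERSION_05_02 : ConversationConstants.VERSION_05_12);`, and apply the same to the identical test in doSignatureDK. doEncryptionDerived's body continues past the hunk.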
@@ -472,9 +478,9 @@ public class SymmetricBindingHandler ext
}
}
- dkEncr.setSymmetricEncAlgorithm(sbinding.getAlgorithmSuite().getEncryption());
- dkEncr.setDerivedKeyLength(sbinding.getAlgorithmSuite()
- .getEncryptionDerivedKeyLength() / 8);
+ AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
+ dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
+ dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
dkEncr.prepare(saaj.getSOAPPart());
Element encrDKTokenElem = null;
encrDKTokenElem = dkEncr.getdktElement();
@@ -492,18 +498,18 @@ public class SymmetricBindingHandler ext
return null;
}
- private WSSecBase doEncryption(TokenWrapper recToken,
+ private WSSecBase doEncryption(AbstractTokenWrapper recToken,
SecurityToken encrTok,
boolean attached,
List<WSEncryptionPart> encrParts,
boolean atEnd) {
//Do encryption
if (recToken != null && recToken.getToken() != null && encrParts.size() > 0) {
- Token encrToken = recToken.getToken();
+ AbstractToken encrToken = recToken.getToken();
policyAsserted(recToken);
policyAsserted(encrToken);
AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
- if (encrToken.isDerivedKeys()) {
+ if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
return doEncryptionDerived(recToken, encrTok, encrToken,
attached, encrParts, atEnd);
} else {
@@ -539,7 +545,7 @@ public class SymmetricBindingHandler ext
encr.setDocument(saaj.getSOAPPart());
encr.setEncryptSymmKey(false);
- encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
+ encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken) {
//Setting the AttachedReference or the UnattachedReference according to the flag
@@ -553,7 +559,7 @@ public class SymmetricBindingHandler ext
String tokenType = encrTok.getTokenType();
if (ref != null) {
SecurityTokenReference secRef =
- new SecurityTokenReference(cloneElement(ref), false);
+ new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
encr.setSecurityTokenReference(secRef);
} else if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
|| WSConstants.SAML_NS.equals(tokenType)) {
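Review bot: Replacing the `false` BSP-compliance flag with `new BSPEnforcer()` is a behaviour change, not a rename: the enforcer's defaults are not visible here, but unless it starts with rules disabled, the SecurityTokenReference cloned from the issued/SPNEGO token's attached reference is now validated against the Basic Security Profile, and a non-compliant reference that previously passed will be rejected. If the old lenient behaviour is intended, build the enforcer with its rules disabled; if enforcement is intended, reuse one enforcer configured from the message's security settings instead of a fresh default per call, and treat the identical construction in doSignature the same way. Either way a comment such as `// BSP rules are now enforced on the STR; the old code passed doBSPCompliance=false` records the decision for the next maintainer. doEncryption's body continues past the hunk.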
@@ -601,19 +607,19 @@ public class SymmetricBindingHandler ext
}
private byte[] doSignatureDK(List<WSEncryptionPart> sigs,
- TokenWrapper policyTokenWrapper,
- Token policyToken,
+ AbstractTokenWrapper policyAbstractTokenWrapper,
+ AbstractToken policyToken,
SecurityToken tok,
boolean included) throws WSSecurityException {
Document doc = saaj.getSOAPPart();
WSSecDKSign dkSign = new WSSecDKSign(wssConfig);
- if (policyTokenWrapper.getToken().getSPConstants() == SP12Constants.INSTANCE) {
+ if (policyAbstractTokenWrapper.getToken().getVersion() == SPConstants.SPVersion.SP12) {
dkSign.setWscVersion(ConversationConstants.VERSION_05_12);
}
//Check for whether the token is attached in the message or not
boolean attached = false;
- if (includeToken(policyToken.getInclusion())) {
+ if (includeToken(policyToken.getIncludeTokenType())) {
attached = true;
}
@@ -627,7 +633,8 @@ public class SymmetricBindingHandler ext
if (ref != null) {
dkSign.setExternalKey(tok.getSecret(), cloneElement(ref));
- } else if (!isRequestor() && policyToken.isDerivedKeys() && tok.getSHA1() != null) {
+ } else if (!isRequestor() && policyToken.getDerivedKeys()
+ == DerivedKeys.RequireDerivedKeys && tok.getSHA1() != null) {
// If the Encrypted key used to create the derived key is not
// attached use key identifier as defined in WSS1.1 section
// 7.7 Encrypted Key reference
@@ -651,7 +658,8 @@ public class SymmetricBindingHandler ext
//Set the algo info
dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
- dkSign.setDerivedKeyLength(sbinding.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8);
+ AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
+ dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
if (tok.getSHA1() != null) {
//Set the value type of the reference
String tokenType = tok.getTokenType();
@@ -679,10 +687,10 @@ public class SymmetricBindingHandler ext
try {
dkSign.prepare(doc, secHeader);
} catch (ConversationException e) {
- throw new WSSecurityException(e.getMessage(), e);
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
}
- if (sbinding.isTokenProtection()) {
+ if (sbinding.isProtectTokens()) {
String sigTokId = tok.getId();
if (included) {
sigTokId = tok.getWsuId();
@@ -694,6 +702,7 @@ public class SymmetricBindingHandler ext
}
}
sigs.add(new WSEncryptionPart(sigTokId));
+ policyAsserted(SPConstants.PROTECT_TOKENS);
}
dkSign.setParts(sigs);
@@ -717,12 +726,12 @@ public class SymmetricBindingHandler ext
}
private byte[] doSignature(List<WSEncryptionPart> sigs,
- TokenWrapper policyTokenWrapper,
- Token policyToken,
+ AbstractTokenWrapper policyAbstractTokenWrapper,
+ AbstractToken policyToken,
SecurityToken tok,
boolean included) throws WSSecurityException {
- if (policyToken.isDerivedKeys()) {
- return doSignatureDK(sigs, policyTokenWrapper, policyToken, tok, included);
+ if (policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ return doSignatureDK(sigs, policyAbstractTokenWrapper, policyToken, tok, included);
} else {
WSSecSignature sig = new WSSecSignature(wssConfig);
// If a EncryptedKeyToken is used, set the correct value type to
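Review bot: `policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys` is narrower than the boolean `isDerivedKeys()` it replaces: if the `DerivedKeys` enum carries further values (WS-SecurityPolicy also defines RequireExplicitDerivedKeys and RequireImpliedDerivedKeys), a token configured with one of them now takes the plain-signature branch without any warning, and the same comparison is repeated in doSignatureDK, doEncryption and the doEncryptBeforeSign path. Centralise the decision in one helper, e.g. `private static boolean requiresDerivedKeys(AbstractToken t) { return t.getDerivedKeys() == DerivedKeys.RequireDerivedKeys; }`, and have it fail or log explicitly for the unsupported variants rather than silently downgrading to a non-derived key. doSignature's body continues past the hunk.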
@@ -754,7 +763,7 @@ public class SymmetricBindingHandler ext
if (ref != null) {
SecurityTokenReference secRef =
- new SecurityTokenReference(cloneElement(ref), false);
+ new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
sig.setSecurityTokenReference(secRef);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
@@ -791,8 +800,9 @@ public class SymmetricBindingHandler ext
sigTokId = tok.getId();
}
- if (included && sbinding.isTokenProtection()) {
+ if (included && sbinding.isProtectTokens()) {
sigs.add(new WSEncryptionPart(sigTokId));
+ policyAsserted(SPConstants.PROTECT_TOKENS);
}
sig.setCustomTokenId(sigTokId);
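Review bot: `policyAsserted(SPConstants.PROTECT_TOKENS)` is only reached here when `included && sbinding.isProtectTokens()`, whereas the derived-key path in doSignatureDK asserts it whenever `isProtectTokens()` is true, included or not. With a ProtectTokens policy and a token that is not included in the message, this path never marks the assertion asserted and the outbound policy check may report it as unsatisfied, while the derived-key path for the same policy passes. Pick one rule for both paths: either assert inside a plain `if (sbinding.isProtectTokens())` and only add the signed part when `included`, or leave it unasserted in both paths when the token is external. doSignature's body continues past the hunk.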
@@ -802,7 +812,7 @@ public class SymmetricBindingHandler ext
if (sbinding.getProtectionToken() != null) {
crypto = getEncryptionCrypto(sbinding.getProtectionToken());
} else {
- crypto = getSignatureCrypto(policyTokenWrapper);
+ crypto = getSignatureCrypto(policyAbstractTokenWrapper);
}
this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
sig.prepare(saaj.getSOAPPart(), crypto, secHeader);
@@ -822,7 +832,7 @@ public class SymmetricBindingHandler ext
}
}
- private String setupEncryptedKey(TokenWrapper wrapper, Token sigToken) throws WSSecurityException {
+ private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken) throws WSSecurityException {
WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(wrapper, sigToken);
String id = encrKey.getId();
byte[] secret = encrKey.getEphemeralKey();
@@ -944,14 +954,16 @@ public class SymmetricBindingHandler ext
}
private boolean hasSignedPartsOrElements() {
- Collection<AssertionInfo> ais = aim.getAssertionInfo(SP12Constants.SIGNED_PARTS);
- if (ais != null && ais.size() > 0) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(SPConstants.SIGNED_PARTS);
+ if (ais.size() > 0) {
return true;
}
- ais = aim.getAssertionInfo(SP12Constants.SIGNED_ELEMENTS);
- if (ais != null && ais.size() > 0) {
+
+ ais = getAllAssertionsByLocalname(SPConstants.SIGNED_ELEMENTS);
+ if (ais.size() > 0) {
return true;
}
+
return false;
}
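Review bot: `hasSignedPartsOrElements` tests `ais.size() > 0` on each collection while the TransportBindingHandler changes in this same commit use `!ais.isEmpty()` for the same `getAllAssertionsByLocalname` result; pick one idiom. The two lookups and the trailing `return false` collapse to a single expression: `return !getAllAssertionsByLocalname(SPConstants.SIGNED_PARTS).isEmpty()` / `|| !getAllAssertionsByLocalname(SPConstants.SIGNED_ELEMENTS).isEmpty();`. The rewrite also drops the old null check, which is only safe if getAllAssertionsByLocalname is guaranteed to return an empty collection rather than null — worth stating in that helper's Javadoc, since it is not visible here.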
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Thu May 23 13:17:26 2013
@@ -33,47 +33,48 @@ import javax.xml.xpath.XPathExpressionEx
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
-import org.apache.cxf.ws.security.policy.model.Header;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
-import org.apache.cxf.ws.security.policy.model.SpnegoContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.TokenWrapper;
-import org.apache.cxf.ws.security.policy.model.TransportBinding;
-import org.apache.cxf.ws.security.policy.model.TransportToken;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSEncryptionPart;
-import org.apache.ws.security.WSPasswordCallback;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.conversation.ConversationConstants;
-import org.apache.ws.security.message.WSSecDKSign;
-import org.apache.ws.security.message.WSSecEncryptedKey;
-import org.apache.ws.security.message.WSSecHeader;
-import org.apache.ws.security.message.WSSecSignature;
-import org.apache.ws.security.message.WSSecTimestamp;
-import org.apache.ws.security.message.WSSecUsernameToken;
-import org.apache.ws.security.message.token.SecurityTokenReference;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.derivedKey.ConversationConstants;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSEncryptionPart;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.bsp.BSPEnforcer;
+import org.apache.wss4j.dom.message.WSSecDKSign;
+import org.apache.wss4j.dom.message.WSSecEncryptedKey;
+import org.apache.wss4j.dom.message.WSSecHeader;
+import org.apache.wss4j.dom.message.WSSecSignature;
+import org.apache.wss4j.dom.message.WSSecTimestamp;
+import org.apache.wss4j.dom.message.WSSecUsernameToken;
+import org.apache.wss4j.dom.message.token.SecurityTokenReference;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
+import org.apache.wss4j.policy.model.Header;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SignedElements;
+import org.apache.wss4j.policy.model.SignedParts;
+import org.apache.wss4j.policy.model.SpnegoContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.TransportBinding;
+import org.apache.wss4j.policy.model.TransportToken;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;;
/**
*
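Review bot: The last import line, `import org.apache.wss4j.policy.model.X509Token;;`, carries a doubled semicolon; javac tolerates the stray empty declaration, but a Checkstyle run will typically flag it and it reads as a paste error. Drop the extra `;`.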
@@ -91,9 +92,9 @@ public class TransportBindingHandler ext
this.tbinding = binding;
}
- private void addSignedSupportingTokens(SupportingToken sgndSuppTokens)
+ private void addSignedSupportingTokens(SupportingTokens sgndSuppTokens)
throws Exception {
- for (Token token : sgndSuppTokens.getTokens()) {
+ for (AbstractToken token : sgndSuppTokens.getTokens()) {
if (token instanceof UsernameToken) {
WSSecUsernameToken utBuilder = addUsernameToken((UsernameToken)token);
if (utBuilder != null) {
@@ -103,12 +104,12 @@ public class TransportBindingHandler ext
} else if (token instanceof IssuedToken || token instanceof KerberosToken) {
SecurityToken secTok = getSecurityToken();
- if (includeToken(token.getInclusion())) {
+ if (includeToken(token.getIncludeTokenType())) {
//Add the token
addEncryptedKeyElement(cloneElement(secTok.getToken()));
}
} else if (token instanceof SamlToken) {
- AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
+ SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
if (assertionWrapper != null) {
addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
}
@@ -133,7 +134,7 @@ public class TransportBindingHandler ext
if (this.isRequestor()) {
TransportToken transportTokenWrapper = tbinding.getTransportToken();
if (transportTokenWrapper != null) {
- Token transportToken = transportTokenWrapper.getToken();
+ AbstractToken transportToken = transportTokenWrapper.getToken();
if (transportToken instanceof IssuedToken) {
SecurityToken secToken = getSecurityToken();
if (secToken == null) {
@@ -142,7 +143,7 @@ public class TransportBindingHandler ext
} else {
policyAsserted(transportToken);
}
- if (includeToken(transportToken.getInclusion())) {
+ if (includeToken(transportToken.getIncludeTokenType())) {
Element el = secToken.getToken();
addEncryptedKeyElement(cloneElement(el));
}
@@ -168,10 +169,10 @@ public class TransportBindingHandler ext
private void handleNonEndorsingSupportingTokens() throws Exception {
Collection<AssertionInfo> ais;
- ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
- if (ais != null) {
+ ais = getAllAssertionsByLocalname(SPConstants.SIGNED_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
- SupportingToken sgndSuppTokens = (SupportingToken)ai.getAssertion();
+ SupportingTokens sgndSuppTokens = (SupportingTokens)ai.getAssertion();
if (sgndSuppTokens != null) {
addSignedSupportingTokens(sgndSuppTokens);
}
@@ -179,10 +180,10 @@ public class TransportBindingHandler ext
}
}
- ais = aim.get(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
- if (ais != null) {
+ ais = getAllAssertionsByLocalname(SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
- SupportingToken sgndSuppTokens = (SupportingToken)ai.getAssertion();
+ SupportingTokens sgndSuppTokens = (SupportingTokens)ai.getAssertion();
if (sgndSuppTokens != null) {
addSignedSupportingTokens(sgndSuppTokens);
}
@@ -190,10 +191,10 @@ public class TransportBindingHandler ext
}
}
- ais = aim.get(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
- if (ais != null) {
+ ais = getAllAssertionsByLocalname(SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
- SupportingToken encrSuppTokens = (SupportingToken)ai.getAssertion();
+ SupportingTokens encrSuppTokens = (SupportingTokens)ai.getAssertion();
if (encrSuppTokens != null) {
addSignedSupportingTokens(encrSuppTokens);
}
@@ -201,10 +202,10 @@ public class TransportBindingHandler ext
}
}
- ais = aim.get(SP12Constants.SUPPORTING_TOKENS);
- if (ais != null) {
+ ais = getAllAssertionsByLocalname(SPConstants.SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
- SupportingToken suppTokens = (SupportingToken)ai.getAssertion();
+ SupportingTokens suppTokens = (SupportingTokens)ai.getAssertion();
if (suppTokens != null && suppTokens.getTokens() != null
&& suppTokens.getTokens().size() > 0) {
handleSupportingTokens(suppTokens, false);
@@ -220,58 +221,58 @@ public class TransportBindingHandler ext
private void handleEndorsingSupportingTokens() throws Exception {
Collection<AssertionInfo> ais;
- ais = aim.get(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
- if (ais != null) {
- SupportingToken sgndSuppTokens = null;
+ ais = getAllAssertionsByLocalname(SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
+ SupportingTokens sgndSuppTokens = null;
for (AssertionInfo ai : ais) {
- sgndSuppTokens = (SupportingToken)ai.getAssertion();
+ sgndSuppTokens = (SupportingTokens)ai.getAssertion();
ai.setAsserted(true);
}
if (sgndSuppTokens != null) {
- for (Token token : sgndSuppTokens.getTokens()) {
+ for (AbstractToken token : sgndSuppTokens.getTokens()) {
handleEndorsingToken(token, sgndSuppTokens);
}
}
}
- ais = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
- if (ais != null) {
- SupportingToken endSuppTokens = null;
+ ais = getAllAssertionsByLocalname(SPConstants.ENDORSING_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
+ SupportingTokens endSuppTokens = null;
for (AssertionInfo ai : ais) {
- endSuppTokens = (SupportingToken)ai.getAssertion();
+ endSuppTokens = (SupportingTokens)ai.getAssertion();
ai.setAsserted(true);
}
if (endSuppTokens != null) {
- for (Token token : endSuppTokens.getTokens()) {
+ for (AbstractToken token : endSuppTokens.getTokens()) {
handleEndorsingToken(token, endSuppTokens);
}
}
}
- ais = aim.get(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
- if (ais != null) {
- SupportingToken endSuppTokens = null;
+ ais = getAllAssertionsByLocalname(SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
+ SupportingTokens endSuppTokens = null;
for (AssertionInfo ai : ais) {
- endSuppTokens = (SupportingToken)ai.getAssertion();
+ endSuppTokens = (SupportingTokens)ai.getAssertion();
ai.setAsserted(true);
}
if (endSuppTokens != null) {
- for (Token token : endSuppTokens.getTokens()) {
+ for (AbstractToken token : endSuppTokens.getTokens()) {
handleEndorsingToken(token, endSuppTokens);
}
}
}
- ais = aim.get(SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
- if (ais != null) {
- SupportingToken endSuppTokens = null;
+ ais = getAllAssertionsByLocalname(SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
+ SupportingTokens endSuppTokens = null;
for (AssertionInfo ai : ais) {
- endSuppTokens = (SupportingToken)ai.getAssertion();
+ endSuppTokens = (SupportingTokens)ai.getAssertion();
ai.setAsserted(true);
}
if (endSuppTokens != null) {
- for (Token token : endSuppTokens.getTokens()) {
+ for (AbstractToken token : endSuppTokens.getTokens()) {
handleEndorsingToken(token, endSuppTokens);
}
}
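Review bot: In each of the four blocks only the last `SupportingTokens` in `ais` is ever processed, because the loop overwrites `sgndSuppTokens`/`endSuppTokens` on every iteration and calls `ai.setAsserted(true)` on all of them before the token loop runs once. Every earlier endorsing-token assertion is therefore reported as asserted although no endorsing signature was produced for it, and since `getAllAssertionsByLocalname` now merges assertions across policy namespaces the chance of more than one entry is higher than with the old SP12-only `aim.get` lookup. Handle the tokens inside the `for (AssertionInfo ai : ais)` loop; the four near-identical blocks then collapse into one helper as sketched below. The method's closing brace lies past the hunk.
```java
    private void handleEndorsingSupportingTokens() throws Exception {
        handleEndorsingTokens(SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
        handleEndorsingTokens(SPConstants.ENDORSING_SUPPORTING_TOKENS);
        handleEndorsingTokens(SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
        handleEndorsingTokens(SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
    }

    // Process every SupportingTokens assertion with this local name, not just the last one,
    // so an assertion is only marked asserted once its tokens have actually been handled.
    private void handleEndorsingTokens(String localName) throws Exception {
        for (AssertionInfo ai : getAllAssertionsByLocalname(localName)) {
            SupportingTokens suppTokens = (SupportingTokens)ai.getAssertion();
            if (suppTokens != null) {
                for (AbstractToken token : suppTokens.getTokens()) {
                    handleEndorsingToken(token, suppTokens);
                }
            }
            ai.setAsserted(true);
        }
    }
```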
@@ -279,7 +280,7 @@ public class TransportBindingHandler ext
}
private void handleEndorsingToken(
- Token token, SupportingToken wrapper
+ AbstractToken token, SupportingTokens wrapper
) throws Exception {
if (token instanceof IssuedToken
|| token instanceof SecureConversationToken
@@ -291,7 +292,7 @@ public class TransportBindingHandler ext
|| token instanceof KeyValueToken) {
addSig(doX509TokenSignature(token, wrapper));
} else if (token instanceof SamlToken) {
- AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
+ SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
assertionWrapper.toDOM(saaj.getSOAPPart());
storeAssertionAsSecurityToken(assertionWrapper);
addSig(doIssuedTokenSignature(token, wrapper));
@@ -315,7 +316,7 @@ public class TransportBindingHandler ext
}
- private byte[] doX509TokenSignature(Token token, SupportingToken wrapper)
+ private byte[] doX509TokenSignature(AbstractToken token, SupportingTokens wrapper)
throws Exception {
Document doc = saaj.getSOAPPart();
@@ -323,7 +324,7 @@ public class TransportBindingHandler ext
List<WSEncryptionPart> sigParts =
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
- if (token.isDerivedKeys()) {
+ if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(wrapper, token);
Element bstElem = encrKey.getBinarySecurityTokenElement();
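Review bot: The derived-key test now matches only `DerivedKeys.RequireDerivedKeys`, so a token carrying `RequireImpliedDerivedKeys` or `RequireExplicitDerivedKeys` falls through to the non-derived signature path; if the old `isDerivedKeys()` flag also covered those variants this narrows the behaviour and is worth confirming, in which case a small helper such as `private static boolean isDerivedKeys(AbstractToken token)` that accepts all three enum values would keep the three call sites in step. The same comparison appears in the hunks ending at L776 and L1048. doX509TokenSignature's body starts above this hunk and continues below it.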
@@ -334,9 +335,10 @@ public class TransportBindingHandler ext
WSSecDKSign dkSig = new WSSecDKSign(wssConfig);
- dkSig.setSigCanonicalization(binding.getAlgorithmSuite().getInclusiveC14n());
+ dkSig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
dkSig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
- dkSig.setDerivedKeyLength(binding.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8);
+ AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+ dkSig.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
dkSig.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
@@ -373,17 +375,20 @@ public class TransportBindingHandler ext
}
private byte[] doIssuedTokenSignature(
- Token token, SupportingToken wrapper
+ AbstractToken token, SupportingTokens wrapper
) throws Exception {
boolean tokenIncluded = false;
// Get the issued token
SecurityToken secTok = getSecurityToken();
if (secTok == null) {
LOG.fine("The retrieved SecurityToken was null");
- throw new WSSecurityException("The retrieved SecurityToken was null");
+ Exception ex = new Exception("The retrieved SecurityToken was null");
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILURE, ex
+ );
}
- if (includeToken(token.getInclusion())) {
+ if (includeToken(token.getIncludeTokenType())) {
//Add the token
Element el = cloneElement(secTok.getToken());
//if (securityTok != null) {
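Review bot: A throw-away `new Exception(...)` is created only to carry the message into `WSSecurityException`, which gives callers a cause that was never thrown and a message that is logged at FINE a line earlier and then repeated; if the new `WSSecurityException` offers a constructor taking the error code and a message id, that would express this without the wrapper, otherwise a comment such as `// wrap in a plain Exception only to surface the message; no underlying cause` would explain the construct. doIssuedTokenSignature continues past the end of this hunk.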
@@ -399,7 +404,7 @@ public class TransportBindingHandler ext
List<WSEncryptionPart> sigParts =
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
- if (token.isDerivedKeys()) {
+ if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
return doDerivedKeySignature(tokenIncluded, secTok, token, sigParts);
} else {
return doSignature(tokenIncluded, secTok, token, wrapper, sigParts);
@@ -409,7 +414,7 @@ public class TransportBindingHandler ext
private byte[] doDerivedKeySignature(
boolean tokenIncluded,
SecurityToken secTok,
- Token token,
+ AbstractToken token,
List<WSEncryptionPart> sigParts
) throws Exception {
//Do Signature with derived keys
@@ -436,8 +441,9 @@ public class TransportBindingHandler ext
// Set the algo info
dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
- dkSign.setDerivedKeyLength(algorithmSuite.getSignatureDerivedKeyLength() / 8);
- if (token.getSPConstants() == SP12Constants.INSTANCE) {
+ AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+ dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
+ if (token.getVersion() == SPConstants.SPVersion.SP12) {
dkSign.setWscVersion(ConversationConstants.VERSION_05_12);
}
Document doc = saaj.getSOAPPart();
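Review bot: The derived key length is now read from `binding.getAlgorithmSuite()` while the line before it still uses the local `algorithmSuite` (declared above this hunk), so if that local is not the binding's suite the key length and the signature algorithm come from different suites. The removed line took both from `algorithmSuite`; `AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();` keeps the two consistent. doDerivedKeySignature starts and ends outside this hunk.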
@@ -457,8 +463,8 @@ public class TransportBindingHandler ext
private byte[] doSignature(
boolean tokenIncluded,
SecurityToken secTok,
- Token token,
- TokenWrapper wrapper,
+ AbstractToken token,
+ SupportingTokens wrapper,
List<WSEncryptionPart> sigParts
) throws Exception {
WSSecSignature sig = new WSSecSignature(wssConfig);
@@ -473,7 +479,7 @@ public class TransportBindingHandler ext
if (ref != null) {
SecurityTokenReference secRef =
- new SecurityTokenReference(cloneElement(ref), false);
+ new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
sig.setSecurityTokenReference(secRef);
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (token instanceof UsernameToken) {
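Review bot: The replacement of the `false` argument with `new BSPEnforcer()` is not a pure API rename: the old flag disabled BSP compliance checking on the cloned reference, whereas a default `BSPEnforcer` presumably enforces the BSP rules, so a non-compliant SecurityTokenReference obtained from the issued token would now be rejected here. Stricter checking is reasonable, but it deserves a comment stating that the change is intentional, e.g. `// BSP rules are now enforced on the cloned STR (previously disabled)`, or `new BSPEnforcer(true)` if the earlier leniency must be kept. doSignature starts above this hunk and continues below it.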
@@ -520,7 +526,7 @@ public class TransportBindingHandler ext
String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
uname = (String)message.getContextualProperty(userNameKey);
}
- String password = getPassword(uname, token, WSPasswordCallback.SIGNATURE);
+ String password = getPassword(uname, token, WSPasswordCallback.Usage.SIGNATURE);
if (password == null) {
password = "";
}
@@ -531,7 +537,7 @@ public class TransportBindingHandler ext
sig.setSecretKey(secTok.getSecret());
sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
}
- sig.setSigCanonicalization(binding.getAlgorithmSuite().getInclusiveC14n());
+ sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
Document doc = saaj.getSOAPPart();
sig.prepare(doc, crypto, secHeader);
@@ -555,8 +561,8 @@ public class TransportBindingHandler ext
* Identifies the portions of the message to be signed/encrypted.
*/
private List<WSEncryptionPart> signPartsAndElements(
- SignedEncryptedParts signedParts,
- SignedEncryptedElements signedElements
+ SignedParts signedParts,
+ SignedElements signedElements
) throws SOAPException {
List<WSEncryptionPart> result = new ArrayList<WSEncryptionPart>();
@@ -594,8 +600,7 @@ public class TransportBindingHandler ext
try {
result.addAll(
this.getElements(
- "Element", signedElements.getXPathExpressions(),
- signedElements.getDeclaredNamespaces(), found, true
+ "Element", signedElements.getXPaths(), found, true
)
);
} catch (XPathExpressionException e) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/WSSecurityTokenHolder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/WSSecurityTokenHolder.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/WSSecurityTokenHolder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/WSSecurityTokenHolder.java Thu May 23 13:17:26 2013
@@ -20,8 +20,8 @@
package org.apache.cxf.ws.security.wss4j.policyhandlers;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.message.WSSecBase;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.message.WSSecBase;
/**
*
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java Thu May 23 13:17:26 2013
@@ -22,6 +22,8 @@ package org.apache.cxf.ws.security.wss4j
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
import java.util.List;
import javax.xml.namespace.QName;
@@ -33,27 +35,31 @@ import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.EncryptionToken;
-import org.apache.cxf.ws.security.policy.model.Layout;
-import org.apache.cxf.ws.security.policy.model.ProtectionToken;
-import org.apache.cxf.ws.security.policy.model.SignatureToken;
-import org.apache.cxf.ws.security.policy.model.SymmetricAsymmetricBindingBase;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.TokenWrapper;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.neethi.Assertion;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.PKIPathSecurity;
-import org.apache.ws.security.message.token.Timestamp;
-import org.apache.ws.security.message.token.X509Security;
-import org.apache.ws.security.saml.SAMLKeyInfo;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.PKIPathSecurity;
+import org.apache.wss4j.dom.message.token.Timestamp;
+import org.apache.wss4j.dom.message.token.X509Security;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
+import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding.ProtectionOrder;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.AbstractTokenWrapper;
+import org.apache.wss4j.policy.model.EncryptionToken;
+import org.apache.wss4j.policy.model.Layout;
+import org.apache.wss4j.policy.model.ProtectionToken;
+import org.apache.wss4j.policy.model.SignatureToken;
+import org.apache.wss4j.policy.model.X509Token;
/**
* Some abstract functionality for validating a security binding.
@@ -78,7 +84,7 @@ public abstract class AbstractBindingPol
Message message
) {
List<WSSecurityEngineResult> timestampResults =
- WSS4JUtils.fetchAllActionResults(results, WSConstants.TS);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.TS);
// Check whether we received a timestamp and compare it to the policy
if (includeTimestamp && timestampResults.size() != 1) {
@@ -150,7 +156,7 @@ public abstract class AbstractBindingPol
* Check various properties set in the policy of the binding
*/
protected boolean checkProperties(
- SymmetricAsymmetricBindingBase binding,
+ AbstractSymmetricAsymmetricBinding binding,
AssertionInfo ai,
AssertionInfoMap aim,
List<WSSecurityEngineResult> results,
@@ -162,15 +168,23 @@ public abstract class AbstractBindingPol
if (!algorithmValidator.validatePolicy(ai, binding.getAlgorithmSuite())) {
return false;
}
+ assertPolicy(aim, binding.getAlgorithmSuite());
+ String namespace = binding.getAlgorithmSuite().getAlgorithmSuiteType().getNamespace();
+ String name = binding.getAlgorithmSuite().getAlgorithmSuiteType().getName();
+ Collection<AssertionInfo> algSuiteAis = aim.get(new QName(namespace, name));
+ if (algSuiteAis != null) {
+ for (AssertionInfo algSuiteAi : algSuiteAis) {
+ algSuiteAi.setAsserted(true);
+ }
+ }
// Check the IncludeTimestamp
if (!validateTimestamp(binding.isIncludeTimestamp(), false, results, signedResults, message)) {
String error = "Received Timestamp does not match the requirements";
- notAssertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP, error);
ai.setNotAsserted(error);
return false;
}
- assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
+ assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
// Check the Layout
Layout layout = binding.getLayout();
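Review bot: The five added lines that look up `new QName(namespace, name)` and mark each AssertionInfo asserted duplicate the existing `assertPolicy(AssertionInfoMap, QName)` helper visible further down this file; `assertPolicy(aim, new QName(namespace, name));` does the same with the null handling in one place. Separately, the removed `notAssertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP, error)` call means the IncludeTimestamp assertion is no longer explicitly marked with the failure reason when the timestamp check fails; if that is intentional because the binding assertion's error suffices, a one-line comment saying so would help. checkProperties starts above this hunk and continues below it.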
@@ -182,20 +196,27 @@ public abstract class AbstractBindingPol
return false;
}
assertPolicy(aim, layout);
+ assertPolicy(aim, SPConstants.LAYOUT_LAX);
+ assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
+ assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
+ assertPolicy(aim, SPConstants.LAYOUT_STRICT);
// Check the EntireHeaderAndBodySignatures property
- if (binding.isEntireHeadersAndBodySignatures()
+ if (binding.isOnlySignEntireHeadersAndBody()
&& !validateEntireHeaderAndBodySignatures(signedResults)) {
String error = "OnlySignEntireHeadersAndBody does not match the requirements";
ai.setNotAsserted(error);
return false;
}
+ assertPolicy(aim, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
// Check whether the signatures were encrypted or not
- if (binding.isSignatureProtection() && !isSignatureEncrypted(results)) {
+ if (binding.isEncryptSignature() && !isSignatureEncrypted(results)) {
ai.setNotAsserted("The signature is not protected");
return false;
}
+ assertPolicy(aim, SPConstants.ENCRYPT_SIGNATURE);
+ assertPolicy(aim, SPConstants.PROTECT_TOKENS);
/*
// Check ProtectTokens
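Review bot: `assertPolicy(aim, SPConstants.PROTECT_TOKENS)` is called unconditionally even though the ProtectTokens check appears to be commented out directly below, so a policy that requires ProtectTokens is reported as satisfied without any verification that the tokens were covered by a signature. Either the assertion should stay tied to a real check or it needs a comment such as `// ProtectTokens is not validated here; asserted to avoid a false policy failure (see the disabled check below)` so the gap is visible. The unconditional asserting of all four Layout localnames right after `assertPolicy(aim, layout)` would also benefit from a comment explaining why alternatives other than the validated one are marked asserted. The enclosing method continues past the end of this hunk.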
@@ -212,18 +233,24 @@ public abstract class AbstractBindingPol
* Check the Protection Order of the binding
*/
protected boolean checkProtectionOrder(
- SymmetricAsymmetricBindingBase binding,
+ AbstractSymmetricAsymmetricBinding binding,
+ AssertionInfoMap aim,
AssertionInfo ai,
List<WSSecurityEngineResult> results
) {
- if (binding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
- if (!binding.isSignatureProtection() && isSignedBeforeEncrypted(results)) {
+ ProtectionOrder protectionOrder = binding.getProtectionOrder();
+ if (protectionOrder == ProtectionOrder.EncryptBeforeSigning) {
+ if (!binding.isProtectTokens() && isSignedBeforeEncrypted(results)) {
ai.setNotAsserted("Not encrypted before signed");
return false;
}
- } else if (isEncryptedBeforeSigned(results)) {
- ai.setNotAsserted("Not signed before encrypted");
- return false;
+ assertPolicy(aim, SPConstants.ENCRYPT_BEFORE_SIGNING);
+ } else if (protectionOrder == ProtectionOrder.SignBeforeEncrypting) {
+ if (isEncryptedBeforeSigned(results)) {
+ ai.setNotAsserted("Not signed before encrypted");
+ return false;
+ }
+ assertPolicy(aim, SPConstants.SIGN_BEFORE_ENCRYPTING);
}
return true;
}
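Review bot: The EncryptBeforeSigning branch now exempts bindings with `isProtectTokens()` whereas the removed line exempted `isSignatureProtection()`, whose new-API counterpart is `isEncryptSignature()` (used that way a few hunks above); unless the switch is deliberate, `if (!binding.isEncryptSignature() && isSignedBeforeEncrypted(results))` preserves the original rule that an encrypted signature cannot be ordering-checked. Note also that a protection order other than the two enum values now returns true without asserting either localname, which is fine if the enum is exhaustive but worth a comment.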
@@ -284,14 +311,15 @@ public abstract class AbstractBindingPol
* Check the derived key requirement.
*/
protected boolean checkDerivedKeys(
- TokenWrapper tokenWrapper,
+ AbstractTokenWrapper tokenWrapper,
boolean hasDerivedKeys,
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Token token = tokenWrapper.getToken();
+ AbstractToken token = tokenWrapper.getToken();
+ boolean isDerivedKeys = token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys;
// If derived keys are not required then just return
- if (!(token instanceof X509Token && token.isDerivedKeys())) {
+ if (!(token instanceof X509Token && isDerivedKeys)) {
return true;
}
if (tokenWrapper instanceof EncryptionToken
@@ -381,8 +409,8 @@ public abstract class AbstractBindingPol
}
} else if (actInt.intValue() == WSConstants.ST_SIGNED
|| actInt.intValue() == WSConstants.ST_UNSIGNED) {
- AssertionWrapper assertionWrapper =
- (AssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ SamlAssertionWrapper assertionWrapper =
+ (SamlAssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
if (samlKeyInfo != null) {
X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
@@ -472,6 +500,17 @@ public abstract class AbstractBindingPol
}
}
+ protected boolean assertPolicy(AssertionInfoMap aim, String localname) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return true;
+ }
+ return false;
+ }
+
protected boolean assertPolicy(AssertionInfoMap aim, QName q) {
Collection<AssertionInfo> ais = aim.get(q);
if (ais != null && !ais.isEmpty()) {
@@ -491,4 +530,25 @@ public abstract class AbstractBindingPol
}
}
}
+
+ protected Collection<AssertionInfo> getAllAssertionsByLocalname(
+ AssertionInfoMap aim,
+ String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+ if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+ Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+ if (sp11Ais != null) {
+ ais.addAll(sp11Ais);
+ }
+ if (sp12Ais != null) {
+ ais.addAll(sp12Ais);
+ }
+ return ais;
+ }
+
+ return Collections.emptySet();
+ }
}
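Review bot: `getAllAssertionsByLocalname` and the localname overload of `assertPolicy` are added verbatim to this class and again to AbstractTokenPolicyValidator in the hunk ending at L1364, so any later fix to namespace handling has to be made twice; a shared package-private utility would avoid the drift. The body could also be shortened to unconditionally build the `HashSet` from the two non-null collections and return it, which removes the compound emptiness test while keeping the `Collections.emptySet()` result for the no-match case only if callers rely on that exact instance.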
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java Thu May 23 13:17:26 2013
@@ -24,12 +24,12 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.wss4j.SAMLUtils;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.saml.SAMLKeyInfo;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.saml.DOMSAMLUtil;
+import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
+import org.apache.wss4j.policy.model.AbstractToken;
/**
* Some abstract functionality for validating SAML Assertions
@@ -43,10 +43,10 @@ public abstract class AbstractSamlPolicy
* @return true if the token is required
*/
protected boolean isTokenRequired(
- Token token,
+ AbstractToken token,
Message message
) {
- IncludeTokenType inclusion = token.getInclusion();
+ IncludeTokenType inclusion = token.getIncludeTokenType();
if (inclusion == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
return false;
} else if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
@@ -73,11 +73,11 @@ public abstract class AbstractSamlPolicy
* @param signedResults a list of all of the signed results
*/
public boolean checkHolderOfKey(
- AssertionWrapper assertionWrapper,
+ SamlAssertionWrapper assertionWrapper,
List<WSSecurityEngineResult> signedResults,
Certificate[] tlsCerts
) {
- return SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts);
+ return DOMSAMLUtil.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts);
}
/**
@@ -93,7 +93,7 @@ public abstract class AbstractSamlPolicy
List<WSSecurityEngineResult> signedResults,
Certificate[] tlsCerts
) {
- return SAMLUtils.compareCredentials(subjectKeyInfo, signedResults, tlsCerts);
+ return DOMSAMLUtil.compareCredentials(subjectKeyInfo, signedResults, tlsCerts);
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -45,19 +45,22 @@ import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.helpers.MapNamespaceContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
-import org.apache.cxf.ws.security.policy.model.Header;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityEngine;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.KerberosSecurity;
-import org.apache.ws.security.message.token.PKIPathSecurity;
-import org.apache.ws.security.message.token.X509Security;
-import org.apache.ws.security.saml.SAMLKeyInfo;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
+import org.apache.wss4j.dom.WSSecurityEngine;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.KerberosSecurity;
+import org.apache.wss4j.dom.message.token.PKIPathSecurity;
+import org.apache.wss4j.dom.message.token.X509Security;
+import org.apache.wss4j.policy.model.EncryptedElements;
+import org.apache.wss4j.policy.model.EncryptedParts;
+import org.apache.wss4j.policy.model.Header;
+import org.apache.wss4j.policy.model.RequiredElements;
+import org.apache.wss4j.policy.model.SignedElements;
+import org.apache.wss4j.policy.model.SignedParts;
/**
* A base class to use to validate various SupportingToken policies.
@@ -79,10 +82,10 @@ public abstract class AbstractSupporting
private boolean encrypted;
private boolean derived;
private boolean endorsed;
- private SignedEncryptedElements signedElements;
- private SignedEncryptedElements encryptedElements;
- private SignedEncryptedParts signedParts;
- private SignedEncryptedParts encryptedParts;
+ private SignedElements signedElements;
+ private EncryptedElements encryptedElements;
+ private SignedParts signedParts;
+ private EncryptedParts encryptedParts;
/**
* Set the list of UsernameToken results
@@ -584,8 +587,8 @@ public abstract class AbstractSupporting
}
} else if (actInt.intValue() == WSConstants.ST_SIGNED
|| actInt.intValue() == WSConstants.ST_UNSIGNED) {
- AssertionWrapper assertionWrapper =
- (AssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ SamlAssertionWrapper assertionWrapper =
+ (SamlAssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
if (samlKeyInfo != null) {
X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
@@ -621,7 +624,7 @@ public abstract class AbstractSupporting
* Validate the SignedParts or EncryptedParts policies
*/
private boolean validateSignedEncryptedParts(
- SignedEncryptedParts parts,
+ SignedParts parts,
boolean content,
List<WSSecurityEngineResult> protResults,
List<WSSecurityEngineResult> tokenResults
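Review bot: The parameter is narrowed to `SignedParts` although the Javadoc above says the method validates "SignedParts or EncryptedParts", and this class's `encryptedParts` field is typed `EncryptedParts` in the hunk ending at L1210; if this method is still called with that field (the call sites are outside the hunk), the parameter should be the common supertype of the two, in the same way `RequiredElements` was chosen for `validateSignedEncryptedElements` in the hunk ending at L1241. If only signed parts are ever passed now, the Javadoc should be updated to match.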
@@ -701,7 +704,7 @@ public abstract class AbstractSupporting
* Validate SignedElements or EncryptedElements policies
*/
private boolean validateSignedEncryptedElements(
- SignedEncryptedElements elements,
+ RequiredElements elements,
boolean content,
List<WSSecurityEngineResult> protResults,
List<WSSecurityEngineResult> tokenResults
@@ -710,15 +713,18 @@ public abstract class AbstractSupporting
return true;
}
- Map<String, String> namespaces = elements.getDeclaredNamespaces();
- List<String> xpaths = elements.getXPathExpressions();
+ List<org.apache.wss4j.policy.model.XPath> xpaths = elements.getXPaths();
+
+ //Map<String, String> namespaces = elements.getDeclaredNamespaces();
+ //List<String> xpaths = elements.getXPathExpressions();
if (xpaths != null) {
SOAPMessage soapMessage = message.getContent(SOAPMessage.class);
Element soapEnvelope = soapMessage.getSOAPPart().getDocumentElement();
- for (String xPath : xpaths) {
- if (!checkXPathResult(soapEnvelope, xPath, namespaces, protResults, tokenResults)) {
+ for (org.apache.wss4j.policy.model.XPath xPath : xpaths) {
+ if (!checkXPathResult(soapEnvelope, xPath.getXPath(), xPath.getPrefixNamespaceMap(),
+ protResults, tokenResults)) {
return false;
}
}
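Review bot: The two commented-out lines `//Map<String, String> namespaces = ...` and `//List<String> xpaths = ...` are dead code carried over from the removed implementation and should be deleted rather than left alongside the replacement. The fully qualified `org.apache.wss4j.policy.model.XPath` is presumably needed because a different `XPath` is already imported; a brief comment at the first use, e.g. `// fully qualified: clashes with the imported javax.xml.xpath.XPath`, would save the next reader the search. validateSignedEncryptedElements starts above this hunk and continues below it.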
@@ -823,19 +829,19 @@ public abstract class AbstractSupporting
this.timestamp = timestamp;
}
- public void setSignedElements(SignedEncryptedElements signedElements) {
+ public void setSignedElements(SignedElements signedElements) {
this.signedElements = signedElements;
}
- public void setEncryptedElements(SignedEncryptedElements encryptedElements) {
+ public void setEncryptedElements(EncryptedElements encryptedElements) {
this.encryptedElements = encryptedElements;
}
- public void setSignedParts(SignedEncryptedParts signedParts) {
+ public void setSignedParts(SignedParts signedParts) {
this.signedParts = signedParts;
}
- public void setEncryptedParts(SignedEncryptedParts encryptedParts) {
+ public void setEncryptedParts(EncryptedParts encryptedParts) {
this.encryptedParts = encryptedParts;
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -19,10 +19,20 @@
package org.apache.cxf.ws.security.wss4j.policyvalidators;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+
+import javax.xml.namespace.QName;
+
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
-import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
+import org.apache.wss4j.policy.model.AbstractToken;
/**
* Some abstract functionality for validating a Security Token.
@@ -36,10 +46,10 @@ public abstract class AbstractTokenPolic
* @return true if the token is required
*/
protected boolean isTokenRequired(
- Token token,
+ AbstractToken token,
Message message
) {
- IncludeTokenType inclusion = token.getInclusion();
+ IncludeTokenType inclusion = token.getIncludeTokenType();
if (inclusion == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
return false;
} else if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
@@ -56,4 +66,46 @@ public abstract class AbstractTokenPolic
}
}
+ protected boolean assertPolicy(AssertionInfoMap aim, QName name) {
+ Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
+ if (aim != null && !ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return true;
+ }
+ return false;
+ }
+
+ protected boolean assertPolicy(AssertionInfoMap aim, String localname) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return true;
+ }
+ return false;
+ }
+
+ protected Collection<AssertionInfo> getAllAssertionsByLocalname(
+ AssertionInfoMap aim,
+ String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+ if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+ Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+ if (sp11Ais != null) {
+ ais.addAll(sp11Ais);
+ }
+ if (sp12Ais != null) {
+ ais.addAll(sp12Ais);
+ }
+ return ais;
+ }
+
+ return Collections.emptySet();
+ }
}
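Review bot: In the new `assertPolicy(AssertionInfoMap aim, QName name)` the guard `if (aim != null && !ais.isEmpty())` tests the wrong reference: `aim` has already been dereferenced on the line before, while `ais`, the value that may be null, is used unguarded. The equivalent method in AbstractBindingPolicyValidator checks `ais != null && !ais.isEmpty()`; `if (ais != null && !ais.isEmpty()) {` is the intended condition here too.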
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java Thu May 23 13:17:26 2013
@@ -28,12 +28,13 @@ import java.util.List;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.transform.STRTransform;
+import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.transform.STRTransform;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
/**
* Validate a WSSecurityEngineResult corresponding to the processing of a Signature, EncryptedKey or
@@ -85,7 +86,7 @@ public class AlgorithmSuitePolicyValidat
}
String c14nMethod =
(String)result.get(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD);
- if (!algorithmPolicy.getInclusiveC14n().equals(c14nMethod)) {
+ if (!algorithmPolicy.getC14n().getValue().equals(c14nMethod)) {
ai.setNotAsserted(
"The c14n method does not match the requirement"
);
@@ -113,9 +114,10 @@ public class AlgorithmSuitePolicyValidat
AlgorithmSuite algorithmPolicy,
AssertionInfo ai
) {
+ AlgorithmSuiteType algorithmSuiteType = algorithmPolicy.getAlgorithmSuiteType();
for (WSDataRef dataRef : dataRefs) {
String digestMethod = dataRef.getDigestAlgorithm();
- if (!algorithmPolicy.getDigest().equals(digestMethod)) {
+ if (!algorithmSuiteType.getDigest().equals(digestMethod)) {
ai.setNotAsserted(
"The digest method does not match the requirement"
);
@@ -129,7 +131,7 @@ public class AlgorithmSuitePolicyValidat
return false;
}
for (String transformAlgorithm : transformAlgorithms) {
- if (!(algorithmPolicy.getInclusiveC14n().equals(transformAlgorithm)
+ if (!(algorithmPolicy.getC14n().getValue().equals(transformAlgorithm)
|| STRTransform.TRANSFORM_URI.equals(transformAlgorithm))) {
ai.setNotAsserted("The transform algorithms do not match the requirement");
return false;
@@ -147,11 +149,12 @@ public class AlgorithmSuitePolicyValidat
AlgorithmSuite algorithmPolicy,
AssertionInfo ai
) {
+ AlgorithmSuiteType algorithmSuiteType = algorithmPolicy.getAlgorithmSuiteType();
String transportMethod =
(String)result.get(WSSecurityEngineResult.TAG_ENCRYPTED_KEY_TRANSPORT_METHOD);
if (transportMethod != null
- && !algorithmPolicy.getSymmetricKeyWrap().equals(transportMethod)
- && !algorithmPolicy.getAsymmetricKeyWrap().equals(transportMethod)) {
+ && !algorithmSuiteType.getSymmetricKeyWrap().equals(transportMethod)
+ && !algorithmSuiteType.getAsymmetricKeyWrap().equals(transportMethod)) {
ai.setNotAsserted(
"The Key transport method does not match the requirement"
);
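Review bot: The key-transport check is skipped entirely when `TAG_ENCRYPTED_KEY_TRANSPORT_METHOD` is absent from the result, because the condition starts with `transportMethod != null`; such a result passes the AlgorithmSuite requirement without any algorithm having been compared. If an EncryptedKey result is expected to always record its transport method, a null is itself a violation and the guard should fail closed: `if (transportMethod == null || (!algorithmSuiteType.getSymmetricKeyWrap().equals(transportMethod) && !algorithmSuiteType.getAsymmetricKeyWrap().equals(transportMethod)))`. If null is legitimate for some result types that reach this method, a comment saying which ones would stop the next reader from tightening it. Separately, both the symmetric and the asymmetric key-wrap URIs are accepted regardless of which binding is in force, so this check alone would not reject a symmetric key wrap under an asymmetric binding. The method's signature and its trailing return lie outside the hunk.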
@@ -163,7 +166,7 @@ public class AlgorithmSuitePolicyValidat
if (dataRefs != null) {
for (WSDataRef dataRef : dataRefs) {
String encryptionAlgorithm = dataRef.getAlgorithm();
- if (!algorithmPolicy.getEncryption().equals(encryptionAlgorithm)) {
+ if (!algorithmSuiteType.getEncryption().equals(encryptionAlgorithm)) {
ai.setNotAsserted(
"The encryption algorithm does not match the requirement"
);
@@ -199,11 +202,12 @@ public class AlgorithmSuitePolicyValidat
return false;
}
+ AlgorithmSuiteType algorithmSuiteType = algorithmPolicy.getAlgorithmSuiteType();
byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
if (signature) {
Principal principal = (Principal)result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
if (principal instanceof WSDerivedKeyTokenPrincipal) {
- int requiredLength = algorithmPolicy.getSignatureDerivedKeyLength();
+ int requiredLength = algorithmSuiteType.getSignatureDerivedKeyLength();
if (secret == null || secret.length != (requiredLength / 8)) {
ai.setNotAsserted(
"The signature derived key length does not match the requirement"
@@ -211,16 +215,16 @@ public class AlgorithmSuitePolicyValidat
return false;
}
} else if (secret != null
- && (secret.length < (algorithmPolicy.getMinimumSymmetricKeyLength() / 8)
- || secret.length > (algorithmPolicy.getMaximumSymmetricKeyLength() / 8))) {
+ && (secret.length < (algorithmSuiteType.getMinimumSymmetricKeyLength() / 8)
+ || secret.length > (algorithmSuiteType.getMaximumSymmetricKeyLength() / 8))) {
ai.setNotAsserted(
"The symmetric key length does not match the requirement"
);
return false;
}
} else if (secret != null
- && (secret.length < (algorithmPolicy.getMinimumSymmetricKeyLength() / 8)
- || secret.length > (algorithmPolicy.getMaximumSymmetricKeyLength() / 8))) {
+ && (secret.length < (algorithmSuiteType.getMinimumSymmetricKeyLength() / 8)
+ || secret.length > (algorithmSuiteType.getMaximumSymmetricKeyLength() / 8))) {
ai.setNotAsserted(
"The symmetric key length does not match the requirement"
);
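Review bot: The two `else if (secret != null && ...)` range checks are byte-identical, and both silently pass when `secret` is null, whereas the derived-key branch above treats a null secret as a failure; nothing in the hunk states why a missing TAG_SECRET is acceptable for a non-derived signature or encryption result. Extracting the repeated test into a private helper along the lines of `checkSymmetricKeyLength(byte[] secret, AlgorithmSuiteType type, AssertionInfo ai)` would remove the duplication and give one place to document the null case, e.g. `// NOTE(review): a null secret is assumed to mean a non-symmetric result (e.g. an asymmetric signature) — confirm.` The enclosing method begins above this hunk.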
@@ -238,10 +242,11 @@ public class AlgorithmSuitePolicyValidat
AlgorithmSuite algorithmPolicy,
AssertionInfo ai
) {
+ AlgorithmSuiteType algorithmSuiteType = algorithmPolicy.getAlgorithmSuiteType();
if (publicKey instanceof RSAPublicKey) {
int modulus = ((RSAPublicKey)publicKey).getModulus().bitLength();
- if (modulus < algorithmPolicy.getMinimumAsymmetricKeyLength()
- || modulus > algorithmPolicy.getMaximumAsymmetricKeyLength()) {
+ if (modulus < algorithmSuiteType.getMinimumAsymmetricKeyLength()
+ || modulus > algorithmSuiteType.getMaximumAsymmetricKeyLength()) {
ai.setNotAsserted(
"The asymmetric key length does not match the requirement"
);
@@ -249,8 +254,8 @@ public class AlgorithmSuitePolicyValidat
}
} else if (publicKey instanceof DSAPublicKey) {
int length = ((DSAPublicKey)publicKey).getParams().getP().bitLength();
- if (length < algorithmPolicy.getMinimumAsymmetricKeyLength()
- || length > algorithmPolicy.getMaximumAsymmetricKeyLength()) {
+ if (length < algorithmSuiteType.getMinimumAsymmetricKeyLength()
+ || length > algorithmSuiteType.getMaximumAsymmetricKeyLength()) {
ai.setNotAsserted(
"The asymmetric key length does not match the requirement"
);
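Review bot: Only RSA and DSA keys are measured here; an EC (or any other) public key falls through both `instanceof` branches, and whether the code after this hunk rejects it or lets it through with no length check is not visible. If it is let through, the Minimum/MaximumAsymmetricKeyLength requirement is silently unenforced for those keys, and the fail-closed default would be a final `else { ai.setNotAsserted("Unsupported asymmetric key type"); return false; }` (or an explicit EC branch measuring the curve's field size) — hedged, since the tail of the method is outside the hunk. The DSA branch measures the bit length of P, the analogue of the RSA modulus, which reads consistently with the RSA branch.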
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java Thu May 23 13:17:26 2013
@@ -28,13 +28,13 @@ import org.w3c.dom.Element;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.TokenWrapper;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractTokenWrapper;
+import org.apache.wss4j.policy.model.AsymmetricBinding;
+import org.apache.wss4j.policy.model.X509Token;
/**
* Validate an AsymmetricBinding policy.
@@ -49,11 +49,23 @@ public class AsymmetricBindingPolicyVali
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
+ parsePolicies(aim, ais, message, soapBody, results, signedResults, encryptedResults);
}
+ return true;
+ }
+
+ private void parsePolicies(
+ AssertionInfoMap aim,
+ Collection<AssertionInfo> ais,
+ Message message,
+ Element soapBody,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults,
+ List<WSSecurityEngineResult> encryptedResults
+ ) {
boolean hasDerivedKeys = false;
for (WSSecurityEngineResult result : results) {
Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
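Review bot: `validatePolicy` now returns `true` unconditionally and `parsePolicies` returns void, so the boolean result no longer reflects whether the binding was satisfied; the outcome is carried only through `ai.setNotAsserted(...)` on the individual assertions. That contract change is worth stating in the method's Javadoc, e.g. `/** Always returns true; failures are recorded on the AssertionInfo objects rather than via the return value. */`, so callers do not gate on the result. Replacing `aim.get(SP12Constants.ASYMMETRIC_BINDING)` with `getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING)` also appears to match SP 1.1 and SP 1.2 assertions alike; a one-line comment confirming that is intentional would help. `parsePolicies` is a slightly misleading name for a method that validates rather than parses.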
@@ -68,7 +80,7 @@ public class AsymmetricBindingPolicyVali
ai.setAsserted(true);
// Check the protection order
- if (!checkProtectionOrder(binding, ai, results)) {
+ if (!checkProtectionOrder(binding, aim, ai, results)) {
continue;
}
@@ -82,11 +94,8 @@ public class AsymmetricBindingPolicyVali
continue;
}
}
-
- return true;
}
-
/**
* Check various tokens of the binding
*/
@@ -128,7 +137,7 @@ public class AsymmetricBindingPolicyVali
}
private boolean checkInitiatorTokens(
- TokenWrapper wrapper,
+ AbstractTokenWrapper wrapper,
AsymmetricBinding binding,
AssertionInfo ai,
AssertionInfoMap aim,
@@ -136,7 +145,7 @@ public class AsymmetricBindingPolicyVali
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults) {
- Token token = wrapper.getToken();
+ AbstractToken token = wrapper.getToken();
if (token instanceof X509Token) {
boolean foundCert = false;
for (WSSecurityEngineResult result : signedResults) {
@@ -159,12 +168,15 @@ public class AsymmetricBindingPolicyVali
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
+ assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+ assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+ assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
return true;
}
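Review bot: All three derived-key assertions (`REQUIRE_DERIVED_KEYS`, `REQUIRE_IMPLIED_DERIVED_KEYS`, `REQUIRE_EXPLICIT_DERIVED_KEYS`) are marked asserted as soon as the DerivedKeys check above passes, regardless of which variant the token actually demanded — unless the check on the preceding lines, which is partly outside this hunk, already distinguishes implied from explicit keys, the implied/explicit distinction is asserted without being verified. If that distinction is deliberately not enforced, record it: `// Implied vs explicit derived keys are not distinguished; all three variants are asserted once derived keys are present.` The enclosing method `checkInitiatorTokens` starts above this hunk.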
private boolean checkRecipientTokens(
- TokenWrapper wrapper,
+ AbstractTokenWrapper wrapper,
AsymmetricBinding binding,
AssertionInfo ai,
AssertionInfoMap aim,
@@ -177,6 +189,9 @@ public class AsymmetricBindingPolicyVali
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
+ assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+ assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+ assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
return true;
}
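Review bot: This three-line `assertPolicy` sequence is now duplicated verbatim in `checkInitiatorTokens` and `checkRecipientTokens`; a small private helper such as `assertDerivedKeyPolicies(aim)` would keep the two call sites in step if the set of derived-key assertions changes and gives one place to document why all three variants are asserted together. The enclosing method `checkRecipientTokens` begins above this hunk.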
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,7 +25,7 @@ import org.w3c.dom.Element;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
/**
* Validate a WS-SecurityPolicy corresponding to a binding.
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java Thu May 23 13:17:26 2013
@@ -21,7 +21,7 @@ package org.apache.cxf.ws.security.wss4j
import org.w3c.dom.Element;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
/**
* Validate a WS-SecurityPolicy Claims policy.
@@ -34,7 +34,7 @@ public interface ClaimsPolicyValidator {
*/
boolean validatePolicy(
Element claimsPolicy,
- AssertionWrapper assertion
+ SamlAssertionWrapper assertion
);
/**