Posted to commits@cxf.apache.org by co...@apache.org on 2013/12/12 16:14:09 UTC
svn commit: r1550435 - in
/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j:
PolicyStaxActionInInterceptor.java StaxActionInInterceptor.java
Author: coheigea
Date: Thu Dec 12 15:14:08 2013
New Revision: 1550435
URL: http://svn.apache.org/r1550435
Log:
Skip action checking/policy asserting for the streaming code when we have a SOAP Fault with no security header for the initiator
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxActionInInterceptor.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java?rev=1550435&r1=1550434&r2=1550435&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java Thu Dec 12 15:14:08 2013
@@ -20,11 +20,14 @@ package org.apache.cxf.ws.security.wss4j
import java.util.Collection;
import java.util.List;
+import java.util.logging.Logger;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.policy.AssertionInfo;
@@ -35,7 +38,10 @@ import org.apache.wss4j.policy.SP13Const
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AlgorithmSuite;
import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
+import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
+import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEventConstants.Event;
/**
* This interceptor marks the CXF AssertionInfos as asserted. WSS4J 2.0 (StAX) takes care of all
@@ -44,6 +50,9 @@ import org.apache.xml.security.stax.secu
*/
public class PolicyStaxActionInInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
+ private static final Logger LOG =
+ LogUtils.getL7dLogger(PolicyStaxActionInInterceptor.class);
+
public PolicyStaxActionInInterceptor() {
super(Phase.PRE_PROTOCOL);
this.getBefore().add(StaxSecurityContextInInterceptor.class.getName());
@@ -60,11 +69,44 @@ public class PolicyStaxActionInIntercept
return;
}
+ // First check for a SOAP Fault with no security header if we are the client
+ // In this case don't blanket assert security policies
+ if (MessageUtils.isRequestor(soapMessage)
+ && isEventInResults(WSSecurityEventConstants.NoSecurity, incomingSecurityEventList)) {
+ OperationSecurityEvent securityEvent =
+ (OperationSecurityEvent)findEvent(
+ WSSecurityEventConstants.Operation, incomingSecurityEventList
+ );
+ if (securityEvent != null
+ && soapMessage.getVersion().getFault().equals(securityEvent.getOperation())) {
+ LOG.warning("Request does not contain Security header, but it's a fault.");
+ return;
+ }
+ }
+
assertAllSecurityAssertions(aim);
assertAllAlgorithmSuites(SP11Constants.SP_NS, aim);
assertAllAlgorithmSuites(SP12Constants.SP_NS, aim);
}
+ private boolean isEventInResults(Event event, List<SecurityEvent> incomingSecurityEventList) {
+ for (SecurityEvent incomingEvent : incomingSecurityEventList) {
+ if (event == incomingEvent.getSecurityEventType()) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private SecurityEvent findEvent(Event event, List<SecurityEvent> incomingSecurityEventList) {
+ for (SecurityEvent incomingEvent : incomingSecurityEventList) {
+ if (event == incomingEvent.getSecurityEventType()) {
+ return incomingEvent;
+ }
+ }
+ return null;
+ }
+
private void assertAllSecurityAssertions(AssertionInfoMap aim) {
for (QName key : aim.keySet()) {
if (SP11Constants.SP_NS.equals(key.getNamespaceURI())
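Review bot: The warning logged before the early `return` says "Request does not contain Security header", but the branch is guarded by `MessageUtils.isRequestor(soapMessage)`, so the message being inspected is the inbound response; the same string is added in the matching StaxActionInInterceptor.java hunk. This line is the only record that policy assertion was skipped for an unsigned fault, so it should say what happened, e.g. `LOG.warning("Response is a SOAP Fault with no Security header; security policies were not asserted.");`. I would also extend the comment above the `if` with `// The fault carries no security header, so nothing in it is authenticated; callers must not rely on its contents.`. The enclosing method starts outside the hunk.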
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxActionInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxActionInInterceptor.java?rev=1550435&r1=1550434&r2=1550435&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxActionInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxActionInInterceptor.java Thu Dec 12 15:14:08 2013
@@ -26,10 +26,12 @@ import org.apache.cxf.binding.soap.SoapM
import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.stax.ext.WSSConstants;
+import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
@@ -71,6 +73,20 @@ public class StaxActionInInterceptor ext
throw createSoapFault(soapMessage.getVersion(), ex);
}
+ // First check for a SOAP Fault with no security header if we are the client
+ if (MessageUtils.isRequestor(soapMessage)
+ && isEventInResults(WSSecurityEventConstants.NoSecurity, incomingSecurityEventList)) {
+ OperationSecurityEvent securityEvent =
+ (OperationSecurityEvent)findEvent(
+ WSSecurityEventConstants.Operation, incomingSecurityEventList
+ );
+ if (securityEvent != null
+ && soapMessage.getVersion().getFault().equals(securityEvent.getOperation())) {
+ LOG.warning("Request does not contain Security header, but it's a fault.");
+ return;
+ }
+ }
+
for (XMLSecurityConstants.Action action : inActions) {
Event requiredEvent = null;
if (WSSConstants.TIMESTAMP.equals(action)) {
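Review bot: The block added ahead of the `for (XMLSecurityConstants.Action action : inActions)` loop is a line-for-line copy of the one added to PolicyStaxActionInInterceptor.java, so the rule that lets an unsecured message skip every required-action check now has two definitions that can drift apart. Both classes are in the same package, so one package-private static helper could hold the condition and each interceptor would keep only its own log-and-return. The sketch below also replaces the unconditional `(OperationSecurityEvent)` cast with an `instanceof` test, so an unexpected event class falls through to the normal checks instead of throwing. The enclosing method starts and ends outside the hunk.

```java
// One definition of the bypass condition, for both interceptors to call.
static boolean isUnsecuredFaultResponse(
    SoapMessage soapMessage, List<SecurityEvent> incomingSecurityEventList
) {
    if (!MessageUtils.isRequestor(soapMessage)) {
        return false;
    }
    boolean noSecurityHeader = false;
    SecurityEvent operationEvent = null;
    for (SecurityEvent incomingEvent : incomingSecurityEventList) {
        Event type = incomingEvent.getSecurityEventType();
        if (type == WSSecurityEventConstants.NoSecurity) {
            noSecurityHeader = true;
        } else if (type == WSSecurityEventConstants.Operation && operationEvent == null) {
            operationEvent = incomingEvent;
        }
    }
    return noSecurityHeader
        && operationEvent instanceof OperationSecurityEvent
        && soapMessage.getVersion().getFault().equals(
            ((OperationSecurityEvent)operationEvent).getOperation());
}

// … unchanged: createSoapFault on WSSecurityException …
if (isUnsecuredFaultResponse(soapMessage, incomingSecurityEventList)) {
    LOG.warning("Request does not contain Security header, but it's a fault.");
    return;
}
// … unchanged: loop over inActions …
```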
@@ -118,6 +134,15 @@ public class StaxActionInInterceptor ext
return false;
}
+ private SecurityEvent findEvent(Event event, List<SecurityEvent> incomingSecurityEventList) {
+ for (SecurityEvent incomingEvent : incomingSecurityEventList) {
+ if (event == incomingEvent.getSecurityEventType()) {
+ return incomingEvent;
+ }
+ }
+ return null;
+ }
+
/**
* Create a SoapFault from a WSSecurityException, following the SOAP Message Security
* 1.1 specification, chapter 12 "Error Handling".
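Review bot: The new `findEvent` repeats the loop of the method whose tail (`return false; }`) is the context just above it, presumably `isEventInResults`, and the same pair is added side by side in PolicyStaxActionInInterceptor.java. The boolean variant can delegate with `return findEvent(event, incomingSecurityEventList) != null;`, which leaves a single traversal to maintain. `findEvent` also has no Javadoc; I would add `/** Returns the first incoming event of the given type, or null if there is none. */` so the null return that the caller depends on is stated. The body of the preceding method starts outside the hunk.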