Posted to commits@cxf.apache.org by co...@apache.org on 2015/04/08 14:30:54 UTC
cxf git commit: [CXF-6334] - Add the ability to plug in custom
security policy validators for various assertions
Repository: cxf
Updated Branches:
refs/heads/master 581964426 -> 9fce658c4
[CXF-6334] - Add the ability to plug in custom security policy validators for various assertions
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9fce658c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9fce658c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9fce658c
Branch: refs/heads/master
Commit: 9fce658c4611f790983a3d5cef7312eec8771461
Parents: 5819644
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Apr 8 13:27:58 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Apr 8 13:30:47 2015 +0100
----------------------------------------------------------------------
.../cxf/ws/security/SecurityConstants.java | 10 +-
.../cxf/ws/security/policy/PolicyUtils.java | 106 +++++++++++++++
.../IssuedTokenInterceptorProvider.java | 10 +-
.../KerberosTokenInterceptorProvider.java | 10 +-
.../wss4j/PolicyBasedWSS4JInInterceptor.java | 128 ++-----------------
.../wss4j/AbstractPolicySecurityTest.java | 2 +-
6 files changed, 139 insertions(+), 127 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/9fce658c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 0516853..805d69e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -434,6 +434,14 @@ public final class SecurityConstants {
*/
public static final String SCT_TOKEN_VALIDATOR = "ws-security.sct.validator";
+ /**
+ * This refers to a Map of QName, SecurityPolicyValidator, which retrieves a SecurityPolicyValidator
+ * implementation to validate a particular security policy, based on the QName of the policy. Any
+ * SecurityPolicyValidator implementation defined in this map will override the default value
+ * used internally for the corresponding QName.
+ */
+ public static final String POLICY_VALIDATOR_MAP = "ws-security.policy.validator.map";
+
//
// STS Client Configuration tags
//
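Review bot: The Javadoc on `POLICY_VALIDATOR_MAP` does not say that lookups use the exact QName, while the defaults added in PolicyUtils by this commit are registered separately under the SP11 and SP12 names. I would add a sentence such as `Keys are matched on the full QName, so a validator meant for both the SP11 and SP12 form of an assertion must be registered under both.` It is also worth stating that an entry replaces the default validator for that QName and does not run in addition to it, because a permissive custom implementation then becomes the only check for that assertion.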
@@ -651,7 +659,7 @@ public final class SecurityConstants {
DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION,
KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE,
KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
- AUDIENCE_RESTRICTION_VALIDATION
+ AUDIENCE_RESTRICTION_VALIDATION, POLICY_VALIDATOR_MAP
}));
ALL_PROPERTIES = Collections.unmodifiableSet(s);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9fce658c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
index 48a1e61..95a2f6b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
@@ -20,12 +20,38 @@ package org.apache.cxf.ws.security.policy;
import java.util.Collection;
import java.util.Collections;
+import java.util.HashMap;
import java.util.HashSet;
+import java.util.Map;
import javax.xml.namespace.QName;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.KerberosTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.LayoutPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEncryptedTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingEncryptedTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
@@ -36,6 +62,74 @@ import org.apache.wss4j.policy.model.AbstractBinding;
*/
public final class PolicyUtils {
+ // The default security policy validators
+ private static final Map<QName, SecurityPolicyValidator> DEFAULT_SECURITY_POLICY_VALIDATORS =
+ new HashMap<>();
+
+ static {
+ // Tokens
+ SecurityPolicyValidator validator = new X509TokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.X509_TOKEN, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.X509_TOKEN, validator);
+ validator = new UsernameTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.USERNAME_TOKEN, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.USERNAME_TOKEN, validator);
+ validator = new SamlTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SAML_TOKEN, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SAML_TOKEN, validator);
+ validator = new SecurityContextTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SECURITY_CONTEXT_TOKEN, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SECURITY_CONTEXT_TOKEN, validator);
+ validator = new WSS11PolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.WSS11, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.WSS11, validator);
+ validator = new IssuedTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ISSUED_TOKEN, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ISSUED_TOKEN, validator);
+ validator = new KerberosTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.KERBEROS_TOKEN, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.KERBEROS_TOKEN, validator);
+
+ // Bindings
+ validator = new TransportBindingPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.TRANSPORT_BINDING, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.TRANSPORT_BINDING, validator);
+ validator = new SymmetricBindingPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SYMMETRIC_BINDING, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SYMMETRIC_BINDING, validator);
+ validator = new AsymmetricBindingPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ASYMMETRIC_BINDING, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ASYMMETRIC_BINDING, validator);
+ validator = new AlgorithmSuitePolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ALGORITHM_SUITE, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ALGORITHM_SUITE, validator);
+ validator = new LayoutPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.LAYOUT, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.LAYOUT, validator);
+
+ // Supporting Tokens
+ validator = new ConcreteSupportingTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SUPPORTING_TOKENS, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SUPPORTING_TOKENS, validator);
+ validator = new SignedTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_SUPPORTING_TOKENS, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SIGNED_SUPPORTING_TOKENS, validator);
+ validator = new EndorsingTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENDORSING_SUPPORTING_TOKENS, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ENDORSING_SUPPORTING_TOKENS, validator);
+ validator = new SignedEndorsingTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS, validator);
+ validator = new EncryptedTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS, validator);
+ validator = new SignedEncryptedTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS, validator);
+ validator = new EndorsingEncryptedTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS, validator);
+ validator = new SignedEndorsingEncryptedTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS, validator);
+ }
+
private PolicyUtils() {
// complete
}
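Review bot: `DEFAULT_SECURITY_POLICY_VALIDATORS` holds one validator instance per type for the lifetime of the class, whereas the code removed from PolicyBasedWSS4JInInterceptor created a fresh instance on every call, so these instances are now shared by all messages processed concurrently. That is only safe if no validator keeps per-message state in fields, which this diff does not show and which should be confirmed and stated in the comment above the map. The map is also a plain mutable `HashMap`; filling a local map in the static block and assigning `Collections.unmodifiableMap(defaults)` would rule out accidental modification after class initialisation. The class body continues outside this hunk.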
@@ -130,4 +224,16 @@ public final class PolicyUtils {
return null;
}
+ public static Map<QName, SecurityPolicyValidator> getSecurityPolicyValidators(Message message) {
+ Map<QName, SecurityPolicyValidator> mapToReturn = new HashMap<>(DEFAULT_SECURITY_POLICY_VALIDATORS);
+ Map<QName, SecurityPolicyValidator> policyMap =
+ CastUtils.cast((Map<?, ?>)message.getContextualProperty(SecurityConstants.POLICY_VALIDATOR_MAP));
+
+ // Allow overriding the default policies
+ if (policyMap != null && !policyMap.isEmpty()) {
+ mapToReturn.putAll(policyMap);
+ }
+
+ return mapToReturn;
+ }
}
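Review bot: `CastUtils.cast` on the configured property is unchecked, so a map with a wrong key or value type, or a null value, is merged as-is and only fails later at the call sites; a null value passes their `containsKey` test and then throws a NullPointerException on `validators.get(qName).validatePolicies(...)`. Checking each entry while merging makes a misconfiguration fail at the point of configuration lookup, not in the middle of policy validation. The method is public and has no Javadoc; it should say that it returns a fresh copy on each call and that configured entries replace the defaults for the same QName. One possible shape for the merge is below.

```java
public static Map<QName, SecurityPolicyValidator> getSecurityPolicyValidators(Message message) {
    Map<QName, SecurityPolicyValidator> mapToReturn = new HashMap<>(DEFAULT_SECURITY_POLICY_VALIDATORS);
    Map<?, ?> configured =
        (Map<?, ?>)message.getContextualProperty(SecurityConstants.POLICY_VALIDATOR_MAP);

    // Allow overriding the default policies, rejecting entries of the wrong type (including null)
    if (configured != null) {
        for (Map.Entry<?, ?> entry : configured.entrySet()) {
            if (!(entry.getKey() instanceof QName)
                || !(entry.getValue() instanceof SecurityPolicyValidator)) {
                throw new IllegalArgumentException(
                    SecurityConstants.POLICY_VALIDATOR_MAP
                    + " must map QName to SecurityPolicyValidator");
            }
            mapToReturn.put((QName)entry.getKey(), (SecurityPolicyValidator)entry.getValue());
        }
    }
    // … unchanged: return mapToReturn …
```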
http://git-wip-us.apache.org/repos/asf/cxf/blob/9fce658c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
index dd14252..c129c2f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
@@ -23,6 +23,7 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
+import java.util.Map;
import javax.xml.namespace.QName;
@@ -42,7 +43,6 @@ import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
import org.apache.wss4j.dom.WSConstants;
@@ -190,8 +190,12 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
}
parameters.setSamlResults(samlResults);
- SecurityPolicyValidator issuedValidator = new IssuedTokenPolicyValidator();
- issuedValidator.validatePolicies(parameters, issuedAis);
+ QName qName = issuedAis.iterator().next().getAssertion().getName();
+ Map<QName, SecurityPolicyValidator> validators =
+ PolicyUtils.getSecurityPolicyValidators(message);
+ if (validators.containsKey(qName)) {
+ validators.get(qName).validatePolicies(parameters, issuedAis);
+ }
}
}
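Review bot: When the lookup finds no validator for `qName`, the issued-token assertions are skipped with no log entry or failure, whereas the removed lines always ran `IssuedTokenPolicyValidator`. The defaults cover only the SP11 and SP12 QNames, and the key comes from the first element of `issuedAis` alone, so if that collection is gathered by local name (how it is built is outside this hunk) it could hold assertions whose namespace differs from the key that selected the validator. I would log a warning or leave the assertions explicitly not asserted when no validator is found, and guard the `iterator().next()` call if `issuedAis` can be empty at this point. The same pattern is added in KerberosTokenInterceptorProvider for `ais`.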
http://git-wip-us.apache.org/repos/asf/cxf/blob/9fce658c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
index 7d3bc51..79611a5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
@@ -27,6 +27,7 @@ import java.util.Map;
import java.util.logging.Logger;
import javax.crypto.SecretKey;
+import javax.xml.namespace.QName;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.endpoint.Endpoint;
@@ -51,7 +52,6 @@ import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
import org.apache.cxf.ws.security.wss4j.StaxSecurityContextInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.KerberosTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
import org.apache.wss4j.common.ext.WSSecurityException;
@@ -198,8 +198,12 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
parameters.setMessage(message);
parameters.setResults(rResult);
- SecurityPolicyValidator kerberosValidator = new KerberosTokenPolicyValidator();
- kerberosValidator.validatePolicies(parameters, ais);
+ QName qName = ais.iterator().next().getAssertion().getName();
+ Map<QName, SecurityPolicyValidator> validators =
+ PolicyUtils.getSecurityPolicyValidators(message);
+ if (validators.containsKey(qName)) {
+ validators.get(qName).validatePolicies(parameters, ais);
+ }
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9fce658c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index ad65a3c..833c8f9 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -38,6 +38,7 @@ import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
+
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
@@ -52,26 +53,8 @@ import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.LayoutPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEncryptedTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingEncryptedTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.PasswordEncryptor;
import org.apache.wss4j.common.ext.WSSecurityException;
@@ -684,9 +667,14 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
}
parameters.setTimestampElement(timestamp);
- checkTokenCoverage(parameters);
- checkBindingCoverage(parameters);
- checkSupportingTokenCoverage(parameters);
+ // Validate security policies
+ Map<QName, SecurityPolicyValidator> validators = PolicyUtils.getSecurityPolicyValidators(msg);
+ for (QName qName : aim.keySet()) {
+ // Check to see if we have a security policy + if we can validate it
+ if (validators.containsKey(qName)) {
+ validators.get(qName).validatePolicies(parameters, aim.get(qName));
+ }
+ }
super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);
}
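Review bot: Validators now run in whatever order `aim.keySet()` yields, not in the fixed token, binding, supporting-token sequence of the removed `checkTokenCoverage`, `checkBindingCoverage` and `checkSupportingTokenCoverage` calls. If any validator relies on an earlier one having already asserted a nested policy, that dependency should be checked, or the absence of one noted in the comment above the loop. The `containsKey` followed by `get` can also become a single lookup that tolerates a null entry: `SecurityPolicyValidator validator = validators.get(qName);` then `if (validator != null) { validator.validatePolicies(parameters, aim.get(qName)); }`. The enclosing method starts outside this hunk.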
@@ -735,104 +723,6 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
return check;
}
- /**
- * Check the token coverage
- */
- private void checkTokenCoverage(PolicyValidatorParameters parameters) {
-
- AssertionInfoMap aim = parameters.getAssertionInfoMap();
-
- Collection<AssertionInfo> ais =
- PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
- SecurityPolicyValidator x509Validator = new X509TokenPolicyValidator();
- x509Validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
- SecurityPolicyValidator utValidator = new UsernameTokenPolicyValidator();
- utValidator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
- SecurityPolicyValidator samlValidator = new SamlTokenPolicyValidator();
- samlValidator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
- SecurityPolicyValidator sctValidator = new SecurityContextTokenPolicyValidator();
- sctValidator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS11);
- SecurityPolicyValidator wss11Validator = new WSS11PolicyValidator();
- wss11Validator.validatePolicies(parameters, ais);
- }
-
- /**
- * Check the binding coverage
- */
- private void checkBindingCoverage(PolicyValidatorParameters parameters) {
- AssertionInfoMap aim = parameters.getAssertionInfoMap();
-
- Collection<AssertionInfo> ais =
- PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
- SecurityPolicyValidator transportValidator = new TransportBindingPolicyValidator();
- transportValidator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
- SecurityPolicyValidator symmetricValidator = new SymmetricBindingPolicyValidator();
- symmetricValidator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
- SecurityPolicyValidator asymmetricValidator = new AsymmetricBindingPolicyValidator();
- asymmetricValidator.validatePolicies(parameters, ais);
-
- // Check AlgorithmSuite + Layout that might not be tied to a binding
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
- SecurityPolicyValidator algorithmSuiteValidator = new AlgorithmSuitePolicyValidator();
- algorithmSuiteValidator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
- LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator();
- layoutValidator.validatePolicies(parameters, ais);
- }
-
- /**
- * Check the supporting token coverage
- */
- private void checkSupportingTokenCoverage(PolicyValidatorParameters parameters) {
- AssertionInfoMap aim = parameters.getAssertionInfoMap();
-
- Collection<AssertionInfo> ais =
- PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
- SecurityPolicyValidator validator = new ConcreteSupportingTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
- validator = new SignedTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
- validator = new EndorsingTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
- validator = new SignedEndorsingTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
- validator = new SignedEncryptedTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
- validator = new EncryptedTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
- validator = new EndorsingEncryptedTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
- validator = new SignedEndorsingEncryptedTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
- }
-
private boolean assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, Node header)
throws SOAPException {
http://git-wip-us.apache.org/repos/asf/cxf/blob/9fce658c/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
index 45d7277..dba08ba 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
@@ -226,7 +226,7 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest {
}
}
- private void checkAssertion(AssertionInfoMap aim,
+ protected void checkAssertion(AssertionInfoMap aim,
QName name,
AssertionInfo inf,
boolean asserted) {