Posted to commits@cxf.apache.org by dk...@apache.org on 2010/03/09 03:49:59 UTC
svn commit: r920630 - in /cxf/branches/2.2.x-fixes: ./
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/
Author: dkulp
Date: Tue Mar 9 02:49:59 2010
New Revision: 920630
URL: http://svn.apache.org/viewvc?rev=920630&view=rev
Log:
Merged revisions 920627 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r920627 | dkulp | 2010-03-08 21:31:58 -0500 (Mon, 08 Mar 2010) | 2 lines
[CXF-2655] Fix problem with token protection
Patch from David Valeri applied
........
Added:
cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_direct_ref.xml
- copied unchanged from r920627, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_direct_ref.xml
cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_direct_ref_complement.xml
- copied unchanged from r920627, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_direct_ref_complement.xml
cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_issuer_serial.xml
- copied unchanged from r920627, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_issuer_serial.xml
cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_issuer_serial_complement.xml
- copied unchanged from r920627, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_issuer_serial_complement.xml
Modified:
cxf/branches/2.2.x-fixes/ (props changed)
cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=920630&r1=920629&r2=920630&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Tue Mar 9 02:49:59 2010
@@ -1661,6 +1661,8 @@ public abstract class AbstractBindingBui
* @throws IllegalArgumentException
* if an element in {@code signedParts} contains a {@code
* WSEncryptionPart} with a {@code null} {@code id} value
+ * and the {@code WSEncryptionPart} {@code name} value is not
+ * "Token"
*/
public void handleEncryptedSignedHeaders(Vector<WSEncryptionPart> encryptedParts,
Vector<WSEncryptionPart> signedParts) {
@@ -1671,7 +1673,13 @@ public abstract class AbstractBindingBui
final Iterator<WSEncryptionPart> signedPartsIt = signedParts.iterator();
while (signedPartsIt.hasNext()) {
WSEncryptionPart signedPart = signedPartsIt.next();
- if (signedPart.getId() == null) {
+ // Everything has to be ID based except for the case of a part
+ // indicating "Token" as the element name. This name is a flag
+ // for WSS4J to sign the initiator token used in the signature.
+ // Since the encryption happened before the signature creation,
+ // this element can't possibly be encrypted so we can safely ignore
+ // if it were ever to be set before this method is called.
+ if (signedPart.getId() == null && !"Token".equals(signedPart.getName())) {
throw new IllegalArgumentException(
"WSEncryptionPart must be ID based but no id was found.");
} else if (encryptedPart.getEncModifier().equals("Element")
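Review bot: A signed part named "Token" with a null id now passes the guard on the `if` line but still falls into the `else if` chain that follows and is compared against `encryptedPart`; if any later branch dereferences `signedPart.getId()` (not visible in this hunk), that is a NullPointerException on exactly the path the new comment says should be ignored. Since the comment states the Token part cannot be encrypted and can be safely skipped, an explicit `if ("Token".equals(signedPart.getName())) { continue; }` before the existing check would skip it outright and let the id-null check keep its original form. The literal "Token" is also spelled out in AsymmetricBindingHandler (`new WSEncryptionPart("Token", null, ...)`); a shared constant such as `TOKEN_PART_NAME` would keep the producer and this consumer in step. The enclosing while loop and the method continue past the end of this hunk.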
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=920630&r1=920629&r2=920630&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Tue Mar 9 02:49:59 2010
@@ -386,17 +386,23 @@ public class AsymmetricBindingHandler ex
} else {
WSSecSignature sig = getSignatureBuider(wrapper, sigToken, false);
sig.prependBSTElementToHeader(secHeader);
+ insertBeforeBottomUp(sig.getSignatureElement());
- if (abinding.isTokenProtection()
- && sig.getBSTTokenId() != null) {
- sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
+ if (abinding.isTokenProtection()) {
+ // Special flag telling WSS4J to sign the initiator token.
+ // Use this instead of the BST ID so that we don't
+ // have to deal with maintaining such logic here.
+ sigParts.add(new WSEncryptionPart("Token", null,
+ "Element", WSConstants.PART_TYPE_ELEMENT));
}
+
+ sig.prependBSTElementToHeader(secHeader);
sig.addReferencesToSign(sigParts, secHeader);
sig.computeSignature();
signatures.add(sig.getSignatureValue());
- insertBeforeBottomUp(sig.getSignatureElement());
+
mainSigId = addWsuIdToElement(sig.getSignatureElement());
}
}
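Review bot: `sig.prependBSTElementToHeader(secHeader)` is now invoked twice in this branch, once on the unchanged line near the top and again on the added line after the token-protection block, with `insertBeforeBottomUp(sig.getSignatureElement())` moved between them. Whether that leaves one BST or two in the security header depends on the DOM behaviour of prependBSTElementToHeader (re-inserting an already attached node moves it; building a fresh element would duplicate it), and nothing in the hunk documents the intent. If the second call is what places the BST ahead of the Signature so the "Token" reference resolves, drop the first call or annotate the second, e.g. `// Re-prepend so the BST precedes the Signature element inserted above.`; if it is not needed, remove the second call. Dropping the old `sig.getBSTTokenId() != null` guard also means the Token part is now added for non-BST references such as IssuerSerial and KeyIdentifier; the added tests cover issuer-serial, while key identifier is left as a TODO in the test file. The enclosing if/else and method start before this hunk.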
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java?rev=920630&r1=920629&r2=920630&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java Tue Mar 9 02:49:59 2010
@@ -462,6 +462,118 @@ public class PolicyBasedWss4JInOutTest e
CoverageType.SIGNED));
}
+ @Test
+ public void testProtectTokenAssertion() throws Exception {
+
+ // ////////////////////////////////////////////////////
+ // x509 Direct Ref Tests
+
+ /* REVISIT
+ No inbound validation is available for the PROTECT_TOKENS assertion.
+ We cannot yet test inbound in the standard manner. Since we can't
+ test inbound, we can't test reound trip either and thus must take
+ a different approach for now.
+
+ this.runInInterceptorAndValidate(
+ "signed_x509_direct_ref_token_prot.xml",
+ "protect_token_policy_asym_x509_direct_ref.xml",
+ SP12Constants.PROTECT_TOKENS,
+ null,
+ CoverageType.SIGNED);
+
+ this.runInInterceptorAndValidate(
+ "signed_x509_direct_ref.xml",
+ "protect_token_policy_asym_x509_direct_ref.xml",
+ null,
+ SP12Constants.PROTECT_TOKENS,
+ CoverageType.SIGNED);
+
+ this.runAndValidate(
+ "wsse-request-clean.xml",
+ "protect_token_policy_asym_x509_direct_ref.xml",
+ null,
+ null,
+ Arrays.asList(new QName[] {SP12Constants.PROTECT_TOKENS }),
+ null,
+ Arrays.asList(new CoverageType[] {CoverageType.SIGNED }));
+ */
+
+ // REVISIT
+ // We test using a policy with ProtectTokens enabled on
+ // the outbound but with a policy using a SignedElements policy
+ // on the inbound to validate that the correct thing got signed.
+ this.runAndValidate(
+ "wsse-request-clean.xml",
+ "protect_token_policy_asym_x509_direct_ref.xml",
+ "protect_token_policy_asym_x509_direct_ref_complement.xml",
+ new AssertionsHolder(
+ Arrays.asList(new QName[] {SP12Constants.ASYMMETRIC_BINDING}),
+ null),
+ new AssertionsHolder(
+ Arrays.asList(new QName[] {SP12Constants.SIGNED_ELEMENTS}),
+ null),
+ Arrays.asList(new CoverageType[] {CoverageType.SIGNED }));
+
+ // ////////////////////////////////////////////////////
+ // x509 Issuer Serial Tests
+
+ /* REVISIT
+ No inbound validation is available for the PROTECT_TOKENS assertion.
+ We cannot yet test inbound in the standard manner. Since we can't
+ test inbound, we can't test reound trip either and thus must take
+ a different approach for now.
+
+ this.runInInterceptorAndValidate(
+ "signed_x509_issuer_serial_token_prot.xml",
+ "protect_token_policy_asym_x509_issuer_serial.xml",
+ SP12Constants.PROTECT_TOKENS,
+ null,
+ CoverageType.SIGNED);
+
+ this.runInInterceptorAndValidate(
+ "signed_x509_issuer_serial.xml",
+ "protect_token_policy_asym_x509_issuer_serial.xml",
+ null,
+ SP12Constants.PROTECT_TOKENS,
+ CoverageType.SIGNED);
+
+ this.runAndValidate(
+ "wsse-request-clean.xml",
+ "protect_token_policy_asym_x509_issuer_serial.xml",
+ null,
+ null,
+ Arrays.asList(new QName[] { SP12Constants.PROTECT_TOKENS }),
+ null,
+ Arrays.asList(new CoverageType[] { CoverageType.SIGNED }));
+ */
+
+ // REVISIT
+ // We test using a policy with ProtectTokens enabled on
+ // the outbound but with a policy using a SignedElements policy
+ // on the inbound to validate that the correct thing got signed.
+ this.runAndValidate(
+ "wsse-request-clean.xml",
+ "protect_token_policy_asym_x509_issuer_serial.xml",
+ "protect_token_policy_asym_x509_issuer_serial_complement.xml",
+ new AssertionsHolder(
+ Arrays.asList(new QName[] {SP12Constants.ASYMMETRIC_BINDING}),
+ null),
+ new AssertionsHolder(
+ Arrays.asList(new QName[] {SP12Constants.SIGNED_ELEMENTS}),
+ null),
+ Arrays.asList(new CoverageType[] {CoverageType.SIGNED }));
+
+ // ////////////////////////////////////////////////////
+ // x509 Key Identifier Tests
+
+ // TODO: Tests for Key Identifier are needed but require that the
+ // certificates used in the test cases be updated to version 3
+ // according to WSS4J.
+
+ // TODO: Tests for derived keys.
+ }
+
+
protected Bus createBus() throws BusException {
Bus b = super.createBus();
this.policyBuilder =
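Review bot: The two `/* REVISIT ... */` blocks in `testProtectTokenAssertion` keep roughly fifty lines of commented-out test code that is never compile-checked and will silently rot as the helpers evolve. Since the file uses JUnit 4 (`@Test`), moving each pending scenario into its own method marked `@Ignore("no inbound validation for PROTECT_TOKENS yet")` keeps them compiled and visible in test reports instead of hidden in comments. The live assertions only verify outbound signing indirectly, through the complementary SignedElements policy on the inbound side, as the REVISIT comment acknowledges; naming the tracking issue in that comment would tell readers when the check can be tightened to assert PROTECT_TOKENS itself. In both comment blocks "reound trip" should read "round trip".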
@@ -474,17 +586,39 @@ public class PolicyBasedWss4JInOutTest e
List<QName> assertedInAssertions, List<QName> notAssertedInAssertions,
List<CoverageType> types) throws Exception {
- final Element policyElement =
- this.readDocument(policyDocument).getDocumentElement();
+ this.runAndValidate(document, policyDocument, null,
+ new AssertionsHolder(assertedOutAssertions, notAssertedOutAssertions),
+ new AssertionsHolder(assertedInAssertions, notAssertedInAssertions),
+ types);
+ }
+
+ private void runAndValidate(
+ String document,
+ String outPolicyDocument, String inPolicyDocument,
+ AssertionsHolder outAssertions,
+ AssertionsHolder inAssertions,
+ List<CoverageType> types) throws Exception {
+
+ final Element outPolicyElement = this.readDocument(outPolicyDocument)
+ .getDocumentElement();
+ final Element inPolicyElement;
+
+ if (inPolicyDocument != null) {
+ inPolicyElement = this.readDocument(inPolicyDocument)
+ .getDocumentElement();
+ } else {
+ inPolicyElement = outPolicyElement;
+ }
+
- final Policy outPolicy = this.policyBuilder.getPolicy(policyElement);
- final Policy inPolicy = this.policyBuilder.getPolicy(policyElement);
+ final Policy outPolicy = this.policyBuilder.getPolicy(outPolicyElement);
+ final Policy inPolicy = this.policyBuilder.getPolicy(inPolicyElement);
final Document originalDoc = this.readDocument(document);
final Document inDoc = this.runOutInterceptorAndValidate(
- originalDoc, outPolicy, assertedOutAssertions,
- notAssertedOutAssertions);
+ originalDoc, outPolicy, outAssertions.getAssertedAssertions(),
+ outAssertions.getNotAssertedAssertions());
// Can't use this method if you want output that is not mangled.
// Such is the case when you want to capture output to use
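Review bot: The new private `runAndValidate` overload does not document `inPolicyDocument`, whose `null` value silently reuses the outbound policy for the inbound check; that convention is easy to miss from the wrapper whose tail is visible at the top of this hunk, which always passes `null`. A short Javadoc would make it explicit: `@param inPolicyDocument policy applied on the inbound side, or {@code null} to reuse {@code outPolicyDocument}`, plus a note that `outAssertions` and `inAssertions` must be non-null since both are dereferenced without a check. The method body continues past the end of this hunk.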
@@ -500,8 +634,8 @@ public class PolicyBasedWss4JInOutTest e
*/
this.runInInterceptorAndValidate(inDoc,
- inPolicy, assertedInAssertions,
- assertedOutAssertions, types);
+ inPolicy, inAssertions.getAssertedAssertions(),
+ inAssertions.getNotAssertedAssertions(), types);
}
private void runInInterceptorAndValidate(String document,
@@ -790,6 +924,28 @@ public class PolicyBasedWss4JInOutTest e
public void setOutFaultObserver(MessageObserver observer) {
}
+ }
+
+ /**
+ * A simple container used to reduce argument numbers to satisfy
+ * project code conventions.
+ */
+ private static final class AssertionsHolder {
+ private List<QName> assertedAssertions;
+ private List<QName> notAssertedAssertions;
+
+ public AssertionsHolder(List<QName> assertedAssertions,
+ List<QName> notAssertedAssertions) {
+ super();
+ this.assertedAssertions = assertedAssertions;
+ this.notAssertedAssertions = notAssertedAssertions;
+ }
+ public List<QName> getAssertedAssertions() {
+ return this.assertedAssertions;
+ }
+ public List<QName> getNotAssertedAssertions() {
+ return this.notAssertedAssertions;
+ }
}
}
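Review bot: `AssertionsHolder` is described as a simple argument container, yet its two fields are mutable and the constructor opens with a redundant `super();` call. Declaring `private final List<QName> assertedAssertions;` and `private final List<QName> notAssertedAssertions;` and dropping the `super();` line states the immutability intent and lets the compiler enforce it. The class Javadoc could also record that the lists are stored as given, not copied, and that either may be `null`, since the call sites in this commit pass `null` for the not-asserted side.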