Posted to commits@ws.apache.org by gi...@apache.org on 2013/06/12 09:35:40 UTC
svn commit: r1492093 - in
/webservices/wss4j/trunk/ws-security-policy-stax/src:
main/java/org/apache/wss4j/policy/stax/
main/java/org/apache/wss4j/policy/stax/assertionStates/
test/java/org/apache/wss4j/policy/stax/test/
Author: giger
Date: Wed Jun 12 07:35:39 2013
New Revision: 1492093
URL: http://svn.apache.org/r1492093
Log:
WSS-448 - OnlySignEntireHeadersAndBody policy validation is incorrect
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingIntegrationTest.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingTest.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/SymmetricBindingTest.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java Wed Jun 12 07:35:39 2013
@@ -123,10 +123,13 @@ public class PolicyEnforcer implements S
private final Deque<SecurityEvent> securityEventQueue = new LinkedList<SecurityEvent>();
private boolean operationSecurityEventOccured = false;
private boolean initiator;
+ private String actorOrRole;
- public PolicyEnforcer(List<OperationPolicy> operationPolicies, String soapAction, boolean initiator) throws WSSPolicyException {
+ public PolicyEnforcer(List<OperationPolicy> operationPolicies, String soapAction, boolean initiator,
+ String actorOrRole) throws WSSPolicyException {
this.operationPolicies = operationPolicies;
this.initiator = initiator;
+ this.actorOrRole = actorOrRole;
assertionStateMap = new LinkedList<Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>>();
failedAssertionStateMap = new LinkedList<Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>>();
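Review bot: The new constructor parameter `actorOrRole` is undocumented on PolicyEnforcer, while the factory's newPolicyEnforcer describes the same value under the name `roleOrActor`; one name across both classes and a `@param actorOrRole the actor/role this enforcer validates against; must equal the value given to WSSSecurityProperties#setActor()` here would remove the mismatch. The field is assigned only in the constructor and could be `private final String actorOrRole;`. The updated tests pass `null` for it and the value is handed straight to WSSUtils.isInSecurityHeader in OnlySignEntireHeadersAndBodyAssertionState, so whether null is a supported "default actor" value should be stated in that javadoc. The constructor body continues past the end of this hunk.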
@@ -306,7 +309,8 @@ public class PolicyEnforcer implements S
assertableList.add(new ProtectionOrderAssertionState(abstractSymmetricAsymmetricBinding, true));
assertableList.add(new SignatureProtectionAssertionState(abstractSymmetricAsymmetricBinding, true));
if (abstractSymmetricAsymmetricBinding.isOnlySignEntireHeadersAndBody()) {
- assertableList.add(new OnlySignEntireHeadersAndBodyAssertionState(abstractSecurityAssertion, false));
+ //initialized with asserted=true because we do negative matching
+ assertableList.add(new OnlySignEntireHeadersAndBodyAssertionState(abstractSecurityAssertion, true, actorOrRole));
}
assertableList.add(new TokenProtectionAssertionState(abstractSecurityAssertion, true));
}
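Review bot: The comment on the changed line explains the mechanism but not the contract that makes it safe; a reader may otherwise assume a message with no signatures at all would fail this assertion. Suggested wording: `// asserted=true: this state only fails when a signed element that is neither the Body, an entire SOAP header nor a direct child of the Security header is seen; a message without any signature satisfies it (signature presence is enforced by SignedParts/SignedElements)`. The enclosing method begins before this hunk.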
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java Wed Jun 12 07:35:39 2013
@@ -416,7 +416,15 @@ public class PolicyEnforcerFactory {
}
}
- public PolicyEnforcer newPolicyEnforcer(String soapAction, boolean initiator) throws WSSPolicyException {
- return new PolicyEnforcer(this.operationPolicies, soapAction, initiator);
+ /**
+ * creates a new PolicyEnforcer instance
+ * @param soapAction The requested soapAction of the actual request
+ * @param initiator Boolean flag to tell the engine if it is running in client or server mode
+ * @param roleOrActor The actor or role of the security processing. Must be set to the same value as WSSSecurityProperties#setActor()
+ * @return the newly created PolicyEnforcer instance
+ * @throws WSSPolicyException
+ */
+ public PolicyEnforcer newPolicyEnforcer(String soapAction, boolean initiator, String roleOrActor) throws WSSPolicyException {
+ return new PolicyEnforcer(this.operationPolicies, soapAction, initiator, roleOrActor);
}
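Review bot: Dropping the two-argument newPolicyEnforcer(String, boolean) breaks every external caller of this public factory method for a parameter that the updated tests always pass as `null`; if null really is the default-actor value, a deprecated overload `public PolicyEnforcer newPolicyEnforcer(String soapAction, boolean initiator) throws WSSPolicyException { return newPolicyEnforcer(soapAction, initiator, null); }` would keep them compiling. The new javadoc names the parameter `roleOrActor` while PolicyEnforcer calls it `actorOrRole`, and `@throws WSSPolicyException` carries no description; stating when it is thrown and whether null is accepted for the actor would complete it.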
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java Wed Jun 12 07:35:39 2013
@@ -21,61 +21,56 @@ package org.apache.wss4j.policy.stax.ass
import org.apache.wss4j.policy.AssertionState;
import org.apache.wss4j.policy.WSSPolicyException;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
-import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
+import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.wss4j.policy.stax.Assertable;
-import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSUtils;
-import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
+import javax.xml.namespace.QName;
+import java.util.List;
+
/**
* WSP1.3, 6.6 Entire Header and Body Signatures Property
*/
public class OnlySignEntireHeadersAndBodyAssertionState extends AssertionState implements Assertable {
- public OnlySignEntireHeadersAndBodyAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+ private String roleOrActor;
+
+ public OnlySignEntireHeadersAndBodyAssertionState(AbstractSecurityAssertion assertion, boolean asserted, String roleOrActor) {
super(assertion, asserted);
+ this.roleOrActor = roleOrActor;
}
@Override
public SecurityEventConstants.Event[] getSecurityEventType() {
return new SecurityEventConstants.Event[]{
- WSSecurityEventConstants.SignedPart
+ WSSecurityEventConstants.SignedPart,
+ WSSecurityEventConstants.SignedElement
};
}
@Override
public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
- SignedPartSecurityEvent signedPartSecurityEvent = (SignedPartSecurityEvent) securityEvent;
- AbstractSymmetricAsymmetricBinding abstractSymmetricAsymmetricBinding = (AbstractSymmetricAsymmetricBinding) getAssertion();
- if (abstractSymmetricAsymmetricBinding.isOnlySignEntireHeadersAndBody()
- && WSSUtils.pathMatches(signedPartSecurityEvent.getElementPath(), WSSConstants.SOAP_11_BODY_PATH, true, false)) {
- if (signedPartSecurityEvent.isSigned()) {
+ AbstractSecuredElementSecurityEvent abstractSecuredElementSecurityEvent = (AbstractSecuredElementSecurityEvent) securityEvent;
+ if (abstractSecuredElementSecurityEvent.isSigned()) {
+ List<QName> elementPath = abstractSecuredElementSecurityEvent.getElementPath();
+ if (elementPath.size() == 4 && WSSUtils.isInSecurityHeader(abstractSecuredElementSecurityEvent.getXmlSecEvent(), elementPath, roleOrActor)) {
setAsserted(true);
return true;
- } else {
- setAsserted(false);
- setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
- return false;
}
- }
- //body processed above. so this must be a header element
- if (abstractSymmetricAsymmetricBinding.isOnlySignEntireHeadersAndBody()) {
- if (signedPartSecurityEvent.isSigned()
- //todo revisit: the equality check for wsse_Security probably opens the door
- //for a rewriting attack! If the Security Header is not signed then all child
- //elements must be signed!
- // @see http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html#_Toc212617840
- || WSSUtils.pathMatches(signedPartSecurityEvent.getElementPath(), WSSConstants.WSSE_SECURITY_HEADER_PATH, true, false)) {
+ if (elementPath.size() == 3 && WSSUtils.isInSOAPHeader(elementPath)) {
+ setAsserted(true);
+ return true;
+ }
+ if (elementPath.size() == 2 && WSSUtils.isInSOAPBody(elementPath)) {
setAsserted(true);
return true;
- } else {
- setAsserted(false);
- setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
- return false;
}
+ setAsserted(false);
+ setErrorMessage("OnlySignEntireHeadersAndBody not fulfilled, offending element: " + WSSUtils.pathAsString(elementPath));
+ return false;
}
return true;
}
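Review bot: Each accepting branch still calls `setAsserted(true)`, which can flip a state that an earlier offending element set to false back to true if the enforcer keeps delivering events after a `false` return; since the state is now created asserted, those three calls are redundant and can simply be removed, leaving `setAsserted(false)` as the only mutation, or the enforcer's stop-on-first-failure behaviour should be confirmed. `roleOrActor` is set only in the constructor and can be `private final`. The class javadoc should spell out the negative-matching contract the depth checks encode: a signed SOAP header child (path length 3), the Body (length 2) or a direct child of the wsse:Security header for the configured actor (length 4) is accepted and anything deeper or elsewhere fails, and that unsigned events are ignored. Whether `getElementPath()` can be null for a SignedElement event is not visible here; if it can, the `elementPath.size()` calls need a guard.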
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java Wed Jun 12 07:35:39 2013
@@ -45,7 +45,8 @@ import java.util.List;
public class TokenProtectionAssertionState extends AssertionState implements Assertable {
private final List<SignedElementSecurityEvent> signedElementEvents = new LinkedList<SignedElementSecurityEvent>();
- private final List<TokenSecurityEvent<?>> tokenSecurityEvents = new LinkedList<TokenSecurityEvent<?>>();
+ private final List<TokenSecurityEvent<? extends SecurityToken>> tokenSecurityEvents =
+ new LinkedList<TokenSecurityEvent<? extends SecurityToken>>();
public TokenProtectionAssertionState(Assertion assertion, boolean initialAssertionState) {
super(assertion, initialAssertionState);
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java Wed Jun 12 07:35:39 2013
@@ -92,7 +92,7 @@ public class AbstractPolicyTestBase exte
element.appendChild(policyNode);
}
PolicyEnforcerFactory policyEnforcerFactory = PolicyEnforcerFactory.newInstance(document, customAssertionBuilders);
- PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("", false);
+ PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("", false, null);
return policyEnforcer;
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingIntegrationTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingIntegrationTest.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingIntegrationTest.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingIntegrationTest.java Wed Jun 12 07:35:39 2013
@@ -1914,7 +1914,7 @@ public class AsymmetricBindingIntegratio
" <wsp:Policy>\n" +
" <sp:InitiatorToken>\n" +
" <wsp:Policy>\n" +
- " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
+ " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
" <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
" <wsp:Policy>\n" +
" <sp:WssX509V3Token11/>\n" +
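Review bot: Switching both tokens from IncludeToken/AlwaysToRecipient to IncludeToken/Never is not mentioned in the log message and is not obviously required by the OnlySignEntireHeadersAndBody fix; if it is needed because an included BinarySecurityToken would itself be reported as a signed Security-header child, a short comment in the policy string or the log should say so. The RecipientToken hunk below makes the same change. The enclosing test method begins before this hunk.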
@@ -1924,7 +1924,7 @@ public class AsymmetricBindingIntegratio
" </sp:InitiatorToken>\n" +
" <sp:RecipientToken>\n" +
" <wsp:Policy>\n" +
- " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
+ " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
" <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
" <wsp:Policy>\n" +
" <sp:WssX509V3Token11/>\n" +
@@ -1946,14 +1946,112 @@ public class AsymmetricBindingIntegratio
" <sp:OnlySignEntireHeadersAndBody/>\n" +
" </wsp:Policy>\n" +
" </sp:AsymmetricBinding>\n" +
- " <sp:SignedParts>\n" +
+ " <sp:EncryptedParts>\n" +
" <sp:Body/>\n" +
- " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
+ " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
" <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
- " </sp:SignedParts>\n" +
- " <sp:SignedElements>\n" +
+ " </sp:EncryptedParts>\n" +
+ " <sp:EncryptedElements>\n" +
" <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
- " </sp:SignedElements>\n" +
+ " </sp:EncryptedElements>\n" +
+ " <sp:ContentEncryptedElements>\n" +
+ " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
+ " </sp:ContentEncryptedElements>\n" +
+ " </wsp:All>\n" +
+ " </wsp:ExactlyOne>";
+
+ WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
+ outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ outSecurityProperties.setEncryptionUser("receiver");
+ outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ outSecurityProperties.setSignatureUser("transmitter");
+ outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+
+ outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_wsu_Timestamp, SecurePart.Modifier.Element));
+ outSecurityProperties.addSignaturePart(new SecurePart(new QName("http://schemas.xmlsoap.org/wsdl/", "definitions"), SecurePart.Modifier.Element));
+ outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Created, SecurePart.Modifier.Element));
+ outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Expires, SecurePart.Modifier.Content));
+ outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_soap11_Body, SecurePart.Modifier.Content));
+ WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.TIMESTAMP, WSSConstants.SIGNATURE, WSSConstants.ENCRYPT};
+ outSecurityProperties.setOutAction(actions);
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ ByteArrayOutputStream baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
+
+ WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
+ inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+
+ PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
+ inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
+
+ try {
+ Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
+
+ //read the whole stream:
+ Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ transformer.transform(new DOMSource(document), new StreamResult(
+ new OutputStream() {
+ @Override
+ public void write(int b) throws IOException {
+ // > /dev/null
+ }
+ }
+ ));
+ Assert.fail("Exception expected");
+ } catch (XMLStreamException e) {
+ Assert.assertTrue(e.getCause() instanceof WSSecurityException);
+ Assert.assertEquals(e.getCause().getMessage(),
+ "OnlySignEntireHeadersAndBody not fulfilled, offending element: " +
+ "/{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body/{http://schemas.xmlsoap.org/wsdl/}definitions");
+ Assert.assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.INVALID_SECURITY);
+ }
+ }
+
+ @Test
+ public void testEntireHeaderAndBodySignatureNegative2() throws Exception {
+
+ String policyString =
+ "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
+ "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
+ " <wsp:All>\n" +
+ " <sp:AsymmetricBinding>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:InitiatorToken>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
+ " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:WssX509V3Token11/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:X509Token>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:InitiatorToken>\n" +
+ " <sp:RecipientToken>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n" +
+ " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:WssX509V3Token11/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:X509Token>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:RecipientToken>\n" +
+ " <sp:AlgorithmSuite>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:Basic256/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:AlgorithmSuite>\n" +
+ " <sp:Layout>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:Lax/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:Layout>\n" +
+ " <sp:IncludeTimestamp/>\n" +
+ " <sp:OnlySignEntireHeadersAndBody/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:AsymmetricBinding>\n" +
" <sp:EncryptedParts>\n" +
" <sp:Body/>\n" +
" <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
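Review bot: testEntireHeaderAndBodySignatureNegative2 repeats the outbound and inbound setup of the preceding negative test almost line for line (the block from the WSSSecurityProperties construction through the PolicyInputProcessor registration), differing only in which QName is added as a signature part and in the expected offending path; a private helper taking the signed QName and the expected path would make the intent of each negative case visible at a glance. The anonymous OutputStream used to drain the transformer output appears to be the same idiom repeated in the continuation of the second test and is a candidate for a single shared sink. The first test method begins before this hunk and the second one ends after it.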
@@ -1976,7 +2074,7 @@ public class AsymmetricBindingIntegratio
outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_wsu_Timestamp, SecurePart.Modifier.Element));
- outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_soap11_Body, SecurePart.Modifier.Element));
+ outSecurityProperties.addSignaturePart(new SecurePart(new QName("http://schemas.xmlsoap.org/wsdl/", "service"), SecurePart.Modifier.Element));
outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Created, SecurePart.Modifier.Element));
outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Expires, SecurePart.Modifier.Content));
outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_soap11_Body, SecurePart.Modifier.Content));
@@ -2011,7 +2109,8 @@ public class AsymmetricBindingIntegratio
} catch (XMLStreamException e) {
Assert.assertTrue(e.getCause() instanceof WSSecurityException);
Assert.assertEquals(e.getCause().getMessage(),
- "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://schemas.xmlsoap.org/wsdl/}definitions must be signed");
+ "OnlySignEntireHeadersAndBody not fulfilled, offending element: " +
+ "/{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://schemas.xmlsoap.org/wsdl/}definitions/{http://schemas.xmlsoap.org/wsdl/}service");
Assert.assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.INVALID_SECURITY);
}
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingTest.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingTest.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingTest.java Wed Jun 12 07:35:39 2013
@@ -26,6 +26,7 @@ import org.apache.wss4j.stax.securityTok
import org.apache.wss4j.stax.impl.securityToken.X509SecurityTokenImpl;
import org.apache.wss4j.stax.securityEvent.*;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+import org.apache.xml.security.stax.ext.stax.XMLSecEventFactory;
import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
import org.apache.xml.security.stax.securityEvent.X509TokenSecurityEvent;
import org.testng.Assert;
@@ -295,8 +296,14 @@ public class AsymmetricBindingTest exten
headerPath.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
encryptedElementSecurityEvent.setElementPath(headerPath);
policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
- SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null, false, protectionOrder);
- signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
+
+ SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null, true, protectionOrder);
+ QName elementName = new QName("http://www.example.com", "bodyChildElement");
+ signedPartSecurityEvent.setXmlSecEvent(XMLSecEventFactory.createXmlSecStartElement(elementName, null, null));
+ List<QName> elementPath = new ArrayList<QName>();
+ elementPath.addAll(WSSConstants.SOAP_11_BODY_PATH);
+ elementPath.add(elementName);
+ signedPartSecurityEvent.setElementPath(elementPath);
policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
@@ -307,8 +314,104 @@ public class AsymmetricBindingTest exten
} catch (WSSecurityException e) {
Assert.assertTrue(e.getCause() instanceof PolicyViolationException);
Assert.assertEquals(e.getCause().getMessage(),
- "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body must be signed");
+ "OnlySignEntireHeadersAndBody not fulfilled, offending element: " +
+ "/{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body/{http://www.example.com}bodyChildElement");
Assert.assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
}
}
+
+ @Test
+ public void testPolicyNotWholeSecurityHeaderChildSigned() throws Exception {
+ String policyString =
+ "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
+ "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
+ " <sp:AlgorithmSuite>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:Basic256/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:AlgorithmSuite>\n" +
+ "<sp:IncludeTimestamp/>\n" +
+ "<sp:EncryptSignature/>\n" +
+ "<sp:ProtectTokens/>\n" +
+ "<sp:OnlySignEntireHeadersAndBody/>\n" +
+ "</wsp:Policy>\n" +
+ "</sp:AsymmetricBinding>";
+ PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
+ TimestampSecurityEvent timestampSecurityEvent = new TimestampSecurityEvent();
+ policyEnforcer.registerSecurityEvent(timestampSecurityEvent);
+
+ X509TokenSecurityEvent x509TokenSecurityEvent = new X509TokenSecurityEvent();
+ X509SecurityTokenImpl securityToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
+ securityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
+ x509TokenSecurityEvent.setSecurityToken(securityToken);
+ policyEnforcer.registerSecurityEvent(x509TokenSecurityEvent);
+
+ x509TokenSecurityEvent = new X509TokenSecurityEvent();
+ securityToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
+ securityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainEncryption);
+ x509TokenSecurityEvent.setSecurityToken(securityToken);
+
+ policyEnforcer.registerSecurityEvent(x509TokenSecurityEvent);
+
+ List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<XMLSecurityConstants.ContentType>();
+ protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
+ protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
+ EncryptedElementSecurityEvent encryptedElementSecurityEvent = new EncryptedElementSecurityEvent(null, true, protectionOrder);
+ List<QName> headerPath = new ArrayList<QName>();
+ headerPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+ headerPath.add(WSSConstants.TAG_dsig_Signature);
+ encryptedElementSecurityEvent.setElementPath(headerPath);
+ policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
+
+ encryptedElementSecurityEvent = new EncryptedElementSecurityEvent(null, true, protectionOrder);
+ headerPath = new ArrayList<QName>();
+ headerPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+ headerPath.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
+ encryptedElementSecurityEvent.setElementPath(headerPath);
+ policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
+
+ SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null, true, protectionOrder);
+ QName elementName = WSSConstants.TAG_wsse_Username;
+ signedPartSecurityEvent.setXmlSecEvent(XMLSecEventFactory.createXmlSecStartElement(elementName, null, null));
+ List<QName> elementPath = new ArrayList<QName>();
+ elementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+ elementPath.add(WSSConstants.TAG_wsse_UsernameToken);
+ elementPath.add(elementName);
+ signedPartSecurityEvent.setElementPath(elementPath);
+ policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
+
+ OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
+ operationSecurityEvent.setOperation(new QName("definitions"));
+ try {
+ policyEnforcer.registerSecurityEvent(operationSecurityEvent);
+ Assert.fail("Exception expected");
+ } catch (WSSecurityException e) {
+ Assert.assertTrue(e.getCause() instanceof PolicyViolationException);
+ Assert.assertEquals(e.getCause().getMessage(),
+ "OnlySignEntireHeadersAndBody not fulfilled, offending element: " +
+ "/{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Username");
+ Assert.assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
+ }
+ }
+
+ @Test
+ public void testOnlySignEntireHeadersAndBodyPolicyNothingSigned() throws Exception {
+ String policyString =
+ "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
+ "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
+ " <sp:AlgorithmSuite>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:Basic256/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:AlgorithmSuite>\n" +
+ "<sp:OnlySignEntireHeadersAndBody/>\n" +
+ "</wsp:Policy>\n" +
+ "</sp:AsymmetricBinding>";
+ PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
+
+ OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
+ operationSecurityEvent.setOperation(new QName("definitions"));
+ policyEnforcer.registerSecurityEvent(operationSecurityEvent);
+ policyEnforcer.doFinal();
+ }
}
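Review bot: Neither new test exercises the accepting branch for a direct child of the wsse:Security header (`elementPath.size() == 4` with `WSSUtils.isInSecurityHeader`), and because AbstractPolicyTestBase now passes `null` as the actor, the actor/role matching introduced by this commit never sees a non-null value in this module's tests as far as the diff shows. A positive case that registers a signed part at the Security header path plus `WSSConstants.TAG_wsu_Timestamp`, and one where the enforcer is built with an explicit actor while the header carries a different one, would pin both sides of that check. testOnlySignEntireHeadersAndBodyPolicyNothingSigned is a useful contract test; a one-line comment such as `// a message without any signature satisfies OnlySignEntireHeadersAndBody; only offending signed elements fail it` would make the intent explicit.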
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/SymmetricBindingTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/SymmetricBindingTest.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/SymmetricBindingTest.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/SymmetricBindingTest.java Wed Jun 12 07:35:39 2013
@@ -26,6 +26,7 @@ import org.apache.wss4j.stax.securityTok
import org.apache.wss4j.stax.impl.securityToken.SecureConversationSecurityTokenImpl;
import org.apache.wss4j.stax.securityEvent.*;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+import org.apache.xml.security.stax.ext.stax.XMLSecEventFactory;
import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
import org.testng.Assert;
import org.testng.annotations.Test;
@@ -101,6 +102,7 @@ public class SymmetricBindingTest extend
policyEnforcer.registerSecurityEvent(operationSecurityEvent);
SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null, true, protectionOrder);
+ signedPartSecurityEvent.setXmlSecEvent(XMLSecEventFactory.createXmlSecStartElement(WSSConstants.TAG_soap11_Body, null, null));
signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
policyEnforcer.doFinal();
@@ -313,15 +315,21 @@ public class SymmetricBindingTest extend
operationSecurityEvent.setOperation(new QName("definitions"));
policyEnforcer.registerSecurityEvent(operationSecurityEvent);
- SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null, false, protectionOrder);
- signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
+ SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null, true, protectionOrder);
+ QName elementName = new QName("http://www.example.com", "bodyChildElement");
+ signedPartSecurityEvent.setXmlSecEvent(XMLSecEventFactory.createXmlSecStartElement(elementName, null, null));
+ List<QName> elementPath = new ArrayList<QName>();
+ elementPath.addAll(WSSConstants.SOAP_11_BODY_PATH);
+ elementPath.add(elementName);
+ signedPartSecurityEvent.setElementPath(elementPath);
try {
policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
Assert.fail("Exception expected");
} catch (WSSecurityException e) {
Assert.assertTrue(e.getCause() instanceof PolicyViolationException);
Assert.assertEquals(e.getCause().getMessage(),
- "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body must be signed");
+ "OnlySignEntireHeadersAndBody not fulfilled, offending element: " +
+ "/{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body/{http://www.example.com}bodyChildElement");
Assert.assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
}
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java Wed Jun 12 07:35:39 2013
@@ -74,7 +74,7 @@ public class VulnerabliltyVectorsTest ex
inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
PolicyEnforcerFactory policyEnforcerFactory = PolicyEnforcerFactory.newInstance(this.getClass().getClassLoader().getResource("testdata/wsdl/actionSpoofing.wsdl"));
- PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("emptyPolicy", false);
+ PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("emptyPolicy", false, null);
inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
try {
@@ -126,7 +126,7 @@ public class VulnerabliltyVectorsTest ex
inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
PolicyEnforcerFactory policyEnforcerFactory = PolicyEnforcerFactory.newInstance(this.getClass().getClassLoader().getResource("testdata/wsdl/actionSpoofing.wsdl"));
- PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("goodPolicy", false);
+ PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("goodPolicy", false, null);
inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
try {