Posted to commits@cxf.apache.org by co...@apache.org on 2015/04/03 13:35:32 UTC
[1/4] cxf git commit: Secure Conversation fix
Repository: cxf
Updated Branches:
refs/heads/master 102df12c6 -> 33c7781f4
Secure Conversation fix
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/33c7781f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/33c7781f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/33c7781f
Branch: refs/heads/master
Commit: 33c7781f4f847431a7bbdc9335657d3281cd525e
Parents: d5d87b8
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Apr 3 11:42:26 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Apr 3 12:33:57 2015 +0100
----------------------------------------------------------------------
.../policy/interceptors/NegotiationUtils.java | 42 ++++++++++----------
1 file changed, 22 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/33c7781f/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
index 2b0ca66..82862f3 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
@@ -221,31 +221,33 @@ final class NegotiationUtils {
}
for (WSHandlerResult rResult : results) {
+
List<WSSecurityEngineResult> sctResults =
rResult.getActionResults().get(WSConstants.SCT);
+ if (sctResults != null) {
+ for (WSSecurityEngineResult wser : sctResults) {
+ SecurityContextToken tok =
+ (SecurityContextToken)wser.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
+ message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getIdentifier());
- for (WSSecurityEngineResult wser : sctResults) {
- SecurityContextToken tok =
- (SecurityContextToken)wser.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
- message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getIdentifier());
-
- SecurityToken token = TokenStoreUtils.getTokenStore(message).getToken(tok.getIdentifier());
- if (token == null || token.isExpired()) {
- byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
- if (secret != null) {
- token = new SecurityToken(tok.getIdentifier());
- token.setToken(tok.getElement());
- token.setSecret(secret);
- token.setTokenType(tok.getTokenType());
- TokenStoreUtils.getTokenStore(message).add(token);
+ SecurityToken token = TokenStoreUtils.getTokenStore(message).getToken(tok.getIdentifier());
+ if (token == null || token.isExpired()) {
+ byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
+ if (secret != null) {
+ token = new SecurityToken(tok.getIdentifier());
+ token.setToken(tok.getElement());
+ token.setSecret(secret);
+ token.setTokenType(tok.getTokenType());
+ TokenStoreUtils.getTokenStore(message).add(token);
+ }
}
- }
- if (token != null) {
- final SecurityContext sc = token.getSecurityContext();
- if (sc != null) {
- message.put(SecurityContext.class, sc);
+ if (token != null) {
+ final SecurityContext sc = token.getSecurityContext();
+ if (sc != null) {
+ message.put(SecurityContext.class, sc);
+ }
+ return true;
}
- return true;
}
}
}
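Review bot: An expired token can still pass the final `if (token != null)` check in this loop. When `token.isExpired()` is true and `TAG_SECRET` is null, `token` keeps pointing at the expired store entry, its SecurityContext is put on the message and the method returns true. Consider `if (token != null && !token.isExpired()) {` there, or add a comment explaining why an expired entry is acceptable at this point. The result of the `(SecurityContextToken)` cast is also dereferenced without a null check. The earlier 2f164ec2 hunk of this file has the same logic; the enclosing method starts outside the hunk, so what `true` means to the caller should be confirmed.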
[2/4] cxf git commit: Another sweep of the policy validation code
Posted by co...@apache.org.
Another sweep of the policy validation code
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2f164ec2
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2f164ec2
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2f164ec2
Branch: refs/heads/master
Commit: 2f164ec218a1e850d8cc4a6a9ffdb6dba248895f
Parents: f7a64ca
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Apr 3 00:39:02 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Apr 3 12:33:57 2015 +0100
----------------------------------------------------------------------
.../IssuedTokenInterceptorProvider.java | 4 +-
.../policy/interceptors/NegotiationUtils.java | 46 +++++-----
.../security/wss4j/CryptoCoverageChecker.java | 17 ++--
.../wss4j/PolicyBasedWSS4JInInterceptor.java | 10 +--
.../policyhandlers/AbstractBindingBuilder.java | 39 +++++----
.../policyhandlers/SymmetricBindingHandler.java | 12 +--
.../AbstractBindingPolicyValidator.java | 6 +-
.../AbstractSupportingTokenPolicyValidator.java | 91 +++++++++-----------
.../AlgorithmSuitePolicyValidator.java | 29 ++++---
.../KerberosTokenPolicyValidator.java | 9 +-
10 files changed, 130 insertions(+), 133 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
index c6f12b0..dd14252 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
@@ -179,9 +179,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
parameters.setMessage(message);
parameters.setResults(rResult);
- List<WSSecurityEngineResult> signedResults =
- rResult.getActionResults().get(WSConstants.SIGN);
- parameters.setSignedResults(signedResults);
+ parameters.setSignedResults(rResult.getActionResults().get(WSConstants.SIGN));
List<WSSecurityEngineResult> samlResults = new ArrayList<>();
if (rResult.getActionResults().containsKey(WSConstants.ST_SIGNED)) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
index 6690523..2b0ca66 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
@@ -221,33 +221,31 @@ final class NegotiationUtils {
}
for (WSHandlerResult rResult : results) {
- List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
+ List<WSSecurityEngineResult> sctResults =
+ rResult.getActionResults().get(WSConstants.SCT);
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.SCT) {
- SecurityContextToken tok =
- (SecurityContextToken)wser.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
- message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getIdentifier());
-
- SecurityToken token = TokenStoreUtils.getTokenStore(message).getToken(tok.getIdentifier());
- if (token == null || token.isExpired()) {
- byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
- if (secret != null) {
- token = new SecurityToken(tok.getIdentifier());
- token.setToken(tok.getElement());
- token.setSecret(secret);
- token.setTokenType(tok.getTokenType());
- TokenStoreUtils.getTokenStore(message).add(token);
- }
+ for (WSSecurityEngineResult wser : sctResults) {
+ SecurityContextToken tok =
+ (SecurityContextToken)wser.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
+ message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getIdentifier());
+
+ SecurityToken token = TokenStoreUtils.getTokenStore(message).getToken(tok.getIdentifier());
+ if (token == null || token.isExpired()) {
+ byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
+ if (secret != null) {
+ token = new SecurityToken(tok.getIdentifier());
+ token.setToken(tok.getElement());
+ token.setSecret(secret);
+ token.setTokenType(tok.getTokenType());
+ TokenStoreUtils.getTokenStore(message).add(token);
}
- if (token != null) {
- final SecurityContext sc = token.getSecurityContext();
- if (sc != null) {
- message.put(SecurityContext.class, sc);
- }
- return true;
+ }
+ if (token != null) {
+ final SecurityContext sc = token.getSecurityContext();
+ if (sc != null) {
+ message.put(SecurityContext.class, sc);
}
+ return true;
}
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
index 9a71a9e..0b634d2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
@@ -139,11 +139,11 @@ public class CryptoCoverageChecker extends AbstractSoapInterceptor {
// Get all encrypted and signed references
for (WSHandlerResult wshr : results) {
- for (WSSecurityEngineResult result : wshr.getResults()) {
- Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt == WSConstants.SIGN) {
+ List<WSSecurityEngineResult> signedResults = wshr.getActionResults().get(WSConstants.SIGN);
+ if (signedResults != null) {
+ for (WSSecurityEngineResult signedResult : signedResults) {
List<WSDataRef> sl =
- CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
if (sl != null) {
if (sl.size() == 1
&& sl.get(0).getName().equals(new QName(WSConstants.SIG_NS, WSConstants.SIG_LN))) {
@@ -153,9 +153,14 @@ public class CryptoCoverageChecker extends AbstractSoapInterceptor {
signed.addAll(sl);
}
- } else if (actInt == WSConstants.ENCR) {
+ }
+ }
+
+ List<WSSecurityEngineResult> encryptedResults = wshr.getActionResults().get(WSConstants.ENCR);
+ if (encryptedResults != null) {
+ for (WSSecurityEngineResult encryptedResult : encryptedResults) {
List<WSDataRef> el =
- CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ CastUtils.cast((List<?>)encryptedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
if (el != null) {
encrypted.addAll(el);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 59c73f0..c4c8b37 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -429,7 +429,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
private boolean assertTokens(AssertionInfoMap aim,
String name,
- Collection<WSDataRef> signed,
+ Collection<WSDataRef> dataRefs,
SoapMessage msg,
Element soapHeader,
Element soapBody,
@@ -444,11 +444,11 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
try {
if (CoverageType.SIGNED.equals(type)) {
CryptoCoverageUtil.checkBodyCoverage(
- soapBody, signed, type, CoverageScope.ELEMENT
+ soapBody, dataRefs, type, CoverageScope.ELEMENT
);
} else {
CryptoCoverageUtil.checkBodyCoverage(
- soapBody, signed, type, CoverageScope.CONTENT
+ soapBody, dataRefs, type, CoverageScope.CONTENT
);
}
} catch (WSSecurityException e) {
@@ -459,7 +459,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
for (Header h : p.getHeaders()) {
try {
- CryptoCoverageUtil.checkHeaderCoverage(soapHeader, signed, h
+ CryptoCoverageUtil.checkHeaderCoverage(soapHeader, dataRefs, h
.getNamespace(), h.getName(), type,
CoverageScope.ELEMENT);
} catch (WSSecurityException e) {
@@ -474,7 +474,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
if (attachments.isContentSignatureTransform()) {
scope = CoverageScope.CONTENT;
}
- CryptoCoverageUtil.checkAttachmentsCoverage(msg.getAttachments(), signed,
+ CryptoCoverageUtil.checkAttachmentsCoverage(msg.getAttachments(), dataRefs,
type, scope);
} catch (WSSecurityException e) {
ai.setNotAsserted("An attachment was not signed/encrypted");
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index a866496..306dafd 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -1581,16 +1581,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
* receiving Actor and the sending Actor match.
*/
for (WSHandlerResult rResult : results) {
- List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
- /*
- * Scan the results for the first Signature action. Use the
- * certificate of this Signature to set the certificate for the
- * encryption action :-).
- */
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.SIGN) {
- return (X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ List<WSSecurityEngineResult> signedResults =
+ rResult.getActionResults().get(WSConstants.SIGN);
+ if (signedResults != null) {
+ /*
+ * Scan the results for the first Signature action. Use the
+ * certificate of this Signature to set the certificate for the
+ * encryption action :-).
+ */
+ for (WSSecurityEngineResult signedResult : signedResults) {
+ if (signedResult.containsKey(WSSecurityEngineResult.TAG_X509_CERTIFICATE)) {
+ return (X509Certificate)signedResult.get(
+ WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ }
}
}
}
@@ -1634,15 +1637,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
.get(WSHandlerConstants.RECV_RESULTS));
for (WSHandlerResult rResult : results) {
- List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
-
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- String encryptedKeyID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
- if (actInt.intValue() == WSConstants.ENCR
- && encryptedKeyID != null
- && encryptedKeyID.length() != 0) {
- return wser;
+ List<WSSecurityEngineResult> encryptedResults = rResult.getResults();
+ if (encryptedResults != null) {
+ for (WSSecurityEngineResult wser : encryptedResults) {
+ String encryptedKeyID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
+ if (encryptedKeyID != null && encryptedKeyID.length() != 0) {
+ return wser;
+ }
}
}
}
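Review bot: The rewritten loop no longer filters on the encryption action. `encryptedResults` is assigned from `rResult.getResults()`, which is every result, whereas the removed code required `actInt.intValue() == WSConstants.ENCR`. As written, the first result of any action type with a non-empty `TAG_ID` is returned. To match the other hunks in this commit, use `List<WSSecurityEngineResult> encryptedResults = rResult.getActionResults().get(WSConstants.ENCR);`. The enclosing method begins outside the hunk, so the effect on callers that treat the return value as an encrypted-key result should be confirmed.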
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index 65d4a2f..bfc67e0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -950,12 +950,12 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
.get(WSHandlerConstants.RECV_RESULTS));
for (WSHandlerResult rResult : results) {
- List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
+ List<WSSecurityEngineResult> wsSecEngineResults =
+ rResult.getActionResults().get(WSConstants.UT_NOPASSWORD);
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- String utID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
- if (actInt.intValue() == WSConstants.UT_NOPASSWORD) {
+ if (wsSecEngineResults != null) {
+ for (WSSecurityEngineResult wser : wsSecEngineResults) {
+ String utID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
if (utID == null || utID.length() == 0) {
utID = wssConfig.getIdAllocator().createId("UsernameToken-", null);
}
@@ -963,7 +963,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
Date expires = new Date();
expires.setTime(created.getTime() + 300000);
SecurityToken tempTok = new SecurityToken(utID, created, expires);
-
+
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
tempTok.setSecret(secret);
tokenStore.add(tempTok);
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index d79470f..55a00b5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
@@ -310,12 +310,10 @@ public abstract class AbstractBindingPolicyValidator implements SecurityPolicyVa
List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults
) {
- for (int i = 0; i < signedResults.size(); i++) {
- WSSecurityEngineResult result = signedResults.get(i);
+ for (WSSecurityEngineResult result : signedResults) {
// Get the Token result that was used for the signature
- WSSecurityEngineResult tokenResult =
- findCorrespondingToken(result, results);
+ WSSecurityEngineResult tokenResult = findCorrespondingToken(result, results);
if (tokenResult == null) {
return false;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index 74cf2c0..ad0c835 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -39,7 +39,6 @@ import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
-
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
@@ -57,6 +56,7 @@ import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
@@ -109,12 +109,12 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
return false;
}
- if (derived) {
+ if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
for (WSSecurityEngineResult wser : parameters.getUsernameTokenResults()) {
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
if (secret != null) {
WSSecurityEngineResult dktResult =
- getMatchingDerivedKey(secret, parameters.getResults().getResults());
+ getMatchingDerivedKey(secret, parameters.getResults());
if (dktResult != null) {
tokenResults.add(dktResult);
}
@@ -173,10 +173,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* Process Kerberos Tokens.
*/
protected boolean processKerberosTokens(PolicyValidatorParameters parameters, boolean derived) {
- List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
- for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.BST) {
+ List<WSSecurityEngineResult> tokenResults = null;
+ if (parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
+ tokenResults = new ArrayList<>();
+ for (WSSecurityEngineResult wser
+ : parameters.getResults().getActionResults().get(WSConstants.BST)) {
BinarySecurity binarySecurity =
(BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof KerberosSecurity) {
@@ -185,7 +186,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
}
}
- if (tokenResults.isEmpty()) {
+ if (tokenResults == null || tokenResults.isEmpty()) {
return false;
}
@@ -199,12 +200,12 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
return false;
}
- if (derived) {
+ if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
for (WSSecurityEngineResult wser : tokenResults) {
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
WSSecurityEngineResult dktResult =
- getMatchingDerivedKey(secret, parameters.getResults().getResults());
+ getMatchingDerivedKey(secret, parameters.getResults());
if (dktResult != null) {
dktResults.add(dktResult);
}
@@ -231,10 +232,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* Process X509 Tokens.
*/
protected boolean processX509Tokens(PolicyValidatorParameters parameters, boolean derived) {
- List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
- for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.BST) {
+ List<WSSecurityEngineResult> tokenResults = null;
+ if (parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
+ tokenResults = new ArrayList<>();
+ for (WSSecurityEngineResult wser
+ : parameters.getResults().getActionResults().get(WSConstants.BST)) {
BinarySecurity binarySecurity =
(BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof X509Security
@@ -244,7 +246,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
}
}
- if (tokenResults.isEmpty()) {
+ if (tokenResults == null || tokenResults.isEmpty()) {
return false;
}
@@ -258,11 +260,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
return false;
}
- if (derived) {
+ if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
for (WSSecurityEngineResult wser : tokenResults) {
WSSecurityEngineResult resultToStore =
- processX509DerivedTokenResult(wser, parameters.getResults().getResults());
+ processX509DerivedTokenResult(wser, parameters.getResults());
if (resultToStore != null) {
dktResults.add(resultToStore);
}
@@ -289,16 +291,19 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* Process KeyValue Tokens.
*/
protected boolean processKeyValueTokens(PolicyValidatorParameters parameters) {
- List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
- for (WSSecurityEngineResult wser : parameters.getSignedResults()) {
- PublicKey publicKey =
- (PublicKey)wser.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
- if (publicKey != null) {
- tokenResults.add(wser);
+ List<WSSecurityEngineResult> tokenResults = null;
+ if (parameters.getSignedResults() != null && !parameters.getSignedResults().isEmpty()) {
+ tokenResults = new ArrayList<>();
+ for (WSSecurityEngineResult wser : parameters.getSignedResults()) {
+ PublicKey publicKey =
+ (PublicKey)wser.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+ if (publicKey != null) {
+ tokenResults.add(wser);
+ }
}
}
- if (tokenResults.isEmpty()) {
+ if (tokenResults == null || tokenResults.isEmpty()) {
return false;
}
@@ -359,17 +364,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* Process Security Context Tokens.
*/
protected boolean processSCTokens(PolicyValidatorParameters parameters, boolean derived) {
- List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
- for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.SCT) {
- tokenResults.add(wser);
- }
- }
-
- if (tokenResults.isEmpty()) {
+ if (!parameters.getResults().getActionResults().containsKey(WSConstants.SCT)) {
return false;
}
+ List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
+ tokenResults.addAll(parameters.getResults().getActionResults().get(WSConstants.SCT));
if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(),
parameters.getEncryptedResults(),
@@ -381,12 +380,12 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
return false;
}
- if (derived) {
+ if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
for (WSSecurityEngineResult wser : tokenResults) {
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
WSSecurityEngineResult dktResult =
- getMatchingDerivedKey(secret, parameters.getResults().getResults());
+ getMatchingDerivedKey(secret, parameters.getResults());
if (dktResult != null) {
dktResults.add(dktResult);
}
@@ -414,7 +413,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* find a DerivedKey element that matches that EncryptedKey element.
*/
private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result,
- List<WSSecurityEngineResult> results) {
+ WSHandlerResult results) {
X509Certificate cert =
(X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert, results);
@@ -433,14 +432,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* matches the parameter.
*/
private WSSecurityEngineResult getMatchingDerivedKey(byte[] secret,
- List<WSSecurityEngineResult> results) {
- for (WSSecurityEngineResult wser : results) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.DKT) {
- byte[] dktSecret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
- if (Arrays.equals(secret, dktSecret)) {
- return wser;
- }
+ WSHandlerResult results) {
+ for (WSSecurityEngineResult wser : results.getActionResults().get(WSConstants.DKT)) {
+ byte[] dktSecret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
+ if (Arrays.equals(secret, dktSecret)) {
+ return wser;
}
}
return null;
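Review bot: `getMatchingDerivedKey` iterates `results.getActionResults().get(WSConstants.DKT)` with no null guard, so it throws a NullPointerException if the map has no DKT entry. The callers visible in this commit check `containsKey(WSConstants.DKT)` first, so the helper is safe only by caller convention, while `getMatchingEncryptedKey` in the next hunk guards itself. Suggest the same here: `List<WSSecurityEngineResult> dktResults = results.getActionResults().get(WSConstants.DKT);` followed by `if (dktResults == null) { return null; }` before the loop. The Javadoc should also state that null is returned when no derived key matches.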
@@ -450,10 +446,9 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* Get a security result representing an EncryptedKey that matches the parameter.
*/
private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate cert,
- List<WSSecurityEngineResult> results) {
- for (WSSecurityEngineResult wser : results) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.ENCR) {
+ WSHandlerResult results) {
+ if (results.getActionResults().containsKey(WSConstants.ENCR)) {
+ for (WSSecurityEngineResult wser : results.getActionResults().get(WSConstants.ENCR)) {
X509Certificate encrCert =
(X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
if (cert.equals(encrCert)) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index 706e0a5..3add3ed 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -35,7 +35,6 @@ import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.transform.STRTransform;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
@@ -70,7 +69,8 @@ public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidat
AlgorithmSuite algorithmSuite = (AlgorithmSuite)ai.getAssertion();
ai.setAsserted(true);
- boolean valid = validatePolicy(ai, algorithmSuite, parameters.getResults());
+ boolean valid = validatePolicy(ai, algorithmSuite, parameters.getSignedResults(),
+ parameters.getEncryptedResults());
if (valid) {
String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
String name = algorithmSuite.getAlgorithmSuiteType().getName();
@@ -88,20 +88,23 @@ public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidat
}
private boolean validatePolicy(
- AssertionInfo ai, AlgorithmSuite algorithmPolicy, WSHandlerResult results
+ AssertionInfo ai, AlgorithmSuite algorithmPolicy,
+ List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults
) {
- boolean success = true;
- for (WSSecurityEngineResult result : results.getResults()) {
- Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
- if (WSConstants.SIGN == actInt
- && !checkSignatureAlgorithms(result, algorithmPolicy, ai)) {
- success = false;
- } else if (WSConstants.ENCR == actInt
- && !checkEncryptionAlgorithms(result, algorithmPolicy, ai)) {
- success = false;
+ for (WSSecurityEngineResult signedResult : signedResults) {
+ if (!checkSignatureAlgorithms(signedResult, algorithmPolicy, ai)) {
+ return false;
}
}
- return success;
+ if (encryptedResults != null) {
+ for (WSSecurityEngineResult encryptedResult : encryptedResults) {
+ if (!checkEncryptionAlgorithms(encryptedResult, algorithmPolicy, ai)) {
+ return false;
+ }
+ }
+ }
+
+ return true;
}
/**
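Review bot: `signedResults` is iterated with no null guard in the rewritten `validatePolicy`, while `encryptedResults` a few lines later gets one; unless every caller guarantees a list, the first loop needs the same guard, `if (signedResults != null) {`. The signed list pre-fetched in PolicyBasedWSS4JInInterceptor elsewhere on this page also collects `UT_SIGN` and `ST_SIGNED` results, so `checkSignatureAlgorithms` would now see more than the `SIGN` results the removed loop selected by `TAG_ACTION`. Whether that widening is intended cannot be told from this hunk. The follow-up commit on this page goes back to selecting by action.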
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
index 6c05801..e8cb852 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
@@ -69,7 +69,7 @@ public class KerberosTokenPolicyValidator extends AbstractSecurityPolicyValidato
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
List<WSSecurityEngineResult> kerberosResults =
- findKerberosResults(parameters.getResults().getResults());
+ findKerberosResults(parameters.getResults().getActionResults().get(WSConstants.BST));
for (WSSecurityEngineResult kerberosResult : kerberosResults) {
KerberosSecurity kerberosToken =
@@ -146,11 +146,10 @@ public class KerberosTokenPolicyValidator extends AbstractSecurityPolicyValidato
return false;
}
- private List<WSSecurityEngineResult> findKerberosResults(List<WSSecurityEngineResult> wsSecEngineResults) {
+ private List<WSSecurityEngineResult> findKerberosResults(List<WSSecurityEngineResult> bstResults) {
List<WSSecurityEngineResult> results = new ArrayList<>();
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.BST) {
+ if (bstResults != null) {
+ for (WSSecurityEngineResult wser : bstResults) {
BinarySecurity binarySecurity =
(BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof KerberosSecurity) {
[3/4] cxf git commit: Fix for last commit
Posted by co...@apache.org.
Fix for last commit
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d5d87b8c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d5d87b8c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d5d87b8c
Branch: refs/heads/master
Commit: d5d87b8c7949bd0d8d8d5b5d5dc435e14aaf8fa4
Parents: 2f164ec
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Apr 3 11:12:52 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Apr 3 12:33:57 2015 +0100
----------------------------------------------------------------------
.../policyhandlers/AbstractBindingBuilder.java | 2 +-
.../AlgorithmSuitePolicyValidator.java | 23 +++++++++-----------
2 files changed, 11 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d5d87b8c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 306dafd..0ceb193 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -1637,7 +1637,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
.get(WSHandlerConstants.RECV_RESULTS));
for (WSHandlerResult rResult : results) {
- List<WSSecurityEngineResult> encryptedResults = rResult.getResults();
+ List<WSSecurityEngineResult> encryptedResults = rResult.getActionResults().get(WSConstants.ENCR);
if (encryptedResults != null) {
for (WSSecurityEngineResult wser : encryptedResults) {
String encryptedKeyID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
http://git-wip-us.apache.org/repos/asf/cxf/blob/d5d87b8c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index 3add3ed..5488764 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -69,8 +69,7 @@ public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidat
AlgorithmSuite algorithmSuite = (AlgorithmSuite)ai.getAssertion();
ai.setAsserted(true);
- boolean valid = validatePolicy(ai, algorithmSuite, parameters.getSignedResults(),
- parameters.getEncryptedResults());
+ boolean valid = validatePolicy(ai, algorithmSuite, parameters.getResults().getResults());
if (valid) {
String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
String name = algorithmSuite.getAlgorithmSuiteType().getName();
@@ -88,19 +87,17 @@ public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidat
}
private boolean validatePolicy(
- AssertionInfo ai, AlgorithmSuite algorithmPolicy,
- List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults
+ AssertionInfo ai, AlgorithmSuite algorithmPolicy, List<WSSecurityEngineResult> results
) {
- for (WSSecurityEngineResult signedResult : signedResults) {
- if (!checkSignatureAlgorithms(signedResult, algorithmPolicy, ai)) {
+
+ for (WSSecurityEngineResult result : results) {
+ Integer action = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+ if (WSConstants.SIGN == action
+ && !checkSignatureAlgorithms(result, algorithmPolicy, ai)) {
+ return false;
+ } else if (WSConstants.ENCR == action
+ && !checkEncryptionAlgorithms(result, algorithmPolicy, ai)) {
return false;
- }
- }
- if (encryptedResults != null) {
- for (WSSecurityEngineResult encryptedResult : encryptedResults) {
- if (!checkEncryptionAlgorithms(encryptedResult, algorithmPolicy, ai)) {
- return false;
- }
}
}
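Review bot: The reason `validatePolicy` goes back to walking the full result list is not recorded in the code, and the one-line commit message does not give it either. A comment above the loop would stop a later refactor from swapping the pre-fetched lists back in, for example `// Select by TAG_ACTION: only SIGN and ENCR results are checked against the algorithm suite`. The comparison `WSConstants.SIGN == action` unboxes `action`, so a result without `TAG_ACTION` would throw instead of being skipped; that fails closed, but it is worth a word in the same comment. The end of the method is outside the hunk.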
[4/4] cxf git commit: Picking up latest WSS4J changes
Posted by co...@apache.org.
Picking up latest WSS4J changes
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f7a64ca9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f7a64ca9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f7a64ca9
Branch: refs/heads/master
Commit: f7a64ca9f12fa2523c35bc5add4be3e979a7604f
Parents: 102df12
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Apr 2 21:48:49 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Apr 3 12:33:57 2015 +0100
----------------------------------------------------------------------
.../IssuedTokenInterceptorProvider.java | 19 +++---
.../KerberosTokenInterceptorProvider.java | 2 +-
.../wss4j/PolicyBasedWSS4JInInterceptor.java | 66 +++++++++++---------
.../ws/security/wss4j/WSS4JInInterceptor.java | 2 +-
.../policyhandlers/AbstractBindingBuilder.java | 12 ++--
.../AbstractBindingPolicyValidator.java | 15 +++--
.../AbstractSupportingTokenPolicyValidator.java | 26 ++++----
.../AlgorithmSuitePolicyValidator.java | 5 +-
.../AsymmetricBindingPolicyValidator.java | 13 ++--
.../IssuedTokenPolicyValidator.java | 5 +-
.../KerberosTokenPolicyValidator.java | 3 +-
.../policyvalidators/LayoutPolicyValidator.java | 55 ++++++++++------
.../PolicyValidatorParameters.java | 8 +--
.../SecurityContextTokenPolicyValidator.java | 5 +-
.../SymmetricBindingPolicyValidator.java | 13 ++--
.../policyvalidators/WSS11PolicyValidator.java | 7 +--
.../X509TokenPolicyValidator.java | 20 +++---
.../wss4j/AbstractPolicySecurityTest.java | 21 ++++---
.../cxf/ws/security/wss4j/CustomProcessor.java | 1 +
.../security/wss4j/SecurityActionTokenTest.java | 7 +--
.../cxf/ws/security/wss4j/WSS4JInOutTest.java | 13 ++--
.../ws/security/wss4j/saml/SamlTokenTest.java | 25 ++++----
.../cxf/sts/operation/AbstractOperation.java | 9 ++-
.../cxf/sts/token/canceller/SCTCanceller.java | 14 ++---
.../cxf/sts/token/renewer/SAMLTokenRenewer.java | 12 ++--
.../transformation/DoubleItPortTypeImpl.java | 3 +-
26 files changed, 194 insertions(+), 187 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
index 7014a77..c6f12b0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
@@ -49,7 +49,6 @@ import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
@@ -178,19 +177,19 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
PolicyValidatorParameters parameters = new PolicyValidatorParameters();
parameters.setAssertionInfoMap(message.get(AssertionInfoMap.class));
parameters.setMessage(message);
- parameters.setResults(rResult.getResults());
+ parameters.setResults(rResult);
- final List<Integer> actions = new ArrayList<>(1);
- actions.add(WSConstants.SIGN);
List<WSSecurityEngineResult> signedResults =
- WSSecurityUtil.fetchAllActionResults(rResult.getResults(), actions);
+ rResult.getActionResults().get(WSConstants.SIGN);
parameters.setSignedResults(signedResults);
- final List<Integer> samlActions = new ArrayList<>(2);
- samlActions.add(WSConstants.ST_SIGNED);
- samlActions.add(WSConstants.ST_UNSIGNED);
- List<WSSecurityEngineResult> samlResults =
- WSSecurityUtil.fetchAllActionResults(rResult.getResults(), samlActions);
+ List<WSSecurityEngineResult> samlResults = new ArrayList<>();
+ if (rResult.getActionResults().containsKey(WSConstants.ST_SIGNED)) {
+ samlResults.addAll(rResult.getActionResults().get(WSConstants.ST_SIGNED));
+ }
+ if (rResult.getActionResults().containsKey(WSConstants.ST_UNSIGNED)) {
+ samlResults.addAll(rResult.getActionResults().get(WSConstants.ST_UNSIGNED));
+ }
parameters.setSamlResults(samlResults);
SecurityPolicyValidator issuedValidator = new IssuedTokenPolicyValidator();
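Review bot: `signedResults` can now be null when the message carries no `SIGN` result, because it is taken straight from `getActionResults().get(WSConstants.SIGN)` and handed to `parameters.setSignedResults(...)`, whereas `samlResults` just below is always a list. The removed `fetchAllActionResults` call appears to have returned an empty list in that case (other removed code on this page loops over its result unguarded), so validators that iterate the signed results may rely on that. Building it the same way as `samlResults` keeps the old contract: `List<WSSecurityEngineResult> signedResults = new ArrayList<>();` followed by `if (rResult.getActionResults().containsKey(WSConstants.SIGN)) { signedResults.addAll(rResult.getActionResults().get(WSConstants.SIGN)); }`.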
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
index 03fe704..7d3bc51 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
@@ -196,7 +196,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
PolicyValidatorParameters parameters = new PolicyValidatorParameters();
parameters.setAssertionInfoMap(message.get(AssertionInfoMap.class));
parameters.setMessage(message);
- parameters.setResults(rResult.getResults());
+ parameters.setResults(rResult);
SecurityPolicyValidator kerberosValidator = new KerberosTokenPolicyValidator();
kerberosValidator.validatePolicies(parameters, ais);
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 683ea34..59c73f0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -82,7 +82,6 @@ import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.Timestamp;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SP13Constants;
@@ -603,12 +602,16 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
//
// Pre-fetch various results
//
- final List<Integer> actions = new ArrayList<>(3);
- actions.add(WSConstants.SIGN);
- actions.add(WSConstants.UT_SIGN);
- actions.add(WSConstants.ST_SIGNED);
- List<WSSecurityEngineResult> signedResults =
- WSSecurityUtil.fetchAllActionResults(results.getResults(), actions);
+ List<WSSecurityEngineResult> signedResults = new ArrayList<>();
+ if (results.getActionResults().containsKey(WSConstants.SIGN)) {
+ signedResults.addAll(results.getActionResults().get(WSConstants.SIGN));
+ }
+ if (results.getActionResults().containsKey(WSConstants.UT_SIGN)) {
+ signedResults.addAll(results.getActionResults().get(WSConstants.UT_SIGN));
+ }
+ if (results.getActionResults().containsKey(WSConstants.ST_SIGNED)) {
+ signedResults.addAll(results.getActionResults().get(WSConstants.ST_SIGNED));
+ }
Collection<WSDataRef> signed = new HashSet<>();
for (WSSecurityEngineResult result : signedResults) {
List<WSDataRef> sl =
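Review bot: The `containsKey` / `addAll(get(...))` pair is written out three times in this hunk, and each pair looks the key up twice. It recurs for `utResults`, `samlResults` and the timestamp in a later hunk of this file, and in the IssuedTokenInterceptorProvider and AbstractBindingBuilder hunks. A small private helper that takes the `WSHandlerResult` and the action codes and returns a never-null list would remove the repetition. It would also leave one place to audit which actions (`SIGN`, `UT_SIGN`, `ST_SIGNED`) count as signed for policy validation. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: "Pre-fetch various results" comment …
List<WSSecurityEngineResult> signedResults =
    collectActionResults(results, WSConstants.SIGN, WSConstants.UT_SIGN, WSConstants.ST_SIGNED);
// … unchanged: loop that gathers the signed WSDataRef entries …

/** Returns the results recorded for the given actions, in the order given; never null. */
private static List<WSSecurityEngineResult> collectActionResults(
    WSHandlerResult handlerResult, int... actions
) {
    List<WSSecurityEngineResult> collected = new ArrayList<>();
    for (int action : actions) {
        List<WSSecurityEngineResult> found = handlerResult.getActionResults().get(action);
        if (found != null) {
            collected.addAll(found);
        }
    }
    return collected;
}
```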
@@ -620,15 +623,16 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
}
}
- List<WSSecurityEngineResult> encryptResults =
- WSSecurityUtil.fetchAllActionResults(results.getResults(), WSConstants.ENCR);
+ List<WSSecurityEngineResult> encryptResults = results.getActionResults().get(WSConstants.ENCR);
Collection<WSDataRef> encrypted = new HashSet<>();
- for (WSSecurityEngineResult result : encryptResults) {
- List<WSDataRef> sl =
- CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
- if (sl != null) {
- for (WSDataRef r : sl) {
- encrypted.add(r);
+ if (encryptResults != null) {
+ for (WSSecurityEngineResult result : encryptResults) {
+ List<WSDataRef> sl =
+ CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ if (sl != null) {
+ for (WSDataRef r : sl) {
+ encrypted.add(r);
+ }
}
}
}
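Review bot: The new null check protects only this loop; the same possibly-null `encryptResults` reference is passed to `parameters.setEncryptedResults(...)` in the next hunk, so every validator that reads it has to repeat the guard. The AbstractSupportingTokenPolicyValidator hunk on this page shows `for (WSSecurityEngineResult result : encryptedResults)` as context with no guard visible in that excerpt; if that list comes from the parameters object, it would throw on a message with no encrypted parts. Normalising once at the source avoids this: `if (encryptResults == null) { encryptResults = new ArrayList<>(); }` directly after the lookup.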
@@ -645,28 +649,34 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
parameters.setAssertionInfoMap(aim);
parameters.setMessage(msg);
parameters.setSoapBody(soapBody);
- parameters.setResults(results.getResults());
+ parameters.setResults(results);
parameters.setSignedResults(signedResults);
parameters.setEncryptedResults(encryptResults);
parameters.setUtWithCallbacks(utWithCallbacks);
- final List<Integer> utActions = new ArrayList<>(2);
- utActions.add(WSConstants.UT);
- utActions.add(WSConstants.UT_NOPASSWORD);
- List<WSSecurityEngineResult> utResults =
- WSSecurityUtil.fetchAllActionResults(results.getResults(), utActions);
+ List<WSSecurityEngineResult> utResults = new ArrayList<>();
+ if (results.getActionResults().containsKey(WSConstants.UT)) {
+ utResults.addAll(results.getActionResults().get(WSConstants.UT));
+ }
+ if (results.getActionResults().containsKey(WSConstants.UT_NOPASSWORD)) {
+ utResults.addAll(results.getActionResults().get(WSConstants.UT_NOPASSWORD));
+ }
parameters.setUsernameTokenResults(utResults);
- final List<Integer> samlActions = new ArrayList<>(2);
- samlActions.add(WSConstants.ST_SIGNED);
- samlActions.add(WSConstants.ST_UNSIGNED);
- List<WSSecurityEngineResult> samlResults =
- WSSecurityUtil.fetchAllActionResults(results.getResults(), samlActions);
+ List<WSSecurityEngineResult> samlResults = new ArrayList<>();
+ if (results.getActionResults().containsKey(WSConstants.ST_SIGNED)) {
+ samlResults.addAll(results.getActionResults().get(WSConstants.ST_SIGNED));
+ }
+ if (results.getActionResults().containsKey(WSConstants.ST_UNSIGNED)) {
+ samlResults.addAll(results.getActionResults().get(WSConstants.ST_UNSIGNED));
+ }
parameters.setSamlResults(samlResults);
// Store the timestamp element
- WSSecurityEngineResult tsResult =
- WSSecurityUtil.fetchActionResult(results.getResults(), WSConstants.TS);
+ WSSecurityEngineResult tsResult = null;
+ if (results.getActionResults().containsKey(WSConstants.TS)) {
+ tsResult = results.getActionResults().get(WSConstants.TS).get(0);
+ }
Element timestamp = null;
if (tsResult != null) {
Timestamp ts = (Timestamp)tsResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index aa4794b..78a7647 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -282,7 +282,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
if (!(wsResult.getResults() == null || wsResult.getResults().isEmpty())) {
// security header found
if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
- checkSignatureConfirmation(reqData, wsResult.getResults());
+ checkSignatureConfirmation(reqData, wsResult);
}
checkActions(msg, reqData, wsResult.getResults(), actions, SAAJUtils.getBody(doc));
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 8b902a0..a866496 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -2093,13 +2093,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
* signature results in the signatureActions list
*/
List<WSSecurityEngineResult> signatureActions = new ArrayList<>();
- final List<Integer> signedActions = new ArrayList<>(2);
- signedActions.add(WSConstants.SIGN);
- signedActions.add(WSConstants.UT_SIGN);
for (WSHandlerResult wshResult : results) {
- signatureActions.addAll(
- WSSecurityUtil.fetchAllActionResults(wshResult.getResults(), signedActions)
- );
+ if (wshResult.getActionResults().containsKey(WSConstants.SIGN)) {
+ signatureActions.addAll(wshResult.getActionResults().get(WSConstants.SIGN));
+ }
+ if (wshResult.getActionResults().containsKey(WSConstants.UT_SIGN)) {
+ signatureActions.addAll(wshResult.getActionResults().get(WSConstants.UT_SIGN));
+ }
}
sigConfList = new ArrayList<>();
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index 5dda038..d79470f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
@@ -26,7 +26,6 @@ import java.util.List;
import javax.xml.namespace.QName;
import org.w3c.dom.Element;
-
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
@@ -41,8 +40,8 @@ import org.apache.wss4j.common.token.X509Security;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.Timestamp;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding.ProtectionOrder;
@@ -72,18 +71,18 @@ public abstract class AbstractBindingPolicyValidator implements SecurityPolicyVa
protected boolean validateTimestamp(
boolean includeTimestamp,
boolean transportBinding,
- List<WSSecurityEngineResult> results,
+ WSHandlerResult results,
List<WSSecurityEngineResult> signedResults,
Message message
) {
List<WSSecurityEngineResult> timestampResults =
- WSSecurityUtil.fetchAllActionResults(results, WSConstants.TS);
+ results.getActionResults().get(WSConstants.TS);
// Check whether we received a timestamp and compare it to the policy
- if (includeTimestamp && timestampResults.size() != 1) {
+ if (includeTimestamp && (timestampResults == null || timestampResults.size() != 1)) {
return false;
} else if (!includeTimestamp) {
- if (timestampResults.isEmpty()) {
+ if (timestampResults == null || timestampResults.isEmpty()) {
return true;
}
return false;
@@ -154,7 +153,7 @@ public abstract class AbstractBindingPolicyValidator implements SecurityPolicyVa
AbstractSymmetricAsymmetricBinding binding,
AssertionInfo ai,
AssertionInfoMap aim,
- List<WSSecurityEngineResult> results,
+ WSHandlerResult results,
List<WSSecurityEngineResult> signedResults,
Message message
) {
@@ -177,7 +176,7 @@ public abstract class AbstractBindingPolicyValidator implements SecurityPolicyVa
PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
// Check whether the signatures were encrypted or not
- if (binding.isEncryptSignature() && !isSignatureEncrypted(results)) {
+ if (binding.isEncryptSignature() && !isSignatureEncrypted(results.getResults())) {
ai.setNotAsserted("The signature is not protected");
return false;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index f74b2db..74cf2c0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -114,7 +114,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
if (secret != null) {
WSSecurityEngineResult dktResult =
- getMatchingDerivedKey(secret, parameters.getResults());
+ getMatchingDerivedKey(secret, parameters.getResults().getResults());
if (dktResult != null) {
tokenResults.add(dktResult);
}
@@ -174,7 +174,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
*/
protected boolean processKerberosTokens(PolicyValidatorParameters parameters, boolean derived) {
List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
- for (WSSecurityEngineResult wser : parameters.getResults()) {
+ for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
if (actInt.intValue() == WSConstants.BST) {
BinarySecurity binarySecurity =
@@ -204,7 +204,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
for (WSSecurityEngineResult wser : tokenResults) {
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
WSSecurityEngineResult dktResult =
- getMatchingDerivedKey(secret, parameters.getResults());
+ getMatchingDerivedKey(secret, parameters.getResults().getResults());
if (dktResult != null) {
dktResults.add(dktResult);
}
@@ -232,7 +232,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
*/
protected boolean processX509Tokens(PolicyValidatorParameters parameters, boolean derived) {
List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
- for (WSSecurityEngineResult wser : parameters.getResults()) {
+ for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
if (actInt.intValue() == WSConstants.BST) {
BinarySecurity binarySecurity =
@@ -262,7 +262,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
for (WSSecurityEngineResult wser : tokenResults) {
WSSecurityEngineResult resultToStore =
- processX509DerivedTokenResult(wser, parameters.getResults());
+ processX509DerivedTokenResult(wser, parameters.getResults().getResults());
if (resultToStore != null) {
dktResults.add(resultToStore);
}
@@ -360,7 +360,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
*/
protected boolean processSCTokens(PolicyValidatorParameters parameters, boolean derived) {
List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
- for (WSSecurityEngineResult wser : parameters.getResults()) {
+ for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
if (actInt.intValue() == WSConstants.SCT) {
tokenResults.add(wser);
@@ -385,7 +385,8 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
for (WSSecurityEngineResult wser : tokenResults) {
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
- WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret, parameters.getResults());
+ WSSecurityEngineResult dktResult =
+ getMatchingDerivedKey(secret, parameters.getResults().getResults());
if (dktResult != null) {
dktResults.add(dktResult);
}
@@ -859,12 +860,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
for (WSSecurityEngineResult result : encryptedResults) {
List<WSDataRef> dataRefs =
CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
- if (dataRefs == null) {
- return false;
- }
- for (WSDataRef dataRef : dataRefs) {
- if (token == dataRef.getProtectedElement()) {
- return true;
+ if (dataRefs != null) {
+ for (WSDataRef dataRef : dataRefs) {
+ if (token == dataRef.getProtectedElement()) {
+ return true;
+ }
}
}
}
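Review bot: The change from `return false` on a null `dataRefs` to skipping that result alters the outcome of the encrypted-token check, and neither the code nor the commit message says why. A comment above the `if` would record it, for example `// No data references on this result: it cannot cover the token, so try the next one`. The enclosing method starts and ends outside the hunk, so the return for the no-match case is not visible here.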
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index b8ca765..706e0a5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -35,6 +35,7 @@ import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.transform.STRTransform;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
@@ -87,10 +88,10 @@ public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidat
}
private boolean validatePolicy(
- AssertionInfo ai, AlgorithmSuite algorithmPolicy, List<WSSecurityEngineResult> results
+ AssertionInfo ai, AlgorithmSuite algorithmPolicy, WSHandlerResult results
) {
boolean success = true;
- for (WSSecurityEngineResult result : results) {
+ for (WSSecurityEngineResult result : results.getResults()) {
Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
if (WSConstants.SIGN == actInt
&& !checkSignatureAlgorithms(result, algorithmPolicy, ai)) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
index 3bd9eac..2c12a30 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
@@ -61,21 +61,16 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
- boolean hasDerivedKeys = false;
- for (WSSecurityEngineResult result : parameters.getResults()) {
- Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.DKT) {
- hasDerivedKeys = true;
- break;
- }
- }
+ boolean hasDerivedKeys =
+ parameters.getResults().getActionResults().containsKey(WSConstants.DKT);
for (AssertionInfo ai : ais) {
AsymmetricBinding binding = (AsymmetricBinding)ai.getAssertion();
ai.setAsserted(true);
// Check the protection order
- if (!checkProtectionOrder(binding, parameters.getAssertionInfoMap(), ai, parameters.getResults())) {
+ if (!checkProtectionOrder(binding, parameters.getAssertionInfoMap(), ai,
+ parameters.getResults().getResults())) {
continue;
}
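Review bot: `containsKey(WSConstants.DKT)` on the new `hasDerivedKeys` line is true for any DKT entry in the action-results map, including one whose list is empty, whereas the other validators changed in this commit treat a null or empty list as "no results" (for example `sctResults == null || sctResults.isEmpty()`). Whether WSHandlerResult can ever hold an empty list under a key is not visible here, so the two may be equivalent in practice. If that is not guaranteed, fetch the list with `parameters.getResults().getActionResults().get(WSConstants.DKT)` and set `hasDerivedKeys = dktResults != null && !dktResults.isEmpty();`. The same line is added in SymmetricBindingPolicyValidator, and validatePolicies continues past the end of this hunk.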
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
index 3335d88..dcac606 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
@@ -22,7 +22,6 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
-import java.util.Collections;
import java.util.List;
import javax.xml.namespace.QName;
@@ -41,7 +40,6 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
@@ -90,8 +88,7 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
}
List<WSSecurityEngineResult> bstResults =
- WSSecurityUtil.fetchAllActionResults(parameters.getResults(),
- Collections.singletonList(WSConstants.BST));
+ parameters.getResults().getActionResults().get(WSConstants.BST);
if (bstResults != null) {
for (WSSecurityEngineResult bstResult : bstResults) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
index f7710fb..6c05801 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
@@ -68,7 +68,8 @@ public class KerberosTokenPolicyValidator extends AbstractSecurityPolicyValidato
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
- List<WSSecurityEngineResult> kerberosResults = findKerberosResults(parameters.getResults());
+ List<WSSecurityEngineResult> kerberosResults =
+ findKerberosResults(parameters.getResults().getResults());
for (WSSecurityEngineResult kerberosResult : kerberosResults) {
KerberosSecurity kerberosToken =
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
index a0b1b4b..b74025a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
@@ -75,7 +75,8 @@ public class LayoutPolicyValidator extends AbstractSecurityPolicyValidator {
ai.setAsserted(true);
assertToken(layout, parameters.getAssertionInfoMap());
- if (!validatePolicy(layout, parameters.getResults(), parameters.getSignedResults())) {
+ if (!validatePolicy(layout, parameters.getResults().getResults(),
+ parameters.getSignedResults())) {
String error = "Layout does not match the requirements";
ai.setNotAsserted(error);
}
@@ -119,7 +120,7 @@ public class LayoutPolicyValidator extends AbstractSecurityPolicyValidator {
}
} else if (strict && (!validateStrictSignaturePlacement(results, signedResults)
|| !validateStrictSignatureTokenPlacement(results)
- || !checkSignatureIsSignedPlacement(signedResults))) {
+ || !checkSignatureIsSignedPlacement(results, signedResults))) {
return false;
}
@@ -184,9 +185,11 @@ public class LayoutPolicyValidator extends AbstractSecurityPolicyValidator {
return true;
}
- private boolean checkSignatureIsSignedPlacement(List<WSSecurityEngineResult> signedResults) {
- for (int i = 0; i < signedResults.size(); i++) {
- WSSecurityEngineResult signedResult = signedResults.get(i);
+ private boolean checkSignatureIsSignedPlacement(
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
+ ) {
+ for (WSSecurityEngineResult signedResult : signedResults) {
List<WSDataRef> sl =
CastUtils.cast((List<?>)signedResult.get(
WSSecurityEngineResult.TAG_DATA_REF_URIS
@@ -196,21 +199,9 @@ public class LayoutPolicyValidator extends AbstractSecurityPolicyValidator {
QName signedQName = dataRef.getName();
if (WSSecurityEngine.SIGNATURE.equals(signedQName)) {
Element protectedElement = dataRef.getProtectedElement();
- boolean endorsingSigFound = false;
- // Results are stored in reverse order
- for (WSSecurityEngineResult result : signedResults) {
- if (result == signedResult) {
- endorsingSigFound = true;
- }
- Element resultElement =
- (Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
- if (resultElement == protectedElement) {
- if (endorsingSigFound) {
- break;
- } else {
- return false;
- }
- }
+ if (!isEndorsingSignatureInCorrectPlace(results, signedResult,
+ protectedElement)) {
+ return false;
}
}
}
@@ -219,6 +210,30 @@ public class LayoutPolicyValidator extends AbstractSecurityPolicyValidator {
return true;
}
+ private boolean isEndorsingSignatureInCorrectPlace(List<WSSecurityEngineResult> results,
+ WSSecurityEngineResult signedResult,
+ Element protectedElement) {
+ boolean endorsingSigFound = false;
+ // Results are stored in reverse order
+ for (WSSecurityEngineResult result : results) {
+ Integer action = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+ if (WSConstants.SIGN == action || WSConstants.ST_SIGNED == action
+ || WSConstants.UT_SIGN == action) {
+ if (result == signedResult) {
+ endorsingSigFound = true;
+ }
+ Element resultElement =
+ (Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+ if (endorsingSigFound && resultElement == protectedElement) {
+ return true;
+ } else if (resultElement == protectedElement) {
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
/**
* Find the index of the token corresponding to either the X509Certificate or PublicKey used
* to sign the "signatureResult" argument.
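Review bot: The new `isEndorsingSignatureInCorrectPlace` ends with `return true`, so when no SIGN / ST_SIGNED / UT_SIGN entry in `results` has `protectedElement` as its token element, the strict-layout check passes by default. If that fall-through is intended it deserves a comment such as `// protected Signature not among the processed results: nothing to order against`; if not, returning false there would make the check fail closed. The method also matches `result == signedResult` by identity, which presumably requires `signedResults` to hold the same instances as `results`; a short Javadoc stating that assumption and the reverse-order convention would help the next reader. Separately, `WSConstants.SIGN == action` unboxes `action`, so a result without TAG_ACTION would throw rather than be skipped.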
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java
index 24f3d13..5c032e5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java
@@ -22,10 +22,10 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
import java.util.List;
import org.w3c.dom.Element;
-
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
/**
* Holds various parameters to the policy validators
@@ -34,7 +34,7 @@ public class PolicyValidatorParameters {
private AssertionInfoMap assertionInfoMap;
private Message message;
private Element soapBody;
- private List<WSSecurityEngineResult> results;
+ private WSHandlerResult results;
private List<WSSecurityEngineResult> signedResults;
private List<WSSecurityEngineResult> encryptedResults;
private List<WSSecurityEngineResult> usernameTokenResults;
@@ -58,11 +58,11 @@ public class PolicyValidatorParameters {
this.soapBody = soapBody;
}
- public List<WSSecurityEngineResult> getResults() {
+ public WSHandlerResult getResults() {
return results;
}
- public void setResults(List<WSSecurityEngineResult> results) {
+ public void setResults(WSHandlerResult results) {
this.results = results;
}
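Review bot: `getResults()` now returns the WSHandlerResult wrapper, which produces the doubled `parameters.getResults().getResults()` at the Asymmetric, Symmetric, Kerberos and Layout call sites in this commit, and the accessor has no Javadoc saying which view is which. I would document it on the getter, for example `/** The WSHandlerResult for the message: getResults() is the flat result list, getActionResults() the per-action map. */`. The null checks added in the other validators suggest that a missing action maps to null, which is worth stating in the same comment if that is the contract.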
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
index 2b58882..9c6444e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
@@ -27,7 +27,6 @@ import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.model.SecurityContextToken;
@@ -56,7 +55,7 @@ public class SecurityContextTokenPolicyValidator extends AbstractSecurityPolicyV
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
List<WSSecurityEngineResult> sctResults =
- WSSecurityUtil.fetchAllActionResults(parameters.getResults(), WSConstants.SCT);
+ parameters.getResults().getActionResults().get(WSConstants.SCT);
for (AssertionInfo ai : ais) {
SecurityContextToken sctPolicy = (SecurityContextToken)ai.getAssertion();
@@ -67,7 +66,7 @@ public class SecurityContextTokenPolicyValidator extends AbstractSecurityPolicyV
continue;
}
- if (sctResults.isEmpty()) {
+ if (sctResults == null || sctResults.isEmpty()) {
ai.setNotAsserted(
"The received token does not match the token inclusion requirement"
);
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
index 2c6d355..08b1699 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
@@ -59,21 +59,16 @@ public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValida
* Validate policies.
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
- boolean hasDerivedKeys = false;
- for (WSSecurityEngineResult result : parameters.getResults()) {
- Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.DKT) {
- hasDerivedKeys = true;
- break;
- }
- }
+ boolean hasDerivedKeys =
+ parameters.getResults().getActionResults().containsKey(WSConstants.DKT);
for (AssertionInfo ai : ais) {
SymmetricBinding binding = (SymmetricBinding)ai.getAssertion();
ai.setAsserted(true);
// Check the protection order
- if (!checkProtectionOrder(binding, parameters.getAssertionInfoMap(), ai, parameters.getResults())) {
+ if (!checkProtectionOrder(binding, parameters.getAssertionInfoMap(), ai,
+ parameters.getResults().getResults())) {
continue;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
index 68c54c5..14e4180 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
@@ -30,7 +30,6 @@ import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
@@ -60,7 +59,7 @@ public class WSS11PolicyValidator extends AbstractSecurityPolicyValidator {
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
List<WSSecurityEngineResult> scResults =
- WSSecurityUtil.fetchAllActionResults(parameters.getResults(), WSConstants.SC);
+ parameters.getResults().getActionResults().get(WSConstants.SC);
for (AssertionInfo ai : ais) {
Wss11 wss11 = (Wss11)ai.getAssertion();
@@ -71,8 +70,8 @@ public class WSS11PolicyValidator extends AbstractSecurityPolicyValidator {
continue;
}
- if ((wss11.isRequireSignatureConfirmation() && scResults.isEmpty())
- || (!wss11.isRequireSignatureConfirmation() && !scResults.isEmpty())) {
+ if ((wss11.isRequireSignatureConfirmation() && (scResults == null || scResults.isEmpty()))
+ || (!wss11.isRequireSignatureConfirmation() && !(scResults == null || scResults.isEmpty()))) {
ai.setNotAsserted(
"Signature Confirmation policy validation failed"
);
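Review bot: The rewritten condition spells out the null-or-empty test twice and is hard to read at this width; it is true exactly when "confirmation required" equals "no confirmation results present". Computing the test once makes that explicit: `boolean noScResults = scResults == null || scResults.isEmpty();` followed by `if (wss11.isRequireSignatureConfirmation() == noScResults) {`. The loop body this condition sits in starts and ends outside the hunk.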
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
index f3d9195..20ffd2a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
@@ -41,7 +41,6 @@ import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.str.STRParser;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
@@ -77,7 +76,7 @@ public class X509TokenPolicyValidator extends AbstractSecurityPolicyValidator {
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
List<WSSecurityEngineResult> bstResults =
- WSSecurityUtil.fetchAllActionResults(parameters.getResults(), WSConstants.BST);
+ parameters.getResults().getActionResults().get(WSConstants.BST);
for (AssertionInfo ai : ais) {
X509Token x509TokenPolicy = (X509Token)ai.getAssertion();
@@ -88,7 +87,7 @@ public class X509TokenPolicyValidator extends AbstractSecurityPolicyValidator {
continue;
}
- if (bstResults.isEmpty() && parameters.getSignedResults().isEmpty()) {
+ if ((bstResults == null || bstResults.isEmpty()) && parameters.getSignedResults().isEmpty()) {
ai.setNotAsserted(
"The received token does not match the token inclusion requirement"
);
@@ -134,7 +133,7 @@ public class X509TokenPolicyValidator extends AbstractSecurityPolicyValidator {
List<WSSecurityEngineResult> bstResults,
List<WSSecurityEngineResult> signedResults
) {
- if (bstResults.isEmpty() && signedResults.isEmpty()) {
+ if ((bstResults == null || bstResults.isEmpty()) && signedResults.isEmpty()) {
return false;
}
@@ -148,16 +147,15 @@ public class X509TokenPolicyValidator extends AbstractSecurityPolicyValidator {
v3certRequired = true;
}
- for (WSSecurityEngineResult result : bstResults) {
- BinarySecurity binarySecurityToken =
- (BinarySecurity)result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- if (binarySecurityToken != null) {
- String type = binarySecurityToken.getValueType();
- if (requiredType.equals(type)) {
+ if (bstResults != null) {
+ for (WSSecurityEngineResult result : bstResults) {
+ BinarySecurity binarySecurityToken =
+ (BinarySecurity)result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ if (binarySecurityToken != null && requiredType.equals(binarySecurityToken.getValueType())) {
if (v3certRequired && binarySecurityToken instanceof X509Security) {
try {
X509Certificate cert =
- ((X509Security)binarySecurityToken).getX509Certificate(null);
+ ((X509Security)binarySecurityToken).getX509Certificate(null);
if (cert != null && cert.getVersion() == 3) {
return true;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
index 2a36ab9..45d7277 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
@@ -73,7 +73,6 @@ import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.model.AsymmetricBinding;
@@ -437,8 +436,8 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest {
assertTrue(results != null && results.size() == 1);
List<WSSecurityEngineResult> signatureResults =
- WSSecurityUtil.fetchAllActionResults(results.get(0).getResults(), WSConstants.SIGN);
- assertTrue(!signatureResults.isEmpty());
+ results.get(0).getActionResults().get(WSConstants.SIGN);
+ assertTrue(!(signatureResults == null || signatureResults.isEmpty()));
}
protected void verifyWss4jEncResults(SoapMessage inmsg) {
@@ -451,16 +450,22 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest {
assertSame(handlerResults.size(), 1);
final List<WSSecurityEngineResult> protectionResults =
- WSSecurityUtil.fetchAllActionResults(handlerResults.get(0).getResults(), WSConstants.ENCR);
+ handlerResults.get(0).getActionResults().get(WSConstants.ENCR);
assertNotNull(protectionResults);
//
// This result should contain a reference to the decrypted element
//
- final Map<String, Object> result = protectionResults.get(0);
- final List<WSDataRef> protectedElements =
- CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
- assertNotNull(protectedElements);
+ boolean foundReferenceList = false;
+ for (Map<String, Object> result : protectionResults) {
+ final List<WSDataRef> protectedElements =
+ CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ if (protectedElements != null) {
+ foundReferenceList = true;
+ break;
+ }
+ }
+ assertTrue(foundReferenceList);
}
// TODO: This method can be removed when runOutInterceptorAndValidateAsymmetricBinding
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java
index b820be0..7dfc971 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java
@@ -39,6 +39,7 @@ public class CustomProcessor implements Processor {
final WSSecurityEngineResult result =
new WSSecurityEngineResult(WSConstants.SIGN);
result.put("foo", this);
+ wsDocInfo.addResult(result);
return java.util.Collections.singletonList(result);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityActionTokenTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityActionTokenTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityActionTokenTest.java
index 43d9dd3..6540449 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityActionTokenTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityActionTokenTest.java
@@ -53,7 +53,6 @@ import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.HandlerAction;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.junit.Test;
@@ -70,11 +69,11 @@ public class SecurityActionTokenTest extends AbstractSecurityTest {
List<HandlerAction> actions =
Collections.singletonList(new HandlerAction(WSConstants.SIGN, actionToken));
- Map<String, Object> outProperties = new HashMap<String, Object>();
+ Map<String, Object> outProperties = new HashMap<>();
outProperties.put(WSHandlerConstants.HANDLER_ACTIONS, actions);
outProperties.put(WSHandlerConstants.PW_CALLBACK_REF, new TestPwdCallback());
- Map<String, String> inProperties = new HashMap<String, String>();
+ Map<String, String> inProperties = new HashMap<>();
inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
inProperties.put(WSHandlerConstants.SIG_VER_PROP_FILE, "insecurity.properties");
@@ -85,7 +84,7 @@ public class SecurityActionTokenTest extends AbstractSecurityTest {
List<WSHandlerResult> handlerResults =
getResults(makeInvocation(outProperties, xpaths, inProperties));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.SIGN);
+ handlerResults.get(0).getActionResults().get(WSConstants.SIGN).get(0);
X509Certificate certificate =
(X509Certificate) actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
index c07ab6c..d298905 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
@@ -61,7 +61,6 @@ import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.junit.Test;
@@ -109,7 +108,7 @@ public class WSS4JInOutTest extends AbstractSecurityTest {
List<WSHandlerResult> handlerResults =
getResults(makeInvocation(outProperties, xpaths, inProperties));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.SIGN);
+ handlerResults.get(0).getActionResults().get(WSConstants.SIGN).get(0);
X509Certificate certificate =
(X509Certificate) actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
@@ -137,7 +136,7 @@ public class WSS4JInOutTest extends AbstractSecurityTest {
List<WSHandlerResult> handlerResults =
getResults(makeInvocation(outProperties, xpaths, inProperties));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.SIGN);
+ handlerResults.get(0).getActionResults().get(WSConstants.SIGN).get(0);
X509Certificate certificate =
(X509Certificate) actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
@@ -342,8 +341,8 @@ public class WSS4JInOutTest extends AbstractSecurityTest {
List<WSHandlerResult> results = getResults(inmsg);
assertTrue(results != null && results.size() == 1);
List<WSSecurityEngineResult> signatureResults =
- WSSecurityUtil.fetchAllActionResults(results.get(0).getResults(), WSConstants.SIGN);
- assertTrue(signatureResults.size() == 0);
+ results.get(0).getActionResults().get(WSConstants.SIGN);
+ assertTrue(signatureResults == null || signatureResults.size() == 0);
}
@Test
@@ -416,7 +415,7 @@ public class WSS4JInOutTest extends AbstractSecurityTest {
List<WSHandlerResult> results = getResults(inmsg);
assertTrue(results != null && results.size() == 1);
List<WSSecurityEngineResult> signatureResults =
- WSSecurityUtil.fetchAllActionResults(results.get(0).getResults(), WSConstants.SIGN);
+ results.get(0).getActionResults().get(WSConstants.SIGN);
assertTrue(signatureResults.size() == 1);
Object obj = signatureResults.get(0).get("foo");
@@ -447,7 +446,7 @@ public class WSS4JInOutTest extends AbstractSecurityTest {
List<WSHandlerResult> handlerResults =
getResults(makeInvocation(outProperties, xpaths, inProperties));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.SIGN);
+ handlerResults.get(0).getActionResults().get(WSConstants.SIGN).get(0);
X509Certificate[] certificates =
(X509Certificate[]) actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
index 1e021ea..6103b6e 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
@@ -62,7 +62,6 @@ import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.junit.Test;
/**
@@ -119,7 +118,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
+ handlerResults.get(0).getActionResults().get(WSConstants.ST_UNSIGNED).get(0);
SamlAssertionWrapper receivedAssertion =
(SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(receivedAssertion != null && receivedAssertion.getSaml1() != null);
@@ -164,7 +163,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
+ handlerResults.get(0).getActionResults().get(WSConstants.ST_UNSIGNED).get(0);
SamlAssertionWrapper receivedAssertion =
(SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(receivedAssertion != null && receivedAssertion.getSaml1() != null);
@@ -204,7 +203,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
+ handlerResults.get(0).getActionResults().get(WSConstants.ST_UNSIGNED).get(0);
SamlAssertionWrapper receivedAssertion =
(SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
@@ -249,7 +248,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
+ handlerResults.get(0).getActionResults().get(WSConstants.ST_UNSIGNED).get(0);
SamlAssertionWrapper receivedAssertion =
(SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
@@ -305,14 +304,13 @@ public class SamlTokenTest extends AbstractSecurityTest {
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
+ handlerResults.get(0).getActionResults().get(WSConstants.ST_SIGNED).get(0);
SamlAssertionWrapper receivedAssertion =
(SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(receivedAssertion != null && receivedAssertion.getSaml1() != null);
assert receivedAssertion.isSigned();
- actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.SIGN);
+ actionResult = handlerResults.get(0).getActionResults().get(WSConstants.SIGN).get(0);
assertTrue(actionResult != null);
}
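Review bot: After this change `assertTrue(actionResult != null)` can no longer fail in a useful way: if no SIGN result was recorded, `getActionResults().get(WSConstants.SIGN)` is null and `.get(0)` throws before the assertion runs, and otherwise the element is presumably non-null. Asserting on the list keeps the intent (a signature was actually processed) and gives a readable failure: `List<WSSecurityEngineResult> signResults = handlerResults.get(0).getActionResults().get(WSConstants.SIGN);` then `assertTrue(signResults != null && !signResults.isEmpty());`. The same pair of lines appears in the next hunk (the SAML 2 variant). The test method starts outside this hunk.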
@@ -372,14 +370,13 @@ public class SamlTokenTest extends AbstractSecurityTest {
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
+ handlerResults.get(0).getActionResults().get(WSConstants.ST_SIGNED).get(0);
SamlAssertionWrapper receivedAssertion =
(SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
assert receivedAssertion.isSigned();
- actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.SIGN);
+ actionResult = handlerResults.get(0).getActionResults().get(WSConstants.SIGN).get(0);
assertTrue(actionResult != null);
}
@@ -436,7 +433,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
assertTrue(sc.isUserInRole("admin"));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
+ handlerResults.get(0).getActionResults().get(WSConstants.ST_SIGNED).get(0);
SamlAssertionWrapper receivedAssertion =
(SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
@@ -496,7 +493,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
assertTrue(sc.isUserInRole("admin"));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
+ handlerResults.get(0).getActionResults().get(WSConstants.ST_SIGNED).get(0);
SamlAssertionWrapper receivedAssertion =
(SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
@@ -555,7 +552,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
assertTrue(sc.isUserInRole("admin"));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
+ handlerResults.get(0).getActionResults().get(WSConstants.ST_SIGNED).get(0);
SamlAssertionWrapper receivedAssertion =
(SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(receivedAssertion != null && receivedAssertion.getSaml1() != null);
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
index 0ee5a6c..5837b71 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
@@ -543,11 +543,10 @@ public abstract class AbstractOperation {
// DOM
if (results != null) {
for (WSHandlerResult rResult : results) {
- List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- int wserAction =
- ((java.lang.Integer)wser.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
- if (wserAction == WSConstants.SIGN) {
+ List<WSSecurityEngineResult> signedResults =
+ rResult.getActionResults().get(WSConstants.SIGN);
+ if (signedResults != null) {
+ for (WSSecurityEngineResult wser : signedResults) {
X509Certificate cert =
(X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
if (cert != null) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
index 7d146f7..e8685db 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
@@ -156,17 +156,17 @@ public class SCTCanceller implements TokenCanceller {
if (handlerResults != null && handlerResults.size() > 0) {
WSHandlerResult handlerResult = handlerResults.get(0);
- List<WSSecurityEngineResult> engineResults = handlerResult.getResults();
+ List<WSSecurityEngineResult> signedResults =
+ handlerResult.getActionResults().get(WSConstants.SIGN);
- for (WSSecurityEngineResult engineResult : engineResults) {
- Integer action = (Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION);
- if (action.equals(WSConstants.SIGN)) {
+ if (signedResults != null) {
+ for (WSSecurityEngineResult engineResult : signedResults) {
byte[] receivedKey = (byte[])engineResult.get(WSSecurityEngineResult.TAG_SECRET);
if (Arrays.equals(secretToMatch, receivedKey)) {
LOG.log(
- Level.FINE,
- "Verification of the proof of possession of the key associated with "
- + "the security context successful."
+ Level.FINE,
+ "Verification of the proof of possession of the key associated with "
+ + "the security context successful."
);
return true;
}
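Review bot: `Arrays.equals(secretToMatch, receivedKey)` returns true when both arrays are null, so a signature result with no `TAG_SECRET` would pass this proof-of-possession check if `secretToMatch` can also be null. Where `secretToMatch` comes from is outside this hunk, so that needs confirming. Rejecting nulls explicitly and comparing key material in constant time covers both cases: `if (secretToMatch != null && receivedKey != null && MessageDigest.isEqual(secretToMatch, receivedKey)) {`. That requires importing `java.security.MessageDigest`; the file's import block is not part of this hunk, and the enclosing method starts and ends outside it.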
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
index ea6b016..7325520 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
@@ -67,7 +67,6 @@ import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.saml.DOMSAMLUtil;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.xml.security.stax.impl.util.IDGenerator;
import org.joda.time.DateTime;
import org.opensaml.saml.common.SAMLVersion;
@@ -555,12 +554,13 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
List<WSSecurityEngineResult> signedResults = new ArrayList<>();
if (handlerResults != null && handlerResults.size() > 0) {
WSHandlerResult handlerResult = handlerResults.get(0);
- List<WSSecurityEngineResult> results = handlerResult.getResults();
- final List<Integer> signedActions = new ArrayList<>(2);
- signedActions.add(WSConstants.SIGN);
- signedActions.add(WSConstants.UT_SIGN);
- signedResults.addAll(WSSecurityUtil.fetchAllActionResults(results, signedActions));
+ if (handlerResult.getActionResults().containsKey(WSConstants.SIGN)) {
+ signedResults.addAll(handlerResult.getActionResults().get(WSConstants.SIGN));
+ }
+ if (handlerResult.getActionResults().containsKey(WSConstants.UT_SIGN)) {
+ signedResults.addAll(handlerResult.getActionResults().get(WSConstants.UT_SIGN));
+ }
}
TLSSessionInfo tlsInfo = (TLSSessionInfo)messageContext.get(TLSSessionInfo.class.getName());
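Review bot: The two `containsKey`/`get` pairs look each action up twice and call `getActionResults()` four times, and `addAll` would throw a NullPointerException if a key were present with a null list. The AbstractOperation and SCTCanceller hunks in this commit fetch the list once and null-check it; the same form here would be consistent and avoid the double lookup. For example, `List<WSSecurityEngineResult> sign = handlerResult.getActionResults().get(WSConstants.SIGN);` then `if (sign != null) { signedResults.addAll(sign); }`, and likewise for `WSConstants.UT_SIGN`. The enclosing method continues outside the hunk.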
http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/DoubleItPortTypeImpl.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/DoubleItPortTypeImpl.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/DoubleItPortTypeImpl.java
index 270a8f7..9b995b7 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/DoubleItPortTypeImpl.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/DoubleItPortTypeImpl.java
@@ -32,7 +32,6 @@ import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.example.contract.doubleit.DoubleItPortType;
import org.junit.Assert;
@@ -53,7 +52,7 @@ public class DoubleItPortTypeImpl implements DoubleItPortType {
final List<WSHandlerResult> handlerResults =
CastUtils.cast((List<?>)context.get(WSHandlerConstants.RECV_RESULTS));
WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.UT);
+ handlerResults.get(0).getActionResults().get(WSConstants.UT).get(0);
SamlAssertionWrapper assertion =
(SamlAssertionWrapper)actionResult.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
Assert.assertTrue(assertion != null && "DoubleItSTSIssuer".equals(assertion.getIssuerString()));