Posted to dev@cxf.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2012/02/20 11:06:06 UTC
Re: svn commit: r1291166 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/ r
Hi Freeman,
I'm -1 to the way you are configuring this patch. WSS10 and WSS11 are
standard policies defined in the WS-SP 1.3 spec, and so it's not a
good idea to add a custom policy for these.
The best way to configure it is to define a (boolean) tag in
SecurityConstants so that it can be set as a JAX-WS property.
Colm.
On Mon, Feb 20, 2012 at 9:51 AM, <ff...@apache.org> wrote:
> Author: ffang
> Date: Mon Feb 20 09:51:20 2012
> New Revision: 1291166
>
> URL: http://svn.apache.org/viewvc?rev=1291166&view=rev
> Log:
> [CXF-4119] Support certificate revocation checking before encryption when using CXF WS-SecurityPolicy
>
> Added:
> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks (with props)
> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks (with props)
> Modified:
> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
> cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
> cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
>
> Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
> URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1291166&r1=1291165&r2=1291166&view=diff
> ==============================================================================
> --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java (original)
> +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java Mon Feb 20 09:51:20 2012
> @@ -386,6 +386,8 @@ public abstract class SPConstants {
>
> public static final String MUST_SUPPORT_ISSUED_TOKENS = "MustSupportIssuedTokens";
>
> + public static final String ENABLE_REVOCATION = "EnableRevocation";
> +
> public static final String REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION
> = "RequireRequestSecurityTokenCollection";
>
>
> Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
> URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java?rev=1291166&r1=1291165&r2=1291166&view=diff
> ==============================================================================
> --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java (original)
> +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java Mon Feb 20 09:51:20 2012
> @@ -65,6 +65,8 @@ public class WSS10Builder implements Ass
> parent.setMustSupportRefExternalURI(true);
> } else if (SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN.equals(name)) {
> parent.setMustSupportRefEmbeddedToken(true);
> + } else if (SPConstants.ENABLE_REVOCATION.equals(name)) {
> + parent.setEnableRevocation(true);
> }
> child = DOMUtils.getNextElement(child);
> }
>
> Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
> URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java?rev=1291166&r1=1291165&r2=1291166&view=diff
> ==============================================================================
> --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java (original)
> +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java Mon Feb 20 09:51:20 2012
> @@ -75,6 +75,8 @@ public class WSS11Builder implements Ass
>
> } else if (SPConstants.REQUIRE_SIGNATURE_CONFIRMATION.equals(name)) {
> parent.setRequireSignatureConfirmation(true);
> + } else if (SPConstants.ENABLE_REVOCATION.equals(name)) {
> + parent.setEnableRevocation(true);
> }
> child = DOMUtils.getNextElement(child);
> }
>
> Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
> URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java?rev=1291166&r1=1291165&r2=1291166&view=diff
> ==============================================================================
> --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java (original)
> +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java Mon Feb 20 09:51:20 2012
> @@ -31,6 +31,7 @@ public class Wss10 extends AbstractSecur
> private boolean mustSupportRefIssuerSerial;
> private boolean mustSupportRefExternalURI;
> private boolean mustSupportRefEmbeddedToken;
> + private boolean enableRevocation;
>
> public Wss10(SPConstants version) {
> super(version);
> @@ -91,6 +92,20 @@ public class Wss10 extends AbstractSecur
> public void setMustSupportRefKeyIdentifier(boolean mustSupportRefKeyIdentifier) {
> this.mustSupportRefKeyIdentifier = mustSupportRefKeyIdentifier;
> }
> +
> + /**
> + * @return Returns the enableRevocation.
> + */
> + public boolean isEnableRevocation() {
> + return enableRevocation;
> + }
> +
> + /**
> + * @param enableRevocation The enableRevocation to set.
> + */
> + public void setEnableRevocation(boolean enableRevocation) {
> + this.enableRevocation = enableRevocation;
> + }
>
> public QName getRealName() {
> return constants.getWSS10();
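Review bot: The Javadoc on the new `isEnableRevocation`/`setEnableRevocation` pair only restates the field name, which leaves the next maintainer to guess what the flag actually gates. The getter should say what happens when it is true, e.g. `/** @return whether the encryption certificate's trust chain is validated with revocation (CRL) checking enabled before it is used. */`, and the setter's `@param` should say that this is set when the assertion is present in the policy. Since Wss11 inherits this accessor, the comment is the one place the behaviour is documented for both policy versions.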
> @@ -150,6 +165,13 @@ public class Wss10 extends AbstractSecur
> writer.writeEndElement();
>
> }
> +
> + if (isEnableRevocation()) {
> + // <sp:EnableRevocation />
> + writer.writeStartElement(prefix, SPConstants.ENABLE_REVOCATION, namespaceURI);
> + writer.writeEndElement();
> +
> + }
>
> // </wsp:Policy>
> writer.writeEndElement();
>
> Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
> URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java?rev=1291166&r1=1291165&r2=1291166&view=diff
> ==============================================================================
> --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java (original)
> +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java Mon Feb 20 09:51:20 2012
> @@ -151,6 +151,13 @@ public class Wss11 extends Wss10 {
> writer.writeStartElement(prefix, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION, namespaceURI);
> writer.writeEndElement();
> }
> +
> + if (isEnableRevocation()) {
> + // <sp:EnableRevocation />
> + writer.writeStartElement(prefix, SPConstants.ENABLE_REVOCATION, namespaceURI);
> + writer.writeEndElement();
> +
> + }
>
> // </wsp:Policy>
> writer.writeEndElement();
>
> Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
> URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1291166&r1=1291165&r2=1291166&view=diff
> ==============================================================================
> --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
> +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Mon Feb 20 09:51:20 2012
> @@ -108,6 +108,7 @@ import org.apache.ws.security.WSSecurity
> import org.apache.ws.security.WSUsernameTokenPrincipal;
> import org.apache.ws.security.components.crypto.Crypto;
> import org.apache.ws.security.components.crypto.CryptoFactory;
> +import org.apache.ws.security.components.crypto.CryptoType;
> import org.apache.ws.security.conversation.ConversationConstants;
> import org.apache.ws.security.conversation.ConversationException;
> import org.apache.ws.security.handler.WSHandlerConstants;
> @@ -1371,9 +1372,28 @@ public abstract class AbstractBindingBui
>
>
> public Crypto getEncryptionCrypto(TokenWrapper wrapper) throws WSSecurityException {
> - return getCrypto(wrapper,
> - SecurityConstants.ENCRYPT_CRYPTO,
> - SecurityConstants.ENCRYPT_PROPERTIES);
> + Crypto crypto = getCrypto(wrapper, SecurityConstants.ENCRYPT_CRYPTO,
> + SecurityConstants.ENCRYPT_PROPERTIES);
> + Wss10 wss10 = getWss10();
> + boolean enableRevocation = wss10.isEnableRevocation();
> + if (enableRevocation && crypto != null) {
> + CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
> + String encrUser = (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
> + if (crypto != null && encrUser == null) {
> + try {
> + encrUser = crypto.getDefaultX509Identifier();
> + } catch (WSSecurityException e1) {
> + throw new Fault(e1);
> + }
> + }
> + cryptoType.setAlias(encrUser);
> + X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
> + if (certs != null && certs.length > 0) {
> + crypto.verifyTrust(certs, enableRevocation);
> + }
> + }
> + return crypto;
> +
> }
>
> public Crypto getCrypto(
>
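Review bot: The boolean returned by `crypto.verifyTrust(certs, enableRevocation)` is discarded, so a `Crypto` implementation that reports an untrusted or revoked certificate by returning `false` rather than throwing would leave the certificate in use for encryption; the call should be `if (!crypto.verifyTrust(certs, enableRevocation)) { throw new WSSecurityException(WSSecurityException.FAILURE, "certpath"); }` so the policy fails closed. The inner `crypto != null` test is redundant because the enclosing `if` already established it, and wrapping the `getDefaultX509Identifier` failure in `Fault` is inconsistent with the method's own `throws WSSecurityException`, which could simply propagate. It would also help to state in a comment that when `certs` comes back empty the check is skipped here because the later encryption step fails on the same missing alias, if that is indeed the intent.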
> Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java?rev=1291166&r1=1291165&r2=1291166&view=diff
> ==============================================================================
> --- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java (original)
> +++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java Mon Feb 20 09:51:20 2012
> @@ -39,6 +39,7 @@ public class KeystorePasswordCallback im
> public KeystorePasswordCallback() {
> passwords.put("alice", "password");
> passwords.put("bob", "password");
> + passwords.put("wss40rev", "security");
> }
>
> /**
>
> Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=1291166&r1=1291165&r2=1291166&view=diff
> ==============================================================================
> --- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java (original)
> +++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java Mon Feb 20 09:51:20 2012
> @@ -489,4 +489,42 @@ public class SecurityPolicyTest extends
> di.setNumberToDouble(5);
> assertEquals(10, pt.doubleIt(di, 1).getDoubledNumber());
> }
> +
> + @Test
> + public void testCXF4119() throws Exception {
> + SpringBusFactory bf = new SpringBusFactory();
> +
> + Bus bus = bf.createBus();
> + SpringBusFactory.setDefaultBus(bus);
> + SpringBusFactory.setThreadDefaultBus(bus);
> +
> + URL wsdl = SecurityPolicyTest.class.getResource("DoubleIt.wsdl");
> + Service service = Service.create(wsdl, SERVICE_QNAME);
> +
> + DoubleItPortTypeHeader pt;
> +
> + QName portQName = new QName(NAMESPACE, "DoubleItPortCXF4119");
> + pt = service.getPort(portQName, DoubleItPortTypeHeader.class);
> +
> + updateAddressPort(pt, PORT);
> + ((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,
> + new KeystorePasswordCallback());
> + ((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
> + getClass().getResource("alice.properties"));
> + ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,
> + getClass().getResource("revocation.properties"));
> +
> + DoubleIt di = new DoubleIt();
> + di.setNumberToDouble(5);
> + try {
> + pt.doubleIt(di, 1);
> + fail("Failure expected on a revoked certificate");
> + } catch (Exception ex) {
> + String errorMessage = ex.getMessage();
> + // Different errors using different JDKs...
> + assertTrue(errorMessage.contains("Certificate has been revoked")
> + || errorMessage.contains("Certificate revocation")
> + || errorMessage.contains("Error during certificate path validation"));
> + }
> + }
> }
>
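Review bot: In the catch block of `testCXF4119`, `ex.getMessage()` can be null (a wrapped fault without a message is common), which turns the assertion into a NullPointerException that hides which error was actually raised; using `String errorMessage = String.valueOf(ex.getMessage());` keeps the `assertTrue` as the failing statement. The comment "Different errors using different JDKs..." would be more useful if it named the JDK behaviour being tolerated, since the three accepted substrings include the generic `Error during certificate path validation`, which also matches failures unrelated to revocation (an expired CRL or a rejected signature algorithm) and would make the test pass for the wrong reason.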
> Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl?rev=1291166&r1=1291165&r2=1291166&view=diff
> ==============================================================================
> --- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl (original)
> +++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl Mon Feb 20 09:51:20 2012
> @@ -205,6 +205,24 @@
> </wsdl:fault>
> </wsdl:operation>
> </wsdl:binding>
> + <wsdl:binding name="DoubleItBindingCXF4119" type="tns:DoubleItPortType">
> + <wsp:PolicyReference URI="#CXF4119" />
> + <soap:binding style="document"
> + transport="http://schemas.xmlsoap.org/soap/http" />
> + <wsdl:operation name="DoubleIt">
> + <soap:operation soapAction="" />
> + <wsdl:input>
> + <soap:body use="literal" />
> + </wsdl:input>
> + <wsdl:output>
> + <soap:body use="literal" />
> + </wsdl:output>
> + <wsdl:fault name="DoubleItFault">
> + <soap:body use="literal" name="DoubleItFault" />
> + </wsdl:fault>
> + </wsdl:operation>
> + </wsdl:binding>
> +
>
>
> <wsdl:service name="DoubleItService">
> @@ -241,6 +259,9 @@
> <wsdl:port name="DoubleItPortCXF3452" binding="tns:DoubleItBindingCXF3452">
> <soap:address location="http://localhost:9010/SecPolTestCXF3452" />
> </wsdl:port>
> + <wsdl:port name="DoubleItPortCXF4119" binding="tns:DoubleItBindingCXF4119">
> + <soap:address location="http://localhost:9010/SecPolTestCXF4119" />
> + </wsdl:port>
> </wsdl:service>
>
> <wsp:Policy wsu:Id="DoubleItBindingPolicy">
> @@ -785,5 +806,63 @@
> <sp:Header Namespace="http://cxf.apache.org/policytest/DoubleIt"/>
> </sp:SignedParts>
> </wsp:Policy>
> -
> + <wsp:Policy wsu:Id="CXF4119">
> + <wsp:ExactlyOne>
> + <wsp:All>
> + <sp:AsymmetricBinding
> + xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> + <wsp:Policy>
> + <sp:InitiatorToken>
> + <wsp:Policy>
> + <sp:X509Token
> + sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> + <wsp:Policy>
> + <sp:WssX509V1Token11 />
> + </wsp:Policy>
> + </sp:X509Token>
> + </wsp:Policy>
> + </sp:InitiatorToken>
> + <sp:RecipientToken>
> + <wsp:Policy>
> + <sp:X509Token
> + sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> + <wsp:Policy>
> + <sp:WssX509V1Token11 />
> + </wsp:Policy>
> + </sp:X509Token>
> + </wsp:Policy>
> + </sp:RecipientToken>
> + <sp:AlgorithmSuite>
> + <wsp:Policy>
> + <sp:TripleDesRsa15 />
> + </wsp:Policy>
> + </sp:AlgorithmSuite>
> + <sp:Layout>
> + <wsp:Policy>
> + <sp:Lax />
> + </wsp:Policy>
> + </sp:Layout>
> + <sp:IncludeTimestamp />
> + <sp:EncryptSignature />
> + <sp:OnlySignEntireHeadersAndBody />
> + <sp:EncryptBeforeSigning />
> + </wsp:Policy>
> + </sp:AsymmetricBinding>
> + <sp:SignedParts
> + xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> + <sp:Body />
> + </sp:SignedParts>
> + <sp:EncryptedParts
> + xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> + <sp:Body />
> + </sp:EncryptedParts>
> + <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> + <wsp:Policy>
> + <sp:MustSupportRefIssuerSerial />
> + <sp:EnableRevocation/>
> + </wsp:Policy>
> + </sp:Wss10>
> + </wsp:All>
> + </wsp:ExactlyOne>
> + </wsp:Policy>
> </wsdl:definitions>
>
> Added: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties?rev=1291166&view=auto
> ==============================================================================
> --- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties (added)
> +++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties Mon Feb 20 09:51:20 2012
> @@ -0,0 +1,26 @@
> +#
> +# Licensed to the Apache Software Foundation (ASF) under one
> +# or more contributor license agreements. See the NOTICE file
> +# distributed with this work for additional information
> +# regarding copyright ownership. The ASF licenses this file
> +# to you under the Apache License, Version 2.0 (the
> +# "License"); you may not use this file except in compliance
> +# with the License. You may obtain a copy of the License at
> +#
> +# http://www.apache.org/licenses/LICENSE-2.0
> +#
> +# Unless required by applicable law or agreed to in writing,
> +# software distributed under the License is distributed on an
> +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> +# KIND, either express or implied. See the License for the
> +# specific language governing permissions and limitations
> +# under the License.
> +#
> +org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> +org.apache.ws.security.crypto.merlin.keystore.type=jks
> +org.apache.ws.security.crypto.merlin.keystore.password=security
> +org.apache.ws.security.crypto.merlin.keystore.alias=wss40rev
> +org.apache.ws.security.crypto.merlin.keystore.file=org/apache/cxf/systest/ws/security/wss40rev.jks
> +org.apache.ws.security.crypto.merlin.truststore.password=security
> +org.apache.ws.security.crypto.merlin.truststore.file=org/apache/cxf/systest/ws/security/wss40CA.jks
> +org.apache.ws.security.crypto.merlin.x509crl.file=org/apache/cxf/systest/ws/security/wss40CACRL.pem
>
> Added: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks
> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks?rev=1291166&view=auto
> ==============================================================================
> Binary file - no diff available.
>
> Propchange: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks
> ------------------------------------------------------------------------------
> svn:mime-type = application/octet-stream
>
> Added: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem?rev=1291166&view=auto
> ==============================================================================
> --- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem (added)
> +++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem Mon Feb 20 09:51:20 2012
> @@ -0,0 +1,9 @@
> +-----BEGIN X509 CRL-----
> +MIIBQTCBqzANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJERTEPMA0GA1UECBMG
> +QmF5ZXJuMQ8wDQYDVQQHEwZNdW5pY2gxDTALBgNVBAoTBEhvbWUxFTATBgNVBAsT
> +DEFwYWNoZSBXU1M0SjEPMA0GA1UEAxMGV2VybmVyFw0xMTA1MzAxMTU0MzFaFw0y
> +MTA1MjcxMTU0MzFaMBQwEgIBGRcNMTEwNTMwMTE1MzU3WjANBgkqhkiG9w0BAQQF
> +AAOBgQB0fgOhsp2l0wL/TYiXJqXuKbkhmzQv8LFXmKKCpLSVktrXvVNCBAM9TWVJ
> +35SrZ9eqjoI1sQPsbWSDp+QSieasQf9VgC3P4SFhki6ZupeXqrFgdbzOsXEm0FIR
> +uY1WJGFrF0Co/YUM00ee8jy89jX2rDCgmonKHrKBf7CkD+R2bw==
> +-----END X509 CRL-----
>
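Review bot: The CRL fixture has hard-coded validity and, decoding the base64, appears to be signed with md5WithRSAEncryption (OID 1.2.840.113549.1.1.4) with a nextUpdate around 2021-05-27, so the revocation test depends on the JDK still accepting MD5 during certificate path validation and on the CRL not yet being stale; once either changes, `testCXF4119` will fail with a certpath error different from the revoked-certificate one it is meant to exercise. A short note next to the fixture (or in the test) stating that the CRL was generated with a fixed expiry and a legacy signature algorithm, and how to regenerate it together with wss40rev.jks and wss40CA.jks, would save the next maintainer a debugging session.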
> Added: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks
> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks?rev=1291166&view=auto
> ==============================================================================
> Binary file - no diff available.
>
> Propchange: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks
> ------------------------------------------------------------------------------
> svn:mime-type = application/octet-stream
>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: svn commit: r1291166 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/ r
Posted by Colm O hEigeartaigh <co...@apache.org>.
Thanks, it looks good now.
Colm.
On Mon, Feb 20, 2012 at 10:57 AM, Freeman Fang <fr...@gmail.com> wrote:
> Hi Colm,
>
> Thanks for the input, will revise it accordingly.
>
> Freeman
>
> On 2012-2-20, at 下午6:06, Colm O hEigeartaigh wrote:
>
>> Hi Freeman,
>>
>> I'm -1 to the way you are configuring this patch. WSS10 and WSS11 are
>> standard policies defined in the WS-SP 1.3 spec, and so it's not a
>> good idea to add a custom policy for these.
>>
>> The best way to configure it is to define a (boolean) tag in
>> SecurityConstants so that it can be set as a JAX-WS property.
>>
>> Colm.
>>
>> On Mon, Feb 20, 2012 at 9:51 AM, <ff...@apache.org> wrote:
>>>
>>> Author: ffang
>>> Date: Mon Feb 20 09:51:20 2012
>>> New Revision: 1291166
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1291166&view=rev
>>> Log:
>>> [CXF-4119]support Certificates revocation check before encrypt when use
>>> CXF WS-SecurityPolicy
>>>
>>> Added:
>>>
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
>>>
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks
>>> (with props)
>>>
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
>>>
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks
>>> (with props)
>>> Modified:
>>>
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
>>>
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
>>>
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
>>>
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
>>>
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
>>>
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
>>>
>>> cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
>>>
>>> cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
>>>
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
>>>
>>> Modified:
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
>>> URL:
>>> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
>>> (original)
>>> +++
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
>>> Mon Feb 20 09:51:20 2012
>>> @@ -386,6 +386,8 @@ public abstract class SPConstants {
>>>
>>> public static final String MUST_SUPPORT_ISSUED_TOKENS =
>>> "MustSupportIssuedTokens";
>>>
>>> + public static final String ENABLE_REVOCATION = "EnableRevocation";
>>> +
>>> public static final String REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION
>>> = "RequireRequestSecurityTokenCollection";
>>>
>>>
>>> Modified:
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
>>> URL:
>>> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
>>> (original)
>>> +++
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
>>> Mon Feb 20 09:51:20 2012
>>> @@ -65,6 +65,8 @@ public class WSS10Builder implements Ass
>>> parent.setMustSupportRefExternalURI(true);
>>> } else if
>>> (SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN.equals(name)) {
>>> parent.setMustSupportRefEmbeddedToken(true);
>>> + } else if (SPConstants.ENABLE_REVOCATION.equals(name)) {
>>> + parent.setEnableRevocation(true);
>>> }
>>> child = DOMUtils.getNextElement(child);
>>> }
>>>
>>> Modified:
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
>>> URL:
>>> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
>>> (original)
>>> +++
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
>>> Mon Feb 20 09:51:20 2012
>>> @@ -75,6 +75,8 @@ public class WSS11Builder implements Ass
>>>
>>> } else if
>>> (SPConstants.REQUIRE_SIGNATURE_CONFIRMATION.equals(name)) {
>>> parent.setRequireSignatureConfirmation(true);
>>> + } else if (SPConstants.ENABLE_REVOCATION.equals(name)) {
>>> + parent.setEnableRevocation(true);
>>> }
>>> child = DOMUtils.getNextElement(child);
>>> }
>>>
>>> Modified:
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
>>> URL:
>>> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
>>> (original)
>>> +++
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
>>> Mon Feb 20 09:51:20 2012
>>> @@ -31,6 +31,7 @@ public class Wss10 extends AbstractSecur
>>> private boolean mustSupportRefIssuerSerial;
>>> private boolean mustSupportRefExternalURI;
>>> private boolean mustSupportRefEmbeddedToken;
>>> + private boolean enableRevocation;
>>>
>>> public Wss10(SPConstants version) {
>>> super(version);
>>> @@ -91,6 +92,20 @@ public class Wss10 extends AbstractSecur
>>> public void setMustSupportRefKeyIdentifier(boolean
>>> mustSupportRefKeyIdentifier) {
>>> this.mustSupportRefKeyIdentifier = mustSupportRefKeyIdentifier;
>>> }
>>> +
>>> + /**
>>> + * @return Returns the enableRevocation.
>>> + */
>>> + public boolean isEnableRevocation() {
>>> + return enableRevocation;
>>> + }
>>> +
>>> + /**
>>> + * @param enableRevocation The enableRevocation to set.
>>> + */
>>> + public void setEnableRevocation(boolean enableRevocation) {
>>> + this.enableRevocation = enableRevocation;
>>> + }
>>>
>>> public QName getRealName() {
>>> return constants.getWSS10();
>>> @@ -150,6 +165,13 @@ public class Wss10 extends AbstractSecur
>>> writer.writeEndElement();
>>>
>>> }
>>> +
>>> + if (isEnableRevocation()) {
>>> + // <sp:EnableRevocation />
>>> + writer.writeStartElement(prefix,
>>> SPConstants.ENABLE_REVOCATION, namespaceURI);
>>> + writer.writeEndElement();
>>> +
>>> + }
>>>
>>> // </wsp:Policy>
>>> writer.writeEndElement();
>>>
>>> Modified:
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
>>> URL:
>>> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
>>> (original)
>>> +++
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
>>> Mon Feb 20 09:51:20 2012
>>> @@ -151,6 +151,13 @@ public class Wss11 extends Wss10 {
>>> writer.writeStartElement(prefix,
>>> SPConstants.REQUIRE_SIGNATURE_CONFIRMATION, namespaceURI);
>>> writer.writeEndElement();
>>> }
>>> +
>>> + if (isEnableRevocation()) {
>>> + // <sp:EnableRevocation />
>>> + writer.writeStartElement(prefix,
>>> SPConstants.ENABLE_REVOCATION, namespaceURI);
>>> + writer.writeEndElement();
>>> +
>>> + }
>>>
>>> // </wsp:Policy>
>>> writer.writeEndElement();
>>>
>>> Modified:
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
>>> URL:
>>> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
>>> (original)
>>> +++
>>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
>>> Mon Feb 20 09:51:20 2012
>>> @@ -108,6 +108,7 @@ import org.apache.ws.security.WSSecurity
>>> import org.apache.ws.security.WSUsernameTokenPrincipal;
>>> import org.apache.ws.security.components.crypto.Crypto;
>>> import org.apache.ws.security.components.crypto.CryptoFactory;
>>> +import org.apache.ws.security.components.crypto.CryptoType;
>>> import org.apache.ws.security.conversation.ConversationConstants;
>>> import org.apache.ws.security.conversation.ConversationException;
>>> import org.apache.ws.security.handler.WSHandlerConstants;
>>> @@ -1371,9 +1372,28 @@ public abstract class AbstractBindingBui
>>>
>>>
>>> public Crypto getEncryptionCrypto(TokenWrapper wrapper) throws
>>> WSSecurityException {
>>> - return getCrypto(wrapper,
>>> - SecurityConstants.ENCRYPT_CRYPTO,
>>> - SecurityConstants.ENCRYPT_PROPERTIES);
>>> + Crypto crypto = getCrypto(wrapper,
>>> SecurityConstants.ENCRYPT_CRYPTO,
>>> + SecurityConstants.ENCRYPT_PROPERTIES);
>>> + Wss10 wss10 = getWss10();
>>> + boolean enableRevocation = wss10.isEnableRevocation();
>>> + if (enableRevocation && crypto != null) {
>>> + CryptoType cryptoType = new
>>> CryptoType(CryptoType.TYPE.ALIAS);
>>> + String encrUser =
>>> (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
>>> + if (crypto != null && encrUser == null) {
>>> + try {
>>> + encrUser = crypto.getDefaultX509Identifier();
>>> + } catch (WSSecurityException e1) {
>>> + throw new Fault(e1);
>>> + }
>>> + }
>>> + cryptoType.setAlias(encrUser);
>>> + X509Certificate[] certs =
>>> crypto.getX509Certificates(cryptoType);
>>> + if (certs != null && certs.length > 0) {
>>> + crypto.verifyTrust(certs, enableRevocation);
>>> + }
>>> + }
>>> + return crypto;
>>> +
>>> }
>>>
>>> public Crypto getCrypto(
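Review bot: When `crypto.getX509Certificates(cryptoType)` returns null or an empty array, the `certs != null && certs.length > 0` guard skips `verifyTrust` entirely and the method still returns the Crypto, so an alias that resolves to nothing yields an encryption Crypto that was never revocation-checked; whether the later encryption step fails on the same lookup is not visible here, but throwing a WSSecurityException at that point would match the stated intent of EnableRevocation. The inner `if (crypto != null && encrUser == null)` repeats the `crypto != null` test already required by the enclosing `if`, so it can be `if (encrUser == null)`. Wrapping the `getDefaultX509Identifier()` failure in `Fault` is inconsistent with the method's `throws WSSecurityException` clause and with the unwrapped `getX509Certificates` and `verifyTrust` calls on the following lines; `encrUser = crypto.getDefaultX509Identifier();` can simply propagate. If `getEncryptionCrypto` is invoked per outbound message, a full trust and CRL validation now runs on every call, which is worth confirming against the callers. This hunk is quoted a second time further down the thread; the same points apply there.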
>>>
>>> Modified:
>>> cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
>>> URL:
>>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
>>> (original)
>>> +++
>>> cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
>>> Mon Feb 20 09:51:20 2012
>>> @@ -39,6 +39,7 @@ public class KeystorePasswordCallback im
>>> public KeystorePasswordCallback() {
>>> passwords.put("alice", "password");
>>> passwords.put("bob", "password");
>>> + passwords.put("wss40rev", "security");
>>> }
>>>
>>> /**
>>>
>>> Modified:
>>> cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
>>> URL:
>>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
>>> (original)
>>> +++
>>> cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
>>> Mon Feb 20 09:51:20 2012
>>> @@ -489,4 +489,42 @@ public class SecurityPolicyTest extends
>>> di.setNumberToDouble(5);
>>> assertEquals(10, pt.doubleIt(di, 1).getDoubledNumber());
>>> }
>>> +
>>> + @Test
>>> + public void testCXF4119() throws Exception {
>>> + SpringBusFactory bf = new SpringBusFactory();
>>> +
>>> + Bus bus = bf.createBus();
>>> + SpringBusFactory.setDefaultBus(bus);
>>> + SpringBusFactory.setThreadDefaultBus(bus);
>>> +
>>> + URL wsdl =
>>> SecurityPolicyTest.class.getResource("DoubleIt.wsdl");
>>> + Service service = Service.create(wsdl, SERVICE_QNAME);
>>> +
>>> + DoubleItPortTypeHeader pt;
>>> +
>>> + QName portQName = new QName(NAMESPACE, "DoubleItPortCXF4119");
>>> + pt = service.getPort(portQName, DoubleItPortTypeHeader.class);
>>> +
>>> + updateAddressPort(pt, PORT);
>>> +
>>> ((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,
>>> + new
>>> KeystorePasswordCallback());
>>> +
>>> ((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
>>> +
>>> getClass().getResource("alice.properties"));
>>> +
>>> ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,
>>> +
>>> getClass().getResource("revocation.properties"));
>>> +
>>> + DoubleIt di = new DoubleIt();
>>> + di.setNumberToDouble(5);
>>> + try {
>>> + pt.doubleIt(di, 1);
>>> + fail("Failure expected on a revoked certificate");
>>> + } catch (Exception ex) {
>>> + String errorMessage = ex.getMessage();
>>> + // Different errors using different JDKs...
>>> + assertTrue(errorMessage.contains("Certificate has been
>>> revoked")
>>> + || errorMessage.contains("Certificate
>>> revocation")
>>> + || errorMessage.contains("Error during
>>> certificate path validation"));
>>> + }
>>> + }
>>> }
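Review bot: `ex.getMessage()` may be null for the exception surfaced to the client, in which case the `errorMessage.contains(...)` chain throws a NullPointerException inside the catch block and the test fails with an unrelated stack trace instead of a readable assertion; add `assertNotNull(errorMessage);` before the `assertTrue`, or use `String errorMessage = String.valueOf(ex.getMessage());`. Catching `Exception` broadly also means any failure whose message happens to contain one of the three substrings passes the test, so catching the specific fault type the proxy raises, or asserting on the cause chain, would make the revoked-certificate case the only way to pass. The `Bus` created at the top of the test is not shut down before the method returns; if the sibling tests in this file do so, this one should follow suit.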
>>>
>>> Modified:
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
>>> URL:
>>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl?rev=1291166&r1=1291165&r2=1291166&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
>>> (original)
>>> +++
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
>>> Mon Feb 20 09:51:20 2012
>>> @@ -205,6 +205,24 @@
>>> </wsdl:fault>
>>> </wsdl:operation>
>>> </wsdl:binding>
>>> + <wsdl:binding name="DoubleItBindingCXF4119"
>>> type="tns:DoubleItPortType">
>>> + <wsp:PolicyReference URI="#CXF4119" />
>>> + <soap:binding style="document"
>>> + transport="http://schemas.xmlsoap.org/soap/http" />
>>> + <wsdl:operation name="DoubleIt">
>>> + <soap:operation soapAction="" />
>>> + <wsdl:input>
>>> + <soap:body use="literal" />
>>> + </wsdl:input>
>>> + <wsdl:output>
>>> + <soap:body use="literal" />
>>> + </wsdl:output>
>>> + <wsdl:fault name="DoubleItFault">
>>> + <soap:body use="literal" name="DoubleItFault" />
>>> + </wsdl:fault>
>>> + </wsdl:operation>
>>> + </wsdl:binding>
>>> +
>>>
>>>
>>> <wsdl:service name="DoubleItService">
>>> @@ -241,6 +259,9 @@
>>> <wsdl:port name="DoubleItPortCXF3452"
>>> binding="tns:DoubleItBindingCXF3452">
>>> <soap:address
>>> location="http://localhost:9010/SecPolTestCXF3452" />
>>> </wsdl:port>
>>> + <wsdl:port name="DoubleItPortCXF4119"
>>> binding="tns:DoubleItBindingCXF4119">
>>> + <soap:address
>>> location="http://localhost:9010/SecPolTestCXF4119" />
>>> + </wsdl:port>
>>> </wsdl:service>
>>>
>>> <wsp:Policy wsu:Id="DoubleItBindingPolicy">
>>> @@ -785,5 +806,63 @@
>>> <sp:Header
>>> Namespace="http://cxf.apache.org/policytest/DoubleIt"/>
>>> </sp:SignedParts>
>>> </wsp:Policy>
>>> -
>>> + <wsp:Policy wsu:Id="CXF4119">
>>> + <wsp:ExactlyOne>
>>> + <wsp:All>
>>> + <sp:AsymmetricBinding
>>> +
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> + <wsp:Policy>
>>> + <sp:InitiatorToken>
>>> + <wsp:Policy>
>>> + <sp:X509Token
>>> +
>>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>> + <wsp:Policy>
>>> + <sp:WssX509V1Token11 />
>>> + </wsp:Policy>
>>> + </sp:X509Token>
>>> + </wsp:Policy>
>>> + </sp:InitiatorToken>
>>> + <sp:RecipientToken>
>>> + <wsp:Policy>
>>> + <sp:X509Token
>>> +
>>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>>> + <wsp:Policy>
>>> + <sp:WssX509V1Token11 />
>>> + </wsp:Policy>
>>> + </sp:X509Token>
>>> + </wsp:Policy>
>>> + </sp:RecipientToken>
>>> + <sp:AlgorithmSuite>
>>> + <wsp:Policy>
>>> + <sp:TripleDesRsa15 />
>>> + </wsp:Policy>
>>> + </sp:AlgorithmSuite>
>>> + <sp:Layout>
>>> + <wsp:Policy>
>>> + <sp:Lax />
>>> + </wsp:Policy>
>>> + </sp:Layout>
>>> + <sp:IncludeTimestamp />
>>> + <sp:EncryptSignature />
>>> + <sp:OnlySignEntireHeadersAndBody />
>>> + <sp:EncryptBeforeSigning />
>>> + </wsp:Policy>
>>> + </sp:AsymmetricBinding>
>>> + <sp:SignedParts
>>> +
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> + <sp:Body />
>>> + </sp:SignedParts>
>>> + <sp:EncryptedParts
>>> +
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> + <sp:Body />
>>> + </sp:EncryptedParts>
>>> + <sp:Wss10
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> + <wsp:Policy>
>>> + <sp:MustSupportRefIssuerSerial />
>>> + <sp:EnableRevocation/>
>>> + </wsp:Policy>
>>> + </sp:Wss10>
>>> + </wsp:All>
>>> + </wsp:ExactlyOne>
>>> + </wsp:Policy>
>>> </wsdl:definitions>
>>>
>>> Added:
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
>>> URL:
>>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties?rev=1291166&view=auto
>>>
>>> ==============================================================================
>>> ---
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
>>> (added)
>>> +++
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
>>> Mon Feb 20 09:51:20 2012
>>> @@ -0,0 +1,26 @@
>>> +#
>>> +# Licensed to the Apache Software Foundation (ASF) under one
>>> +# or more contributor license agreements. See the NOTICE file
>>> +# distributed with this work for additional information
>>> +# regarding copyright ownership. The ASF licenses this file
>>> +# to you under the Apache License, Version 2.0 (the
>>> +# "License"); you may not use this file except in compliance
>>> +# with the License. You may obtain a copy of the License at
>>> +#
>>> +# http://www.apache.org/licenses/LICENSE-2.0
>>> +#
>>> +# Unless required by applicable law or agreed to in writing,
>>> +# software distributed under the License is distributed on an
>>> +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>> +# KIND, either express or implied. See the License for the
>>> +# specific language governing permissions and limitations
>>> +# under the License.
>>> +#
>>>
>>> +org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>>> +org.apache.ws.security.crypto.merlin.keystore.type=jks
>>> +org.apache.ws.security.crypto.merlin.keystore.password=security
>>> +org.apache.ws.security.crypto.merlin.keystore.alias=wss40rev
>>>
>>> +org.apache.ws.security.crypto.merlin.keystore.file=org/apache/cxf/systest/ws/security/wss40rev.jks
>>> +org.apache.ws.security.crypto.merlin.truststore.password=security
>>>
>>> +org.apache.ws.security.crypto.merlin.truststore.file=org/apache/cxf/systest/ws/security/wss40CA.jks
>>>
>>> +org.apache.ws.security.crypto.merlin.x509crl.file=org/apache/cxf/systest/ws/security/wss40CACRL.pem
>>>
>>> Added:
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks
>>> URL:
>>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks?rev=1291166&view=auto
>>>
>>> ==============================================================================
>>> Binary file - no diff available.
>>>
>>> Propchange:
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks
>>>
>>> ------------------------------------------------------------------------------
>>> svn:mime-type = application/octet-stream
>>>
>>> Added:
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
>>> URL:
>>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem?rev=1291166&view=auto
>>>
>>> ==============================================================================
>>> ---
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
>>> (added)
>>> +++
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
>>> Mon Feb 20 09:51:20 2012
>>> @@ -0,0 +1,9 @@
>>> +-----BEGIN X509 CRL-----
>>> +MIIBQTCBqzANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJERTEPMA0GA1UECBMG
>>> +QmF5ZXJuMQ8wDQYDVQQHEwZNdW5pY2gxDTALBgNVBAoTBEhvbWUxFTATBgNVBAsT
>>> +DEFwYWNoZSBXU1M0SjEPMA0GA1UEAxMGV2VybmVyFw0xMTA1MzAxMTU0MzFaFw0y
>>> +MTA1MjcxMTU0MzFaMBQwEgIBGRcNMTEwNTMwMTE1MzU3WjANBgkqhkiG9w0BAQQF
>>> +AAOBgQB0fgOhsp2l0wL/TYiXJqXuKbkhmzQv8LFXmKKCpLSVktrXvVNCBAM9TWVJ
>>> +35SrZ9eqjoI1sQPsbWSDp+QSieasQf9VgC3P4SFhki6ZupeXqrFgdbzOsXEm0FIR
>>> +uY1WJGFrF0Co/YUM00ee8jy89jX2rDCgmonKHrKBf7CkD+R2bw==
>>> +-----END X509 CRL-----
>>>
>>> Added:
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks
>>> URL:
>>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks?rev=1291166&view=auto
>>>
>>> ==============================================================================
>>> Binary file - no diff available.
>>>
>>> Propchange:
>>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks
>>>
>>> ------------------------------------------------------------------------------
>>> svn:mime-type = application/octet-stream
>>>
>>>
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>
>
> ---------------------------------------------
> Freeman Fang
>
> FuseSource
> Email:ffang@fusesource.com
> Web: fusesource.com
> Twitter: freemanfang
> Blog: http://freemanfang.blogspot.com
>
>
>
>
>
>
>
>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: svn commit: r1291166 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/ r
Posted by Freeman Fang <fr...@gmail.com>.
Hi Colm,
Thanks for the input, will revise it accordingly.
Freeman
On 2012-2-20, at 下午6:06, Colm O hEigeartaigh wrote:
> Hi Freeman,
>
> I'm -1 to the way you are configuring this patch. WSS10 and WSS11 are
> standard policies defined in the WS-SP 1.3 spec, and so it's not a
> good idea to add a custom policy for these.
>
> The best way to configure it is to define a (boolean) tag in
> SecurityConstants so that it can be set as a JAX-WS property.
>
> Colm.
>
> On Mon, Feb 20, 2012 at 9:51 AM, <ff...@apache.org> wrote:
>> Author: ffang
>> Date: Mon Feb 20 09:51:20 2012
>> New Revision: 1291166
>>
>> URL: http://svn.apache.org/viewvc?rev=1291166&view=rev
>> Log:
>> [CXF-4119] Support certificate revocation checking before encrypting when
>> using CXF WS-SecurityPolicy
>>
>> Added:
>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/
>> systest/ws/security/revocation.properties
>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/
>> systest/ws/security/wss40CA.jks (with props)
>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/
>> systest/ws/security/wss40CACRL.pem
>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/
>> systest/ws/security/wss40rev.jks (with props)
>> Modified:
>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/SPConstants.java
>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/builders/WSS10Builder.java
>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/builders/WSS11Builder.java
>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/model/Wss10.java
>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/model/Wss11.java
>> cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/wss4j/policyhandlers/AbstractBindingBuilder.java
>> cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/
>> systest/ws/security/KeystorePasswordCallback.java
>> cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/
>> systest/ws/security/SecurityPolicyTest.java
>> cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/
>> systest/ws/security/DoubleIt.wsdl
>>
>> Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/SPConstants.java
>> URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/SPConstants.java (original)
>> +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/SPConstants.java Mon Feb 20 09:51:20 2012
>> @@ -386,6 +386,8 @@ public abstract class SPConstants {
>>
>> public static final String MUST_SUPPORT_ISSUED_TOKENS =
>> "MustSupportIssuedTokens";
>>
>> + public static final String ENABLE_REVOCATION =
>> "EnableRevocation";
>> +
>> public static final String
>> REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION
>> = "RequireRequestSecurityTokenCollection";
>>
>>
>> Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/builders/WSS10Builder.java
>> URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/builders/WSS10Builder.java (original)
>> +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/builders/WSS10Builder.java Mon Feb 20 09:51:20 2012
>> @@ -65,6 +65,8 @@ public class WSS10Builder implements Ass
>> parent.setMustSupportRefExternalURI(true);
>> } else if
>> (SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN.equals(name)) {
>> parent.setMustSupportRefEmbeddedToken(true);
>> + } else if
>> (SPConstants.ENABLE_REVOCATION.equals(name)) {
>> + parent.setEnableRevocation(true);
>> }
>> child = DOMUtils.getNextElement(child);
>> }
>>
>> Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/builders/WSS11Builder.java
>> URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/builders/WSS11Builder.java (original)
>> +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/builders/WSS11Builder.java Mon Feb 20 09:51:20 2012
>> @@ -75,6 +75,8 @@ public class WSS11Builder implements Ass
>>
>> } else if
>> (SPConstants.REQUIRE_SIGNATURE_CONFIRMATION.equals(name)) {
>> parent.setRequireSignatureConfirmation(true);
>> + } else if
>> (SPConstants.ENABLE_REVOCATION.equals(name)) {
>> + parent.setEnableRevocation(true);
>> }
>> child = DOMUtils.getNextElement(child);
>> }
>>
>> Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/model/Wss10.java
>> URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/model/Wss10.java (original)
>> +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/model/Wss10.java Mon Feb 20 09:51:20 2012
>> @@ -31,6 +31,7 @@ public class Wss10 extends AbstractSecur
>> private boolean mustSupportRefIssuerSerial;
>> private boolean mustSupportRefExternalURI;
>> private boolean mustSupportRefEmbeddedToken;
>> + private boolean enableRevocation;
>>
>> public Wss10(SPConstants version) {
>> super(version);
>> @@ -91,6 +92,20 @@ public class Wss10 extends AbstractSecur
>> public void setMustSupportRefKeyIdentifier(boolean
>> mustSupportRefKeyIdentifier) {
>> this.mustSupportRefKeyIdentifier =
>> mustSupportRefKeyIdentifier;
>> }
>> +
>> + /**
>> + * @return Returns the enableRevocation.
>> + */
>> + public boolean isEnableRevocation() {
>> + return enableRevocation;
>> + }
>> +
>> + /**
>> + * @param enableRevocation The enableRevocation to set.
>> + */
>> + public void setEnableRevocation(boolean enableRevocation) {
>> + this.enableRevocation = enableRevocation;
>> + }
>>
>> public QName getRealName() {
>> return constants.getWSS10();
>> @@ -150,6 +165,13 @@ public class Wss10 extends AbstractSecur
>> writer.writeEndElement();
>>
>> }
>> +
>> + if (isEnableRevocation()) {
>> + // <sp:EnableRevocation />
>> + writer.writeStartElement(prefix,
>> SPConstants.ENABLE_REVOCATION, namespaceURI);
>> + writer.writeEndElement();
>> +
>> + }
>>
>> // </wsp:Policy>
>> writer.writeEndElement();
>>
>> Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/model/Wss11.java
>> URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/model/Wss11.java (original)
>> +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/policy/model/Wss11.java Mon Feb 20 09:51:20 2012
>> @@ -151,6 +151,13 @@ public class Wss11 extends Wss10 {
>> writer.writeStartElement(prefix,
>> SPConstants.REQUIRE_SIGNATURE_CONFIRMATION, namespaceURI);
>> writer.writeEndElement();
>> }
>> +
>> + if (isEnableRevocation()) {
>> + // <sp:EnableRevocation />
>> + writer.writeStartElement(prefix,
>> SPConstants.ENABLE_REVOCATION, namespaceURI);
>> + writer.writeEndElement();
>> +
>> + }
>>
>> // </wsp:Policy>
>> writer.writeEndElement();
>>
>> Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/wss4j/policyhandlers/AbstractBindingBuilder.java
>> URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
>> +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/
>> security/wss4j/policyhandlers/AbstractBindingBuilder.java Mon Feb
>> 20 09:51:20 2012
>> @@ -108,6 +108,7 @@ import org.apache.ws.security.WSSecurity
>> import org.apache.ws.security.WSUsernameTokenPrincipal;
>> import org.apache.ws.security.components.crypto.Crypto;
>> import org.apache.ws.security.components.crypto.CryptoFactory;
>> +import org.apache.ws.security.components.crypto.CryptoType;
>> import org.apache.ws.security.conversation.ConversationConstants;
>> import org.apache.ws.security.conversation.ConversationException;
>> import org.apache.ws.security.handler.WSHandlerConstants;
>> @@ -1371,9 +1372,28 @@ public abstract class AbstractBindingBui
>>
>>
>> public Crypto getEncryptionCrypto(TokenWrapper wrapper) throws
>> WSSecurityException {
>> - return getCrypto(wrapper,
>> - SecurityConstants.ENCRYPT_CRYPTO,
>> - SecurityConstants.ENCRYPT_PROPERTIES);
>> + Crypto crypto = getCrypto(wrapper,
>> SecurityConstants.ENCRYPT_CRYPTO,
>> +
>> SecurityConstants.ENCRYPT_PROPERTIES);
>> + Wss10 wss10 = getWss10();
>> + boolean enableRevocation = wss10.isEnableRevocation();
>> + if (enableRevocation && crypto != null) {
>> + CryptoType cryptoType = new
>> CryptoType(CryptoType.TYPE.ALIAS);
>> + String encrUser =
>> (String
>> )message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
>> + if (crypto != null && encrUser == null) {
>> + try {
>> + encrUser = crypto.getDefaultX509Identifier();
>> + } catch (WSSecurityException e1) {
>> + throw new Fault(e1);
>> + }
>> + }
>> + cryptoType.setAlias(encrUser);
>> + X509Certificate[] certs =
>> crypto.getX509Certificates(cryptoType);
>> + if (certs != null && certs.length > 0) {
>> + crypto.verifyTrust(certs, enableRevocation);
>> + }
>> + }
>> + return crypto;
>> +
>> }
>>
>> public Crypto getCrypto(
>>
>> Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/
>> cxf/systest/ws/security/KeystorePasswordCallback.java
>> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/
>> systest/ws/security/KeystorePasswordCallback.java (original)
>> +++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/
>> systest/ws/security/KeystorePasswordCallback.java Mon Feb 20
>> 09:51:20 2012
>> @@ -39,6 +39,7 @@ public class KeystorePasswordCallback im
>> public KeystorePasswordCallback() {
>> passwords.put("alice", "password");
>> passwords.put("bob", "password");
>> + passwords.put("wss40rev", "security");
>> }
>>
>> /**
>>
>> Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/
>> cxf/systest/ws/security/SecurityPolicyTest.java
>> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=1291166&r1=1291165&r2=1291166&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/
>> systest/ws/security/SecurityPolicyTest.java (original)
>> +++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/
>> systest/ws/security/SecurityPolicyTest.java Mon Feb 20 09:51:20 2012
>> @@ -489,4 +489,42 @@ public class SecurityPolicyTest extends
>> di.setNumberToDouble(5);
>> assertEquals(10, pt.doubleIt(di, 1).getDoubledNumber());
>> }
>> +
>> + @Test
>> + public void testCXF4119() throws Exception {
>> + SpringBusFactory bf = new SpringBusFactory();
>> +
>> + Bus bus = bf.createBus();
>> + SpringBusFactory.setDefaultBus(bus);
>> + SpringBusFactory.setThreadDefaultBus(bus);
>> +
>> + URL wsdl =
>> SecurityPolicyTest.class.getResource("DoubleIt.wsdl");
>> + Service service = Service.create(wsdl, SERVICE_QNAME);
>> +
>> + DoubleItPortTypeHeader pt;
>> +
>> + QName portQName = new QName(NAMESPACE,
>> "DoubleItPortCXF4119");
>> + pt = service.getPort(portQName,
>> DoubleItPortTypeHeader.class);
>> +
>> + updateAddressPort(pt, PORT);
>> +
>> ((BindingProvider
>> )pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,
>> + new
>> KeystorePasswordCallback());
>> +
>> ((BindingProvider
>> )pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
>> +
>> getClass().getResource("alice.properties"));
>> +
>> ((BindingProvider
>> )pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,
>> +
>> getClass().getResource("revocation.properties"));
>> +
>> + DoubleIt di = new DoubleIt();
>> + di.setNumberToDouble(5);
>> + try {
>> + pt.doubleIt(di, 1);
>> + fail("Failure expected on a revoked certificate");
>> + } catch (Exception ex) {
>> + String errorMessage = ex.getMessage();
>> + // Different errors using different JDKs...
>> + assertTrue(errorMessage.contains("Certificate has been
>> revoked")
>> + || errorMessage.contains("Certificate
>> revocation")
>> + || errorMessage.contains("Error during
>> certificate path validation"));
>> + }
>> + }
>> }
>>
>> Modified: cxf/trunk/systests/ws-security/src/test/resources/org/
>> apache/cxf/systest/ws/security/DoubleIt.wsdl
>> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl?rev=1291166&r1=1291165&r2=1291166&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- cxf/trunk/systests/ws-security/src/test/resources/org/apache/
>> cxf/systest/ws/security/DoubleIt.wsdl (original)
>> +++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/
>> cxf/systest/ws/security/DoubleIt.wsdl Mon Feb 20 09:51:20 2012
>> @@ -205,6 +205,24 @@
>> </wsdl:fault>
>> </wsdl:operation>
>> </wsdl:binding>
>> + <wsdl:binding name="DoubleItBindingCXF4119"
>> type="tns:DoubleItPortType">
>> + <wsp:PolicyReference URI="#CXF4119" />
>> + <soap:binding style="document"
>> + transport="http://schemas.xmlsoap.org/soap/http" />
>> + <wsdl:operation name="DoubleIt">
>> + <soap:operation soapAction="" />
>> + <wsdl:input>
>> + <soap:body use="literal" />
>> + </wsdl:input>
>> + <wsdl:output>
>> + <soap:body use="literal" />
>> + </wsdl:output>
>> + <wsdl:fault name="DoubleItFault">
>> + <soap:body use="literal" name="DoubleItFault" />
>> + </wsdl:fault>
>> + </wsdl:operation>
>> + </wsdl:binding>
>> +
>>
>>
>> <wsdl:service name="DoubleItService">
>> @@ -241,6 +259,9 @@
>> <wsdl:port name="DoubleItPortCXF3452"
>> binding="tns:DoubleItBindingCXF3452">
>> <soap:address location="http://localhost:9010/SecPolTestCXF3452
>> " />
>> </wsdl:port>
>> + <wsdl:port name="DoubleItPortCXF4119"
>> binding="tns:DoubleItBindingCXF4119">
>> + <soap:address location="http://localhost:9010/SecPolTestCXF4119
>> " />
>> + </wsdl:port>
>> </wsdl:service>
>>
>> <wsp:Policy wsu:Id="DoubleItBindingPolicy">
>> @@ -785,5 +806,63 @@
>> <sp:Header Namespace="http://cxf.apache.org/policytest/DoubleIt
>> "/>
>> </sp:SignedParts>
>> </wsp:Policy>
>> -
>> + <wsp:Policy wsu:Id="CXF4119">
>> + <wsp:ExactlyOne>
>> + <wsp:All>
>> + <sp:AsymmetricBinding
>> + xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
>> ">
>> + <wsp:Policy>
>> + <sp:InitiatorToken>
>> + <wsp:Policy>
>> + <sp:X509Token
>> + sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
>> ">
>> + <wsp:Policy>
>> + <sp:WssX509V1Token11 />
>> + </wsp:Policy>
>> + </sp:X509Token>
>> + </wsp:Policy>
>> + </sp:InitiatorToken>
>> + <sp:RecipientToken>
>> + <wsp:Policy>
>> + <sp:X509Token
>> + sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never
>> ">
>> + <wsp:Policy>
>> + <sp:WssX509V1Token11 />
>> + </wsp:Policy>
>> + </sp:X509Token>
>> + </wsp:Policy>
>> + </sp:RecipientToken>
>> + <sp:AlgorithmSuite>
>> + <wsp:Policy>
>> + <sp:TripleDesRsa15 />
>> + </wsp:Policy>
>> + </sp:AlgorithmSuite>
>> + <sp:Layout>
>> + <wsp:Policy>
>> + <sp:Lax />
>> + </wsp:Policy>
>> + </sp:Layout>
>> + <sp:IncludeTimestamp />
>> + <sp:EncryptSignature />
>> + <sp:OnlySignEntireHeadersAndBody />
>> + <sp:EncryptBeforeSigning />
>> + </wsp:Policy>
>> + </sp:AsymmetricBinding>
>> + <sp:SignedParts
>> + xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
>> ">
>> + <sp:Body />
>> + </sp:SignedParts>
>> + <sp:EncryptedParts
>> + xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
>> ">
>> + <sp:Body />
>> + </sp:EncryptedParts>
>> + <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
>> ">
>> + <wsp:Policy>
>> + <sp:MustSupportRefIssuerSerial />
>> + <sp:EnableRevocation/>
>> + </wsp:Policy>
>> + </sp:Wss10>
>> + </wsp:All>
>> + </wsp:ExactlyOne>
>> + </wsp:Policy>
>> </wsdl:definitions>
>>
>> Added: cxf/trunk/systests/ws-security/src/test/resources/org/apache/
>> cxf/systest/ws/security/revocation.properties
>> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties?rev=1291166&view=auto
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- cxf/trunk/systests/ws-security/src/test/resources/org/apache/
>> cxf/systest/ws/security/revocation.properties (added)
>> +++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/
>> cxf/systest/ws/security/revocation.properties Mon Feb 20 09:51:20
>> 2012
>> @@ -0,0 +1,26 @@
>> +#
>> +# Licensed to the Apache Software Foundation (ASF) under one
>> +# or more contributor license agreements. See the NOTICE file
>> +# distributed with this work for additional information
>> +# regarding copyright ownership. The ASF licenses this file
>> +# to you under the Apache License, Version 2.0 (the
>> +# "License"); you may not use this file except in compliance
>> +# with the License. You may obtain a copy of the License at
>> +#
>> +# http://www.apache.org/licenses/LICENSE-2.0
>> +#
>> +# Unless required by applicable law or agreed to in writing,
>> +# software distributed under the License is distributed on an
>> +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>> +# KIND, either express or implied. See the License for the
>> +# specific language governing permissions and limitations
>> +# under the License.
>> +#
>> +
>> org
>> .apache
>> .ws
>> .security
>> .crypto.provider=org.apache.ws.security.components.crypto.Merlin
>> +org.apache.ws.security.crypto.merlin.keystore.type=jks
>> +org.apache.ws.security.crypto.merlin.keystore.password=security
>> +org.apache.ws.security.crypto.merlin.keystore.alias=wss40rev
>> +org.apache.ws.security.crypto.merlin.keystore.file=org/apache/cxf/
>> systest/ws/security/wss40rev.jks
>> +org.apache.ws.security.crypto.merlin.truststore.password=security
>> +org.apache.ws.security.crypto.merlin.truststore.file=org/apache/
>> cxf/systest/ws/security/wss40CA.jks
>> +org.apache.ws.security.crypto.merlin.x509crl.file=org/apache/cxf/
>> systest/ws/security/wss40CACRL.pem
>>
>> Added: cxf/trunk/systests/ws-security/src/test/resources/org/apache/
>> cxf/systest/ws/security/wss40CA.jks
>> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks?rev=1291166&view=auto
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> Binary file - no diff available.
>>
>> Propchange: cxf/trunk/systests/ws-security/src/test/resources/org/
>> apache/cxf/systest/ws/security/wss40CA.jks
>> ------------------------------------------------------------------------------
>> svn:mime-type = application/octet-stream
>>
>> Added: cxf/trunk/systests/ws-security/src/test/resources/org/apache/
>> cxf/systest/ws/security/wss40CACRL.pem
>> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem?rev=1291166&view=auto
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- cxf/trunk/systests/ws-security/src/test/resources/org/apache/
>> cxf/systest/ws/security/wss40CACRL.pem (added)
>> +++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/
>> cxf/systest/ws/security/wss40CACRL.pem Mon Feb 20 09:51:20 2012
>> @@ -0,0 +1,9 @@
>> +-----BEGIN X509 CRL-----
>> +MIIBQTCBqzANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJERTEPMA0GA1UECBMG
>> +QmF5ZXJuMQ8wDQYDVQQHEwZNdW5pY2gxDTALBgNVBAoTBEhvbWUxFTATBgNVBAsT
>> +DEFwYWNoZSBXU1M0SjEPMA0GA1UEAxMGV2VybmVyFw0xMTA1MzAxMTU0MzFaFw0y
>> +MTA1MjcxMTU0MzFaMBQwEgIBGRcNMTEwNTMwMTE1MzU3WjANBgkqhkiG9w0BAQQF
>> +AAOBgQB0fgOhsp2l0wL/TYiXJqXuKbkhmzQv8LFXmKKCpLSVktrXvVNCBAM9TWVJ
>> +35SrZ9eqjoI1sQPsbWSDp+QSieasQf9VgC3P4SFhki6ZupeXqrFgdbzOsXEm0FIR
>> +uY1WJGFrF0Co/YUM00ee8jy89jX2rDCgmonKHrKBf7CkD+R2bw==
>> +-----END X509 CRL-----
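Review bot: This CRL fixture appears to be short-lived and weakly signed, which will make the revocation system test time-bomb rather than stay green. Decoding the base64 DER (please double-check), the two UTCTime fields read `110530115431Z` and `210527115431Z`, i.e. nextUpdate on 2021-05-27, and the signature AlgorithmIdentifier is OID 1.2.840.113549.1.1.4 (md5WithRSAEncryption), so a CertPath validator that treats a stale CRL as an error, or that has MD5 in its disabled-algorithm list, will reject it long before the certificates it covers are retired. It would be safer to regenerate wss40CACRL.pem with a SHA-256 signature and a nextUpdate well beyond the lifetime of the wss40CA.jks / wss40rev.jks fixtures, and to record the issuing steps in a comment next to the test that loads revocation.properties so the fixture can be re-issued when it lapses.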
>>
>> Added: cxf/trunk/systests/ws-security/src/test/resources/org/apache/
>> cxf/systest/ws/security/wss40rev.jks
>> URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks?rev=1291166&view=auto
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> Binary file - no diff available.
>>
>> Propchange: cxf/trunk/systests/ws-security/src/test/resources/org/
>> apache/cxf/systest/ws/security/wss40rev.jks
>> ------------------------------------------------------------------------------
>> svn:mime-type = application/octet-stream
>>
>>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
---------------------------------------------
Freeman Fang
FuseSource
Email:ffang@fusesource.com
Web: fusesource.com
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com