Posted to commits@cxf.apache.org by co...@apache.org on 2015/04/15 14:41:59 UTC

cxf git commit: [CXF-6327] - Invalid Policy exception for EndorsingSupportingTokens with more than one token assertions

Repository: cxf
Updated Branches:
  refs/heads/master 790012b2b -> aaad96fdf


[CXF-6327] - Invalid Policy exception for EndorsingSupportingTokens with more than one token assertions


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/aaad96fd
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/aaad96fd
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/aaad96fd

Branch: refs/heads/master
Commit: aaad96fdf931cdc619a60fbffe3c9c894ae8ea43
Parents: 790012b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Apr 15 13:41:13 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Apr 15 13:41:13 2015 +0100

----------------------------------------------------------------------
 .../policyhandlers/AbstractBindingBuilder.java  | 57 ++++++++------------
 .../AbstractStaxBindingHandler.java             |  9 ++--
 .../AsymmetricBindingHandler.java               | 15 +++---
 .../StaxAsymmetricBindingHandler.java           |  4 +-
 .../StaxSymmetricBindingHandler.java            |  4 +-
 .../StaxTransportBindingHandler.java            |  4 +-
 .../policyhandlers/SymmetricBindingHandler.java | 11 ++--
 .../policyhandlers/TransportBindingHandler.java | 12 +++--
 .../sts/transport/TransportBindingTest.java     |  7 ++-
 .../cxf/systest/sts/transport/DoubleIt.wsdl     |  3 +-
 .../cxf/systest/sts/transport/cxf-service.xml   |  3 +-
 .../systest/sts/transport/cxf-stax-service.xml  |  3 +-
 12 files changed, 64 insertions(+), 68 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/aaad96fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index bb4aa46..9379c49 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -118,7 +118,6 @@ import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
-import org.apache.wss4j.policy.model.AbstractTokenWrapper;
 import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
 import org.apache.wss4j.policy.model.AsymmetricBinding;
 import org.apache.wss4j.policy.model.Attachments;
@@ -500,7 +499,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 
             } else if (token instanceof X509Token) {
                 //We have to use a cert. Prepare X509 signature
-                WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
+                WSSecSignature sig = getSignatureBuilder(token, false, endorse);
+                assertPolicy(suppTokens);
                 Element bstElem = sig.getBinarySecurityTokenElement();
                 if (bstElem != null) {
                     if (lastEncryptedKeyElement != null) {
@@ -521,7 +521,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                 }
                 ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
             } else if (token instanceof KeyValueToken) {
-                WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
+                WSSecSignature sig = getSignatureBuilder(token, false, endorse);
+                assertPolicy(suppTokens);
                 if (suppTokens.isEncryptedToken()) {
                     WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
                     encryptedTokensList.add(part);
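Review bot: `assertPolicy(suppTokens)` is now repeated verbatim in this KeyValueToken branch and in the X509Token branch of the previous hunk (L64), each immediately after a `getSignatureBuilder(token, false, endorse)` call. If every branch of this if/else chain is meant to assert the wrapper once its token has been handled, a single `assertPolicy(suppTokens);` after the chain would make that invariant visible instead of relying on each branch to remember it; the chain starts and ends outside these hunks, so this needs checking against the IssuedToken/SAML branches first. Either way a one-line comment such as `// the wrapper is asserted here now that getSignatureBuilder() no longer asserts it` would explain why the assert moved.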
@@ -865,7 +866,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             }
             Crypto crypto = samlCallback.getIssuerCrypto();
             if (crypto == null) {
-                crypto = getSignatureCrypto(null);
+                crypto = getSignatureCrypto();
             }
             
             assertion.signAssertion(
@@ -1358,14 +1359,14 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         return null;
     }
     
-    protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractTokenWrapper wrapper, 
-                                                       AbstractToken token) throws WSSecurityException {
+    protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException {
         WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
         encrKey.setIdAllocator(wssConfig.getIdAllocator());
         encrKey.setCallbackLookup(callbackLookup);
-        Crypto crypto = getEncryptionCrypto(wrapper);
+        Crypto crypto = getEncryptionCrypto();
         message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
-        setKeyIdentifierType(encrKey, wrapper, token);
+        setKeyIdentifierType(encrKey, token);
+        
         boolean alsoIncludeToken = false;
         // Find out do we also need to include the token as per the Inclusion requirement
         if (token instanceof X509Token 
@@ -1374,7 +1375,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             alsoIncludeToken = true;
         }
         
-        String encrUser = setEncryptionUser(encrKey, wrapper, false, crypto);
+        String encrUser = setEncryptionUser(encrKey, token, false, crypto);
         
         AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
         encrKey.setSymmetricEncAlgorithm(algType.getEncryption());
@@ -1414,15 +1415,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         return null;
     }
     
-    public Crypto getSignatureCrypto(AbstractTokenWrapper wrapper) throws WSSecurityException {
-        return getCrypto(wrapper, SecurityConstants.SIGNATURE_CRYPTO,
-                         SecurityConstants.SIGNATURE_PROPERTIES);
+    public Crypto getSignatureCrypto() throws WSSecurityException {
+        return getCrypto(SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES);
     }
 
-
-    public Crypto getEncryptionCrypto(AbstractTokenWrapper wrapper) throws WSSecurityException {
-        Crypto crypto = getCrypto(wrapper, SecurityConstants.ENCRYPT_CRYPTO,
-                                  SecurityConstants.ENCRYPT_PROPERTIES);
+    public Crypto getEncryptionCrypto() throws WSSecurityException {
+        Crypto crypto = 
+            getCrypto(SecurityConstants.ENCRYPT_CRYPTO, SecurityConstants.ENCRYPT_PROPERTIES);
         boolean enableRevocation = false;
         String enableRevStr = 
             (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, message);
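Review bot: The public methods `getSignatureCrypto(AbstractTokenWrapper)` and `getEncryptionCrypto(AbstractTokenWrapper)` are deleted rather than deprecated, and the same series of hunks narrows `getCrypto` from public to protected (L142) and changes the parameter types of the public `setKeyIdentifierType` (L151) and `setEncryptionUser` (L168). Any subclass or third-party binding handler compiled against the old signatures will break at compile or class-load time. Since the wrapper argument is no longer used, a delegating overload costs nothing: `@Deprecated public Crypto getSignatureCrypto(AbstractTokenWrapper wrapper) throws WSSecurityException { return getSignatureCrypto(); }`, and likewise for `getEncryptionCrypto`, kept for at least one release. The body of `getEncryptionCrypto` continues past the hunk.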
@@ -1450,8 +1449,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 
     }
     
-    public Crypto getCrypto(
-        AbstractTokenWrapper wrapper, 
+    protected Crypto getCrypto(
         String cryptoKey, 
         String propKey
     ) throws WSSecurityException {
@@ -1504,7 +1502,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         return null;
     }
     
-    public void setKeyIdentifierType(WSSecBase secBase, AbstractTokenWrapper wrapper, AbstractToken token) {
+    public void setKeyIdentifierType(WSSecBase secBase, AbstractToken token) {
         boolean tokenTypeSet = false;
         
         if (token instanceof X509Token) {
@@ -1525,7 +1523,6 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         }
         
         assertPolicy(token);
-        assertPolicy(wrapper);
         
         if (!tokenTypeSet) {
             boolean requestor = isRequestor();
@@ -1552,7 +1549,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         }
     }
     
-    public String setEncryptionUser(WSSecEncryptedKey encrKeyBuilder, AbstractTokenWrapper token,
+    public String setEncryptionUser(WSSecEncryptedKey encrKeyBuilder, AbstractToken token,
                                   boolean sign, Crypto crypto) {
         // Check for prepared certificate property
         X509Certificate encrCert = 
@@ -1683,13 +1680,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     }
     
     protected WSSecSignature getSignatureBuilder(
-        AbstractTokenWrapper wrapper, AbstractToken token, boolean endorse
-    ) throws WSSecurityException {
-        return getSignatureBuilder(wrapper, token, false, endorse);
-    }
-    
-    protected WSSecSignature getSignatureBuilder(
-        AbstractTokenWrapper wrapper, AbstractToken token, boolean attached, boolean endorse
+        AbstractToken token, boolean attached, boolean endorse
     ) throws WSSecurityException {
         WSSecSignature sig = new WSSecSignature();
         sig.setIdAllocator(wssConfig.getIdAllocator());
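Review bot: With this signature change `getSignatureBuilder` no longer sees the wrapper, and the next hunk (L191) drops the `assertPolicy(wrapper)` it used to perform for IssuedToken/SamlToken, as L159 does for `setKeyIdentifierType`; asserting the wrapper is now every caller's responsibility. The updated call sites in AbstractBindingBuilder (L64, L74) and TransportBindingHandler (L476, L495) add that assert, but the two AsymmetricBindingHandler call sites (L323, L332) add none in their hunks — the wrapper may be asserted elsewhere in that method, which is outside the hunks, but it is worth confirming, because an unasserted wrapper is exactly the state that surfaces as the policy exception this commit is fixing. A Javadoc line on the method would pin the contract: `Callers must assert the enclosing token wrapper themselves; this method asserts only the token.` The method body continues past the hunk.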
@@ -1698,7 +1689,6 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         checkForX509PkiPath(sig, token);
         if (token instanceof IssuedToken || token instanceof SamlToken) {
             assertPolicy(token);
-            assertPolicy(wrapper);
             SecurityToken securityToken = getSecurityToken();
             String tokenType = securityToken.getTokenType();
             
@@ -1746,7 +1736,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             
             sig.setCustomTokenId(sigTokId);
         } else {
-            setKeyIdentifierType(sig, wrapper, token);
+            setKeyIdentifierType(sig, token);
             // Find out do we also need to include the token as per the Inclusion requirement
             if (token instanceof X509Token 
                 && token.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER
@@ -1764,13 +1754,12 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             userNameKey = SecurityConstants.ENCRYPT_USERNAME;
         }
 
-        Crypto crypto = encryptCrypto ? getEncryptionCrypto(wrapper) 
-            : getSignatureCrypto(wrapper);
+        Crypto crypto = encryptCrypto ? getEncryptionCrypto() : getSignatureCrypto();
         
         if (endorse && crypto == null && binding instanceof SymmetricBinding) {
             type = "encryption";
             userNameKey = SecurityConstants.ENCRYPT_USERNAME;
-            crypto = getEncryptionCrypto(wrapper);
+            crypto = getEncryptionCrypto();
         }
         
         if (!endorse) {
@@ -2033,7 +2022,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         sig.setSecretKey(tok.getSecret());
         sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
         sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
-        sig.prepare(doc, getSignatureCrypto(null), secHeader);
+        sig.prepare(doc, getSignatureCrypto(), secHeader);
 
         sig.getParts().addAll(sigParts);
         List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);

http://git-wip-us.apache.org/repos/asf/cxf/blob/aaad96fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
index 9483fff..8ed0bc1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
@@ -60,7 +60,6 @@ import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
 import org.apache.wss4j.policy.model.AbstractBinding;
 import org.apache.wss4j.policy.model.AbstractToken;
-import org.apache.wss4j.policy.model.AbstractTokenWrapper;
 import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
 import org.apache.wss4j.policy.model.Attachments;
 import org.apache.wss4j.policy.model.ContentEncryptedElements;
@@ -499,7 +498,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
     }
 
     protected void configureSignature(
-        AbstractTokenWrapper wrapper, AbstractToken token, boolean attached
+        AbstractToken token, boolean attached
     ) throws WSSecurityException {
         
         if (token instanceof X509Token) {
@@ -511,7 +510,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
             }
         }
         
-        properties.setSignatureKeyIdentifier(getKeyIdentifierType(wrapper, token));
+        properties.setSignatureKeyIdentifier(getKeyIdentifierType(token));
 
         // Find out do we also need to include the token as per the Inclusion requirement
         WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getSignatureKeyIdentifier();
@@ -552,7 +551,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
     }
     
     protected WSSecurityTokenConstants.KeyIdentifier getKeyIdentifierType(
-        AbstractTokenWrapper wrapper, AbstractToken token
+        AbstractToken token
     ) {
         WSSecurityTokenConstants.KeyIdentifier identifier = null;
         if (token instanceof X509Token) {
@@ -669,7 +668,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
                 }
             } else if (token instanceof X509Token || token instanceof KeyValueToken) {
                 assertToken(token);
-                configureSignature(suppTokens, token, false);
+                configureSignature(token, false);
                 if (suppTokens.isEncryptedToken()) {
                     SecurePart part = 
                         new SecurePart(WSSConstants.TAG_wsse_BinarySecurityToken, Modifier.Element);
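Review bot: After `configureSignature(token, false)` this branch asserts only the token via `assertToken(token)`, whereas the DOM counterpart in AbstractBindingBuilder adds `assertPolicy(suppTokens);` right after its equivalent `getSignatureBuilder` call (L64, L74). If the wrapper was previously asserted inside `getKeyIdentifierType(wrapper, token)` — its body is outside this hunk — then `suppTokens` may now be left unasserted on the StAX path for X509/KeyValue supporting tokens. If it is asserted elsewhere, a short comment saying where would keep the DOM and StAX handlers from drifting apart. The enclosing method starts and ends outside the hunk.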

http://git-wip-us.apache.org/repos/asf/cxf/blob/aaad96fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index efc03b4..6406974 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -487,7 +487,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                     encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
                     
                     encr.setDocument(saaj.getSOAPPart());
-                    Crypto crypto = getEncryptionCrypto(recToken);
+                    Crypto crypto = getEncryptionCrypto();
                     
                     SecurityToken securityToken = getSecurityToken();
                     if (!isRequestor() && securityToken != null 
@@ -504,10 +504,10 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                             encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                             encr.setCustomEKTokenId(securityToken.getId());
                         } else {
-                            setKeyIdentifierType(encr, recToken, encrToken);
+                            setKeyIdentifierType(encr, encrToken);
                         }
                     } else {
-                        setKeyIdentifierType(encr, recToken, encrToken);
+                        setKeyIdentifierType(encr, encrToken);
                     }
                     //
                     // Using a stored cert is only suitable for the Issued Token case, where
@@ -517,7 +517,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                         && securityToken.getX509Certificate() != null) {
                         encr.setUseThisCert(securityToken.getX509Certificate());
                     } else {
-                        setEncryptionUser(encr, recToken, false, crypto);
+                        setEncryptionUser(encr, encrToken, false, crypto);
                     }
                     if (!encr.isCertSet() && crypto == null) {
                         unassertPolicy(recToken, "Missing security configuration. "
@@ -609,7 +609,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
         if (sigParts.isEmpty()) {
             // Add the BST to the security header if required
             if (!attached && isTokenRequired(sigToken.getIncludeTokenType())) {
-                WSSecSignature sig = getSignatureBuilder(wrapper, sigToken, attached, false);
+                WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
                 sig.appendBSTElementToHeader(secHeader);
             } 
             return;
@@ -676,7 +676,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                 throw new Fault(ex);
             }
         } else {
-            WSSecSignature sig = getSignatureBuilder(wrapper, sigToken, attached, false);
+            WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
                       
             // This action must occur before sig.prependBSTElementToHeader
             if (abinding.isProtectTokens()) {
@@ -750,7 +750,8 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
     private void createEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken token)
         throws WSSecurityException {
         //Set up the encrypted key to use
-        encrKey = this.getEncryptedKeyBuilder(wrapper, token);
+        encrKey = this.getEncryptedKeyBuilder(token);
+        assertPolicy(wrapper);
         Element bstElem = encrKey.getBinarySecurityTokenElement();
         if (bstElem != null) {
             // If a BST is available then use it

http://git-wip-us.apache.org/repos/asf/cxf/blob/aaad96fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
index 43af2fb..ab4537e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
@@ -358,7 +358,7 @@ public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler {
             properties.addAction(actionToPerform);
             
             properties.getEncryptionSecureParts().addAll(encrParts);
-            properties.setEncryptionKeyIdentifier(getKeyIdentifierType(recToken, encrToken));
+            properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken));
             
             // Find out do we also need to include the token as per the Inclusion requirement
             WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getEncryptionKeyIdentifier();
@@ -427,7 +427,7 @@ public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler {
         properties.getSignatureSecureParts().addAll(sigParts);
         
         AbstractToken sigToken = wrapper.getToken();
-        configureSignature(wrapper, sigToken, false);
+        configureSignature(sigToken, false);
         
         if (abinding.isProtectTokens() && (sigToken instanceof X509Token)
             && sigToken.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/aaad96fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
index 39c60e3..6b4e5c9 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
@@ -424,7 +424,7 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler {
             properties.addAction(actionToPerform);
 
             if (isRequestor()) {
-                properties.setEncryptionKeyIdentifier(getKeyIdentifierType(recToken, encrToken));
+                properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken));
                 properties.setDerivedKeyKeyIdentifier(
                     WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference);
             } else if (recToken.getToken() instanceof KerberosToken && !isRequestor()) {
@@ -540,7 +540,7 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler {
             properties.addSignaturePart(securePart);
         }
         
-        configureSignature(wrapper, sigToken, false);
+        configureSignature(sigToken, false);
         
         if (policyToken instanceof X509Token) {
             properties.setIncludeSignatureToken(false);

http://git-wip-us.apache.org/repos/asf/cxf/blob/aaad96fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
index 5983b91..21be9d0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
@@ -349,7 +349,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
         } else if (token instanceof KerberosToken) {
             WSSSecurityProperties properties = getProperties();
             properties.addAction(WSSConstants.SIGNATURE);
-            configureSignature(wrapper, token, false);
+            configureSignature(token, false);
             
             addKerberosToken((KerberosToken)token, false, true, false);
             signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
@@ -376,7 +376,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
         }
         properties.addAction(actionToPerform);
         
-        configureSignature(wrapper, token, false);
+        configureSignature(token, false);
         if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
             properties.setSignatureAlgorithm(
                    tbinding.getAlgorithmSuite().getSymmetricSignature());

http://git-wip-us.apache.org/repos/asf/cxf/blob/aaad96fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index e16a550..64f6d5e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -541,10 +541,10 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                     }
                     encr.setEncKeyId(encrTokId);
                     encr.setEphemeralKey(encrTok.getSecret());
-                    Crypto crypto = getEncryptionCrypto(recToken);
+                    Crypto crypto = getEncryptionCrypto();
                     if (crypto != null) {
                         this.message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
-                        setEncryptionUser(encr, recToken, false, crypto);
+                        setEncryptionUser(encr, encrToken, false, crypto);
                     }
                     
                     encr.setDocument(saaj.getSOAPPart());
@@ -845,9 +845,9 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             sig.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
             Crypto crypto = null;
             if (sbinding.getProtectionToken() != null) {
-                crypto = getEncryptionCrypto(sbinding.getProtectionToken());
+                crypto = getEncryptionCrypto();
             } else {
-                crypto = getSignatureCrypto(policyAbstractTokenWrapper);
+                crypto = getSignatureCrypto();
             }
             this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
             sig.prepare(saaj.getSOAPPart(), crypto, secHeader);
@@ -868,7 +868,8 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
     }
 
     private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken) throws WSSecurityException {
-        WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(wrapper, sigToken);
+        WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken);
+        assertPolicy(wrapper);
         String id = encrKey.getId();
         byte[] secret = encrKey.getEphemeralKey();
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/aaad96fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
index 6d7f9ac..34e2c56 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
@@ -350,7 +350,8 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
         
         if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
-            WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(wrapper, token);
+            WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token);
+            assertPolicy(wrapper);
             
             Element bstElem = encrKey.getBinarySecurityTokenElement();
             if (bstElem != null) {
@@ -361,7 +362,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             WSSecDKSign dkSig = new WSSecDKSign();
             dkSig.setIdAllocator(wssConfig.getIdAllocator());
             dkSig.setCallbackLookup(callbackLookup);
-            if (wrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
+            if (token.getVersion() == SPConstants.SPVersion.SP11) {
                 dkSig.setWscVersion(ConversationConstants.VERSION_05_02);
             }
             
@@ -383,7 +384,8 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             
             return dkSig.getSignatureValue();
         } else {
-            WSSecSignature sig = getSignatureBuilder(wrapper, token, false);
+            WSSecSignature sig = getSignatureBuilder(token, false, false);
+            assertPolicy(wrapper);
             if (sig != null) {
                 sig.prependBSTElementToHeader(secHeader);
             
@@ -553,7 +555,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
 
             crypto = secTok.getCrypto();
             if (crypto == null) {
-                crypto = getSignatureCrypto(wrapper);
+                crypto = getSignatureCrypto();
             }
             if (crypto == null) {
                 LOG.fine("No signature Crypto properties are available");
@@ -575,7 +577,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             sig.setUserInfo(uname, password);
             sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
         } else {
-            crypto = getSignatureCrypto(wrapper);
+            crypto = getSignatureCrypto();
             sig.setSecretKey(secTok.getSecret());
             sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/aaad96fd/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
index ba23de9..6a91247 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
@@ -378,10 +378,13 @@ public class TransportBindingTest extends AbstractBusClientServerTestBase {
         bus.shutdown(true);
     }
     
-    // TODO Not supported for now
     @org.junit.Test
-    @org.junit.Ignore
     public void testSAML2EndorsingX509() throws Exception {
+        
+        // Only works for DOM (clients)
+        if (test.isStreaming()) {
+            return;
+        }
 
         SpringBusFactory bf = new SpringBusFactory();
         URL busFile = TransportBindingTest.class.getResource("cxf-client.xml");
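Review bot: The early `return` when `test.isStreaming()` makes the StAX variant of `testSAML2EndorsingX509` report as passed even though nothing was exercised, so a later regression in the streaming client would be invisible and the `// Only works for DOM (clients)` comment is the only hint. JUnit 4 is already in use here (`@org.junit.Test`), so replacing the `if` block with `org.junit.Assume.assumeTrue(!test.isStreaming());` records the case as skipped in the report instead of silently green. The method body continues past the hunk.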

http://git-wip-us.apache.org/repos/asf/cxf/blob/aaad96fd/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
index d08b102..fe0e803 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
@@ -349,10 +349,9 @@
                                 </wsaw:Metadata>
                             </sp:Issuer>
                         </sp:IssuedToken>
-                        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                             <wsp:Policy>
                                 <sp:WssX509V3Token10/>
-                                <sp:RequireIssuerSerialReference/>
                             </wsp:Policy>
                         </sp:X509Token>
                     </wsp:Policy>
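Review bot: The test policy now sends the X509 token in the message (`AlwaysToRecipient`) and drops `sp:RequireIssuerSerialReference`, which changes what the endorsing signature references and therefore what this test covers, but neither the commit message nor the WSDL says why the `IncludeToken/Never` plus issuer-serial variant was abandoned. If that variant is the case the fix for CXF-6327 does not yet handle, a comment beside the token would keep that from being lost, e.g. `<!-- Token sent AlwaysToRecipient; the IncludeToken/Never + RequireIssuerSerialReference form is not covered here (CXF-6327) -->`. If the old form is expected to work, keeping a second port with the original policy would preserve that coverage rather than silently narrowing the test.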

http://git-wip-us.apache.org/repos/asf/cxf/blob/aaad96fd/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml
index a5dbcc4..3fbf5a2 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml
@@ -48,7 +48,8 @@
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportsaml2x509" implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportSAML2X509EndorsingPort" serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.Server}/doubleit/services/doubleittransportsaml2x509endorsing" wsdlLocation="org/apache/cxf/systest/sts/transport/DoubleIt.wsdl">
         <jaxws:properties>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
-            <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/>
+            <entry key="ws-security.signature.properties" value="stsKeystore.properties"/>
+            <entry key="ws-security.enable.timestamp.cache" value="false"/>
         </jaxws:properties>
     </jaxws:endpoint>
     <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
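Review bot: `ws-security.enable.timestamp.cache` set to `false` turns off the service-side replay cache for Timestamps on this endpoint, and the hunk gives no reason; the same line is added to cxf-stax-service.xml further down. A disabled replay cache is exactly the kind of setting that gets copied from a test config into a production one, so it should carry a comment, e.g. `<!-- timestamp replay cache disabled for this test only: [reason] -->`. The switch of `ws-security.signature.properties` from serviceKeystore.properties to stsKeystore.properties is likewise unexplained; presumably the service needs the STS keystore to verify the endorsing X509 signature on this port, but that should be confirmed and stated in the commit message or a comment, since it changes which keys the service trusts for signature verification.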

http://git-wip-us.apache.org/repos/asf/cxf/blob/aaad96fd/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml
index f9d7a0c..6aa03e8 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml
@@ -51,9 +51,10 @@
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportsaml2x509endorsing" implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportSAML2X509EndorsingPort" serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.StaxServer}/doubleit/services/doubleittransportsaml2x509endorsing" wsdlLocation="org/apache/cxf/systest/sts/transport/DoubleIt.wsdl">
         <jaxws:properties>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
-            <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/>
+            <entry key="ws-security.signature.properties" value="stsKeystore.properties"/>
             <entry key="ws-security.is-bsp-compliant" value="false"/>
             <entry key="ws-security.enable.streaming" value="true"/>
+            <entry key="ws-security.enable.timestamp.cache" value="false"/>
         </jaxws:properties>
     </jaxws:endpoint>
     <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">