You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2014/07/03 18:34:45 UTC
svn commit: r1607692 [1/2] - in
/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax:
./ assertionStates/
Author: coheigea
Date: Thu Jul 3 16:34:44 2014
New Revision: 1607692
URL: http://svn.apache.org/r1607692
Log:
Introducing a new PolicyAsserter interface to allow third-party SOAP stacks to assert policies directly
Added:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/DummyPolicyAsserter.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyAsserter.java
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/AlgorithmSuiteAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ContentEncryptedElementsAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedElementsAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedPartsAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IncludeTimeStampAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KeyValueTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ProtectionOrderAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RelTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RequiredElementsAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RequiredPartsAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SamlTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SecureConversationTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SecurityContextTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureConfirmationAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureProtectionAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignedElementsAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignedPartsAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/UsernameTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/X509TokenAssertionState.java
Added: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/DummyPolicyAsserter.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/DummyPolicyAsserter.java?rev=1607692&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/DummyPolicyAsserter.java (added)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/DummyPolicyAsserter.java Thu Jul 3 16:34:44 2014
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.wss4j.policy.stax;
+
+import javax.xml.namespace.QName;
+
+import org.apache.neethi.Assertion;
+
+/**
+ * A dummy policy asserter
+ */
+public class DummyPolicyAsserter implements PolicyAsserter {
+
+ public void assertPolicy(Assertion assertion) {
+ // Do nothing
+ }
+
+ public void unassertPolicy(Assertion assertion, String reason) {
+ // Do nothing
+ }
+
+ public void assertPolicy(QName qName) {
+ // Do nothing
+ }
+
+ public void unassertPolicy(QName qName, String reason) {
+ // Do nothing
+ }
+
+}
Added: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyAsserter.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyAsserter.java?rev=1607692&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyAsserter.java (added)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyAsserter.java Thu Jul 3 16:34:44 2014
@@ -0,0 +1,38 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.wss4j.policy.stax;
+
+import javax.xml.namespace.QName;
+
+import org.apache.neethi.Assertion;
+
+/**
+ * A interface that can be used to tell a third-part SOAP stack (e.g. Apache CXF) that WSS4J will
+ * take care of asserting a certain policy, and thus can be marked as "asserted".
+ */
+public interface PolicyAsserter {
+
+ void assertPolicy(Assertion assertion);
+
+ void unassertPolicy(Assertion assertion, String reason);
+
+ void assertPolicy(QName qName);
+
+ void unassertPolicy(QName qName, String reason);
+}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java Thu Jul 3 16:34:44 2014
@@ -51,6 +51,7 @@ import org.apache.wss4j.policy.model.Htt
import org.apache.wss4j.policy.model.IssuedToken;
import org.apache.wss4j.policy.model.KerberosToken;
import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.Layout;
import org.apache.wss4j.policy.model.RelToken;
import org.apache.wss4j.policy.model.RequiredElements;
import org.apache.wss4j.policy.model.RequiredParts;
@@ -62,6 +63,7 @@ import org.apache.wss4j.policy.model.Sig
import org.apache.wss4j.policy.model.SpnegoContextToken;
import org.apache.wss4j.policy.model.SupportingTokens;
import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.Wss10;
import org.apache.wss4j.policy.model.X509Token;
import org.apache.wss4j.policy.model.Wss11;
import org.apache.wss4j.policy.stax.assertionStates.AlgorithmSuiteAssertionState;
@@ -133,15 +135,27 @@ public class PolicyEnforcer implements S
private int attachmentCount;
private boolean noSecurityHeader;
private boolean faultOccurred;
-
+ private final PolicyAsserter policyAsserter;
+
public PolicyEnforcer(List<OperationPolicy> operationPolicies, String soapAction, boolean initiator,
String actorOrRole, int attachmentCount) throws WSSPolicyException {
+ this(operationPolicies, soapAction, initiator, actorOrRole, attachmentCount, null);
+ }
+
+ public PolicyEnforcer(List<OperationPolicy> operationPolicies, String soapAction, boolean initiator,
+ String actorOrRole, int attachmentCount, PolicyAsserter policyAsserter) throws WSSPolicyException {
this.operationPolicies = operationPolicies;
this.initiator = initiator;
this.actorOrRole = actorOrRole;
this.attachmentCount = attachmentCount;
assertionStateMap = new LinkedList<Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>>();
failedAssertionStateMap = new LinkedList<Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>>();
+
+ if (policyAsserter == null) {
+ this.policyAsserter = new DummyPolicyAsserter();
+ } else {
+ this.policyAsserter = policyAsserter;
+ }
if (soapAction != null && !soapAction.isEmpty()) {
effectivePolicy = findPolicyBySOAPAction(operationPolicies, soapAction);
@@ -256,120 +270,157 @@ public class PolicyEnforcer implements S
protected List<Assertable> getAssertableForAssertion(AbstractSecurityAssertion abstractSecurityAssertion) throws WSSPolicyException {
List<Assertable> assertableList = new LinkedList<Assertable>();
+ boolean tokenRequired = true;
if (abstractSecurityAssertion instanceof AbstractToken) {
// Don't return a Token that is not required
SPConstants.IncludeTokenType includeTokenType =
((AbstractToken)abstractSecurityAssertion).getIncludeTokenType();
if (includeTokenType == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
- return assertableList;
+ tokenRequired = false;
} else if (initiator && includeTokenType == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT) {
- return assertableList;
+ tokenRequired = false;
} else if (initiator && includeTokenType == IncludeTokenType.INCLUDE_TOKEN_ONCE) {
- return assertableList;
+ tokenRequired = false;
} else if (!initiator && includeTokenType == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR) {
- return assertableList;
+ tokenRequired = false;
}
}
if (abstractSecurityAssertion instanceof ContentEncryptedElements) {
//initialized with asserted=true because it could be that parent elements are encrypted and therefore these element are also encrypted
//the test if it is really encrypted is done via the PolicyInputProcessor which emits EncryptedElementEvents for unencrypted elements with the unencrypted flag
- assertableList.add(new ContentEncryptedElementsAssertionState(abstractSecurityAssertion, true));
+ assertableList.add(new ContentEncryptedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true));
} else if (abstractSecurityAssertion instanceof EncryptedParts) {
//initialized with asserted=true with the same reason as by the EncryptedParts above
- assertableList.add(new EncryptedPartsAssertionState(abstractSecurityAssertion, true, attachmentCount));
+ assertableList.add(new EncryptedPartsAssertionState(abstractSecurityAssertion, policyAsserter, true, attachmentCount));
} else if (abstractSecurityAssertion instanceof EncryptedElements) {
//initialized with asserted=true with the same reason as by the EncryptedParts above
- assertableList.add(new EncryptedElementsAssertionState(abstractSecurityAssertion, true));
+ assertableList.add(new EncryptedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true));
} else if (abstractSecurityAssertion instanceof SignedParts) {
//initialized with asserted=true because it could be that parent elements are signed and therefore these element are also signed
//the test if it is really signed is done via the PolicyInputProcessor which emits SignedElementEvents for unsigned elements with the unsigned flag
- assertableList.add(new SignedPartsAssertionState(abstractSecurityAssertion, true, attachmentCount));
+ assertableList.add(new SignedPartsAssertionState(abstractSecurityAssertion, policyAsserter, true, attachmentCount));
} else if (abstractSecurityAssertion instanceof SignedElements) {
//initialized with asserted=true with the same reason as by the SignedParts above
- assertableList.add(new SignedElementsAssertionState(abstractSecurityAssertion, true));
+ assertableList.add(new SignedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true));
} else if (abstractSecurityAssertion instanceof RequiredElements) {
- assertableList.add(new RequiredElementsAssertionState(abstractSecurityAssertion, false));
+ assertableList.add(new RequiredElementsAssertionState(abstractSecurityAssertion, policyAsserter, false));
} else if (abstractSecurityAssertion instanceof RequiredParts) {
- assertableList.add(new RequiredPartsAssertionState(abstractSecurityAssertion, false));
+ assertableList.add(new RequiredPartsAssertionState(abstractSecurityAssertion, policyAsserter, false));
} else if (abstractSecurityAssertion instanceof UsernameToken) {
- assertableList.add(new UsernameTokenAssertionState(abstractSecurityAssertion, false, initiator));
+ assertableList.add(new UsernameTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof IssuedToken) {
- assertableList.add(new IssuedTokenAssertionState(abstractSecurityAssertion, false, initiator));
+ assertableList.add(new IssuedTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof X509Token) {
- assertableList.add(new X509TokenAssertionState(abstractSecurityAssertion, false, initiator));
+ assertableList.add(new X509TokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof KerberosToken) {
- assertableList.add(new KerberosTokenAssertionState(abstractSecurityAssertion, false, initiator));
+ assertableList.add(new KerberosTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof SpnegoContextToken) {
- assertableList.add(new SpnegoContextTokenAssertionState(abstractSecurityAssertion, false, initiator));
+ assertableList.add(new SpnegoContextTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof SecureConversationToken) {
- assertableList.add(new SecureConversationTokenAssertionState(abstractSecurityAssertion, false, initiator));
+ assertableList.add(new SecureConversationTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof SecurityContextToken) {
- assertableList.add(new SecurityContextTokenAssertionState(abstractSecurityAssertion, false, initiator));
+ assertableList.add(new SecurityContextTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof SamlToken) {
- assertableList.add(new SamlTokenAssertionState(abstractSecurityAssertion, false, initiator));
+ assertableList.add(new SamlTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof RelToken) {
- assertableList.add(new RelTokenAssertionState(abstractSecurityAssertion, false, initiator));
+ assertableList.add(new RelTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof HttpsToken && !initiator) {
- assertableList.add(new HttpsTokenAssertionState(abstractSecurityAssertion, false, initiator));
+ assertableList.add(new HttpsTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof KeyValueToken) {
- assertableList.add(new KeyValueTokenAssertionState(abstractSecurityAssertion, false, initiator));
+ assertableList.add(new KeyValueTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof AlgorithmSuite) {
//initialized with asserted=true because we do negative matching
- assertableList.add(new AlgorithmSuiteAssertionState(abstractSecurityAssertion, true));
+ assertableList.add(new AlgorithmSuiteAssertionState(abstractSecurityAssertion, policyAsserter, true));
} /*else if (abstractSecurityAssertion instanceof AsymmetricBinding) {
} else if (abstractSecurityAssertion instanceof SymmetricBinding) {
} else if (abstractSecurityAssertion instanceof TransportBinding) {
- } else if (abstractSecurityAssertion instanceof Layout) {
- assertableList.add(new LayoutAssertionState(abstractSecurityAssertion, true));
- }*/
-
+ } */ else if (abstractSecurityAssertion instanceof Layout) {
+ //assertableList.add(new LayoutAssertionState(abstractSecurityAssertion, true));
+ String namespace = abstractSecurityAssertion.getName().getNamespaceURI();
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_LAX));
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST));
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST));
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_STRICT));
+ policyAsserter.assertPolicy(abstractSecurityAssertion);
+ }
else if (abstractSecurityAssertion instanceof AbstractBinding) {
+ policyAsserter.assertPolicy(abstractSecurityAssertion);
AbstractBinding abstractBinding = (AbstractBinding) abstractSecurityAssertion;
if (abstractBinding instanceof AbstractSymmetricAsymmetricBinding) {
AbstractSymmetricAsymmetricBinding abstractSymmetricAsymmetricBinding = (AbstractSymmetricAsymmetricBinding) abstractSecurityAssertion;
- assertableList.add(new ProtectionOrderAssertionState(abstractSymmetricAsymmetricBinding, true));
- assertableList.add(new SignatureProtectionAssertionState(abstractSymmetricAsymmetricBinding, true));
+ assertableList.add(new ProtectionOrderAssertionState(abstractSymmetricAsymmetricBinding, policyAsserter, true));
+ assertableList.add(new SignatureProtectionAssertionState(abstractSymmetricAsymmetricBinding, policyAsserter, true));
if (abstractSymmetricAsymmetricBinding.isOnlySignEntireHeadersAndBody()) {
//initialized with asserted=true because we do negative matching
- assertableList.add(new OnlySignEntireHeadersAndBodyAssertionState(abstractSecurityAssertion, true, actorOrRole));
+ assertableList.add(new OnlySignEntireHeadersAndBodyAssertionState(abstractSecurityAssertion, policyAsserter, true, actorOrRole));
}
- assertableList.add(new TokenProtectionAssertionState(abstractSecurityAssertion, true));
+ assertableList.add(new TokenProtectionAssertionState(abstractSecurityAssertion, policyAsserter, true));
}
//WSP1.3, 6.2 Timestamp Property
- assertableList.add(new IncludeTimeStampAssertionState(abstractBinding, true));
+ assertableList.add(new IncludeTimeStampAssertionState(abstractBinding, policyAsserter, true));
if (abstractBinding.isIncludeTimestamp()) {
List<QName> timestampElementPath = new LinkedList<QName>();
timestampElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
timestampElementPath.add(WSSConstants.TAG_wsu_Timestamp);
- RequiredElementsAssertionState requiredElementsAssertionState = new RequiredElementsAssertionState(abstractBinding, false);
+ RequiredElementsAssertionState requiredElementsAssertionState =
+ new RequiredElementsAssertionState(abstractBinding, policyAsserter, false);
requiredElementsAssertionState.addElement(timestampElementPath);
assertableList.add(requiredElementsAssertionState);
- SignedElementsAssertionState signedElementsAssertionState = new SignedElementsAssertionState(abstractSecurityAssertion, true);
+ SignedElementsAssertionState signedElementsAssertionState =
+ new SignedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true);
signedElementsAssertionState.addElement(timestampElementPath);
assertableList.add(signedElementsAssertionState);
}
- } else if (abstractSecurityAssertion instanceof Wss11) {
- Wss11 wss11 = (Wss11)abstractSecurityAssertion;
-
- if (initiator) {
- //9 WSS: SOAP Message Security Options [Signature Confirmation]
- assertableList.add(new SignatureConfirmationAssertionState(wss11, true));
+ } else if (abstractSecurityAssertion instanceof Wss10) {
+ Wss10 wss10 = (Wss10)abstractSecurityAssertion;
+ String namespace = wss10.getName().getNamespaceURI();
+ policyAsserter.assertPolicy(abstractSecurityAssertion);
+
+ if (wss10.isMustSupportRefEmbeddedToken()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN));
+ }
+ if (wss10.isMustSupportRefExternalURI()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI));
+ }
+ if (wss10.isMustSupportRefIssuerSerial()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL));
+ }
+ if (wss10.isMustSupportRefKeyIdentifier()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER));
+ }
+
+ if (abstractSecurityAssertion instanceof Wss11) {
+ Wss11 wss11 = (Wss11)abstractSecurityAssertion;
+ if (wss11.isMustSupportRefEncryptedKey()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY));
+ }
+ if (wss11.isMustSupportRefThumbprint()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_THUMBPRINT));
+ }
if (wss11.isRequireSignatureConfirmation()) {
- List<QName> signatureConfirmationElementPath = new LinkedList<QName>();
- signatureConfirmationElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
- signatureConfirmationElementPath.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
- RequiredElementsAssertionState requiredElementsAssertionState = new RequiredElementsAssertionState(wss11, false);
- requiredElementsAssertionState.addElement(signatureConfirmationElementPath);
- assertableList.add(requiredElementsAssertionState);
-
- SignedElementsAssertionState signedElementsAssertionState = new SignedElementsAssertionState(wss11, true);
- signedElementsAssertionState.addElement(signatureConfirmationElementPath);
- assertableList.add(signedElementsAssertionState);
+ assertableList.add(new SignatureConfirmationAssertionState(wss11, policyAsserter, true));
+ if (initiator) {
+ //9 WSS: SOAP Message Security Options [Signature Confirmation]
+ List<QName> signatureConfirmationElementPath = new LinkedList<QName>();
+ signatureConfirmationElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+ signatureConfirmationElementPath.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
+ RequiredElementsAssertionState requiredElementsAssertionState =
+ new RequiredElementsAssertionState(wss11, policyAsserter, false);
+ requiredElementsAssertionState.addElement(signatureConfirmationElementPath);
+ assertableList.add(requiredElementsAssertionState);
+
+ SignedElementsAssertionState signedElementsAssertionState =
+ new SignedElementsAssertionState(wss11, policyAsserter, true);
+ signedElementsAssertionState.addElement(signatureConfirmationElementPath);
+ assertableList.add(signedElementsAssertionState);
+ }
}
}
+ } else {
+ policyAsserter.assertPolicy(abstractSecurityAssertion);
}
return assertableList;
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/AlgorithmSuiteAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/AlgorithmSuiteAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/AlgorithmSuiteAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/AlgorithmSuiteAssertionState.java Thu Jul 3 16:34:44 2014
@@ -18,11 +18,15 @@
*/
package org.apache.wss4j.policy.stax.assertionStates;
+import javax.xml.namespace.QName;
+
import org.apache.wss4j.policy.AssertionState;
import org.apache.wss4j.common.WSSPolicyException;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AlgorithmSuite;
import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
@@ -34,8 +38,25 @@ import org.apache.xml.security.stax.secu
*/
public class AlgorithmSuiteAssertionState extends AssertionState implements Assertable {
- public AlgorithmSuiteAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+ private PolicyAsserter policyAsserter;
+
+ public AlgorithmSuiteAssertionState(AbstractSecurityAssertion assertion,
+ PolicyAsserter policyAsserter,
+ boolean asserted) {
super(assertion, asserted);
+
+ this.policyAsserter = policyAsserter;
+ if (this.policyAsserter == null) {
+ this.policyAsserter = new DummyPolicyAsserter();
+ }
+
+ if (asserted) {
+ AlgorithmSuite algorithmSuite = (AlgorithmSuite) getAssertion();
+ policyAsserter.assertPolicy(getAssertion());
+ String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
+ String name = algorithmSuite.getAlgorithmSuiteType().getName();
+ policyAsserter.assertPolicy(new QName(namespace, name));
+ }
}
@Override
@@ -56,6 +77,7 @@ public class AlgorithmSuiteAssertionStat
&& !algorithmSuite.getSymmetricSignature().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("Symmetric signature algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
if (algorithmSuite.getAlgorithmSuiteType() != null) {
if (!algorithmSuiteSecurityEvent.isDerivedKey()
@@ -63,10 +85,12 @@ public class AlgorithmSuiteAssertionStat
|| algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength() < algorithmSuiteSecurityEvent.getKeyLength())) {
setAsserted(false);
setErrorMessage("Symmetric signature algorithm key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
} else if (algorithmSuiteSecurityEvent.isDerivedKey()
&& algorithmSuite.getAlgorithmSuiteType().getSignatureDerivedKeyLength() != algorithmSuiteSecurityEvent.getKeyLength()) {
setAsserted(false);
setErrorMessage("Symmetric signature algorithm derived key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
}
} else if (WSSConstants.Asym_Sig.equals(keyUsage)) {
@@ -74,24 +98,28 @@ public class AlgorithmSuiteAssertionStat
&& !algorithmSuite.getAsymmetricSignature().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("Asymmetric algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
if (algorithmSuite.getAlgorithmSuiteType() != null
&& (algorithmSuite.getAlgorithmSuiteType().getMinimumAsymmetricKeyLength() > algorithmSuiteSecurityEvent.getKeyLength()
|| algorithmSuite.getAlgorithmSuiteType().getMaximumAsymmetricKeyLength() < algorithmSuiteSecurityEvent.getKeyLength())) {
setAsserted(false);
setErrorMessage("Asymmetric signature algorithm key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
} else if (WSSConstants.SigDig.equals(keyUsage)) {
if (algorithmSuite.getAlgorithmSuiteType() != null
&& !algorithmSuite.getAlgorithmSuiteType().getDigest().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("Digest algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
} else if (WSSConstants.Enc.equals(keyUsage)) {
if (algorithmSuite.getAlgorithmSuiteType() != null
&& !algorithmSuite.getAlgorithmSuiteType().getEncryption().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("Encryption algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
if (algorithmSuite.getAlgorithmSuiteType() != null) {
if (!algorithmSuiteSecurityEvent.isDerivedKey()
@@ -99,10 +127,12 @@ public class AlgorithmSuiteAssertionStat
|| algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength() < algorithmSuiteSecurityEvent.getKeyLength())) {
setAsserted(false);
setErrorMessage("Symmetric encryption algorithm key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
} else if (algorithmSuiteSecurityEvent.isDerivedKey()
&& algorithmSuite.getAlgorithmSuiteType().getEncryptionDerivedKeyLength() != algorithmSuiteSecurityEvent.getKeyLength()) {
setAsserted(false);
setErrorMessage("Symmetric encryption algorithm derived key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
}
} else if (WSSConstants.Sym_Key_Wrap.equals(keyUsage)) {
@@ -110,48 +140,56 @@ public class AlgorithmSuiteAssertionStat
&& !algorithmSuite.getAlgorithmSuiteType().getSymmetricKeyWrap().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("Symmetric key wrap algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
if (algorithmSuite.getAlgorithmSuiteType() != null
&& (algorithmSuite.getAlgorithmSuiteType().getMinimumSymmetricKeyLength() > algorithmSuiteSecurityEvent.getKeyLength()
|| algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength() < algorithmSuiteSecurityEvent.getKeyLength())) {
setAsserted(false);
setErrorMessage("Symmetric key wrap algorithm key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
} else if (WSSConstants.Asym_Key_Wrap.equals(keyUsage)) {
if (algorithmSuite.getAlgorithmSuiteType() != null
&& !algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("Asymmetric key wrap algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
if (algorithmSuite.getAlgorithmSuiteType() != null
&& (algorithmSuite.getAlgorithmSuiteType().getMinimumAsymmetricKeyLength() > algorithmSuiteSecurityEvent.getKeyLength()
|| algorithmSuite.getAlgorithmSuiteType().getMaximumAsymmetricKeyLength() < algorithmSuiteSecurityEvent.getKeyLength())) {
setAsserted(false);
setErrorMessage("Asymmetric key wrap algorithm key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
} else if (WSSConstants.Comp_Key.equals(keyUsage)) {
if (algorithmSuite.getComputedKey() != null
&& !algorithmSuite.getComputedKey().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("Computed key algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
} else if (WSSConstants.Enc_KD.equals(keyUsage)) {
if (algorithmSuite.getAlgorithmSuiteType() != null
&& !algorithmSuite.getAlgorithmSuiteType().getEncryptionKeyDerivation().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("Encryption key derivation algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
} else if (WSSConstants.Sig_KD.equals(keyUsage)) {
if (algorithmSuite.getAlgorithmSuiteType() != null
&& !algorithmSuite.getAlgorithmSuiteType().getSignatureKeyDerivation().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("Signature key derivation algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
} else if (WSSConstants.SigC14n.equals(keyUsage)) {
if (algorithmSuite.getC14n() != null
&& !algorithmSuite.getC14n().getValue().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("C14N algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
} else if (WSSConstants.SigTransform.equals(keyUsage)) {
if (algorithmSuite.getC14n() != null
@@ -161,25 +199,37 @@ public class AlgorithmSuiteAssertionStat
&& !WSSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS.equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("Transform C14N algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
} else if (WSSConstants.Soap_Norm.equals(keyUsage)) {
if (algorithmSuite.getSoapNormType() != null
&& !algorithmSuite.getSoapNormType().getValue().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("Soap normalization algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
} else if (WSSConstants.STR_Trans.equals(keyUsage)) {
if (algorithmSuite.getStrType() != null
&& !algorithmSuite.getStrType().getValue().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("STR transformation algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
}
} else if (WSSConstants.XPath.equals(keyUsage) &&
algorithmSuite.getXPathType() != null &&
!algorithmSuite.getXPathType().getValue().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
setAsserted(false);
setErrorMessage("XPath algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
+ }
+
+ if (isAsserted()) {
+ policyAsserter.assertPolicy(getAssertion());
+ String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
+ String name = algorithmSuite.getAlgorithmSuiteType().getName();
+ policyAsserter.assertPolicy(new QName(namespace, name));
}
+
return isAsserted();
}
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ContentEncryptedElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ContentEncryptedElementsAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ContentEncryptedElementsAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ContentEncryptedElementsAssertionState.java Thu Jul 3 16:34:44 2014
@@ -27,11 +27,14 @@ import org.apache.xml.security.stax.secu
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.policy.stax.PolicyUtils;
import org.apache.wss4j.stax.ext.WSSUtils;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import javax.xml.namespace.QName;
+
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
@@ -42,8 +45,11 @@ import java.util.List;
public class ContentEncryptedElementsAssertionState extends AssertionState implements Assertable {
private final List<List<QName>> pathElements = new ArrayList<List<QName>>();
+ private PolicyAsserter policyAsserter;
- public ContentEncryptedElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+ public ContentEncryptedElementsAssertionState(AbstractSecurityAssertion assertion,
+ PolicyAsserter policyAsserter,
+ boolean asserted) {
super(assertion, asserted);
ContentEncryptedElements contentEncryptedElements = (ContentEncryptedElements) assertion;
@@ -52,6 +58,15 @@ public class ContentEncryptedElementsAss
List<QName> elements = PolicyUtils.getElementPath(xPath);
pathElements.add(elements);
}
+
+ this.policyAsserter = policyAsserter;
+ if (this.policyAsserter == null) {
+ this.policyAsserter = new DummyPolicyAsserter();
+ }
+
+ if (asserted) {
+ policyAsserter.assertPolicy(getAssertion());
+ }
}
@Override
@@ -71,16 +86,19 @@ public class ContentEncryptedElementsAss
if (WSSUtils.pathMatches(pathElements, contentEncryptedElementSecurityEvent.getElementPath(), true, false)) {
if (contentEncryptedElementSecurityEvent.isEncrypted()) {
setAsserted(true);
+ policyAsserter.assertPolicy(getAssertion());
return true;
} else {
//an element must be encrypted but isn't
setAsserted(false);
setErrorMessage("Content of element " + WSSUtils.pathAsString(contentEncryptedElementSecurityEvent.getElementPath()) + " must be encrypted");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
return false;
}
}
}
//if we return false here other encrypted elements will trigger a PolicyViolationException
+ policyAsserter.assertPolicy(getAssertion());
return true;
}
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedElementsAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedElementsAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedElementsAssertionState.java Thu Jul 3 16:34:44 2014
@@ -27,6 +27,8 @@ import org.apache.xml.security.stax.secu
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.policy.stax.PolicyUtils;
import org.apache.wss4j.stax.ext.WSSUtils;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
@@ -43,8 +45,11 @@ import java.util.List;
public class EncryptedElementsAssertionState extends AssertionState implements Assertable {
private final List<List<QName>> pathElements = new ArrayList<List<QName>>();
+ private PolicyAsserter policyAsserter;
- public EncryptedElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+ public EncryptedElementsAssertionState(AbstractSecurityAssertion assertion,
+ PolicyAsserter policyAsserter,
+ boolean asserted) {
super(assertion, asserted);
EncryptedElements encryptedElements = (EncryptedElements) assertion;
@@ -53,6 +58,15 @@ public class EncryptedElementsAssertionS
List<QName> elements = PolicyUtils.getElementPath(xPath);
pathElements.add(elements);
}
+
+ this.policyAsserter = policyAsserter;
+ if (this.policyAsserter == null) {
+ this.policyAsserter = new DummyPolicyAsserter();
+ }
+
+ if (asserted) {
+ policyAsserter.assertPolicy(getAssertion());
+ }
}
@Override
@@ -74,16 +88,19 @@ public class EncryptedElementsAssertionS
if (WSSUtils.pathMatches(pathElements, encryptedElementSecurityEvent.getElementPath(), true, false)) {
if (encryptedElementSecurityEvent.isEncrypted()) {
setAsserted(true);
+ policyAsserter.assertPolicy(getAssertion());
return true;
} else {
//an element must be encrypted but isn't
setAsserted(false);
setErrorMessage("Element " + WSSUtils.pathAsString(encryptedElementSecurityEvent.getElementPath()) + " must be encrypted");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
return false;
}
}
}
//if we return false here other encrypted elements will trigger a PolicyViolationException
+ policyAsserter.assertPolicy(getAssertion());
return true;
}
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedPartsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedPartsAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedPartsAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedPartsAssertionState.java Thu Jul 3 16:34:44 2014
@@ -26,6 +26,8 @@ import org.apache.wss4j.policy.model.Hea
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSUtils;
import org.apache.wss4j.stax.securityEvent.EncryptedPartSecurityEvent;
@@ -44,11 +46,23 @@ public class EncryptedPartsAssertionStat
private int attachmentCount;
private int encryptedAttachmentCount;
private boolean encryptedAttachmentRequired;
+ private PolicyAsserter policyAsserter;
public EncryptedPartsAssertionState(
- AbstractSecurityAssertion assertion, boolean asserted, int attachmentCount) {
+ AbstractSecurityAssertion assertion,
+ PolicyAsserter policyAsserter,
+ boolean asserted, int attachmentCount) {
super(assertion, asserted);
this.attachmentCount = attachmentCount;
+
+ this.policyAsserter = policyAsserter;
+ if (this.policyAsserter == null) {
+ this.policyAsserter = new DummyPolicyAsserter();
+ }
+
+ if (asserted) {
+ policyAsserter.assertPolicy(getAssertion());
+ }
}
@Override
@@ -69,6 +83,7 @@ public class EncryptedPartsAssertionStat
if (encryptedPartSecurityEvent.isAttachment()) {
encryptedAttachmentCount++;
setAsserted(true);
+ policyAsserter.assertPolicy(getAssertion());
return true;
}
}
@@ -77,10 +92,12 @@ public class EncryptedPartsAssertionStat
if (encryptedParts.isBody() && WSSUtils.isInSOAPBody(encryptedPartSecurityEvent.getElementPath())) {
if (encryptedPartSecurityEvent.isEncrypted()) {
setAsserted(true);
+ policyAsserter.assertPolicy(getAssertion());
return true;
} else {
setAsserted(false);
setErrorMessage("SOAP-Body must be encrypted");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
return false;
}
}
@@ -96,16 +113,19 @@ public class EncryptedPartsAssertionStat
if (WSSUtils.pathMatches(header11Path, encryptedPartSecurityEvent.getElementPath(), true, header.getName() == null)) {
if (encryptedPartSecurityEvent.isEncrypted()) {
setAsserted(true);
+ policyAsserter.assertPolicy(getAssertion());
return true;
} else {
setAsserted(false);
setErrorMessage("Element " + WSSUtils.pathAsString(encryptedPartSecurityEvent.getElementPath()) + " must be encrypted");
+ policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
return false;
}
}
}
//if we return false here other encrypted elements will trigger a PolicyViolationException
+ policyAsserter.assertPolicy(getAssertion());
return true;
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java Thu Jul 3 16:34:44 2014
@@ -18,10 +18,14 @@
*/
package org.apache.wss4j.policy.stax.assertionStates;
+import javax.xml.namespace.QName;
+
import org.apache.wss4j.common.WSSPolicyException;
+import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.HttpsToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.xml.security.stax.securityToken.SecurityToken;
@@ -34,8 +38,17 @@ import org.apache.wss4j.stax.securityEve
public class HttpsTokenAssertionState extends TokenAssertionState {
- public HttpsTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
- super(assertion, asserted, initiator);
+ public HttpsTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
+ PolicyAsserter policyAsserter, boolean initiator) {
+ super(assertion, asserted, policyAsserter, initiator);
+
+ if (asserted) {
+ HttpsToken token = (HttpsToken) getAssertion();
+ String namespace = token.getName().getNamespaceURI();
+ if (token.getAuthenticationType() != null) {
+ getPolicyAsserter().assertPolicy(new QName(namespace, token.getAuthenticationType().name()));
+ }
+ }
}
@Override
@@ -57,30 +70,44 @@ public class HttpsTokenAssertionState ex
if (httpsToken.getIssuerName() != null && !httpsToken.getIssuerName().equals(httpsTokenSecurityEvent.getIssuerName())) {
setErrorMessage("IssuerName in Policy (" + httpsToken.getIssuerName() + ") didn't match with the one in the HttpsToken (" + httpsTokenSecurityEvent.getIssuerName() + ")");
+ getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
return false;
}
if (httpsToken.getAuthenticationType() != null) {
+ String namespace = getAssertion().getName().getNamespaceURI();
+
switch (httpsToken.getAuthenticationType()) {
case HttpBasicAuthentication:
if (httpsTokenSecurityEvent.getAuthenticationType() != HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication) {
setErrorMessage("Policy enforces HttpBasicAuthentication but we got " + httpsTokenSecurityEvent.getAuthenticationType());
+ getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.HTTP_BASIC_AUTHENTICATION),
+ getErrorMessage());
return false;
}
+ getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.HTTP_BASIC_AUTHENTICATION));
break;
case HttpDigestAuthentication:
if (httpsTokenSecurityEvent.getAuthenticationType() != HttpsTokenSecurityEvent.AuthenticationType.HttpDigestAuthentication) {
setErrorMessage("Policy enforces HttpDigestAuthentication but we got " + httpsTokenSecurityEvent.getAuthenticationType());
+ getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.HTTP_DIGEST_AUTHENTICATION),
+ getErrorMessage());
return false;
}
+ getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.HTTP_DIGEST_AUTHENTICATION));
break;
case RequireClientCertificate:
if (httpsTokenSecurityEvent.getAuthenticationType() != HttpsTokenSecurityEvent.AuthenticationType.HttpsClientCertificateAuthentication) {
setErrorMessage("Policy enforces HttpClientCertificateAuthentication but we got " + httpsTokenSecurityEvent.getAuthenticationType());
+ getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.REQUIRE_CLIENT_CERTIFICATE),
+ getErrorMessage());
return false;
}
+ getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_CLIENT_CERTIFICATE));
break;
}
}
+
+ getPolicyAsserter().assertPolicy(getAssertion());
return true;
}
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IncludeTimeStampAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IncludeTimeStampAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IncludeTimeStampAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IncludeTimeStampAssertionState.java Thu Jul 3 16:34:44 2014
@@ -18,21 +18,39 @@
*/
package org.apache.wss4j.policy.stax.assertionStates;
+import javax.xml.namespace.QName;
+
import org.apache.wss4j.policy.AssertionState;
+import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractBinding;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
/**
* WSP1.3, 6.2 Timestamp Property
*/
public class IncludeTimeStampAssertionState extends AssertionState implements Assertable {
+
+ private PolicyAsserter policyAsserter;
- public IncludeTimeStampAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+ public IncludeTimeStampAssertionState(AbstractSecurityAssertion assertion,
+ PolicyAsserter policyAsserter,
+ boolean asserted) {
super(assertion, asserted);
+ this.policyAsserter = policyAsserter;
+ if (this.policyAsserter == null) {
+ this.policyAsserter = new DummyPolicyAsserter();
+ }
+
+ if (asserted) {
+ String namespace = getAssertion().getName().getNamespaceURI();
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.INCLUDE_TIMESTAMP));
+ }
}
@Override
@@ -47,11 +65,15 @@ public class IncludeTimeStampAssertionSt
// TimestampSecurityEvent timestampSecurityEvent = (TimestampSecurityEvent) securityEvent;
boolean isIncludeTimestamp = ((AbstractBinding) getAssertion()).isIncludeTimestamp();
+ String namespace = getAssertion().getName().getNamespaceURI();
if (isIncludeTimestamp) {
setAsserted(true);
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.INCLUDE_TIMESTAMP));
} else {
setAsserted(false);
setErrorMessage("Timestamp must not be present");
+ policyAsserter.unassertPolicy(new QName(namespace, SPConstants.INCLUDE_TIMESTAMP),
+ getErrorMessage());
}
return isAsserted();
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java Thu Jul 3 16:34:44 2014
@@ -24,6 +24,7 @@ import org.apache.wss4j.common.WSSPolicy
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent;
import org.apache.wss4j.stax.securityEvent.SamlTokenSecurityEvent;
@@ -53,8 +54,9 @@ public class IssuedTokenAssertionState e
private static final String DEFAULT_CLAIMS_NAMESPACE =
"http://schemas.xmlsoap.org/ws/2005/05/identity";
- public IssuedTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
- super(assertion, asserted, initiator);
+ public IssuedTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
+ PolicyAsserter policyAsserter, boolean initiator) {
+ super(assertion, asserted, policyAsserter, initiator);
}
@Override
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java Thu Jul 3 16:34:44 2014
@@ -18,10 +18,14 @@
*/
package org.apache.wss4j.policy.stax.assertionStates;
+import javax.xml.namespace.QName;
+
import org.apache.wss4j.common.WSSPolicyException;
+import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.stax.securityToken.KerberosServiceSecurityToken;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
@@ -36,8 +40,20 @@ import org.apache.wss4j.stax.securityEve
public class KerberosTokenAssertionState extends TokenAssertionState {
- public KerberosTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
- super(assertion, asserted, initiator);
+ public KerberosTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
+ PolicyAsserter policyAsserter, boolean initiator) {
+ super(assertion, asserted, policyAsserter, initiator);
+
+ if (asserted) {
+ KerberosToken token = (KerberosToken) getAssertion();
+ String namespace = token.getName().getNamespaceURI();
+ if (token.isRequireKeyIdentifierReference()) {
+ getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+ }
+ if (token.getApReqTokenType() != null) {
+ getPolicyAsserter().assertPolicy(new QName(namespace, token.getApReqTokenType().name()));
+ }
+ }
}
@Override
@@ -61,31 +77,46 @@ public class KerberosTokenAssertionState
if (kerberosToken.getIssuerName() != null &&
!kerberosToken.getIssuerName().equals(kerberosTokenSecurityEvent.getIssuerName())) {
setErrorMessage("IssuerName in Policy (" + kerberosToken.getIssuerName() + ") didn't match with the one in the IssuedToken (" + kerberosTokenSecurityEvent.getIssuerName() + ")");
+ getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
return false;
}
- if (kerberosToken.isRequireKeyIdentifierReference() &&
- !WSSecurityTokenConstants.KeyIdentifier_EmbeddedKeyIdentifierRef.equals(kerberosServiceSecurityToken.getKeyIdentifier())) {
- setErrorMessage("Policy enforces KeyIdentifierReference but we got " + kerberosServiceSecurityToken.getKeyIdentifier());
- return false;
+
+ String namespace = getAssertion().getName().getNamespaceURI();
+ if (kerberosToken.isRequireKeyIdentifierReference()) {
+ if (!WSSecurityTokenConstants.KeyIdentifier_EmbeddedKeyIdentifierRef.equals(kerberosServiceSecurityToken.getKeyIdentifier())) {
+ setErrorMessage("Policy enforces KeyIdentifierReference but we got " + kerberosServiceSecurityToken.getKeyIdentifier());
+ getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE),
+ getErrorMessage());
+ return false;
+ } else {
+ getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+ }
}
if (kerberosToken.getApReqTokenType() != null) {
switch (kerberosToken.getApReqTokenType()) {
case WssKerberosV5ApReqToken11:
if (!kerberosTokenSecurityEvent.isKerberosV5ApReqToken11()) {
setErrorMessage("Policy enforces " + kerberosToken.getApReqTokenType());
+ getPolicyAsserter().unassertPolicy(new QName(namespace, "WssKerberosV5ApReqToken11"),
+ getErrorMessage());
return false;
}
+ getPolicyAsserter().assertPolicy(new QName(namespace, "WssKerberosV5ApReqToken11"));
break;
case WssGssKerberosV5ApReqToken11:
if (!kerberosTokenSecurityEvent.isGssKerberosV5ApReqToken11()) {
setErrorMessage("Policy enforces " + kerberosToken.getApReqTokenType());
+ getPolicyAsserter().unassertPolicy(new QName(namespace, "WssGssKerberosV5ApReqToken11"),
+ getErrorMessage());
return false;
}
+ getPolicyAsserter().assertPolicy(new QName(namespace, "WssGssKerberosV5ApReqToken11"));
break;
}
}
//always return true to prevent false alarm in case additional tokens with the same usage
//appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+ getPolicyAsserter().assertPolicy(getAssertion());
return true;
}
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KeyValueTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KeyValueTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KeyValueTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KeyValueTokenAssertionState.java Thu Jul 3 16:34:44 2014
@@ -18,10 +18,14 @@
*/
package org.apache.wss4j.policy.stax.assertionStates;
+import javax.xml.namespace.QName;
+
import org.apache.wss4j.common.WSSPolicyException;
+import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.stax.securityToken.RsaKeyValueSecurityToken;
import org.apache.wss4j.stax.securityEvent.KeyValueTokenSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
@@ -35,8 +39,17 @@ import org.apache.wss4j.stax.securityEve
public class KeyValueTokenAssertionState extends TokenAssertionState {
- public KeyValueTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
- super(assertion, asserted, initiator);
+ public KeyValueTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
+ PolicyAsserter policyAsserter, boolean initiator) {
+ super(assertion, asserted, policyAsserter, initiator);
+
+ if (asserted) {
+ KeyValueToken token = (KeyValueToken) getAssertion();
+ String namespace = token.getName().getNamespaceURI();
+ if (token.isRsaKeyValue()) {
+ getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.RSA_KEY_VALUE));
+ }
+ }
}
@Override
@@ -55,13 +68,22 @@ public class KeyValueTokenAssertionState
KeyValueTokenSecurityEvent keyValueTokenSecurityEvent = (KeyValueTokenSecurityEvent) tokenSecurityEvent;
KeyValueToken keyValueToken = (KeyValueToken) abstractToken;
- if (keyValueToken.isRsaKeyValue() && !(keyValueTokenSecurityEvent.getSecurityToken() instanceof RsaKeyValueSecurityToken)) {
- setErrorMessage("Policy enforces that a RsaKeyValue must be present in the KeyValueToken but we got a " +
+
+ String namespace = getAssertion().getName().getNamespaceURI();
+ if (keyValueToken.isRsaKeyValue()) {
+ if (!(keyValueTokenSecurityEvent.getSecurityToken() instanceof RsaKeyValueSecurityToken)) {
+ setErrorMessage("Policy enforces that a RsaKeyValue must be present in the KeyValueToken but we got a " +
keyValueTokenSecurityEvent.getSecurityToken().getClass().getSimpleName());
- return false;
+ getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.RSA_KEY_VALUE),
+ getErrorMessage());
+ return false;
+ } else {
+ getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.RSA_KEY_VALUE));
+ }
}
//always return true to prevent false alarm in case additional tokens with the same usage
//appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+ getPolicyAsserter().assertPolicy(getAssertion());
return true;
}
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java Thu Jul 3 16:34:44 2014
@@ -19,16 +19,20 @@
package org.apache.wss4j.policy.stax.assertionStates;
import org.apache.wss4j.policy.AssertionState;
+import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.common.WSSPolicyException;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.stax.ext.WSSUtils;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import javax.xml.namespace.QName;
+
import java.util.List;
/**
@@ -37,10 +41,24 @@ import java.util.List;
public class OnlySignEntireHeadersAndBodyAssertionState extends AssertionState implements Assertable {
private String roleOrActor;
+ private PolicyAsserter policyAsserter;
- public OnlySignEntireHeadersAndBodyAssertionState(AbstractSecurityAssertion assertion, boolean asserted, String roleOrActor) {
+ public OnlySignEntireHeadersAndBodyAssertionState(AbstractSecurityAssertion assertion,
+ PolicyAsserter policyAsserter,
+ boolean asserted,
+ String roleOrActor) {
super(assertion, asserted);
this.roleOrActor = roleOrActor;
+
+ this.policyAsserter = policyAsserter;
+ if (this.policyAsserter == null) {
+ this.policyAsserter = new DummyPolicyAsserter();
+ }
+
+ if (asserted) {
+ String namespace = getAssertion().getName().getNamespaceURI();
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
+ }
}
@Override
@@ -53,25 +71,34 @@ public class OnlySignEntireHeadersAndBod
@Override
public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
+ String namespace = getAssertion().getName().getNamespaceURI();
+
AbstractSecuredElementSecurityEvent abstractSecuredElementSecurityEvent = (AbstractSecuredElementSecurityEvent) securityEvent;
if (abstractSecuredElementSecurityEvent.isSigned() && !abstractSecuredElementSecurityEvent.isAttachment()) {
List<QName> elementPath = abstractSecuredElementSecurityEvent.getElementPath();
if (elementPath.size() == 4 && WSSUtils.isInSecurityHeader(abstractSecuredElementSecurityEvent.getXmlSecEvent(), elementPath, roleOrActor)) {
setAsserted(true);
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
return true;
}
if (elementPath.size() == 3 && WSSUtils.isInSOAPHeader(elementPath)) {
setAsserted(true);
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
return true;
}
if (elementPath.size() == 2 && WSSUtils.isInSOAPBody(elementPath)) {
setAsserted(true);
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
return true;
}
setAsserted(false);
setErrorMessage("OnlySignEntireHeadersAndBody not fulfilled, offending element: " + WSSUtils.pathAsString(elementPath));
+ policyAsserter.unassertPolicy(new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY),
+ getErrorMessage());
return false;
}
+
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
return true;
}
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ProtectionOrderAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ProtectionOrderAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ProtectionOrderAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ProtectionOrderAssertionState.java Thu Jul 3 16:34:44 2014
@@ -19,10 +19,13 @@
package org.apache.wss4j.policy.stax.assertionStates;
import org.apache.wss4j.policy.AssertionState;
+import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.common.WSSPolicyException;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.wss4j.stax.ext.WSSUtils;
import org.apache.wss4j.stax.securityEvent.*;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
@@ -33,6 +36,7 @@ import org.apache.xml.security.stax.secu
import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;
import javax.xml.namespace.QName;
+
import java.util.List;
/**
@@ -41,8 +45,31 @@ import java.util.List;
public class ProtectionOrderAssertionState extends AssertionState implements Assertable {
- public ProtectionOrderAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+ private PolicyAsserter policyAsserter;
+
+ public ProtectionOrderAssertionState(AbstractSecurityAssertion assertion,
+ PolicyAsserter policyAsserter,
+ boolean asserted) {
super(assertion, asserted);
+ this.policyAsserter = policyAsserter;
+ if (this.policyAsserter == null) {
+ this.policyAsserter = new DummyPolicyAsserter();
+ }
+
+ if (asserted) {
+ String namespace = getAssertion().getName().getNamespaceURI();
+ AbstractSymmetricAsymmetricBinding.ProtectionOrder protectionOrder = ((AbstractSymmetricAsymmetricBinding) getAssertion()).getProtectionOrder();
+ switch (protectionOrder) {
+ case SignBeforeEncrypting: {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.SIGN_BEFORE_ENCRYPTING));
+ break;
+ }
+ case EncryptBeforeSigning: {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.ENCRYPT_BEFORE_SIGNING));
+ }
+ break;
+ }
+ }
}
@Override
@@ -100,6 +127,8 @@ public class ProtectionOrderAssertionSta
}
private void testProtectionOrder(AbstractSymmetricAsymmetricBinding.ProtectionOrder protectionOrder, List<XMLSecurityConstants.ContentType> contentTypes, List<QName> elementPath) {
+ String namespace = getAssertion().getName().getNamespaceURI();
+
switch (protectionOrder) {
case SignBeforeEncrypting: {
int lastSignature = contentTypes.lastIndexOf(XMLSecurityConstants.ContentType.SIGNATURE);
@@ -107,6 +136,10 @@ public class ProtectionOrderAssertionSta
if (firstEncryption >= 0 && firstEncryption < lastSignature) {
setAsserted(false);
setErrorMessage("Policy enforces " + protectionOrder + " but the " + WSSUtils.pathAsString(elementPath) + " was encrypted and then signed");
+ policyAsserter.unassertPolicy(new QName(namespace, SPConstants.SIGN_BEFORE_ENCRYPTING),
+ getErrorMessage());
+ } else {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.SIGN_BEFORE_ENCRYPTING));
}
break;
}
@@ -116,6 +149,10 @@ public class ProtectionOrderAssertionSta
if (firstSignature >= 0 && firstSignature < lastEncryption) {
setAsserted(false);
setErrorMessage("Policy enforces " + protectionOrder + " but the " + WSSUtils.pathAsString(elementPath) + " was signed and then encrypted");
+ policyAsserter.unassertPolicy(new QName(namespace, SPConstants.ENCRYPT_BEFORE_SIGNING),
+ getErrorMessage());
+ } else {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.ENCRYPT_BEFORE_SIGNING));
}
break;
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RelTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RelTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RelTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RelTokenAssertionState.java Thu Jul 3 16:34:44 2014
@@ -22,6 +22,7 @@ import org.apache.wss4j.common.WSSPolicy
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.RelToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.xml.security.stax.securityToken.SecurityToken;
@@ -34,8 +35,9 @@ import org.apache.wss4j.stax.securityEve
public class RelTokenAssertionState extends TokenAssertionState {
- public RelTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
- super(assertion, asserted, initiator);
+ public RelTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
+ PolicyAsserter policyAsserter, boolean initiator) {
+ super(assertion, asserted, policyAsserter, initiator);
}
@Override
@@ -57,6 +59,7 @@ public class RelTokenAssertionState exte
if (relToken.getIssuerName() != null && !relToken.getIssuerName().equals(relTokenSecurityEvent.getIssuerName())) {
setErrorMessage("IssuerName in Policy (" + relToken.getIssuerName() + ") didn't match with the one in the RelToken (" + relTokenSecurityEvent.getIssuerName() + ")");
+ getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
return false;
}
@@ -64,6 +67,7 @@ public class RelTokenAssertionState exte
//todo WssRelV*
//always return true to prevent false alarm in case additional tokens with the same usage
//appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+ getPolicyAsserter().assertPolicy(getAssertion());
return true;
}
}