Posted to commits@cxf.apache.org by co...@apache.org on 2011/05/04 18:06:49 UTC
svn commit: r1099502 - in
/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j:
PolicyBasedWSS4JInInterceptor.java
policyvalidators/EndorsingTokenPolicyValidator.java
Author: coheigea
Date: Wed May 4 16:06:49 2011
New Revision: 1099502
URL: http://svn.apache.org/viewvc?rev=1099502&view=rev
Log:
[CXF-3461] - EndorsingSupportingTokens policy reports not satisfied when using TLS with signed timestamp
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1099502&r1=1099501&r2=1099502&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Wed May 4 16:06:49 2011
@@ -74,6 +74,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.model.X509Token;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
import org.apache.neethi.Assertion;
import org.apache.ws.security.WSConstants;
@@ -540,7 +541,6 @@ public class PolicyBasedWSS4JInIntercept
&& sl.get(0).getName().equals(new QName(WSConstants.SIG_NS, WSConstants.SIG_LN))) {
//endorsing the signature
hasEndorsement = true;
- break;
}
for (WSDataRef r : sl) {
signed.add(r);
@@ -621,18 +621,24 @@ public class PolicyBasedWSS4JInIntercept
assertSymetricBinding(aim, msg, prots, hasDerivedKeys);
assertTransportBinding(aim);
-
//REVISIT - probably can verify some of these like if UT is encrypted and/or signed, etc...
assertPolicy(aim, SP12Constants.SIGNED_SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
if (hasEndorsement || isRequestor(msg)) {
- assertPolicy(aim, SP12Constants.ENDORSING_SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
}
+ if (isRequestor(msg)) {
+ assertPolicy(aim, SP12Constants.ENDORSING_SUPPORTING_TOKENS);
+ } else {
+ // TODO need to revisit all of the other endorsed policies
+ EndorsingTokenPolicyValidator endorsingValidator =
+ new EndorsingTokenPolicyValidator(signedResults, msg);
+ endorsingValidator.validatePolicy(aim);
+ }
super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);
}
private void assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, Node header)
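Review bot: The boolean returned by `endorsingValidator.validatePolicy(aim)` in the new else-branch is discarded. From the validator's own hunk below it appears a failed check is signalled through `ai.setNotAsserted(...)` on the AssertionInfo, so the return value may well be redundant here, but that should be confirmed (or the result logged), since otherwise a failing endorsing check on the non-requestor side depends entirely on that side effect. The `// TODO need to revisit all of the other endorsed policies` comment would be more useful if it named what is left over: the SIGNED_ENDORSING, ENDORSING_ENCRYPTED and SIGNED_ENDORSING_ENCRYPTED variants above are still asserted on `hasEndorsement || isRequestor(msg)` alone rather than through the validator. doResults begins before this hunk.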
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1099502&r1=1099501&r2=1099502&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java Wed May 4 16:06:49 2011
@@ -19,7 +19,6 @@
package org.apache.cxf.ws.security.wss4j.policyvalidators;
-import java.security.cert.Certificate;
import java.util.Collection;
import java.util.List;
@@ -60,11 +59,11 @@ public class EndorsingTokenPolicyValidat
ai.setAsserted(true);
TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
- Certificate[] tlsCerts = null;
+ boolean transport = false;
if (tlsInfo != null) {
- tlsCerts = tlsInfo.getPeerCertificates();
+ transport = true;
}
- if (!checkEndorsed(tlsCerts)) {
+ if (!checkEndorsed(transport)) {
ai.setNotAsserted("Message fails endorsing supporting tokens requirements");
return false;
}
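Review bot: `transport` is now derived from whether a TLSSessionInfo is attached to the message, not from whether the policy in `aim` actually selected the Transport Binding, although the javadoc in the next hunk describes the check as "If we're using the Transport Binding". If I read the flow correctly, a message governed by a symmetric or asymmetric binding policy that happens to arrive over HTTPS would then only be required to have a signed Timestamp rather than a signed Signature, which is a weaker endorsement check than that policy asks for; the caller in PolicyBasedWSS4JInInterceptor already distinguishes bindings (it calls `assertTransportBinding(aim)`), so the flag could be passed in from there or derived from `aim` here. Independently of that, the assignment can be collapsed to `boolean transport = tlsInfo != null;`. validatePolicy starts before this hunk.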
@@ -77,11 +76,11 @@ public class EndorsingTokenPolicyValidat
/**
* Check the endorsing supporting token policy. If we're using the Transport Binding then
* check that the Timestamp is signed. Otherwise, check that the signature is signed.
- * @param tlsCerts
+ * @param transport
* @return true if the endorsed supporting token policy is correct
*/
- private boolean checkEndorsed(Certificate[] tlsCerts) {
- if (tlsCerts != null && tlsCerts.length > 0) {
+ private boolean checkEndorsed(boolean transport) {
+ if (transport) {
return checkTimestampIsSigned();
}
return checkSignatureIsSigned();
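Review bot: The new `@param transport` tag carries no description, so the javadoc no longer says what the flag means. Suggest `@param transport true if the message arrived over a TLS session (a TLSSessionInfo is present), in which case only the Timestamp must be signed; false to require the Signature itself to be signed`. The summary sentence's "If we're using the Transport Binding" should likewise be aligned with what the caller actually tests, which in the previous hunk is TLS session presence rather than the binding assertion.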