Posted to commits@cxf.apache.org by co...@apache.org on 2011/11/16 12:13:15 UTC
svn commit: r1202636 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws...
Author: coheigea
Date: Wed Nov 16 11:13:15 2011
New Revision: 1202636
URL: http://svn.apache.org/viewvc?rev=1202636&view=rev
Log:
Did a refactor of the TransportBindingHandler + added a systest for a Kerberos EndorsingEncryptedSupportingToken
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1202636&r1=1202635&r2=1202636&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Wed Nov 16 11:13:15 2011
@@ -219,23 +219,8 @@ public class TransportBindingHandler ext
ai.setAsserted(true);
}
if (sgndSuppTokens != null) {
- SignedEncryptedParts signdParts = sgndSuppTokens.getSignedParts();
-
for (Token token : sgndSuppTokens.getTokens()) {
- if (token instanceof IssuedToken
- || token instanceof SecureConversationToken
- || token instanceof SecurityContextToken
- || token instanceof KeyValueToken
- || token instanceof KerberosToken) {
- addSig(signatureValues, doIssuedTokenSignature(token, signdParts,
- sgndSuppTokens,
- null));
- } else if (token instanceof X509Token
- || token instanceof KeyValueToken) {
- addSig(signatureValues, doX509TokenSignature(token,
- signdParts,
- sgndSuppTokens));
- }
+ handleEndorsingToken(token, sgndSuppTokens, signatureValues);
}
}
}
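Review bot: The call on L45 gives this token collection a SAML path that the removed inline chain never had: a `SamlToken` in `sgndSuppTokens` matched no branch in L31–L44 and was skipped, whereas `handleEndorsingToken` (defined in the third hunk) now runs `addSamlToken`, writes the assertion into the security header and endorses with it. That is a behaviour change rather than a pure refactor, so either the log message should record it as intentional or the SAML branch needs to stay out of this path. I cannot tell from the hunk which supporting-token assertion `sgndSuppTokens` holds, so whether SAML endorsement is wanted here needs confirming against the policy spec for that assertion. The enclosing method starts before this hunk.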
@@ -250,30 +235,7 @@ public class TransportBindingHandler ext
if (endSuppTokens != null) {
for (Token token : endSuppTokens.getTokens()) {
- if (token instanceof IssuedToken
- || token instanceof SecureConversationToken
- || token instanceof SecurityContextToken
- || token instanceof KerberosToken) {
- addSig(signatureValues, doIssuedTokenSignature(token,
- endSuppTokens
- .getSignedParts(),
- endSuppTokens,
- null));
- } else if (token instanceof X509Token
- || token instanceof KeyValueToken) {
- addSig(signatureValues, doX509TokenSignature(token,
- endSuppTokens.getSignedParts(),
- endSuppTokens));
- } else if (token instanceof SamlToken) {
- AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
- assertionWrapper.toDOM(saaj.getSOAPPart());
- storeAssertionAsSecurityToken(assertionWrapper);
- addSig(signatureValues, doIssuedTokenSignature(token,
- endSuppTokens
- .getSignedParts(),
- endSuppTokens,
- null));
- }
+ handleEndorsingToken(token, endSuppTokens, signatureValues);
}
}
}
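Review bot: Routing for `KeyValueToken` changes for this collection and for the one in the next hunk (L107): the removed chain sent it to `doX509TokenSignature` (L61–L65, and L92–L96), but the new helper tests `token instanceof KeyValueToken` in its first condition (L119) and so sends it to `doIssuedTokenSignature`, which also leaves the `|| token instanceof KeyValueToken` clause on L126 unreachable. Only the first hunk's old code (L34, L40) had that double test, so the helper silently adopts that hunk's semantics for the other two. Whichever path is meant, one of the two tests should go: if the X509 path is intended, remove the `KeyValueToken` clause from the first condition; if the issued-token path is intended, drop L126 and note the change in the log. The enclosing method starts before this hunk.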
@@ -287,35 +249,42 @@ public class TransportBindingHandler ext
if (endSuppTokens != null) {
for (Token token : endSuppTokens.getTokens()) {
- if (token instanceof IssuedToken
- || token instanceof SecureConversationToken
- || token instanceof SecurityContextToken
- || token instanceof KerberosToken) {
- addSig(signatureValues, doIssuedTokenSignature(token,
- endSuppTokens
- .getSignedParts(),
- endSuppTokens,
- null));
- } else if (token instanceof X509Token
- || token instanceof KeyValueToken) {
- addSig(signatureValues, doX509TokenSignature(token,
- endSuppTokens.getSignedParts(),
- endSuppTokens));
- } else if (token instanceof SamlToken) {
- AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
- assertionWrapper.toDOM(saaj.getSOAPPart());
- storeAssertionAsSecurityToken(assertionWrapper);
- addSig(signatureValues, doIssuedTokenSignature(token,
- endSuppTokens
- .getSignedParts(),
- endSuppTokens,
- null));
- }
+ handleEndorsingToken(token, endSuppTokens, signatureValues);
}
}
}
}
+ private void handleEndorsingToken(
+ Token token, SupportingToken wrapper, List<byte[]> signatureValues
+ ) throws Exception {
+ SignedEncryptedParts signdParts = wrapper.getSignedParts();
+ if (token instanceof IssuedToken
+ || token instanceof SecureConversationToken
+ || token instanceof SecurityContextToken
+ || token instanceof KeyValueToken
+ || token instanceof KerberosToken) {
+ addSig(
+ signatureValues,
+ doIssuedTokenSignature(token, signdParts, wrapper)
+ );
+ } else if (token instanceof X509Token
+ || token instanceof KeyValueToken) {
+ addSig(
+ signatureValues,
+ doX509TokenSignature(token, signdParts, wrapper)
+ );
+ } else if (token instanceof SamlToken) {
+ AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
+ assertionWrapper.toDOM(saaj.getSOAPPart());
+ storeAssertionAsSecurityToken(assertionWrapper);
+ addSig(
+ signatureValues,
+ doIssuedTokenSignature(token, signdParts, wrapper)
+ );
+ }
+ }
+
private byte[] doX509TokenSignature(Token token, SignedEncryptedParts signedParts,
TokenWrapper wrapper)
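Review bot: `handleEndorsingToken` (L112–L140) is new and carries no Javadoc, although it now decides how every endorsing supporting token is turned into a signature and quietly pre-processes SAML tokens before signing. A short header would make the contract visible: a summary such as "Endorses the message with one supporting token and appends the resulting signature value to {@code signatureValues}; a {@code SamlToken} is first added to the security header and stored as a security token", followed by `@param` entries for `token`, `wrapper` and `signatureValues`, and `@throws Exception` stating that failures from the underlying signature methods are propagated. It is also worth noting in that comment that tokens matching none of the three branches are silently ignored, since the method has no final `else`, so a caller cannot tell an unsupported token type from a handled one.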
@@ -391,19 +360,14 @@ public class TransportBindingHandler ext
}
}
- private byte[] doIssuedTokenSignature(Token token,
- SignedEncryptedParts signdParts,
- TokenWrapper wrapper,
- SecurityToken securityTok) throws Exception {
- //Get the issued token
- SecurityToken secTok = securityTok;
- if (secTok == null) {
- secTok = getSecurityToken();
- }
-
+ private byte[] doIssuedTokenSignature(
+ Token token, SignedEncryptedParts signdParts, TokenWrapper wrapper
+ ) throws Exception {
boolean tokenIncluded = false;
-
+ // Get the issued token
+ SecurityToken secTok = getSecurityToken();
List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
+
if (includeToken(token.getInclusion())) {
//Add the token
Element el = cloneElement(secTok.getToken());
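Review bot: With the `securityTok` parameter removed, `secTok` now comes only from `getSecurityToken()` (L163) and is dereferenced at L168 when the token is included and unconditionally at L175 in the next hunk, with no null check on either path. The removed version had the same gap, but a caller could previously supply the token directly; that fallback is gone, so a missing token is now guaranteed to surface as a `NullPointerException` deep in the signing code. If `getSecurityToken()` can return null when no token was obtained (I cannot tell from this hunk), a guard such as `if (secTok == null) { throw new IllegalStateException("no security token available for endorsing signature"); }` placed before L166 would make the failure diagnosable. The method body continues into the next hunk.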
@@ -427,8 +391,7 @@ public class TransportBindingHandler ext
WSEncryptionPart bodyPart = convertToEncryptionPart(saaj.getSOAPBody());
sigParts.add(bodyPart);
}
- if (secTok.getX509Certificate() != null
- || securityTok != null) {
+ if (secTok.getX509Certificate() != null) {
//the "getX509Certificate" this is to workaround an issue in WCF
//In WCF, for TransportBinding, in most cases, it doesn't want any of
//the headers signed even if the policy says so. HOWEVER, for KeyValue
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java?rev=1202636&r1=1202635&r2=1202636&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java Wed Nov 16 11:13:15 2011
@@ -280,6 +280,30 @@ public class KerberosTokenTest extends A
assertTrue(result.equals(BigInteger.valueOf(50)));
}
+ @org.junit.Test
+ @org.junit.Ignore
+ public void testKerberosOverSymmetricEndorsingEncrypted() throws Exception {
+
+ if (!unrestrictedPoliciesInstalled) {
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = KerberosTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ DoubleItService service = new DoubleItService();
+
+ DoubleItPortType kerberosPort = service.getDoubleItKerberosSymmetricEndorsingEncryptedPort();
+ updateAddressPort(kerberosPort, PORT);
+
+ BigInteger result = kerberosPort.doubleIt(BigInteger.valueOf(25));
+ assertTrue(result.equals(BigInteger.valueOf(50)));
+ }
+
private boolean checkUnrestrictedPoliciesInstalled() {
try {
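Review bot: `@org.junit.Ignore` on L188 carries no reason string, so the new Kerberos endorsing-encrypted test is checked in disabled with nothing recording why it cannot run or what has to change before it can; `@org.junit.Ignore("<reason the test is disabled>")` keeps that information next to the test. As a point of style, `assertTrue(result.equals(BigInteger.valueOf(50)))` on L208 reports only "AssertionError" on failure, whereas `assertEquals(BigInteger.valueOf(50), result)` prints both values; the preceding test (L185) uses the same pattern, so changing both together would keep the file consistent. The bus created on L198 is not shut down within the hunk; if the other tests in this class release theirs, this one should too.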
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml?rev=1202636&r1=1202635&r2=1202636&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml Wed Nov 16 11:13:15 2011
@@ -226,4 +226,20 @@
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://WSSec/kerberos}DoubleItKerberosSymmetricEndorsingEncryptedPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="bob"/>
+ <entry key="ws-security.kerberos.client">
+ <bean class="org.apache.cxf.ws.security.kerberos.KerberosClient">
+ <constructor-arg ref="cxf"/>
+ <property name="contextName" value="alice"/>
+ <property name="serviceName" value="bob@service.ws.apache.org"/>
+ </bean>
+ </entry>
+ </jaxws:properties>
+ </jaxws:client>
+
</beans>
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml?rev=1202636&r1=1202635&r2=1202636&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml Wed Nov 16 11:13:15 2011
@@ -71,7 +71,7 @@
</httpj:engine>
</httpj:engine-factory>
- <!--<bean id="kerberosTicketDecoderImpl"
+ <!-- <bean id="kerberosTicketDecoderImpl"
class="org.apache.cxf.systest.ws.kerberos.server.KerberosTokenDecoderImpl"/>-->
<bean id="kerberosValidator"
@@ -287,4 +287,23 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="KerberosOverSymmetricEndorsingEncrypted"
+ address="http://localhost:${testutil.ports.Server}/DoubleItKerberosSymmetricEndorsingEncrypted"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItKerberosSymmetricEndorsingEncryptedPort"
+ xmlns:s="http://WSSec/kerberos"
+ implementor="org.apache.cxf.systest.ws.kerberos.server.DoubleItImpl"
+ wsdlLocation="wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.bst.validator" value-ref="kerberosValidator"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
</beans>
Modified: cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl?rev=1202636&r1=1202635&r2=1202636&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl Wed Nov 16 11:13:15 2011
@@ -274,6 +274,26 @@
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItKerberosSymmetricEndorsingEncryptedBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItKerberosSymmetricEndorsingEncryptedPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
+
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItKerberosTransportPort" binding="tns:DoubleItKerberosTransportBinding">
<soap:address location="https://localhost:9009/DoubleItKerberosTransport" />
@@ -314,6 +334,10 @@
binding="tns:DoubleItKerberosAsymmetricSignedEncryptedBinding">
<soap:address location="http://localhost:9001/DoubleItKerberosAsymmetricSignedEncrypted" />
</wsdl:port>
+ <wsdl:port name="DoubleItKerberosSymmetricEndorsingEncryptedPort"
+ binding="tns:DoubleItKerberosSymmetricEndorsingEncryptedBinding">
+ <soap:address location="http://localhost:9001/DoubleItKerberosSymmetricEndorsingEncrypted" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItKerberosTransportPolicy">
@@ -820,6 +844,56 @@
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItKerberosSymmetricEndorsingEncryptedPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SymmetricBinding>
+ <wsp:Policy>
+ <sp:ProtectionToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireThumbprintReference />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:ProtectionToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:SymmetricBinding>
+ <sp:Wss11>
+ <wsp:Policy>
+ <sp:MustSupportRefIssuerSerial/>
+ <sp:MustSupportRefThumbprint/>
+ <sp:MustSupportRefEncryptedKey/>
+ </wsp:Policy>
+ </sp:Wss11>
+ <sp:EndorsingEncryptedSupportingTokens>
+ <wsp:Policy>
+ <sp:KerberosToken
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once">
+ <wsp:Policy>
+ <sp:WssGssKerberosV5ApReqToken11/>
+ </wsp:Policy>
+ </sp:KerberosToken>
+ </wsp:Policy>
+ </sp:EndorsingEncryptedSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
<wsp:ExactlyOne>