Posted to commits@cxf.apache.org by dk...@apache.org on 2009/12/10 22:26:48 UTC
svn commit: r889428 - in /cxf/branches/2.2.x-fixes: ./
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/
systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security...
Author: dkulp
Date: Thu Dec 10 21:26:48 2009
New Revision: 889428
URL: http://svn.apache.org/viewvc?rev=889428&view=rev
Log:
Merged revisions 889426 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r889426 | dkulp | 2009-12-10 16:24:32 -0500 (Thu, 10 Dec 2009) | 2 lines
[CXF-2150] If the service is configured for Digest, make sure a digest is
sent in. For WS-SecPol, make sure what came in matches the policy.
........
Modified:
cxf/branches/2.2.x-fixes/ (props changed)
cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/WSSecurityClientTest.java
cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/server.xml
cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/test-data/UsernameTokenRequest.xml
Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
svn:mergeinfo = /cxf/trunk:889426
Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=889428&r1=889427&r2=889428&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Thu Dec 10 21:26:48 2009
@@ -71,11 +71,14 @@
import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.cxf.ws.security.policy.model.UsernameToken;
import org.apache.cxf.ws.security.policy.model.Wss11;
import org.apache.cxf.ws.security.policy.model.X509Token;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerConstants;
@@ -495,7 +498,9 @@
}
protected void doResults(SoapMessage msg, String actor,
- SOAPMessage doc, Vector results) throws SOAPException, XMLStreamException {
+ SOAPMessage doc, Vector results)
+ throws SOAPException, XMLStreamException, WSSecurityException {
+
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
Collection<WSDataRef> signed = new HashSet<WSDataRef>();
Collection<WSDataRef> encrypted = new HashSet<WSDataRef>();
@@ -535,7 +540,20 @@
}
break;
case WSConstants.UT:
- assertPolicy(aim, SP12Constants.USERNAME_TOKEN);
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ WSUsernameTokenPrincipal princ
+ = (WSUsernameTokenPrincipal)wser.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ for (AssertionInfo ai : ais) {
+ UsernameToken tok = (UsernameToken)ai.getAssertion();
+ if (tok.isHashPassword() != princ.isPasswordDigest()) {
+ ai.setNotAsserted("Password hashing policy not enforced");
+ }
+ }
+ }
break;
case WSConstants.TS:
assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
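Review bot: The UT case asserts every UsernameToken assertion unconditionally before comparing, and it does so once per UT result, so when a header carries more than one UsernameToken a later result's `ai.setAsserted(true)` loop overwrites a `setNotAsserted(...)` recorded for an earlier mismatching token and the policy check fails open. Setting asserted only when the comparison passes, and leaving an already-recorded failure alone, keeps a single mismatch final (this assumes `AssertionInfo` exposes the recorded failure via `getErrorMessage()`). The cast of `TAG_PRINCIPAL` is also dereferenced with no null check; if a UT result can arrive without a principal, `princ.isPasswordDigest()` throws NPE instead of a security fault, so failing closed there is cheaper than debugging a stack trace later. `doResults` and its switch continue outside the hunk.
```java
case WSConstants.UT:
    Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
    if (ais != null) {
        WSUsernameTokenPrincipal princ
            = (WSUsernameTokenPrincipal)wser.get(WSSecurityEngineResult.TAG_PRINCIPAL);
        if (princ == null) {
            // nothing to compare the policy against: fail closed, not NPE
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
        }
        for (AssertionInfo ai : ais) {
            UsernameToken tok = (UsernameToken)ai.getAssertion();
            if (tok.isHashPassword() != princ.isPasswordDigest()) {
                ai.setNotAsserted("Password hashing policy not enforced");
            } else if (ai.getErrorMessage() == null) {
                // assert only if no earlier UsernameToken result already failed this assertion
                ai.setAsserted(true);
            }
        }
    }
    break;
```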
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=889428&r1=889427&r2=889428&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Thu Dec 10 21:26:48 2009
@@ -61,6 +61,7 @@
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
@@ -328,7 +329,7 @@
}
protected void doResults(SoapMessage msg, String actor, SOAPMessage doc, Vector wsResult)
- throws SOAPException, XMLStreamException {
+ throws SOAPException, XMLStreamException, WSSecurityException {
/*
* All ok up to this point. Now construct and setup the security result
* structure. The service may fetch this and check it.
@@ -353,6 +354,21 @@
i++;
}
msg.setContent(XMLStreamReader.class, reader);
+ String pwType = (String)getProperty(msg, "passwordType");
+ if ("PasswordDigest".equals(pwType)) {
+ //CXF-2150 - we need to check the UsernameTokens
+ for (WSSecurityEngineResult o : CastUtils.cast(wsResult, WSSecurityEngineResult.class)) {
+ Integer actInt = (Integer)o.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt == WSConstants.UT) {
+ WSUsernameTokenPrincipal princ
+ = (WSUsernameTokenPrincipal)o.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ if (!princ.isPasswordDigest()) {
+ LOG.warning("Non-digest UsernameToken found, but digest required");
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+ }
+ }
+ }
+ }
for (WSSecurityEngineResult o : CastUtils.cast(wsResult, WSSecurityEngineResult.class)) {
final Principal p = (Principal)o.get(WSSecurityEngineResult.TAG_PRINCIPAL);
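Review bot: The new digest check dereferences the principal cast from `TAG_PRINCIPAL` without a null check; if a UT result can lack a principal (not visible from here), `princ.isPasswordDigest()` throws NPE rather than the intended security fault, so the guard should read `if (princ == null || !princ.isPasswordDigest()) {`. The gate `(String)getProperty(msg, "passwordType")` and `"PasswordDigest".equals(pwType)` repeats as literals the property key and value that WSS4J itself parses; `WSHandlerConstants.PASSWORD_TYPE` (already imported) and `WSConstants.PW_DIGEST` keep the enforcement in lockstep with the handler's own configuration parsing. The added loop over `wsResult` also duplicates the one that immediately follows it; the UT check could live inside that existing loop instead of iterating the results twice. `doResults` continues outside the hunk.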
Modified: cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/WSSecurityClientTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/WSSecurityClientTest.java?rev=889428&r1=889427&r2=889428&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/WSSecurityClientTest.java (original)
+++ cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/WSSecurityClientTest.java Thu Dec 10 21:26:48 2009
@@ -20,7 +20,9 @@
package org.apache.cxf.systest.ws.security;
import java.util.ArrayList;
+import java.util.HashMap;
import java.util.List;
+import java.util.Map;
import javax.xml.namespace.QName;
import javax.xml.transform.OutputKeys;
@@ -42,9 +44,12 @@
import org.apache.cxf.BusFactory;
import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.jaxws.DispatchImpl;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.apache.cxf.transport.http.HTTPConduit;
+import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.hello_world_soap_http.Greeter;
import org.junit.BeforeClass;
@@ -95,6 +100,41 @@
launchServer(Server.class, true)
);
}
+
+ @Test
+ public void testUsernameToken() {
+ final javax.xml.ws.Service svc
+ = javax.xml.ws.Service.create(WSDL_LOC, GREETER_SERVICE_QNAME);
+ final Greeter greeter = svc.getPort(USERNAME_TOKEN_PORT_QNAME, Greeter.class);
+
+ Client client = ClientProxy.getClient(greeter);
+ Map<String, Object> props = new HashMap<String, Object>();
+ props.put("action", "UsernameToken");
+ props.put("user", "alice");
+ WSS4JOutInterceptor wss4jOut = new WSS4JOutInterceptor(props);
+
+ client.getOutInterceptors().add(wss4jOut);
+
+ ((BindingProvider)greeter).getRequestContext().put("password", "password");
+ String s = greeter.greetMe("CXF");
+ assertEquals("Hello CXF", s);
+
+ try {
+ ((BindingProvider)greeter).getRequestContext().put("password", "foo");
+ greeter.greetMe("CXF");
+ fail("should fail");
+ } catch (Exception ex) {
+ //expected
+ }
+ try {
+ props.put("passwordType", "PasswordText");
+ ((BindingProvider)greeter).getRequestContext().put("password", "password");
+ greeter.greetMe("CXF");
+ fail("should fail");
+ } catch (Exception ex) {
+ //expected
+ }
+ }
@Test
public void testTimestampSignEncrypt() {
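Review bot: Both negative cases in `testUsernameToken` use `catch (Exception ex)` with `//expected`, so the test passes for any failure at all (a connection refused, a misconfigured port, a wrong WSDL) and not only for the server rejecting the bad password or the plaintext token. Catching the fault type the client actually raises for a server-side WSS4J rejection, e.g. `} catch (javax.xml.ws.soap.SOAPFaultException ex) {`, and asserting on its message keeps the test meaningful; the exact type should be confirmed against what the client surfaces here. The second case also relies on `props.put("passwordType", "PasswordText")` taking effect after `WSS4JOutInterceptor` was constructed from that map, which only holds if the interceptor keeps a live reference to it; a comment such as `// props is shared with wss4jOut, so this switches the outgoing token to PasswordText` would make that dependency explicit.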
@@ -222,11 +262,6 @@
return createUsernameTokenDispatcher(false);
}
private static Dispatch<Source> createUsernameTokenDispatcher(boolean decoupled) {
- //
- // Set up the client (stolen from JAX-RS system test)
- //
- // TODO This could really be done more simply with an HTTPURLConnection
- //
final Service service = Service.create(
GREETER_SERVICE_QNAME
);
Modified: cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/server.xml?rev=889428&r1=889427&r2=889428&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/server.xml (original)
+++ cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/server.xml Thu Dec 10 21:26:48 2009
@@ -72,7 +72,7 @@
<constructor-arg>
<map>
<entry key="action" value="UsernameToken"/>
- <!-- <entry key="passwordType" value="PasswordDigest"/> -->
+ <entry key="passwordType" value="PasswordDigest"/>
<entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.security.KeystorePasswordCallback"/>
</map>
</constructor-arg>
Modified: cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/test-data/UsernameTokenRequest.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/test-data/UsernameTokenRequest.xml?rev=889428&r1=889427&r2=889428&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/test-data/UsernameTokenRequest.xml (original)
+++ cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/test-data/UsernameTokenRequest.xml Thu Dec 10 21:26:48 2009
@@ -3,10 +3,10 @@
<wss:Security xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wss:UsernameToken>
<wss:Username>alice</wss:Username>
- <wss:Password
- Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
- >password</wss:Password>
- </wss:UsernameToken>
+ <wss:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">FPqPsaAp7hWASdknPsbfZxIoDVI=</wss:Password>
+ <wss:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">OJBNzEGDmTiD/lbeA+UDeg==</wss:Nonce>
+ <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-12-10T21:12:59.100Z</wsu:Created>
+ </wss:UsernameToken>
</wss:Security>
</soap:Header>
<soap:Body>
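Review bot: The new fixture embeds a pre-computed digest together with a fixed `wss:Nonce` and a `wsu:Created` of 2009-12-10T21:12:59.100Z, so the three values are bound to each other and to the test password; changing any one of them silently turns the test into a failing-authentication case, and any nonce replay cache or Created freshness check the server might enforce would reject the fixture outright. An XML comment above the token recording this, e.g. `<!-- digest is derived from this exact Nonce, Created and the test password; regenerate all three together -->`, would save the next maintainer from editing one field in isolation. Whether the test server applies a freshness window to UsernameToken Created values is not visible from this diff.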