Posted to commits@cxf.apache.org by co...@apache.org on 2013/05/23 15:17:32 UTC
svn commit: r1485693 [3/14] - in /cxf/trunk: ./
distribution/src/main/release/samples/sts/src/main/java/demo/wssec/client/
distribution/src/main/release/samples/sts/src/main/java/demo/wssec/server/
distribution/src/main/release/samples/sts/src/main/jav...
Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java Thu May 23 13:17:26 2013
@@ -44,17 +44,17 @@ import org.apache.cxf.message.MessageUti
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.common.SecurityUtils;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.message.token.DOMX509Data;
-import org.apache.ws.security.message.token.DOMX509IssuerSerial;
-import org.apache.ws.security.util.Base64;
-import org.apache.ws.security.util.UUIDGenerator;
-import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.message.token.DOMX509Data;
+import org.apache.wss4j.dom.message.token.DOMX509IssuerSerial;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.signature.XMLSignature;
+import org.apache.xml.security.stax.impl.util.IDGenerator;
+import org.apache.xml.security.utils.Base64;
import org.apache.xml.security.utils.EncryptionConstants;
public class XmlEncOutInterceptor extends AbstractXmlSecOutInterceptor {
@@ -131,12 +131,12 @@ public class XmlEncOutInterceptor extend
userName = SecurityUtils.getUserName(crypto, userName);
if (StringUtils.isEmpty(userName)) {
- throw new WSSecurityException("User name is not available");
+ throw new Exception("User name is not available");
}
receiverCert = getReceiverCertificateFromCrypto(crypto, userName);
}
if (receiverCert == null) {
- throw new WSSecurityException("Receiver certificate is not available");
+ throw new Exception("Receiver certificate is not available");
}
String keyEncAlgo = encProps.getEncryptionKeyTransportAlgo() == null
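Review bot: Replacing `WSSecurityException` with raw `java.lang.Exception` at L41 and L47 (and likewise at L55 and L117 in this file and at L142 in XmlSigOutInterceptor) discards the typed security failure: a caller that catches `WSSecurityException` to turn a missing user or receiver certificate into a security fault now receives a generic `Exception`, and throwing raw `Exception` is itself a pattern reviewers flag. The new class evidently lacks a String-only constructor, but the message-id form this file already uses at L72–77 keeps the type, e.g. `throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", new Object[] {"User name is not available"});` — confirm that the `"empty"` pass-through key exists in the wss4j message bundle, or fall back to a project-specific exception rather than `Exception`. The enclosing method starts and ends outside the hunk.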
@@ -156,7 +156,7 @@ public class XmlEncOutInterceptor extend
Document result = xmlCipher.doFinal(payloadDoc, payloadDoc.getDocumentElement(), false);
NodeList list = result.getElementsByTagNameNS(WSConstants.ENC_NS, "CipherValue");
if (list.getLength() != 1) {
- throw new WSSecurityException("Payload CipherData is missing", null);
+ throw new Exception("Payload CipherData is missing");
}
String cipherText = ((Element)list.item(0)).getTextContent().trim();
Element cipherValue =
@@ -201,9 +201,7 @@ public class XmlEncOutInterceptor extend
}
return keyGen;
} catch (NoSuchAlgorithmException e) {
- throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e
- );
+ throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, e);
}
}
@@ -222,7 +220,7 @@ public class XmlEncOutInterceptor extend
String message = "Public key algorithm too weak to encrypt symmetric key";
LOG.severe(message);
throw new WSSecurityException(
- WSSecurityException.FAILURE,
+ WSSecurityException.ErrorCode.FAILURE,
"unsupportedKeyTransp",
new Object[] {message}
);
@@ -232,15 +230,15 @@ public class XmlEncOutInterceptor extend
encryptedEphemeralKey = cipher.doFinal(keyBytes);
} catch (IllegalStateException ex) {
throw new WSSecurityException(
- WSSecurityException.FAILED_ENCRYPTION, null, null, ex
+ WSSecurityException.ErrorCode.FAILED_ENCRYPTION, null, null, ex
);
} catch (IllegalBlockSizeException ex) {
throw new WSSecurityException(
- WSSecurityException.FAILED_ENCRYPTION, null, null, ex
+ WSSecurityException.ErrorCode.FAILED_ENCRYPTION, null, null, ex
);
} catch (BadPaddingException ex) {
throw new WSSecurityException(
- WSSecurityException.FAILED_ENCRYPTION, null, null, ex
+ WSSecurityException.ErrorCode.FAILED_ENCRYPTION, null, null, ex
);
}
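Review bot: The four-argument form `new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, null, null, ex)` in the three catch blocks relies on `ex` landing in the cause parameter of the new class; its constructors overload on position (L66 in this same file already uses a two-argument form), and if the trailing argument is bound as a varargs message argument instead, the stack trace of the cipher failure is silently lost. The unambiguous form `throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, ex);` in all three blocks avoids that. The three-argument call at L108 (`ErrorCode.SECURITY_TOKEN_UNAVAILABLE, "encodeError", e`) deserves the same check that `e` becomes the cause rather than a message argument. The enclosing method starts and ends outside the hunk.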
@@ -258,7 +256,7 @@ public class XmlEncOutInterceptor extend
String encodedKey = Base64Utility.encode(encryptedKey);
Element encryptedKeyElement = createEncryptedKeyElement(doc, keyEncAlgo, digestAlgo);
- String encKeyId = "EK-" + UUIDGenerator.getUUID();
+ String encKeyId = IDGenerator.generateID("EK-");
encryptedKeyElement.setAttributeNS(null, "Id", encKeyId);
Element keyInfoElement = createKeyInfoElement(doc, cert);
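Review bot: `IDGenerator.generateID("EK-")` takes the EncryptedKey id from `org.apache.xml.security.stax.impl.util`, an `impl` package of the StAX module of Santuario, into DOM-based code; internal packages carry no compatibility guarantee across upgrades. XmlSigOutInterceptor in this same commit builds its id with `UUID.randomUUID().toString()` (L155), so `String encKeyId = "EK-" + UUID.randomUUID().toString();` plus a `java.util.UUID` import would keep the two interceptors consistent and free of the internal dependency. Whether IDGenerator adds anything beyond a random UUID here cannot be told from the page. The enclosing method starts and ends outside the hunk.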
@@ -310,7 +308,7 @@ public class XmlEncOutInterceptor extend
data = remoteCert.getEncoded();
} catch (CertificateEncodingException e) {
throw new WSSecurityException(
- WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "encodeError", null, e
+ WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, "encodeError", e
);
}
Text text = encryptedDataDoc.createTextNode(Base64.encode(data));
@@ -332,7 +330,7 @@ public class XmlEncOutInterceptor extend
DOMX509Data domX509Data = new DOMX509Data(encryptedDataDoc, domIssuerSerial);
keyIdentifierNode = domX509Data.getElement();
} else {
- throw new WSSecurityException("Unsupported key identifier:" + keyIdType);
+ throw new Exception("Unsupported key identifier:" + keyIdType);
}
keyInfoElement.appendChild(keyIdentifierNode);
Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java (original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java Thu May 23 13:17:26 2013
@@ -39,9 +39,9 @@ import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.common.CryptoLoader;
import org.apache.cxf.rs.security.common.SecurityUtils;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.ws.security.WSPasswordCallback;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
@@ -110,11 +110,11 @@ public class XmlSigOutInterceptor extend
String user = SecurityUtils.getUserName(message, crypto, userNameKey);
if (StringUtils.isEmpty(user) || SecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(user)) {
- throw new WSSecurityException("User name is not available");
+ throw new Exception("User name is not available");
}
String password =
- SecurityUtils.getPassword(message, user, WSPasswordCallback.SIGNATURE, this.getClass());
+ SecurityUtils.getPassword(message, user, WSPasswordCallback.Usage.SIGNATURE, this.getClass());
X509Certificate[] issuerCerts = SecurityUtils.getCertificates(crypto, user);
@@ -131,7 +131,7 @@ public class XmlSigOutInterceptor extend
} catch (Exception ex) {
String errorMessage = "Private key can not be loaded, user:" + user;
LOG.severe(errorMessage);
- throw new WSSecurityException(errorMessage, ex);
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
}
String id = UUID.randomUUID().toString();
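Review bot: The new `throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);` drops `errorMessage` (which names the user whose private key failed to load) from the exception; it now survives only in the `LOG.severe` call on the line above, so a caller or fault mapper receives a bare FAILURE code where it previously got the context. If the new class's constructor that takes both a cause and a message id fits, pass the message alongside `ex`; otherwise mark the loss as deliberate with `// user context is logged above; the exception carries only the error code`. The enclosing method starts outside the hunk.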
Modified: cxf/trunk/rt/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/pom.xml?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/security/pom.xml (original)
+++ cxf/trunk/rt/security/pom.xml Thu May 23 13:17:26 2013
@@ -44,8 +44,8 @@
<version>${project.version}</version>
</dependency>
<dependency>
- <groupId>org.apache.ws.security</groupId>
- <artifactId>wss4j</artifactId>
+ <groupId>org.apache.wss4j</groupId>
+ <artifactId>wss4j-ws-security-dom</artifactId>
<version>${cxf.wss4j.version}</version>
<exclusions>
<exclusion>
Modified: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java (original)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java Thu May 23 13:17:26 2013
@@ -38,8 +38,8 @@ import org.apache.cxf.phase.AbstractPhas
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.LoginSecurityContext;
import org.apache.cxf.security.SecurityContext;
-import org.apache.ws.security.saml.ext.OpenSAMLUtil;
-import org.apache.ws.security.util.DOM2Writer;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.util.DOM2Writer;
import org.opensaml.xacml.ctx.DecisionType;
import org.opensaml.xacml.ctx.RequestType;
import org.opensaml.xacml.ctx.ResponseType;
@@ -62,7 +62,7 @@ public abstract class AbstractXACMLAutho
public AbstractXACMLAuthorizingInterceptor() {
super(Phase.PRE_INVOKE);
- OpenSAMLUtil.initSamlEngine();
+ org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
}
public void handleMessage(Message message) throws Fault {
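Review bot: The constructor now calls `org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine()` by its fully-qualified name although L183 in this file imports exactly that class, so the import and the qualification are redundant with each other (and an unused-import check would flag the import if nothing else in the file uses it). Either drop the qualification — `OpenSAMLUtil.initSamlEngine();` — or drop the import, as the test classes at L262 and L279 do, where the qualified call is consistent because their imports were removed in the same commit.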
Modified: cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java (original)
+++ cxf/trunk/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java Thu May 23 13:17:26 2013
@@ -29,8 +29,8 @@ import org.w3c.dom.Element;
import org.apache.cxf.interceptor.security.SAMLSecurityContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.SecurityContext;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.joda.time.DateTime;
import org.opensaml.xacml.ctx.ActionType;
import org.opensaml.xacml.ctx.AttributeType;
@@ -175,7 +175,7 @@ public class DefaultXACMLRequestBuilder
if (sc instanceof SAMLSecurityContext) {
Element assertionElement = ((SAMLSecurityContext)sc).getAssertionElement();
if (assertionElement != null) {
- AssertionWrapper wrapper = new AssertionWrapper(assertionElement);
+ SamlAssertionWrapper wrapper = new SamlAssertionWrapper(assertionElement);
return wrapper.getIssuerString();
}
}
Modified: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java (original)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilderTest.java Thu May 23 13:17:26 2013
@@ -30,7 +30,7 @@ import javax.xml.parsers.ParserConfigura
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.joda.time.DateTime;
import org.opensaml.xacml.ctx.ActionType;
import org.opensaml.xacml.ctx.AttributeType;
Modified: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java (original)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilderTest.java Thu May 23 13:17:26 2013
@@ -30,8 +30,7 @@ import javax.xml.parsers.ParserConfigura
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-import org.apache.ws.security.saml.ext.OpenSAMLUtil;
-
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
import org.opensaml.xacml.ctx.ActionType;
import org.opensaml.xacml.ctx.AttributeType;
import org.opensaml.xacml.ctx.AttributeValueType;
Modified: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java (original)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptorTest.java Thu May 23 13:17:26 2013
@@ -29,7 +29,6 @@ import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageImpl;
import org.apache.cxf.security.LoginSecurityContext;
import org.apache.cxf.security.SecurityContext;
-import org.apache.ws.security.saml.ext.OpenSAMLUtil;
/**
@@ -38,7 +37,7 @@ import org.apache.ws.security.saml.ext.O
public class XACMLAuthorizingInterceptorTest extends org.junit.Assert {
static {
- OpenSAMLUtil.initSamlEngine();
+ org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
}
@org.junit.Test
Modified: cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java (original)
+++ cxf/trunk/rt/security/src/test/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilderTest.java Thu May 23 13:17:26 2013
@@ -24,7 +24,6 @@ import java.util.Collections;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageImpl;
-import org.apache.ws.security.saml.ext.OpenSAMLUtil;
import org.opensaml.xacml.ctx.RequestType;
@@ -34,7 +33,7 @@ import org.opensaml.xacml.ctx.RequestTyp
public class XACMLRequestBuilderTest extends org.junit.Assert {
static {
- OpenSAMLUtil.initSamlEngine();
+ org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
}
@org.junit.Test
Modified: cxf/trunk/rt/ws/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/pom.xml?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/pom.xml (original)
+++ cxf/trunk/rt/ws/security/pom.xml Thu May 23 13:17:26 2013
@@ -87,8 +87,8 @@
<scope>compile</scope>
</dependency>
<dependency>
- <groupId>org.apache.ws.security</groupId>
- <artifactId>wss4j</artifactId>
+ <groupId>org.apache.wss4j</groupId>
+ <artifactId>wss4j-ws-security-dom</artifactId>
<version>${cxf.wss4j.version}</version>
<exclusions>
<exclusion>
@@ -102,8 +102,19 @@
</exclusions>
</dependency>
<dependency>
- <groupId>commons-logging</groupId>
- <artifactId>commons-logging</artifactId>
+ <groupId>org.apache.wss4j</groupId>
+ <artifactId>wss4j-policy</artifactId>
+ <version>${cxf.wss4j.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.wss4j</groupId>
+ <artifactId>wss4j-ws-security-stax</artifactId>
+ <version>${cxf.wss4j.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.wss4j</groupId>
+ <artifactId>wss4j-ws-security-policy-stax</artifactId>
+ <version>${cxf.wss4j.version}</version>
</dependency>
<dependency>
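Review bot: The three new wss4j artifacts (wss4j-policy, wss4j-ws-security-stax, wss4j-ws-security-policy-stax) carry no `<exclusions>`, whereas the wss4j-ws-security-dom dependency just above keeps its exclusion block; if those exclusions exist to keep a transitive artifact out of this module, the new dependencies may reintroduce it through their own transitive graph. The commons-logging dependency is also removed here rather than replaced, so any remaining use in the module now depends on transitive resolution. Checking the resolved dependency tree after this change, and mirroring the exclusions on the new artifacts if they pull in the same transitive artifact, would confirm the module's classpath is what was intended.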
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java Thu May 23 13:17:26 2013
@@ -182,6 +182,13 @@ public final class SecurityConstants {
public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION =
"ws-security.validate.saml.subject.conf";
+ /**
+ * Whether to enable streaming WS-Security. If set to false (the default), the old DOM
+ * implementation is used. If set to true, the new streaming (StAX) implementation is used.
+ */
+ public static final String ENABLE_STREAMING_SECURITY =
+ "ws-security.enable.streaming";
+
//
// Non-boolean WS-Security Configuration parameters
//
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/cache/CacheCleanupListener.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/cache/CacheCleanupListener.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/cache/CacheCleanupListener.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/cache/CacheCleanupListener.java Thu May 23 13:17:26 2013
@@ -29,7 +29,7 @@ import org.apache.cxf.endpoint.ServerLif
import org.apache.cxf.service.model.EndpointInfo;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
-import org.apache.ws.security.cache.ReplayCache;
+import org.apache.wss4j.common.cache.ReplayCache;
/**
*
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java Thu May 23 13:17:26 2013
@@ -30,10 +30,10 @@ import org.apache.cxf.common.logging.Log
import org.apache.cxf.configuration.Configurable;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.message.token.KerberosSecurity;
-import org.apache.ws.security.util.Base64;
-import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.message.token.KerberosSecurity;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.xml.security.utils.Base64;
/**
* A class that obtains a ticket from a KDC and wraps it in a SecurityToken object.
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java Thu May 23 13:17:26 2013
@@ -20,54 +20,23 @@
package org.apache.cxf.ws.security.policy;
import java.util.Arrays;
+import java.util.HashMap;
import java.util.List;
+import java.util.Map;
import javax.xml.namespace.QName;
+import org.w3c.dom.Element;
+
import org.apache.cxf.Bus;
import org.apache.cxf.common.injection.NoJSR250Annotations;
import org.apache.cxf.ws.policy.AssertionBuilderLoader;
import org.apache.cxf.ws.policy.AssertionBuilderRegistry;
-import org.apache.cxf.ws.policy.PolicyBuilder;
import org.apache.cxf.ws.policy.PolicyInterceptorProviderLoader;
import org.apache.cxf.ws.policy.PolicyInterceptorProviderRegistry;
+import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertionBuilder;
-import org.apache.cxf.ws.security.policy.builders.AlgorithmSuiteBuilder;
-import org.apache.cxf.ws.security.policy.builders.AsymmetricBindingBuilder;
-import org.apache.cxf.ws.security.policy.builders.ContentEncryptedElementsBuilder;
-import org.apache.cxf.ws.security.policy.builders.EncryptedElementsBuilder;
-import org.apache.cxf.ws.security.policy.builders.EncryptedPartsBuilder;
-import org.apache.cxf.ws.security.policy.builders.HttpsTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.InitiatorEncryptionTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.InitiatorSignatureTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.InitiatorTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.IssuedTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.KerberosTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.KeyValueTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.LayoutBuilder;
-import org.apache.cxf.ws.security.policy.builders.ProtectionTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.RecipientEncryptionTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.RecipientSignatureTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.RecipientTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.RequiredElementsBuilder;
-import org.apache.cxf.ws.security.policy.builders.RequiredPartsBuilder;
-import org.apache.cxf.ws.security.policy.builders.SamlTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.SecureConversationTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.SecurityContextTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.SignedElementsBuilder;
-import org.apache.cxf.ws.security.policy.builders.SignedPartsBuilder;
-import org.apache.cxf.ws.security.policy.builders.SpnegoContextTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.SupportingTokens12Builder;
-import org.apache.cxf.ws.security.policy.builders.SupportingTokensBuilder;
-import org.apache.cxf.ws.security.policy.builders.SymmetricBindingBuilder;
-import org.apache.cxf.ws.security.policy.builders.TransportBindingBuilder;
-import org.apache.cxf.ws.security.policy.builders.TransportTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.Trust10Builder;
-import org.apache.cxf.ws.security.policy.builders.Trust13Builder;
-import org.apache.cxf.ws.security.policy.builders.UsernameTokenBuilder;
-import org.apache.cxf.ws.security.policy.builders.WSS10Builder;
-import org.apache.cxf.ws.security.policy.builders.WSS11Builder;
-import org.apache.cxf.ws.security.policy.builders.X509TokenBuilder;
+import org.apache.cxf.ws.security.policy.custom.AlgorithmSuiteBuilder;
import org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider;
import org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider;
import org.apache.cxf.ws.security.policy.interceptors.KerberosTokenInterceptorProvider;
@@ -77,6 +46,49 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.interceptors.UsernameTokenInterceptorProvider;
import org.apache.cxf.ws.security.policy.interceptors.WSSecurityInterceptorProvider;
import org.apache.cxf.ws.security.policy.interceptors.WSSecurityPolicyInterceptorProvider;
+import org.apache.neethi.Assertion;
+import org.apache.neethi.AssertionBuilderFactory;
+import org.apache.neethi.builders.xml.XMLPrimitiveAssertionBuilder;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SP13Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.builders.AsymmetricBindingBuilder;
+import org.apache.wss4j.policy.builders.BootstrapPolicyBuilder;
+import org.apache.wss4j.policy.builders.ContentEncryptedElementsBuilder;
+import org.apache.wss4j.policy.builders.EncryptedElementsBuilder;
+import org.apache.wss4j.policy.builders.EncryptedPartsBuilder;
+import org.apache.wss4j.policy.builders.HttpsTokenBuilder;
+import org.apache.wss4j.policy.builders.InitiatorEncryptionTokenBuilder;
+import org.apache.wss4j.policy.builders.InitiatorSignatureTokenBuilder;
+import org.apache.wss4j.policy.builders.InitiatorTokenBuilder;
+import org.apache.wss4j.policy.builders.IssuedTokenBuilder;
+import org.apache.wss4j.policy.builders.KerberosTokenBuilder;
+import org.apache.wss4j.policy.builders.KeyValueTokenBuilder;
+import org.apache.wss4j.policy.builders.LayoutBuilder;
+import org.apache.wss4j.policy.builders.ProtectionTokenBuilder;
+import org.apache.wss4j.policy.builders.RecipientEncryptionTokenBuilder;
+import org.apache.wss4j.policy.builders.RecipientSignatureTokenBuilder;
+import org.apache.wss4j.policy.builders.RecipientTokenBuilder;
+import org.apache.wss4j.policy.builders.RequiredElementsBuilder;
+import org.apache.wss4j.policy.builders.RequiredPartsBuilder;
+import org.apache.wss4j.policy.builders.SamlTokenBuilder;
+import org.apache.wss4j.policy.builders.SecureConversationTokenBuilder;
+import org.apache.wss4j.policy.builders.SecurityContextTokenBuilder;
+import org.apache.wss4j.policy.builders.SignedElementsBuilder;
+import org.apache.wss4j.policy.builders.SignedPartsBuilder;
+import org.apache.wss4j.policy.builders.SpnegoContextTokenBuilder;
+import org.apache.wss4j.policy.builders.SupportingTokensBuilder;
+import org.apache.wss4j.policy.builders.SymmetricBindingBuilder;
+import org.apache.wss4j.policy.builders.TransportBindingBuilder;
+import org.apache.wss4j.policy.builders.TransportTokenBuilder;
+import org.apache.wss4j.policy.builders.Trust10Builder;
+import org.apache.wss4j.policy.builders.Trust13Builder;
+import org.apache.wss4j.policy.builders.UsernameTokenBuilder;
+import org.apache.wss4j.policy.builders.WSS10Builder;
+import org.apache.wss4j.policy.builders.WSS11Builder;
+import org.apache.wss4j.policy.builders.X509TokenBuilder;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
@NoJSR250Annotations
public final class WSSecurityPolicyLoader implements PolicyInterceptorProviderLoader, AssertionBuilderLoader {
@@ -100,43 +112,42 @@ public final class WSSecurityPolicyLoade
if (reg == null) {
return;
}
- PolicyBuilder pbuild = bus.getExtension(PolicyBuilder.class);
reg.registerBuilder(new AlgorithmSuiteBuilder(bus));
- reg.registerBuilder(new AsymmetricBindingBuilder(pbuild));
+ reg.registerBuilder(new AsymmetricBindingBuilder());
reg.registerBuilder(new ContentEncryptedElementsBuilder());
reg.registerBuilder(new EncryptedElementsBuilder());
reg.registerBuilder(new EncryptedPartsBuilder());
- reg.registerBuilder(new HttpsTokenBuilder(pbuild));
- reg.registerBuilder(new InitiatorTokenBuilder(pbuild));
- reg.registerBuilder(new InitiatorSignatureTokenBuilder(pbuild));
- reg.registerBuilder(new InitiatorEncryptionTokenBuilder(pbuild));
- reg.registerBuilder(new IssuedTokenBuilder(pbuild));
+ reg.registerBuilder(new HttpsTokenBuilder());
+ reg.registerBuilder(new InitiatorTokenBuilder());
+ reg.registerBuilder(new InitiatorSignatureTokenBuilder());
+ reg.registerBuilder(new InitiatorEncryptionTokenBuilder());
+ reg.registerBuilder(new IssuedTokenBuilder());
reg.registerBuilder(new LayoutBuilder());
- reg.registerBuilder(new ProtectionTokenBuilder(pbuild));
- reg.registerBuilder(new RecipientTokenBuilder(pbuild));
- reg.registerBuilder(new RecipientSignatureTokenBuilder(pbuild));
- reg.registerBuilder(new RecipientEncryptionTokenBuilder(pbuild));
+ reg.registerBuilder(new ProtectionTokenBuilder());
+ reg.registerBuilder(new RecipientTokenBuilder());
+ reg.registerBuilder(new RecipientSignatureTokenBuilder());
+ reg.registerBuilder(new RecipientEncryptionTokenBuilder());
reg.registerBuilder(new RequiredElementsBuilder());
reg.registerBuilder(new RequiredPartsBuilder());
- reg.registerBuilder(new SamlTokenBuilder(pbuild));
- reg.registerBuilder(new KerberosTokenBuilder(pbuild));
- reg.registerBuilder(new SecureConversationTokenBuilder(pbuild));
+ reg.registerBuilder(new SamlTokenBuilder());
+ reg.registerBuilder(new KerberosTokenBuilder());
+ reg.registerBuilder(new SecureConversationTokenBuilder());
+ reg.registerBuilder(new BootstrapPolicyBuilder());
reg.registerBuilder(new SecurityContextTokenBuilder());
reg.registerBuilder(new SignedElementsBuilder());
reg.registerBuilder(new SignedPartsBuilder());
- reg.registerBuilder(new SpnegoContextTokenBuilder(pbuild));
- reg.registerBuilder(new SupportingTokens12Builder(pbuild));
- reg.registerBuilder(new SupportingTokensBuilder(pbuild));
- reg.registerBuilder(new SymmetricBindingBuilder(pbuild));
- reg.registerBuilder(new TransportBindingBuilder(pbuild, bus));
- reg.registerBuilder(new TransportTokenBuilder(pbuild));
+ reg.registerBuilder(new SpnegoContextTokenBuilder());
+ reg.registerBuilder(new SupportingTokensBuilder());
+ reg.registerBuilder(new SymmetricBindingBuilder());
+ reg.registerBuilder(new TransportBindingBuilder());
+ reg.registerBuilder(new TransportTokenBuilder());
reg.registerBuilder(new Trust10Builder());
reg.registerBuilder(new Trust13Builder());
- reg.registerBuilder(new UsernameTokenBuilder(pbuild));
+ reg.registerBuilder(new UsernameTokenBuilder());
reg.registerBuilder(new KeyValueTokenBuilder());
reg.registerBuilder(new WSS10Builder());
reg.registerBuilder(new WSS11Builder());
- reg.registerBuilder(new X509TokenBuilder(pbuild));
+ reg.registerBuilder(new X509TokenBuilder());
//add generic assertions for these known things to prevent warnings
List<QName> others = Arrays.asList(new QName[] {
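Review bot: `SupportingTokens12Builder` is no longer registered and nothing replaces it: the old loader registered both `SupportingTokensBuilder` and `SupportingTokens12Builder`, the new one only the wss4j `SupportingTokensBuilder`. Presumably that builder handles both the SP 1.1 and SP 1.2 supporting-token namespaces, but it should be confirmed, because a supporting-token assertion with no registered builder is not modelled as a security assertion and, judging by the comment on the line below, would at best surface as a policy warning rather than be enforced. A one-line comment such as `// wss4j SupportingTokensBuilder covers both SP 1.1 and SP 1.2 namespaces` next to the registration would record the assumption. The enclosing method starts outside the hunk and continues past it.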
@@ -165,14 +176,106 @@ public final class WSSecurityPolicyLoade
SP11Constants.REQUIRE_INTERNAL_REFERENCE,
SP12Constants.REQUIRE_ISSUER_SERIAL_REFERENCE,
SP11Constants.REQUIRE_ISSUER_SERIAL_REFERENCE,
- new QName(SP12Constants.SP_NS, SP12Constants.ENCRYPT_BEFORE_SIGNING),
- new QName(SP11Constants.SP_NS, SP11Constants.ENCRYPT_BEFORE_SIGNING),
- new QName(SP12Constants.SP_NS, SP12Constants.SIGN_BEFORE_ENCRYPTING),
- new QName(SP11Constants.SP_NS, SP11Constants.SIGN_BEFORE_ENCRYPTING),
+ SP12Constants.REQUIRE_EMBEDDED_TOKEN_REFERENCE,
+ SP11Constants.REQUIRE_EMBEDDED_TOKEN_REFERENCE,
+ SP12Constants.ENCRYPT_BEFORE_SIGNING,
+ SP11Constants.ENCRYPT_BEFORE_SIGNING,
+ SP12Constants.SIGN_BEFORE_ENCRYPTING,
+ SP11Constants.SIGN_BEFORE_ENCRYPTING,
SP12Constants.REQUIRE_KEY_IDENTIFIER_REFERENCE,
SP11Constants.REQUIRE_KEY_IDENTIFIER_REFERENCE,
+ SP12Constants.PROTECT_TOKENS,
+ SP11Constants.PROTECT_TOKENS,
+ SP12Constants.RSA_KEY_VALUE,
+
+ // Layout
+ SP11Constants.LAX, SP11Constants.LAXTSFIRST, SP11Constants.LAXTSLAST, SP11Constants.STRICT,
+ SP12Constants.LAX, SP12Constants.LAXTSFIRST, SP12Constants.LAXTSLAST, SP12Constants.STRICT,
+
+ // UsernameToken
+ SP11Constants.WSS_USERNAME_TOKEN10, SP12Constants.WSS_USERNAME_TOKEN10,
+ SP11Constants.WSS_USERNAME_TOKEN11, SP12Constants.WSS_USERNAME_TOKEN11,
+ SP12Constants.HASH_PASSWORD, SP12Constants.NO_PASSWORD,
+ SP13Constants.CREATED, SP13Constants.NONCE,
+
+ SP12Constants.REQUIRE_INTERNAL_REFERENCE, SP11Constants.REQUIRE_INTERNAL_REFERENCE,
+ SP12Constants.REQUIRE_EXTERNAL_REFERNCE, SP11Constants.REQUIRE_EXTERNAL_REFERNCE,
+
+ // Kerberos
+ new QName(SP11Constants.SP_NS, "WssKerberosV5ApReqToken11"),
+ new QName(SP12Constants.SP_NS, "WssKerberosV5ApReqToken11"),
+ new QName(SP11Constants.SP_NS, "WssGssKerberosV5ApReqToken11"),
+ new QName(SP12Constants.SP_NS, "WssGssKerberosV5ApReqToken11"),
+
+ // Spnego
+ SP12Constants.MUST_NOT_SEND_AMEND,
+ SP12Constants.MUST_NOT_SEND_CANCEL,
+ SP12Constants.MUST_NOT_SEND_RENEW,
+
+ // Backwards compatibility thing
+ new QName("http://schemas.microsoft.com/ws/2005/07/securitypolicy", SPConstants.MUST_NOT_SEND_CANCEL),
+
+ // SCT
+ SP12Constants.REQUIRE_EXTERNAL_URI_REFERENCE,
+ SP12Constants.SC13_SECURITY_CONTEXT_TOKEN,
+ SP11Constants.SC10_SECURITY_CONTEXT_TOKEN,
+
+ // WSS10
+ SP12Constants.MUST_SUPPORT_REF_KEY_IDENTIFIER, SP11Constants.MUST_SUPPORT_REF_KEY_IDENTIFIER,
+ SP12Constants.MUST_SUPPORT_REF_ISSUER_SERIAL, SP11Constants.MUST_SUPPORT_REF_ISSUER_SERIAL,
+ SP12Constants.MUST_SUPPORT_REF_EXTERNAL_URI, SP12Constants.MUST_SUPPORT_REF_EXTERNAL_URI,
+ SP12Constants.MUST_SUPPORT_REF_EMBEDDED_TOKEN, SP11Constants.MUST_SUPPORT_REF_EMBEDDED_TOKEN,
+
+ // WSS11
+ SP12Constants.MUST_SUPPORT_REF_THUMBPRINT, SP11Constants.MUST_SUPPORT_REF_THUMBPRINT,
+ SP12Constants.MUST_SUPPORT_REF_ENCRYPTED_KEY, SP11Constants.MUST_SUPPORT_REF_ENCRYPTED_KEY,
+ SP12Constants.REQUIRE_SIGNATURE_CONFIRMATION, SP11Constants.REQUIRE_SIGNATURE_CONFIRMATION,
+
+ // SAML
+ new QName(SP11Constants.SP_NS, "WssSamlV11Token10"),
+ new QName(SP12Constants.SP_NS, "WssSamlV11Token10"),
+ new QName(SP11Constants.SP_NS, "WssSamlV11Token11"),
+ new QName(SP12Constants.SP_NS, "WssSamlV11Token11"),
+ new QName(SP11Constants.SP_NS, "WssSamlV20Token11"),
+ new QName(SP12Constants.SP_NS, "WssSamlV20Token11"),
+
+ // HTTPs
+ SP12Constants.HTTP_BASIC_AUTHENTICATION,
+ SP12Constants.HTTP_DIGEST_AUTHENTICATION,
+ SP12Constants.REQUIRE_CLIENT_CERTIFICATE,
+
+ // Trust13
+ SP12Constants.MUST_SUPPORT_CLIENT_CHALLENGE, SP11Constants.MUST_SUPPORT_CLIENT_CHALLENGE,
+ SP12Constants.MUST_SUPPORT_SERVER_CHALLENGE, SP11Constants.MUST_SUPPORT_SERVER_CHALLENGE,
+ SP12Constants.REQUIRE_CLIENT_ENTROPY, SP11Constants.REQUIRE_CLIENT_ENTROPY,
+ SP12Constants.REQUIRE_SERVER_ENTROPY, SP11Constants.REQUIRE_SERVER_ENTROPY,
+ SP12Constants.MUST_SUPPORT_ISSUED_TOKENS, SP11Constants.MUST_SUPPORT_ISSUED_TOKENS,
+ SP12Constants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION,
+ SP12Constants.REQUIRE_APPLIES_TO,
+ SP13Constants.SCOPE_POLICY_15,
+ SP13Constants.MUST_SUPPORT_INTERACTIVE_CHALLENGE,
+
+ });
+ final Map<QName, Assertion> assertions = new HashMap<QName, Assertion>();
+ for (QName q : others) {
+ assertions.put(q, new PrimitiveAssertion(q));
+ }
+ for (String s : AlgorithmSuite.getSupportedAlgorithmSuiteNames()) {
+ QName q = new QName(SP11Constants.SP_NS, s);
+ assertions.put(q, new PrimitiveAssertion(q));
+ q = new QName(SP12Constants.SP_NS, s);
+ assertions.put(q, new PrimitiveAssertion(q));
+ }
+ reg.registerBuilder(new PrimitiveAssertionBuilder(assertions.keySet()) {
+ public Assertion build(Element element, AssertionBuilderFactory fact) {
+ if (XMLPrimitiveAssertionBuilder.isOptional(element)
+ || XMLPrimitiveAssertionBuilder.isIgnorable(element)) {
+ return super.build(element, fact);
+ }
+ QName q = new QName(element.getNamespaceURI(), element.getLocalName());
+ return assertions.get(q);
+ }
});
- reg.registerBuilder(new PrimitiveAssertionBuilder(others));
}
public void registerProviders() {
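Review bot: In the WSS10 group, `SP12Constants.MUST_SUPPORT_REF_EXTERNAL_URI, SP12Constants.MUST_SUPPORT_REF_EXTERNAL_URI,` lists the same SP12 constant twice, while every neighbouring line pairs an SP12 constant with its SP11 counterpart; the second entry was presumably meant to be `SP11Constants.MUST_SUPPORT_REF_EXTERNAL_URI` (if SP11Constants defines it), and as written the SP 1.1 form of that assertion gets no builder and will presumably fall through to the warning this list exists to prevent. The duplicate is harmless for the HashMap, but the missing SP11 entry should be fixed before anyone relies on the list. The anonymous `build` override lacks `@Override`, and the same anonymous PrimitiveAssertionBuilder is copied verbatim into DefaultAlgorithmSuiteLoader in this commit, so a small shared factory method would avoid maintaining two copies. The enclosing method starts outside the hunk.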
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/custom/AlgorithmSuiteLoader.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/custom/AlgorithmSuiteLoader.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/custom/AlgorithmSuiteLoader.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/custom/AlgorithmSuiteLoader.java Thu May 23 13:17:26 2013
@@ -18,10 +18,10 @@
*/
package org.apache.cxf.ws.security.policy.custom;
-import org.w3c.dom.Element;
-
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
+import org.apache.cxf.Bus;
+import org.apache.neethi.Policy;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
/**
* This interface defines a way of retrieving an AlgorithmSuite object from the policy element
@@ -29,6 +29,6 @@ import org.apache.cxf.ws.security.policy
*/
public interface AlgorithmSuiteLoader {
- AlgorithmSuite getAlgorithmSuite(Element policyElement, SPConstants consts);
+ AlgorithmSuite getAlgorithmSuite(Bus bus, SPConstants.SPVersion version, Policy nestedPolicy);
}
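Review bot: The interface Javadoc ending just above (`This interface defines a way of retrieving an AlgorithmSuite object from the policy element`) is now stale: the single method takes a `Bus`, an `SPConstants.SPVersion` and a nested `Policy`, not a DOM element. Add `@param` entries for the three arguments and a `@return` stating whether an implementation may return null, since the removed DefaultAlgorithmSuiteLoader body did return null while the new one always returns a suite, and callers elsewhere in the module depend on that contract.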
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/custom/DefaultAlgorithmSuiteLoader.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/custom/DefaultAlgorithmSuiteLoader.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/custom/DefaultAlgorithmSuiteLoader.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/custom/DefaultAlgorithmSuiteLoader.java Thu May 23 13:17:26 2013
@@ -18,35 +18,112 @@
*/
package org.apache.cxf.ws.security.policy.custom;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.xml.namespace.QName;
+
import org.w3c.dom.Element;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
+import org.apache.cxf.Bus;
+import org.apache.cxf.ws.policy.AssertionBuilderRegistry;
+import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
+import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertionBuilder;
+import org.apache.neethi.Assertion;
+import org.apache.neethi.AssertionBuilderFactory;
+import org.apache.neethi.Policy;
+import org.apache.neethi.builders.xml.XMLPrimitiveAssertionBuilder;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
/**
- * This class retrieves the default AlgorithmSuites.
+ * This class retrieves the default AlgorithmSuites plus the CXF specific GCM AlgorithmSuites.
*/
public class DefaultAlgorithmSuiteLoader implements AlgorithmSuiteLoader {
- private static final String CXF_CUSTOM_POLICY_NS =
- "http://cxf.apache.org/custom/security-policy";
+ public AlgorithmSuite getAlgorithmSuite(Bus bus, SPConstants.SPVersion version, Policy nestedPolicy) {
+ AssertionBuilderRegistry reg = bus.getExtension(AssertionBuilderRegistry.class);
+ if (reg != null) {
+ String ns = "http://cxf.apache.org/custom/security-policy";
+ final Map<QName, Assertion> assertions = new HashMap<QName, Assertion>();
+ QName qName = new QName(ns, "Basic128GCM");
+ assertions.put(qName, new PrimitiveAssertion(qName));
+ qName = new QName(ns, "Basic192GCM");
+ assertions.put(qName, new PrimitiveAssertion(qName));
+ qName = new QName(ns, "Basic256GCM");
+ assertions.put(qName, new PrimitiveAssertion(qName));
+
+ reg.registerBuilder(new PrimitiveAssertionBuilder(assertions.keySet()) {
+ public Assertion build(Element element, AssertionBuilderFactory fact) {
+ if (XMLPrimitiveAssertionBuilder.isOptional(element)
+ || XMLPrimitiveAssertionBuilder.isIgnorable(element)) {
+ return super.build(element, fact);
+ }
+ QName q = new QName(element.getNamespaceURI(), element.getLocalName());
+ return assertions.get(q);
+ }
+ });
+ }
+ return new GCMAlgorithmSuite(version, nestedPolicy);
+ }
+
+ private static class GCMAlgorithmSuite extends AlgorithmSuite {
+
+ GCMAlgorithmSuite(SPConstants.SPVersion version, Policy nestedPolicy) {
+ super(version, nestedPolicy);
+ }
+
+ @Override
+ protected AbstractSecurityAssertion cloneAssertion(Policy nestedPolicy) {
+ return new GCMAlgorithmSuite(getVersion(), nestedPolicy);
+ }
- public AlgorithmSuite getAlgorithmSuite(Element policyElement, SPConstants consts) {
- if (policyElement != null) {
- Element algorithm = DOMUtils.getFirstElement(policyElement);
- if (algorithm != null) {
- AlgorithmSuite algorithmSuite = null;
- if (CXF_CUSTOM_POLICY_NS.equals(algorithm.getNamespaceURI())) {
- algorithmSuite = new GCMAlgorithmSuite(consts);
- } else {
- algorithmSuite = new AlgorithmSuite(consts);
- }
- algorithmSuite.setAlgorithmSuite(algorithm.getLocalName());
- return algorithmSuite;
+ @Override
+ protected void parseCustomAssertion(Assertion assertion) {
+ String assertionName = assertion.getName().getLocalPart();
+ String assertionNamespace = assertion.getName().getNamespaceURI();
+ if (!"http://cxf.apache.org/custom/security-policy".equals(assertionNamespace)) {
+ return;
+ }
+
+ if ("Basic128GCM".equals(assertionName)) {
+ setAlgorithmSuiteType(new AlgorithmSuiteType(
+ "Basic128GCM",
+ SPConstants.SHA1,
+ "http://www.w3.org/2009/xmlenc11#aes128-gcm",
+ SPConstants.KW_AES128,
+ SPConstants.KW_RSA_OAEP,
+ SPConstants.P_SHA1_L128,
+ SPConstants.P_SHA1_L128,
+ 128, 128, 128, 256, 1024, 4096
+ ));
+ getAlgorithmSuiteType().setNamespace(assertionNamespace);
+ } else if ("Basic192GCM".equals(assertionName)) {
+ setAlgorithmSuiteType(new AlgorithmSuiteType(
+ "Basic192GCM",
+ SPConstants.SHA1,
+ "http://www.w3.org/2009/xmlenc11#aes192-gcm",
+ SPConstants.KW_AES192,
+ SPConstants.KW_RSA_OAEP,
+ SPConstants.P_SHA1_L192,
+ SPConstants.P_SHA1_L192,
+ 192, 192, 192, 256, 1024, 4096));
+ getAlgorithmSuiteType().setNamespace(assertionNamespace);
+ } else if ("Basic256GCM".equals(assertionName)) {
+ setAlgorithmSuiteType(new AlgorithmSuiteType(
+ "Basic256GCM",
+ SPConstants.SHA1,
+ "http://www.w3.org/2009/xmlenc11#aes256-gcm",
+ SPConstants.KW_AES256,
+ SPConstants.KW_RSA_OAEP,
+ SPConstants.P_SHA1_L256,
+ SPConstants.P_SHA1_L192,
+ 256, 192, 256, 256, 1024, 4096));
+ getAlgorithmSuiteType().setNamespace(assertionNamespace);
}
}
- return null;
}
+
}
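Review bot: `getAlgorithmSuite` registers a fresh anonymous PrimitiveAssertionBuilder on the bus's AssertionBuilderRegistry on every call, with no check that the three GCM QNames are already registered; unless `registerBuilder` replaces earlier entries (not visible here), repeated policy parsing accumulates builders, so the registration should be guarded (a lookup on the registry, or a once-only flag, before `reg.registerBuilder(...)`). The namespace `"http://cxf.apache.org/custom/security-policy"` is now spelled out twice, in `getAlgorithmSuite` and in `parseCustomAssertion`, after the old constant was deleted; restore `private static final String CXF_CUSTOM_POLICY_NS = "http://cxf.apache.org/custom/security-policy";` and use it in both places. `getAlgorithmSuite` should carry `@Override`, and a class comment saying that the three GCM suites apparently reuse the Basic128/192/256 key-wrap and key-derivation parameters with only the encryption algorithm swapped would help the next maintainer verify the constructor arguments.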
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -21,12 +21,16 @@ package org.apache.cxf.ws.security.polic
import java.security.Principal;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
@@ -42,15 +46,23 @@ import org.apache.cxf.ws.policy.Abstract
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.HttpsToken;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.HttpsToken;
+import org.apache.wss4j.stax.impl.securityToken.HttpsSecurityTokenImpl;
+import org.apache.wss4j.stax.securityEvent.HttpsTokenSecurityEvent;
+import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
/**
*
*/
public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProvider {
+ private static final Logger LOG = LogUtils.getL7dLogger(HttpsTokenInterceptorProvider.class);
+
private static final long serialVersionUID = -13951002554477036L;
public HttpsTokenInterceptorProvider() {
@@ -79,12 +91,13 @@ public class HttpsTokenInterceptorProvid
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
if (aim != null) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.HTTPS_TOKEN);
- if (ais == null) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
+ if (ais.isEmpty()) {
return;
}
if (isRequestor(message)) {
- assertHttps(ais, message);
+ assertHttps(aim, ais, message);
} else {
//server side should be checked on the way in
for (AssertionInfo ai : ais) {
@@ -93,7 +106,7 @@ public class HttpsTokenInterceptorProvid
}
}
}
- private void assertHttps(Collection<AssertionInfo> ais, Message message) {
+ private void assertHttps(AssertionInfoMap aim, Collection<AssertionInfo> ais, Message message) {
for (AssertionInfo ai : ais) {
HttpsToken token = (HttpsToken)ai.getAssertion();
String scheme = (String)message.get("http.scheme");
@@ -101,7 +114,8 @@ public class HttpsTokenInterceptorProvid
Map<String, List<String>> headers = getSetProtocolHeaders(message);
if ("https".equals(scheme)) {
- if (token.isRequireClientCertificate()) {
+ if (token.getAuthenticationType()
+ == HttpsToken.AuthenticationType.RequireClientCertificate) {
final MessageTrustDecider orig = message.get(MessageTrustDecider.class);
MessageTrustDecider trust = new MessageTrustDecider() {
public void establishTrust(String conduitName,
@@ -122,20 +136,25 @@ public class HttpsTokenInterceptorProvid
}
};
message.put(MessageTrustDecider.class, trust);
+ NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
}
- if (token.isHttpBasicAuthentication()) {
+ if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpBasicAuthentication) {
List<String> auth = headers.get("Authorization");
if (auth == null || auth.size() == 0
|| !auth.get(0).startsWith("Basic")) {
ai.setNotAsserted("HttpBasicAuthentication is set, but not being used");
+ } else {
+ NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
}
}
- if (token.isHttpDigestAuthentication()) {
+ if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpDigestAuthentication) {
List<String> auth = headers.get("Authorization");
if (auth == null || auth.size() == 0
|| !auth.get(0).startsWith("Digest")) {
ai.setNotAsserted("HttpDigestAuthentication is set, but not being used");
- }
+ } else {
+ NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
+ }
}
} else {
ai.setNotAsserted("Not an HTTPs connection");
@@ -157,12 +176,17 @@ public class HttpsTokenInterceptorProvid
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
if (aim != null) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.HTTPS_TOKEN);
- if (ais == null) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
+ if (ais.isEmpty()) {
return;
}
if (!isRequestor(message)) {
- assertHttps(ais, message);
+ try {
+ assertHttps(aim, ais, message);
+ } catch (XMLSecurityException e) {
+ LOG.fine(e.getMessage());
+ }
// Store the TLS principal on the message context
SecurityContext sc = message.get(SecurityContext.class);
if (sc == null || sc.getUserPrincipal() == null) {
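Review bot: The new `catch (XMLSecurityException e) { LOG.fine(e.getMessage()); }` discards the exception and its stack trace at FINE level and then carries on to build a SecurityContext from the TLS principal as if the policy check had completed. Because `ai.setAsserted(asserted)` is the last statement of the loop in the new `assertHttps` (next hunk), any assertion still unprocessed when the exception fires stays un-asserted, so the policy should still fail downstream, but the reason is nearly invisible in the logs; log it with the throwable, `LOG.log(Level.WARNING, "HttpsToken policy check failed: " + e.getMessage(), e);` (needs `java.util.logging.Level`), or let it propagate. The enclosing handleMessage starts outside the hunk.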
@@ -182,45 +206,113 @@ public class HttpsTokenInterceptorProvid
//client side should be checked on the way out
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
- }
+ }
+
+ NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
+ NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
+ NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
}
}
}
- private void assertHttps(Collection<AssertionInfo> ais, Message message) {
+ private void assertHttps(
+ AssertionInfoMap aim,
+ Collection<AssertionInfo> ais,
+ Message message
+ ) throws XMLSecurityException {
+ List<SecurityEvent> securityEvents = getSecurityEventList(message);
+ AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
+
for (AssertionInfo ai : ais) {
boolean asserted = true;
HttpsToken token = (HttpsToken)ai.getAssertion();
+ HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
+
Map<String, List<String>> headers = getSetProtocolHeaders(message);
- if (token.isHttpBasicAuthentication()) {
+ if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpBasicAuthentication) {
List<String> auth = headers.get("Authorization");
if (auth == null || auth.size() == 0
|| !auth.get(0).startsWith("Basic")) {
asserted = false;
+ } else {
+ httpsTokenSecurityEvent.setAuthenticationType(
+ HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication
+ );
+ HttpsSecurityTokenImpl httpsSecurityToken =
+ new HttpsSecurityTokenImpl(true, policy.getUserName());
+ httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
+ httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
+ NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
}
}
- if (token.isHttpDigestAuthentication()) {
+ if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpDigestAuthentication) {
List<String> auth = headers.get("Authorization");
if (auth == null || auth.size() == 0
|| !auth.get(0).startsWith("Digest")) {
asserted = false;
- }
+ } else {
+ httpsTokenSecurityEvent.setAuthenticationType(
+ HttpsTokenSecurityEvent.AuthenticationType.HttpDigestAuthentication
+ );
+ HttpsSecurityTokenImpl httpsSecurityToken =
+ new HttpsSecurityTokenImpl(false, policy.getUserName());
+ httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
+ httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
+ NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
+ }
}
TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
if (tlsInfo != null) {
- if (token.isRequireClientCertificate()
- && (tlsInfo.getPeerCertificates() == null
- || tlsInfo.getPeerCertificates().length == 0)) {
- asserted = false;
+ if (token.getAuthenticationType()
+ == HttpsToken.AuthenticationType.RequireClientCertificate) {
+ if (tlsInfo.getPeerCertificates() == null
+ || tlsInfo.getPeerCertificates().length == 0) {
+ asserted = false;
+ } else {
+ NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
+ }
+ }
+
+ if (tlsInfo.getPeerCertificates() != null && tlsInfo.getPeerCertificates().length > 0) {
+ httpsTokenSecurityEvent.setAuthenticationType(
+ HttpsTokenSecurityEvent.AuthenticationType.HttpsClientCertificateAuthentication
+ );
+ HttpsSecurityTokenImpl httpsSecurityToken =
+ new HttpsSecurityTokenImpl((X509Certificate)tlsInfo.getPeerCertificates()[0]);
+ httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
+ httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
+ } else {
+ httpsTokenSecurityEvent.setAuthenticationType(
+ HttpsTokenSecurityEvent.AuthenticationType.HttpsNoAuthentication
+ );
+ HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl();
+ httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
+ httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
}
} else {
asserted = false;
}
ai.setAsserted(asserted);
+
+ if (asserted) {
+ securityEvents.add(httpsTokenSecurityEvent);
+ }
+ }
+ }
+
+ private List<SecurityEvent> getSecurityEventList(Message message) {
+ @SuppressWarnings("unchecked")
+ List<SecurityEvent> securityEvents =
+ (List<SecurityEvent>) message.getExchange().get(SecurityEvent.class.getName() + ".out");
+ if (securityEvents == null) {
+ securityEvents = new ArrayList<SecurityEvent>();
+ message.getExchange().put(SecurityEvent.class.getName() + ".out", securityEvents);
}
+
+ return securityEvents;
}
private SecurityContext createSecurityContext(final Principal p) {
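Review bot: `new HttpsSecurityTokenImpl(true, policy.getUserName())` and its Digest counterpart dereference `policy`, which is `message.get(AuthorizationPolicy.class)` and may be null; the branch is entered whenever an `Authorization` header merely starts with `Basic`/`Digest`, and whether the transport always attaches an AuthorizationPolicy for such a header is not visible here, so a malformed header would surface as a NullPointerException instead of a clean not-asserted result. Guard it by treating `policy == null` as `asserted = false` before building the token. Separately, nothing in this method checks that the Basic/Digest credentials were actually authenticated before the HttpsTokenSecurityEvent is published carrying that user name and `TokenUsage_MainSignature`; if authentication happens elsewhere, a comment on `assertHttps` saying so, and that consumers of the `SecurityEvent.class.getName() + ".out"` list must not treat the token as verified, would prevent a wrong assumption. handleMessage's start lies outside the hunk; assertHttps and getSecurityEventList are complete within it.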
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -42,11 +42,6 @@ import org.apache.cxf.ws.policy.Abstract
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.Trust10;
-import org.apache.cxf.ws.security.policy.model.Trust13;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.tokenstore.TokenStoreFactory;
@@ -55,15 +50,21 @@ import org.apache.cxf.ws.security.trust.
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.saml.SAMLKeyInfo;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
/**
*
@@ -136,9 +137,11 @@ public class IssuedTokenInterceptorProvi
public void handleMessage(Message message) throws Fault {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
+
if (aim != null) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.ISSUED_TOKEN);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
+ if (ais.isEmpty()) {
return;
}
if (isRequestor(message)) {
@@ -179,15 +182,17 @@ public class IssuedTokenInterceptorProvi
}
}
private Trust10 getTrust10(AssertionInfoMap aim) {
- Collection<AssertionInfo> ais = aim.get(SP11Constants.TRUST_10);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
+ if (ais.isEmpty()) {
return null;
}
return (Trust10)ais.iterator().next().getAssertion();
}
private Trust13 getTrust13(AssertionInfoMap aim) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.TRUST_13);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
+ if (ais.isEmpty()) {
return null;
}
return (Trust13)ais.iterator().next().getAssertion();
@@ -342,10 +347,9 @@ public class IssuedTokenInterceptorProvi
) throws Exception {
client.setTrust(getTrust10(aim));
client.setTrust(getTrust13(aim));
- client.setTemplate(itok.getRstTemplate());
- Element policy = itok.getPolicy();
- if (policy != null && policy.getNamespaceURI() != null) {
- client.setWspNamespace(policy.getNamespaceURI());
+ client.setTemplate(itok.getRequestSecurityTokenTemplate());
+ if (itok.getPolicy() != null && itok.getPolicy().getNamespace() != null) {
+ client.setWspNamespace(itok.getPolicy().getNamespace());
}
if (maps != null && maps.getNamespaceURI() != null) {
client.setAddressingNamespace(maps.getNamespaceURI());
@@ -402,7 +406,7 @@ public class IssuedTokenInterceptorProvi
client.setTrust(getTrust10(aim));
client.setTrust(getTrust13(aim));
- client.setTemplate(itok.getRstTemplate());
+ client.setTemplate(itok.getRequestSecurityTokenTemplate());
return client.renewSecurityToken(tok);
} catch (RuntimeException e) {
throw e;
@@ -494,8 +498,9 @@ public class IssuedTokenInterceptorProvi
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
if (aim != null) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.ISSUED_TOKEN);
- if (ais == null) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
+ if (ais.isEmpty()) {
return;
}
if (!isRequestor(message)) {
@@ -519,13 +524,14 @@ public class IssuedTokenInterceptorProvi
AssertionInfoMap aim
) {
List<WSSecurityEngineResult> signedResults =
- WSS4JUtils.fetchAllActionResults(rResult.getResults(), WSConstants.SIGN);
+ WSSecurityUtil.fetchAllActionResults(rResult.getResults(), WSConstants.SIGN);
IssuedTokenPolicyValidator issuedValidator =
new IssuedTokenPolicyValidator(signedResults, message);
- Collection<AssertionInfo> issuedAis = aim.get(SP12Constants.ISSUED_TOKEN);
+ Collection<AssertionInfo> issuedAis =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
- for (AssertionWrapper assertionWrapper : findSamlTokenResults(rResult.getResults())) {
+ for (SamlAssertionWrapper assertionWrapper : findSamlTokenResults(rResult.getResults())) {
boolean valid = issuedValidator.validatePolicy(issuedAis, assertionWrapper);
if (valid) {
SecurityToken token = createSecurityToken(assertionWrapper);
@@ -547,15 +553,15 @@ public class IssuedTokenInterceptorProvi
}
}
- private List<AssertionWrapper> findSamlTokenResults(
+ private List<SamlAssertionWrapper> findSamlTokenResults(
List<WSSecurityEngineResult> wsSecEngineResults
) {
- List<AssertionWrapper> results = new ArrayList<AssertionWrapper>();
+ List<SamlAssertionWrapper> results = new ArrayList<SamlAssertionWrapper>();
for (WSSecurityEngineResult wser : wsSecEngineResults) {
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
if (actInt.intValue() == WSConstants.ST_SIGNED
|| actInt.intValue() == WSConstants.ST_UNSIGNED) {
- results.add((AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION));
+ results.add((SamlAssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION));
}
}
return results;
@@ -575,7 +581,7 @@ public class IssuedTokenInterceptorProvi
}
private SecurityToken createSecurityToken(
- AssertionWrapper assertionWrapper
+ SamlAssertionWrapper assertionWrapper
) {
SecurityToken token = new SecurityToken(assertionWrapper.getId());
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -37,8 +37,6 @@ import org.apache.cxf.ws.policy.Assertio
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.kerberos.KerberosClient;
import org.apache.cxf.ws.security.kerberos.KerberosUtils;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.tokenstore.TokenStoreFactory;
@@ -46,12 +44,15 @@ import org.apache.cxf.ws.security.wss4j.
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.policyvalidators.KerberosTokenPolicyValidator;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.KerberosSecurity;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.KerberosSecurity;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
/**
*
@@ -102,8 +103,9 @@ public class KerberosTokenInterceptorPro
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
if (aim != null) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.KERBEROS_TOKEN);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+ if (ais.isEmpty()) {
return;
}
if (isRequestor(message)) {
@@ -134,6 +136,9 @@ public class KerberosTokenInterceptorPro
ai.setAsserted(true);
}
}
+
+ NegotiationUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+ NegotiationUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
}
}
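Review bot: The two added `assertPolicy` calls mark both `WssKerberosV5ApReqToken11` and `WssGssKerberosV5ApReqToken11` as asserted unconditionally, so a policy that requires the GSS-wrapped AP-REQ form is reported satisfied even when the plain form is what was negotiated; the same pair is added in the inbound hunk ending at L1291. Unless `KerberosTokenPolicyValidator` (imported at L1232) rejects a token of the wrong type on the receiving side, asserting only the sub-assertion that matches the token actually validated would keep the policy result tied to what was checked. The two literals are also repeated verbatim in both methods; hoisting them into `private static final String` constants would stop them drifting apart. The enclosing methods start outside these hunks.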
@@ -150,8 +155,9 @@ public class KerberosTokenInterceptorPro
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
if (aim != null) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.KERBEROS_TOKEN);
- if (ais == null) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+ if (ais.isEmpty()) {
return;
}
if (!isRequestor(message)) {
@@ -166,6 +172,9 @@ public class KerberosTokenInterceptorPro
ai.setAsserted(true);
}
}
+
+ NegotiationUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+ NegotiationUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java Thu May 23 13:17:26 2013
@@ -20,9 +20,12 @@
package org.apache.cxf.ws.security.policy.interceptors;
import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
import java.util.List;
import javax.security.auth.callback.CallbackHandler;
+import javax.xml.namespace.QName;
import org.apache.cxf.Bus;
import org.apache.cxf.binding.soap.SoapMessage;
@@ -47,25 +50,26 @@ import org.apache.cxf.ws.policy.Endpoint
import org.apache.cxf.ws.policy.PolicyEngine;
import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
-import org.apache.cxf.ws.security.policy.model.Binding;
-import org.apache.cxf.ws.security.policy.model.Trust10;
-import org.apache.cxf.ws.security.policy.model.Trust13;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.tokenstore.TokenStoreFactory;
import org.apache.cxf.ws.security.trust.STSUtils;
import org.apache.neethi.Assertion;
import org.apache.neethi.Policy;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.conversation.ConversationConstants;
-import org.apache.ws.security.conversation.ConversationException;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.message.token.SecurityContextToken;
+import org.apache.wss4j.common.derivedKey.ConversationConstants;
+import org.apache.wss4j.common.derivedKey.ConversationException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.message.token.SecurityContextToken;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractBinding;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
/**
* This is a collection of utility methods for use in negotiation exchanges such as WS-SecureConversation
@@ -78,19 +82,16 @@ final class NegotiationUtils {
}
static Trust10 getTrust10(AssertionInfoMap aim) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.TRUST_10);
- if (ais == null || ais.isEmpty()) {
- ais = aim.get(SP11Constants.TRUST_10);
- }
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
+ if (ais.isEmpty()) {
return null;
}
return (Trust10)ais.iterator().next().getAssertion();
}
static Trust13 getTrust13(AssertionInfoMap aim) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.TRUST_13);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
+ if (ais.isEmpty()) {
return null;
}
return (Trust13)ais.iterator().next().getAssertion();
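Review bot: `getTrust10` and `getTrust13` now take `ais.iterator().next()` from the collection built by `getAllAssertionsByLocalname`, which is a `HashSet` merging the SP1.1 and SP1.2 assertions (L1436), so when a policy carries both the returned assertion is chosen in unspecified order and the old SP1.2-first preference is lost; the last-wins loops in `getAlgorithmSuite` (L1378-1399) inherit the same nondeterminism. Building the merged collection as `new LinkedHashSet<AssertionInfo>()` and adding `sp12Ais` before `sp11Ais` in `getAllAssertionsByLocalname` restores a defined preference with a two-line change. The unchecked cast to `Trust10` also assumes the SP1.1 assertion is modelled by the same class; that appears to hold given the single `org.apache.wss4j.policy.model.Trust10` import, but a one-line comment saying so would help the next reader.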
@@ -146,23 +147,24 @@ final class NegotiationUtils {
}
static AlgorithmSuite getAlgorithmSuite(AssertionInfoMap aim) {
- Binding transport = null;
- Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
- if (ais != null) {
+ AbstractBinding transport = null;
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
- transport = (Binding)ai.getAssertion();
+ transport = (AbstractBinding)ai.getAssertion();
}
} else {
- ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
- if (ais != null) {
+ ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
- transport = (Binding)ai.getAssertion();
+ transport = (AbstractBinding)ai.getAssertion();
}
} else {
- ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
- if (ais != null) {
+ ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
- transport = (Binding)ai.getAssertion();
+ transport = (AbstractBinding)ai.getAssertion();
}
}
}
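Review bot: The three nested `if/else` branches in `getAlgorithmSuite` now differ only in the localname they pass to `getAllAssertionsByLocalname`, so the chain reads more clearly as a loop over the three binding names that stops at the first non-empty result, which preserves the transport-then-asymmetric-then-symmetric order. This holds provided `ais` is not referenced again in the part of the method that lies outside the hunk. The method's remainder, including the use of `transport`, is outside the hunk.
```java
        AbstractBinding transport = null;
        // first non-empty binding wins, in the same order as before
        for (String localname : new String[] {SPConstants.TRANSPORT_BINDING,
                                              SPConstants.ASYMMETRIC_BINDING,
                                              SPConstants.SYMMETRIC_BINDING}) {
            Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
            if (!ais.isEmpty()) {
                for (AssertionInfo ai : ais) {
                    transport = (AbstractBinding)ai.getAssertion();
                }
                break;
            }
        }
        // … unchanged: remainder of getAlgorithmSuite, outside the hunk …
```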
@@ -302,4 +304,48 @@ final class NegotiationUtils {
return handler;
}
+ static boolean assertPolicy(AssertionInfoMap aim, QName name) {
+ Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
+ if (ais != null && !ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return true;
+ }
+ return false;
+ }
+
+ static boolean assertPolicy(AssertionInfoMap aim, String localname) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, localname);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return true;
+ }
+ return false;
+ }
+
+ static Collection<AssertionInfo> getAllAssertionsByLocalname(
+ AssertionInfoMap aim,
+ String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+ if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+ Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+ if (sp11Ais != null) {
+ ais.addAll(sp11Ais);
+ }
+ if (sp12Ais != null) {
+ ais.addAll(sp12Ais);
+ }
+ return ais;
+ }
+
+ return Collections.emptySet();
+ }
+
}
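Review bot: The three new package-private methods carry no Javadoc, and `getAllAssertionsByLocalname` is the helper the other hunks in this commit now route through when they drop their null checks. A Javadoc stating that it looks the localname up under both the SP1.1 and SP1.2 namespaces, merges the results into a new set, and always returns a non-null collection that is empty (and unmodifiable) when neither namespace matches would record the contract those callers rely on; the two `assertPolicy` overloads deserve one-liners saying they mark every matching assertion and return whether any was found. Two smaller points: the populated path returns a mutable `HashSet` while the empty path returns `Collections.emptySet()`, so a caller that adds to the result works only sometimes, and the `NegotiationUtils.` qualifier on L1418 is redundant inside the class itself.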
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java Thu May 23 13:17:26 2013
@@ -44,15 +44,16 @@ import org.apache.cxf.ws.addressing.JAXW
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.trust.STSUtils;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.conversation.ConversationException;
-import org.apache.ws.security.conversation.dkalgo.P_SHA1;
-import org.apache.ws.security.message.token.Reference;
-import org.apache.ws.security.message.token.SecurityTokenReference;
-import org.apache.ws.security.util.Base64;
-import org.apache.ws.security.util.WSSecurityUtil;
-import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.apache.wss4j.common.derivedKey.ConversationException;
+import org.apache.wss4j.common.derivedKey.P_SHA1;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.bsp.BSPEnforcer;
+import org.apache.wss4j.dom.message.token.Reference;
+import org.apache.wss4j.dom.message.token.SecurityTokenReference;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.dom.util.XmlSchemaDateFormat;
+import org.apache.xml.security.utils.Base64;
/**
* An abstract Invoker used by the Spnego and SecureConversationInInterceptors.
@@ -169,7 +170,8 @@ abstract class STSInvoker implements Inv
}
private SecurityToken findCancelToken(Exchange exchange, Element el) throws WSSecurityException {
- SecurityTokenReference ref = new SecurityTokenReference(DOMUtils.getFirstElement(el));
+ SecurityTokenReference ref =
+ new SecurityTokenReference(DOMUtils.getFirstElement(el), new BSPEnforcer());
String uri = ref.getReference().getURI();
TokenStore store = (TokenStore)exchange.get(Endpoint.class).getEndpointInfo()
.getProperty(TokenStore.class.getName());
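Review bot: `findCancelToken` now parses the cancel request's `SecurityTokenReference` under a freshly constructed default `BSPEnforcer`, which presumably applies the full Basic Security Profile rule set and is not derived from any per-endpoint configuration. A comment such as `// default BSPEnforcer: BSP rules are enforced on the STR of the cancel request` would make that deliberate, and if the endpoint's BSP-compliance setting is meant to govern this path as well, the enforcer should be built from that setting rather than the no-arg constructor. The method body continues outside the hunk.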
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SamlTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SamlTokenInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SamlTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SamlTokenInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -25,8 +25,9 @@ import java.util.Collection;
import javax.xml.namespace.QName;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
-import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.wss4j.SamlTokenInterceptor;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
/**
*
@@ -38,6 +39,7 @@ public class SamlTokenInterceptorProvide
ASSERTION_TYPES = new ArrayList<QName>();
ASSERTION_TYPES.add(SP12Constants.SAML_TOKEN);
+ ASSERTION_TYPES.add(SP11Constants.SAML_TOKEN);
}
public SamlTokenInterceptorProvider() {