Posted to commits@cxf.apache.org by co...@apache.org on 2013/07/25 15:02:43 UTC
svn commit: r1506950 -
/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
Author: coheigea
Date: Thu Jul 25 13:02:43 2013
New Revision: 1506950
URL: http://svn.apache.org/r1506950
Log:
Simplify asserting security policies for the streaming case
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java?rev=1506950&r1=1506949&r2=1506950&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java Thu Jul 25 13:02:43 2013
@@ -35,7 +35,6 @@ import org.apache.wss4j.policy.SP13Const
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AlgorithmSuite;
import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
-import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
/**
@@ -61,158 +60,25 @@ public class PolicyStaxActionInIntercept
return;
}
- verifyTokens(aim, incomingSecurityEventList);
- verifyPartsAndElements(aim, incomingSecurityEventList, soapMessage);
- verifyBindings(aim);
- }
-
- private void verifyPartsAndElements(
- AssertionInfoMap aim, List<SecurityEvent> incomingSecurityEventList,
- SoapMessage soapMessage
- ) {
- assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
- assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
- assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
- assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
- assertAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
-
- assertAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);
- assertAllAssertionsByLocalname(aim, SPConstants.REQUIRED_ELEMENTS);
- }
-
- private void verifyTokens(
- AssertionInfoMap aim, List<SecurityEvent> incomingSecurityEventList
- ) {
- // UsernameToken
- assertAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
- assertAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN10);
- assertAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN11);
- assertAllAssertionsByLocalname(aim, SPConstants.HASH_PASSWORD);
- assertAllAssertionsByLocalname(aim, SPConstants.NO_PASSWORD);
- Collection<AssertionInfo> sp13Ais = aim.get(SP13Constants.NONCE);
- if (sp13Ais != null) {
- for (AssertionInfo ai : sp13Ais) {
- ai.setAsserted(true);
- }
- }
- sp13Ais = aim.get(SP13Constants.CREATED);
- if (sp13Ais != null) {
- for (AssertionInfo ai : sp13Ais) {
- ai.setAsserted(true);
- }
- }
-
- // X509
- assertAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
- assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKCS7_TOKEN10);
- assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKCS7_TOKEN11);
- assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10);
- assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11);
- assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V1_TOKEN10);
- assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V1_TOKEN11);
- assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V3_TOKEN10);
- assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V3_TOKEN11);
-
- // SAML
- assertAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
- assertAllAssertionsByLocalname(aim, "WssSamlV11Token10");
- assertAllAssertionsByLocalname(aim, "WssSamlV11Token11");
- assertAllAssertionsByLocalname(aim, "WssSamlV20Token11");
-
- // SCT
- assertAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
- assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_EXTERNAL_URI_REFERENCE);
-
- for (SecurityEvent event : incomingSecurityEventList) {
- if (WSSecurityEventConstants.Timestamp == event.getSecurityEventType()) {
- assertAllAssertionsByLocalname(aim, "Timestamp");
- }
- }
-
- assertAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
- assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
- assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
- assertAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
- assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
- assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
- assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
- assertAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
- assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
- }
-
- private void verifyBindings(AssertionInfoMap aim) {
- assertAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
- assertAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
- assertAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
- assertAllAssertionsByLocalname(aim, SPConstants.PROTECTION_TOKEN);
- assertAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_TOKEN);
- assertAllAssertionsByLocalname(aim, SPConstants.INITIATOR_ENCRYPTION_TOKEN);
- assertAllAssertionsByLocalname(aim, SPConstants.INITIATOR_SIGNATURE_TOKEN);
- assertAllAssertionsByLocalname(aim, SPConstants.INITIATOR_TOKEN);
- assertAllAssertionsByLocalname(aim, SPConstants.RECIPIENT_ENCRYPTION_TOKEN);
- assertAllAssertionsByLocalname(aim, SPConstants.RECIPIENT_SIGNATURE_TOKEN);
- assertAllAssertionsByLocalname(aim, SPConstants.RECIPIENT_TOKEN);
- assertAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
-
- assertAllAssertionsByLocalname(aim, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
- assertAllAssertionsByLocalname(aim, SPConstants.PROTECT_TOKENS);
- assertAllAssertionsByLocalname(aim, SPConstants.INCLUDE_TIMESTAMP);
- assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPT_SIGNATURE);
- assertAllAssertionsByLocalname(aim, SPConstants.SIGN_BEFORE_ENCRYPTING);
- assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPT_BEFORE_SIGNING);
- assertAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
- assertAllAssertionsByLocalname(aim, SPConstants.LAYOUT_LAX);
- assertAllAssertionsByLocalname(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
- assertAllAssertionsByLocalname(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
- assertAllAssertionsByLocalname(aim, SPConstants.LAYOUT_STRICT);
- assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_DERIVED_KEYS);
- assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION);
-
- assertAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
+ assertAllSecurityAssertions(aim);
assertAllAlgorithmSuites(SP11Constants.SP_NS, aim);
assertAllAlgorithmSuites(SP12Constants.SP_NS, aim);
-
- assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
- assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
- assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_THUMBPRINT_REFERENCE);
- assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE);
- assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE);
- assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
-
- assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
- assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
- assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
- assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
- assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_ISSUED_TOKENS);
-
- assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_THUMBPRINT);
- assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY);
-
- assertAllAssertionsByLocalname(aim, SPConstants.KEY_VALUE_TOKEN);
- assertAllAssertionsByLocalname(aim, SPConstants.RSA_KEY_VALUE);
-
- assertAllAssertionsByLocalname(aim, SPConstants.WSS10);
- assertAllAssertionsByLocalname(aim, SPConstants.WSS11);
-
- assertAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
- assertAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
- assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_CLIENT_ENTROPY);
- assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_SERVER_ENTROPY);
}
- private void assertAllAssertionsByLocalname(AssertionInfoMap aim, String localname) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- if (sp11Ais != null) {
- for (AssertionInfo ai : sp11Ais) {
- ai.setAsserted(true);
- }
- }
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
- if (sp12Ais != null) {
- for (AssertionInfo ai : sp12Ais) {
- ai.setAsserted(true);
+ private void assertAllSecurityAssertions(AssertionInfoMap aim) {
+ for (QName key : aim.keySet()) {
+ if (SP11Constants.SP_NS.equals(key.getNamespaceURI())
+ || SP12Constants.SP_NS.equals(key.getNamespaceURI())
+ || SP13Constants.SP_NS.equals(key.getNamespaceURI())) {
+ Collection<AssertionInfo> ais = aim.get(key);
+ if (ais != null && !ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ }
}
}
+
}
private void assertAllAlgorithmSuites(String spNamespace, AssertionInfoMap aim) {
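Review bot: assertAllSecurityAssertions marks every assertion in the SP 1.1/1.2/1.3 namespaces as asserted without consulting the incoming security events, so each policy alternative is reported as satisfied regardless of what the streaming layer actually processed; the removed verifyTokens at least gated the "Timestamp" assertion on a matching WSSecurityEventConstants.Timestamp event, and that signal is no longer used. If the intent is that enforcement has already been performed upstream by the WSS4J streaming policy layer before this interceptor runs, that contract should be stated on the new method, e.g. a Javadoc reading `/** Marks every WS-SecurityPolicy assertion in the map as asserted. Enforcement is assumed to have been done by the streaming security layer before this interceptor is reached; this method only records the outcome for the policy framework. */`. The `!ais.isEmpty()` guard before the loop is redundant, since iterating an empty collection is a no-op, and `ais != null` alone would keep the same behaviour. The enclosing handleMessage method begins outside the hunk.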