Posted to commits@cxf.apache.org by co...@apache.org on 2013/10/25 16:13:30 UTC
svn commit: r1535747 - in
/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j:
./ policyhandlers/
Author: coheigea
Date: Fri Oct 25 14:13:29 2013
New Revision: 1535747
URL: http://svn.apache.org/r1535747
Log:
Some security refactoring
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java?rev=1535747&r1=1535746&r2=1535747&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java Fri Oct 25 14:13:29 2013
@@ -55,6 +55,9 @@ import org.apache.wss4j.dom.handler.WSHa
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AsymmetricBinding;
+import org.apache.wss4j.policy.model.SymmetricBinding;
+import org.apache.wss4j.policy.model.TransportBinding;
import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
@@ -144,12 +147,6 @@ public class PolicyBasedWSS4JStaxOutInte
private void checkAsymmetricBinding(
AssertionInfoMap aim, SoapMessage message
) throws WSSecurityException {
- Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
- if (ais.isEmpty()) {
- return;
- }
-
Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
if (s == null) {
s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
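Review bot: checkAsymmetricBinding no longer verifies that an AsymmetricBinding assertion is present (the caller in configureProperties now does), so the method's name and its `aim` parameter suggest a guard that is really a precondition; the same applies to checkTransportBinding and checkSymmetricBinding in the next two hunks. Add a Javadoc line such as `Precondition: the AIM contains an AsymmetricBinding assertion; configureProperties checks this before calling.` so the next maintainer does not reintroduce or rely on the removed early return. Whether `aim` is still read further down cannot be seen here; the method body continues past the hunk.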
@@ -184,12 +181,6 @@ public class PolicyBasedWSS4JStaxOutInte
private void checkTransportBinding(
AssertionInfoMap aim, SoapMessage message
) throws WSSecurityException {
- Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
- if (ais.isEmpty()) {
- return;
- }
-
Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
if (s == null) {
s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
@@ -224,12 +215,6 @@ public class PolicyBasedWSS4JStaxOutInte
private void checkSymmetricBinding(
AssertionInfoMap aim, SoapMessage message
) throws WSSecurityException {
- Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
- if (ais.isEmpty()) {
- return;
- }
-
Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
if (s == null) {
s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
@@ -341,21 +326,39 @@ public class PolicyBasedWSS4JStaxOutInte
SoapMessage msg, Map<String, SecurityTokenProvider<OutboundSecurityToken>> outboundTokens
) throws WSSecurityException {
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
- checkAsymmetricBinding(aim, msg);
- checkSymmetricBinding(aim, msg);
- checkTransportBinding(aim, msg);
+
+ Collection<AssertionInfo> asymAis =
+ getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ if (!asymAis.isEmpty()) {
+ checkAsymmetricBinding(aim, msg);
+ }
+
+ Collection<AssertionInfo> symAis =
+ getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ if (!symAis.isEmpty()) {
+ checkSymmetricBinding(aim, msg);
+ }
+
+ Collection<AssertionInfo> transAis =
+ getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ if (!transAis.isEmpty()) {
+ checkTransportBinding(aim, msg);
+ }
super.configureProperties(msg, outboundTokens);
- if (!getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING).isEmpty()) {
- new StaxTransportBindingHandler(getProperties(), msg, outboundTokens).handleBinding();
- } else if (!getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING).isEmpty()) {
- new StaxAsymmetricBindingHandler(getProperties(), msg, outboundTokens).handleBinding();
- } else if (!getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING).isEmpty()) {
- new StaxSymmetricBindingHandler(getProperties(), msg, outboundTokens).handleBinding();
+ if (!transAis.isEmpty()) {
+ TransportBinding binding = (TransportBinding)transAis.iterator().next().getAssertion();
+ new StaxTransportBindingHandler(getProperties(), msg, binding, outboundTokens).handleBinding();
+ } else if (!asymAis.isEmpty()) {
+ AsymmetricBinding binding = (AsymmetricBinding)asymAis.iterator().next().getAssertion();
+ new StaxAsymmetricBindingHandler(getProperties(), msg, binding, outboundTokens).handleBinding();
+ } else if (!symAis.isEmpty()) {
+ SymmetricBinding binding = (SymmetricBinding)symAis.iterator().next().getAssertion();
+ new StaxSymmetricBindingHandler(getProperties(), msg, binding, outboundTokens).handleBinding();
} else {
// Fall back to Transport Binding
- new StaxTransportBindingHandler(getProperties(), msg, outboundTokens).handleBinding();
+ new StaxTransportBindingHandler(getProperties(), msg, null, outboundTokens).handleBinding();
}
}
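Review bot: The fallback branch passes `null` as the binding to StaxTransportBindingHandler, so the new `AbstractStaxBindingHandler.binding` field is nullable on that path while the other three branches always hand over a model object; nothing at this call site says so. The `(TransportBinding)transAis.iterator().next().getAssertion()` casts also take the first of possibly several assertions unchecked, as the removed `getBinding` did. Add `// No binding assertion in the policy: the transport handler runs with a null TransportBinding` on the fallback so the nullability is explicit where it originates.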
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1535747&r1=1535746&r2=1535747&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Fri Oct 25 14:13:29 2013
@@ -128,7 +128,6 @@ import org.apache.wss4j.policy.model.Hea
import org.apache.wss4j.policy.model.IssuedToken;
import org.apache.wss4j.policy.model.KerberosToken;
import org.apache.wss4j.policy.model.KeyValueToken;
-import org.apache.wss4j.policy.model.Layout;
import org.apache.wss4j.policy.model.Layout.LayoutType;
import org.apache.wss4j.policy.model.SamlToken;
import org.apache.wss4j.policy.model.SamlToken.SamlTokenType;
@@ -298,8 +297,7 @@ public abstract class AbstractBindingBui
}
protected WSSecTimestamp createTimestamp() {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(SPConstants.INCLUDE_TIMESTAMP);
- if (!ais.isEmpty()) {
+ if (binding.isIncludeTimestamp()) {
Object o = message.getContextualProperty(SecurityConstants.TIMESTAMP_TTL);
int ttl = 300; //default is 300 seconds
if (o instanceof Number) {
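Review bot: `binding.isIncludeTimestamp()` replaces an AIM lookup that tolerated any state, so createTimestamp now throws an NPE if the builder's `binding` field is null; handleLayout in the following hunk does the same via `binding.getLayout()`. I cannot see from this diff how the DOM out interceptor constructs the builder, but the Stax side in this same commit deliberately passes a null binding for its transport fallback, so the assumption deserves a comment at the field or a null check in the constructor, e.g. `// binding is never null here: the DOM interceptor only builds a handler for an existing binding assertion`. The rest of createTimestamp is outside the hunk.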
@@ -313,6 +311,8 @@ public abstract class AbstractBindingBui
timestampEl = new WSSecTimestamp(wssConfig);
timestampEl.setTimeToLive(ttl);
timestampEl.prepare(saaj.getSOAPPart());
+
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(SPConstants.INCLUDE_TIMESTAMP);
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
}
@@ -321,63 +321,52 @@ public abstract class AbstractBindingBui
}
protected WSSecTimestamp handleLayout(WSSecTimestamp timestamp) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(SPConstants.LAYOUT);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- Layout layout = (Layout)ai.getAssertion();
- ai.setAsserted(true);
- if (layout.getLayoutType() == LayoutType.LaxTsLast) {
- if (timestamp == null) {
- ai.setNotAsserted(SPConstants.LAYOUT_LAX_TIMESTAMP_LAST + " requires a timestamp");
- } else {
- ai.setAsserted(true);
- assertPolicy(
- new QName(layout.getName().getNamespaceURI(),
- SPConstants.LAYOUT_LAX_TIMESTAMP_LAST));
- Element el = timestamp.getElement();
- secHeader.getSecurityHeader().appendChild(el);
- if (bottomUpElement == null) {
- bottomUpElement = el;
- }
- }
- } else if (layout.getLayoutType() == LayoutType.LaxTsFirst) {
- if (timestamp == null) {
- ai.setNotAsserted(SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST + " requires a timestamp");
- } else {
- addTopDownElement(timestampEl.getElement());
- assertPolicy(
- new QName(layout.getName().getNamespaceURI(),
- SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST));
+ if (binding.getLayout() != null) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(SPConstants.LAYOUT);
+ AssertionInfo ai = null;
+ for (AssertionInfo layoutAi : ais) {
+ layoutAi.setAsserted(true);
+ ai = layoutAi;
+ }
+
+ if (binding.getLayout().getLayoutType() == LayoutType.LaxTsLast) {
+ if (timestamp == null) {
+ ai.setNotAsserted(SPConstants.LAYOUT_LAX_TIMESTAMP_LAST + " requires a timestamp");
+ } else {
+ ai.setAsserted(true);
+ assertPolicy(
+ new QName(binding.getLayout().getName().getNamespaceURI(),
+ SPConstants.LAYOUT_LAX_TIMESTAMP_LAST));
+ Element el = timestamp.getElement();
+ secHeader.getSecurityHeader().appendChild(el);
+ if (bottomUpElement == null) {
+ bottomUpElement = el;
}
- } else if (timestampEl != null) {
+ }
+ } else if (binding.getLayout().getLayoutType() == LayoutType.LaxTsFirst) {
+ if (timestamp == null) {
+ ai.setNotAsserted(SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST + " requires a timestamp");
+ } else {
addTopDownElement(timestampEl.getElement());
+ assertPolicy(
+ new QName(binding.getLayout().getName().getNamespaceURI(),
+ SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST));
}
-
- assertPolicy(
- new QName(layout.getName().getNamespaceURI(), SPConstants.LAYOUT_LAX));
- assertPolicy(
- new QName(layout.getName().getNamespaceURI(), SPConstants.LAYOUT_STRICT));
- }
+ } else if (timestampEl != null) {
+ addTopDownElement(timestampEl.getElement());
+ }
+
+ assertPolicy(
+ new QName(binding.getLayout().getName().getNamespaceURI(), SPConstants.LAYOUT_LAX));
+ assertPolicy(
+ new QName(binding.getLayout().getName().getNamespaceURI(), SPConstants.LAYOUT_STRICT));
} else if (timestampEl != null) {
addTopDownElement(timestampEl.getElement());
}
return timestamp;
}
- protected void assertSupportingTokens(Collection<Assertion> suppTokens) {
- if (suppTokens == null) {
- return;
- }
- for (Assertion pa : suppTokens) {
- if (pa instanceof SupportingTokens) {
- for (AbstractToken token : ((SupportingTokens)pa).getTokens()) {
- this.assertPolicy(token);
- }
- }
- }
- }
-
- protected Map<AbstractToken, Object> handleSupportingTokens(
+ private Map<AbstractToken, Object> handleSupportingTokens(
Collection<Assertion> tokens,
boolean endorse
) throws WSSecurityException {
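Review bot: `AssertionInfo ai` stays null when `getAllAssertionsByLocalname(SPConstants.LAYOUT)` returns no entries while `binding.getLayout()` is non-null, so the two `ai.setNotAsserted(... " requires a timestamp")` calls throw an NPE instead of reporting the missing timestamp. The rewrite also keeps only the last Layout AssertionInfo where the old loop reported against every one, and the `ai.setAsserted(true)` in the LaxTsLast else-branch repeats what the loop already did. Drop the `ai` variable and iterate `ais` at the two failure points instead; the rest of the method is unchanged.
```java
if (binding.getLayout().getLayoutType() == LayoutType.LaxTsLast) {
    if (timestamp == null) {
        for (AssertionInfo layoutAi : ais) {
            layoutAi.setNotAsserted(SPConstants.LAYOUT_LAX_TIMESTAMP_LAST + " requires a timestamp");
        }
    } else {
        // … unchanged: assertPolicy(LAX_TIMESTAMP_LAST), append timestamp element to the security header …
    }
} else if (binding.getLayout().getLayoutType() == LayoutType.LaxTsFirst) {
    if (timestamp == null) {
        for (AssertionInfo layoutAi : ais) {
            layoutAi.setNotAsserted(SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST + " requires a timestamp");
        }
    } else {
        // … unchanged: addTopDownElement, assertPolicy(LAX_TIMESTAMP_FIRST) …
    }
}
```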
@@ -393,13 +382,6 @@ public abstract class AbstractBindingBui
}
protected Map<AbstractToken, Object> handleSupportingTokens(
- SupportingTokens suppTokens,
- boolean endorse
- ) throws WSSecurityException {
- return handleSupportingTokens(suppTokens, endorse, new HashMap<AbstractToken, Object>());
- }
-
- protected Map<AbstractToken, Object> handleSupportingTokens(
SupportingTokens suppTokens,
boolean endorse,
Map<AbstractToken, Object> ret
@@ -408,16 +390,18 @@ public abstract class AbstractBindingBui
return ret;
}
for (AbstractToken token : suppTokens.getTokens()) {
+ assertToken(token);
+ if (!isTokenRequired(token.getIncludeTokenType())) {
+ continue;
+ }
if (token instanceof UsernameToken) {
handleUsernameTokenSupportingToken(
(UsernameToken)token, endorse, suppTokens.isEncryptedToken(), ret
);
- } else if (isRequestor()
- && (token instanceof IssuedToken
+ } else if (token instanceof IssuedToken
|| token instanceof SecureConversationToken
|| token instanceof SecurityContextToken
- || token instanceof KerberosToken)) {
- assertToken(token);
+ || token instanceof KerberosToken) {
//ws-trust/ws-sc stuff.......
SecurityToken secToken = getSecurityToken();
if (secToken == null) {
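Review bot: Dropping `isRequestor()` from the IssuedToken/SecureConversationToken/SecurityContextToken/KerberosToken branch means the responder now enters the WS-Trust path whenever `isTokenRequired(token.getIncludeTokenType())` holds; nothing in the hunk shows what `getSecurityToken()` returns on that side, and the `if (secToken == null)` handling continues past the hunk, so `policyNotAsserted` must throw or the code below it will dereference null. A comment stating the new contract would help: `// Direction is decided by the IncludeToken type (isTokenRequired), no longer by isRequestor()`. The same change is made in AbstractStaxBindingHandler's `@@ -655,6 +654,11 @@` and `@@ -736,7 +679,7 @@` hunks.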
@@ -483,7 +467,6 @@ public abstract class AbstractBindingBui
} else if (token instanceof X509Token) {
//We have to use a cert
//Prepare X509 signature
- assertToken(token);
WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
Element bstElem = sig.getBinarySecurityTokenElement();
if (bstElem != null) {
@@ -495,7 +478,6 @@ public abstract class AbstractBindingBui
}
ret.put(token, sig);
} else if (token instanceof KeyValueToken) {
- assertToken(token);
WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
if (suppTokens.isEncryptedToken()) {
WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
@@ -697,7 +679,7 @@ public abstract class AbstractBindingBui
protected WSSecUsernameToken addUsernameToken(UsernameToken token) {
assertToken(token);
- if (!isRequestor()) {
+ if (!isTokenRequired(token.getIncludeTokenType())) {
return null;
}
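Review bot: Replacing `isRequestor()` with `isTokenRequired(token.getIncludeTokenType())` lets the responder add a UsernameToken when the IncludeToken type requires it (here and in addDKUsernameToken and addSamlToken in the next two hunks), so the server-side callback handler must now be able to supply those credentials; that is a behaviour change the log message "Some security refactoring" does not mention. Because `assertToken(token)` runs before the check, a token that is not required is asserted without being created, which is reasonable but worth stating: `@return the prepared token, or null when the token is not required for this message direction`.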
@@ -755,7 +737,7 @@ public abstract class AbstractBindingBui
protected WSSecUsernameToken addDKUsernameToken(UsernameToken token, boolean useMac) {
assertToken(token);
- if (!isRequestor()) {
+ if (!isTokenRequired(token.getIncludeTokenType())) {
return null;
}
@@ -791,7 +773,7 @@ public abstract class AbstractBindingBui
protected SamlAssertionWrapper addSamlToken(SamlToken token) throws WSSecurityException {
assertToken(token);
- if (!isRequestor()) {
+ if (!isTokenRequired(token.getIncludeTokenType())) {
return null;
}
@@ -1999,22 +1981,6 @@ public abstract class AbstractBindingBui
signatures.add(sig.getSignatureValue());
}
- protected void assertSupportingTokens(List<WSEncryptionPart> sigs) {
- assertSupportingTokens(findAndAssertPolicy(SP12Constants.SIGNED_SUPPORTING_TOKENS));
- assertSupportingTokens(findAndAssertPolicy(SP11Constants.SIGNED_SUPPORTING_TOKENS));
- assertSupportingTokens(findAndAssertPolicy(SP12Constants.ENDORSING_SUPPORTING_TOKENS));
- assertSupportingTokens(findAndAssertPolicy(SP11Constants.ENDORSING_SUPPORTING_TOKENS));
- assertSupportingTokens(findAndAssertPolicy(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS));
- assertSupportingTokens(findAndAssertPolicy(SP11Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS));
- assertSupportingTokens(findAndAssertPolicy(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS));
- assertSupportingTokens(findAndAssertPolicy(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS));
- assertSupportingTokens(findAndAssertPolicy(SP12Constants
- .SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS));
- assertSupportingTokens(findAndAssertPolicy(SP12Constants.SUPPORTING_TOKENS));
- assertSupportingTokens(findAndAssertPolicy(SP11Constants.SUPPORTING_TOKENS));
- assertSupportingTokens(findAndAssertPolicy(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS));
- }
-
protected void addSupportingTokens(List<WSEncryptionPart> sigs) throws WSSecurityException {
Collection<Assertion> sgndSuppTokens =
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java?rev=1535747&r1=1535746&r2=1535747&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java Fri Oct 25 14:13:29 2013
@@ -47,7 +47,6 @@ import org.apache.wss4j.policy.SP12Const
import org.apache.wss4j.policy.SP13Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
-import org.apache.wss4j.policy.model.AbstractBinding;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.AbstractTokenWrapper;
import org.apache.wss4j.policy.model.AlgorithmSuite;
@@ -447,26 +446,6 @@ public abstract class AbstractCommonBind
return null;
}
- protected AbstractBinding getBinding(AssertionInfoMap aim) {
- Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
- if (ais != null && ais.size() > 0) {
- return (AbstractBinding)ais.iterator().next().getAssertion();
- }
-
- ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
- if (ais != null && ais.size() > 0) {
- return (AbstractBinding)ais.iterator().next().getAssertion();
- }
-
- ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
- if (ais != null && ais.size() > 0) {
- return (AbstractBinding)ais.iterator().next().getAssertion();
- }
-
- return null;
- }
-
protected boolean isRequestor() {
return MessageUtils.isRequestor(message);
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java?rev=1535747&r1=1535746&r2=1535747&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java Fri Oct 25 14:13:29 2013
@@ -118,14 +118,17 @@ public abstract class AbstractStaxBindin
protected Map<String, SecurityTokenProvider<OutboundSecurityToken>> outboundTokens;
private final Map<String, Object> properties;
+ private AbstractBinding binding;
public AbstractStaxBindingHandler(
Map<String, Object> properties,
SoapMessage msg,
+ AbstractBinding binding,
Map<String, SecurityTokenProvider<OutboundSecurityToken>> outboundTokens
) {
super(msg);
this.properties = properties;
+ this.binding = binding;
this.outboundTokens = outboundTokens;
}
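Review bot: `private AbstractBinding binding;` is assigned only in the constructor and should be `private final AbstractBinding binding;`. The out interceptor in this commit passes `null` for the transport fallback, so document the nullability at the field, `/** Binding assertion driving this handler; null when the policy names no binding and the transport fallback is used. */` — `configureTimestamp` already guards `binding != null`, but nothing else tells subclasses they must.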
@@ -484,7 +487,6 @@ public abstract class AbstractStaxBindin
}
protected void configureTimestamp(AssertionInfoMap aim) {
- AbstractBinding binding = getBinding(aim);
if (binding != null && binding.isIncludeTimestamp()) {
timestampAdded = true;
assertPolicy(new QName(binding.getName().getNamespaceURI(), SPConstants.INCLUDE_TIMESTAMP));
@@ -548,9 +550,6 @@ public abstract class AbstractStaxBindin
}
}
- AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- AbstractBinding binding = getBinding(aim);
-
config.put(ConfigurationConstants.SIG_KEY_ID, getKeyIdentifierType(wrapper, token));
// Find out do we also need to include the token as per the Inclusion requirement
@@ -655,6 +654,11 @@ public abstract class AbstractStaxBindin
return ret;
}
for (AbstractToken token : suppTokens.getTokens()) {
+ assertToken(token);
+ if (!isTokenRequired(token.getIncludeTokenType())) {
+ continue;
+ }
+
if (token instanceof UsernameToken) {
handleUsernameTokenSupportingToken(
(UsernameToken)token, endorse, suppTokens.isEncryptedToken(), ret
@@ -664,70 +668,9 @@ public abstract class AbstractStaxBindin
|| token instanceof SecureConversationToken
|| token instanceof SecurityContextToken
|| token instanceof KerberosToken)) {
- //ws-trust/ws-sc stuff.......
- SecurityToken secToken = getSecurityToken();
- if (secToken == null) {
- policyNotAsserted(token, "Could not find IssuedToken");
- }
- Element clone = cloneElement(secToken.getToken());
- secToken.setToken(clone);
- addSupportingElement(clone);
-
- String id = secToken.getId();
- if (id != null && id.charAt(0) == '#') {
- id = id.substring(1);
- }
- if (suppTokens.isEncryptedToken()) {
- WSEncryptionPart part = new WSEncryptionPart(id, "Element");
- part.setElement(clone);
- encryptedTokensList.add(part);
- }
-
- if (secToken.getX509Certificate() == null) {
- ret.put(token, new WSSecurityTokenHolder(wssConfig, secToken));
- } else {
- WSSecSignature sig = new WSSecSignature(wssConfig);
- sig.setX509Certificate(secToken.getX509Certificate());
- sig.setCustomTokenId(id);
- sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- String tokenType = secToken.getTokenType();
- if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
- || WSConstants.SAML_NS.equals(tokenType)) {
- sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
- } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
- || WSConstants.SAML2_NS.equals(tokenType)) {
- sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
- } else if (tokenType != null) {
- sig.setCustomTokenValueType(tokenType);
- } else {
- sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
- }
- sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
- sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
-
- Crypto crypto = secToken.getCrypto();
- String uname = null;
- try {
- uname = crypto.getX509Identifier(secToken.getX509Certificate());
- } catch (WSSecurityException e1) {
- LOG.log(Level.FINE, e1.getMessage(), e1);
- throw new Fault(e1);
- }
-
- String password = getPassword(uname, token, WSPasswordCallback.Usage.SIGNATURE);
- sig.setUserInfo(uname, password);
- try {
- sig.prepare(saaj.getSOAPPart(), secToken.getCrypto(), secHeader);
- } catch (WSSecurityException e) {
- LOG.log(Level.FINE, e.getMessage(), e);
- throw new Fault(e);
- }
-
- ret.put(token, sig);
- }
} */
- } else if (isRequestor() && token instanceof IssuedToken) {
+ } else if (token instanceof IssuedToken) {
SecurityToken sigTok = getSecurityToken();
SecurePart securePart = addIssuedToken((IssuedToken)token, sigTok, signed, endorse);
if (securePart != null) {
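Review bot: The removed lines were the body of a branch that sits entirely inside a block comment (`} */` on the context line closes it), so after this hunk only the commented-out condition remains — `|| token instanceof SecureConversationToken … || token instanceof KerberosToken)) {` followed directly by `} */`, a fragment with no body. Since the `/*` and the start of that condition are above the hunk, remove the rest of the block comment as well so the live `} else if (token instanceof IssuedToken) {` branch is not preceded by dead text.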
@@ -736,7 +679,7 @@ public abstract class AbstractStaxBindin
encryptedTokensList.add(securePart);
}
}
- } else if (isRequestor() && token instanceof KerberosToken) {
+ } else if (token instanceof KerberosToken) {
SecurePart securePart = addKerberosToken((KerberosToken)token, signed, endorse, false);
if (securePart != null) {
ret.put(token, securePart);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1535747&r1=1535746&r2=1535747&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Fri Oct 25 14:13:29 2013
@@ -327,16 +327,13 @@ public class AsymmetricBindingHandler ex
sigParts.add(timestampPart);
}
- if (isRequestor()) {
- try {
- addSupportingTokens(sigParts);
- } catch (WSSecurityException ex) {
- LOG.log(Level.FINE, ex.getMessage(), ex);
- policyNotAsserted(encryptionToken, ex);
- }
- } else {
- addSignatureConfirmation(sigParts);
+ try {
+ addSupportingTokens(sigParts);
+ } catch (WSSecurityException ex) {
+ LOG.log(Level.FINE, ex.getMessage(), ex);
+ policyNotAsserted(encryptionToken, ex);
}
+ addSignatureConfirmation(sigParts);
try {
if (sigParts.size() > 0) {
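Review bot: `addSignatureConfirmation(sigParts)` is now invoked on the requestor side as well, since the `if (isRequestor()) … else` split around it is gone. Unless `addSignatureConfirmation` itself checks `isRequestor()` — its body is not visible here — the client would emit wsse11:SignatureConfirmation in requests, which WS-Security 1.1 reserves for responses. Keep it under `if (!isRequestor()) { addSignatureConfirmation(sigParts); }`, as StaxSymmetricBindingHandler does in this same commit.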
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java?rev=1535747&r1=1535746&r2=1535747&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java Fri Oct 25 14:13:29 2013
@@ -71,16 +71,17 @@ public class StaxAsymmetricBindingHandle
public StaxAsymmetricBindingHandler(
Map<String, Object> properties,
SoapMessage msg,
+ AsymmetricBinding abinding,
Map<String, SecurityTokenProvider<OutboundSecurityToken>> outboundTokens
) {
- super(properties, msg, outboundTokens);
+ super(properties, msg, abinding, outboundTokens);
this.message = msg;
+ this.abinding = abinding;
}
public void handleBinding() {
AssertionInfoMap aim = getMessage().get(AssertionInfoMap.class);
configureTimestamp(aim);
- abinding = (AsymmetricBinding)getBinding(aim);
assertPolicy(abinding.getName());
String asymSignatureAlgorithm =
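Review bot: `assertPolicy(abinding.getName())` now depends on the constructor argument rather than the removed `getBinding(aim)` lookup, and the constructor stores `abinding` without checking it, so a null passed here fails with an NPE inside handleBinding rather than at construction. A guard in the constructor, `if (abinding == null) { throw new IllegalArgumentException("abinding must not be null"); }`, keeps the failure next to its cause; the same applies to the StaxSymmetricBindingHandler constructor hunk. handleBinding continues past the hunk.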
@@ -154,7 +155,6 @@ public class StaxAsymmetricBindingHandle
if (isRequestor() && initiatorWrapper != null) {
doSignature(initiatorWrapper, sigs);
- //doEndorse();
} else if (!isRequestor()) {
//confirm sig
addSignatureConfirmation(sigs);
@@ -286,9 +286,10 @@ public class StaxAsymmetricBindingHandle
throw new Fault(ex);
}
+ addSupportingTokens();
+
if (encryptionToken != null && encrParts.size() > 0) {
if (isRequestor()) {
- addSupportingTokens();
encrParts.addAll(encryptedTokensList);
} else {
addSignatureConfirmation(sigParts);
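Review bot: `addSupportingTokens()` is now called unconditionally, but `encrParts.addAll(encryptedTokensList)` two lines below stays under `isRequestor()`. If `addSupportingTokens()` fills `encryptedTokensList` on the responder side — its body is outside this hunk — those EncryptedSupportingTokens would be added to the header but never encrypted. Either merge the list into `encrParts` regardless of side, or add a comment explaining why responder-side encrypted supporting tokens are not expected. The same pattern appears in StaxSymmetricBindingHandler at `@@ -228,9 +227,10 @@`.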
@@ -311,14 +312,14 @@ public class StaxAsymmetricBindingHandle
doEncryption(wrapper, encrParts, true);
}
+ if (timestampAdded) {
+ SecurePart part =
+ new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
+ sigParts.add(part);
+ }
+
if (sigParts.size() > 0) {
- if (timestampAdded) {
- SecurePart part =
- new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
- sigParts.add(part);
- }
-
- if ((sigParts.size() > 0) && initiatorWrapper != null && isRequestor()) {
+ if (initiatorWrapper != null && isRequestor()) {
doSignature(initiatorWrapper, sigParts);
} else if (!isRequestor()) {
AbstractTokenWrapper recipientSignatureToken = abinding.getRecipientSignatureToken();
@@ -331,10 +332,6 @@ public class StaxAsymmetricBindingHandle
doSignature(recipientSignatureToken, sigParts);
}
}
-
- //if (isRequestor()) {
- // doEndorse();
- //}
}
} catch (Exception e) {
String reason = e.getMessage();
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java?rev=1535747&r1=1535746&r2=1535747&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java Fri Oct 25 14:13:29 2013
@@ -81,10 +81,12 @@ public class StaxSymmetricBindingHandler
public StaxSymmetricBindingHandler(
Map<String, Object> properties,
SoapMessage msg,
+ SymmetricBinding sbinding,
Map<String, SecurityTokenProvider<OutboundSecurityToken>> outboundTokens
) {
- super(properties, msg, outboundTokens);
+ super(properties, msg, sbinding, outboundTokens);
this.message = msg;
+ this.sbinding = sbinding;
}
private AbstractTokenWrapper getSignatureToken() {
@@ -104,7 +106,6 @@ public class StaxSymmetricBindingHandler
public void handleBinding() {
AssertionInfoMap aim = getMessage().get(AssertionInfoMap.class);
configureTimestamp(aim);
- sbinding = (SymmetricBinding)getBinding(aim);
assertPolicy(sbinding.getName());
String asymSignatureAlgorithm =
@@ -155,8 +156,6 @@ public class StaxSymmetricBindingHandler
assertTokenWrapper(encryptionWrapper);
AbstractToken encryptionToken = encryptionWrapper.getToken();
- //The encryption token can be an IssuedToken or a
- //SecureConversationToken
String tokenId = null;
SecurityToken tok = null;
if (encryptionToken instanceof KerberosToken) {
@@ -228,9 +227,10 @@ public class StaxSymmetricBindingHandler
throw new Fault(ex);
}
+ addSupportingTokens();
+
if (encryptionToken != null && encrParts.size() > 0) {
if (isRequestor()) {
- addSupportingTokens();
encrParts.addAll(encryptedTokensList);
} else {
addSignatureConfirmation(sigParts);
@@ -246,27 +246,25 @@ public class StaxSymmetricBindingHandler
}
doEncryption(encryptionWrapper, encrParts, true);
- if (timestampAdded) {
- SecurePart part =
- new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
- sigParts.add(part);
- }
- sigParts.addAll(this.getSignedParts());
+ }
+
+ if (timestampAdded) {
+ SecurePart part =
+ new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
+ sigParts.add(part);
+ }
+ sigParts.addAll(this.getSignedParts());
+ if (sigParts.size() > 0) {
AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
- if ((sigParts.size() > 0) && sigAbstractTokenWrapper != null && isRequestor()) {
+ if (sigAbstractTokenWrapper != null && isRequestor()) {
doSignature(sigAbstractTokenWrapper, sigToken, tok, sigParts);
} else if (!isRequestor()) {
addSignatureConfirmation(sigParts);
- if (!sigParts.isEmpty()) {
- doSignature(sigAbstractTokenWrapper, sigToken, tok, sigParts);
- }
+ doSignature(sigAbstractTokenWrapper, sigToken, tok, sigParts);
}
- //if (isRequestor()) {
- // doEndorse();
- //}
}
} catch (RuntimeException ex) {
throw ex;
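Review bot: `AbstractToken sigToken = sigAbstractTokenWrapper.getToken();` dereferences the wrapper before the retained `sigAbstractTokenWrapper != null && isRequestor()` check, so that check is dead and a missing signature token surfaces as an NPE through the `catch (RuntimeException ex)` rethrow; the responder branch now also calls `doSignature` with the wrapper unconditionally. Move the `getToken()` call into the branches after the null check, or drop the check and report the missing token as a policy fault. The enclosing method continues past the hunk.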
@@ -355,21 +353,17 @@ public class StaxSymmetricBindingHandler
}
sigs.addAll(this.getSignedParts());
- if (isRequestor()) {
- if (!sigs.isEmpty()) {
- doSignature(sigAbstractTokenWrapper, sigToken, sigTok, sigs);
- }
- // doEndorse();
- } else {
+ if (!isRequestor()) {
addSignatureConfirmation(sigs);
- if (!sigs.isEmpty()) {
- doSignature(sigAbstractTokenWrapper, sigToken, sigTok, sigs);
- }
}
+ if (!sigs.isEmpty()) {
+ doSignature(sigAbstractTokenWrapper, sigToken, sigTok, sigs);
+ }
+
+ addSupportingTokens();
+
if (isRequestor()) {
- addSupportingTokens();
-
Map<String, Object> config = getProperties();
if (config.containsKey(ConfigurationConstants.ACTION)) {
String action = (String)config.get(ConfigurationConstants.ACTION);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java?rev=1535747&r1=1535746&r2=1535747&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java Fri Oct 25 14:13:29 2013
@@ -37,8 +37,9 @@ import org.apache.cxf.ws.policy.Assertio
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
-import org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractStaxBindingHandler.TokenStoreCallbackHandler;
import org.apache.wss4j.common.ConfigurationConstants;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
@@ -75,9 +76,11 @@ public class StaxTransportBindingHandler
public StaxTransportBindingHandler(
Map<String, Object> properties,
SoapMessage msg,
+ TransportBinding tbinding,
Map<String, SecurityTokenProvider<OutboundSecurityToken>> outboundTokens
) {
- super(properties, msg, outboundTokens);
+ super(properties, msg, tbinding, outboundTokens);
+ this.tbinding = tbinding;
}
public void handleBinding() {
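Review bot: The constructor stores `tbinding` without documenting whether `null` is acceptable, while `handleBinding` in the next hunk still guards with `if (tbinding != null)`, so a caller cannot tell from the signature whether a missing transport binding is a supported state or an error. A Javadoc `@param tbinding the {@code TransportBinding} assertion resolved by the caller, or {@code null} when the policy carries none` would settle it, once confirmed against the interceptor that now constructs this handler. `tbinding` is also passed to `super(...)` and stored again in this class; if the base class already keeps it, the duplicate field deserves a comment saying why, or removal.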
@@ -85,7 +88,6 @@ public class StaxTransportBindingHandler
configureTimestamp(aim);
if (this.isRequestor()) {
- tbinding = (TransportBinding)getBinding(aim);
if (tbinding != null) {
assertPolicy(tbinding.getName());
String asymSignatureAlgorithm =
@@ -128,6 +130,10 @@ public class StaxTransportBindingHandler
assertWSSProperties(tbinding.getName().getNamespaceURI());
assertTrustProperties(tbinding.getName().getNamespaceURI());
}
+ assertPolicy(SP12Constants.SIGNED_PARTS);
+ assertPolicy(SP11Constants.SIGNED_PARTS);
+ assertPolicy(SP12Constants.ENCRYPTED_PARTS);
+ assertPolicy(SP11Constants.ENCRYPTED_PARTS);
}
/**
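Review bot: `SignedParts` and `EncryptedParts` are asserted without reference to `tbinding` or to the transport actually in use (whether the new lines sit inside or outside the requestor branch cannot be told from the visible braces), so the policy verifier will report those parts as protected even though this handler applies no message-level signature or encryption. That is correct only when integrity and confidentiality are guaranteed by the transport, which this code does not check; if that check is performed via the HttpsToken assertion elsewhere, a comment `// SignedParts/EncryptedParts are satisfied by the secured transport (HttpsToken), not by message-level protection` should say so here. The identical addition in the TransportBindingHandler hunk of this commit has the same gap. `handleBinding` starts outside the hunk.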
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1535747&r1=1535746&r2=1535747&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java Fri Oct 25 14:13:29 2013
@@ -115,11 +115,6 @@ public class SymmetricBindingHandler ext
handleLayout(timestamp);
assertPolicy(sbinding.getName());
- if (isRequestor()) {
- //Setup required tokens
- initializeTokens();
- }
-
if (sbinding.getProtectionOrder()
== AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
doEncryptBeforeSign();
@@ -138,22 +133,6 @@ public class SymmetricBindingHandler ext
new QName(sbinding.getName().getNamespaceURI(), SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
}
- private void initializeTokens() {
- //Setting up encryption token and signature token
- /*
- Token sigTok = getSignatureToken().getToken();
- //Token encrTok = getEncryptionToken().getToken();
-
- if (sigTok instanceof IssuedToken) {
- //IssuedToken issuedToken = (IssuedToken)sigTok;
-
- //REVISIT - WS-Trust STS token retrieval
- } else if (sigTok instanceof SecureConversationToken) {
- //REVISIT - SecureConversation token retrieval
- }
- */
- }
-
private void doEncryptBeforeSign() {
try {
AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
@@ -206,7 +185,6 @@ public class SymmetricBindingHandler ext
}
boolean attached = false;
-
if (isTokenRequired(encryptionToken.getIncludeTokenType())) {
Element el = tok.getToken();
this.addEncryptedKeyElement(cloneElement(el));
@@ -227,9 +205,8 @@ public class SymmetricBindingHandler ext
sigParts.add(timestampPart);
}
- if (isRequestor()) {
- this.addSupportingTokens(sigParts);
- } else {
+ addSupportingTokens(sigParts);
+ if (!isRequestor()) {
addSignatureConfirmation(sigParts);
}
@@ -359,15 +336,14 @@ public class SymmetricBindingHandler ext
sigs.add(timestampPart);
}
+ addSupportingTokens(sigs);
if (isRequestor()) {
- addSupportingTokens(sigs);
if (!sigs.isEmpty()) {
signatures.add(doSignature(sigs, sigAbstractTokenWrapper, sigToken, sigTok, tokIncluded));
}
doEndorse();
} else {
//confirm sig
- assertSupportingTokens(sigs);
addSignatureConfirmation(sigs);
if (!sigs.isEmpty()) {
doSignature(sigs, sigAbstractTokenWrapper, sigToken, sigTok, tokIncluded);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1535747&r1=1535746&r2=1535747&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Fri Oct 25 14:13:29 2013
@@ -22,6 +22,7 @@ package org.apache.cxf.ws.security.wss4j
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
+import java.util.HashMap;
import java.util.List;
import java.util.logging.Level;
@@ -54,6 +55,8 @@ import org.apache.wss4j.dom.message.WSSe
import org.apache.wss4j.dom.message.WSSecTimestamp;
import org.apache.wss4j.dom.message.WSSecUsernameToken;
import org.apache.wss4j.dom.message.token.SecurityTokenReference;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
@@ -173,6 +176,10 @@ public class TransportBindingHandler ext
assertWSSProperties(tbinding.getName().getNamespaceURI());
assertTrustProperties(tbinding.getName().getNamespaceURI());
}
+ assertPolicy(SP12Constants.SIGNED_PARTS);
+ assertPolicy(SP11Constants.SIGNED_PARTS);
+ assertPolicy(SP12Constants.ENCRYPTED_PARTS);
+ assertPolicy(SP11Constants.ENCRYPTED_PARTS);
}
/**
@@ -220,7 +227,7 @@ public class TransportBindingHandler ext
SupportingTokens suppTokens = (SupportingTokens)ai.getAssertion();
if (suppTokens != null && suppTokens.getTokens() != null
&& suppTokens.getTokens().size() > 0) {
- handleSupportingTokens(suppTokens, false);
+ handleSupportingTokens(suppTokens, false, new HashMap<AbstractToken, Object>());
}
ai.setAsserted(true);
}
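Review bot: The new third argument is a fresh `HashMap` that nothing else references, so whatever `handleSupportingTokens` records in it is discarded by this caller; the parameter's role (cache versus output) is not visible from this hunk. A comment such as `// throwaway map: this caller does not reuse the per-token results` on the call would make it clear that the discard is intentional rather than a missed wiring. The enclosing method starts outside the hunk.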