Posted to commits@ws.apache.org by gi...@apache.org on 2012/02/29 21:54:56 UTC
svn commit: r1295267 [2/11] - in /webservices/wss4j/branches/swssf:
rampart-policy/src/main/java/org/apache/ws/secpolicy/builders/
streaming-ws-policy/src/main/java/org/swssf/policy/
streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ s...
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ContentEncryptedElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ContentEncryptedElementsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ContentEncryptedElementsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ContentEncryptedElementsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,11 +24,14 @@ import org.apache.ws.secpolicy.model.Abs
import org.apache.ws.secpolicy.model.ContentEncryptedElements;
import org.apache.ws.secpolicy.model.XPath;
import org.swssf.policy.Assertable;
+import org.swssf.policy.PolicyUtils;
+import org.swssf.wss.ext.WSSUtils;
import org.swssf.wss.securityEvent.ContentEncryptedElementSecurityEvent;
import org.swssf.wss.securityEvent.SecurityEvent;
import javax.xml.namespace.QName;
import java.util.ArrayList;
+import java.util.Iterator;
import java.util.List;
/**
@@ -37,7 +40,7 @@ import java.util.List;
*/
public class ContentEncryptedElementsAssertionState extends AssertionState implements Assertable {
- private List<QName> elements = new ArrayList<QName>();
+ private List<List<QName>> pathElements = new ArrayList<List<QName>>();
public ContentEncryptedElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
super(assertion, asserted);
@@ -45,17 +48,8 @@ public class ContentEncryptedElementsAss
ContentEncryptedElements contentEncryptedElements = (ContentEncryptedElements) assertion;
for (int i = 0; i < contentEncryptedElements.getXPaths().size(); i++) {
XPath xPath = contentEncryptedElements.getXPaths().get(i);
- String[] xPathElements = xPath.getXPath().split("/");
- String[] xPathElement = xPathElements[xPathElements.length - 1].split(":");
- if (xPathElement.length == 2) {
- String ns = xPath.getPrefixNamespaceMap().get(xPathElement[0]);
- if (ns == null) {
- throw new IllegalArgumentException("Namespace not declared");
- }
- elements.add(new QName(ns, xPathElement[1]));
- } else {
- elements.add(new QName(xPathElement[1]));
- }
+ List<QName> elements = PolicyUtils.getElementPath(xPath);
+ pathElements.add(elements);
}
}
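Review bot: The explicit `Namespace not declared` rejection that the removed `IllegalArgumentException` branch performed is now delegated to `PolicyUtils.getElementPath(xPath)`, which is not visible in this diff; if that helper returns an unqualified QName for an undeclared prefix instead of throwing, the resulting path silently never matches and the element is never checked. Confirm the helper still fails loudly, and note the same substitution is made in the constructor hunks of EncryptedElementsAssertionState and RequiredElementsAssertionState. The temporary `elements` local is redundant: `pathElements.add(PolicyUtils.getElementPath(xPath));`. The constructor's opening line lies in the previous hunk.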
@@ -69,23 +63,23 @@ public class ContentEncryptedElementsAss
@Override
public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent = (ContentEncryptedElementSecurityEvent) securityEvent;
- //todo better matching until we have a streaming xpath evaluation engine (work in progress)
- for (int i = 0; i < elements.size(); i++) {
- QName qName = elements.get(i);
- if (qName.equals(contentEncryptedElementSecurityEvent.getElement())) {
+ Iterator<List<QName>> pathElementIterator = pathElements.iterator();
+ while (pathElementIterator.hasNext()) {
+ List<QName> pathElements = pathElementIterator.next();
+ if (WSSUtils.pathMatches(pathElements, contentEncryptedElementSecurityEvent.getElementPath(), true, false)) {
if (contentEncryptedElementSecurityEvent.isEncrypted()) {
setAsserted(true);
return true;
} else {
- //an element must be signed but isn't
+ //an element must be encrypted but isn't
setAsserted(false);
- setErrorMessage("content of element " + contentEncryptedElementSecurityEvent.getElement() + " must be encrypted");
+ setErrorMessage("content of element " + WSSUtils.pathAsString(contentEncryptedElementSecurityEvent.getElementPath()) + " must be encrypted");
return false;
}
}
}
- //if we return false here other signed elements will trigger a PolicyViolationException
+ //if we return false here other encrypted elements will trigger a PolicyViolationException
return true;
}
}
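Review bot: The local `List<QName> pathElements` declared inside the while loop shadows the field of the same name introduced in an earlier hunk, which makes the `pathMatches` call read as if it compared the whole collection; rename it and drop the explicit Iterator, e.g. `for (List<QName> candidatePath : pathElements) {` / `if (WSSUtils.pathMatches(candidatePath, contentEncryptedElementSecurityEvent.getElementPath(), true, false)) {`. The assertEvent hunk of EncryptedElementsAssertionState has the identical shadowing. The method is complete within this hunk.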
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedElementsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedElementsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedElementsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,11 +24,14 @@ import org.apache.ws.secpolicy.model.Abs
import org.apache.ws.secpolicy.model.EncryptedElements;
import org.apache.ws.secpolicy.model.XPath;
import org.swssf.policy.Assertable;
+import org.swssf.policy.PolicyUtils;
+import org.swssf.wss.ext.WSSUtils;
import org.swssf.wss.securityEvent.EncryptedElementSecurityEvent;
import org.swssf.wss.securityEvent.SecurityEvent;
import javax.xml.namespace.QName;
import java.util.ArrayList;
+import java.util.Iterator;
import java.util.List;
/**
@@ -37,7 +40,7 @@ import java.util.List;
*/
public class EncryptedElementsAssertionState extends AssertionState implements Assertable {
- private List<QName> elements = new ArrayList<QName>();
+ private List<List<QName>> pathElements = new ArrayList<List<QName>>();
public EncryptedElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
super(assertion, asserted);
@@ -45,17 +48,8 @@ public class EncryptedElementsAssertionS
EncryptedElements encryptedElements = (EncryptedElements) assertion;
for (int i = 0; i < encryptedElements.getXPaths().size(); i++) {
XPath xPath = encryptedElements.getXPaths().get(i);
- String[] xPathElements = xPath.getXPath().split("/");
- String[] xPathElement = xPathElements[xPathElements.length - 1].split(":");
- if (xPathElement.length == 2) {
- String ns = xPath.getPrefixNamespaceMap().get(xPathElement[0]);
- if (ns == null) {
- throw new IllegalArgumentException("Namespace not declared");
- }
- elements.add(new QName(ns, xPathElement[1]));
- } else {
- elements.add(new QName(xPathElement[1]));
- }
+ List<QName> elements = PolicyUtils.getElementPath(xPath);
+ pathElements.add(elements);
}
}
@@ -69,23 +63,23 @@ public class EncryptedElementsAssertionS
@Override
public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
EncryptedElementSecurityEvent encryptedElementSecurityEvent = (EncryptedElementSecurityEvent) securityEvent;
- //todo better matching until we have a streaming xpath evaluation engine (work in progress)
- for (int i = 0; i < elements.size(); i++) {
- QName qName = elements.get(i);
- if (qName.equals(encryptedElementSecurityEvent.getElement())) {
+ Iterator<List<QName>> pathElementIterator = pathElements.iterator();
+ while (pathElementIterator.hasNext()) {
+ List<QName> pathElements = pathElementIterator.next();
+ if (WSSUtils.pathMatches(pathElements, encryptedElementSecurityEvent.getElementPath(), true, false)) {
if (encryptedElementSecurityEvent.isEncrypted()) {
setAsserted(true);
return true;
} else {
- //an element must be signed but isn't
+ //an element must be encrypted but isn't
setAsserted(false);
- setErrorMessage("Element " + encryptedElementSecurityEvent.getElement() + " must be encrypted");
+ setErrorMessage("Element " + WSSUtils.pathAsString(encryptedElementSecurityEvent.getElementPath()) + " must be encrypted");
return false;
}
}
}
- //if we return false here other signed elements will trigger a PolicyViolationException
+ //if we return false here other encrypted elements will trigger a PolicyViolationException
return true;
}
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedPartsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedPartsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedPartsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedPartsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,10 +24,15 @@ import org.apache.ws.secpolicy.model.Abs
import org.apache.ws.secpolicy.model.EncryptedParts;
import org.apache.ws.secpolicy.model.Header;
import org.swssf.policy.Assertable;
-import org.swssf.policy.PolicyConstants;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSUtils;
import org.swssf.wss.securityEvent.EncryptedPartSecurityEvent;
import org.swssf.wss.securityEvent.SecurityEvent;
+import javax.xml.namespace.QName;
+import java.util.LinkedList;
+import java.util.List;
+
/**
* @author $Author$
* @version $Revision$ $Date$
@@ -53,28 +58,33 @@ public class EncryptedPartsAssertionStat
EncryptedPartSecurityEvent encryptedPartSecurityEvent = (EncryptedPartSecurityEvent) securityEvent;
EncryptedParts encryptedParts = (EncryptedParts) getAssertion();
- if (encryptedParts.isBody() && (encryptedPartSecurityEvent.getElement().equals(PolicyConstants.TAG_soap11_Body)
- || encryptedPartSecurityEvent.getElement().equals(PolicyConstants.TAG_soap12_Body))) {
+ if (encryptedParts.isBody()
+ && (WSSUtils.pathMatches(WSSConstants.SOAP_11_BODY_PATH, encryptedPartSecurityEvent.getElementPath(), true, false))) {
if (encryptedPartSecurityEvent.isEncrypted()) {
setAsserted(true);
return true;
} else {
setAsserted(false);
- setErrorMessage("Element " + encryptedPartSecurityEvent.getElement() + " must be encrypted");
+ setErrorMessage("Element " + WSSUtils.pathAsString(encryptedPartSecurityEvent.getElementPath()) + " must be encrypted");
return false;
}
}
//body processed above. so this must be a header element
for (int i = 0; i < encryptedParts.getHeaders().size(); i++) {
Header header = encryptedParts.getHeaders().get(i);
- if (header.getNamespace().equals(encryptedPartSecurityEvent.getElement().getNamespaceURI())
- && (header.getName() == null //== wildcard
- || header.getName().equals(encryptedPartSecurityEvent.getElement().getLocalPart()))) {
+ QName headerQName = new QName(header.getNamespace(), header.getName() == null ? "" : header.getName());
+
+ List<QName> header11Path = new LinkedList<QName>();
+ header11Path.addAll(WSSConstants.SOAP_11_HEADER_PATH);
+ header11Path.add(headerQName);
+
+ if (WSSUtils.pathMatches(header11Path, encryptedPartSecurityEvent.getElementPath(), true, header.getName() == null)) {
if (encryptedPartSecurityEvent.isEncrypted()) {
setAsserted(true);
return true;
} else {
- setErrorMessage("Element " + encryptedPartSecurityEvent.getElement() + " must be encrypted");
+ setAsserted(false);
+ setErrorMessage("Element " + WSSUtils.pathAsString(encryptedPartSecurityEvent.getElementPath()) + " must be encrypted");
return false;
}
}
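Review bot: The rewritten body check accepts only `WSSConstants.SOAP_11_BODY_PATH`, whereas the removed condition also matched the SOAP 1.2 Body, and the header candidate built from `WSSConstants.SOAP_11_HEADER_PATH` narrows the header clause the same way (the old code compared namespace and local name with no SOAP-version dependency). Unless element paths are normalized to SOAP 1.1 names before the event is raised (not visible here), a SOAP 1.2 message enters neither branch, so an unencrypted SOAP 1.2 body or header is never reported; what the method returns after the loop is outside this hunk. Trying a second candidate built from a SOAP 1.2 body/header path constant (`<SOAP-1.2 path constant placeholder>`) alongside the 1.1 one would restore the old coverage. The same narrowing appears in both hunks of OnlySignEntireHeadersAndBodyAssertionState, in RequiredPartsAssertionState's assertEvent hunk, and in SignatureProtectionAssertionState's constructor.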
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java Wed Feb 29 20:54:51 2012
@@ -23,8 +23,8 @@ import org.apache.ws.secpolicy.WSSPolicy
import org.apache.ws.secpolicy.model.AbstractSecurityAssertion;
import org.apache.ws.secpolicy.model.AbstractSymmetricAsymmetricBinding;
import org.swssf.policy.Assertable;
-import org.swssf.policy.PolicyConstants;
import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSUtils;
import org.swssf.wss.securityEvent.SecurityEvent;
import org.swssf.wss.securityEvent.SignedPartSecurityEvent;
@@ -54,14 +54,13 @@ public class OnlySignEntireHeadersAndBod
return true;
}
if (abstractSymmetricAsymmetricBinding.isOnlySignEntireHeadersAndBody()
- && (signedPartSecurityEvent.getElement().equals(PolicyConstants.TAG_soap11_Body)
- || signedPartSecurityEvent.getElement().equals(PolicyConstants.TAG_soap12_Body))) {
+ && WSSUtils.pathMatches(signedPartSecurityEvent.getElementPath(), WSSConstants.SOAP_11_BODY_PATH, true, false)) {
if (signedPartSecurityEvent.isSigned()) {
setAsserted(true);
return true;
} else {
setAsserted(false);
- setErrorMessage("Element " + signedPartSecurityEvent.getElement() + " must be signed");
+ setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
return false;
}
}
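Review bot: `WSSUtils.pathMatches` is called here with the event path first and the constant second, while EncryptedPartsAssertionState and the element assertion states in this commit pass the policy path first and the event path second with the same `true, false` flags. If either flag applies to one particular side (the call sites alone do not reveal this), one group of callers is wrong; if the check is symmetric, the order should still be unified so a reader can tell which argument is the expectation, e.g. `&& WSSUtils.pathMatches(WSSConstants.SOAP_11_BODY_PATH, signedPartSecurityEvent.getElementPath(), true, false)) {`. The same ordering is used for `WSSE_SECURITY_HEADER_PATH` in the next hunk. The enclosing method begins before and continues after this hunk.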
@@ -72,12 +71,12 @@ public class OnlySignEntireHeadersAndBod
//for a rewriting attack! If the Security Header is not signed then all child
//elements must be signed!
// @see http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html#_Toc212617840
- || signedPartSecurityEvent.getElement().equals(WSSConstants.TAG_wsse_Security)) {
+ || WSSUtils.pathMatches(signedPartSecurityEvent.getElementPath(), WSSConstants.WSSE_SECURITY_HEADER_PATH, true, false)) {
setAsserted(true);
return true;
} else {
setAsserted(false);
- setErrorMessage("Element " + signedPartSecurityEvent.getElement() + " must be signed");
+ setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
return false;
}
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ProtectionOrderAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ProtectionOrderAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ProtectionOrderAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ProtectionOrderAssertionState.java Wed Feb 29 20:54:51 2012
@@ -18,21 +18,15 @@
*/
package org.swssf.policy.assertionStates;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.xml.namespace.QName;
-
import org.apache.ws.secpolicy.AssertionState;
import org.apache.ws.secpolicy.WSSPolicyException;
import org.apache.ws.secpolicy.model.AbstractSecurityAssertion;
import org.swssf.policy.Assertable;
-import org.swssf.wss.securityEvent.ContentEncryptedElementSecurityEvent;
-import org.swssf.wss.securityEvent.EncryptedElementSecurityEvent;
-import org.swssf.wss.securityEvent.EncryptedPartSecurityEvent;
-import org.swssf.wss.securityEvent.SecurityEvent;
-import org.swssf.wss.securityEvent.SignedElementSecurityEvent;
-import org.swssf.wss.securityEvent.SignedPartSecurityEvent;
+import org.swssf.wss.securityEvent.*;
+
+import javax.xml.namespace.QName;
+import java.util.ArrayList;
+import java.util.List;
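Review bot: The six explicit `org.swssf.wss.securityEvent` imports are replaced by the wildcard `org.swssf.wss.securityEvent.*`, and RequiredPartsAssertionState does the same with `java.util.*`; wildcard imports hide which types a file depends on and start colliding as soon as a same-named class lands in either package. Restore the explicit list, at least the five event classes and `SecurityEvent` that the switch in the later hunk uses.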
/**
* @author $Author$
@@ -41,8 +35,8 @@ import org.swssf.wss.securityEvent.Signe
public class ProtectionOrderAssertionState extends AssertionState implements Assertable {
- private List<QName> signedElements = new ArrayList<QName>();
- private List<QName> encryptedElements = new ArrayList<QName>();
+ private List<List<QName>> signedElements = new ArrayList<List<QName>>();
+ private List<List<QName>> encryptedElements = new ArrayList<List<QName>>();
public ProtectionOrderAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
super(assertion, asserted);
@@ -69,40 +63,35 @@ public class ProtectionOrderAssertionSta
if (!signedElementSecurityEvent.isSigned()) {
return true;
}
- if (!encryptedElements.contains(signedElementSecurityEvent.getElement())) {
- signedElements.add(signedElementSecurityEvent.getElement());
+ if (!encryptedElements.contains(signedElementSecurityEvent.getElementPath())) {
+ signedElements.add(signedElementSecurityEvent.getElementPath());
} else {
}
- System.out.println("Sig: " + signedElementSecurityEvent.getElement());
break;
case SignedPart:
SignedPartSecurityEvent signedPartSecurityEvent = (SignedPartSecurityEvent) securityEvent;
if (!signedPartSecurityEvent.isSigned()) {
return true;
}
- System.out.println("Sig: " + signedPartSecurityEvent.getElement());
break;
case EncryptedElement:
EncryptedElementSecurityEvent encryptedElementSecurityEvent = (EncryptedElementSecurityEvent) securityEvent;
if (!encryptedElementSecurityEvent.isEncrypted()) {
return true;
}
- System.out.println("Enc: " + encryptedElementSecurityEvent.getElement() + " signed: " + encryptedElementSecurityEvent.isSignedContent());
break;
case EncryptedPart:
EncryptedPartSecurityEvent encryptedPartSecurityEvent = (EncryptedPartSecurityEvent) securityEvent;
if (!encryptedPartSecurityEvent.isEncrypted()) {
return true;
}
- System.out.println("Enc: " + encryptedPartSecurityEvent.getElement() + " signed: " + encryptedPartSecurityEvent.isSignedContent());
break;
case ContentEncrypted:
ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent = (ContentEncryptedElementSecurityEvent) securityEvent;
if (!contentEncryptedElementSecurityEvent.isEncrypted()) {
return true;
}
- System.out.println("Enc: " + contentEncryptedElementSecurityEvent.getElement() + " signed: " + contentEncryptedElementSecurityEvent.isSignedContent());
break;
}
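Review bot: `encryptedElements.contains(signedElementSecurityEvent.getElementPath())` relies on `List.equals`, i.e. exact whole-path equality, while every other assertion state in this commit compares paths through `WSSUtils.pathMatches`; if event paths are ever produced with a different depth or prefix than the stored ones, this check silently diverges from the others. The empty `else { }` branch beneath it is dead and should be removed. The path list is also stored by reference in `signedElements.add(...)`; if the producer reuses or keeps extending that list while streaming, the stored entry changes after the fact, so `signedElements.add(new ArrayList<QName>(signedElementSecurityEvent.getElementPath()));` (ArrayList is already imported) is safer. The enclosing switch starts and ends outside this hunk.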
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredElementsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredElementsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredElementsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,12 +24,15 @@ import org.apache.ws.secpolicy.model.Abs
import org.apache.ws.secpolicy.model.RequiredElements;
import org.apache.ws.secpolicy.model.XPath;
import org.swssf.policy.Assertable;
+import org.swssf.policy.PolicyUtils;
+import org.swssf.wss.ext.WSSUtils;
import org.swssf.wss.securityEvent.RequiredElementSecurityEvent;
import org.swssf.wss.securityEvent.SecurityEvent;
import javax.xml.namespace.QName;
import java.util.HashMap;
import java.util.Iterator;
+import java.util.List;
import java.util.Map;
/**
@@ -38,7 +41,7 @@ import java.util.Map;
*/
public class RequiredElementsAssertionState extends AssertionState implements Assertable {
- private Map<QName, Boolean> elements = new HashMap<QName, Boolean>();
+ private Map<List<QName>, Boolean> pathElements = new HashMap<List<QName>, Boolean>();
public RequiredElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
super(assertion, asserted);
@@ -47,23 +50,14 @@ public class RequiredElementsAssertionSt
RequiredElements requiredElements = (RequiredElements) assertion;
for (int i = 0; i < requiredElements.getXPaths().size(); i++) {
XPath xPath = requiredElements.getXPaths().get(i);
- String[] xPathElements = xPath.getXPath().split("/");
- String[] xPathElement = xPathElements[xPathElements.length - 1].split(":");
- if (xPathElement.length == 2) {
- String ns = xPath.getPrefixNamespaceMap().get(xPathElement[0]);
- if (ns == null) {
- throw new IllegalArgumentException("Namespace not declared");
- }
- elements.put(new QName(ns, xPathElement[1]), Boolean.FALSE);
- } else {
- elements.put(new QName(xPathElement[1]), Boolean.FALSE);
- }
+ List<QName> elements = PolicyUtils.getElementPath(xPath);
+ pathElements.put(elements, Boolean.FALSE);
}
}
}
- public void addElement(QName element) {
- this.elements.put(element, Boolean.FALSE);
+ public void addElement(List<QName> pathElement) {
+ this.pathElements.put(pathElement, Boolean.FALSE);
}
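Review bot: `addElement` stores the caller-supplied `List<QName>` directly as a `HashMap` key; a list is a mutable key, so any later change by the caller alters its hash while it sits in the map. The map is only iterated in the later hunks, so today this risks at most a duplicate entry, but a defensive copy documents the contract: `this.pathElements.put(new ArrayList<QName>(pathElement), Boolean.FALSE);` (with the matching `java.util.ArrayList` import). The constructor that precedes `addElement` begins in the previous hunk.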
@Override
@@ -76,13 +70,12 @@ public class RequiredElementsAssertionSt
@Override
public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
RequiredElementSecurityEvent requiredElementSecurityEvent = (RequiredElementSecurityEvent) securityEvent;
- //todo better matching until we have a streaming xpath evaluation engine (work in progress)
- Iterator<Map.Entry<QName, Boolean>> elementMapIterator = elements.entrySet().iterator();
+ Iterator<Map.Entry<List<QName>, Boolean>> elementMapIterator = pathElements.entrySet().iterator();
while (elementMapIterator.hasNext()) {
- Map.Entry<QName, Boolean> next = elementMapIterator.next();
- QName qName = next.getKey();
- if (qName.equals(requiredElementSecurityEvent.getElement())) {
+ Map.Entry<List<QName>, Boolean> next = elementMapIterator.next();
+ List<QName> qNameList = next.getKey();
+ if (WSSUtils.pathMatches(qNameList, requiredElementSecurityEvent.getElementPath(), true, false)) {
next.setValue(Boolean.TRUE);
break;
}
@@ -93,11 +86,11 @@ public class RequiredElementsAssertionSt
@Override
public boolean isAsserted() {
- Iterator<Map.Entry<QName, Boolean>> elementMapIterator = elements.entrySet().iterator();
+ Iterator<Map.Entry<List<QName>, Boolean>> elementMapIterator = pathElements.entrySet().iterator();
while (elementMapIterator.hasNext()) {
- Map.Entry<QName, Boolean> next = elementMapIterator.next();
+ Map.Entry<List<QName>, Boolean> next = elementMapIterator.next();
if (Boolean.FALSE.equals(next.getValue())) {
- setErrorMessage("Element " + next.getKey().toString() + " must be present");
+ setErrorMessage("Element " + WSSUtils.pathAsString(next.getKey()) + " must be present");
return false;
}
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredPartsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredPartsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredPartsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredPartsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,12 +24,13 @@ import org.apache.ws.secpolicy.model.Abs
import org.apache.ws.secpolicy.model.Header;
import org.apache.ws.secpolicy.model.RequiredParts;
import org.swssf.policy.Assertable;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSUtils;
import org.swssf.wss.securityEvent.RequiredPartSecurityEvent;
import org.swssf.wss.securityEvent.SecurityEvent;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.Map;
+import javax.xml.namespace.QName;
+import java.util.*;
/**
* @author $Author$
@@ -59,15 +60,18 @@ public class RequiredPartsAssertionState
@Override
public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
RequiredPartSecurityEvent requiredPartSecurityEvent = (RequiredPartSecurityEvent) securityEvent;
- //todo better matching until we have a streaming xpath evaluation engine (work in progress)
Iterator<Map.Entry<Header, Boolean>> elementMapIterator = headers.entrySet().iterator();
while (elementMapIterator.hasNext()) {
Map.Entry<Header, Boolean> next = elementMapIterator.next();
Header header = next.getKey();
- if (header.getNamespace().equals(requiredPartSecurityEvent.getElement().getNamespaceURI())
- && (header.getName() == null //== wildcard
- || header.getName().equals(requiredPartSecurityEvent.getElement().getLocalPart()))) {
+ QName headerQName = new QName(header.getNamespace(), header.getName() == null ? "" : header.getName());
+
+ List<QName> header11Path = new LinkedList<QName>();
+ header11Path.addAll(WSSConstants.SOAP_11_HEADER_PATH);
+ header11Path.add(headerQName);
+
+ if (WSSUtils.pathMatches(header11Path, requiredPartSecurityEvent.getElementPath(), true, header.getName() == null)) {
next.setValue(Boolean.TRUE);
break;
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java Wed Feb 29 20:54:51 2012
@@ -28,6 +28,7 @@ import org.swssf.wss.impl.securityToken.
import org.swssf.wss.securityEvent.SamlTokenSecurityEvent;
import org.swssf.wss.securityEvent.SecurityEvent;
import org.swssf.wss.securityEvent.TokenSecurityEvent;
+import org.swssf.xmlsec.ext.XMLSecurityException;
/**
* @author $Author$
@@ -48,7 +49,7 @@ public class SamlTokenAssertionState ext
}
@Override
- public boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException {
+ public boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException {
if (!(tokenSecurityEvent instanceof SamlTokenSecurityEvent)) {
throw new WSSPolicyException("Expected a SamlTokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
}
@@ -64,30 +65,32 @@ public class SamlTokenAssertionState ext
setAsserted(false);
setErrorMessage("Policy enforces KeyIdentifierReference but we got " + samlTokenSecurityEvent.getSecurityToken().getTokenType());
}
- switch (samlToken.getSamlTokenType()) {
- case WssSamlV11Token10:
- if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_10) {
+ if (samlToken.getSamlTokenType() != null) {
+ switch (samlToken.getSamlTokenType()) {
+ case WssSamlV11Token10:
+ if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_10) {
+ setAsserted(false);
+ setErrorMessage("Policy enforces SamlVersion11Profile10 but we got " + samlTokenSecurityEvent.getSamlVersion());
+ }
+ break;
+ case WssSamlV11Token11:
+ if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_11) {
+ setAsserted(false);
+ setErrorMessage("Policy enforces SamlVersion11Profile11 but we got " + samlTokenSecurityEvent.getSamlVersion());
+ }
+ break;
+ case WssSamlV20Token11:
+ if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_20) {
+ setAsserted(false);
+ setErrorMessage("Policy enforces SamlVersion20Profile11 but we got " + samlTokenSecurityEvent.getSamlVersion());
+ }
+ break;
+ case WssSamlV10Token10:
+ case WssSamlV10Token11:
setAsserted(false);
- setErrorMessage("Policy enforces SamlVersion11Profile10 but we got " + samlTokenSecurityEvent.getSamlVersion());
- }
- break;
- case WssSamlV11Token11:
- if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_11) {
- setAsserted(false);
- setErrorMessage("Policy enforces SamlVersion11Profile11 but we got " + samlTokenSecurityEvent.getSamlVersion());
- }
- break;
- case WssSamlV20Token11:
- if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_20) {
- setAsserted(false);
- setErrorMessage("Policy enforces SamlVersion20Profile11 but we got " + samlTokenSecurityEvent.getSamlVersion());
- }
- break;
- case WssSamlV10Token10:
- case WssSamlV10Token11:
- setAsserted(false);
- setErrorMessage("Unsupported token type: " + samlToken.getSamlTokenType());
- break;
+ setErrorMessage("Unsupported token type: " + samlToken.getSamlTokenType());
+ break;
+ }
}
return isAsserted();
}
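Review bot: With the new null guard, a policy whose SamlTokenType is absent skips the whole version switch and the method returns whatever `isAsserted()` already holds, so no SAML version is enforced for such a policy; if that is the intended "any version" semantics it deserves a comment on the `if`, e.g. `// no token type in the policy: accept any SAML version`. The switch still has no `default`, so a token-type constant added later is accepted without any check; fail closed with `default: setAsserted(false); setErrorMessage("Unsupported token type: " + samlToken.getSamlTokenType()); break;`, which can also absorb the two `WssSamlV10*` cases that do exactly that. The method begins in the previous hunk and ends here.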
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignatureProtectionAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignatureProtectionAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignatureProtectionAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignatureProtectionAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,11 +24,14 @@ import org.apache.ws.secpolicy.model.Abs
import org.apache.ws.secpolicy.model.AbstractSymmetricAsymmetricBinding;
import org.swssf.policy.Assertable;
import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSUtils;
import org.swssf.wss.securityEvent.EncryptedElementSecurityEvent;
import org.swssf.wss.securityEvent.SecurityEvent;
import javax.xml.namespace.QName;
import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.LinkedList;
import java.util.List;
/**
@@ -37,13 +40,21 @@ import java.util.List;
*/
public class SignatureProtectionAssertionState extends AssertionState implements Assertable {
- private List<QName> elements = new ArrayList<QName>();
+ private List<List<QName>> elementPaths = new ArrayList<List<QName>>();
public SignatureProtectionAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
super(assertion, asserted);
-
- elements.add(WSSConstants.TAG_dsig_Signature);
- elements.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
+ List<QName> signature11Path = new LinkedList<QName>();
+ signature11Path.addAll(WSSConstants.SOAP_11_HEADER_PATH);
+ signature11Path.add(WSSConstants.TAG_wsse_Security);
+ signature11Path.add(WSSConstants.TAG_dsig_Signature);
+ elementPaths.add(signature11Path);
+
+ List<QName> signatureConfirmation11Path = new LinkedList<QName>();
+ signatureConfirmation11Path.addAll(WSSConstants.SOAP_11_HEADER_PATH);
+ signatureConfirmation11Path.add(WSSConstants.TAG_wsse_Security);
+ signatureConfirmation11Path.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
+ elementPaths.add(signatureConfirmation11Path);
}
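Review bot: The two path-building blocks in the constructor differ only in the final QName, and each builds a `LinkedList` whose contents are afterwards only iterated; a small private helper removes the duplication and makes adding a further path (for instance a SOAP 1.2 counterpart, which this constructor does not cover) a one-liner. `ArrayList` is already imported, so the helper needs no new dependency and `LinkedList` can go.
```java
public SignatureProtectionAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
    super(assertion, asserted);
    elementPaths.add(securityHeaderChildPath(WSSConstants.TAG_dsig_Signature));
    elementPaths.add(securityHeaderChildPath(WSSConstants.TAG_wsse11_SignatureConfirmation));
}

// Path to a direct child of wsse:Security inside the SOAP 1.1 Header.
private static List<QName> securityHeaderChildPath(QName child) {
    List<QName> path = new ArrayList<QName>(WSSConstants.SOAP_11_HEADER_PATH);
    path.add(WSSConstants.TAG_wsse_Security);
    path.add(child);
    return path;
}
```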
@Override
@@ -59,22 +70,23 @@ public class SignatureProtectionAssertio
AbstractSymmetricAsymmetricBinding abstractSymmetricAsymmetricBinding = (AbstractSymmetricAsymmetricBinding) getAssertion();
//todo better matching until we have a streaming xpath evaluation engine (work in progress)
- for (int i = 0; i < elements.size(); i++) {
- QName qName = elements.get(i);
- if (qName.equals(encryptedElementSecurityEvent.getElement())) {
+ Iterator<List<QName>> pathElementsIterator = elementPaths.iterator();
+ while (pathElementsIterator.hasNext()) {
+ List<QName> qNameList = pathElementsIterator.next();
+ if (WSSUtils.pathMatches(qNameList, encryptedElementSecurityEvent.getElementPath(), true, false)) {
if (encryptedElementSecurityEvent.isEncrypted()) {
if (abstractSymmetricAsymmetricBinding.isEncryptSignature()) {
setAsserted(true);
return true;
} else {
setAsserted(false);
- setErrorMessage("Element " + encryptedElementSecurityEvent.getElement() + " must not be encrypted");
+ setErrorMessage("Element " + WSSUtils.pathAsString(encryptedElementSecurityEvent.getElementPath()) + " must not be encrypted");
return false;
}
} else {
if (abstractSymmetricAsymmetricBinding.isEncryptSignature()) {
setAsserted(false);
- setErrorMessage("Element " + encryptedElementSecurityEvent.getElement() + " must be encrypted");
+ setErrorMessage("Element " + WSSUtils.pathAsString(encryptedElementSecurityEvent.getElementPath()) + " must be encrypted");
return false;
} else {
setAsserted(true);
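Review bot: The retained `//todo better matching until we have a streaming xpath evaluation engine (work in progress)` comment above the loop now describes the removed QName comparison rather than the WSSUtils.pathMatches call that replaced it; the equivalent todo was deleted from SignedElementsAssertionState in this same commit, so either drop it here too or reword it to say what pathMatches still cannot express. The explicit iterator can be a for-each, `for (List<QName> candidatePath : elementPaths) {`, which also makes the added java.util.Iterator import unnecessary. assertEvent continues past the end of the hunk.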
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedElementsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedElementsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedElementsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,11 +24,14 @@ import org.apache.ws.secpolicy.model.Abs
import org.apache.ws.secpolicy.model.SignedElements;
import org.apache.ws.secpolicy.model.XPath;
import org.swssf.policy.Assertable;
+import org.swssf.policy.PolicyUtils;
+import org.swssf.wss.ext.WSSUtils;
import org.swssf.wss.securityEvent.SecurityEvent;
import org.swssf.wss.securityEvent.SignedElementSecurityEvent;
import javax.xml.namespace.QName;
import java.util.ArrayList;
+import java.util.Iterator;
import java.util.List;
/**
@@ -37,7 +40,7 @@ import java.util.List;
*/
public class SignedElementsAssertionState extends AssertionState implements Assertable {
- private List<QName> elements = new ArrayList<QName>();
+ private List<List<QName>> pathElements = new ArrayList<List<QName>>();
public SignedElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
super(assertion, asserted);
@@ -46,17 +49,8 @@ public class SignedElementsAssertionStat
SignedElements signedElements = (SignedElements) assertion;
for (int i = 0; i < signedElements.getXPaths().size(); i++) {
XPath xPath = signedElements.getXPaths().get(i);
- String[] xPathElements = xPath.getXPath().split("/");
- String[] xPathElement = xPathElements[xPathElements.length - 1].split(":");
- if (xPathElement.length == 2) {
- String ns = xPath.getPrefixNamespaceMap().get(xPathElement[0]);
- if (ns == null) {
- throw new IllegalArgumentException("Namespace not declared");
- }
- elements.add(new QName(ns, xPathElement[1]));
- } else {
- elements.add(new QName(xPathElement[1]));
- }
+ List<QName> elements = PolicyUtils.getElementPath(xPath);
+ pathElements.add(elements);
}
}
}
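Review bot: The explicit `throw new IllegalArgumentException("Namespace not declared")` for an XPath step with an unbound prefix disappears with this rewrite, and nothing in the hunk shows whether PolicyUtils.getElementPath performs the same validation; if it does not, a policy with a mistyped prefix would now be accepted at build time and simply never match any element, which is a silent weakening rather than a configuration error. Please confirm getElementPath rejects undeclared prefixes, or validate its result here. The temporary local `elements` also reuses the name of the field this commit removed; `pathElements.add(PolicyUtils.getElementPath(xPath));` is clearer. The constructor starts before this hunk.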
@@ -68,25 +62,25 @@ public class SignedElementsAssertionStat
};
}
- public void addElement(QName element) {
- this.elements.add(element);
+ public void addElement(List<QName> pathElement) {
+ this.pathElements.add(pathElement);
}
@Override
public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
- //todo better matching until we have a streaming xpath evaluation engine (work in progress)
- for (int i = 0; i < elements.size(); i++) {
- QName qName = elements.get(i);
- if (qName.equals(signedElementSecurityEvent.getElement())) {
+ Iterator<List<QName>> pathElementIterator = pathElements.iterator();
+ while (pathElementIterator.hasNext()) {
+ List<QName> pathElements = pathElementIterator.next();
+ if (WSSUtils.pathMatches(pathElements, signedElementSecurityEvent.getElementPath(), true, false)) {
if (signedElementSecurityEvent.isSigned()) {
setAsserted(true);
return true;
} else {
//an element must be signed but isn't
setAsserted(false);
- setErrorMessage("Element " + signedElementSecurityEvent.getElement() + " must be signed");
+ setErrorMessage("Element " + WSSUtils.pathAsString(signedElementSecurityEvent.getElementPath()) + " must be signed");
return false;
}
}
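Review bot: The loop variable `List<QName> pathElements` declared inside assertEvent shadows the field `pathElements` (a List<List<QName>>) that the iterator on the preceding line is taken from; this compiles, but it invites a mix-up between the collection of candidate paths and a single path. Rename the local and drop the explicit iterator, e.g. `for (List<QName> candidatePath : pathElements) {` followed by `if (WSSUtils.pathMatches(candidatePath, signedElementSecurityEvent.getElementPath(), true, false)) {`. addElement stores the caller's list by reference, so a caller that keeps mutating it changes the policy after the fact; `this.pathElements.add(new ArrayList<QName>(pathElement));` would make the state self-contained. The method continues past the hunk.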
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedPartsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedPartsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedPartsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedPartsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,10 +24,15 @@ import org.apache.ws.secpolicy.model.Abs
import org.apache.ws.secpolicy.model.Header;
import org.apache.ws.secpolicy.model.SignedParts;
import org.swssf.policy.Assertable;
-import org.swssf.policy.PolicyConstants;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSUtils;
import org.swssf.wss.securityEvent.SecurityEvent;
import org.swssf.wss.securityEvent.SignedPartSecurityEvent;
+import javax.xml.namespace.QName;
+import java.util.LinkedList;
+import java.util.List;
+
/**
* @author $Author$
* @version $Revision$ $Date$
@@ -53,14 +58,14 @@ public class SignedPartsAssertionState e
SignedPartSecurityEvent signedPartSecurityEvent = (SignedPartSecurityEvent) securityEvent;
SignedParts signedParts = (SignedParts) getAssertion();
- if (signedParts.isBody() && (signedPartSecurityEvent.getElement().equals(PolicyConstants.TAG_soap11_Body)
- || signedPartSecurityEvent.getElement().equals(PolicyConstants.TAG_soap12_Body))) {
+ if (signedParts.isBody()
+ && (WSSUtils.pathMatches(WSSConstants.SOAP_11_BODY_PATH, signedPartSecurityEvent.getElementPath(), true, false))) {
if (signedPartSecurityEvent.isSigned()) {
setAsserted(true);
return true;
} else {
setAsserted(false);
- setErrorMessage("Element " + signedPartSecurityEvent.getElement() + " must be signed");
+ setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
return false;
}
}
@@ -71,21 +76,25 @@ public class SignedPartsAssertionState e
return true;
} else {
setAsserted(false);
- setErrorMessage("Element " + signedPartSecurityEvent.getElement() + " must be signed");
+ setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
return false;
}
} else {
for (int i = 0; i < signedParts.getHeaders().size(); i++) {
Header header = signedParts.getHeaders().get(i);
- if (header.getNamespace().equals(signedPartSecurityEvent.getElement().getNamespaceURI())
- && (header.getName() == null //== wildcard
- || header.getName().equals(signedPartSecurityEvent.getElement().getLocalPart()))) {
+ QName headerQName = new QName(header.getNamespace(), header.getName() == null ? "" : header.getName());
+
+ List<QName> header11Path = new LinkedList<QName>();
+ header11Path.addAll(WSSConstants.SOAP_11_HEADER_PATH);
+ header11Path.add(headerQName);
+
+ if (WSSUtils.pathMatches(header11Path, signedPartSecurityEvent.getElementPath(), true, header.getName() == null)) {
if (signedPartSecurityEvent.isSigned()) {
setAsserted(true);
return true;
} else {
setAsserted(false);
- setErrorMessage("Element " + signedPartSecurityEvent.getElement() + " must be signed");
+ setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
return false;
}
}
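Review bot: The meaning of the last two pathMatches arguments is opaque at the call site: the removed code documented `header.getName() == null //== wildcard`, while the new code encodes the same case as an empty local part in `headerQName` plus a bare boolean, with no comment. A line above the call such as `// NOTE(review): a Header without a Name is a wildcard for that namespace; confirm the last pathMatches argument is the local-name wildcard flag` would preserve the lost explanation, since the flag's semantics live in WSSUtils outside this diff. The header path is also rebuilt on every event for every header even though signedParts does not change after construction; it could be computed once, as SignatureProtectionAssertionState does in its constructor. The surrounding if/else chain and the method continue outside the hunk.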
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java Wed Feb 29 20:54:51 2012
@@ -23,8 +23,11 @@ import org.apache.ws.secpolicy.SPConstan
import org.apache.ws.secpolicy.WSSPolicyException;
import org.apache.ws.secpolicy.model.*;
import org.swssf.policy.Assertable;
+import org.swssf.wss.ext.WSSConstants;
import org.swssf.wss.securityEvent.SecurityEvent;
import org.swssf.wss.securityEvent.TokenSecurityEvent;
+import org.swssf.xmlsec.ext.SecurityToken;
+import org.swssf.xmlsec.ext.XMLSecurityException;
/**
* @author $Author$
@@ -44,13 +47,15 @@ public abstract class TokenAssertionStat
}
@Override
- public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
+ public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException, XMLSecurityException {
TokenSecurityEvent tokenSecurityEvent = (TokenSecurityEvent) securityEvent;
AbstractToken abstractToken = (AbstractToken) getAssertion();
final AbstractSecurityAssertion parentAssertion = abstractToken.getParentAssertion();
- switch (tokenSecurityEvent.getTokenUsage()) {
+ //todo what todo with the other usages if there are any? What when a sig and enc derives from the same source token?
+ SecurityToken.TokenUsage tokenUsage = tokenSecurityEvent.getSecurityToken().getTokenUsages().get(0);
+ switch (tokenUsage) {
case MainSignature:
if (!(parentAssertion instanceof InitiatorToken)
&& !(parentAssertion instanceof InitiatorSignatureToken)
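Review bot: `tokenSecurityEvent.getSecurityToken().getTokenUsages().get(0)` throws IndexOutOfBoundsException for a token with no recorded usage (and NullPointerException if the event carries no token), neither of which is a WSSPolicyException the caller can attribute to a policy decision; the removed `getTokenUsage()` accessor had no such failure mode. Guard before indexing, e.g. `List<SecurityToken.TokenUsage> tokenUsages = tokenSecurityEvent.getSecurityToken().getTokenUsages();` then `if (tokenUsages == null || tokenUsages.isEmpty()) { throw new WSSPolicyException("Token carries no usage to assert against"); }` (assuming getTokenUsages returns a java.util.List, which this file would then need to import), and the todo about multiple usages is better resolved by evaluating every usage than by picking the first. The switch continues past the hunk, and the XMLSecurityException added to the throws clause changes the overriding contract for every subclass.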
@@ -81,6 +86,12 @@ public abstract class TokenAssertionStat
if (!(parentAssertion instanceof SupportingTokens)) {
return true;
}
+ SupportingTokens supportingTokens = (SupportingTokens) parentAssertion;
+ if (supportingTokens.getSupportingTokenType().getName().getLocalPart().equals(SPConstants.SIGNED_SUPPORTING_TOKENS)
+ && !tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(SecurityToken.TokenUsage.SignedSupportingTokens)) {
+ return true;
+ }
+ //todo the supporting token types...
break;
}
@@ -91,8 +102,48 @@ public abstract class TokenAssertionStat
return false;
}
+ boolean hasDerivedKeys = false;
+ hasDerivedKeys = hasDerivedKeys(tokenSecurityEvent.getSecurityToken());
+ if (abstractToken.getDerivedKeys() != null) {
+ AbstractToken.DerivedKeys derivedKeys = abstractToken.getDerivedKeys();
+ switch (derivedKeys) {
+ case RequireDerivedKeys:
+ case RequireExplicitDerivedKeys:
+ case RequireImpliedDerivedKeys:
+ if (!hasDerivedKeys) {
+ setAsserted(false);
+ setErrorMessage("Derived key must be used");
+ }
+ }
+ } else {
+ if (hasDerivedKeys) {
+ setAsserted(false);
+ setErrorMessage("Derived key must not be used");
+ }
+ }
+
return assertToken(tokenSecurityEvent, abstractToken);
}
- public abstract boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException;
+ public abstract boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException;
+
+ protected boolean hasDerivedKeys(SecurityToken securityToken) throws XMLSecurityException {
+ if (securityToken == null) {
+ return false;
+ } else if (securityToken.getTokenType() == WSSConstants.DerivedKeyToken) {
+ return true;
+ }
+
+ if (securityToken.getWrappedTokens().size() == 0) {
+ return false;
+ }
+
+ //all wrapped tokens must be derived!:
+ boolean hasDerivedKeys = true;
+ for (int i = 0; i < securityToken.getWrappedTokens().size(); i++) {
+ SecurityToken wrappedSecurityToken = securityToken.getWrappedTokens().get(i);
+ hasDerivedKeys &= hasDerivedKeys(wrappedSecurityToken);
+ }
+ return hasDerivedKeys;
+ }
}
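Review bot: After a derived-key violation is detected (`setAsserted(false)` plus the error message in either branch) the method still falls through to `return assertToken(tokenSecurityEvent, abstractToken);`, so a subclass that ends with setAsserted(true) overwrites the failure and the caller receives the subclass result instead of false, whereas the other failure paths in these assertion states (for example in SignatureProtectionAssertionState) return false right after setting the error. Add `return false;` after each of the two setErrorMessage calls. `boolean hasDerivedKeys = false;` is dead because it is overwritten on the next line; collapse it to `boolean hasDerivedKeys = hasDerivedKeys(tokenSecurityEvent.getSecurityToken());` and consider a local name that does not coincide with the method name. The switch over derivedKeys has no default, so any DerivedKeys value outside the three listed passes silently, and hasDerivedKeys recurses through getWrappedTokens() with no cycle guard, which is only safe if wrapping is guaranteed acyclic.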
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java Wed Feb 29 20:54:51 2012
@@ -27,6 +27,7 @@ import org.swssf.wss.impl.securityToken.
import org.swssf.wss.securityEvent.SecurityEvent;
import org.swssf.wss.securityEvent.TokenSecurityEvent;
import org.swssf.wss.securityEvent.UsernameTokenSecurityEvent;
+import org.swssf.xmlsec.ext.XMLSecurityException;
/**
* @author $Author$
@@ -47,7 +48,7 @@ public class UsernameTokenAssertionState
}
@Override
- public boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException {
+ public boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException {
if (!(tokenSecurityEvent instanceof UsernameTokenSecurityEvent)) {
throw new WSSPolicyException("Expected a UsernameSecurityTokenEvent but got " + tokenSecurityEvent.getClass().getName());
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java Wed Feb 29 20:54:51 2012
@@ -51,7 +51,7 @@ public class X509TokenAssertionState ext
}
@Override
- public boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException {
+ public boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException {
if (!(tokenSecurityEvent instanceof X509TokenSecurityEvent)) {
throw new WSSPolicyException("Expected a X509TokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java Wed Feb 29 20:54:51 2012
@@ -22,7 +22,11 @@ import org.apache.ws.secpolicy.SPConstan
import org.apache.ws.secpolicy.WSSPolicyException;
import org.swssf.policy.PolicyEnforcer;
import org.swssf.policy.PolicyEnforcerFactory;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.impl.securityToken.X509SecurityToken;
import org.swssf.wss.test.AbstractTestBase;
+import org.swssf.xmlsec.ext.XMLSecurityConstants;
+import org.swssf.xmlsec.ext.XMLSecurityException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -34,6 +38,11 @@ import javax.xml.parsers.DocumentBuilder
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
/**
* @author $Author$
@@ -58,4 +67,52 @@ public class AbstractPolicyTestBase exte
return policyEnforcer;
}
+
+ public X509SecurityToken getX509Token(WSSConstants.TokenType tokenType) throws Exception {
+
+ final KeyStore keyStore = KeyStore.getInstance("jks");
+ keyStore.load(this.getClass().getClassLoader().getResourceAsStream("transmitter.jks"), "default".toCharArray());
+
+ return new X509SecurityToken(tokenType, null, null, null, "", WSSConstants.KeyIdentifierType.THUMBPRINT_IDENTIFIER) {
+ @Override
+ protected String getAlias() throws XMLSecurityException {
+ return "transmitter";
+ }
+
+ @Override
+ public Key getSecretKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage) throws XMLSecurityException {
+ try {
+ return keyStore.getKey("transmitter", "default".toCharArray());
+ } catch (Exception e) {
+ throw new XMLSecurityException(e.getMessage(), e);
+ }
+ }
+
+ @Override
+ public PublicKey getPublicKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage) throws XMLSecurityException {
+ try {
+ return keyStore.getCertificate("transmitter").getPublicKey();
+ } catch (Exception e) {
+ throw new XMLSecurityException(e.getMessage(), e);
+ }
+ }
+
+ @Override
+ public X509Certificate[] getX509Certificates() throws XMLSecurityException {
+ Certificate[] certificates;
+ try {
+ certificates = keyStore.getCertificateChain("transmitter");
+ } catch (Exception e) {
+ throw new XMLSecurityException(e.getMessage(), e);
+ }
+
+ X509Certificate[] x509Certificates = new X509Certificate[certificates.length];
+ for (int i = 0; i < certificates.length; i++) {
+ Certificate certificate = certificates[i];
+ x509Certificates[i] = (X509Certificate) certificate;
+ }
+ return x509Certificates;
+ }
+ };
+ }
}
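Review bot: getX509Token never closes the stream returned by getResourceAsStream("transmitter.jks"), and if the resource is missing KeyStore.load(null, password) yields an empty keystore, so the problem surfaces later as a NullPointerException from `keyStore.getCertificate("transmitter").getPublicKey()` or from `certificates.length` instead of as a clear fixture error. Fail fast on a missing resource and close the stream in a finally block (this needs a java.io.InputStream import). getCertificateChain also returns null for an unknown alias, so `certificates == null` should be handled before the copy loop, which itself can become `Arrays.copyOf(certificates, certificates.length, X509Certificate[].class)` if java.util.Arrays is imported.
```java
final KeyStore keyStore = KeyStore.getInstance("jks");
InputStream keyStoreStream = this.getClass().getClassLoader().getResourceAsStream("transmitter.jks");
if (keyStoreStream == null) {
    throw new IllegalStateException("test keystore transmitter.jks not found on the classpath");
}
try {
    keyStore.load(keyStoreStream, "default".toCharArray());
} finally {
    keyStoreStream.close();
}
// … unchanged: anonymous X509SecurityToken subclass …
```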
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AsymmetricBindingIntegrationTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AsymmetricBindingIntegrationTest.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AsymmetricBindingIntegrationTest.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AsymmetricBindingIntegrationTest.java Wed Feb 29 20:54:51 2012
@@ -1711,7 +1711,11 @@ public class AsymmetricBindingIntegratio
" <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
" </sp:SignedParts>\n" +
" <sp:SignedElements>\n" +
- " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
+ " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+ " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+ " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+ " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
+ " </sp:XPath>\n" +
" </sp:SignedElements>\n" +
" <sp:EncryptedParts>\n" +
" <sp:Body/>\n" +
@@ -1719,10 +1723,18 @@ public class AsymmetricBindingIntegratio
" <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
" </sp:EncryptedParts>\n" +
" <sp:EncryptedElements>\n" +
- " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
+ " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+ " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+ " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+ " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
+ " </sp:XPath>\n" +
" </sp:EncryptedElements>\n" +
" <sp:ContentEncryptedElements>\n" +
- " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
+ " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+ " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+ " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+ " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Expires" +
+ " </sp:XPath>\n" +
" </sp:ContentEncryptedElements>\n" +
" </wsp:All>\n" +
" </wsp:ExactlyOne>";
@@ -1992,7 +2004,7 @@ public class AsymmetricBindingIntegratio
}
@Test
- public void testSamlToken() throws Exception {
+ public void testTokenScenario() throws Exception {
String policyString =
"<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
@@ -2002,7 +2014,7 @@ public class AsymmetricBindingIntegratio
" <wsp:Policy>\n" +
" <sp:InitiatorToken>\n" +
" <wsp:Policy>\n" +
- " <sp:SamlToken>\n" +
+ " <sp:SamlToken IncludeToken=\" http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always\">\n" +
" <sp:IssuerName>www.example.com</sp:IssuerName>\n" +
" <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
" <sp:WssSamlV20Token11/>\n" +
@@ -2015,6 +2027,7 @@ public class AsymmetricBindingIntegratio
" <sp:X509Token IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
" <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
" <wsp:Policy>\n" +
+ " <sp:RequireDerivedKeys/>\n" +
" <sp:WssX509V3Token11/>\n" +
" </wsp:Policy>\n" +
" </sp:X509Token>\n" +
@@ -2028,13 +2041,22 @@ public class AsymmetricBindingIntegratio
" <sp:IncludeTimestamp/>\n" +
" </wsp:Policy>\n" +
" </sp:AsymmetricBinding>\n" +
+ " <sp:SignedSupportingTokens>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:UsernameToken IncludeToken=\" http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\"/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:SignedSupportingTokens>\n" +
" <sp:SignedParts>\n" +
" <sp:Body/>\n" +
" <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
" <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
" </sp:SignedParts>\n" +
" <sp:SignedElements>\n" +
- " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
+ " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+ " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+ " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+ " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
+ " </sp:XPath>\n" +
" </sp:SignedElements>\n" +
" <sp:EncryptedParts>\n" +
" <sp:Body/>\n" +
@@ -2042,16 +2064,24 @@ public class AsymmetricBindingIntegratio
" <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
" </sp:EncryptedParts>\n" +
" <sp:EncryptedElements>\n" +
- " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
+ " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+ " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+ " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+ " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
+ " </sp:XPath>\n" +
" </sp:EncryptedElements>\n" +
" <sp:ContentEncryptedElements>\n" +
- " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
+ " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+ " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+ " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+ " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Expires" +
+ " </sp:XPath>\n" +
" </sp:ContentEncryptedElements>\n" +
" </wsp:All>\n" +
" </wsp:ExactlyOne>";
WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
- WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.SAML_TOKEN_SIGNED, WSSConstants.ENCRYPT_WITH_DERIVED_KEY};
+ WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.TIMESTAMP, WSSConstants.USERNAMETOKEN, WSSConstants.SAML_TOKEN_SIGNED, WSSConstants.ENCRYPT_WITH_DERIVED_KEY};
outSecurityProperties.setOutAction(actions);
CallbackHandlerImpl callbackHandler = new CallbackHandlerImpl();
callbackHandler.setSamlVersion(SAMLVersion.VERSION_20);
@@ -2069,12 +2099,18 @@ public class AsymmetricBindingIntegratio
cryptoType.setAlias("transmitter");
callbackHandler.setCerts(crypto.getX509Certificates(cryptoType));
outSecurityProperties.setCallbackHandler(callbackHandler);
+ outSecurityProperties.setTokenUser("tester");
outSecurityProperties.setSignatureKeyIdentifierType(WSSConstants.KeyIdentifierType.EMBEDDED_KEYIDENTIFIER_REF);
outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
outSecurityProperties.setSignatureUser("transmitter");
+ outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_soap_Body_LocalName, WSSConstants.NS_SOAP11, SecurePart.Modifier.Element));
+ outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_wsse_UsernameToken.getLocalPart(), WSSConstants.TAG_wsse_UsernameToken.getNamespaceURI(), SecurePart.Modifier.Element));
+ outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_wsu_Timestamp.getLocalPart(), WSSConstants.TAG_wsu_Timestamp.getNamespaceURI(), SecurePart.Modifier.Element));
outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
outSecurityProperties.setEncryptionUser("receiver");
outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_soap_Body_LocalName, WSSConstants.NS_SOAP11, SecurePart.Modifier.Content));
+ outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Created.getLocalPart(), WSSConstants.TAG_wsu_Created.getNamespaceURI(), SecurePart.Modifier.Element));
+ outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Expires.getLocalPart(), WSSConstants.TAG_wsu_Expires.getNamespaceURI(), SecurePart.Modifier.Content));
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
ByteArrayOutputStream baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
@@ -2085,8 +2121,126 @@ public class AsymmetricBindingIntegratio
inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
- inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, null));
+ inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
+ Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
+
+ //read the whole stream:
+ Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ transformer.transform(new DOMSource(document), new StreamResult(
+ new OutputStream() {
+ @Override
+ public void write(int b) throws IOException {
+ // > /dev/null
+ }
+ }
+ ));
+ }
+
+ @Test
+ public void testTokenScenarioLateEncryption() throws Exception {
+
+ String policyString =
+ "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
+ "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
+ " <wsp:All>\n" +
+ " <sp:AsymmetricBinding>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:InitiatorToken>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:SamlToken IncludeToken=\" http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always\">\n" +
+ " <sp:IssuerName>www.example.com</sp:IssuerName>\n" +
+ " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
+ " <sp:WssSamlV20Token11/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:SamlToken>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:InitiatorToken>\n" +
+ " <sp:RecipientToken>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:X509Token IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
+ " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:RequireDerivedKeys/>\n" +
+ " <sp:WssX509V3Token11/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:X509Token>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:RecipientToken>\n" +
+ " <sp:AlgorithmSuite>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:Basic256/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:AlgorithmSuite>\n" +
+ " <sp:IncludeTimestamp/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:AsymmetricBinding>\n" +
+ " <sp:SignedSupportingTokens>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:UsernameToken IncludeToken=\" http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\"/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:SignedSupportingTokens>\n" +
+ " <sp:SignedParts>\n" +
+ " <sp:Body/>\n" +
+ " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
+ " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
+ " </sp:SignedParts>\n" +
+ " <sp:SignedElements>\n" +
+ " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+ " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+ " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+ " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
+ " </sp:XPath>\n" +
+ " </sp:SignedElements>\n" +
+ " <sp:EncryptedElements>\n" +
+ " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+ " xmlns:wsdl=\"http://schemas.xmlsoap.org/wsdl/\" " +
+ " xmlns:xsd=\"http://www.w3.org/1999/XMLSchema\">" +
+ " /soap:Envelope/soap:Body/wsdl:definitions/wsdl:types/xsd:schema/xsd:simpleType" +
+ " </sp:XPath>\n" +
+ " </sp:EncryptedElements>\n" +
+ " </wsp:All>\n" +
+ " </wsp:ExactlyOne>";
+ WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
+ WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.TIMESTAMP, WSSConstants.USERNAMETOKEN, WSSConstants.SAML_TOKEN_SIGNED, WSSConstants.ENCRYPT_WITH_DERIVED_KEY};
+ outSecurityProperties.setOutAction(actions);
+ CallbackHandlerImpl callbackHandler = new CallbackHandlerImpl();
+ callbackHandler.setSamlVersion(SAMLVersion.VERSION_20);
+ callbackHandler.setStatement(CallbackHandlerImpl.Statement.AUTHN);
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+ callbackHandler.setIssuer("www.example.com");
+ byte[] secret = new byte[128 / 8];
+ WSSConstants.secureRandom.nextBytes(secret);
+ callbackHandler.setSecret(secret);
+ KeyStore keyStore = KeyStore.getInstance("jks");
+ keyStore.load(this.getClass().getClassLoader().getResourceAsStream("transmitter.jks"), "default".toCharArray());
+ Merlin crypto = new Merlin();
+ crypto.setKeyStore(keyStore);
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias("transmitter");
+ callbackHandler.setCerts(crypto.getX509Certificates(cryptoType));
+ outSecurityProperties.setCallbackHandler(callbackHandler);
+ outSecurityProperties.setTokenUser("tester");
+ outSecurityProperties.setSignatureKeyIdentifierType(WSSConstants.KeyIdentifierType.EMBEDDED_KEYIDENTIFIER_REF);
+ outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ outSecurityProperties.setSignatureUser("transmitter");
+ outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_soap_Body_LocalName, WSSConstants.NS_SOAP11, SecurePart.Modifier.Element));
+ outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_wsse_UsernameToken.getLocalPart(), WSSConstants.TAG_wsse_UsernameToken.getNamespaceURI(), SecurePart.Modifier.Element));
+ outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_wsu_Timestamp.getLocalPart(), WSSConstants.TAG_wsu_Timestamp.getNamespaceURI(), SecurePart.Modifier.Element));
+ outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ outSecurityProperties.setEncryptionUser("receiver");
+ outSecurityProperties.addEncryptionPart(new SecurePart("simpleType", "http://www.w3.org/1999/XMLSchema", SecurePart.Modifier.Element));
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ ByteArrayOutputStream baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
+
+ WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
+ inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+
+ PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
+ inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
//read the whole stream: