Posted to commits@cxf.apache.org by dk...@apache.org on 2010/11/15 16:32:13 UTC
svn commit: r1035309 - in /cxf/branches/2.3.x-fixes: ./
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
systests/ws-specs/src/test/java/org/apache/cxf/systest/...
Author: dkulp
Date: Mon Nov 15 15:32:12 2010
New Revision: 1035309
URL: http://svn.apache.org/viewvc?rev=1035309&view=rev
Log:
Merged revisions 1035302 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1035302 | dkulp | 2010-11-15 10:26:52 -0500 (Mon, 15 Nov 2010) | 2 lines
[CXF-3041, CXF-3042] Clean up the checks for the various request-only or
response-only security cases
........
Modified:
cxf/branches/2.3.x-fixes/ (props changed)
cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl
Propchange: cxf/branches/2.3.x-fixes/
------------------------------------------------------------------------------
--- svnmerge-integrated (original)
+++ svnmerge-integrated Mon Nov 15 15:32:12 2010
@@ -1 +1 @@
-/cxf/trunk:1-1022155,1022157-1023401,1023420-1030540,1030542-1031074,1031076-1033529,1033531,1033533-1033888,1033890-1033925,1033927-1034174,1034637,1035203,1035206,1035220
+/cxf/trunk:1-1022155,1022157-1023401,1023420-1030540,1030542-1031074,1031076-1033529,1033531,1033533-1033888,1033890-1033925,1033927-1034174,1034637,1035203,1035206,1035220,1035302
Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1035309&r1=1035308&r2=1035309&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Mon Nov 15 15:32:12 2010
@@ -192,7 +192,11 @@ public class PolicyBasedWSS4JInIntercept
}
return false;
}
- private void assertPolicy(AssertionInfoMap aim, Token token, boolean derived) {
+ private void assertPolicy(AssertionInfoMap aim, Token token, Boolean derived) {
+ if (derived == null) {
+ //no keys were needed for anything
+ return;
+ }
if (!derived && token instanceof X509Token && token.isDerivedKeys()) {
notAssertPolicy(aim, token, "No derived keys found.");
}
@@ -461,7 +465,7 @@ public class PolicyBasedWSS4JInIntercept
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
Collection<WSDataRef> signed = new HashSet<WSDataRef>();
Collection<WSDataRef> encrypted = new HashSet<WSDataRef>();
- boolean hasDerivedKeys = false;
+ Boolean hasDerivedKeys = null;
boolean hasEndorsement = false;
Protections prots = Protections.NONE;
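Review bot: `Boolean hasDerivedKeys = null;` turns a flag into a three-state value whose meaning (null = no SIGN/ENCR result seen, FALSE = SIGN or ENCR seen without a DKT, TRUE = a DKT result seen) can only be reconstructed by reading the switch cases in the two following hunks; a comment at the declaration would spare the next reader that work: `// null: no signature/encryption result processed yet; FALSE: sig/encr seen without derived keys; TRUE: a DKT result was seen`. The null-to-FALSE promotion is then duplicated verbatim in the SIGN and ENCR cases; a private helper or a local boolean set before the switch and folded in afterwards would remove the copy. The enclosing method starts before this hunk and ends after it.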
@@ -471,6 +475,9 @@ public class PolicyBasedWSS4JInIntercept
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
switch (actInt.intValue()) {
case WSConstants.SIGN:
+ if (hasDerivedKeys == null) {
+ hasDerivedKeys = Boolean.FALSE;
+ }
List<WSDataRef> sl = CastUtils.cast((List<?>)wser
.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
if (sl != null) {
@@ -487,6 +494,9 @@ public class PolicyBasedWSS4JInIntercept
}
break;
case WSConstants.ENCR:
+ if (hasDerivedKeys == null) {
+ hasDerivedKeys = Boolean.FALSE;
+ }
List<WSDataRef> el = CastUtils.cast((List<?>)wser
.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
if (el != null) {
@@ -519,7 +529,7 @@ public class PolicyBasedWSS4JInIntercept
assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
break;
case WSConstants.DKT:
- hasDerivedKeys = true;
+ hasDerivedKeys = Boolean.TRUE;
break;
case WSConstants.SC:
assertPolicy(aim, SP12Constants.WSS11);
@@ -611,7 +621,7 @@ public class PolicyBasedWSS4JInIntercept
SoapMessage message,
SOAPMessage doc,
Protections prots,
- boolean derived) {
+ Boolean derived) {
Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
if (ais == null) {
return true;
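Review bot: Changing the parameter to `Boolean derived` here, and in the next hunk for the asymmetric-binding check, makes null a legal argument, since the caller now passes `hasDerivedKeys`, which stays null when neither a SIGN nor an ENCR result was processed; both method bodies lie outside the hunk, so it is not visible whether they unbox `derived` (`if (derived)`, `!derived`) before a null check, which would throw NullPointerException on exactly the request-only/response-only messages this commit targets. Either guard as assertPolicy does or document the contract on both signatures: `@param derived null when neither a signature nor an encryption result was processed for this message`.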
@@ -652,7 +662,7 @@ public class PolicyBasedWSS4JInIntercept
SoapMessage message,
SOAPMessage doc,
Protections prots,
- boolean derived) {
+ Boolean derived) {
Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
if (ais == null) {
return true;
Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1035309&r1=1035308&r2=1035309&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Mon Nov 15 15:32:12 2010
@@ -348,7 +348,10 @@ public class AsymmetricBindingHandler ex
assertUnusedTokens(abinding.getInitiatorToken());
}
sigToken = wrapper.getToken();
-
+ sigParts.addAll(this.getSignedParts());
+ if (sigParts.isEmpty()) {
+ return;
+ }
if (sigToken.isDerivedKeys()) {
// Set up the encrypted key to use
setupEncryptedKey(wrapper, sigToken);
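Review bot: The new `if (sigParts.isEmpty()) return;` leaves the enclosing method before the derived-keys branch and before whatever follows the signature block; the method starts and ends outside the hunk, so if anything after the signature code in this method is still expected when there is nothing to sign, the early return now skips it — worth confirming against the full method. Moving `sigParts.addAll(this.getSignedParts())` ahead of the branch also changes the derived-keys path, which previously did not receive the signed parts from this line; if that branch already adds them itself, they would now be referenced twice. A one-line comment on the early return, `// nothing to sign in this direction (e.g. unsigned request, SignedParts only on the response)`, would tie it to CXF-3041.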
@@ -388,6 +391,7 @@ public class AsymmetricBindingHandler ex
e.printStackTrace();
}
} else {
+
WSSecSignature sig = getSignatureBuider(wrapper, sigToken, false);
// This action must occur before sig.prependBSTElementToHeader
@@ -398,7 +402,6 @@ public class AsymmetricBindingHandler ex
sig.prependBSTElementToHeader(secHeader);
insertBeforeBottomUp(sig.getSignatureElement());
- sigParts.addAll(this.getSignedParts());
sig.addReferencesToSign(sigParts, secHeader);
sig.computeSignature();
Modified: cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=1035309&r1=1035308&r2=1035309&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java (original)
+++ cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java Mon Nov 15 15:32:12 2010
@@ -74,6 +74,9 @@ public class SecurityPolicyTest extends
public static final String POLICY_XPATH_ADDRESS = "http://localhost:" + PORT + "/SecPolTestXPath";
public static final String POLICY_SIGNONLY_ADDRESS = "http://localhost:" + PORT + "/SecPolTestSignedOnly";
+ public static final String POLICY_CXF3041_ADDRESS = "http://localhost:" + PORT + "/SecPolTestCXF3041";
+ public static final String POLICY_CXF3042_ADDRESS = "http://localhost:" + PORT + "/SecPolTestCXF3042";
+
public static class ServerPasswordCallback implements CallbackHandler {
public void handle(Callback[] callbacks) throws IOException,
@@ -88,7 +91,8 @@ public class SecurityPolicyTest extends
}
}
-
+ private DoubleItService service = new DoubleItService();
+
@BeforeClass
public static void init() throws Exception {
@@ -159,11 +163,30 @@ public class SecurityPolicyTest extends
SecurityPolicyTest.class.getResource("bob.properties").toString());
ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES,
SecurityPolicyTest.class.getResource("alice.properties").toString());
+
+
+ ep = (EndpointImpl)Endpoint.publish(POLICY_CXF3041_ADDRESS,
+ new DoubleItImplCXF3041());
+ ei = ep.getServer().getEndpoint().getEndpointInfo();
+ ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
+ ei.setProperty(SecurityConstants.SIGNATURE_PROPERTIES,
+ SecurityPolicyTest.class.getResource("bob.properties").toString());
+ ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES,
+ SecurityPolicyTest.class.getResource("alice.properties").toString());
+
+ ep = (EndpointImpl)Endpoint.publish(POLICY_CXF3042_ADDRESS,
+ new DoubleItImplCXF3042());
+ ei = ep.getServer().getEndpoint().getEndpointInfo();
+ ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
+ ei.setProperty(SecurityConstants.SIGNATURE_PROPERTIES,
+ SecurityPolicyTest.class.getResource("alice.properties").toString());
+ ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES,
+ SecurityPolicyTest.class.getResource("alice.properties").toString());
+
}
@Test
public void testPolicy() throws Exception {
- DoubleItService service = new DoubleItService();
DoubleItPortType pt;
pt = service.getDoubleItPortXPath();
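Review bot: The endpoint setup in init() is now the same five-statement sequence repeated per published endpoint, differing only in the address, the implementor and which properties file plays the signature and encryption role; a private static helper such as `publish(String address, Object impl, String sigProps, String encProps)` would shrink the hunk and make the deliberate bob/alice versus alice/alice difference between the CXF3041 and CXF3042 endpoints visible at the call site instead of buried in repeated lines. A short comment on why the CXF3042 endpoint uses alice.properties for both roles would also help, since every other endpoint here splits them. init() begins before this hunk.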
@@ -246,7 +269,6 @@ public class SecurityPolicyTest extends
@Test
public void testSignedOnlyWithUnsignedMessage() throws Exception {
//CXF-2244
- DoubleItService service = new DoubleItService();
DoubleItPortType pt;
pt = service.getDoubleItPortSignedOnly();
@@ -277,7 +299,6 @@ public class SecurityPolicyTest extends
@Test
public void testDispatchClient() throws Exception {
- DoubleItService service = new DoubleItService();
Dispatch<Source> disp = service.createDispatch(DoubleItService.DoubleItPortEncryptThenSign,
Source.class,
Mode.PAYLOAD);
@@ -418,4 +439,58 @@ public class SecurityPolicyTest extends
}
}
+
+
+
+ @WebService(targetNamespace = "http://cxf.apache.org/policytest/DoubleIt",
+ portName = "DoubleItPortCXF3041",
+ serviceName = "DoubleItService",
+ endpointInterface = "org.apache.cxf.policytest.doubleit.DoubleItPortType",
+ wsdlLocation = "classpath:/wsdl_systest_wsspec/DoubleIt.wsdl")
+ public static class DoubleItImplCXF3041 implements DoubleItPortType {
+ /** {@inheritDoc}*/
+ public BigInteger doubleIt(BigInteger numberToDouble) {
+ return numberToDouble.multiply(new BigInteger("2"));
+ }
+ }
+ @WebService(targetNamespace = "http://cxf.apache.org/policytest/DoubleIt",
+ portName = "DoubleItPortCXF3042",
+ serviceName = "DoubleItService",
+ endpointInterface = "org.apache.cxf.policytest.doubleit.DoubleItPortType",
+ wsdlLocation = "classpath:/wsdl_systest_wsspec/DoubleIt.wsdl")
+ public static class DoubleItImplCXF3042 implements DoubleItPortType {
+ /** {@inheritDoc}*/
+ public BigInteger doubleIt(BigInteger numberToDouble) {
+ return numberToDouble.multiply(new BigInteger("2"));
+ }
+ }
+
+ @Test
+ public void testCXF3041() throws Exception {
+ DoubleItPortType pt;
+
+ pt = service.getDoubleItPortCXF3041();
+ updateAddressPort(pt, PORT);
+ ((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,
+ new KeystorePasswordCallback());
+ ((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+ getClass().getResource("alice.properties"));
+ ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,
+ getClass().getResource("bob.properties"));
+ assertEquals(BigInteger.valueOf(10), pt.doubleIt(BigInteger.valueOf(5)));
+ }
+
+ @Test
+ public void testCXF3042() throws Exception {
+ DoubleItPortType pt;
+ pt = service.getDoubleItPortCXF3042();
+ updateAddressPort(pt, PORT);
+ ((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,
+ new KeystorePasswordCallback());
+ ((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+ getClass().getResource("alice.properties"));
+ ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,
+ getClass().getResource("alice.properties"));
+ assertEquals(BigInteger.valueOf(10), pt.doubleIt(BigInteger.valueOf(5)));
+ }
}
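Review bot: testCXF3041 and testCXF3042 exercise only the accepted path (signed response only, encrypted request only) and assert the doubled value; for a change to the policy-assertion code the negative half is what protects against regressions, so a case in which the protected direction is left unprotected and the call is expected to fail (a SOAPFaultException or the policy exception the interceptor raises) would be worth adding. The two impl classes are identical apart from the `@WebService` portName; one class published on both ports, or a shared base, would avoid the copy. The tests put `getClass().getResource("alice.properties")` (a URL) into the request context while init() passes `.toString()`; if the property is accepted either way this is fine, but using one form throughout would remove the question.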
Modified: cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl?rev=1035309&r1=1035308&r2=1035309&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl (original)
+++ cxf/branches/2.3.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl Mon Nov 15 15:32:12 2010
@@ -149,6 +149,39 @@
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
+
+ <wsdl:binding name="DoubleItBindingCXF3041" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#CXF3041"/>
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <wsp:PolicyReference URI="#SignBody"/>
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ </wsdl:binding>
+ <wsdl:binding name="DoubleItBindingCXF3042" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#CXF3042"/>
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <wsp:PolicyReference URI="#EncrBody"/>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ </wsdl:binding>
+
+
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItPortHttps" binding="tns:DoubleItBinding">
<soap:address location="https://localhost:9009/SecPolTest" />
@@ -174,6 +207,12 @@
<wsdl:port name="DoubleItPortTimestampOnly" binding="tns:DoubleItBindingTimestampOnly">
<soap:address location="http://localhost:9010/SecPolTestTimestampOnly" />
</wsdl:port>
+ <wsdl:port name="DoubleItPortCXF3041" binding="tns:DoubleItBindingCXF3041">
+ <soap:address location="http://localhost:9010/SecPolTestCXF3041" />
+ </wsdl:port>
+ <wsdl:port name="DoubleItPortCXF3042" binding="tns:DoubleItBindingCXF3042">
+ <soap:address location="http://localhost:9010/SecPolTestCXF3042" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItBindingPolicy">
@@ -542,5 +581,133 @@
</wsp:ExactlyOne>
</wsp:Policy>
+
+
+ <!-- Policy for asymmetric binding with the certificate included in the message from
+ client to server but only a thumbprint on messages from the server to the client. -->
+ <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
+ "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <sp:AsymmetricBinding>
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:RequireThumbprintReference/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:RequireThumbprintReference/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128Rsa15/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ </wsp:Policy>
+ <!-- Policy for signing the message body. -->
+ <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
+ "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <sp:SignedParts>
+ <sp:Body/>
+ </sp:SignedParts>
+ </wsp:Policy>
+ <!-- Policy for encrypting the message body. -->
+ <wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
+ "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <sp:EncryptedParts>
+ <sp:Body/>
+ </sp:EncryptedParts>
+ </wsp:Policy>
+
+ <!-- Policy for asymmetric binding with the certificate included in the message from
+ client to server but only a thumbprint on messages from the server to the client. -->
+ <wsp:Policy wsu:Id="CXF3041" xmlns:wsu=
+ "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <sp:AsymmetricBinding>
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:RequireThumbprintReference/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:RequireThumbprintReference/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128Rsa15/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ </wsp:Policy>
+
+
+
+ <!-- Policy for symmetric binding, using an ephemeral key generated by the client and
+ sent to the server as part of the request, using asymmetric encryption with the server
+ public key to secure the symmetric key. -->
+ <wsp:Policy wsu:Id="CXF3042"
+ xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+ xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <sp:SymmetricBinding>
+ <wsp:Policy>
+ <sp:ProtectionToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:RequireDerivedKeys/>
+ <sp:RequireThumbprintReference/>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:ProtectionToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128Rsa15/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:OnlySignEntireHeadersAndBody/>
+ </wsp:Policy>
+ </sp:SymmetricBinding>
+ <sp:Wss11>
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier/>
+ <sp:MustSupportRefThumbprint/>
+ <sp:MustSupportRefEncryptedKey/>
+ </wsp:Policy>
+ </sp:Wss11>
+ </wsp:Policy>
</wsdl:definitions>
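Review bot: The `CXF3042` policy declares `xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"` while every other policy in this hunk, and the `wsp:PolicyReference` elements in the new bindings, use `http://www.w3.org/ns/ws-policy`; those are two different WS-Policy namespaces, so the nested `wsp:Policy` elements inside CXF3042 are not in the namespace of the reference that points at it — if the test passes only because the engine accepts both dialects, that should be deliberate, and aligning the declaration is the safer fix. The `xmlns:wsaw` declaration on the same element is unused. The `AsymmBinding` policy is byte-identical to `CXF3041` and is not referenced by any binding in this diff; if nothing else references it, drop it. `Basic128Rsa15` in all three new policies selects RSA 1.5 key transport, which is discouraged today; acceptable in a fixture that mirrors the existing policies, but a comment would keep it from being copied into production samples.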