Posted to commits@cxf.apache.org by co...@apache.org on 2013/05/23 15:17:32 UTC
svn commit: r1485693 [9/14] - in /cxf/trunk: ./
distribution/src/main/release/samples/sts/src/main/java/demo/wssec/client/
distribution/src/main/release/samples/sts/src/main/java/demo/wssec/server/
distribution/src/main/release/samples/sts/src/main/jav...
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,17 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
/**
* Validate SupportingToken policies.
@@ -54,21 +53,22 @@ public class ConcreteSupportingTokenPoli
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SUPPORTING_TOKENS);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
+ setMessage(message);
+ setResults(results);
+ setSignedResults(signedResults);
+ setEncryptedResults(encryptedResults);
+
+ parsePolicies(ais, message);
}
- setMessage(message);
- setResults(results);
- setSignedResults(signedResults);
- setEncryptedResults(encryptedResults);
-
+ return true;
+ }
+
+ private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
for (AssertionInfo ai : ais) {
- SupportingToken binding = (SupportingToken)ai.getAssertion();
- if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SUPPORTING != binding.getTokenType()) {
- continue;
- }
+ SupportingTokens binding = (SupportingTokens)ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
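Review bot: The null guard on the assertion collection is gone: the new `ais.isEmpty()` dereferences the result of `getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS)` directly, where the old `aim.get(...)` path checked `ais == null` first. That helper is outside this hunk, so either it is documented never to return null or the guard should come back as `if (ais != null && !ais.isEmpty()) {`. The lookup is now by local name only and the `getTokenType()` filter is dropped, so every assertion named SupportingTokens, whatever its WS-SecurityPolicy namespace, reaches the unchecked `(SupportingTokens)ai.getAssertion()` cast; a one-line comment stating that the namespace-agnostic lookup is intentional would spare the next reader the question. The parsePolicies loop body continues past the end of the hunk, and the same pattern is repeated in the Encrypted and Endorsing validators in this commit.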
@@ -76,8 +76,8 @@ public class ConcreteSupportingTokenPoli
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
- List<Token> tokens = binding.getTokens();
- for (Token token : tokens) {
+ List<AbstractToken> tokens = binding.getTokens();
+ for (AbstractToken token : tokens) {
if (!isTokenRequired(token, message)) {
continue;
}
@@ -118,10 +118,7 @@ public class ConcreteSupportingTokenPoli
continue;
}
}
-
}
-
- return true;
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,7 +25,7 @@ import java.util.List;
import org.w3c.dom.Element;
import org.apache.cxf.helpers.DOMUtils;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
/**
* Validate a WS-SecurityPolicy Claims policy for the
@@ -42,7 +42,7 @@ public class DefaultClaimsPolicyValidato
*/
public boolean validatePolicy(
Element claimsPolicy,
- AssertionWrapper assertion
+ SamlAssertionWrapper assertion
) {
if (claimsPolicy == null) {
return false;
@@ -78,7 +78,7 @@ public class DefaultClaimsPolicyValidato
return DEFAULT_CLAIMS_NAMESPACE;
}
- private boolean findClaimInAssertion(AssertionWrapper assertion, URI claimURI) {
+ private boolean findClaimInAssertion(SamlAssertionWrapper assertion, URI claimURI) {
if (assertion.getSaml1() != null) {
return findClaimInAssertion(assertion.getSaml1(), claimURI);
} else if (assertion.getSaml2() != null) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,17 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
/**
* Validate an EncryptedSupportingToken policy.
@@ -54,21 +53,22 @@ public class EncryptedTokenPolicyValidat
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
+ setMessage(message);
+ setResults(results);
+ setSignedResults(signedResults);
+ setEncryptedResults(encryptedResults);
+
+ parsePolicies(ais, message);
}
- setMessage(message);
- setResults(results);
- setSignedResults(signedResults);
- setEncryptedResults(encryptedResults);
-
+ return true;
+ }
+
+ private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
for (AssertionInfo ai : ais) {
- SupportingToken binding = (SupportingToken)ai.getAssertion();
- if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENCRYPTED != binding.getTokenType()) {
- continue;
- }
+ SupportingTokens binding = (SupportingTokens)ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
@@ -76,8 +76,8 @@ public class EncryptedTokenPolicyValidat
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
- List<Token> tokens = binding.getTokens();
- for (Token token : tokens) {
+ List<AbstractToken> tokens = binding.getTokens();
+ for (AbstractToken token : tokens) {
if (!isTokenRequired(token, message)) {
continue;
}
@@ -119,8 +119,6 @@ public class EncryptedTokenPolicyValidat
}
}
}
-
- return true;
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,18 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
/**
* Validate an EndorsingEncryptedSupportingToken policy.
@@ -55,22 +55,23 @@ public class EndorsingEncryptedTokenPoli
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
+ setMessage(message);
+ setResults(results);
+ setSignedResults(signedResults);
+ setEncryptedResults(encryptedResults);
+
+ parsePolicies(ais, message);
}
- setMessage(message);
- setResults(results);
- setSignedResults(signedResults);
- setEncryptedResults(encryptedResults);
-
+ return true;
+ }
+
+ private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
for (AssertionInfo ai : ais) {
- SupportingToken binding = (SupportingToken)ai.getAssertion();
- if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENDORSING_ENCRYPTED
- != binding.getTokenType()) {
- continue;
- }
+ SupportingTokens binding = (SupportingTokens)ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
@@ -78,14 +79,14 @@ public class EndorsingEncryptedTokenPoli
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
- List<Token> tokens = binding.getTokens();
- for (Token token : tokens) {
+ List<AbstractToken> tokens = binding.getTokens();
+ for (AbstractToken token : tokens) {
if (!isTokenRequired(token, message)) {
continue;
}
- boolean derived = token.isDerivedKeys();
- setDerived(derived);
+ DerivedKeys derivedKeys = token.getDerivedKeys();
+ setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys);
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens()) {
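Review bot: `setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys)` narrows what the removed boolean `token.isDerivedKeys()` covered: WS-SecurityPolicy also defines RequireExplicitDerivedKeys and RequireImpliedDerivedKeys, and if the DerivedKeys enum carries those members a policy using one of them is now validated with derived = false, so the endorsing signature would be matched against the wrong key type. Unless the new model collapses those variants into RequireDerivedKeys, the safer mapping is `setDerived(derivedKeys != null);` (assuming absence is represented as null — confirm against the model) or an explicit check of each member. The token loop and the enclosing parsePolicies continue past the end of the hunk.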
@@ -124,8 +125,6 @@ public class EndorsingEncryptedTokenPoli
}
}
}
-
- return true;
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,18 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
/**
* Validate an EndorsingSupportingToken policy.
@@ -55,21 +55,23 @@ public class EndorsingTokenPolicyValidat
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
+ setMessage(message);
+ setResults(results);
+ setSignedResults(signedResults);
+ setEncryptedResults(encryptedResults);
+
+ parsePolicies(ais, message);
}
- setMessage(message);
- setResults(results);
- setSignedResults(signedResults);
- setEncryptedResults(encryptedResults);
-
+ return true;
+ }
+
+ private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
for (AssertionInfo ai : ais) {
- SupportingToken binding = (SupportingToken)ai.getAssertion();
- if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENDORSING != binding.getTokenType()) {
- continue;
- }
+ SupportingTokens binding = (SupportingTokens)ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
@@ -77,14 +79,14 @@ public class EndorsingTokenPolicyValidat
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
- List<Token> tokens = binding.getTokens();
- for (Token token : tokens) {
+ List<AbstractToken> tokens = binding.getTokens();
+ for (AbstractToken token : tokens) {
if (!isTokenRequired(token, message)) {
continue;
}
- boolean derived = token.isDerivedKeys();
- setDerived(derived);
+ DerivedKeys derivedKeys = token.getDerivedKeys();
+ setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys);
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens()) {
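Review bot: `setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys)` treats only one derived-key variant as derived, whereas the removed `token.isDerivedKeys()` was a single boolean; WS-SecurityPolicy also defines RequireExplicitDerivedKeys and RequireImpliedDerivedKeys, and if the enum exposes them a policy using either would be validated here as non-derived, so the endorsing signature check would look for the wrong key. If absence is represented as null in the new model, `setDerived(derivedKeys != null);` keeps the old semantics; otherwise enumerate the members explicitly. The loop body continues past the end of the hunk.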
@@ -122,8 +124,6 @@ public class EndorsingTokenPolicyValidat
}
}
}
-
- return true;
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -29,12 +29,12 @@ import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.saml.SAMLKeyInfo;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.policy.model.IssuedToken;
import org.opensaml.common.SAMLVersion;
@@ -58,7 +58,7 @@ public class IssuedTokenPolicyValidator
public boolean validatePolicy(
Collection<AssertionInfo> ais,
- AssertionWrapper assertionWrapper
+ SamlAssertionWrapper assertionWrapper
) {
if (ais == null || ais.isEmpty()) {
return true;
@@ -79,7 +79,7 @@ public class IssuedTokenPolicyValidator
continue;
}
- Element template = issuedToken.getRstTemplate();
+ Element template = issuedToken.getRequestSecurityTokenTemplate();
if (template != null && !checkIssuedTokenTemplate(template, assertionWrapper)) {
ai.setNotAsserted("Error in validating the IssuedToken policy");
continue;
@@ -130,7 +130,7 @@ public class IssuedTokenPolicyValidator
return false;
}
- Element template = issuedToken.getRstTemplate();
+ Element template = issuedToken.getRequestSecurityTokenTemplate();
if (template != null && !checkIssuedTokenTemplate(template, binarySecurityToken)) {
ai.setNotAsserted("Error in validating the IssuedToken policy");
return false;
@@ -142,7 +142,7 @@ public class IssuedTokenPolicyValidator
/**
* Check the issued token template against the received assertion
*/
- private boolean checkIssuedTokenTemplate(Element template, AssertionWrapper assertionWrapper) {
+ private boolean checkIssuedTokenTemplate(Element template, SamlAssertionWrapper assertionWrapper) {
Element child = DOMUtils.getFirstElement(template);
while (child != null) {
if ("TokenType".equals(child.getLocalName())) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -21,12 +21,15 @@ package org.apache.cxf.ws.security.wss4j
import java.util.Collection;
+import javax.xml.namespace.QName;
+
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.ws.security.message.token.KerberosSecurity;
+import org.apache.wss4j.dom.message.token.KerberosSecurity;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KerberosToken.ApReqTokenType;
/**
* Validate a WSSecurityEngineResult corresponding to the processing of a Kerberos Token
@@ -46,36 +49,67 @@ public class KerberosTokenPolicyValidato
AssertionInfoMap aim,
KerberosSecurity kerberosToken
) {
- Collection<AssertionInfo> krbAis = aim.get(SP12Constants.KERBEROS_TOKEN);
- if (krbAis != null && !krbAis.isEmpty()) {
- for (AssertionInfo ai : krbAis) {
- KerberosToken kerberosTokenPolicy = (KerberosToken)ai.getAssertion();
- ai.setAsserted(true);
-
- if (!isTokenRequired(kerberosTokenPolicy, message)) {
- continue;
- }
-
- if (!checkToken(kerberosTokenPolicy, kerberosToken)) {
- ai.setNotAsserted("An incorrect Kerberos Token Type is detected");
- continue;
- }
- }
+ Collection<AssertionInfo> krbAis = getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+ if (!krbAis.isEmpty()) {
+ parsePolicies(aim, krbAis, kerberosToken);
}
+
return true;
}
- private boolean checkToken(KerberosToken kerberosTokenPolicy, KerberosSecurity kerberosToken) {
- boolean isV5ApReq = kerberosTokenPolicy.isV5ApReqToken11();
- boolean isGssV5ApReq = kerberosTokenPolicy.isGssV5ApReqToken11();
+ private void parsePolicies(
+ AssertionInfoMap aim,
+ Collection<AssertionInfo> ais,
+ KerberosSecurity kerberosToken
+ ) {
+ for (AssertionInfo ai : ais) {
+ KerberosToken kerberosTokenPolicy = (KerberosToken)ai.getAssertion();
+ ai.setAsserted(true);
+
+ if (!isTokenRequired(kerberosTokenPolicy, message)) {
+ assertPolicy(
+ aim,
+ new QName(kerberosTokenPolicy.getVersion().getNamespace(),
+ "WssKerberosV5ApReqToken11")
+ );
+ assertPolicy(
+ aim,
+ new QName(kerberosTokenPolicy.getVersion().getNamespace(),
+ "WssGssKerberosV5ApReqToken11")
+ );
+ continue;
+ }
+
+ if (!checkToken(aim, kerberosTokenPolicy, kerberosToken)) {
+ ai.setNotAsserted("An incorrect Kerberos Token Type is detected");
+ continue;
+ }
+ }
+ }
+
+ private boolean checkToken(
+ AssertionInfoMap aim,
+ KerberosToken kerberosTokenPolicy,
+ KerberosSecurity kerberosToken
+ ) {
+ ApReqTokenType apReqTokenType = kerberosTokenPolicy.getApReqTokenType();
- if (isV5ApReq && kerberosToken.isV5ApReq()) {
- return true;
- } else if (isGssV5ApReq && kerberosToken.isGssV5ApReq()) {
+ if (apReqTokenType == ApReqTokenType.WssKerberosV5ApReqToken11
+ && kerberosToken.isV5ApReq()) {
+ assertPolicy(
+ aim,
+ new QName(kerberosTokenPolicy.getVersion().getNamespace(), "WssKerberosV5ApReqToken11")
+ );
return true;
- } else if (!(isV5ApReq || isGssV5ApReq)) {
+ } else if (apReqTokenType == ApReqTokenType.WssGssKerberosV5ApReqToken11
+ && kerberosToken.isGssV5ApReq()) {
+ assertPolicy(
+ aim,
+ new QName(kerberosTokenPolicy.getVersion().getNamespace(), "WssGssKerberosV5ApReqToken11")
+ );
return true;
}
+
return false;
}
}
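Review bot: checkToken now rejects a KerberosToken policy that names no AP-REQ type: with `apReqTokenType` null neither branch matches and the method falls through to `return false`, whereas the removed `!(isV5ApReq || isGssV5ApReq)` branch accepted any Kerberos token in that case, so such policies now fail with "An incorrect Kerberos Token Type is detected". If that tightening is not intended, restore the lenient path with `} else if (apReqTokenType == null) { return true; }` before the final `return false;` (there is no nested assertion to assert in that case); if it is intended, a comment saying so would stop it being read as a regression. Separately, parsePolicies reads `message` in `isTokenRequired(kerberosTokenPolicy, message)` although it is not among its parameters, so it is presumably a field populated by the caller — worth confirming it is always set before this runs.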
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java Thu May 23 13:17:26 2013
@@ -29,17 +29,17 @@ import org.w3c.dom.Element;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.Layout;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityEngine;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.PKIPathSecurity;
-import org.apache.ws.security.message.token.X509Security;
-import org.apache.ws.security.saml.SAMLKeyInfo;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
+import org.apache.wss4j.dom.WSSecurityEngine;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.PKIPathSecurity;
+import org.apache.wss4j.dom.message.token.X509Security;
+import org.apache.wss4j.policy.model.Layout;
+import org.apache.wss4j.policy.model.Layout.LayoutType;
/**
* Validate a Layout policy.
@@ -57,9 +57,9 @@ public class LayoutPolicyValidator {
}
public boolean validatePolicy(Layout layout) {
- boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTsFirst;
- boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTsLast;
- boolean strict = layout.getValue() == SPConstants.Layout.Strict;
+ boolean timestampFirst = layout.getLayoutType() == LayoutType.LaxTsFirst;
+ boolean timestampLast = layout.getLayoutType() == LayoutType.LaxTsLast;
+ boolean strict = layout.getLayoutType() == LayoutType.Strict;
if (timestampFirst) {
if (results.isEmpty()) {
@@ -209,8 +209,8 @@ public class LayoutPolicyValidator {
}
} else if (actInt.intValue() == WSConstants.ST_SIGNED
|| actInt.intValue() == WSConstants.ST_UNSIGNED) {
- AssertionWrapper assertionWrapper =
- (AssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ SamlAssertionWrapper assertionWrapper =
+ (SamlAssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
if (samlKeyInfo != null) {
X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -24,19 +24,22 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
+import javax.xml.namespace.QName;
+
import org.w3c.dom.Element;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.wss4j.SAMLUtils;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.saml.DOMSAMLUtil;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SamlToken.SamlTokenType;
import org.opensaml.common.SAMLVersion;
/**
@@ -54,25 +57,39 @@ public class SamlTokenPolicyValidator ex
List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SAML_TOKEN);
- if (ais == null || ais.isEmpty()) {
- return true;
- }
-
body = soapBody;
signed = signedResults;
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+ if (!ais.isEmpty()) {
+ parsePolicies(aim, ais, message, results, signedResults);
+ }
+
+ return true;
+ }
+
+ private void parsePolicies(
+ AssertionInfoMap aim,
+ Collection<AssertionInfo> ais,
+ Message message,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
+ ) {
final List<Integer> actions = new ArrayList<Integer>(2);
actions.add(WSConstants.ST_SIGNED);
actions.add(WSConstants.ST_UNSIGNED);
List<WSSecurityEngineResult> samlResults =
- WSS4JUtils.fetchAllActionResults(results, actions);
+ WSSecurityUtil.fetchAllActionResults(results, actions);
for (AssertionInfo ai : ais) {
SamlToken samlToken = (SamlToken)ai.getAssertion();
ai.setAsserted(true);
if (!isTokenRequired(samlToken, message)) {
+ assertPolicy(
+ aim,
+ new QName(samlToken.getVersion().getNamespace(), samlToken.getSamlTokenType().name())
+ );
continue;
}
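Review bot: `samlToken.getSamlTokenType().name()` in the new assertPolicy call throws a NullPointerException when the SamlToken policy carries no nested token-type assertion; the boolean accessors it replaces tolerated that case, and the comparisons in checkVersion below are written null-safe, so this is the only place the type is dereferenced unguarded. Guard it: `SamlTokenType type = samlToken.getSamlTokenType(); if (type != null) { assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), type.name())); }`. The parsePolicies loop continues past the end of the hunk.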
@@ -85,10 +102,10 @@ public class SamlTokenPolicyValidator ex
// All of the received SAML Assertions must conform to the policy
for (WSSecurityEngineResult result : samlResults) {
- AssertionWrapper assertionWrapper =
- (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ SamlAssertionWrapper assertionWrapper =
+ (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- if (!checkVersion(samlToken, assertionWrapper)) {
+ if (!checkVersion(aim, samlToken, assertionWrapper)) {
ai.setNotAsserted("Wrong SAML Version");
continue;
}
@@ -101,7 +118,7 @@ public class SamlTokenPolicyValidator ex
ai.setNotAsserted("Assertion fails holder-of-key requirements");
continue;
}
- if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signed)) {
+ if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, body, signed)) {
ai.setNotAsserted("Assertion fails sender-vouches requirements");
continue;
}
@@ -112,8 +129,6 @@ public class SamlTokenPolicyValidator ex
*/
}
}
-
- return true;
}
/**
@@ -133,15 +148,22 @@ public class SamlTokenPolicyValidator ex
/**
* Check the policy version against the received assertion
*/
- private boolean checkVersion(SamlToken samlToken, AssertionWrapper assertionWrapper) {
- if ((samlToken.isUseSamlVersion11Profile10()
- || samlToken.isUseSamlVersion11Profile11())
+ private boolean checkVersion(
+ AssertionInfoMap aim,
+ SamlToken samlToken,
+ SamlAssertionWrapper assertionWrapper
+ ) {
+ SamlTokenType samlTokenType = samlToken.getSamlTokenType();
+ if ((samlTokenType == SamlTokenType.WssSamlV11Token10
+ || samlTokenType == SamlTokenType.WssSamlV11Token11)
&& assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) {
return false;
- } else if (samlToken.isUseSamlVersion20Profile11()
+ } else if (samlTokenType == SamlTokenType.WssSamlV20Token11
&& assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) {
return false;
}
+
+ assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), samlTokenType.name()));
return true;
}
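Review bot: checkVersion only rejects a version mismatch for WssSamlV11Token10, WssSamlV11Token11 and WssSamlV20Token11; any other SamlTokenType value falls through to `assertPolicy(...)` and returns true without comparing the received assertion's version at all, and a null samlTokenType passes both `==` tests and then throws on `samlTokenType.name()`. Making the check exhaustive — e.g. a `switch (samlTokenType)` with a `default` branch that returns false for an absent or unrecognised type — would make an unexpected policy value fail closed instead of open. If SamlTokenType has values beyond the three compared here (I cannot see the enum), that is the case that matters.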
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -27,11 +27,13 @@ import org.w3c.dom.Element;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.SecurityContextToken;
/**
* Validate a SecurityContextToken policy.
@@ -46,17 +48,31 @@ public class SecurityContextTokenPolicyV
List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURITY_CONTEXT_TOKEN);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
+ if (!ais.isEmpty()) {
+ parsePolicies(aim, ais, message, results);
}
-
+
+ return true;
+ }
+
+ private void parsePolicies(
+ AssertionInfoMap aim,
+ Collection<AssertionInfo> ais,
+ Message message,
+ List<WSSecurityEngineResult> results
+ ) {
List<WSSecurityEngineResult> sctResults =
- WSS4JUtils.fetchAllActionResults(results, WSConstants.SCT);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.SCT);
for (AssertionInfo ai : ais) {
SecurityContextToken sctPolicy = (SecurityContextToken)ai.getAssertion();
ai.setAsserted(true);
+
+ assertPolicy(aim, SP12Constants.REQUIRE_EXTERNAL_URI_REFERENCE);
+ assertPolicy(aim, SP12Constants.SC13_SECURITY_CONTEXT_TOKEN);
+ assertPolicy(aim, SP11Constants.SC10_SECURITY_CONTEXT_TOKEN);
if (!isTokenRequired(sctPolicy, message)) {
continue;
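Review bot: The three `assertPolicy` calls added before `isTokenRequired` mark RequireExternalUriReference, SC13 and SC10 SecurityContextToken as asserted unconditionally, before any received SCT has been examined and even when no SCT was required, so a policy demanding RequireExternalUriReference is reported satisfied without checking that the received token is actually referenced by an external URI. If that nested assertion is meant to be enforced rather than merely acknowledged, the assertion belongs after the token validation that follows (the remainder of the loop is outside this hunk). The calls also do not depend on `ai`, so executing them once above the `for` loop, with a comment stating why they are asserted without inspection, would make the intent explicit.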
@@ -69,7 +85,5 @@ public class SecurityContextTokenPolicyV
continue;
}
}
- return true;
}
-
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,17 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
/**
* Validate a SignedEncryptedSupportingToken policy.
@@ -55,21 +54,23 @@ public class SignedEncryptedTokenPolicyV
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
+ setMessage(message);
+ setResults(results);
+ setSignedResults(signedResults);
+ setEncryptedResults(encryptedResults);
+
+ parsePolicies(ais, message);
}
-
- setMessage(message);
- setResults(results);
- setSignedResults(signedResults);
- setEncryptedResults(encryptedResults);
+ return true;
+ }
+
+ private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
for (AssertionInfo ai : ais) {
- SupportingToken binding = (SupportingToken)ai.getAssertion();
- if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENCRYPTED != binding.getTokenType()) {
- continue;
- }
+ SupportingTokens binding = (SupportingTokens)ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
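Review bot: The four setter calls followed by `parsePolicies(ais, message)` are repeated verbatim in this hunk and in the matching hunks ending at L966, L1060 and L1153; a single protected helper on the shared parent (for instance `initialiseResults(message, results, signedResults, encryptedResults)`) would keep the four validators from drifting apart. The cast `(SupportingTokens) ai.getAssertion()` now relies entirely on getAllAssertionsByLocalname (defined outside the hunk) returning only SupportingTokens assertions, where the removed token-type comparison used to reject an assertion of the wrong kind — if the helper can return other assertion types for the same local name, an `instanceof` check before the cast preserves that defence. Dropping the `ais == null` check is safe only if that helper never returns null.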
@@ -77,8 +78,8 @@ public class SignedEncryptedTokenPolicyV
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
- List<Token> tokens = binding.getTokens();
- for (Token token : tokens) {
+ List<AbstractToken> tokens = binding.getTokens();
+ for (AbstractToken token : tokens) {
if (!isTokenRequired(token, message)) {
continue;
}
@@ -120,8 +121,7 @@ public class SignedEncryptedTokenPolicyV
}
}
}
-
- return true;
}
+
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,18 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
/**
* Validate a SignedEndorsingEncryptedSupportingToken policy.
@@ -56,22 +56,23 @@ public class SignedEndorsingEncryptedTok
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
+ setMessage(message);
+ setResults(results);
+ setSignedResults(signedResults);
+ setEncryptedResults(encryptedResults);
+
+ parsePolicies(ais, message);
}
-
- setMessage(message);
- setResults(results);
- setSignedResults(signedResults);
- setEncryptedResults(encryptedResults);
+ return true;
+ }
+
+ private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
for (AssertionInfo ai : ais) {
- SupportingToken binding = (SupportingToken)ai.getAssertion();
- if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENDORSING_ENCRYPTED
- != binding.getTokenType()) {
- continue;
- }
+ SupportingTokens binding = (SupportingTokens)ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
@@ -79,14 +80,14 @@ public class SignedEndorsingEncryptedTok
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
- List<Token> tokens = binding.getTokens();
- for (Token token : tokens) {
+ List<AbstractToken> tokens = binding.getTokens();
+ for (AbstractToken token : tokens) {
if (!isTokenRequired(token, message)) {
continue;
}
- boolean derived = token.isDerivedKeys();
- setDerived(derived);
+ DerivedKeys derivedKeys = token.getDerivedKeys();
+ setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys);
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens()) {
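Review bot: `setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys)` treats a policy of RequireImpliedDerivedKeys or RequireExplicitDerivedKeys as "not derived", so an endorsing token under either of those variants would be validated as if no derived key were required; the SymmetricBindingPolicyValidator hunks on this page assert REQUIRE_IMPLIED_DERIVED_KEYS and REQUIRE_EXPLICIT_DERIVED_KEYS, so those variants are live in the policy model. If the downstream `process*Tokens()` checks only whether a derived key was used, and getDerivedKeys() returns null when no variant is set, `setDerived(derivedKeys != null)` covers all three; otherwise the line needs a comment stating why only RequireDerivedKeys counts. The same line appears in the SignedEndorsingTokenPolicyValidator hunk ending at L1077, and the enclosing loop continues past both hunks.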
@@ -125,8 +126,6 @@ public class SignedEndorsingEncryptedTok
}
}
}
-
- return true;
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,18 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
/**
* Validate a SignedEndorsingSupportingToken policy.
@@ -55,21 +55,23 @@ public class SignedEndorsingTokenPolicyV
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
+ setMessage(message);
+ setResults(results);
+ setSignedResults(signedResults);
+ setEncryptedResults(encryptedResults);
+
+ parsePolicies(ais, message);
}
- setMessage(message);
- setResults(results);
- setSignedResults(signedResults);
- setEncryptedResults(encryptedResults);
-
+ return true;
+ }
+
+ private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
for (AssertionInfo ai : ais) {
- SupportingToken binding = (SupportingToken)ai.getAssertion();
- if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENDORSING != binding.getTokenType()) {
- continue;
- }
+ SupportingTokens binding = (SupportingTokens)ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
@@ -77,14 +79,14 @@ public class SignedEndorsingTokenPolicyV
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
- List<Token> tokens = binding.getTokens();
- for (Token token : tokens) {
+ List<AbstractToken> tokens = binding.getTokens();
+ for (AbstractToken token : tokens) {
if (!isTokenRequired(token, message)) {
continue;
}
- boolean derived = token.isDerivedKeys();
- setDerived(derived);
+ DerivedKeys derivedKeys = token.getDerivedKeys();
+ setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys);
boolean processingFailed = false;
if (token instanceof KerberosToken) {
if (!processKerberosTokens()) {
@@ -122,8 +124,6 @@ public class SignedEndorsingTokenPolicyV
}
}
}
-
- return true;
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,17 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
/**
* Validate SignedSupportingToken policies.
@@ -54,21 +53,23 @@ public class SignedTokenPolicyValidator
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+ if (!ais.isEmpty()) {
+ setMessage(message);
+ setResults(results);
+ setSignedResults(signedResults);
+ setEncryptedResults(encryptedResults);
+
+ parsePolicies(ais, message);
}
- setMessage(message);
- setResults(results);
- setSignedResults(signedResults);
- setEncryptedResults(encryptedResults);
-
+ return true;
+ }
+
+ private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
for (AssertionInfo ai : ais) {
- SupportingToken binding = (SupportingToken)ai.getAssertion();
- if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED != binding.getTokenType()) {
- continue;
- }
+ SupportingTokens binding = (SupportingTokens)ai.getAssertion();
ai.setAsserted(true);
setSignedParts(binding.getSignedParts());
@@ -76,8 +77,8 @@ public class SignedTokenPolicyValidator
setSignedElements(binding.getSignedElements());
setEncryptedElements(binding.getEncryptedElements());
- List<Token> tokens = binding.getTokens();
- for (Token token : tokens) {
+ List<AbstractToken> tokens = binding.getTokens();
+ for (AbstractToken token : tokens) {
if (!isTokenRequired(token, message)) {
continue;
}
@@ -118,10 +119,6 @@ public class SignedTokenPolicyValidator
continue;
}
}
-
}
-
- return true;
}
-
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SupportingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SupportingTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SupportingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SupportingTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,7 +25,7 @@ import org.w3c.dom.Element;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
/**
* Validate a WS-SecurityPolicy corresponding to a SupportingToken.
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java Thu May 23 13:17:26 2013
@@ -27,10 +27,10 @@ import org.w3c.dom.Element;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.SymmetricBinding;
/**
* Validate a SymmetricBinding policy.
@@ -45,11 +45,23 @@ public class SymmetricBindingPolicyValid
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
+ parsePolicies(aim, ais, message, soapBody, results, signedResults, encryptedResults);
}
+ return true;
+ }
+
+ private void parsePolicies(
+ AssertionInfoMap aim,
+ Collection<AssertionInfo> ais,
+ Message message,
+ Element soapBody,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults,
+ List<WSSecurityEngineResult> encryptedResults
+ ) {
boolean hasDerivedKeys = false;
for (WSSecurityEngineResult result : results) {
Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
@@ -64,7 +76,7 @@ public class SymmetricBindingPolicyValid
ai.setAsserted(true);
// Check the protection order
- if (!checkProtectionOrder(binding, ai, results)) {
+ if (!checkProtectionOrder(binding, aim, ai, results)) {
continue;
}
@@ -78,8 +90,6 @@ public class SymmetricBindingPolicyValid
continue;
}
}
-
- return true;
}
/**
@@ -101,6 +111,9 @@ public class SymmetricBindingPolicyValid
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
+ assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+ assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+ assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
}
if (binding.getSignatureToken() != null) {
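Review bot: After the derived-keys check succeeds, all three of REQUIRE_DERIVED_KEYS, REQUIRE_IMPLIED_DERIVED_KEYS and REQUIRE_EXPLICIT_DERIVED_KEYS are asserted regardless of which variant the policy contains and which form the message used; unless the preceding check (partly outside this hunk) already distinguishes implied from explicit derived keys, a RequireExplicitDerivedKeys policy would be reported satisfied by a message using implied derived keys. The identical three lines recur in the hunks ending at L1264 and L1273; a private `assertDerivedKeys(aim)` helper, with a comment on why all three variants are asserted together, would remove the triplication and give that reasoning one home.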
@@ -111,6 +124,9 @@ public class SymmetricBindingPolicyValid
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
+ assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+ assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+ assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
}
if (binding.getProtectionToken() != null) {
@@ -121,6 +137,9 @@ public class SymmetricBindingPolicyValid
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
+ assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+ assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+ assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
}
return true;
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,7 +25,7 @@ import org.w3c.dom.Element;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
/**
* Validate a WS-SecurityPolicy corresponding to a received token.
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java Thu May 23 13:17:26 2013
@@ -22,6 +22,8 @@ package org.apache.cxf.ws.security.wss4j
import java.util.Collection;
import java.util.List;
+import javax.xml.namespace.QName;
+
import org.w3c.dom.Element;
import org.apache.cxf.message.Message;
@@ -29,10 +31,12 @@ import org.apache.cxf.message.MessageUti
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Layout;
-import org.apache.cxf.ws.security.policy.model.TransportBinding;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.Layout;
+import org.apache.wss4j.policy.model.TransportBinding;
/**
* Validate a TransportBinding policy.
@@ -47,11 +51,27 @@ public class TransportBindingPolicyValid
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ if (!ais.isEmpty()) {
+ parsePolicies(aim, ais, message, results, signedResults);
+
+ // We don't need to check these policies for the Transport binding
+ assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
+ assertPolicy(aim, SP11Constants.ENCRYPTED_PARTS);
+ assertPolicy(aim, SP12Constants.SIGNED_PARTS);
+ assertPolicy(aim, SP11Constants.SIGNED_PARTS);
}
+ return true;
+ }
+
+ private void parsePolicies(
+ AssertionInfoMap aim,
+ Collection<AssertionInfo> ais,
+ Message message,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
+ ) {
for (AssertionInfo ai : ais) {
TransportBinding binding = (TransportBinding)ai.getAssertion();
ai.setAsserted(true);
@@ -74,33 +94,40 @@ public class TransportBindingPolicyValid
if (!algorithmValidator.validatePolicy(ai, binding.getAlgorithmSuite())) {
continue;
}
+ assertPolicy(aim, binding.getAlgorithmSuite());
+ String namespace = binding.getAlgorithmSuite().getVersion().getNamespace();
+ String name = binding.getAlgorithmSuite().getAlgorithmSuiteType().getName();
+ Collection<AssertionInfo> algSuiteAis = aim.get(new QName(namespace, name));
+ if (algSuiteAis != null) {
+ for (AssertionInfo algSuiteAi : algSuiteAis) {
+ algSuiteAi.setAsserted(true);
+ }
+ }
// Check the IncludeTimestamp
if (!validateTimestamp(binding.isIncludeTimestamp(), true, results, signedResults, message)) {
String error = "Received Timestamp does not match the requirements";
- notAssertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP, error);
ai.setNotAsserted(error);
continue;
}
- assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
+ assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
// Check the Layout
Layout layout = binding.getLayout();
LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator(results, signedResults);
if (!layoutValidator.validatePolicy(layout)) {
String error = "Layout does not match the requirements";
- notAssertPolicy(aim, layout, error);
+ notAssertPolicy(aim, binding.getLayout(), error);
ai.setNotAsserted(error);
continue;
}
- assertPolicy(aim, layout);
+ assertPolicy(aim, binding.getLayout());
+ assertPolicy(aim, SPConstants.LAYOUT_LAX);
+ assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
+ assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
+ assertPolicy(aim, SPConstants.LAYOUT_STRICT);
}
-
- // We don't need to check these policies for the Transport binding
- assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
- assertPolicy(aim, SP12Constants.SIGNED_PARTS);
-
- return true;
+
}
}
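Review bot: The loop at L1351-L1356 that looks up the algorithm-suite QName in `aim` and marks each AssertionInfo asserted appears to re-implement what `assertPolicy(aim, QName)` does at L1365; if that helper (defined outside the hunk) performs the same null-guarded iteration, `assertPolicy(aim, new QName(namespace, name));` replaces the six lines. `binding.getAlgorithmSuite().getVersion()` at L1349 dereferences the suite without a null check, so if algorithmValidator.validatePolicy tolerates a missing AlgorithmSuite this line throws where the old code did not. The removal of `notAssertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP, error)` means a timestamp failure no longer marks the IncludeTimestamp nested assertion not-asserted, only the binding itself — confirm that is intended. The stray `+` blank line at L1389 before the closing brace is leftover whitespace.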
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -28,13 +28,15 @@ import org.w3c.dom.Element;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.UsernameToken;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SP13Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken.PasswordType;
/**
* Validate a UsernameToken policy.
@@ -49,22 +51,36 @@ public class UsernameTokenPolicyValidato
List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+ if (!ais.isEmpty()) {
+ parsePolicies(ais, message, results);
+
+ assertPolicy(aim, SP13Constants.CREATED);
+ assertPolicy(aim, SP13Constants.NONCE);
+ assertPolicy(aim, SPConstants.NO_PASSWORD);
+ assertPolicy(aim, SPConstants.HASH_PASSWORD);
+ assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
+ assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
}
+ return true;
+ }
+
+ private void parsePolicies(
+ Collection<AssertionInfo> ais,
+ Message message,
+ List<WSSecurityEngineResult> results
+ ) {
final List<Integer> actions = new ArrayList<Integer>(2);
actions.add(WSConstants.UT);
actions.add(WSConstants.UT_NOPASSWORD);
List<WSSecurityEngineResult> utResults =
- WSS4JUtils.fetchAllActionResults(results, actions);
+ WSSecurityUtil.fetchAllActionResults(results, actions);
for (AssertionInfo ai : ais) {
- org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy =
- (org.apache.cxf.ws.security.policy.model.UsernameToken)ai.getAssertion();
+ org.apache.wss4j.policy.model.UsernameToken usernameTokenPolicy =
+ (org.apache.wss4j.policy.model.UsernameToken)ai.getAssertion();
ai.setAsserted(true);
-
if (!isTokenRequired(usernameTokenPolicy, message)) {
continue;
}
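Review bot: The nested UsernameToken assertions at `assertPolicy(aim, SP13Constants.CREATED)` through `assertPolicy(aim, SPConstants.USERNAME_TOKEN11)` are marked asserted unconditionally whenever an sp:UsernameToken assertion exists, regardless of what `parsePolicies` found; that is only safe because violations are reported on the parent AssertionInfo via `ai.setNotAsserted(...)`, which I presume still fails policy verification for the message. A comment above that run would keep the next maintainer from "fixing" it by dropping the parent check: `// Nested assertions are always asserted here; a violation is reported on the enclosing sp:UsernameToken AssertionInfo in parsePolicies/checkTokens.` Note also that `ai.setAsserted(true)` still runs before `isTokenRequired(...)`, so a token that the IncludeToken setting makes optional is asserted without inspecting any received token — pre-existing, but worth a one-line why-comment. The for loop in parsePolicies continues past the end of this hunk.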
@@ -80,39 +96,43 @@ public class UsernameTokenPolicyValidato
continue;
}
}
- return true;
}
/**
* All UsernameTokens must conform to the policy
*/
public boolean checkTokens(
- org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy,
+ org.apache.wss4j.policy.model.UsernameToken usernameTokenPolicy,
AssertionInfo ai,
List<WSSecurityEngineResult> utResults
) {
for (WSSecurityEngineResult result : utResults) {
UsernameToken usernameToken =
(UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
- if (usernameTokenPolicy.isHashPassword() != usernameToken.isHashed()) {
+ PasswordType passwordType = usernameTokenPolicy.getPasswordType();
+ boolean isHashPassword = passwordType == PasswordType.HashPassword;
+ boolean isNoPassword = passwordType == PasswordType.NoPassword;
+ if (isHashPassword != usernameToken.isHashed()) {
ai.setNotAsserted("Password hashing policy not enforced");
return false;
}
- if (usernameTokenPolicy.isNoPassword() && (usernameToken.getPassword() != null)) {
+
+ if (isNoPassword && (usernameToken.getPassword() != null)) {
ai.setNotAsserted("Username Token NoPassword policy not enforced");
return false;
- } else if (!usernameTokenPolicy.isNoPassword() && (usernameToken.getPassword() == null)
+ } else if (!isNoPassword && (usernameToken.getPassword() == null)
&& isNonEndorsingSupportingToken(usernameTokenPolicy)) {
ai.setNotAsserted("Username Token No Password supplied");
return false;
}
- if (usernameTokenPolicy.isRequireCreated()
+ if (usernameTokenPolicy.isCreated()
&& (usernameToken.getCreated() == null || usernameToken.isHashed())) {
ai.setNotAsserted("Username Token Created policy not enforced");
return false;
}
- if (usernameTokenPolicy.isRequireNonce()
+
+ if (usernameTokenPolicy.isNonce()
&& (usernameToken.getNonce() == null || usernameToken.isHashed())) {
ai.setNotAsserted("Username Token Nonce policy not enforced");
return false;
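Review bot: The sp:Created and sp:Nonce checks in `checkTokens` reject a hashed-password token outright (`usernameToken.isHashed()` appears in both conditions) without saying why, and the not-asserted text "Username Token Created policy not enforced" hides the reason; as I read WS-SecurityPolicy 1.3 those nested assertions are defined only for plaintext passwords, which is presumably the intent. Suggest a comment above the first of them: `// sp:Created / sp:Nonce apply only to plaintext passwords; a hashed token cannot satisfy them.` Separately, `usernameTokenPolicy.getPasswordType()` may be null when the policy names no password type (plaintext); the two `==` comparisons tolerate that, but a short comment stating it would prevent a later change from calling a method on the null. The method's return after the loop is outside this hunk.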
@@ -126,15 +146,16 @@ public class UsernameTokenPolicyValidato
* true then the corresponding UsernameToken must have a password element.
*/
private boolean isNonEndorsingSupportingToken(
- org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy
+ org.apache.wss4j.policy.model.UsernameToken usernameTokenPolicy
) {
- SupportingToken supportingToken = usernameTokenPolicy.getSupportingToken();
- if (supportingToken != null) {
- SPConstants.SupportTokenType type = supportingToken.getTokenType();
- if (type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SUPPORTING
- || type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED
- || type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENCRYPTED
- || type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENCRYPTED) {
+ AbstractSecurityAssertion parentAssertion = usernameTokenPolicy.getParentAssertion();
+ if (parentAssertion instanceof SupportingTokens) {
+ SupportingTokens supportingToken = (SupportingTokens)parentAssertion;
+ String localname = supportingToken.getName().getLocalPart();
+ if (localname.equals(SPConstants.SUPPORTING_TOKENS)
+ || localname.equals(SPConstants.SIGNED_SUPPORTING_TOKENS)
+ || localname.equals(SPConstants.ENCRYPTED_SUPPORTING_TOKENS)
+ || localname.equals(SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS)) {
return true;
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java Thu May 23 13:17:26 2013
@@ -28,16 +28,17 @@ import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Wss11;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.Wss11;
/**
* Validate a WSS11 policy.
*/
-public class WSS11PolicyValidator implements TokenPolicyValidator {
+public class WSS11PolicyValidator
+ extends AbstractTokenPolicyValidator implements TokenPolicyValidator {
public boolean validatePolicy(
AssertionInfoMap aim,
@@ -46,13 +47,25 @@ public class WSS11PolicyValidator implem
List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+ if (!ais.isEmpty()) {
+ parsePolicies(ais, message, results);
+
+ assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_THUMBPRINT);
+ assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY);
+ assertPolicy(aim, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION);
}
+ return true;
+ }
+
+ private void parsePolicies(
+ Collection<AssertionInfo> ais,
+ Message message,
+ List<WSSecurityEngineResult> results
+ ) {
List<WSSecurityEngineResult> scResults =
- WSS4JUtils.fetchAllActionResults(results, WSConstants.SC);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.SC);
for (AssertionInfo ai : ais) {
Wss11 wss11 = (Wss11)ai.getAssertion();
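Review bot: `assertPolicy(aim, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION)` is executed whenever any sp:Wss11 assertion is present, independent of whether the signature-confirmation results fetched as `WSConstants.SC` in `parsePolicies` actually passed; the new structure is only safe if the failure path inside the loop marks the parent Wss11 AssertionInfo not-asserted and that still fails the message, which I cannot confirm from this hunk. Suggest a comment above the three `assertPolicy` calls: `// Nested Wss11 assertions are asserted unconditionally; violations are recorded on the parent sp:Wss11 AssertionInfo in parsePolicies.` The body of the for loop in parsePolicies lies outside this hunk.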
@@ -70,7 +83,6 @@ public class WSS11PolicyValidator implem
continue;
}
}
- return true;
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -27,13 +27,13 @@ import org.w3c.dom.Element;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.X509Token;
+import org.apache.wss4j.policy.model.X509Token.TokenType;
/**
* Validate an X509 Token policy.
@@ -50,13 +50,28 @@ public class X509TokenPolicyValidator ex
List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults
) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.X509_TOKEN);
- if (ais == null || ais.isEmpty()) {
- return true;
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
+ if (!ais.isEmpty()) {
+ parsePolicies(ais, message, results);
+
+ assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10);
+ assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11);
+ assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN10);
+ assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN11);
+ assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN10);
+ assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN11);
}
+ return true;
+ }
+
+ private void parsePolicies(
+ Collection<AssertionInfo> ais,
+ Message message,
+ List<WSSecurityEngineResult> results
+ ) {
List<WSSecurityEngineResult> bstResults =
- WSS4JUtils.fetchAllActionResults(results, WSConstants.BST);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.BST);
for (AssertionInfo ai : ais) {
X509Token x509TokenPolicy = (X509Token)ai.getAssertion();
@@ -73,19 +88,18 @@ public class X509TokenPolicyValidator ex
continue;
}
- if (!checkTokenType(x509TokenPolicy.getTokenVersionAndType(), bstResults)) {
+ if (!checkTokenType(x509TokenPolicy.getTokenType(), bstResults)) {
ai.setNotAsserted("An incorrect X.509 Token Type is detected");
continue;
}
}
- return true;
}
/**
* Check that at least one received token matches the token type.
*/
private boolean checkTokenType(
- String requiredVersionAndType,
+ TokenType tokenType,
List<WSSecurityEngineResult> bstResults
) {
if (bstResults.isEmpty()) {
@@ -93,8 +107,8 @@ public class X509TokenPolicyValidator ex
}
String requiredType = X509_V3_VALUETYPE;
- if (SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10.equals(requiredVersionAndType)
- || SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11.equals(requiredVersionAndType)) {
+ if (tokenType == TokenType.WssX509PkiPathV1Token10
+ || tokenType == TokenType.WssX509PkiPathV1Token11) {
requiredType = PKI_VALUETYPE;
}
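Review bot: `checkTokenType` maps every `TokenType` other than the two PKI-path values to `X509_V3_VALUETYPE`, so a policy requiring `WssX509V1Token10`/`WssX509V1Token11` is presumably compared against the v3 BinarySecurityToken ValueType, and a genuine v1 token would be reported with "An incorrect X.509 Token Type is detected". That is pre-existing behaviour, but the move to an enum is the right moment to make the intent explicit: `// Only X.509v3 and PKIPath ValueTypes are recognised; v1 token assertions are validated as v3.` Whether wss4j defines a separate v1 ValueType constant I cannot tell from this hunk; if it does, a third branch for the two v1 values would be the real fix. The comparison against the received BST ValueTypes is outside this hunk.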
Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java (original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java Thu May 23 13:17:26 2013
@@ -21,9 +21,9 @@ package org.apache.cxf.ws.security.trust
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageImpl;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.message.token.UsernameToken;
-import org.apache.ws.security.validate.Credential;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.dom.validate.Credential;
import org.junit.Assert;
import org.junit.Test;