Posted to commits@ws.apache.org by gi...@apache.org on 2012/12/05 14:41:21 UTC
svn commit: r1417417 - in /webservices/wss4j/trunk:
integration/src/test/java/org/apache/ws/security/integration/test/dom/
integration/src/test/java/org/apache/ws/security/integration/test/stax/
policy/src/main/java/org/apache/ws/security/policy/model/...
Author: giger
Date: Wed Dec 5 13:41:19 2012
New Revision: 1417417
URL: http://svn.apache.org/viewvc?rev=1417417&view=rev
Log:
WSS-374, WSS-362 - More Kerberos / Spnego work
Added:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/
- copied from r1416932, webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/spnego/
Removed:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/spnego/
Modified:
webservices/wss4j/trunk/integration/src/test/java/org/apache/ws/security/integration/test/dom/KerberosTest.java
webservices/wss4j/trunk/integration/src/test/java/org/apache/ws/security/integration/test/stax/KerberosTest.java
webservices/wss4j/trunk/policy/src/main/java/org/apache/ws/security/policy/model/KerberosToken.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/DefaultSpnegoClientAction.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/DefaultSpnegoServiceAction.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoClientAction.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoServiceAction.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoTokenContext.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/KerberosTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/KerberosTokenTest.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/BinarySecurityTokenInputHandler.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/HttpsSecurityToken.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/securityEvent/KerberosTokenSecurityEvent.java
Modified: webservices/wss4j/trunk/integration/src/test/java/org/apache/ws/security/integration/test/dom/KerberosTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/integration/src/test/java/org/apache/ws/security/integration/test/dom/KerberosTest.java?rev=1417417&r1=1417416&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/integration/src/test/java/org/apache/ws/security/integration/test/dom/KerberosTest.java (original)
+++ webservices/wss4j/trunk/integration/src/test/java/org/apache/ws/security/integration/test/dom/KerberosTest.java Wed Dec 5 13:41:19 2012
@@ -31,7 +31,7 @@ import org.apache.ws.security.dom.messag
import org.apache.ws.security.dom.message.WSSecSignature;
import org.apache.ws.security.dom.message.token.BinarySecurity;
import org.apache.ws.security.dom.message.token.KerberosSecurity;
-import org.apache.ws.security.dom.spnego.SpnegoTokenContext;
+import org.apache.ws.security.common.spnego.SpnegoTokenContext;
import org.apache.ws.security.dom.util.WSSecurityUtil;
import org.apache.ws.security.dom.validate.KerberosTokenValidator;
import org.apache.ws.security.integration.test.common.KerberosServiceStarter;
Modified: webservices/wss4j/trunk/integration/src/test/java/org/apache/ws/security/integration/test/stax/KerberosTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/integration/src/test/java/org/apache/ws/security/integration/test/stax/KerberosTest.java?rev=1417417&r1=1417416&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/integration/src/test/java/org/apache/ws/security/integration/test/stax/KerberosTest.java (original)
+++ webservices/wss4j/trunk/integration/src/test/java/org/apache/ws/security/integration/test/stax/KerberosTest.java Wed Dec 5 13:41:19 2012
@@ -270,7 +270,7 @@ public class KerberosTest extends Abstra
Assert.assertEquals(nodeList.getLength(), 1);
Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
- Assert.assertEquals(1, kerberosTokenSecurityEvents.size());
+ Assert.assertEquals(kerberosTokenSecurityEvents.size(), 2);
}
}
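Review bot: The changed assertion pins `kerberosTokenSecurityEvents.size()` to 2 without recording where the second KerberosTokenSecurityEvent comes from, so the next person who touches event firing cannot tell whether 1 or 2 is the intended count; the same assertion is changed in the hunks ending at lines 68, 75 and 83. The extra event presumably comes from the BinarySecurityTokenInputHandler change in this commit, which now fires a KerberosTokenSecurityEvent for Kerberos value types in addition to whatever fired before, but that is not visible from the test. A one-line comment above the first occurrence, e.g. `// two events: one from BinarySecurityTokenInputHandler for the BST itself, one from the Kerberos processing — TODO confirm`, would make the expectation reviewable. The swap to `(actual, expected)` argument order matches TestNG's `assertEquals` signature and is fine.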
@@ -363,7 +363,7 @@ public class KerberosTest extends Abstra
Assert.assertEquals(nodeList.getLength(), 1);
Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
- Assert.assertEquals(1, kerberosTokenSecurityEvents.size());
+ Assert.assertEquals(kerberosTokenSecurityEvents.size(), 2);
}
}
@@ -532,7 +532,7 @@ public class KerberosTest extends Abstra
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
Assert.assertEquals(nodeList.getLength(), 0);
- Assert.assertEquals(1, kerberosTokenSecurityEvents.size());
+ Assert.assertEquals(kerberosTokenSecurityEvents.size(), 2);
}
}
@@ -628,7 +628,7 @@ public class KerberosTest extends Abstra
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
Assert.assertEquals(nodeList.getLength(), 0);
- Assert.assertEquals(1, kerberosTokenSecurityEvents.size());
+ Assert.assertEquals(kerberosTokenSecurityEvents.size(), 2);
}
}
}
Modified: webservices/wss4j/trunk/policy/src/main/java/org/apache/ws/security/policy/model/KerberosToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/policy/src/main/java/org/apache/ws/security/policy/model/KerberosToken.java?rev=1417417&r1=1417416&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/policy/src/main/java/org/apache/ws/security/policy/model/KerberosToken.java (original)
+++ webservices/wss4j/trunk/policy/src/main/java/org/apache/ws/security/policy/model/KerberosToken.java Wed Dec 5 13:41:19 2012
@@ -48,6 +48,8 @@ public class KerberosToken extends Abstr
}
}
+ private boolean requireKeyIdentifierReference;
+
private ApReqTokenType apReqTokenType;
public KerberosToken(SPConstants.SPVersion version, SPConstants.IncludeTokenType includeTokenType,
@@ -77,6 +79,7 @@ public class KerberosToken extends Abstr
for (int i = 0; i < assertions.size(); i++) {
Assertion assertion = assertions.get(i);
String assertionName = assertion.getName().getLocalPart();
+ String assertionNamespace = assertion.getName().getNamespaceURI();
DerivedKeys derivedKeys = DerivedKeys.lookUp(assertionName);
if (derivedKeys != null) {
if (kerberosToken.getDerivedKeys() != null) {
@@ -85,6 +88,14 @@ public class KerberosToken extends Abstr
kerberosToken.setDerivedKeys(derivedKeys);
continue;
}
+ if (getVersion().getSPConstants().getRequireKeyIdentifierReference().getLocalPart().equals(assertionName)
+ && getVersion().getSPConstants().getRequireKeyIdentifierReference().getNamespaceURI().equals(assertionNamespace)) {
+ if (kerberosToken.isRequireKeyIdentifierReference()) {
+ throw new IllegalArgumentException(SPConstants.ERR_INVALID_POLICY);
+ }
+ kerberosToken.setRequireKeyIdentifierReference(true);
+ continue;
+ }
ApReqTokenType apReqTokenType = ApReqTokenType.lookUp(assertionName);
if (apReqTokenType != null) {
if (kerberosToken.getApReqTokenType() != null) {
@@ -97,6 +108,14 @@ public class KerberosToken extends Abstr
}
}
+ public boolean isRequireKeyIdentifierReference() {
+ return requireKeyIdentifierReference;
+ }
+
+ protected void setRequireKeyIdentifierReference(boolean requireKeyIdentifierReference) {
+ this.requireKeyIdentifierReference = requireKeyIdentifierReference;
+ }
+
public ApReqTokenType getApReqTokenType() {
return apReqTokenType;
}
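Review bot: `isRequireKeyIdentifierReference()` becomes public API on the policy model but carries no Javadoc, and nothing in the name says which assertion sets it. A one-liner such as `/** @return {@code true} when the nested policy contains an {@code sp:RequireKeyIdentifierReference} assertion. */` ties it back to the parsing loop above; the protected setter can state that it is only meant for the policy parser.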
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/DefaultSpnegoClientAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/DefaultSpnegoClientAction.java?rev=1417417&r1=1416932&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/DefaultSpnegoClientAction.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/DefaultSpnegoClientAction.java Wed Dec 5 13:41:19 2012
@@ -17,7 +17,7 @@
* under the License.
*/
-package org.apache.ws.security.dom.spnego;
+package org.apache.ws.security.common.spnego;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/DefaultSpnegoServiceAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/DefaultSpnegoServiceAction.java?rev=1417417&r1=1416932&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/DefaultSpnegoServiceAction.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/DefaultSpnegoServiceAction.java Wed Dec 5 13:41:19 2012
@@ -17,7 +17,7 @@
* under the License.
*/
-package org.apache.ws.security.dom.spnego;
+package org.apache.ws.security.common.spnego;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoClientAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoClientAction.java?rev=1417417&r1=1416932&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoClientAction.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoClientAction.java Wed Dec 5 13:41:19 2012
@@ -17,7 +17,7 @@
* under the License.
*/
-package org.apache.ws.security.dom.spnego;
+package org.apache.ws.security.common.spnego;
import java.security.PrivilegedAction;
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoServiceAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoServiceAction.java?rev=1417417&r1=1416932&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoServiceAction.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoServiceAction.java Wed Dec 5 13:41:19 2012
@@ -17,7 +17,7 @@
* under the License.
*/
-package org.apache.ws.security.dom.spnego;
+package org.apache.ws.security.common.spnego;
import java.security.PrivilegedAction;
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoTokenContext.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoTokenContext.java?rev=1417417&r1=1416932&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoTokenContext.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/spnego/SpnegoTokenContext.java Wed Dec 5 13:41:19 2012
@@ -17,7 +17,7 @@
* under the License.
*/
-package org.apache.ws.security.dom.spnego;
+package org.apache.ws.security.common.spnego;
import java.security.Principal;
import java.util.Set;
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/KerberosTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/KerberosTokenAssertionState.java?rev=1417417&r1=1417416&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/KerberosTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/KerberosTokenAssertionState.java Wed Dec 5 13:41:19 2012
@@ -22,6 +22,8 @@ import org.apache.ws.security.policy.WSS
import org.apache.ws.security.policy.model.AbstractSecurityAssertion;
import org.apache.ws.security.policy.model.AbstractToken;
import org.apache.ws.security.policy.model.KerberosToken;
+import org.apache.ws.security.stax.ext.WSSConstants;
+import org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.ws.security.stax.securityEvent.KerberosTokenSecurityEvent;
@@ -55,11 +57,17 @@ public class KerberosTokenAssertionState
KerberosToken kerberosToken = (KerberosToken) abstractToken;
KerberosTokenSecurityEvent kerberosTokenSecurityEvent = (KerberosTokenSecurityEvent) tokenSecurityEvent;
+ AbstractInboundSecurityToken securityToken = (AbstractInboundSecurityToken) tokenSecurityEvent.getSecurityToken();
+
if ((kerberosToken.getIssuerName() != null) &&
!kerberosToken.getIssuerName().equals(kerberosTokenSecurityEvent.getIssuerName())) {
setErrorMessage("IssuerName in Policy (" + kerberosToken.getIssuerName() + ") didn't match with the one in the IssuedToken (" + kerberosTokenSecurityEvent.getIssuerName() + ")");
return false;
}
+ if (kerberosToken.isRequireKeyIdentifierReference() && securityToken.getKeyIdentifierType() != WSSConstants.WSSKeyIdentifierType.EMBEDDED_KEYIDENTIFIER_REF) {
+ setErrorMessage("Policy enforces KeyIdentifierReference but we got " + securityToken.getKeyIdentifierType());
+ return false;
+ }
if (kerberosToken.getApReqTokenType() != null) {
switch (kerberosToken.getApReqTokenType()) {
case WssKerberosV5ApReqToken11:
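Review bot: The cast at the top of the hunk, `(AbstractInboundSecurityToken) tokenSecurityEvent.getSecurityToken()`, runs on every Kerberos token event regardless of whether the policy contains RequireKeyIdentifierReference, and any SecurityToken implementation that does not extend AbstractInboundSecurityToken (the previous version of KerberosTokenTest passed a token from getX509Token here) surfaces as a ClassCastException instead of a policy failure with an error message; a null token would do the same via NullPointerException. Moving the cast under the `isRequireKeyIdentifierReference()` branch and guarding it with `instanceof` keeps the outcome inside the assertion state's own error path, as in the rewrite below. The enclosing method begins and ends outside the hunk.
```java
        // … unchanged: issuer-name check …
        if (kerberosToken.isRequireKeyIdentifierReference()) {
            // Only the key-identifier check needs the inbound token view; fail as a
            // policy error rather than a ClassCastException for other token types.
            if (!(tokenSecurityEvent.getSecurityToken() instanceof AbstractInboundSecurityToken)) {
                setErrorMessage("Policy enforces KeyIdentifierReference but the token type is not an inbound security token: "
                        + tokenSecurityEvent.getSecurityToken());
                return false;
            }
            AbstractInboundSecurityToken inboundSecurityToken =
                    (AbstractInboundSecurityToken) tokenSecurityEvent.getSecurityToken();
            if (inboundSecurityToken.getKeyIdentifierType() != WSSConstants.WSSKeyIdentifierType.EMBEDDED_KEYIDENTIFIER_REF) {
                setErrorMessage("Policy enforces KeyIdentifierReference but we got " + inboundSecurityToken.getKeyIdentifierType());
                return false;
            }
        }
        // … unchanged: ApReqTokenType switch …
```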
@@ -76,7 +84,6 @@ public class KerberosTokenAssertionState
break;
}
}
- //todo
//always return true to prevent false alarm in case additional tokens with the same usage
//appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
return true;
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java?rev=1417417&r1=1417416&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java Wed Dec 5 13:41:19 2012
@@ -60,7 +60,7 @@ public class SpnegoContextTokenAssertion
setErrorMessage("IssuerName in Policy (" + spnegoContextToken.getIssuerName() + ") didn't match with the one in the IssuedToken (" + spnegoContextTokenSecurityEvent.getIssuerName() + ")");
return false;
}
- //todo MustNotSend*
+ //todo MustNotSend* ?
//always return true to prevent false alarm in case additional tokens with the same usage
//appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
return true;
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/KerberosTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/KerberosTokenTest.java?rev=1417417&r1=1417416&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/KerberosTokenTest.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/KerberosTokenTest.java Wed Dec 5 13:41:19 2012
@@ -18,14 +18,17 @@
*/
package org.apache.ws.security.policy.stax.test;
+import org.apache.ws.security.common.ext.WSSecurityException;
import org.apache.ws.security.policy.stax.PolicyEnforcer;
import org.apache.ws.security.stax.ext.WSSConstants;
+import org.apache.ws.security.stax.impl.securityToken.KerberosServiceSecurityToken;
import org.apache.ws.security.stax.securityEvent.KerberosTokenSecurityEvent;
import org.apache.ws.security.stax.securityEvent.OperationSecurityEvent;
import org.apache.ws.security.stax.securityEvent.SignedPartSecurityEvent;
import org.apache.xml.security.stax.ext.SecurityToken;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
+import org.testng.Assert;
import org.testng.annotations.Test;
import javax.xml.namespace.QName;
@@ -48,6 +51,7 @@ public class KerberosTokenTest extends A
" <sp:KerberosToken>\n" +
" <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
" <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
+ " <sp:RequireKeyIdentifierReference/>" +
" <sp:WssKerberosV5ApReqToken11/>\n" +
" </wsp:Policy>\n" +
" </sp:KerberosToken>\n" +
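Review bot: The added policy fragment `<sp:RequireKeyIdentifierReference/>" +` is the only piece of this string literal without a trailing `\n`, so it is glued to the following `<sp:WssKerberosV5ApReqToken11/>` on one line of the assembled XML; the parser does not mind, but it is inconsistent with every sibling line, and the same fragment is added in the hunk ending at line 280. `"    <sp:RequireKeyIdentifierReference/>\n" +` keeps the two policies readable when they are printed on failure.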
@@ -58,6 +62,7 @@ public class KerberosTokenTest extends A
" <sp:KerberosToken>\n" +
" <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
" <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
+ " <sp:RequireKeyIdentifierReference/>" +
" <sp:WssKerberosV5ApReqToken11/>\n" +
" </wsp:Policy>\n" +
" </sp:KerberosToken>\n" +
@@ -74,16 +79,22 @@ public class KerberosTokenTest extends A
PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
KerberosTokenSecurityEvent initiatorTokenSecurityEvent = new KerberosTokenSecurityEvent();
initiatorTokenSecurityEvent.setIssuerName("xs:anyURI");
- SecurityToken securityToken = getX509Token(WSSConstants.X509V3Token);
- securityToken.addTokenUsage(SecurityToken.TokenUsage.MainSignature);
- initiatorTokenSecurityEvent.setSecurityToken(securityToken);
+
+ KerberosServiceSecurityToken kerberosServiceSecurityToken =
+ new KerberosServiceSecurityToken(null, null, null, WSSConstants.NS_Kerberos5_AP_REQ, null,
+ WSSConstants.WSSKeyIdentifierType.EMBEDDED_KEYIDENTIFIER_REF);
+ kerberosServiceSecurityToken.addTokenUsage(SecurityToken.TokenUsage.MainSignature);
+ initiatorTokenSecurityEvent.setSecurityToken(kerberosServiceSecurityToken);
policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);
KerberosTokenSecurityEvent recipientTokenSecurityEvent = new KerberosTokenSecurityEvent();
recipientTokenSecurityEvent.setIssuerName("xs:anyURI");
- securityToken = getX509Token(WSSConstants.X509V3Token);
- securityToken.addTokenUsage(SecurityToken.TokenUsage.MainEncryption);
- recipientTokenSecurityEvent.setSecurityToken(securityToken);
+
+ kerberosServiceSecurityToken =
+ new KerberosServiceSecurityToken(null, null, null, WSSConstants.NS_Kerberos5_AP_REQ, null,
+ WSSConstants.WSSKeyIdentifierType.EMBEDDED_KEYIDENTIFIER_REF);
+ kerberosServiceSecurityToken.addTokenUsage(SecurityToken.TokenUsage.MainEncryption);
+ recipientTokenSecurityEvent.setSecurityToken(kerberosServiceSecurityToken);
policyEnforcer.registerSecurityEvent(recipientTokenSecurityEvent);
List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<XMLSecurityConstants.ContentType>();
@@ -104,5 +115,79 @@ public class KerberosTokenTest extends A
policyEnforcer.doFinal();
}
- //todo more tests
+ @Test
+ public void testPolicyNegative() throws Exception {
+ String policyString =
+ "<sp:SymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
+ "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
+ "<sp:EncryptionToken>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:KerberosToken>\n" +
+ " <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
+ " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
+ " <sp:WssKerberosV5ApReqToken11/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:KerberosToken>\n" +
+ " </wsp:Policy>\n" +
+ "</sp:EncryptionToken>\n" +
+ "<sp:SignatureToken>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:KerberosToken>\n" +
+ " <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
+ " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
+ " <sp:WssKerberosV5ApReqToken11/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:KerberosToken>\n" +
+ " </wsp:Policy>\n" +
+ "</sp:SignatureToken>\n" +
+ " <sp:AlgorithmSuite>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:Basic256/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:AlgorithmSuite>\n" +
+ "</wsp:Policy>\n" +
+ "</sp:SymmetricBinding>";
+
+ PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
+ KerberosTokenSecurityEvent initiatorTokenSecurityEvent = new KerberosTokenSecurityEvent();
+ initiatorTokenSecurityEvent.setIssuerName("xs:anyURI");
+
+ KerberosServiceSecurityToken kerberosServiceSecurityToken =
+ new KerberosServiceSecurityToken(null, null, null, WSSConstants.NS_GSS_Kerberos5_AP_REQ, null,
+ WSSConstants.WSSKeyIdentifierType.THUMBPRINT_IDENTIFIER);
+ kerberosServiceSecurityToken.addTokenUsage(SecurityToken.TokenUsage.MainSignature);
+ initiatorTokenSecurityEvent.setSecurityToken(kerberosServiceSecurityToken);
+ policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);
+
+ KerberosTokenSecurityEvent recipientTokenSecurityEvent = new KerberosTokenSecurityEvent();
+ recipientTokenSecurityEvent.setIssuerName("xs:anyURI");
+
+ kerberosServiceSecurityToken =
+ new KerberosServiceSecurityToken(null, null, null, WSSConstants.NS_Kerberos5_AP_REQ, null,
+ WSSConstants.WSSKeyIdentifierType.THUMBPRINT_IDENTIFIER);
+ kerberosServiceSecurityToken.addTokenUsage(SecurityToken.TokenUsage.MainEncryption);
+ recipientTokenSecurityEvent.setSecurityToken(kerberosServiceSecurityToken);
+ policyEnforcer.registerSecurityEvent(recipientTokenSecurityEvent);
+
+ List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<XMLSecurityConstants.ContentType>();
+ protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
+ protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
+ SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
+ signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
+ policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
+
+ ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent = new ContentEncryptedElementSecurityEvent(recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
+ contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
+ policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
+
+ OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
+ operationSecurityEvent.setOperation(new QName("definitions"));
+
+ try {
+ policyEnforcer.registerSecurityEvent(operationSecurityEvent);
+ Assert.fail("Exception expected");
+ } catch (WSSecurityException e) {
+ Assert.assertEquals(e.getMessage(), "Policy enforces WssKerberosV5ApReqToken11");
+ }
+ }
}
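Review bot: testPolicyNegative never reaches the new RequireKeyIdentifierReference check in KerberosTokenAssertionState: its policy contains no `<sp:RequireKeyIdentifierReference/>`, so the `THUMBPRINT_IDENTIFIER` passed to both KerberosServiceSecurityToken constructors is never consulted, and the expected message `"Policy enforces WssKerberosV5ApReqToken11"` is presumably produced by the initiator token's `NS_GSS_Kerberos5_AP_REQ` value type (the positive test pairs that policy with `NS_Kerberos5_AP_REQ`). The enforcement added in this commit therefore has only positive coverage. A second negative test that reuses testPolicy's policy (which does carry RequireKeyIdentifierReference), keeps the `NS_Kerberos5_AP_REQ` value type and passes THUMBPRINT_IDENTIFIER tokens, expecting the KeyIdentifierReference error message, would pin it; a short comment on this test naming the mismatch it actually exercises would also help a reader.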
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java?rev=1417417&r1=1417416&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java Wed Dec 5 13:41:19 2012
@@ -573,6 +573,7 @@ public class TransportBindingIntegration
httpsTokenSecurityEvent.setIssuerName("transmitter");
httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
HttpsSecurityToken httpsSecurityToken = new HttpsSecurityToken(true, "transmitter", null);
+ //todo token usage hard-coded in httpsSecurityToken?
httpsSecurityToken.addTokenUsage(SecurityToken.TokenUsage.MainSignature);
httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java?rev=1417417&r1=1417416&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java Wed Dec 5 13:41:19 2012
@@ -219,7 +219,13 @@ public class WSSConstants extends XMLSec
public static final String NS_KERBEROS11_TOKEN_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#";
public static final String NS_GSS_Kerberos5_AP_REQ = NS_KERBEROS11_TOKEN_PROFILE + "GSS_Kerberosv5_AP_REQ";
+ public static final String NS_GSS_Kerberos5_AP_REQ1510 = NS_KERBEROS11_TOKEN_PROFILE + "GSS_Kerberosv5_AP_REQ1510";
+ public static final String NS_GSS_Kerberos5_AP_REQ4120 = NS_KERBEROS11_TOKEN_PROFILE + "GSS_Kerberosv5_AP_REQ4120";
+ public static final String NS_Kerberos5_AP_REQ = NS_KERBEROS11_TOKEN_PROFILE + "Kerberosv5_AP_REQ";
public static final String NS_Kerberos5_AP_REQ_SHA1 = NS_KERBEROS11_TOKEN_PROFILE + "Kerberosv5APREQSHA1";
+ public static final String NS_Kerberos5_AP_REQ1510 = NS_KERBEROS11_TOKEN_PROFILE + "Kerberosv5_AP_REQ1510";
+ public static final String NS_Kerberos5_AP_REQ4120 = NS_KERBEROS11_TOKEN_PROFILE + "Kerberosv5_AP_REQ4120";
+
public static final QName ATT_NULL_AssertionID = new QName(null, "AssertionID");
public static final QName ATT_NULL_ID = new QName(null, "ID");
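Review bot: The six Kerberos ValueType URIs now grouped here carry no comment explaining the plain-versus-GSS split or the 1510/4120 suffixes, so a reader has to know the spec to tell them apart. A single line above the group, `// BinarySecurityToken ValueType URIs from the WS-Security Kerberos Token Profile 1.1: raw AP-REQ vs. GSS-API-wrapped AP-REQ, with the 1510/4120 suffix naming the Kerberos RFC the ticket conforms to`, would do.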
@@ -306,6 +312,7 @@ public class WSSConstants extends XMLSec
public static final TokenType RelToken = new TokenType("RelToken");
public static final TokenType DerivedKeyToken = new TokenType("DerivedKeyToken");
+ //todo correct/cleanup/rename/revisit KeyIdentifierTypes over the whole framework. I messed it up...
public enum WSSKeyIdentifierType implements KeyIdentifierType {
ISSUER_SERIAL,
SECURITY_TOKEN_DIRECT_REFERENCE,
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/BinarySecurityTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/BinarySecurityTokenInputHandler.java?rev=1417417&r1=1417416&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/BinarySecurityTokenInputHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/BinarySecurityTokenInputHandler.java Wed Dec 5 13:41:19 2012
@@ -32,11 +32,13 @@ import org.apache.ws.security.stax.ext.W
import org.apache.ws.security.stax.impl.securityToken.KerberosServiceSecurityToken;
import org.apache.ws.security.stax.impl.securityToken.X509PKIPathv1SecurityToken;
import org.apache.ws.security.stax.impl.securityToken.X509_V3SecurityToken;
+import org.apache.ws.security.stax.securityEvent.KerberosTokenSecurityEvent;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.ext.*;
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
import org.apache.xml.security.stax.impl.securityToken.AbstractInboundSecurityToken;
import org.apache.xml.security.stax.impl.util.IDGenerator;
+import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.xml.security.stax.securityEvent.X509TokenSecurityEvent;
import javax.xml.bind.JAXBElement;
@@ -105,7 +107,8 @@ public class BinarySecurityTokenInputHan
} else if (WSSConstants.NS_GSS_Kerberos5_AP_REQ.equals(binarySecurityTokenType.getValueType())) {
this.securityToken = new KerberosServiceSecurityToken(
(WSSecurityContext) securityContext, ((WSSSecurityProperties)securityProperties).getCallbackHandler(),
- securityTokenData, binarySecurityTokenType.getId(), WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE
+ securityTokenData, binarySecurityTokenType.getValueType(),
+ binarySecurityTokenType.getId(), WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE
);
} else {
throw new WSSecurityException(
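Review bot: The token-construction branch at the top of the hunk still accepts only `WSSConstants.NS_GSS_Kerberos5_AP_REQ`, so a BinarySecurityToken carrying any of the other Kerberos ValueTypes this commit adds to WSSConstants (`NS_Kerberos5_AP_REQ`, which KerberosTokenTest now uses, and the 1510/4120 variants) falls through to the trailing `else` and is rejected, while the event-dispatch hunk ending at line 472 in the same method matches on `startsWith(WSSConstants.NS_KERBEROS11_TOKEN_PROFILE)` — the two dispatches now disagree, and the `startsWith` branch can only ever see the GSS type. Since the value type is now passed into KerberosServiceSecurityToken, the constructor branch could use the same prefix test, but whether KerberosServiceSecurityToken handles the non-GSS encodings is not visible here and should be confirmed before widening; otherwise a comment on the branch stating that only the GSS-wrapped AP-REQ is currently supported would stop the next reader from assuming the other constants are usable. The enclosing method continues outside both hunks.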
@@ -125,12 +128,19 @@ public class BinarySecurityTokenInputHan
securityContext.registerSecurityTokenProvider(binarySecurityTokenType.getId(), securityTokenProvider);
- //todo most probably wrong in case of a kerberos token
+ TokenSecurityEvent tokenSecurityEvent;
//fire a tokenSecurityEvent
- X509TokenSecurityEvent x509TokenSecurityEvent = new X509TokenSecurityEvent();
- x509TokenSecurityEvent.setSecurityToken((SecurityToken) securityTokenProvider.getSecurityToken());
- x509TokenSecurityEvent.setCorrelationID(binarySecurityTokenType.getId());
- securityContext.registerSecurityEvent(x509TokenSecurityEvent);
+ if (binarySecurityTokenType.getValueType().startsWith(WSSConstants.NS_X509TOKEN_PROFILE)) {
+ tokenSecurityEvent = new X509TokenSecurityEvent();
+ } else if (binarySecurityTokenType.getValueType().startsWith(WSSConstants.NS_KERBEROS11_TOKEN_PROFILE)) {
+ tokenSecurityEvent = new KerberosTokenSecurityEvent();
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "invalidValueType", binarySecurityTokenType.getValueType());
+ }
+ tokenSecurityEvent.setSecurityToken((SecurityToken) securityTokenProvider.getSecurityToken());
+ tokenSecurityEvent.setCorrelationID(binarySecurityTokenType.getId());
+ securityContext.registerSecurityEvent(tokenSecurityEvent);
}
private Crypto getCrypto(WSSSecurityProperties securityProperties) throws WSSConfigurationException {
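Review bot: The security-token provider is registered on the first line of this hunk before the value-type dispatch below it runs, so a value type that reaches the new `else` and throws `INVALID_SECURITY_TOKEN` leaves a provider registered under that id with no corresponding event. Moving the `registerSecurityTokenProvider(...)` call to just before `securityContext.registerSecurityEvent(tokenSecurityEvent);` (or deciding the event class first and registering afterwards) keeps the two registrations atomic from the caller's point of view. Whether the chain above this hunk already rejects every other value type is not visible here, so the `else` may be unreachable in practice, but the ordering is still worth fixing. The enclosing method begins outside the hunk.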
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/HttpsSecurityToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/HttpsSecurityToken.java?rev=1417417&r1=1417416&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/HttpsSecurityToken.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/HttpsSecurityToken.java Wed Dec 5 13:41:19 2012
@@ -41,6 +41,7 @@ public class HttpsSecurityToken extends
httpDigestAuthentication,
}
+ //todo the HttpsToken and the HttpsTokenSecEvent will be instantiated outside of wss4j so remove WSSecurityContext?
public HttpsSecurityToken(X509Certificate x509Certificate, WSSecurityContext wsSecurityContext)
throws XMLSecurityException {
@@ -49,6 +50,7 @@ public class HttpsSecurityToken extends
this.authenticationType = AuthenticationType.httpsClientAuthentication;
}
+ //todo the HttpsToken and the HttpsTokenSecEvent will be instantiated outside of wss4j so remove WSSecurityContext?
public HttpsSecurityToken(boolean basicAuthentication, String username, WSSecurityContext wsSecurityContext)
throws XMLSecurityException {
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java?rev=1417417&r1=1417416&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/KerberosServiceSecurityToken.java Wed Dec 5 13:41:19 2012
@@ -50,15 +50,17 @@ public class KerberosServiceSecurityToke
private CallbackHandler callbackHandler;
private byte[] binaryContent;
+ private String kerberosTokenValueType;
private KerberosTokenDecoder kerberosTokenDecoder;
public KerberosServiceSecurityToken(WSSecurityContext wsSecurityContext, CallbackHandler callbackHandler,
- byte[] binaryContent, String id, WSSConstants.KeyIdentifierType keyIdentifierType)
- throws XMLSecurityException {
+ byte[] binaryContent, String kerberosTokenValueType, String id,
+ WSSConstants.KeyIdentifierType keyIdentifierType) throws XMLSecurityException {
super(wsSecurityContext, id, keyIdentifierType);
this.callbackHandler = callbackHandler;
this.binaryContent = binaryContent;
+ this.kerberosTokenValueType = kerberosTokenValueType;
}
@Override
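Review bot: The new `String kerberosTokenValueType` parameter is inserted directly before the existing `String id`, so a caller that is updated in the wrong order still compiles and silently swaps the token id and the value-type URI; a Javadoc line on the constructor would make the order explicit, e.g. `@param kerberosTokenValueType the ValueType URI of the wsse:BinarySecurityToken that carried this token, as tested by KerberosTokenSecurityEvent`. The value is stored unchecked; since the only consumers visible in this commit compare it with `equals` against constants, a null or unknown URI degrades to "not a Kerberos v5 token" rather than failing, which is worth stating in that Javadoc as the intended contract. The getter added in the next hunk would carry the same sentence.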
@@ -147,4 +149,8 @@ public class KerberosServiceSecurityToke
public byte[] getBinaryContent() {
return binaryContent;
}
+
+ public String getKerberosTokenValueType() {
+ return kerberosTokenValueType;
+ }
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/securityEvent/KerberosTokenSecurityEvent.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/securityEvent/KerberosTokenSecurityEvent.java?rev=1417417&r1=1417416&r2=1417417&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/securityEvent/KerberosTokenSecurityEvent.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/securityEvent/KerberosTokenSecurityEvent.java Wed Dec 5 13:41:19 2012
@@ -18,6 +18,8 @@
*/
package org.apache.ws.security.stax.securityEvent;
+import org.apache.ws.security.stax.ext.WSSConstants;
+import org.apache.ws.security.stax.impl.securityToken.KerberosServiceSecurityToken;
import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
/**
@@ -33,7 +35,7 @@ public class KerberosTokenSecurityEvent
}
public String getIssuerName() {
- return issuerName;
+ return issuerName; //todo return ((KerberosServiceSecurityToken)getSecurityToken()).???();
}
public void setIssuerName(String issuerName) {
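Review bot: The todo appended to `return issuerName;` leaves `getIssuerName()` returning whatever `setIssuerName` stored, so unlike the two token-type predicates below it the issuer is caller-supplied rather than derived from the token; a policy assertion that compares issuer names would be checking an unverified value. The comment should say so until it is resolved, e.g. `//todo derive from the token (presumably via its KerberosTokenDecoder); until then issuerName is set by the caller and is not verified against the ticket`. The enclosing class begins outside the hunk.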
@@ -41,12 +43,22 @@ public class KerberosTokenSecurityEvent
}
public boolean isKerberosV5ApReqToken11() {
- //todo
- return true;
+ String type = ((KerberosServiceSecurityToken)getSecurityToken()).getKerberosTokenValueType();
+ if (WSSConstants.NS_Kerberos5_AP_REQ.equals(type)
+ || WSSConstants.NS_Kerberos5_AP_REQ1510.equals(type)
+ || WSSConstants.NS_Kerberos5_AP_REQ4120.equals(type)) {
+ return true;
+ }
+ return false;
}
public boolean isGssKerberosV5ApReqToken11() {
- //todo
+ String type = ((KerberosServiceSecurityToken)getSecurityToken()).getKerberosTokenValueType();
+ if (WSSConstants.NS_GSS_Kerberos5_AP_REQ.equals(type)
+ || WSSConstants.NS_GSS_Kerberos5_AP_REQ1510.equals(type)
+ || WSSConstants.NS_GSS_Kerberos5_AP_REQ4120.equals(type)) {
+ return true;
+ }
return false;
}
}
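Review bot: Both new predicates cast `getSecurityToken()` to KerberosServiceSecurityToken without a check, so an event whose token is null or of another SecurityToken subtype throws ClassCastException or NullPointerException from a boolean query that policy code presumably calls during assertion evaluation; returning false there is the safer outcome, since the only consequence is that the assertion does not match. The lookup is also duplicated verbatim in the two methods and each ends with an `if (...) { return true; } return false;` around a pure boolean expression, so the extraction below removes both.

```java
// returns null when the event carries no KerberosServiceSecurityToken
private String kerberosTokenValueType() {
    if (getSecurityToken() instanceof KerberosServiceSecurityToken) {
        return ((KerberosServiceSecurityToken) getSecurityToken()).getKerberosTokenValueType();
    }
    return null;
}

public boolean isKerberosV5ApReqToken11() {
    String type = kerberosTokenValueType();
    return WSSConstants.NS_Kerberos5_AP_REQ.equals(type)
            || WSSConstants.NS_Kerberos5_AP_REQ1510.equals(type)
            || WSSConstants.NS_Kerberos5_AP_REQ4120.equals(type);
}

public boolean isGssKerberosV5ApReqToken11() {
    String type = kerberosTokenValueType();
    return WSSConstants.NS_GSS_Kerberos5_AP_REQ.equals(type)
            || WSSConstants.NS_GSS_Kerberos5_AP_REQ1510.equals(type)
            || WSSConstants.NS_GSS_Kerberos5_AP_REQ4120.equals(type);
}
```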