Posted to commits@ws.apache.org by gi...@apache.org on 2012/03/22 21:22:30 UTC

svn commit: r1304029 [1/3] - in /webservices/wss4j/branches/swssf: rampart-policy/src/main/java/org/apache/ws/secpolicy/ streaming-ws-policy/src/main/java/org/swssf/policy/ streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ streaming-w...

Author: giger
Date: Thu Mar 22 20:22:29 2012
New Revision: 1304029

URL: http://svn.apache.org/viewvc?rev=1304029&view=rev
Log:
Allow more than one supporting token of the same type. It is legal per the policy spec to have
more tokens than specified in the policy, as long as one of them fulfills the policy.

Added:
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SupportingTokensTest.java   (with props)
Modified:
    webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/AssertionState.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/IssuedTokenAssertionState.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KerberosTokenAssertionState.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RelTokenAssertionState.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecureConversationTokenAssertionState.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecurityContextTokenAssertionState.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SpnegoContextTokenAssertionState.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenProtectionAssertionState.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SpnegoContextTokenTest.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/WSP13SpecTest.java
    webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/X509TokenTest.java
    webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java
    webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/InboundWSSecurityContextImpl.java
    webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/KeyValueTokenSecurityEvent.java
    webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/DerivedKeyTokenTest.java
    webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/EncDecryptionTest.java
    webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/InteroperabilityTest.java

Modified: webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/AssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/AssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/AssertionState.java (original)
+++ webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/AssertionState.java Thu Mar 22 20:22:29 2012
@@ -47,7 +47,7 @@ public class AssertionState {
     }
 
     public synchronized void setAsserted(boolean asserted) {
-        //don't allow to toogle back once the assertion is explicitly marked as failed;
+        //don't allow to toggle back once the assertion is explicitly marked as failed;
         if (this.state == State.HARD_FAILURE) {
             return;
         }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java Thu Mar 22 20:22:29 2012
@@ -367,6 +367,58 @@ public class PolicyEnforcer implements S
         }
     }
 
+    /**
+     * verifies the policy after the OperationSecurityEvent occured. This allows to
+     * stop further processing after the header is processed when the policy is not fulfilled.
+     *
+     * @throws WSSPolicyException       throws when the policy is invalid
+     * @throws PolicyViolationException thrown when no alternative could be satisifed
+     */
+    private void verifyPolicyAfterOperationSecurityEvent() throws WSSPolicyException {
+        String assertionMessage = null;
+        Iterator<Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> assertionStateMapIterator = this.assertionStateMap.iterator();
+        alternative:
+        while (assertionStateMapIterator.hasNext()) {
+            Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>> map = assertionStateMapIterator.next();
+            Iterator<Map.Entry<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> iterator = map.entrySet().iterator();
+            while (iterator.hasNext()) {
+                Map.Entry<SecurityEvent.Event, Map<Assertion, List<Assertable>>> mapEntry = iterator.next();
+                Iterator<Map.Entry<Assertion, List<Assertable>>> assertionStateIterator = mapEntry.getValue().entrySet().iterator();
+                while (assertionStateIterator.hasNext()) {
+                    Map.Entry<Assertion, List<Assertable>> assertionListEntry = assertionStateIterator.next();
+                    List<Assertable> assertableList = assertionListEntry.getValue();
+                    Iterator<Assertable> assertableIterator = assertableList.iterator();
+                    while (assertableIterator.hasNext()) {
+                        Assertable assertable = assertableIterator.next();
+
+                        boolean doAssert = false;
+                        if (assertable instanceof TokenAssertionState) {
+                            TokenAssertionState tokenAssertionState = (TokenAssertionState) assertable;
+                            AbstractToken abstractToken = (AbstractToken) tokenAssertionState.getAssertion();
+                            AbstractSecurityAssertion assertion = abstractToken.getParentAssertion();
+                            if (assertion instanceof SupportingTokens) {
+                                doAssert = true;
+                            }
+                        } else if (assertable instanceof TokenProtectionAssertionState) {
+                            doAssert = true;
+                        }
+
+                        if (doAssert && !assertable.isAsserted()) {
+                            assertionMessage = assertable.getErrorMessage();
+                            failedAssertionStateMap.add(map);
+                            assertionStateMapIterator.remove();
+                            continue alternative;
+                        }
+                    }
+                }
+            }
+        }
+        if (assertionStateMap.isEmpty()) {
+            logFailedAssertions();
+            throw new WSSPolicyException(assertionMessage);
+        }
+    }
+
     private void logFailedAssertions() {
         Iterator<Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> assertionStateMapIterator = this.failedAssertionStateMap.iterator();
         while (assertionStateMapIterator.hasNext()) {
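Review bot: The Javadoc on verifyPolicyAfterOperationSecurityEvent declares `@throws PolicyViolationException`, but the method's throws clause only lists WSSPolicyException, and the text has typos ("occured", "satisifed", "This allows to stop"); change it to a single `@throws WSSPolicyException thrown when the policy is invalid or no alternative could be satisfied` and drop the second tag. If assertionStateMap can already be empty when this runs (that depends on verifyPolicy, which is outside the hunk), the loop body never executes, assertionMessage stays null and the method presumably throws a WSSPolicyException without any message; a guard such as `if (assertionMessage == null) { assertionMessage = "No policy alternative could be satisfied"; }` before the throw keeps the failure diagnosable. The three inner iterator loops can be for-each loops; only the outermost needs the explicit Iterator for remove().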
@@ -433,7 +485,10 @@ public class PolicyEnforcer implements S
                     SecurityEvent prevSecurityEvent = securityEventIterator.next();
                     verifyPolicy(prevSecurityEvent);
                 }
+
                 verifyPolicy(securityEvent);
+
+                verifyPolicyAfterOperationSecurityEvent();
             } catch (WSSPolicyException e) {
                 throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);
             } catch (XMLSecurityException e) {

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/IssuedTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/IssuedTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/IssuedTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/IssuedTokenAssertionState.java Thu Mar 22 20:22:29 2012
@@ -54,18 +54,19 @@ public class IssuedTokenAssertionState e
             throw new WSSPolicyException("Expected a IssuedTokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
         }
 
-        setAsserted(true);
-
         IssuedToken issuedToken = (IssuedToken) abstractToken;
         IssuedTokenSecurityEvent issuedTokenSecurityEvent = (IssuedTokenSecurityEvent) tokenSecurityEvent;
         if (issuedToken.getIssuerName() != null) {
             if (!issuedToken.getIssuerName().equals(issuedTokenSecurityEvent.getIssuerName())) {
-                setAsserted(false);
                 setErrorMessage("IssuerName in Policy (" + issuedToken.getIssuerName() + ") didn't match with the one in the IssuedToken (" + issuedTokenSecurityEvent.getIssuerName() + ")");
+                return false;
             }
         }
         //todo internal/external reference?
 
-        return isAsserted();
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens with the same usage
+        //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        return true;
     }
 }
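Review bot: The new trailing comment claims the method always returns true to tolerate extra tokens, but the rewritten body now returns false on an IssuerName mismatch, and the tolerance for supporting tokens is actually implemented in TokenAssertionState.assertEvent, which decides from the token usages whether a false result fails the policy. The comment therefore documents the caller's contract in the wrong place, and it is repeated verbatim in the Kerberos, KeyValue, Rel, Saml, SecureConversation, SecurityContext and SpnegoContextToken states in this commit. Replace the three comment lines with something accurate, e.g. `//a false result only fails the policy for main signature/encryption tokens; see TokenAssertionState.assertEvent`. assertToken's signature is above this hunk.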

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KerberosTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KerberosTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KerberosTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KerberosTokenAssertionState.java Thu Mar 22 20:22:29 2012
@@ -52,33 +52,35 @@ public class KerberosTokenAssertionState
             throw new WSSPolicyException("Expected a KerberosTokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
         }
 
-        setAsserted(true);
-
         KerberosToken kerberosToken = (KerberosToken) abstractToken;
         KerberosTokenSecurityEvent kerberosTokenSecurityEvent = (KerberosTokenSecurityEvent) tokenSecurityEvent;
         if (kerberosToken.getIssuerName() != null) {
             if (!kerberosToken.getIssuerName().equals(kerberosTokenSecurityEvent.getIssuerName())) {
-                setAsserted(false);
                 setErrorMessage("IssuerName in Policy (" + kerberosToken.getIssuerName() + ") didn't match with the one in the IssuedToken (" + kerberosTokenSecurityEvent.getIssuerName() + ")");
+                return false;
             }
         }
         if (kerberosToken.getApReqTokenType() != null) {
             switch (kerberosToken.getApReqTokenType()) {
                 case WssKerberosV5ApReqToken11:
                     if (!kerberosTokenSecurityEvent.isKerberosV5ApReqToken11()) {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces " + kerberosToken.getApReqTokenType());
+                        return false;
                     }
                     break;
                 case WssGssKerberosV5ApReqToken11:
                     if (!kerberosTokenSecurityEvent.isGssKerberosV5ApReqToken11()) {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces " + kerberosToken.getApReqTokenType());
+                        return false;
                     }
                     break;
             }
         }
         //todo
-        return isAsserted();
+
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens with the same usage
+        //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        return true;
     }
 }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java Thu Mar 22 20:22:29 2012
@@ -51,15 +51,17 @@ public class KeyValueTokenAssertionState
         if (!(tokenSecurityEvent instanceof KeyValueTokenSecurityEvent)) {
             throw new WSSPolicyException("Expected a KeyValueTokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
         }
-        setAsserted(true);
 
         KeyValueTokenSecurityEvent keyValueTokenSecurityEvent = (KeyValueTokenSecurityEvent) tokenSecurityEvent;
         KeyValueToken keyValueToken = (KeyValueToken) abstractToken;
-        if (keyValueToken.isRsaKeyValue() && !keyValueTokenSecurityEvent.hasRsaKeyValue()) {
-            setAsserted(false);
+        if (keyValueToken.isRsaKeyValue() && !keyValueTokenSecurityEvent.isRsaKeyValue()) {
             setErrorMessage("Policy enforces that a RsaKeyValue must be present in the KeyValueToken");
+            return false;
         }
 
-        return isAsserted();
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens with the same usage
+        //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        return true;
     }
 }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RelTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RelTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RelTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RelTokenAssertionState.java Thu Mar 22 20:22:29 2012
@@ -55,16 +55,17 @@ public class RelTokenAssertionState exte
         RelTokenSecurityEvent relTokenSecurityEvent = (RelTokenSecurityEvent) tokenSecurityEvent;
         RelToken relToken = (RelToken) abstractToken;
 
-        setAsserted(true);
-
         if (relToken.getIssuerName() != null && !relToken.getIssuerName().equals(relTokenSecurityEvent.getIssuerName())) {
-            setAsserted(false);
             setErrorMessage("IssuerName in Policy (" + relToken.getIssuerName() + ") didn't match with the one in the RelToken (" + relTokenSecurityEvent.getIssuerName() + ")");
+            return false;
         }
 
         //todo RequireKeyIdentifierReference
         //todo WssRelV*
 
-        return isAsserted();
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens with the same usage
+        //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        return true;
     }
 }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java Thu Mar 22 20:22:29 2012
@@ -58,42 +58,43 @@ public class SamlTokenAssertionState ext
         SamlTokenSecurityEvent samlTokenSecurityEvent = (SamlTokenSecurityEvent) tokenSecurityEvent;
         SamlToken samlToken = (SamlToken) abstractToken;
 
-        setAsserted(true);
         if (samlToken.getIssuerName() != null && !samlToken.getIssuerName().equals(samlTokenSecurityEvent.getIssuerName())) {
-            setAsserted(false);
             setErrorMessage("IssuerName in Policy (" + samlToken.getIssuerName() + ") didn't match with the one in the SamlToken (" + samlTokenSecurityEvent.getIssuerName() + ")");
+            return false;
         }
         if (samlToken.isRequireKeyIdentifierReference() && ((AbstractSecurityToken) samlTokenSecurityEvent.getSecurityToken()).getKeyIdentifierType() != WSSConstants.KeyIdentifierType.X509_KEY_IDENTIFIER) {
-            setAsserted(false);
             setErrorMessage("Policy enforces KeyIdentifierReference but we got " + samlTokenSecurityEvent.getSecurityToken().getTokenType());
+            return false;
         }
         if (samlToken.getSamlTokenType() != null) {
             switch (samlToken.getSamlTokenType()) {
                 case WssSamlV11Token10:
                     if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_10) {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces SamlVersion11Profile10 but we got " + samlTokenSecurityEvent.getSamlVersion());
+                        return false;
                     }
                     break;
                 case WssSamlV11Token11:
                     if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_11) {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces SamlVersion11Profile11 but we got " + samlTokenSecurityEvent.getSamlVersion());
+                        return false;
                     }
                     break;
                 case WssSamlV20Token11:
                     if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_20) {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces SamlVersion20Profile11 but we got " + samlTokenSecurityEvent.getSamlVersion());
+                        return false;
                     }
                     break;
                 case WssSamlV10Token10:
                 case WssSamlV10Token11:
-                    setAsserted(false);
                     setErrorMessage("Unsupported token type: " + samlToken.getSamlTokenType());
-                    break;
+                    return false;
             }
         }
-        return isAsserted();
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens with the same usage
+        //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        return true;
     }
 }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecureConversationTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecureConversationTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecureConversationTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecureConversationTokenAssertionState.java Thu Mar 22 20:22:29 2012
@@ -54,19 +54,19 @@ public class SecureConversationTokenAsse
         SecureConversationTokenSecurityEvent secureConversationSecurityEvent = (SecureConversationTokenSecurityEvent) tokenSecurityEvent;
         SecureConversationToken secureConversationToken = (SecureConversationToken) abstractToken;
 
-        setAsserted(true);
-
         if (secureConversationToken.getIssuerName() != null && !secureConversationToken.getIssuerName().equals(secureConversationSecurityEvent.getIssuerName())) {
-            setAsserted(false);
             setErrorMessage("IssuerName in Policy (" + secureConversationToken.getIssuerName() + ") didn't match with the one in the SecureConversationToken (" + secureConversationSecurityEvent.getIssuerName() + ")");
+            return false;
         }
         if (secureConversationToken.isRequireExternalUriReference() && !secureConversationSecurityEvent.isExternalUriRef()) {
-            setAsserted(false);
             setErrorMessage("Policy enforces externalUriRef but we didn't got one");
+            return false;
         }
         //todo sp:SC13SecurityContextToken:
-        //if (securityContextToken.isSc10SecurityContextToken() && )
         //todo MustNotSendCancel etc...
-        return isAsserted();
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens with the same usage
+        //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        return true;
     }
 }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecurityContextTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecurityContextTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecurityContextTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecurityContextTokenAssertionState.java Thu Mar 22 20:22:29 2012
@@ -54,18 +54,19 @@ public class SecurityContextTokenAsserti
         SecurityContextTokenSecurityEvent securityContextTokenSecurityEvent = (SecurityContextTokenSecurityEvent) tokenSecurityEvent;
         SecurityContextToken securityContextToken = (SecurityContextToken) abstractToken;
 
-        setAsserted(true);
-
         if (securityContextToken.getIssuerName() != null && !securityContextToken.getIssuerName().equals(securityContextTokenSecurityEvent.getIssuerName())) {
-            setAsserted(false);
             setErrorMessage("IssuerName in Policy (" + securityContextToken.getIssuerName() + ") didn't match with the one in the SecurityContextToken (" + securityContextTokenSecurityEvent.getIssuerName() + ")");
+            return false;
         }
         if (securityContextToken.isRequireExternalUriReference() && !securityContextTokenSecurityEvent.isExternalUriRef()) {
-            setAsserted(false);
             setErrorMessage("Policy enforces externalUriRef but we didn't got one");
+            return false;
         }
         //todo sp:SC13SecurityContextToken:
-        //if (securityContextToken.isSc10SecurityContextToken() && )
-        return isAsserted();
+
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens with the same usage
+        //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        return true;
     }
 }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SpnegoContextTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SpnegoContextTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SpnegoContextTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SpnegoContextTokenAssertionState.java Thu Mar 22 20:22:29 2012
@@ -51,11 +51,20 @@ public class SpnegoContextTokenAssertion
         if (!(tokenSecurityEvent instanceof SpnegoContextTokenSecurityEvent)) {
             throw new WSSPolicyException("Expected a SpnegoContextTokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
         }
-        setAsserted(true);
 
         SpnegoContextToken spnegoContextToken = (SpnegoContextToken) abstractToken;
         SpnegoContextTokenSecurityEvent spnegoContextTokenSecurityEvent = (SpnegoContextTokenSecurityEvent) tokenSecurityEvent;
+        if (spnegoContextToken.getIssuerName() != null) {
+            if (!spnegoContextToken.getIssuerName().equals(spnegoContextTokenSecurityEvent.getIssuerName())) {
+                setErrorMessage("IssuerName in Policy (" + spnegoContextToken.getIssuerName() + ") didn't match with the one in the IssuedToken (" + spnegoContextTokenSecurityEvent.getIssuerName() + ")");
+                return false;
+            }
+        }
         //todo MustNotSend*
-        return isAsserted();
+
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens with the same usage
+        //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        return true;
     }
 }
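Review bot: The error message on the new IssuerName check names the wrong token type: it reports a mismatch "in the IssuedToken" although this state verifies a SpnegoContextToken, which will mislead whoever reads the policy failure. Change it to `setErrorMessage("IssuerName in Policy (" + spnegoContextToken.getIssuerName() + ") didn't match with the one in the SpnegoContextToken (" + spnegoContextTokenSecurityEvent.getIssuerName() + ")");`. The same wording appears on the unchanged IssuerName check in KerberosTokenAssertionState, which this commit leaves as is. assertToken starts before this hunk.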

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java Thu Mar 22 20:22:29 2012
@@ -30,6 +30,7 @@ import org.swssf.xmlsec.ext.SecurityToke
 import org.swssf.xmlsec.ext.XMLSecurityException;
 
 import java.util.Iterator;
+import java.util.List;
 
 /**
  * WSP1.3, 5 Token Assertions
@@ -50,12 +51,18 @@ public abstract class TokenAssertionStat
     @Override
     public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException, XMLSecurityException {
 
+        if (isAsserted()) {
+            //just return true when this token assertion is already fulfilled.
+            return true;
+        }
+
         TokenSecurityEvent tokenSecurityEvent = (TokenSecurityEvent) securityEvent;
         AbstractToken abstractToken = (AbstractToken) getAssertion();
         final AbstractSecurityAssertion parentAssertion = abstractToken.getParentAssertion();
 
         int ignoreToken = 0;
-        Iterator<SecurityToken.TokenUsage> tokenUsageIterator = tokenSecurityEvent.getSecurityToken().getTokenUsages().iterator();
+        final List<SecurityToken.TokenUsage> tokenUsages = tokenSecurityEvent.getSecurityToken().getTokenUsages();
+        Iterator<SecurityToken.TokenUsage> tokenUsageIterator = tokenUsages.iterator();
         while (tokenUsageIterator.hasNext()) {
             SecurityToken.TokenUsage tokenUsage = tokenUsageIterator.next();
             switch (tokenUsage) {
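Review bot: The early return added at the top of assertEvent skips the policy check for every later token handled by this assertion, including tokens carrying MainSignature or MainEncryption usage, while the last hunk of this file still treats a failed assertToken as fatal for exactly those usages; if the inbound context can ever deliver more than one main-signature or main-encryption token to the same assertion (not visible here), the second one is accepted unchecked. Either document why at most one main token per assertion can occur, or move the short-circuit below the usage scan and restrict it, `if (isAsserted() && !tokenUsages.contains(SecurityToken.TokenUsage.MainSignature) && !tokenUsages.contains(SecurityToken.TokenUsage.MainEncryption)) { return true; }`. The if/else at the end of the last hunk, with both branches returning a constant, reads more directly as `return asserted || !(tokenUsages.contains(SecurityToken.TokenUsage.MainSignature) || tokenUsages.contains(SecurityToken.TokenUsage.MainEncryption));`. assertEvent continues between and past the hunks.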
@@ -105,7 +112,7 @@ public abstract class TokenAssertionStat
                     break;
             }
         }
-        if (ignoreToken >= tokenSecurityEvent.getSecurityToken().getTokenUsages().size()) {
+        if (ignoreToken >= tokenUsages.size()) {
             //token is not for us, so return true to prevent false alarm
             return true;
         }
@@ -139,7 +146,15 @@ public abstract class TokenAssertionStat
             }
         }
 
-        return assertToken(tokenSecurityEvent, abstractToken);
+        boolean asserted = assertToken(tokenSecurityEvent, abstractToken);
+        if (!asserted && (tokenUsages.contains(SecurityToken.TokenUsage.MainSignature)
+                || tokenUsages.contains(SecurityToken.TokenUsage.MainEncryption))) {
+            //return false if not asserted for the main signature and encryption tokens
+            return false;
+        } else {
+            //always return true for supporting tokens.
+            return true;
+        }
     }
 
     public abstract boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException;

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenProtectionAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenProtectionAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenProtectionAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenProtectionAssertionState.java Thu Mar 22 20:22:29 2012
@@ -212,14 +212,17 @@ public class TokenProtectionAssertionSta
 
     private boolean signsSignedSupportingTokens(SecurityToken securityToken) throws XMLSecurityException {
 
-        int numberOfSignedEndorsingSupportingTokens = 0;
+        List<SecurityToken> signedSupportingTokens = new LinkedList<SecurityToken>();
         List<SignedElementSecurityEvent> signedElements = new LinkedList<SignedElementSecurityEvent>();
         Iterator<TokenSecurityEvent> tokenSecurityEventIterator = tokenSecurityEvents.iterator();
         while (tokenSecurityEventIterator.hasNext()) {
             TokenSecurityEvent tokenSecurityEvent = tokenSecurityEventIterator.next();
             SecurityToken supportingToken = tokenSecurityEvent.getSecurityToken();
             if (isSignedSupportingToken(supportingToken)) {
-                numberOfSignedEndorsingSupportingTokens++;
+                if (signedSupportingTokens.contains(supportingToken)) {
+                    continue;
+                }
+                signedSupportingTokens.add(supportingToken);
                 List<QName> elementPath = supportingToken.getElementPath();
 
                 boolean found = false;
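Review bot: The duplicate check `signedSupportingTokens.contains(supportingToken)` on a LinkedList is a linear scan per token and, together with the add that follows it, can be replaced by a set: `Set<SecurityToken> signedSupportingTokens = new LinkedHashSet<SecurityToken>();` and `if (!signedSupportingTokens.add(supportingToken)) { continue; }` (java.util.Set and java.util.LinkedHashSet would need importing). Whether two events for the same token are recognised as duplicates depends on SecurityToken's equals/hashCode, which is not visible here; if it is identity-based the dedup only collapses the same instance, which is presumably what is intended but worth confirming. The count is compared with `signedElements.size()` in the next hunk, so using the set's size leaves that check unchanged. The method continues past this hunk.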
@@ -244,7 +247,7 @@ public class TokenProtectionAssertionSta
                 }
             }
         }
-        if (numberOfSignedEndorsingSupportingTokens > signedElements.size()) {
+        if (signedSupportingTokens.size() > signedElements.size()) {
             return false;
         }
 

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java Thu Mar 22 20:22:29 2012
@@ -58,47 +58,49 @@ public class UsernameTokenAssertionState
         UsernameTokenSecurityEvent usernameTokenSecurityEvent = (UsernameTokenSecurityEvent) tokenSecurityEvent;
         UsernameToken usernameToken = (UsernameToken) abstractToken;
 
-        setAsserted(true);
         if (usernameToken.getPasswordType() != null) {
             switch (usernameToken.getPasswordType()) {
                 case NoPassword:
                     if (usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
-                        setAsserted(false);
                         setErrorMessage("UsernameToken contains a password but the policy prohibits it");
+                        return false;
                     }
                     break;
                 case HashPassword:
                     if (usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
-                        setAsserted(false);
                         setErrorMessage("UsernameToken does not contain a hashed password");
+                        return false;
                     }
                     break;
             }
         }
         if (usernameToken.isCreated() && (usernameSecurityToken.getCreated() == null || usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT)) {
-            setAsserted(false);
             setErrorMessage("UsernameToken does not contain a created timestamp or password is not plain text");
+            return false;
         }
         if (usernameToken.isNonce() && (usernameSecurityToken.getNonce() == null || usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT)) {
-            setAsserted(false);
             setErrorMessage("UsernameToken does not contain a nonce or password is not plain text");
+            return false;
         }
         if (usernameToken.getUsernameTokenType() != null) {
             switch (usernameToken.getUsernameTokenType()) {
                 case WssUsernameToken10:
                     if (usernameTokenSecurityEvent.getUsernameTokenProfile().equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11)) {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces UsernameToken profile 1.0 but we got 1.1");
+                        return false;
                     }
                     break;
                 case WssUsernameToken11:
                     if (!usernameTokenSecurityEvent.getUsernameTokenProfile().equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11)) {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces UsernameToken profile 1.1 but we got 1.0");
+                        return false;
                     }
                     break;
             }
         }
-        return isAsserted();
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens with the same usage
+        //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        return true;
     }
 }
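Review bot: The profile checks `usernameTokenSecurityEvent.getUsernameTokenProfile().equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11)` (and its negation in the 1.1 case) throw NullPointerException when the event carries no profile, so that case escapes as a runtime exception instead of a policy failure with an error message like the other branches. Writing the constant first, `WSSConstants.NS_USERNAMETOKEN_PROFILE11.equals(usernameTokenSecurityEvent.getUsernameTokenProfile())`, avoids the exception but makes a missing profile pass the 1.0 check and fail the 1.1 check, so it is better to decide explicitly whether a null profile should fail both and return false with a message. With the early returns the error message now describes the first violated requirement rather than the last one, which changes the reported text when several requirements fail at once. The method signature lies before this hunk.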

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java Thu Mar 22 20:22:29 2012
@@ -68,66 +68,69 @@ public class X509TokenAssertionState ext
                 || WSSConstants.X509PkiPathV1Token.equals(tokenType))) {
             throw new WSSPolicyException("Invalid Token for this assertion");
         }
-        setAsserted(true);
+
         try {
             X509Certificate x509Certificate = securityToken.getX509Certificates()[0];
             if (x509Token.getIssuerName() != null) {
                 final String certificateIssuerName = x509Certificate.getIssuerX500Principal().getName();
                 if (!x509Token.getIssuerName().equals(certificateIssuerName)) {
-                    setAsserted(false);
                     setErrorMessage("IssuerName in Policy (" + x509Token.getIssuerName() + ") didn't match with the one in the certificate (" + certificateIssuerName + ")");
+                    return false;
                 }
             }
             if (x509Token.isRequireKeyIdentifierReference() && securityToken.getKeyIdentifierType() != WSSConstants.KeyIdentifierType.X509_KEY_IDENTIFIER) {
-                setAsserted(false);
                 setErrorMessage("Policy enforces KeyIdentifierReference but we got " + securityToken.getKeyIdentifierType());
+                return false;
             } else if (x509Token.isRequireIssuerSerialReference() && securityToken.getKeyIdentifierType() != WSSConstants.KeyIdentifierType.ISSUER_SERIAL) {
-                setAsserted(false);
                 setErrorMessage("Policy enforces IssuerSerialReference but we got " + securityToken.getKeyIdentifierType());
+                return false;
             } else if (x509Token.isRequireEmbeddedTokenReference() && securityToken.getKeyIdentifierType() != WSSConstants.KeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE) {
-                setAsserted(false);
                 setErrorMessage("Policy enforces EmbeddedTokenReference but we got " + securityToken.getKeyIdentifierType());
+                return false;
             } else if (x509Token.isRequireThumbprintReference() && securityToken.getKeyIdentifierType() != WSSConstants.KeyIdentifierType.THUMBPRINT_IDENTIFIER) {
-                setAsserted(false);
                 setErrorMessage("Policy enforces ThumbprintReference but we got " + securityToken.getKeyIdentifierType());
+                return false;
             }
             if (x509Certificate.getVersion() == 2) {
-                setAsserted(false);
                 setErrorMessage("X509Certificate Version " + x509Certificate.getVersion() + " not supported");
+                return false;
             }
             if (x509Token.getTokenType() != null) {
                 switch (x509Token.getTokenType()) {
                     case WssX509V3Token10:
                     case WssX509V3Token11:
                         if (WSSConstants.X509V3Token != securityToken.getTokenType() || x509Certificate.getVersion() != 3) {
-                            setAsserted(false);
                             setErrorMessage("X509Certificate Version " + x509Certificate.getVersion() + " mismatch; Policy enforces " + x509Token.getTokenType());
+                            return false;
                         }
                         break;
                     case WssX509V1Token11:
                         if (WSSConstants.X509V1Token != securityToken.getTokenType() || x509Certificate.getVersion() != 1) {
-                            setAsserted(false);
                             setErrorMessage("X509Certificate Version " + x509Certificate.getVersion() + " mismatch; Policy enforces " + x509Token.getTokenType());
+                            return false;
                         }
                         break;
                     case WssX509PkiPathV1Token10:
                     case WssX509PkiPathV1Token11:
                         if (securityToken.getTokenType() != WSSConstants.X509PkiPathV1Token) {
-                            setAsserted(false);
                             setErrorMessage("Policy enforces " + x509Token.getTokenType() + " but we got " + securityToken.getTokenType());
+                            return false;
                         }
                         break;
                     case WssX509Pkcs7Token10:
                     case WssX509Pkcs7Token11:
-                        setAsserted(false);
                         setErrorMessage("Unsupported token type: " + securityToken.getTokenType());
-                        break;
+                        return false;
                 }
             }
         } catch (XMLSecurityException e) {
-            setAsserted(false);
             setErrorMessage(e.getMessage());
+            return false;
         }
-        return isAsserted();
+
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens with the same usage
+        //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        return true;
     }
 }
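Review bot: The issuer check compares the policy's issuer name as a raw string with `x509Certificate.getIssuerX500Principal().getName()`, which yields the RFC 2253 form, so an equivalent DN written with a different attribute order, spacing or keyword style is rejected. Comparing principals, `if (!new X500Principal(x509Token.getIssuerName()).equals(x509Certificate.getIssuerX500Principal()))`, matches canonical DN forms; X500Principal's constructor throws IllegalArgumentException on an unparsable name, which should be reported through setErrorMessage and a false return like the other failures. Separately, `securityToken.getX509Certificates()[0]` raises NullPointerException or ArrayIndexOutOfBoundsException rather than XMLSecurityException when the token carries no certificate, so that case escapes the catch block; a guard of the form `X509Certificate[] certs = securityToken.getX509Certificates();` / `if (certs == null || certs.length == 0) { setErrorMessage("No X509Certificate available in the token"); return false; }` / `X509Certificate x509Certificate = certs[0];` keeps it consistent with the other branches. The method signature lies before this hunk.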

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java Thu Mar 22 20:22:29 2012
@@ -67,12 +67,14 @@ public class KeyValueTokenTest extends A
 
         PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
         KeyValueTokenSecurityEvent initiatorTokenSecurityEvent = new KeyValueTokenSecurityEvent();
+        initiatorTokenSecurityEvent.setRsaKeyValue(true);
         SecurityToken securityToken = getX509Token(WSSConstants.X509V3Token);
         securityToken.addTokenUsage(SecurityToken.TokenUsage.MainSignature);
         initiatorTokenSecurityEvent.setSecurityToken(securityToken);
         policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);
 
         KeyValueTokenSecurityEvent recipientTokenSecurityEvent = new KeyValueTokenSecurityEvent();
+        recipientTokenSecurityEvent.setRsaKeyValue(true);
         securityToken = getX509Token(WSSConstants.X509V3Token);
         securityToken.addTokenUsage(SecurityToken.TokenUsage.MainEncryption);
         recipientTokenSecurityEvent.setSecurityToken(securityToken);

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SpnegoContextTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SpnegoContextTokenTest.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SpnegoContextTokenTest.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SpnegoContextTokenTest.java Thu Mar 22 20:22:29 2012
@@ -75,6 +75,7 @@ public class SpnegoContextTokenTest exte
         policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);
 
         SpnegoContextTokenSecurityEvent recipientTokenSecurityEvent = new SpnegoContextTokenSecurityEvent();
+        recipientTokenSecurityEvent.setIssuerName("xs:anyURI");
         securityToken = getX509Token(WSSConstants.X509V3Token);
         securityToken.addTokenUsage(SecurityToken.TokenUsage.MainEncryption);
         recipientTokenSecurityEvent.setSecurityToken(securityToken);