Posted to commits@cxf.apache.org by co...@apache.org on 2013/05/23 15:17:32 UTC
svn commit: r1485693 [4/14] - in /cxf/trunk: ./
distribution/src/main/release/samples/sts/src/main/java/demo/wssec/client/
distribution/src/main/release/samples/sts/src/main/java/demo/wssec/server/
distribution/src/main/release/samples/sts/src/main/jav...
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java Thu May 23 13:17:26 2013
@@ -19,10 +19,14 @@
package org.apache.cxf.ws.security.policy.interceptors;
+import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
+import java.util.List;
import java.util.logging.Logger;
+import javax.xml.namespace.QName;
+
import org.w3c.dom.Element;
import org.apache.cxf.binding.soap.SoapBindingConstants;
@@ -41,19 +45,10 @@ import org.apache.cxf.ws.addressing.Addr
import org.apache.cxf.ws.addressing.JAXWSAConstants;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.policy.PolicyBuilder;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Binding;
-import org.apache.cxf.ws.security.policy.model.Header;
-import org.apache.cxf.ws.security.policy.model.ProtectionToken;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Trust10;
-import org.apache.cxf.ws.security.policy.model.Trust13;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
+import org.apache.cxf.ws.security.trust.DefaultSymmetricBinding;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.STSUtils;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
@@ -61,8 +56,17 @@ import org.apache.neethi.All;
import org.apache.neethi.Assertion;
import org.apache.neethi.ExactlyOne;
import org.apache.neethi.Policy;
-import org.apache.ws.security.message.token.SecurityContextToken;
-import org.apache.ws.security.util.Base64;
+import org.apache.wss4j.dom.message.token.SecurityContextToken;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SPConstants.SPVersion;
+import org.apache.wss4j.policy.model.AbstractBinding;
+import org.apache.wss4j.policy.model.Header;
+import org.apache.wss4j.policy.model.ProtectionToken;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.SignedParts;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
+import org.apache.xml.security.utils.Base64;
class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
static final Logger LOG = LogUtils.getL7dLogger(SecureConversationInInterceptor.class);
@@ -70,19 +74,21 @@ class SecureConversationInInterceptor ex
public SecureConversationInInterceptor() {
super(Phase.PRE_PROTOCOL);
+ getBefore().add(WSS4JInInterceptor.class.getName());
}
- private Binding getBinding(AssertionInfoMap aim) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
- if (ais != null && !ais.isEmpty()) {
- return (Binding)ais.iterator().next().getAssertion();
- }
- ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
- if (ais != null && !ais.isEmpty()) {
- return (Binding)ais.iterator().next().getAssertion();
- }
- ais = aim.get(SP12Constants.TRANSPORT_BINDING);
- if (ais != null && !ais.isEmpty()) {
- return (Binding)ais.iterator().next().getAssertion();
+ private AbstractBinding getBinding(AssertionInfoMap aim) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
+ return (AbstractBinding)ais.iterator().next().getAssertion();
+ }
+ ais = NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
+ return (AbstractBinding)ais.iterator().next().getAssertion();
+ }
+ ais = NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ if (!ais.isEmpty()) {
+ return (AbstractBinding)ais.iterator().next().getAssertion();
}
return null;
}
@@ -91,15 +97,17 @@ class SecureConversationInInterceptor ex
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
if (aim != null) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+ if (ais.isEmpty()) {
return;
}
if (isRequestor(message)) {
//client side should be checked on the way out
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
- }
+ }
+ assertPolicies(aim);
Object s = message.getContextualProperty(SecurityConstants.STS_TOKEN_DO_CANCEL);
if (s != null && (Boolean.TRUE.equals(s) || "true".equalsIgnoreCase(s.toString()))) {
@@ -126,7 +134,7 @@ class SecureConversationInInterceptor ex
SecureConversationToken tok = (SecureConversationToken)ais.iterator()
.next().getAssertion();
- Policy pol = tok.getBootstrapPolicy();
+ Policy pol = tok.getBootstrapPolicy().getPolicy();
if (s.endsWith("Cancel") || s.endsWith("/Renew")) {
//Cancel and Renew just sign with the token
Policy p = new Policy();
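Review bot: `Policy pol = tok.getBootstrapPolicy().getPolicy();` dereferences the BootstrapPolicy without checking it, so a SecureConversationToken assertion that carries no nested BootstrapPolicy now fails with a bare NullPointerException instead of a fault that names the missing element (the old line only assigned the Policy reference). A guard such as `if (tok.getBootstrapPolicy() == null) { throw new IllegalStateException("SecureConversationToken policy has no BootstrapPolicy"); }` before the assignment would make the misconfiguration diagnosable at the point where it is detected. The same chained call is introduced in SecureConversationTokenInterceptorProvider (`itok.getBootstrapPolicy().getPolicy()` in its `@@ -67,7 +68,7 @@` hunk) and wants the same check. The enclosing method starts and ends outside this hunk.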
@@ -136,31 +144,52 @@ class SecureConversationInInterceptor ex
Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
all.addPolicyComponent(ass);
ea.addPolicyComponent(all);
- PolicyBuilder pbuilder = message.getExchange().getBus()
- .getExtension(PolicyBuilder.class);
- SymmetricBinding binding = new SymmetricBinding(SP12Constants.INSTANCE, pbuilder);
+
+ final SecureConversationToken secureConversationToken =
+ new SecureConversationToken(
+ SPConstants.SPVersion.SP12,
+ SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT,
+ null,
+ null,
+ null,
+ null
+ );
+ secureConversationToken.setOptional(true);
+
+ class InternalProtectionToken extends ProtectionToken {
+ public InternalProtectionToken(SPVersion version, Policy nestedPolicy) {
+ super(version, nestedPolicy);
+ super.setToken(secureConversationToken);
+ }
+ }
+
+ DefaultSymmetricBinding binding =
+ new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, new Policy());
+ binding.setProtectionToken(
+ new InternalProtectionToken(SPConstants.SPVersion.SP12, new Policy())
+ );
binding.setIncludeTimestamp(true);
- ProtectionToken token = new ProtectionToken(SP12Constants.INSTANCE, pbuilder);
- token.setToken(new SecureConversationToken(SP12Constants.INSTANCE));
- binding.setProtectionToken(token);
- binding.setEntireHeadersAndBodySignatures(true);
+ binding.setOnlySignEntireHeadersAndBody(true);
+ binding.setProtectTokens(false);
- Binding origBinding = getBinding(aim);
+ AbstractBinding origBinding = getBinding(aim);
binding.setAlgorithmSuite(origBinding.getAlgorithmSuite());
all.addPolicyComponent(binding);
- SignedEncryptedParts parts = new SignedEncryptedParts(true,
- SP12Constants.INSTANCE);
- parts.setBody(true);
+ List<Header> headers = null;
if (addNs != null) {
- parts.addHeader(new Header("To", addNs));
- parts.addHeader(new Header("From", addNs));
- parts.addHeader(new Header("FaultTo", addNs));
- parts.addHeader(new Header("ReplyTO", addNs));
- parts.addHeader(new Header("MessageID", addNs));
- parts.addHeader(new Header("RelatesTo", addNs));
- parts.addHeader(new Header("Action", addNs));
+ headers = new ArrayList<Header>();
+ headers.add(new Header("To", addNs));
+ headers.add(new Header("From", addNs));
+ headers.add(new Header("FaultTo", addNs));
+ headers.add(new Header("ReplyTo", addNs));
+ headers.add(new Header("Action", addNs));
+ headers.add(new Header("MessageID", addNs));
+ headers.add(new Header("RelatesTo", addNs));
}
+
+ SignedParts parts =
+ new SignedParts(SPConstants.SPVersion.SP12, true, null, headers, false);
all.addPolicyComponent(parts);
pol = p;
message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
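Review bot: `AbstractBinding origBinding = getBinding(aim);` followed by `binding.setAlgorithmSuite(origBinding.getAlgorithmSuite());` still dereferences a value that `getBinding` (rewritten in the earlier hunk of this file) explicitly returns as null when no symmetric, asymmetric or transport binding assertion is present; the pattern is carried over from the old code, but the rewrite was the moment to close it. A guard such as `if (origBinding != null) { binding.setAlgorithmSuite(origBinding.getAlgorithmSuite()); }` — or a descriptive exception, if a binding is mandatory on a Cancel/Renew request — avoids a NullPointerException that gives the operator nothing to act on. The local class `InternalProtectionToken` exists only to reach `super.setToken(...)` from a constructor; a one-line comment saying why a subclass is needed (presumably `setToken` is not public on wss4j's ProtectionToken — confirm) would save the next reader a lookup. The enclosing method starts and ends outside this hunk.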
@@ -187,8 +216,23 @@ class SecureConversationInInterceptor ex
} else {
message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
}
+
+ assertPolicies(aim);
}
}
+
+ private void assertPolicies(AssertionInfoMap aim) {
+ NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
+ NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_AMEND);
+ NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_CANCEL);
+ NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_RENEW);
+ QName oldCancelQName =
+ new QName(
+ "http://schemas.microsoft.com/ws/2005/07/securitypolicy",
+ SPConstants.MUST_NOT_SEND_CANCEL
+ );
+ NegotiationUtils.assertPolicy(aim, oldCancelQName);
+ }
private void unmapSecurityProps(Message message) {
Exchange ex = message.getExchange();
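Review bot: `assertPolicies` embeds the literal namespace `"http://schemas.microsoft.com/ws/2005/07/securitypolicy"` in the method body and gives no hint why a MustNotSendCancel variant in that namespace is asserted; hoist it to a named constant, e.g. `private static final String MS_2005_07_SP_NAMESPACE = "http://schemas.microsoft.com/ws/2005/07/securitypolicy";`, and give the method a Javadoc. The Javadoc should state that the method unconditionally marks the BootstrapPolicy and the three MustNotSend* assertions as satisfied on this side, and that the extra QName covers policies written against the older Microsoft securitypolicy namespace (presumably for interoperability with those policies — confirm and name the consumer). Since asserting MustNotSendRenew/Cancel/Amend is a claim that the endpoint honours them, the comment should also say whether that is enforced anywhere or merely declared.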
@@ -311,8 +355,9 @@ class SecureConversationInInterceptor ex
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
if (aim != null) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+ if (ais.isEmpty()) {
return;
}
for (AssertionInfo inf : ais) {
@@ -341,8 +386,9 @@ class SecureConversationInInterceptor ex
if (aim == null) {
return;
}
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+ if (ais.isEmpty()) {
return;
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java Thu May 23 13:17:26 2013
@@ -32,14 +32,14 @@ import org.apache.cxf.ws.addressing.Addr
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
-import org.apache.cxf.ws.security.policy.model.Trust10;
-import org.apache.cxf.ws.security.policy.model.Trust13;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.STSUtils;
-import org.apache.ws.security.WSConstants;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
class SecureConversationOutInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
public SecureConversationOutInterceptor() {
@@ -49,8 +49,9 @@ class SecureConversationOutInterceptor e
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
if (aim != null) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+ if (ais.isEmpty()) {
return;
}
if (isRequestor(message)) {
@@ -79,8 +80,8 @@ class SecureConversationOutInterceptor e
message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getId());
message.getExchange().put(SecurityConstants.TOKEN, tok);
NegotiationUtils.getTokenStore(message).add(tok);
-
}
+ NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
} else {
//server side should be checked on the way in
for (AssertionInfo ai : ais) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -29,18 +29,17 @@ import org.apache.cxf.common.logging.Log
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.policy.PolicyBuilder;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants.SupportTokenType;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.neethi.All;
import org.apache.neethi.ExactlyOne;
import org.apache.neethi.Policy;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
/**
*
@@ -53,7 +52,9 @@ public class SecureConversationTokenInte
public SecureConversationTokenInterceptorProvider() {
super(Arrays.asList(SP11Constants.SECURE_CONVERSATION_TOKEN,
- SP12Constants.SECURE_CONVERSATION_TOKEN));
+ SP12Constants.SECURE_CONVERSATION_TOKEN,
+ SP12Constants.BOOTSTRAP_POLICY,
+ SP11Constants.BOOTSTRAP_POLICY));
this.getOutInterceptors().add(new SecureConversationOutInterceptor());
this.getOutFaultInterceptors().add(new SecureConversationOutInterceptor());
this.getInInterceptors().add(new SecureConversationInInterceptor());
@@ -67,7 +68,7 @@ public class SecureConversationTokenInte
boolean endorse) {
client.setTrust(NegotiationUtils.getTrust10(aim));
client.setTrust(NegotiationUtils.getTrust13(aim));
- Policy pol = itok.getBootstrapPolicy();
+ Policy pol = itok.getBootstrapPolicy().getPolicy();
Policy p = new Policy();
ExactlyOne ea = new ExactlyOne();
p.addPolicyComponent(ea);
@@ -76,10 +77,10 @@ public class SecureConversationTokenInte
ea.addPolicyComponent(all);
if (endorse) {
- SupportingToken st = new SupportingToken(SupportTokenType.SUPPORTING_TOKEN_ENDORSING,
- SP12Constants.INSTANCE,
- message.getExchange()
- .getBus().getExtension(PolicyBuilder.class));
+ SupportingTokens st =
+ new SupportingTokens(SPConstants.SPVersion.SP12,
+ SP12Constants.SupportingTokenTypes.EndorsingSupportingTokens,
+ new Policy());
st.addToken(itok);
all.addPolicyComponent(st);
}
@@ -94,7 +95,7 @@ public class SecureConversationTokenInte
AlgorithmSuite suite = NegotiationUtils.getAlgorithmSuite(aim);
if (suite != null) {
client.setAlgorithmSuite(suite);
- int x = suite.getMaximumSymmetricKeyLength();
+ int x = suite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength();
if (x < 256) {
client.setKeySize(x);
}
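Review bot: The key-size clamp `int x = suite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength(); if (x < 256) { client.setKeySize(x); }` is now duplicated byte-for-byte in SpnegoTokenInterceptorProvider (its `@@ -79,7 +79,7 @@` hunk); with the extra `getAlgorithmSuiteType()` indirection it is worth one shared helper in NegotiationUtils rather than two copies that can drift. Whether `getAlgorithmSuiteType()` can be null for an AlgorithmSuite whose nested policy names no recognised suite is not visible here — if it can, the helper is also the single place for that check. The enclosing method starts and ends outside this hunk.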
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java Thu May 23 13:17:26 2013
@@ -22,8 +22,6 @@ package org.apache.cxf.ws.security.polic
import java.util.Collection;
import java.util.logging.Logger;
-import javax.xml.namespace.QName;
-
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
@@ -33,7 +31,8 @@ import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
-import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
/**
* Interceptor verifies critical policy security assertions for client side
@@ -59,37 +58,43 @@ public class SecurityVerificationOutInte
if (MessageUtils.isRequestor(message)) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
if (aim != null) {
- Collection<AssertionInfo> aisTransport = aim.get(SP12Constants.TRANSPORT_BINDING);
- Collection<AssertionInfo> aisAssymetric = aim.get(SP12Constants.ASYMMETRIC_BINDING);
- Collection<AssertionInfo> aisSymetric = aim.get(SP12Constants.SYMMETRIC_BINDING);
- if (((aisTransport == null) || aisTransport.isEmpty())
- && ((aisAssymetric == null) || aisAssymetric.isEmpty())
- && ((aisSymetric == null) || aisSymetric.isEmpty())) {
+ Collection<AssertionInfo> aisTransport =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ Collection<AssertionInfo> aisAssymetric =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ Collection<AssertionInfo> aisSymetric =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+
+ if (aisTransport.isEmpty() && aisAssymetric.isEmpty() && aisSymetric.isEmpty()) {
+
+ Collection<AssertionInfo> aisSignedParts =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
+ checkAssertion(aisSignedParts, SPConstants.SIGNED_PARTS);
- Collection<AssertionInfo> aisSignedParts = aim.get(SP12Constants.SIGNED_PARTS);
- checkAssertion(aisSignedParts, SP12Constants.SIGNED_PARTS);
Collection<AssertionInfo> aisSignedElements = aim.get(SP12Constants.SIGNED_ELEMENTS);
- checkAssertion(aisSignedElements, SP12Constants.SIGNED_ELEMENTS);
+ checkAssertion(aisSignedElements, SPConstants.SIGNED_ELEMENTS);
Collection<AssertionInfo> aisEncryptedParts = aim.get(SP12Constants.ENCRYPTED_PARTS);
- checkAssertion(aisEncryptedParts, SP12Constants.ENCRYPTED_PARTS);
+ checkAssertion(aisEncryptedParts, SPConstants.ENCRYPTED_PARTS);
+
Collection<AssertionInfo> aisEncryptedElements =
aim.get(SP12Constants.ENCRYPTED_ELEMENTS);
- checkAssertion(aisEncryptedElements, SP12Constants.ENCRYPTED_ELEMENTS);
+ checkAssertion(aisEncryptedElements, SPConstants.ENCRYPTED_ELEMENTS);
+
Collection<AssertionInfo> aisContentEncryptedElements =
aim.get(SP12Constants.CONTENT_ENCRYPTED_ELEMENTS);
- checkAssertion(aisContentEncryptedElements, SP12Constants.CONTENT_ENCRYPTED_ELEMENTS);
+ checkAssertion(aisContentEncryptedElements, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
}
}
}
}
- private void checkAssertion(Collection<AssertionInfo> ais, QName assertion) {
+ private void checkAssertion(Collection<AssertionInfo> ais, String assertionName) {
if ((ais != null) && (!ais.isEmpty())) {
String error = String
.format("%s assertion cannot be fulfilled without binding. "
+ "At least one binding assertion (%s, %s, %s) must be specified in policy.",
- assertion.getLocalPart(), SP12Constants.TRANSPORT_BINDING.getLocalPart(),
+ assertionName, SP12Constants.TRANSPORT_BINDING.getLocalPart(),
SP12Constants.ASYMMETRIC_BINDING.getLocalPart(),
SP12Constants.SYMMETRIC_BINDING.getLocalPart());
AssertionInfo info = ais.iterator().next();
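Review bot: The binding lookups and the SignedParts lookup now match by local name (so an SP 1.1 and an SP 1.2 assertion both count), but `aisSignedElements`, `aisEncryptedParts`, `aisEncryptedElements` and `aisContentEncryptedElements` are still fetched with `aim.get(SP12Constants.…)`, so an SP 1.1 SignedElements/EncryptedParts/EncryptedElements/ContentEncryptedElements assertion without a binding slips past this verification while its SP 1.2 twin is rejected. Using `NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.…)` for those four as well keeps the check consistent with the binding test above them; `checkAssertion` already tolerates both null and empty collections, so nothing else needs to change. The enclosing method starts outside this hunk and `checkAssertion` continues past its last line.
```java
// … unchanged: binding lookups, empty-binding test, SignedParts lookup and check …
Collection<AssertionInfo> aisSignedElements =
    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
// … unchanged: checkAssertion(aisSignedElements, …) …
Collection<AssertionInfo> aisEncryptedParts =
    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
// … unchanged: checkAssertion(aisEncryptedParts, …) …
Collection<AssertionInfo> aisEncryptedElements =
    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
// … unchanged: checkAssertion(aisEncryptedElements, …) …
Collection<AssertionInfo> aisContentEncryptedElements =
    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
// … unchanged: checkAssertion(aisContentEncryptedElements, …), closing braces, checkAssertion …
```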
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java Thu May 23 13:17:26 2013
@@ -43,7 +43,6 @@ import org.apache.cxf.ws.addressing.JAXW
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.trust.STSUtils;
@@ -52,12 +51,13 @@ import org.apache.neethi.All;
import org.apache.neethi.Assertion;
import org.apache.neethi.ExactlyOne;
import org.apache.neethi.Policy;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.SecurityContextToken;
-import org.apache.ws.security.spnego.SpnegoTokenContext;
-import org.apache.ws.security.util.Base64;
-import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.wss4j.common.spnego.SpnegoTokenContext;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.SecurityContextToken;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.xml.security.utils.Base64;
class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
static final Logger LOG = LogUtils.getL7dLogger(SpnegoContextTokenInInterceptor.class);
@@ -70,8 +70,9 @@ class SpnegoContextTokenInInterceptor ex
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
if (aim != null) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SPNEGO_CONTEXT_TOKEN);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+ if (ais.isEmpty()) {
return;
}
if (isRequestor(message)) {
@@ -348,8 +349,9 @@ class SpnegoContextTokenInInterceptor ex
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
if (aim != null) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SPNEGO_CONTEXT_TOKEN);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+ if (ais.isEmpty()) {
return;
}
for (AssertionInfo inf : ais) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java Thu May 23 13:17:26 2013
@@ -32,16 +32,16 @@ import org.apache.cxf.ws.addressing.Addr
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Trust10;
-import org.apache.cxf.ws.security.policy.model.Trust13;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.STSUtils;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.spnego.SpnegoClientAction;
-import org.apache.ws.security.spnego.SpnegoTokenContext;
-import org.apache.ws.security.util.Base64;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.spnego.SpnegoClientAction;
+import org.apache.wss4j.common.spnego.SpnegoTokenContext;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
+import org.apache.xml.security.utils.Base64;
class SpnegoContextTokenOutInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
public SpnegoContextTokenOutInterceptor() {
@@ -51,8 +51,9 @@ class SpnegoContextTokenOutInterceptor e
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
if (aim != null) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SPNEGO_CONTEXT_TOKEN);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+ if (ais.isEmpty()) {
return;
}
if (isRequestor(message)) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -30,14 +30,14 @@ import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.neethi.All;
import org.apache.neethi.ExactlyOne;
import org.apache.neethi.Policy;
-import org.apache.ws.security.WSSConfig;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
/**
*
@@ -79,7 +79,7 @@ public class SpnegoTokenInterceptorProvi
AlgorithmSuite suite = NegotiationUtils.getAlgorithmSuite(aim);
if (suite != null) {
client.setAlgorithmSuite(suite);
- int x = suite.getMaximumSymmetricKeyLength();
+ int x = suite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength();
if (x < 256) {
client.setKeySize(x);
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -26,8 +26,9 @@ import javax.xml.namespace.QName;
import org.apache.cxf.Bus;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
-import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
/**
*
@@ -39,6 +40,7 @@ public class UsernameTokenInterceptorPro
ASSERTION_TYPES = new ArrayList<QName>();
ASSERTION_TYPES.add(SP12Constants.USERNAME_TOKEN);
+ ASSERTION_TYPES.add(SP11Constants.USERNAME_TOKEN);
}
public UsernameTokenInterceptorProvider() {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -25,9 +25,12 @@ import java.util.Collection;
import javax.xml.namespace.QName;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
-import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
/**
*
@@ -41,6 +44,10 @@ public class WSSecurityInterceptorProvid
ASSERTION_TYPES.add(SP12Constants.TRANSPORT_BINDING);
ASSERTION_TYPES.add(SP12Constants.ASYMMETRIC_BINDING);
ASSERTION_TYPES.add(SP12Constants.SYMMETRIC_BINDING);
+
+ ASSERTION_TYPES.add(SP11Constants.TRANSPORT_BINDING);
+ ASSERTION_TYPES.add(SP11Constants.ASYMMETRIC_BINDING);
+ ASSERTION_TYPES.add(SP11Constants.SYMMETRIC_BINDING);
}
public WSSecurityInterceptorProvider() {
@@ -49,5 +56,10 @@ public class WSSecurityInterceptorProvid
this.getOutFaultInterceptors().add(PolicyBasedWSS4JOutInterceptor.INSTANCE);
this.getInInterceptors().add(PolicyBasedWSS4JInInterceptor.INSTANCE);
this.getInFaultInterceptors().add(PolicyBasedWSS4JInInterceptor.INSTANCE);
+
+ this.getOutInterceptors().add(PolicyBasedWSS4JStaxOutInterceptor.INSTANCE);
+ this.getOutFaultInterceptors().add(PolicyBasedWSS4JStaxOutInterceptor.INSTANCE);
+ this.getInInterceptors().add(PolicyBasedWSS4JStaxInInterceptor.INSTANCE);
+ this.getInFaultInterceptors().add(PolicyBasedWSS4JStaxInInterceptor.INSTANCE);
}
}
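Review bot: Registering both the DOM interceptors and the new StAX interceptors on all four chains (lines 609-616) means every message now passes through two policy-enforcing interceptors, and correctness depends on exactly one of them doing the work for a given configuration. Nothing in this hunk records which switch decides that; presumably each interceptor consults `SecurityConstants.ENABLE_STREAMING_SECURITY` and steps aside, but that is inferred, not visible here. A one-line comment above line 613 such as `// DOM and StAX interceptors are both registered; each checks SecurityConstants.ENABLE_STREAMING_SECURITY and only one of them processes the message` would make the invariant explicit for the next reader.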
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -25,8 +25,8 @@ import java.util.Collection;
import javax.xml.namespace.QName;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
/**
*
@@ -39,9 +39,13 @@ public class WSSecurityPolicyInterceptor
ASSERTION_TYPES.add(SP12Constants.LAYOUT);
ASSERTION_TYPES.add(SP12Constants.INCLUDE_TIMESTAMP);
ASSERTION_TYPES.add(SP12Constants.ALGORITHM_SUITE);
+ ASSERTION_TYPES.add(SP12Constants.ENCRYPT_SIGNATURE);
+ ASSERTION_TYPES.add(SP12Constants.PROTECT_TOKENS);
+ ASSERTION_TYPES.add(SP12Constants.ENCRYPT_BEFORE_SIGNING);
+ ASSERTION_TYPES.add(SP12Constants.SIGN_BEFORE_ENCRYPTING);
+ ASSERTION_TYPES.add(SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
ASSERTION_TYPES.add(SP12Constants.WSS10);
ASSERTION_TYPES.add(SP12Constants.WSS11);
- ASSERTION_TYPES.add(SP11Constants.TRUST_10);
ASSERTION_TYPES.add(SP12Constants.TRUST_13);
ASSERTION_TYPES.add(SP12Constants.PROTECTION_TOKEN);
ASSERTION_TYPES.add(SP12Constants.X509_TOKEN);
@@ -61,14 +65,48 @@ public class WSSecurityPolicyInterceptor
ASSERTION_TYPES.add(SP12Constants.ENCRYPTED_ELEMENTS);
ASSERTION_TYPES.add(SP12Constants.SIGNED_ELEMENTS);
ASSERTION_TYPES.add(SP12Constants.CONTENT_ENCRYPTED_ELEMENTS);
- ASSERTION_TYPES.add(SP12Constants.INSTANCE.getSupportingTokens());
- ASSERTION_TYPES.add(SP12Constants.INSTANCE.getSignedSupportingTokens());
- ASSERTION_TYPES.add(SP12Constants.INSTANCE.getEndorsingSupportingTokens());
- ASSERTION_TYPES.add(SP12Constants.INSTANCE.getSignedEndorsingSupportingTokens());
+ ASSERTION_TYPES.add(SP12Constants.SUPPORTING_TOKENS);
+ ASSERTION_TYPES.add(SP12Constants.SIGNED_SUPPORTING_TOKENS);
+ ASSERTION_TYPES.add(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
ASSERTION_TYPES.add(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
+ ASSERTION_TYPES.add(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
ASSERTION_TYPES.add(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
ASSERTION_TYPES.add(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
ASSERTION_TYPES.add(SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+
+ ASSERTION_TYPES.add(SP11Constants.LAYOUT);
+ ASSERTION_TYPES.add(SP11Constants.INCLUDE_TIMESTAMP);
+ ASSERTION_TYPES.add(SP11Constants.ALGORITHM_SUITE);
+ ASSERTION_TYPES.add(SP11Constants.ENCRYPT_SIGNATURE);
+ ASSERTION_TYPES.add(SP11Constants.PROTECT_TOKENS);
+ ASSERTION_TYPES.add(SP11Constants.ENCRYPT_BEFORE_SIGNING);
+ ASSERTION_TYPES.add(SP11Constants.SIGN_BEFORE_ENCRYPTING);
+ ASSERTION_TYPES.add(SP11Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
+ ASSERTION_TYPES.add(SP11Constants.WSS10);
+ ASSERTION_TYPES.add(SP11Constants.WSS11);
+ ASSERTION_TYPES.add(SP11Constants.TRUST_10);
+ ASSERTION_TYPES.add(SP11Constants.PROTECTION_TOKEN);
+ ASSERTION_TYPES.add(SP11Constants.X509_TOKEN);
+ ASSERTION_TYPES.add(SP11Constants.ENCRYPTION_TOKEN);
+ ASSERTION_TYPES.add(SP11Constants.SIGNATURE_TOKEN);
+ ASSERTION_TYPES.add(SP11Constants.TRANSPORT_TOKEN);
+ ASSERTION_TYPES.add(SP11Constants.INITIATOR_TOKEN);
+ ASSERTION_TYPES.add(SP11Constants.INITIATOR_SIGNATURE_TOKEN);
+ ASSERTION_TYPES.add(SP11Constants.INITIATOR_ENCRYPTION_TOKEN);
+ ASSERTION_TYPES.add(SP11Constants.RECIPIENT_TOKEN);
+ ASSERTION_TYPES.add(SP11Constants.RECIPIENT_SIGNATURE_TOKEN);
+ ASSERTION_TYPES.add(SP11Constants.RECIPIENT_ENCRYPTION_TOKEN);
+ ASSERTION_TYPES.add(SP11Constants.SIGNED_PARTS);
+ ASSERTION_TYPES.add(SP11Constants.REQUIRED_PARTS);
+ ASSERTION_TYPES.add(SP11Constants.REQUIRED_ELEMENTS);
+ ASSERTION_TYPES.add(SP11Constants.ENCRYPTED_PARTS);
+ ASSERTION_TYPES.add(SP11Constants.ENCRYPTED_ELEMENTS);
+ ASSERTION_TYPES.add(SP11Constants.SIGNED_ELEMENTS);
+ ASSERTION_TYPES.add(SP11Constants.CONTENT_ENCRYPTED_ELEMENTS);
+ ASSERTION_TYPES.add(SP11Constants.SUPPORTING_TOKENS);
+ ASSERTION_TYPES.add(SP11Constants.SIGNED_SUPPORTING_TOKENS);
+ ASSERTION_TYPES.add(SP11Constants.ENDORSING_SUPPORTING_TOKENS);
+ ASSERTION_TYPES.add(SP11Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
}
public WSSecurityPolicyInterceptorProvider() {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java Thu May 23 13:17:26 2013
@@ -37,7 +37,7 @@ import org.apache.cxf.Bus;
import org.apache.cxf.buslifecycle.BusLifeCycleListener;
import org.apache.cxf.buslifecycle.BusLifeCycleManager;
import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.ws.security.cache.EHCacheManagerHolder;
+import org.apache.wss4j.common.cache.EHCacheManagerHolder;
/**
* An in-memory EHCache implementation of the TokenStore interface. The default TTL is 60 minutes
@@ -59,7 +59,7 @@ public class EHCacheTokenStore implement
b.getExtension(BusLifeCycleManager.class).registerLifeCycleListener(this);
}
- cacheManager = EHCacheManagerHolder.getCacheManager(bus, configFileURL);
+ cacheManager = EHCacheManagerHolder.getCacheManager(configFileURL);
// Cannot overflow to disk as SecurityToken Elements can't be serialized
CacheConfiguration cc = EHCacheManagerHolder.getCacheConfiguration(key, cacheManager);
cc.overflowToDisk(false); //tokens not writable
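Review bot: Dropping the `bus` argument on line 717 means the EHCache manager is now obtained purely by configuration URL, so two Bus instances using the same config file presumably share one cache manager, while the `BusLifeCycleListener` registered on line 714 is still per-Bus. Worth confirming that the shutdown path releases a shared manager without tearing it down for other Buses that still hold tokens in it; if the holder reference-counts, a comment saying so next to line 717 (`// cache manager is shared per config URL; released, not shut down, in postShutdown`) would prevent a future "fix". The enclosing constructor starts outside this hunk.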
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java Thu May 23 13:17:26 2013
@@ -33,10 +33,10 @@ import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.staxutils.W3CDOMStreamWriter;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.message.token.Reference;
-import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.message.token.Reference;
+import org.apache.wss4j.dom.util.XmlSchemaDateFormat;
/**
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java Thu May 23 13:17:26 2013
@@ -26,7 +26,6 @@ import org.apache.cxf.common.classloader
import org.apache.cxf.message.Message;
import org.apache.cxf.resource.ResourceManager;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.cache.ReplayCacheFactory;
/**
* An abstract factory to return a TokenStore instance. It returns an EHCacheTokenStoreFactory
@@ -69,7 +68,7 @@ public abstract class TokenStoreFactory
url = rm.resolveResource((String)o, URL.class);
try {
if (url == null) {
- url = ClassLoaderUtils.getResource((String)o, ReplayCacheFactory.class);
+ url = ClassLoaderUtils.getResource((String)o, TokenStoreFactory.class);
}
if (url == null) {
url = new URL((String)o);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java Thu May 23 13:17:26 2013
@@ -25,6 +25,7 @@ import java.io.StringReader;
import java.net.URL;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
@@ -91,16 +92,6 @@ import org.apache.cxf.ws.policy.PolicyCo
import org.apache.cxf.ws.policy.PolicyEngine;
import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
-import org.apache.cxf.ws.security.policy.model.Binding;
-import org.apache.cxf.ws.security.policy.model.Header;
-import org.apache.cxf.ws.security.policy.model.ProtectionToken;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Trust10;
-import org.apache.cxf.ws.security.policy.model.Trust13;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.claims.ClaimsCallback;
import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
@@ -111,27 +102,39 @@ import org.apache.neethi.All;
import org.apache.neethi.ExactlyOne;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyComponent;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDocInfo;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.apache.ws.security.components.crypto.CryptoType;
-import org.apache.ws.security.conversation.ConversationException;
-import org.apache.ws.security.conversation.dkalgo.P_SHA1;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.Reference;
-import org.apache.ws.security.processor.EncryptedKeyProcessor;
-import org.apache.ws.security.processor.X509Util;
-import org.apache.ws.security.util.Base64;
-import org.apache.ws.security.util.WSSecurityUtil;
-import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.derivedKey.ConversationException;
+import org.apache.wss4j.common.derivedKey.P_SHA1;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDocInfo;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.Reference;
+import org.apache.wss4j.dom.processor.EncryptedKeyProcessor;
+import org.apache.wss4j.dom.processor.X509Util;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.dom.util.XmlSchemaDateFormat;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SPConstants.SPVersion;
+import org.apache.wss4j.policy.model.AbstractBinding;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
+import org.apache.wss4j.policy.model.Header;
+import org.apache.wss4j.policy.model.ProtectionToken;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.SignedParts;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
+import org.apache.xml.security.exceptions.Base64DecodingException;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.keys.content.keyvalues.DSAKeyValue;
import org.apache.xml.security.keys.content.keyvalues.RSAKeyValue;
+import org.apache.xml.security.utils.Base64;
/**
* An abstract class with some functionality to invoke on a SecurityTokenService (STS) via the
@@ -159,7 +162,7 @@ public abstract class AbstractSTSClient
protected AlgorithmSuite algorithmSuite;
protected String namespace = STSUtils.WST_NS_05_12;
protected String addressingNamespace = "http://www.w3.org/2005/08/addressing";
- protected String wspNamespace = SPConstants.P_NS;
+ protected String wspNamespace = "http://www.w3.org/ns/ws-policy";
protected Object onBehalfOf;
protected boolean enableAppliesTo = true;
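Review bot: The WS-Policy namespace on line 852 is now an inline literal where it used to be the `SPConstants.P_NS` constant, so the value is no longer shared with the rest of the policy code and a namespace typo would only surface at runtime as a policy that silently fails to match. Prefer a named constant, e.g. `private static final String DEFAULT_WSP_NS = "http://www.w3.org/ns/ws-policy";` with `protected String wspNamespace = DEFAULT_WSP_NS;`, or reuse whichever WS-Policy 1.5 namespace constant the project already depends on if one is in scope.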
@@ -440,8 +443,8 @@ public abstract class AbstractSTSClient
while (i.hasNext() && algorithmSuite == null) {
List<PolicyComponent> p = CastUtils.cast((List<?>)i.next());
for (PolicyComponent p2 : p) {
- if (p2 instanceof Binding) {
- algorithmSuite = ((Binding)p2).getAlgorithmSuite();
+ if (p2 instanceof AbstractBinding) {
+ algorithmSuite = ((AbstractBinding)p2).getAlgorithmSuite();
}
}
}
@@ -812,8 +815,9 @@ public abstract class AbstractSTSClient
if (algorithmSuite == null) {
requestorEntropy = WSSecurityUtil.generateNonce(keySize / 8);
} else {
+ AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
requestorEntropy = WSSecurityUtil
- .generateNonce(algorithmSuite.getMaximumSymmetricKeyLength() / 8);
+ .generateNonce(algType.getMaximumSymmetricKeyLength() / 8);
}
writer.writeCharacters(Base64.encode(requestorEntropy));
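Review bot: Line 870 dereferences `algorithmSuite.getAlgorithmSuiteType()` on line 873 without a null check, so the nonce sizing would throw a NullPointerException if the parsed AlgorithmSuite carries no suite type; whether that can happen depends on how the wss4j model validates the nested policy, which is not visible here. If it can, fall back the same way the `algorithmSuite == null` branch on lines 867-868 already does: `int keyLen = algType != null ? algType.getMaximumSymmetricKeyLength() : keySize;` and then `requestorEntropy = WSSecurityUtil.generateNonce(keyLen / 8);`. The enclosing method starts and ends outside this hunk.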
@@ -1050,38 +1054,52 @@ public abstract class AbstractSTSClient
All all = new All();
one.addPolicyComponent(all);
all.addAssertion(getAddressingAssertion());
+
+ final SecureConversationToken secureConversationToken =
+ new SecureConversationToken(
+ SPConstants.SPVersion.SP12,
+ SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT,
+ null,
+ null,
+ null,
+ null
+ );
+ secureConversationToken.setOptional(true);
+
+ class InternalProtectionToken extends ProtectionToken {
+ public InternalProtectionToken(SPVersion version, Policy nestedPolicy) {
+ super(version, nestedPolicy);
+ super.setToken(secureConversationToken);
+ }
+ }
- PolicyBuilder pbuilder = bus.getExtension(PolicyBuilder.class);
- SymmetricBinding binding = new SymmetricBinding(pbuilder);
+ DefaultSymmetricBinding binding =
+ new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, new Policy());
all.addAssertion(binding);
all.addAssertion(getAddressingAssertion());
- ProtectionToken ptoken = new ProtectionToken(pbuilder);
- binding.setProtectionToken(ptoken);
+ binding.setProtectionToken(
+ new InternalProtectionToken(SPConstants.SPVersion.SP12, new Policy())
+ );
binding.setIncludeTimestamp(true);
- binding.setEntireHeadersAndBodySignatures(true);
- binding.setTokenProtection(false);
- AlgorithmSuite suite = new AlgorithmSuite();
- binding.setAlgorithmSuite(suite);
- SecureConversationToken sct = new SecureConversationToken();
- sct.setOptional(true);
- ptoken.setToken(sct);
-
- SignedEncryptedParts parts = new SignedEncryptedParts(true);
- parts.setOptional(true);
- parts.setBody(true);
+ binding.setOnlySignEntireHeadersAndBody(true);
+ binding.setProtectTokens(false);
String addrNamespace = addressingNamespace;
if (addrNamespace == null) {
addrNamespace = "http://www.w3.org/2005/08/addressing";
}
- parts.addHeader(new Header("To", addrNamespace));
- parts.addHeader(new Header("From", addrNamespace));
- parts.addHeader(new Header("FaultTo", addrNamespace));
- parts.addHeader(new Header("ReplyTo", addrNamespace));
- parts.addHeader(new Header("Action", addrNamespace));
- parts.addHeader(new Header("MessageID", addrNamespace));
- parts.addHeader(new Header("RelatesTo", addrNamespace));
+ List<Header> headers = new ArrayList<Header>();
+ headers.add(new Header("To", addrNamespace));
+ headers.add(new Header("From", addrNamespace));
+ headers.add(new Header("FaultTo", addrNamespace));
+ headers.add(new Header("ReplyTo", addrNamespace));
+ headers.add(new Header("Action", addrNamespace));
+ headers.add(new Header("MessageID", addrNamespace));
+ headers.add(new Header("RelatesTo", addrNamespace));
+
+ SignedParts parts = new SignedParts(SPConstants.SPVersion.SP12, true, null, headers, false);
+ parts.setOptional(true);
all.addPolicyComponent(parts);
client.getRequestContext().put(PolicyConstants.POLICY_OVERRIDE, cancelPolicy);
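Review bot: The old code set an explicit `AlgorithmSuite` on the symmetric binding (removed lines 912-913) and the rewrite has no counterpart, so the cancel policy now relies on `DefaultSymmetricBinding` supplying a suite on its own; if it does, a comment on line 900 such as `// DefaultSymmetricBinding provides the default AlgorithmSuite; the old explicit new AlgorithmSuite() is no longer needed` would save the next reader from the same question, and if it does not, the binding is incomplete. The positional `true, null, headers, false` arguments on line 943 are opaque; a trailing comment naming them (body, attachments, headers, and whatever the last flag means) is warranted. The local class on lines 892-897 exists only to reach a protected setter and captures `secureConversationToken` from the enclosing scope, which is unusual enough to deserve a one-line comment explaining why a plain `ProtectionToken` cannot be used. The enclosing method starts and ends outside this hunk.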
@@ -1223,7 +1241,7 @@ public abstract class AbstractSTSClient
}
protected SecurityToken createSecurityToken(Element el, byte[] requestorEntropy)
- throws WSSecurityException {
+ throws WSSecurityException, Base64DecodingException {
if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) {
el = DOMUtils.getFirstElement(el);
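Review bot: Adding `Base64DecodingException` to the `protected` signature on line 951 (and again on `decryptKey` at line 958) widens a contract that subclasses override and callers catch, and a malformed base64 value in a token response now surfaces as an xml-security exception rather than a `WSSecurityException`, so existing handlers keyed on `WSSecurityException` no longer see it. Consider catching it at the decode site and rethrowing as `throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);` (or the project's equivalent) so the method contracts stay unchanged. Both enclosing methods continue outside their hunks.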
@@ -1337,7 +1355,7 @@ public abstract class AbstractSTSClient
return token;
}
- protected byte[] decryptKey(Element child) throws TrustException, WSSecurityException {
+ protected byte[] decryptKey(Element child) throws TrustException, WSSecurityException, Base64DecodingException {
String encryptionAlgorithm = X509Util.getEncAlgo(child);
// For the SPNEGO case just return the decoded cipher value and decrypt it later
if (encryptionAlgorithm != null && encryptionAlgorithm.endsWith("spnego#GSS_Wrap")) {
@@ -1354,7 +1372,7 @@ public abstract class AbstractSTSClient
}
}
if (cipherValue == null) {
- throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "noCipher");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noCipher");
}
return cipherValue;
} else {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java Thu May 23 13:17:26 2013
@@ -33,9 +33,9 @@ import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.message.token.UsernameToken;
-import org.apache.ws.security.validate.Credential;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.dom.validate.Credential;
public class AuthPolicyValidatingInterceptor extends AbstractPhaseInterceptor<Message> {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java Thu May 23 13:17:26 2013
@@ -19,11 +19,11 @@
package org.apache.cxf.ws.security.trust;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.validate.Credential;
-import org.apache.ws.security.validate.SamlAssertionValidator;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.validate.Credential;
+import org.apache.wss4j.dom.validate.SamlAssertionValidator;
/**
* This class validates a SAML Assertion by invoking the SamlAssertionValidator in WSS4J. It
@@ -56,7 +56,7 @@ public class STSSamlAssertionValidator e
*/
@Override
protected Credential verifySignedAssertion(
- AssertionWrapper assertion,
+ SamlAssertionWrapper assertion,
RequestData data
) throws WSSecurityException {
try {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java Thu May 23 13:17:26 2013
@@ -31,11 +31,11 @@ import org.apache.cxf.ws.security.Securi
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.tokenstore.TokenStoreFactory;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.validate.Credential;
-import org.apache.ws.security.validate.Validator;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.validate.Credential;
+import org.apache.wss4j.dom.validate.Validator;
/**
*
@@ -70,13 +70,13 @@ public class STSTokenValidator implement
SecurityToken token = new SecurityToken();
Element tokenElement = null;
int hash = 0;
- if (credential.getAssertion() != null) {
- AssertionWrapper assertion = credential.getAssertion();
+ if (credential.getSamlAssertion() != null) {
+ SamlAssertionWrapper assertion = credential.getSamlAssertion();
byte[] signatureValue = assertion.getSignatureValue();
if (signatureValue != null && signatureValue.length > 0) {
hash = Arrays.hashCode(signatureValue);
}
- tokenElement = credential.getAssertion().getElement();
+ tokenElement = credential.getSamlAssertion().getElement();
} else if (credential.getUsernametoken() != null) {
tokenElement = credential.getUsernametoken().getElement();
hash = credential.getUsernametoken().hashCode();
@@ -93,7 +93,7 @@ public class STSTokenValidator implement
if (tokenStore != null && hash != 0) {
SecurityToken transformedToken = getTransformedToken(tokenStore, hash);
if (transformedToken != null) {
- AssertionWrapper assertion = new AssertionWrapper(transformedToken.getToken());
+ SamlAssertionWrapper assertion = new SamlAssertionWrapper(transformedToken.getToken());
credential.setTransformedToken(assertion);
return credential;
}
@@ -106,7 +106,7 @@ public class STSTokenValidator implement
List<SecurityToken> tokens = c.validateSecurityToken(token);
SecurityToken returnedToken = tokens.get(0);
if (returnedToken != token) {
- AssertionWrapper assertion = new AssertionWrapper(returnedToken.getToken());
+ SamlAssertionWrapper assertion = new SamlAssertionWrapper(returnedToken.getToken());
credential.setTransformedToken(assertion);
if (hash != 0) {
tokenStore.add(returnedToken);
@@ -119,7 +119,7 @@ public class STSTokenValidator implement
} catch (RuntimeException e) {
throw e;
} catch (Exception e) {
- throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e);
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", null, e);
}
}
@@ -147,14 +147,14 @@ public class STSTokenValidator implement
protected boolean isValidatedLocally(Credential credential, RequestData data)
throws WSSecurityException {
- if (!alwaysValidateToSts && credential.getAssertion() != null) {
+ if (!alwaysValidateToSts && credential.getSamlAssertion() != null) {
try {
samlValidator.validate(credential, data);
return samlValidator.isTrustVerificationSucceeded();
} catch (RuntimeException e) {
throw e;
} catch (Exception e) {
- throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e);
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", null, e);
}
}
return false;
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java Thu May 23 13:17:26 2013
@@ -19,6 +19,7 @@
package org.apache.cxf.ws.security.trust;
+import javax.xml.bind.JAXBException;
import javax.xml.namespace.QName;
import org.apache.cxf.Bus;
@@ -44,9 +45,11 @@ import org.apache.cxf.service.model.Oper
import org.apache.cxf.service.model.ServiceInfo;
import org.apache.cxf.transport.ConduitInitiator;
import org.apache.cxf.transport.ConduitInitiatorManager;
+import org.apache.cxf.ws.addressing.EndpointReferenceType;
+import org.apache.cxf.ws.addressing.VersionTransformer;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
import org.apache.neethi.Policy;
+import org.apache.wss4j.policy.model.IssuedToken;
/**
*
@@ -102,12 +105,18 @@ public final class STSUtils {
if (MessageUtils.getContextualBoolean(message, SecurityConstants.STS_CLIENT_SOAP12_BINDING, false)) {
client.setSoap12();
}
- if ((itok != null) && (itok.getIssuerEpr() != null)) {
+ if ((itok != null) && (itok.getIssuer() != null)) {
+ EndpointReferenceType epr = null;
+ try {
+ epr = VersionTransformer.parseEndpointReference(itok.getIssuer());
+ } catch (JAXBException e) {
+ throw new IllegalArgumentException(e);
+ }
//configure via mex
boolean useEPRWSAAddrAsMEXLocation = !Boolean.valueOf(
(String)message.getContextualProperty(
SecurityConstants.DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS));
- client.configureViaEPR(itok.getIssuerEpr(), useEPRWSAAddrAsMEXLocation);
+ client.configureViaEPR(epr, useEPRWSAAddrAsMEXLocation);
}
}
return client;
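Review bot: The `IllegalArgumentException` thrown on line 1127 carries no message, so a bad Issuer EndpointReference in the IssuedToken policy is reported only as a JAXB cause with no indication of which assertion was being processed. Prefer `throw new IllegalArgumentException("Could not parse the IssuedToken Issuer EndpointReference", e);` so the policy error is attributable from the log. Since the parsed `epr` is then handed to `configureViaEPR` on line 1134 and drives an outbound MEX call, a short comment noting that the address originates from the policy is also worth adding. The enclosing method starts outside this hunk.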
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java Thu May 23 13:17:26 2013
@@ -33,13 +33,13 @@ import org.apache.cxf.binding.soap.SoapM
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.UsernameToken;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.UsernameToken;
/**
* This CallbackHandler implementation obtains the previously received message from a
@@ -97,8 +97,8 @@ public class ReceivedTokenCallbackHandle
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
if (actInt.intValue() == WSConstants.ST_SIGNED
|| actInt.intValue() == WSConstants.ST_UNSIGNED) {
- AssertionWrapper assertion =
- (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ SamlAssertionWrapper assertion =
+ (SamlAssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
return assertion.getElement();
} else if (actInt.intValue() == WSConstants.UT
|| actInt.intValue() == WSConstants.UT_NOPASSWORD) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java Thu May 23 13:17:26 2013
@@ -31,7 +31,7 @@ import org.w3c.dom.Node;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.ws.security.message.token.UsernameToken;
+import org.apache.wss4j.dom.message.token.UsernameToken;
/**
* This CallbackHandler implementation obtains a username via the jaxws property
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java Thu May 23 13:17:26 2013
@@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.wss4j
import java.util.Collection;
import java.util.Collections;
+import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;
@@ -48,11 +49,13 @@ import org.apache.cxf.ws.policy.Assertio
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
/**
* An abstract interceptor that can be used to form the basis of an interceptor to add and process
@@ -70,6 +73,7 @@ public abstract class AbstractTokenInter
super(Phase.PRE_PROTOCOL);
addAfter(PolicyBasedWSS4JOutInterceptor.class.getName());
addAfter(PolicyBasedWSS4JInInterceptor.class.getName());
+ addAfter(PolicyBasedWSS4JStaxInInterceptor.class.getName());
}
public Set<QName> getUnderstoodHeaders() {
@@ -78,6 +82,12 @@ public abstract class AbstractTokenInter
public void handleMessage(SoapMessage message) throws Fault {
+ boolean enableStax =
+ MessageUtils.isTrue(message.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY));
+ if (enableStax) {
+ return;
+ }
+
boolean isReq = MessageUtils.isRequestor(message);
boolean isOut = MessageUtils.isOutbound(message);
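Review bot: The early return on ENABLE_STREAMING_SECURITY at the top of handleMessage turns this interceptor's whole token path (addToken / assertTokens) off without saying why, and the rest of the method lies outside the hunk. Presumably PolicyBasedWSS4JStaxInInterceptor, which the constructor hunk now orders this interceptor after, is expected to process and assert the token policies in streaming mode; if the property is enabled on a chain where that interceptor is not installed, the token assertions simply stay unasserted and rejection is left to the policy engine rather than to anything in this class. A comment would make that contract explicit for the next reader: `// Streaming (StAX) security processes tokens and asserts their policies itself; skip the DOM path entirely.`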
@@ -106,26 +116,64 @@ public abstract class AbstractTokenInter
protected abstract void addToken(SoapMessage message);
- protected abstract Token assertTokens(SoapMessage message);
+ protected abstract AbstractToken assertTokens(SoapMessage message);
- protected Token assertTokens(SoapMessage message, QName assertion, boolean signed) {
+ protected boolean assertPolicy(AssertionInfoMap aim, String localname) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return true;
+ }
+ return false;
+ }
+
+ protected boolean assertPolicy(AssertionInfoMap aim, QName name) {
+ Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
+ if (ais != null && !ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return true;
+ }
+ return false;
+ }
+
+ protected Collection<AssertionInfo> getAllAssertionsByLocalname(
+ AssertionInfoMap aim,
+ String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+ if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+ Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+ if (sp11Ais != null) {
+ ais.addAll(sp11Ais);
+ }
+ if (sp12Ais != null) {
+ ais.addAll(sp12Ais);
+ }
+ return ais;
+ }
+
+ return Collections.emptySet();
+ }
+
+ protected AbstractToken assertTokens(SoapMessage message, String localname, boolean signed) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection<AssertionInfo> ais = aim.getAssertionInfo(assertion);
- Token tok = null;
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+ AbstractToken tok = null;
for (AssertionInfo ai : ais) {
- tok = (Token)ai.getAssertion();
+ tok = (AbstractToken)ai.getAssertion();
ai.setAsserted(true);
}
- ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
+
+ assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
if (signed || isTLSInUse(message)) {
- ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
+ assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
}
return tok;
}
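Review bot: In assertTokens, `tok` is whatever AssertionInfo getAllAssertionsByLocalname happens to iterate last, and that helper now merges the SP1.1 and SP1.2 matches into a plain HashSet, whose iteration order is unspecified (it depends on hashCode, identity-based unless AssertionInfo overrides it). The old code walked the map's own collection for a single QName, so when more than one matching assertion is present, SP1.1 and SP1.2 variants or several policy alternatives, the token this method hands back to the subclass can now differ from run to run. Keeping the de-duplication but making the order deterministic is a one-line change in getAllAssertionsByLocalname, `Collection<AssertionInfo> ais = new LinkedHashSet<AssertionInfo>();` (with `java.util.LinkedHashSet` imported in place of, or alongside, HashSet), or an ArrayList if de-duplication is not actually needed.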
@@ -190,7 +238,8 @@ public abstract class AbstractTokenInter
return sh;
}
- protected String getPassword(String userName, Token info, int type, SoapMessage message) {
+ protected String getPassword(String userName, AbstractToken info,
+ WSPasswordCallback.Usage usage, SoapMessage message) {
//Then try to get the password from the given callback handler
CallbackHandler handler = getCallback(message);
@@ -199,7 +248,7 @@ public abstract class AbstractTokenInter
return null;
}
- WSPasswordCallback[] cb = {new WSPasswordCallback(userName, type)};
+ WSPasswordCallback[] cb = {new WSPasswordCallback(userName, usage)};
try {
handler.handle(cb);
} catch (Exception e) {
@@ -210,14 +259,13 @@ public abstract class AbstractTokenInter
return cb[0].getPassword();
}
- protected void policyNotAsserted(Token assertion, String reason, SoapMessage message) {
+ protected void policyNotAsserted(AbstractToken assertion, String reason, SoapMessage message) {
if (assertion == null) {
return;
}
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection<AssertionInfo> ais;
- ais = aim.get(assertion.getName());
+ Collection<AssertionInfo> ais = aim.get(assertion.getName());
if (ais != null) {
for (AssertionInfo ai : ais) {
if (ai.getAssertion() == assertion) {
@@ -230,13 +278,12 @@ public abstract class AbstractTokenInter
}
}
- protected void policyNotAsserted(Token assertion, Exception reason, SoapMessage message) {
+ protected void policyNotAsserted(AbstractToken assertion, Exception reason, SoapMessage message) {
if (assertion == null) {
return;
}
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection<AssertionInfo> ais;
- ais = aim.get(assertion.getName());
+ Collection<AssertionInfo> ais = aim.get(assertion.getName());
if (ais != null) {
for (AssertionInfo ai : ais) {
if (ai.getAssertion() == assertion) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java Thu May 23 13:17:26 2013
@@ -35,11 +35,11 @@ import org.apache.cxf.interceptor.securi
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.security.SecurityContext;
-import org.apache.ws.security.WSSecurityEngine;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.validate.UsernameTokenValidator;
-import org.apache.ws.security.validate.Validator;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSSecurityEngine;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.validate.UsernameTokenValidator;
+import org.apache.wss4j.dom.validate.Validator;
/**
@@ -139,13 +139,15 @@ public abstract class AbstractUsernameTo
} catch (Exception ex) {
String errorMessage = "Failed Authentication : Subject has not been created";
LOG.severe(errorMessage);
- throw new WSSecurityException(errorMessage, ex);
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION,
+ ex);
}
if (subject == null || subject.getPrincipals().size() == 0
|| !subject.getPrincipals().iterator().next().getName().equals(name)) {
String errorMessage = "Failed Authentication : Invalid Subject";
LOG.severe(errorMessage);
- throw new WSSecurityException(errorMessage);
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION,
+ new Exception(errorMessage));
}
msg.put(Subject.class, subject);
}
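Review bot: At the "Invalid Subject" branch, `new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, new Exception(errorMessage))` manufactures a synthetic Throwable just to carry a string: it gets a meaningless stack trace, and depending on how the fault handling renders a WSSecurityException's cause, the internal wording could end up in the fault sent to the caller. This file already throws the cause-less form in verifyDigestPassword (`throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);`), and the detail is already written to the log by `LOG.severe(errorMessage)`, so that form is sufficient here and keeps the client-visible fault generic. The first branch, which wraps the real `ex` as the cause, is fine as written.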
@@ -182,7 +184,7 @@ public abstract class AbstractUsernameTo
@Override
protected void verifyCustomPassword(
- org.apache.ws.security.message.token.UsernameToken usernameToken,
+ org.apache.wss4j.dom.message.token.UsernameToken usernameToken,
RequestData data
) throws WSSecurityException {
AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
@@ -192,7 +194,7 @@ public abstract class AbstractUsernameTo
@Override
protected void verifyPlaintextPassword(
- org.apache.ws.security.message.token.UsernameToken usernameToken,
+ org.apache.wss4j.dom.message.token.UsernameToken usernameToken,
RequestData data
) throws WSSecurityException {
AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
@@ -202,11 +204,11 @@ public abstract class AbstractUsernameTo
@Override
protected void verifyDigestPassword(
- org.apache.ws.security.message.token.UsernameToken usernameToken,
+ org.apache.wss4j.dom.message.token.UsernameToken usernameToken,
RequestData data
) throws WSSecurityException {
if (!supportDigestPasswords) {
- throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
String user = usernameToken.getName();
String password = usernameToken.getPassword();
@@ -220,7 +222,7 @@ public abstract class AbstractUsernameTo
@Override
protected void verifyUnknownPassword(
- org.apache.ws.security.message.token.UsernameToken usernameToken,
+ org.apache.wss4j.dom.message.token.UsernameToken usernameToken,
RequestData data
) throws WSSecurityException {
AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java Thu May 23 13:17:26 2013
@@ -40,13 +40,13 @@ import org.apache.cxf.message.MessageUti
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.resource.ResourceManager;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.handler.WSHandler;
-import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandler;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
public abstract class AbstractWSS4JInterceptor extends WSHandler implements SoapInterceptor,
PhaseInterceptor<SoapMessage> {
@@ -190,6 +190,16 @@ public abstract class AbstractWSS4JInter
if (certConstraints != null) {
msg.setContextualProperty(WSHandlerConstants.SIG_SUBJECT_CERT_CONSTRAINTS, certConstraints);
}
+
+ // Now set SAML SenderVouches + Holder Of Key requirements
+ boolean validateSAMLSubjectConf =
+ MessageUtils.getContextualBoolean(
+ msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, true
+ );
+ msg.setContextualProperty(
+ WSHandlerConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION,
+ Boolean.toString(validateSAMLSubjectConf)
+ );
}
@Override
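Review bot: The VALIDATE_SAML_SUBJECT_CONFIRMATION wiring defaults to true, which is the right default, but the comment `// Now set SAML SenderVouches + Holder Of Key requirements` does not tell a deployer what switching it off gives up. Subject confirmation is, as far as I know, the check that binds the SAML subject to the message (a holder-of-key proof, or a sender-vouches signature covering the assertion); with it disabled an assertion presented by any party is accepted on the same terms as one the subject actually proved possession of, so false should be a deliberate choice backed by some other control. Suggest replacing the comment with: `// Hand SAML subject-confirmation validation (holder-of-key / sender-vouches) to WSS4J; default true. Setting SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION to false drops the binding between the assertion and the message signature/TLS and must be a deliberate, documented decision.` The enclosing method starts outside the hunk.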