You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2013/05/23 15:17:32 UTC
svn commit: r1485693 [5/14] - in /cxf/trunk: ./
distribution/src/main/release/samples/sts/src/main/java/demo/wssec/client/
distribution/src/main/release/samples/sts/src/main/java/demo/wssec/server/
distribution/src/main/release/samples/sts/src/main/jav...
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java Thu May 23 13:17:26 2013
@@ -21,19 +21,26 @@ package org.apache.cxf.ws.security.wss4j
import java.util.ArrayList;
import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
import java.util.List;
+import javax.xml.namespace.QName;
+
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.Binding;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.AlgorithmSuite;
-import org.apache.ws.security.handler.RequestData;
+import org.apache.wss4j.common.crypto.AlgorithmSuite;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractBinding;
+import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
+import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
/**
* Translate any AlgorithmSuite policy that may be operative into a WSS4J AlgorithmSuite object
@@ -46,7 +53,7 @@ public final class AlgorithmSuiteTransla
return;
}
- List<org.apache.cxf.ws.security.policy.model.AlgorithmSuite> algorithmSuites =
+ List<org.apache.wss4j.policy.model.AlgorithmSuite> algorithmSuites =
getAlgorithmSuites(getBindings(aim));
if (!algorithmSuites.isEmpty()) {
// Translate into WSS4J's AlgorithmSuite class
@@ -55,15 +62,16 @@ public final class AlgorithmSuiteTransla
}
// Now look for an AlgorithmSuite for a SAML Assertion
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SAML_TOKEN);
- if (ais != null && !ais.isEmpty()) {
- List<org.apache.cxf.ws.security.policy.model.AlgorithmSuite> samlAlgorithmSuites
- = new ArrayList<org.apache.cxf.ws.security.policy.model.AlgorithmSuite>();
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+ if (!ais.isEmpty()) {
+ List<org.apache.wss4j.policy.model.AlgorithmSuite> samlAlgorithmSuites
+ = new ArrayList<org.apache.wss4j.policy.model.AlgorithmSuite>();
for (AssertionInfo ai : ais) {
SamlToken samlToken = (SamlToken)ai.getAssertion();
- SupportingToken supportingToken = samlToken.getSupportingToken();
- if (supportingToken != null && supportingToken.getAlgorithmSuite() != null) {
- samlAlgorithmSuites.add(supportingToken.getAlgorithmSuite());
+ AbstractSecurityAssertion parentAssertion = samlToken.getParentAssertion();
+ if ((parentAssertion instanceof SupportingTokens)
+ && ((SupportingTokens)parentAssertion).getAlgorithmSuite() != null) {
+ samlAlgorithmSuites.add(((SupportingTokens)parentAssertion).getAlgorithmSuite());
}
}
@@ -77,11 +85,11 @@ public final class AlgorithmSuiteTransla
* Translate a list of CXF AlgorithmSuite objects into a single WSS4J AlgorithmSuite object
*/
private AlgorithmSuite translateAlgorithmSuites(
- List<org.apache.cxf.ws.security.policy.model.AlgorithmSuite> algorithmSuites
+ List<org.apache.wss4j.policy.model.AlgorithmSuite> algorithmSuites
) {
AlgorithmSuite algorithmSuite = null;
- for (org.apache.cxf.ws.security.policy.model.AlgorithmSuite cxfAlgorithmSuite
+ for (org.apache.wss4j.policy.model.AlgorithmSuite cxfAlgorithmSuite
: algorithmSuites) {
if (cxfAlgorithmSuite == null) {
continue;
@@ -92,40 +100,41 @@ public final class AlgorithmSuiteTransla
algorithmSuite = new AlgorithmSuite();
}
+ AlgorithmSuiteType algorithmSuiteType = cxfAlgorithmSuite.getAlgorithmSuiteType();
// Set asymmetric key lengths
if (algorithmSuite.getMaximumAsymmetricKeyLength()
- < cxfAlgorithmSuite.getMaximumAsymmetricKeyLength()) {
+ < algorithmSuiteType.getMaximumAsymmetricKeyLength()) {
algorithmSuite.setMaximumAsymmetricKeyLength(
- cxfAlgorithmSuite.getMaximumAsymmetricKeyLength());
+ algorithmSuiteType.getMaximumAsymmetricKeyLength());
}
if (algorithmSuite.getMinimumAsymmetricKeyLength()
- > cxfAlgorithmSuite.getMinimumAsymmetricKeyLength()) {
+ > algorithmSuiteType.getMinimumAsymmetricKeyLength()) {
algorithmSuite.setMinimumAsymmetricKeyLength(
- cxfAlgorithmSuite.getMinimumAsymmetricKeyLength());
+ algorithmSuiteType.getMinimumAsymmetricKeyLength());
}
// Set symmetric key lengths
if (algorithmSuite.getMaximumSymmetricKeyLength()
- < cxfAlgorithmSuite.getMaximumSymmetricKeyLength()) {
+ < algorithmSuiteType.getMaximumSymmetricKeyLength()) {
algorithmSuite.setMaximumSymmetricKeyLength(
- cxfAlgorithmSuite.getMaximumSymmetricKeyLength());
+ algorithmSuiteType.getMaximumSymmetricKeyLength());
}
if (algorithmSuite.getMinimumSymmetricKeyLength()
- > cxfAlgorithmSuite.getMinimumSymmetricKeyLength()) {
+ > algorithmSuiteType.getMinimumSymmetricKeyLength()) {
algorithmSuite.setMinimumSymmetricKeyLength(
- cxfAlgorithmSuite.getMinimumSymmetricKeyLength());
+ algorithmSuiteType.getMinimumSymmetricKeyLength());
}
- algorithmSuite.addEncryptionMethod(cxfAlgorithmSuite.getEncryption());
- algorithmSuite.addKeyWrapAlgorithm(cxfAlgorithmSuite.getSymmetricKeyWrap());
- algorithmSuite.addKeyWrapAlgorithm(cxfAlgorithmSuite.getAsymmetricKeyWrap());
+ algorithmSuite.addEncryptionMethod(algorithmSuiteType.getEncryption());
+ algorithmSuite.addKeyWrapAlgorithm(algorithmSuiteType.getSymmetricKeyWrap());
+ algorithmSuite.addKeyWrapAlgorithm(algorithmSuiteType.getAsymmetricKeyWrap());
algorithmSuite.addSignatureMethod(cxfAlgorithmSuite.getAsymmetricSignature());
algorithmSuite.addSignatureMethod(cxfAlgorithmSuite.getSymmetricSignature());
- algorithmSuite.addDigestAlgorithm(cxfAlgorithmSuite.getDigest());
- algorithmSuite.addC14nAlgorithm(cxfAlgorithmSuite.getInclusiveC14n());
+ algorithmSuite.addDigestAlgorithm(algorithmSuiteType.getDigest());
+ algorithmSuite.addC14nAlgorithm(cxfAlgorithmSuite.getC14n().getValue());
- algorithmSuite.addTransformAlgorithm(cxfAlgorithmSuite.getInclusiveC14n());
+ algorithmSuite.addTransformAlgorithm(cxfAlgorithmSuite.getC14n().getValue());
algorithmSuite.addTransformAlgorithm(SPConstants.STRT10);
algorithmSuite.addTransformAlgorithm(WSConstants.NS_XMLDSIG_ENVELOPED_SIGNATURE);
@@ -139,25 +148,26 @@ public final class AlgorithmSuiteTransla
/**
* Get all of the WS-SecurityPolicy Bindings that are in operation
*/
- private List<Binding> getBindings(AssertionInfoMap aim) {
- List<Binding> bindings = new ArrayList<Binding>();
+ private List<AbstractBinding> getBindings(AssertionInfoMap aim) {
+ List<AbstractBinding> bindings = new ArrayList<AbstractBinding>();
if (aim != null) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
- if (ais != null && !ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
- bindings.add((Binding)ai.getAssertion());
+ bindings.add((AbstractBinding)ai.getAssertion());
}
}
- ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
- if (ais != null && !ais.isEmpty()) {
+ ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
- bindings.add((Binding)ai.getAssertion());
+ bindings.add((AbstractBinding)ai.getAssertion());
}
}
- ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
- if (ais != null && !ais.isEmpty()) {
+ ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
- bindings.add((Binding)ai.getAssertion());
+ bindings.add((AbstractBinding)ai.getAssertion());
}
}
}
@@ -167,17 +177,38 @@ public final class AlgorithmSuiteTransla
/**
* Get all of the CXF AlgorithmSuites from the bindings
*/
- private List<org.apache.cxf.ws.security.policy.model.AlgorithmSuite> getAlgorithmSuites(
- List<Binding> bindings
+ private List<org.apache.wss4j.policy.model.AlgorithmSuite> getAlgorithmSuites(
+ List<AbstractBinding> bindings
) {
- List<org.apache.cxf.ws.security.policy.model.AlgorithmSuite> algorithmSuites =
- new ArrayList<org.apache.cxf.ws.security.policy.model.AlgorithmSuite>();
- for (Binding binding : bindings) {
+ List<org.apache.wss4j.policy.model.AlgorithmSuite> algorithmSuites =
+ new ArrayList<org.apache.wss4j.policy.model.AlgorithmSuite>();
+ for (AbstractBinding binding : bindings) {
if (binding.getAlgorithmSuite() != null) {
algorithmSuites.add(binding.getAlgorithmSuite());
}
}
return algorithmSuites;
}
+
+ private Collection<AssertionInfo> getAllAssertionsByLocalname(
+ AssertionInfoMap aim,
+ String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+ if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+ Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+ if (sp11Ais != null) {
+ ais.addAll(sp11Ais);
+ }
+ if (sp12Ais != null) {
+ ais.addAll(sp12Ais);
+ }
+ return ais;
+ }
+
+ return Collections.emptySet();
+ }
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java Thu May 23 13:17:26 2013
@@ -45,12 +45,13 @@ import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
/**
* Utility to enable the checking of WS-Security signature/encryption
@@ -144,10 +145,10 @@ public class CryptoCoverageChecker exten
for (final WSHandlerResult wshr : results) {
final List<WSSecurityEngineResult> wsSecurityEngineSignResults =
- WSS4JUtils.fetchAllActionResults(wshr.getResults(), WSConstants.SIGN);
+ WSSecurityUtil.fetchAllActionResults(wshr.getResults(), WSConstants.SIGN);
final List<WSSecurityEngineResult> wsSecurityEngineEncResults =
- WSS4JUtils.fetchAllActionResults(wshr.getResults(), WSConstants.ENCR);
+ WSSecurityUtil.fetchAllActionResults(wshr.getResults(), WSConstants.ENCR);
for (WSSecurityEngineResult wser : wsSecurityEngineSignResults) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java Thu May 23 13:17:26 2013
@@ -37,9 +37,9 @@ import org.w3c.dom.NodeList;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.helpers.MapNamespaceContext;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityException;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
/**
@@ -125,8 +125,9 @@ public final class CryptoCoverageUtil {
CoverageScope scope
) throws WSSecurityException {
if (!CryptoCoverageUtil.matchElement(refs, type, scope, soapBody)) {
- throw new WSSecurityException("The " + getCoverageTypeString(type)
+ Exception ex = new Exception("The " + getCoverageTypeString(type)
+ " does not cover the required elements (soap:Body).");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
}
}
@@ -172,9 +173,10 @@ public final class CryptoCoverageUtil {
for (Element el : elements) {
if (!CryptoCoverageUtil.matchElement(refs, type, scope, el)) {
- throw new WSSecurityException("The " + getCoverageTypeString(type)
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+ new Exception("The " + getCoverageTypeString(type)
+ " does not cover the required elements ({"
- + namespace + "}" + name + ").");
+ + namespace + "}" + name + ")."));
}
}
}
@@ -282,7 +284,7 @@ public final class CryptoCoverageUtil {
XPathConstants.NODESET);
} catch (XPathExpressionException e) {
// The xpath's are not valid in the config.
- throw new WSSecurityException(WSSecurityException.FAILURE);
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
}
// If we found nodes then we need to do the check.
@@ -298,9 +300,10 @@ public final class CryptoCoverageUtil {
// We looked through all of the refs, but the element was
// not signed.
if (!instanceMatched) {
- throw new WSSecurityException("The " + getCoverageTypeString(type)
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+ new Exception("The " + getCoverageTypeString(type)
+ " does not cover the required elements ("
- + xpathString + ").");
+ + xpathString + ")."));
}
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java Thu May 23 13:17:26 2013
@@ -22,7 +22,7 @@ package org.apache.cxf.ws.security.wss4j
import org.apache.cxf.ws.addressing.Names;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
-import org.apache.ws.security.WSConstants;
+import org.apache.wss4j.dom.WSConstants;
/**
* This utility extends the CryptoCoverageChecker to provide an easy way to check to see
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java Thu May 23 13:17:26 2013
@@ -36,21 +36,22 @@ import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDocInfo;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.processor.BinarySecurityTokenProcessor;
-import org.apache.ws.security.validate.Validator;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDocInfo;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.processor.BinarySecurityTokenProcessor;
+import org.apache.wss4j.dom.validate.Validator;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
/**
* An interceptor to add a Kerberos token to the security header of an outbound request, and to
@@ -86,7 +87,10 @@ public class KerberosTokenInterceptor ex
WSHandlerResult rResult = new WSHandlerResult(null, bstResults);
results.add(0, rResult);
- assertTokens(message, SP12Constants.KERBEROS_TOKEN, false);
+ assertTokens(message, SPConstants.KERBEROS_TOKEN, false);
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ assertPolicy(aim, "WssKerberosV5ApReqToken11");
+ assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
Principal principal =
(Principal)bstResults.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
@@ -128,8 +132,8 @@ public class KerberosTokenInterceptor ex
}
} catch (RuntimeException t) {
throw t;
- } catch (Throwable t) {
- throw new WSSecurityException(t.getMessage(), t);
+ } catch (Exception ex) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
}
return super.getValidator(qName);
}
@@ -142,8 +146,11 @@ public class KerberosTokenInterceptor ex
return results;
}
- protected Token assertTokens(SoapMessage message) {
- return assertTokens(message, SP12Constants.KERBEROS_TOKEN, true);
+ protected AbstractToken assertTokens(SoapMessage message) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ assertPolicy(aim, "WssKerberosV5ApReqToken11");
+ assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+ return assertTokens(message, SPConstants.KERBEROS_TOKEN, true);
}
protected void addToken(SoapMessage message) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Thu May 23 13:17:26 2013
@@ -25,6 +25,7 @@ import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
+import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
@@ -52,21 +53,12 @@ import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.helpers.MapNamespaceContext;
import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.resource.ResourceManager;
import org.apache.cxf.service.model.EndpointInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.ContentEncryptedElements;
-import org.apache.cxf.ws.security.policy.model.Header;
-import org.apache.cxf.ws.security.policy.model.RequiredElements;
-import org.apache.cxf.ws.security.policy.model.RequiredParts;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.Wss11;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
@@ -88,16 +80,27 @@ import org.apache.cxf.ws.security.wss4j.
import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.message.token.Timestamp;
-import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.message.token.Timestamp;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SP13Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.Header;
+import org.apache.wss4j.policy.model.RequiredElements;
+import org.apache.wss4j.policy.model.RequiredParts;
+import org.apache.wss4j.policy.model.SignedParts;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.UsernameToken.PasswordType;
+import org.apache.wss4j.policy.model.Wss11;
/**
*
@@ -116,7 +119,9 @@ public class PolicyBasedWSS4JInIntercept
public void handleMessage(SoapMessage msg) throws Fault {
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
- if (aim != null) {
+ boolean enableStax =
+ MessageUtils.isTrue(msg.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY));
+ if (aim != null && !enableStax) {
super.handleMessage(msg);
}
}
@@ -164,8 +169,8 @@ public class PolicyBasedWSS4JInIntercept
private void handleWSS11(AssertionInfoMap aim, SoapMessage message) {
if (isRequestor(message)) {
message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "false");
- Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
- if (ais != null) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
Wss11 wss11 = (Wss11)ai.getAssertion();
if (wss11.isRequireSignatureConfirmation()) {
@@ -187,8 +192,8 @@ public class PolicyBasedWSS4JInIntercept
return action + " " + val;
}
- private boolean assertPolicy(AssertionInfoMap aim, QName q) {
- Collection<AssertionInfo> ais = aim.get(q);
+ private boolean assertPolicy(AssertionInfoMap aim, QName name) {
+ Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
if (ais != null && !ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
@@ -197,12 +202,45 @@ public class PolicyBasedWSS4JInIntercept
}
return false;
}
+
+ private boolean assertPolicy(AssertionInfoMap aim, String localname) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return true;
+ }
+ return false;
+ }
+
+ private Collection<AssertionInfo> getAllAssertionsByLocalname(
+ AssertionInfoMap aim,
+ String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+ if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+ Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+ if (sp11Ais != null) {
+ ais.addAll(sp11Ais);
+ }
+ if (sp12Ais != null) {
+ ais.addAll(sp12Ais);
+ }
+ return ais;
+ }
+
+ return Collections.emptySet();
+ }
private String checkAsymmetricBinding(
AssertionInfoMap aim, String action, SoapMessage message
) throws WSSecurityException {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ if (ais.isEmpty()) {
return action;
}
@@ -231,10 +269,10 @@ public class PolicyBasedWSS4JInIntercept
}
if (encrCrypto != null) {
- message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
+ message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
message.put("RefId-" + encrCrypto.hashCode(), (Crypto)encrCrypto);
} else if (signCrypto != null) {
- message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
+ message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
message.put("RefId-" + signCrypto.hashCode(), (Crypto)signCrypto);
}
@@ -269,10 +307,10 @@ public class PolicyBasedWSS4JInIntercept
}
if (encrCrypto != null) {
- message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
+ message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
message.put("RefId-" + encrCrypto.hashCode(), (Crypto)encrCrypto);
} else if (signCrypto != null) {
- message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
+ message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
message.put("RefId-" + signCrypto.hashCode(), (Crypto)signCrypto);
}
@@ -282,12 +320,13 @@ public class PolicyBasedWSS4JInIntercept
private void checkUsernameToken(
AssertionInfoMap aim, SoapMessage message
) throws WSSecurityException {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
- if (ais != null && !ais.isEmpty()) {
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
UsernameToken policy = (UsernameToken)ai.getAssertion();
- if (policy.isNoPassword()) {
+ if (policy.getPasswordType() == PasswordType.NoPassword) {
message.put(WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD, "true");
}
}
@@ -297,8 +336,9 @@ public class PolicyBasedWSS4JInIntercept
private String checkSymmetricBinding(
AssertionInfoMap aim, String action, SoapMessage message
) throws WSSecurityException {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
- if (ais == null || ais.isEmpty()) {
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ if (ais.isEmpty()) {
return action;
}
@@ -327,7 +367,7 @@ public class PolicyBasedWSS4JInIntercept
crypto = signCrypto;
}
if (crypto != null) {
- message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + crypto.hashCode());
+ message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + crypto.hashCode());
message.put("RefId-" + crypto.hashCode(), crypto);
}
@@ -345,7 +385,7 @@ public class PolicyBasedWSS4JInIntercept
crypto = encrCrypto;
}
if (crypto != null) {
- message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + crypto.hashCode());
+ message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + crypto.hashCode());
message.put("RefId-" + crypto.hashCode(), crypto);
}
@@ -371,7 +411,8 @@ public class PolicyBasedWSS4JInIntercept
Properties props = getProps(e, propsURL, message);
if (props == null) {
LOG.fine("Cannot find Crypto Encryption properties: " + e);
- throw new WSSecurityException("Cannot find Crypto Encryption properties: " + e);
+ Exception ex = new Exception("Cannot find Crypto Encryption properties: " + e);
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
}
encrCrypto = CryptoFactory.getInstance(props);
@@ -393,7 +434,8 @@ public class PolicyBasedWSS4JInIntercept
Properties props = getProps(s, propsURL, message);
if (props == null) {
LOG.fine("Cannot find Crypto Signature properties: " + s);
- throw new WSSecurityException("Cannot find Crypto Signature properties: " + s);
+ Exception ex = new Exception("Cannot find Crypto Signature properties: " + s);
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
}
signCrypto = CryptoFactory.getInstance(props);
@@ -407,39 +449,38 @@ public class PolicyBasedWSS4JInIntercept
}
private boolean assertXPathTokens(AssertionInfoMap aim,
- QName name,
+ String name,
Collection<WSDataRef> refs,
Element soapEnvelope,
CoverageType type,
CoverageScope scope,
final XPath xpath) throws SOAPException {
- Collection<AssertionInfo> ais = aim.get(name);
- if (ais != null) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, name);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
- Map<String, String> namespaces = null;
- List<String> xpaths = null;
- if (CoverageScope.CONTENT.equals(scope)) {
- ContentEncryptedElements p = (ContentEncryptedElements)ai.getAssertion();
- namespaces = p.getDeclaredNamespaces();
- xpaths = p.getXPathExpressions();
- } else {
- SignedEncryptedElements p = (SignedEncryptedElements)ai.getAssertion();
- namespaces = p.getDeclaredNamespaces();
- xpaths = p.getXPathExpressions();
- }
- if (xpaths != null) {
- if (namespaces != null) {
- xpath.setNamespaceContext(new MapNamespaceContext(namespaces));
+ RequiredElements elements = (RequiredElements)ai.getAssertion();
+
+ if (elements != null && elements.getXPaths() != null
+ && !elements.getXPaths().isEmpty()) {
+ List<String> expressions = new ArrayList<String>();
+ for (org.apache.wss4j.policy.model.XPath xPath : elements.getXPaths()) {
+ expressions.add(xPath.getXPath());
+ }
+
+ if (elements.getXPaths().get(0).getPrefixNamespaceMap() != null) {
+ xpath.setNamespaceContext(
+ new MapNamespaceContext(elements.getXPaths().get(0).getPrefixNamespaceMap())
+ );
}
try {
CryptoCoverageUtil.checkCoverage(soapEnvelope, refs,
- xpath, xpaths, type, scope);
+ xpath, expressions, type, scope);
} catch (WSSecurityException e) {
ai.setNotAsserted("No " + type
- + " element found matching one of the XPaths "
- + Arrays.toString(xpaths.toArray()));
+ + " element found matching one of the XPaths "
+ + Arrays.toString(expressions.toArray()));
}
}
}
@@ -449,17 +490,17 @@ public class PolicyBasedWSS4JInIntercept
private boolean assertTokens(AssertionInfoMap aim,
- QName name,
+ String name,
Collection<WSDataRef> signed,
SoapMessage msg,
Element soapHeader,
Element soapBody,
CoverageType type) throws SOAPException {
- Collection<AssertionInfo> ais = aim.get(name);
- if (ais != null) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, name);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
- SignedEncryptedParts p = (SignedEncryptedParts)ai.getAssertion();
+ SignedParts p = (SignedParts)ai.getAssertion();
if (p.isBody()) {
try {
@@ -484,7 +525,7 @@ public class PolicyBasedWSS4JInIntercept
.getNamespace(), h.getName(), type,
CoverageScope.ELEMENT);
} catch (WSSecurityException e) {
- ai.setNotAsserted(h.getQName() + " not + " + type);
+ ai.setNotAsserted(h.getNamespace() + ":" + h.getName() + " not + " + type);
}
}
}
@@ -520,8 +561,36 @@ public class PolicyBasedWSS4JInIntercept
checkUsernameToken(aim, message);
// stuff we can default to asserted and un-assert if a condition isn't met
- assertPolicy(aim, SP12Constants.KEYVALUE_TOKEN);
-
+ assertPolicy(aim, SPConstants.KEY_VALUE_TOKEN);
+ assertPolicy(aim, SPConstants.RSA_KEY_VALUE);
+ assertPolicy(aim, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE);
+ assertPolicy(aim, SPConstants.REQUIRE_THUMBPRINT_REFERENCE);
+ assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
+ assertPolicy(aim, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE);
+ assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
+
+ // WSS10
+ assertPolicy(aim, SPConstants.WSS10);
+ assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
+ assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
+ assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
+ assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
+
+ // Trust 1.0
+ assertPolicy(aim, SPConstants.TRUST_10);
+ assertPolicy(aim, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE);
+ assertPolicy(aim, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE);
+ assertPolicy(aim, SPConstants.REQUIRE_CLIENT_ENTROPY);
+ assertPolicy(aim, SPConstants.REQUIRE_SERVER_ENTROPY);
+ assertPolicy(aim, SPConstants.MUST_SUPPORT_ISSUED_TOKENS);
+
+ // Trust 1.3
+ assertPolicy(aim, SPConstants.TRUST_13);
+ assertPolicy(aim, SP12Constants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION);
+ assertPolicy(aim, SP12Constants.REQUIRE_APPLIES_TO);
+ assertPolicy(aim, SP13Constants.SCOPE_POLICY_15);
+ assertPolicy(aim, SP13Constants.MUST_SUPPORT_INTERACTIVE_CHALLENGE);
+
message.put(WSHandlerConstants.ACTION, action.trim());
}
}
@@ -546,7 +615,7 @@ public class PolicyBasedWSS4JInIntercept
actions.add(WSConstants.SIGN);
actions.add(WSConstants.UT_SIGN);
List<WSSecurityEngineResult> signedResults =
- WSS4JUtils.fetchAllActionResults(results, actions);
+ WSSecurityUtil.fetchAllActionResults(results, actions);
for (WSSecurityEngineResult result : signedResults) {
List<WSDataRef> sl =
CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
@@ -558,7 +627,7 @@ public class PolicyBasedWSS4JInIntercept
}
List<WSSecurityEngineResult> encryptResults =
- WSS4JUtils.fetchAllActionResults(results, WSConstants.ENCR);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.ENCR);
for (WSSecurityEngineResult result : encryptResults) {
List<WSDataRef> sl =
CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
@@ -589,11 +658,6 @@ public class PolicyBasedWSS4JInIntercept
LOG.fine("Incoming request failed supporting token policy validation");
}
- // relatively irrelevant stuff from a verification standpoint
- assertPolicy(aim, SP12Constants.WSS10);
- assertPolicy(aim, SP12Constants.TRUST_13);
- assertPolicy(aim, SP11Constants.TRUST_10);
-
super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);
}
@@ -615,10 +679,10 @@ public class PolicyBasedWSS4JInIntercept
boolean check = true;
if (!isTransportBinding(aim)) {
check &= assertTokens(
- aim, SP12Constants.SIGNED_PARTS, signed, msg, soapHeader, soapBody, CoverageType.SIGNED
+ aim, SPConstants.SIGNED_PARTS, signed, msg, soapHeader, soapBody, CoverageType.SIGNED
);
check &= assertTokens(
- aim, SP12Constants.ENCRYPTED_PARTS, encrypted, msg, soapHeader, soapBody,
+ aim, SPConstants.ENCRYPTED_PARTS, encrypted, msg, soapHeader, soapBody,
CoverageType.ENCRYPTED
);
}
@@ -629,11 +693,11 @@ public class PolicyBasedWSS4JInIntercept
final XPathFactory factory = XPathFactory.newInstance();
final XPath xpath = factory.newXPath();
- check &= assertXPathTokens(aim, SP12Constants.SIGNED_ELEMENTS, signed, soapEnvelope,
+ check &= assertXPathTokens(aim, SPConstants.SIGNED_ELEMENTS, signed, soapEnvelope,
CoverageType.SIGNED, CoverageScope.ELEMENT, xpath);
- check &= assertXPathTokens(aim, SP12Constants.ENCRYPTED_ELEMENTS, encrypted, soapEnvelope,
+ check &= assertXPathTokens(aim, SPConstants.ENCRYPTED_ELEMENTS, encrypted, soapEnvelope,
CoverageType.ENCRYPTED, CoverageScope.ELEMENT, xpath);
- check &= assertXPathTokens(aim, SP12Constants.CONTENT_ENCRYPTED_ELEMENTS, encrypted,
+ check &= assertXPathTokens(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS, encrypted,
soapEnvelope, CoverageType.ENCRYPTED, CoverageScope.CONTENT, xpath);
}
@@ -719,13 +783,13 @@ public class PolicyBasedWSS4JInIntercept
utActions.add(WSConstants.UT);
utActions.add(WSConstants.UT_NOPASSWORD);
List<WSSecurityEngineResult> utResults =
- WSS4JUtils.fetchAllActionResults(results, utActions);
+ WSSecurityUtil.fetchAllActionResults(results, utActions);
final List<Integer> samlActions = new ArrayList<Integer>(2);
samlActions.add(WSConstants.ST_SIGNED);
samlActions.add(WSConstants.ST_UNSIGNED);
List<WSSecurityEngineResult> samlResults =
- WSS4JUtils.fetchAllActionResults(results, samlActions);
+ WSSecurityUtil.fetchAllActionResults(results, samlActions);
// Store the timestamp element
WSSecurityEngineResult tsResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
@@ -791,41 +855,48 @@ public class PolicyBasedWSS4JInIntercept
private boolean assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, Node header)
throws SOAPException {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.REQUIRED_PARTS);
- if (ais != null) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
RequiredParts rp = (RequiredParts)ai.getAssertion();
ai.setAsserted(true);
for (Header h : rp.getHeaders()) {
+ QName qName = new QName(h.getNamespace(), h.getName());
if (header == null
- || DOMUtils.getFirstChildWithName((Element)header, h.getQName()) == null) {
- ai.setNotAsserted("No header element of name " + h.getQName() + " found.");
+ || DOMUtils.getFirstChildWithName((Element)header, qName) == null) {
+ ai.setNotAsserted("No header element of name " + qName + " found.");
}
}
}
}
- ais = aim.get(SP12Constants.REQUIRED_ELEMENTS);
- if (ais != null) {
+
+ ais = getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_ELEMENTS);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
RequiredElements rp = (RequiredElements)ai.getAssertion();
ai.setAsserted(true);
- Map<String, String> namespaces = rp.getDeclaredNamespaces();
- XPathFactory factory = XPathFactory.newInstance();
- for (String expression : rp.getXPathExpressions()) {
- XPath xpath = factory.newXPath();
- if (namespaces != null) {
- xpath.setNamespaceContext(new MapNamespaceContext(namespaces));
- }
- NodeList list;
- try {
- list = (NodeList)xpath.evaluate(expression,
- header,
- XPathConstants.NODESET);
- if (list.getLength() == 0) {
- ai.setNotAsserted("No header element matching XPath " + expression + " found.");
+
+ if (rp != null && rp.getXPaths() != null && !rp.getXPaths().isEmpty()) {
+ XPathFactory factory = XPathFactory.newInstance();
+ for (org.apache.wss4j.policy.model.XPath xPath : rp.getXPaths()) {
+ Map<String, String> namespaces = xPath.getPrefixNamespaceMap();
+ String expression = xPath.getXPath();
+
+ XPath xpath = factory.newXPath();
+ if (namespaces != null) {
+ xpath.setNamespaceContext(new MapNamespaceContext(namespaces));
+ }
+ NodeList list;
+ try {
+ list = (NodeList)xpath.evaluate(expression,
+ header,
+ XPathConstants.NODESET);
+ if (list.getLength() == 0) {
+ ai.setNotAsserted("No header element matching XPath " + expression + " found.");
+ }
+ } catch (XPathExpressionException e) {
+ ai.setNotAsserted("Invalid XPath expression " + expression + " " + e.getMessage());
}
- } catch (XPathExpressionException e) {
- ai.setNotAsserted("Invalid XPath expression " + expression + " " + e.getMessage());
}
}
}
@@ -835,14 +906,15 @@ public class PolicyBasedWSS4JInIntercept
}
private boolean isTransportBinding(AssertionInfoMap aim) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
- if (ais != null && ais.size() > 0) {
- ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
- if (ais != null && ais.size() > 0) {
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ if (ais.size() > 0) {
+ ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ if (ais.size() > 0) {
return false;
}
- ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
- if (ais != null && ais.size() > 0) {
+ ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ if (ais.size() > 0) {
return false;
}
return true;
@@ -851,16 +923,16 @@ public class PolicyBasedWSS4JInIntercept
}
private boolean containsXPathPolicy(AssertionInfoMap aim) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_ELEMENTS);
- if (ais != null && ais.size() > 0) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+ if (ais.size() > 0) {
return true;
}
- ais = aim.get(SP12Constants.ENCRYPTED_ELEMENTS);
- if (ais != null && ais.size() > 0) {
+ ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+ if (ais.size() > 0) {
return true;
}
- ais = aim.get(SP12Constants.CONTENT_ENCRYPTED_ELEMENTS);
- if (ais != null && ais.size() > 0) {
+ ais = getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+ if (ais.size() > 0) {
return true;
}
return false;
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java Thu May 23 13:17:26 2013
@@ -20,9 +20,11 @@ package org.apache.cxf.ws.security.wss4j
import java.util.Collection;
import java.util.Collections;
+import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;
+import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
@@ -35,24 +37,28 @@ import org.apache.cxf.binding.soap.saaj.
import org.apache.cxf.common.i18n.Message;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.policy.PolicyBuilder;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Binding;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.TransportBinding;
import org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler;
import org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler;
import org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.message.WSSecHeader;
+import org.apache.neethi.Policy;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.message.WSSecHeader;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractBinding;
+import org.apache.wss4j.policy.model.AsymmetricBinding;
+import org.apache.wss4j.policy.model.SymmetricBinding;
+import org.apache.wss4j.policy.model.TransportBinding;
public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
public static final String SECURITY_PROCESSED = PolicyBasedWSS4JOutInterceptor.class.getName() + ".DONE";
@@ -72,11 +78,15 @@ public class PolicyBasedWSS4JOutIntercep
public void handleMessage(SoapMessage mc) throws Fault {
- if (mc.getContent(SOAPMessage.class) == null) {
- saajOut.handleMessage(mc);
+ boolean enableStax =
+ MessageUtils.isTrue(mc.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY));
+ if (!enableStax) {
+ if (mc.getContent(SOAPMessage.class) == null) {
+ saajOut.handleMessage(mc);
+ }
+ mc.put(SECURITY_PROCESSED, Boolean.TRUE);
+ mc.getInterceptorChain().add(ending);
}
- mc.put(SECURITY_PROCESSED, Boolean.TRUE);
- mc.getInterceptorChain().add(ending);
}
public void handleFault(SoapMessage message) {
saajOut.handleFault(message);
@@ -99,36 +109,36 @@ public class PolicyBasedWSS4JOutIntercep
boolean mustUnderstand = true;
String actor = null;
-
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
if (aim != null) {
- Binding transport = null;
- ais = aim.get(SP12Constants.TRANSPORT_BINDING);
- if (ais != null) {
+ AbstractBinding transport = null;
+ ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
- transport = (Binding)ai.getAssertion();
+ transport = (AbstractBinding)ai.getAssertion();
ai.setAsserted(true);
}
}
- ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
- if (ais != null) {
+ ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
- transport = (Binding)ai.getAssertion();
+ transport = (AbstractBinding)ai.getAssertion();
ai.setAsserted(true);
}
}
- ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
- if (ais != null) {
+ ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
- transport = (Binding)ai.getAssertion();
+ transport = (AbstractBinding)ai.getAssertion();
ai.setAsserted(true);
}
}
+
if (transport == null && isRequestor(message)) {
- transport = new TransportBinding(SP12Constants.INSTANCE,
- message.getExchange().getBus()
- .getExtension(PolicyBuilder.class));
+ Policy policy = new Policy();
+ transport = new TransportBinding(org.apache.wss4j.policy.SPConstants.SPVersion.SP11,
+ policy);
}
if (transport != null) {
@@ -153,7 +163,7 @@ public class PolicyBasedWSS4JOutIntercep
if (config == null) {
config = WSSConfig.getNewInstance();
}
- translateProperties(message, config);
+ translateProperties(message);
if (transport instanceof TransportBinding) {
new TransportBindingHandler(config, (TransportBinding)transport, saaj,
@@ -171,14 +181,14 @@ public class PolicyBasedWSS4JOutIntercep
}
}
- ais = aim.get(SP12Constants.WSS10);
- if (ais != null) {
+ ais = getAllAssertionsByLocalname(aim, SPConstants.WSS10);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
}
}
- ais = aim.get(SP12Constants.WSS11);
- if (ais != null) {
+ ais = getAllAssertionsByLocalname(aim, SPConstants.WSS10);
+ if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
}
@@ -213,13 +223,32 @@ public class PolicyBasedWSS4JOutIntercep
return null;
}
- private void translateProperties(SoapMessage msg, WSSConfig config) {
+ private void translateProperties(SoapMessage msg) {
String bspCompliant = (String)msg.getContextualProperty(SecurityConstants.IS_BSP_COMPLIANT);
- if ("1".equals(bspCompliant) || "true".equals(bspCompliant)) {
- config.setWsiBSPCompliant(true);
- } else if ("0".equals(bspCompliant) || "false".equals(bspCompliant)) {
- config.setWsiBSPCompliant(false);
+ if (bspCompliant != null) {
+ msg.setContextualProperty(WSHandlerConstants.IS_BSP_COMPLIANT, bspCompliant);
}
}
+
+ private Collection<AssertionInfo> getAllAssertionsByLocalname(
+ AssertionInfoMap aim,
+ String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+ if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+ Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+ if (sp11Ais != null) {
+ ais.addAll(sp11Ais);
+ }
+ if (sp12Ais != null) {
+ ais.addAll(sp12Ais);
+ }
+ return ais;
+ }
+
+ return Collections.emptySet();
+ }
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java Thu May 23 13:17:26 2013
@@ -19,30 +19,13 @@
package org.apache.cxf.ws.security.wss4j;
-import java.security.Principal;
-import java.security.PublicKey;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
import java.util.ArrayList;
-import java.util.Arrays;
import java.util.Collections;
import java.util.List;
-import java.util.logging.Logger;
import org.w3c.dom.Element;
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.security.transport.TLSSessionInfo;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.saml.SAMLKeyInfo;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.opensaml.common.SAMLVersion;
import org.opensaml.xml.XMLObject;
@@ -51,25 +34,23 @@ import org.opensaml.xml.XMLObject;
*/
public final class SAMLUtils {
- private static final Logger LOG = LogUtils.getL7dLogger(SAMLUtils.class);
-
private SAMLUtils() {
}
public static List<String> parseRolesInAssertion(Object assertion, String roleAttributeName) {
- if (((AssertionWrapper) assertion).getSamlVersion().equals(SAMLVersion.VERSION_20)) {
- return parseRolesInAssertion(((AssertionWrapper)assertion).getSaml2(), roleAttributeName);
+ if (((SamlAssertionWrapper) assertion).getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+ return parseRolesInAssertion(((SamlAssertionWrapper)assertion).getSaml2(), roleAttributeName);
} else {
- return parseRolesInAssertion(((AssertionWrapper)assertion).getSaml1(), roleAttributeName);
+ return parseRolesInAssertion(((SamlAssertionWrapper)assertion).getSaml1(), roleAttributeName);
}
}
public static String getIssuer(Object assertion) {
- return ((AssertionWrapper)assertion).getIssuerString();
+ return ((SamlAssertionWrapper)assertion).getIssuerString();
}
public static Element getAssertionElement(Object assertion) {
- return ((AssertionWrapper)assertion).getElement();
+ return ((SamlAssertionWrapper)assertion).getElement();
}
//
@@ -148,217 +129,4 @@ public final class SAMLUtils {
return Collections.unmodifiableList(roles);
}
- public static void validateSAMLResults(
- List<WSSecurityEngineResult> results,
- Message message,
- Element body
- ) throws WSSecurityException {
- final List<Integer> samlActions = new ArrayList<Integer>(2);
- samlActions.add(WSConstants.ST_SIGNED);
- samlActions.add(WSConstants.ST_UNSIGNED);
- List<WSSecurityEngineResult> samlResults =
- WSS4JUtils.fetchAllActionResults(results, samlActions);
-
- if (samlResults.isEmpty()) {
- return;
- }
-
- final List<Integer> signedActions = new ArrayList<Integer>(2);
- signedActions.add(WSConstants.SIGN);
- signedActions.add(WSConstants.UT_SIGN);
- List<WSSecurityEngineResult> signedResults =
- WSS4JUtils.fetchAllActionResults(results, signedActions);
-
- for (WSSecurityEngineResult samlResult : samlResults) {
- AssertionWrapper assertionWrapper =
- (AssertionWrapper)samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-
- TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
- Certificate[] tlsCerts = null;
- if (tlsInfo != null) {
- tlsCerts = tlsInfo.getPeerCertificates();
- }
- if (!SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
- LOG.warning("Assertion fails holder-of-key requirements");
- throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
- }
- if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signedResults)) {
- LOG.warning("Assertion fails sender-vouches requirements");
- throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
- }
- }
-
- }
-
- /**
- * Check the holder-of-key requirements against the received assertion. The subject
- * credential of the SAML Assertion must have been used to sign some portion of
- * the message, thus showing proof-of-possession of the private/secret key. Alternatively,
- * the subject credential of the SAML Assertion must match a client certificate credential
- * when 2-way TLS is used.
- * @param assertionWrapper the SAML Assertion wrapper object
- * @param signedResults a list of all of the signed results
- */
- public static boolean checkHolderOfKey(
- AssertionWrapper assertionWrapper,
- List<WSSecurityEngineResult> signedResults,
- Certificate[] tlsCerts
- ) {
- List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
- for (String confirmationMethod : confirmationMethods) {
- if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
- if (tlsCerts == null && (signedResults == null || signedResults.isEmpty())) {
- return false;
- }
- SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
- if (!compareCredentials(subjectKeyInfo, signedResults, tlsCerts)) {
- return false;
- }
- }
- }
- return true;
- }
-
- /**
- * Compare the credentials of the assertion to the credentials used in 2-way TLS or those
- * used to verify signatures.
- * Return true on a match
- * @param subjectKeyInfo the SAMLKeyInfo object
- * @param signedResults a list of all of the signed results
- * @return true if the credentials of the assertion were used to verify a signature
- */
- public static boolean compareCredentials(
- SAMLKeyInfo subjectKeyInfo,
- List<WSSecurityEngineResult> signedResults,
- Certificate[] tlsCerts
- ) {
- X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
- PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
- byte[] subjectSecretKey = subjectKeyInfo.getSecret();
-
- //
- // Try to match the TLS certs first
- //
- if (tlsCerts != null && tlsCerts.length > 0 && subjectCerts != null
- && subjectCerts.length > 0 && tlsCerts[0].equals(subjectCerts[0])) {
- return true;
- } else if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey != null
- && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) {
- return true;
- }
-
- //
- // Now try the message-level signatures
- //
- for (WSSecurityEngineResult signedResult : signedResults) {
- X509Certificate[] certs =
- (X509Certificate[])signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
- PublicKey publicKey =
- (PublicKey)signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
- byte[] secretKey =
- (byte[])signedResult.get(WSSecurityEngineResult.TAG_SECRET);
- if (certs != null && certs.length > 0 && subjectCerts != null
- && subjectCerts.length > 0 && certs[0].equals(subjectCerts[0])) {
- return true;
- }
- if (publicKey != null && publicKey.equals(subjectPublicKey)) {
- return true;
- }
- if (checkSecretKey(secretKey, subjectSecretKey, signedResult)) {
- return true;
- }
- }
- return false;
- }
-
- private static boolean checkSecretKey(
- byte[] secretKey,
- byte[] subjectSecretKey,
- WSSecurityEngineResult signedResult
- ) {
- if (secretKey != null && subjectSecretKey != null) {
- if (Arrays.equals(secretKey, subjectSecretKey)) {
- return true;
- } else {
- Principal principal =
- (Principal)signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
- if (principal instanceof WSDerivedKeyTokenPrincipal) {
- secretKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret();
- if (Arrays.equals(secretKey, subjectSecretKey)) {
- return true;
- }
- }
- }
- }
- return false;
- }
-
- /**
- * Check the sender-vouches requirements against the received assertion. The SAML
- * Assertion and the SOAP Body must be signed by the same signature.
- */
- public static boolean checkSenderVouches(
- AssertionWrapper assertionWrapper,
- Certificate[] tlsCerts,
- Element body,
- List<WSSecurityEngineResult> signed
- ) {
- //
- // If we have a 2-way TLS connection, then we don't have to check that the
- // assertion + SOAP body are signed
- //
- if (tlsCerts != null && tlsCerts.length > 0) {
- return true;
- }
- List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
- for (String confirmationMethod : confirmationMethods) {
- if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
- if (signed == null || signed.isEmpty()) {
- return false;
- }
- if (!checkAssertionAndBodyAreSigned(assertionWrapper, body, signed)) {
- return false;
- }
- }
- }
- return true;
- }
-
- /**
- * Return true if there is a signature which references the Assertion and the SOAP Body.
- * @param assertionWrapper the AssertionWrapper object
- * @param body The SOAP body
- * @param signed The List of signed results
- * @return true if there is a signature which references the Assertion and the SOAP Body.
- */
- private static boolean checkAssertionAndBodyAreSigned(
- AssertionWrapper assertionWrapper,
- Element body,
- List<WSSecurityEngineResult> signed
- ) {
- for (WSSecurityEngineResult signedResult : signed) {
- List<WSDataRef> sl =
- CastUtils.cast((List<?>)signedResult.get(
- WSSecurityEngineResult.TAG_DATA_REF_URIS
- ));
- boolean assertionIsSigned = false;
- boolean bodyIsSigned = false;
- if (sl != null) {
- for (WSDataRef dataRef : sl) {
- Element se = dataRef.getProtectedElement();
- if (se == assertionWrapper.getElement()) {
- assertionIsSigned = true;
- }
- if (se == body) {
- bodyIsSigned = true;
- }
- if (assertionIsSigned && bodyIsSigned) {
- return true;
- }
- }
- }
- }
- return false;
- }
-
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java Thu May 23 13:17:26 2013
@@ -48,25 +48,27 @@ import org.apache.cxf.security.SecurityC
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDocInfo;
-import org.apache.ws.security.WSPasswordCallback;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.WSSecurityEngine;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.processor.SAMLTokenProcessor;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.saml.ext.SAMLParms;
-import org.apache.ws.security.validate.Validator;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SAMLCallback;
+import org.apache.wss4j.common.saml.SAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDocInfo;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.WSSecurityEngine;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.processor.SAMLTokenProcessor;
+import org.apache.wss4j.dom.validate.Validator;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SamlToken.SamlTokenType;
import org.opensaml.common.SAMLVersion;
/**
@@ -104,24 +106,24 @@ public class SamlTokenInterceptor extend
boolean signed = false;
for (WSSecurityEngineResult result : samlResults) {
- AssertionWrapper wrapper =
- (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ SamlAssertionWrapper wrapper =
+ (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
if (wrapper.isSigned()) {
signed = true;
break;
}
}
- assertTokens(message, SP12Constants.SAML_TOKEN, signed);
+ assertTokens(message, SPConstants.SAML_TOKEN, signed);
// Check version against policy
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- for (AssertionInfo ai : aim.getAssertionInfo(SP12Constants.SAML_TOKEN)) {
+ for (AssertionInfo ai : getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
SamlToken samlToken = (SamlToken)ai.getAssertion();
for (WSSecurityEngineResult result : samlResults) {
- AssertionWrapper assertionWrapper =
- (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ SamlAssertionWrapper assertionWrapper =
+ (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- if (!checkVersion(samlToken, assertionWrapper)) {
+ if (!checkVersion(aim, samlToken, assertionWrapper)) {
ai.setNotAsserted("Wrong SAML Version");
}
}
@@ -173,8 +175,8 @@ public class SamlTokenInterceptor extend
}
} catch (RuntimeException t) {
throw t;
- } catch (Throwable t) {
- throw new WSSecurityException(t.getMessage(), t);
+ } catch (Exception ex) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
}
}
return super.getValidator(qName);
@@ -188,8 +190,12 @@ public class SamlTokenInterceptor extend
return results;
}
- protected Token assertTokens(SoapMessage message) {
- return assertTokens(message, SP12Constants.SAML_TOKEN, true);
+ protected AbstractToken assertTokens(SoapMessage message) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ assertPolicy(aim, "WssSamlV11Token10");
+ assertPolicy(aim, "WssSamlV11Token11");
+ assertPolicy(aim, "WssSamlV20Token11");
+ return assertTokens(message, SPConstants.SAML_TOKEN, true);
}
protected void addToken(SoapMessage message) {
@@ -198,10 +204,11 @@ public class SamlTokenInterceptor extend
Header h = findSecurityHeader(message, true);
try {
- AssertionWrapper wrapper = addSamlToken(tok, message);
+ SamlAssertionWrapper wrapper = addSamlToken(tok, message);
if (wrapper == null) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection<AssertionInfo> ais = aim.getAssertionInfo(SP12Constants.SAML_TOKEN);
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
for (AssertionInfo ai : ais) {
if (ai.isAsserted()) {
ai.setAsserted(false);
@@ -217,7 +224,7 @@ public class SamlTokenInterceptor extend
}
- private AssertionWrapper addSamlToken(
+ private SamlAssertionWrapper addSamlToken(
SamlToken token, SoapMessage message
) throws WSSecurityException {
//
@@ -240,14 +247,21 @@ public class SamlTokenInterceptor extend
return null;
}
- SAMLParms samlParms = new SAMLParms();
- samlParms.setCallbackHandler(handler);
- if (token.isUseSamlVersion11Profile10() || token.isUseSamlVersion11Profile11()) {
- samlParms.setSAMLVersion(SAMLVersion.VERSION_11);
- } else if (token.isUseSamlVersion20Profile11()) {
- samlParms.setSAMLVersion(SAMLVersion.VERSION_20);
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+
+ SAMLCallback samlCallback = new SAMLCallback();
+ SamlTokenType tokenType = token.getSamlTokenType();
+ if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) {
+ samlCallback.setSamlVersion(SAMLVersion.VERSION_11);
+ assertPolicy(aim, "WssSamlV11Token10");
+ assertPolicy(aim, "WssSamlV11Token11");
+
+ } else if (tokenType == SamlTokenType.WssSamlV20Token11) {
+ samlCallback.setSamlVersion(SAMLVersion.VERSION_20);
+ assertPolicy(aim, "WssSamlV20Token11");
}
- AssertionWrapper assertion = new AssertionWrapper(samlParms);
+ SAMLUtil.doSAMLCallback(handler, samlCallback);
+ SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
boolean selfSignAssertion =
MessageUtils.getContextualBoolean(
@@ -275,7 +289,7 @@ public class SamlTokenInterceptor extend
String password = (String)message.getContextualProperty(SecurityConstants.PASSWORD);
if (StringUtils.isEmpty(password)) {
- password = getPassword(user, token, WSPasswordCallback.SIGNATURE, message);
+ password = getPassword(user, token, WSPasswordCallback.Usage.SIGNATURE, message);
}
if (password == null) {
password = "";
@@ -356,15 +370,21 @@ public class SamlTokenInterceptor extend
/**
* Check the policy version against the received assertion
*/
- private boolean checkVersion(SamlToken samlToken, AssertionWrapper assertionWrapper) {
- if ((samlToken.isUseSamlVersion11Profile10()
- || samlToken.isUseSamlVersion11Profile11())
+ private boolean checkVersion(
+ AssertionInfoMap aim,
+ SamlToken samlToken,
+ SamlAssertionWrapper assertionWrapper
+ ) {
+ SamlTokenType tokenType = samlToken.getSamlTokenType();
+ if ((tokenType == SamlTokenType.WssSamlV11Token10
+ || tokenType == SamlTokenType.WssSamlV11Token11)
&& assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) {
return false;
- } else if (samlToken.isUseSamlVersion20Profile11()
+ } else if (tokenType == SamlTokenType.WssSamlV20Token11
&& assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) {
return false;
}
+ assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), tokenType.name()));
return true;
}