Posted to commits@cxf.apache.org by co...@apache.org on 2011/11/22 14:29:07 UTC
svn commit: r1204985 - in
/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security:
policy/interceptors/ wss4j/ wss4j/policyvalidators/
Author: coheigea
Date: Tue Nov 22 13:29:06 2011
New Revision: 1204985
URL: http://svn.apache.org/viewvc?rev=1204985&view=rev
Log:
More SecPol refactoring.
Added:
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java
Modified:
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1204985&r1=1204984&r2=1204985&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java Tue Nov 22 13:29:06 2011
@@ -389,8 +389,8 @@ public class IssuedTokenInterceptorProvi
if (!isRequestor(message)) {
List<WSHandlerResult> results =
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
- if (results != null) {
- parseHandlerResults(results, message, aim);
+ if (results != null && results.size() > 0) {
+ parseHandlerResults(results.get(0), message, aim);
}
} else {
//client side should be checked on the way out
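Review bot: `parseHandlerResults(results.get(0), message, aim)` consults only the first WSHandlerResult, whereas the loop removed from parseHandlerResults below visited every entry in RECV_RESULTS; if that list can carry more than one result (presumably one per processed Security header), tokens found in the later entries are now silently ignored. If restricting to the first result is intended, a comment on the changed line would save the next reader a trip through history, e.g. `// Only the first handler result (the default Security header) is consulted`. The identical change is made in KerberosTokenInterceptorProvider in the hunk at old line 159 and should carry the same comment. As a point of style, `results.size() > 0` reads better as `!results.isEmpty()`. The enclosing method starts and ends outside this hunk.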
@@ -402,39 +402,33 @@ public class IssuedTokenInterceptorProvi
}
private void parseHandlerResults(
- List<WSHandlerResult> results,
+ WSHandlerResult rResult,
Message message,
AssertionInfoMap aim
) {
- if (results != null) {
- for (WSHandlerResult rResult : results) {
- List<WSSecurityEngineResult> signedResults =
- new ArrayList<WSSecurityEngineResult>();
- WSSecurityUtil.fetchAllActionResults(
- rResult.getResults(), WSConstants.SIGN, signedResults
- );
- IssuedTokenPolicyValidator issuedValidator =
- new IssuedTokenPolicyValidator(signedResults, message);
- Collection<AssertionInfo> issuedAis = aim.get(SP12Constants.ISSUED_TOKEN);
-
- for (AssertionWrapper assertionWrapper
- : findSamlTokenResults(rResult.getResults())) {
- boolean valid = issuedValidator.validatePolicy(issuedAis, assertionWrapper);
- if (valid) {
- SecurityToken token = createSecurityToken(assertionWrapper);
- message.getExchange().put(SecurityConstants.TOKEN, token);
- return;
- }
- }
- for (BinarySecurity binarySecurityToken
- : findBinarySecurityTokenResults(rResult.getResults())) {
- boolean valid = issuedValidator.validatePolicy(issuedAis, binarySecurityToken);
- if (valid) {
- SecurityToken token = createSecurityToken(binarySecurityToken);
- message.getExchange().put(SecurityConstants.TOKEN, token);
- return;
- }
- }
+ List<WSSecurityEngineResult> signedResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(
+ rResult.getResults(), WSConstants.SIGN, signedResults
+ );
+
+ IssuedTokenPolicyValidator issuedValidator =
+ new IssuedTokenPolicyValidator(signedResults, message);
+ Collection<AssertionInfo> issuedAis = aim.get(SP12Constants.ISSUED_TOKEN);
+
+ for (AssertionWrapper assertionWrapper : findSamlTokenResults(rResult.getResults())) {
+ boolean valid = issuedValidator.validatePolicy(issuedAis, assertionWrapper);
+ if (valid) {
+ SecurityToken token = createSecurityToken(assertionWrapper);
+ message.getExchange().put(SecurityConstants.TOKEN, token);
+ return;
+ }
+ }
+ for (BinarySecurity binarySecurityToken : findBinarySecurityTokenResults(rResult.getResults())) {
+ boolean valid = issuedValidator.validatePolicy(issuedAis, binarySecurityToken);
+ if (valid) {
+ SecurityToken token = createSecurityToken(binarySecurityToken);
+ message.getExchange().put(SecurityConstants.TOKEN, token);
+ return;
}
}
}
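Review bot: The reshaped `parseHandlerResults` has no Javadoc, and its contract is not obvious from the signature: the SAML assertions are tried first, then the BinarySecurity tokens, and the first one that satisfies the IssuedToken policy is turned into a SecurityToken, stored under `SecurityConstants.TOKEN` on the exchange, and the method returns; if none validates the exchange is left untouched and nothing is reported here. A header along the lines of `Stores the first received SAML Assertion or BinarySecurity token that satisfies the IssuedToken policy on the exchange as SecurityConstants.TOKEN (SAML assertions are checked before BinarySecurity tokens); later tokens are not examined.` plus `@param` entries for rResult, message and aim would capture that. Since `issuedAis` may be null when no IssuedToken assertion is in scope, it is worth a one-line comment that the validator treats a null collection as "nothing to check".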
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java?rev=1204985&r1=1204984&r2=1204985&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java Tue Nov 22 13:29:06 2011
@@ -159,8 +159,8 @@ public class KerberosTokenInterceptorPro
if (!isRequestor(message)) {
List<WSHandlerResult> results =
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
- if (results != null) {
- parseHandlerResults(results, message, aim);
+ if (results != null && results.size() > 0) {
+ parseHandlerResults(results.get(0), message, aim);
}
} else {
//client side should be checked on the way out
@@ -172,26 +172,22 @@ public class KerberosTokenInterceptorPro
}
private void parseHandlerResults(
- List<WSHandlerResult> results,
+ WSHandlerResult rResult,
Message message,
AssertionInfoMap aim
) {
- if (results != null) {
- for (WSHandlerResult rResult : results) {
- List<WSSecurityEngineResult> kerberosResults = findKerberosResults(rResult.getResults());
- for (WSSecurityEngineResult wser : kerberosResults) {
- KerberosSecurity kerberosToken =
- (KerberosSecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- KerberosTokenPolicyValidator kerberosValidator =
- new KerberosTokenPolicyValidator(message);
- boolean valid = kerberosValidator.validatePolicy(aim, kerberosToken);
- if (valid) {
- SecurityToken token = createSecurityToken(kerberosToken);
- token.setSecret((byte[])wser.get(WSSecurityEngineResult.TAG_SECRET));
- message.getExchange().put(SecurityConstants.TOKEN, token);
- return;
- }
- }
+ List<WSSecurityEngineResult> kerberosResults = findKerberosResults(rResult.getResults());
+ for (WSSecurityEngineResult wser : kerberosResults) {
+ KerberosSecurity kerberosToken =
+ (KerberosSecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ KerberosTokenPolicyValidator kerberosValidator =
+ new KerberosTokenPolicyValidator(message);
+ boolean valid = kerberosValidator.validatePolicy(aim, kerberosToken);
+ if (valid) {
+ SecurityToken token = createSecurityToken(kerberosToken);
+ token.setSecret((byte[])wser.get(WSSecurityEngineResult.TAG_SECRET));
+ message.getExchange().put(SecurityConstants.TOKEN, token);
+ return;
}
}
}
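Review bot: `new KerberosTokenPolicyValidator(message)` is constructed on every iteration of the loop over `kerberosResults` although it only depends on `message`; moving `KerberosTokenPolicyValidator kerberosValidator = new KerberosTokenPolicyValidator(message);` to just above `for (WSSecurityEngineResult wser : kerberosResults) {` removes the repeated allocation. That looks behaviour-neutral since the constructor receives nothing per-result, but it is worth a glance at the class to confirm it keeps no per-call state. The method also lacks a Javadoc; one sentence stating that the first Kerberos token that satisfies the policy is stored on the exchange with its secret and that the remaining results are then ignored would document the early `return`.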
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1204985&r1=1204984&r2=1204985&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Tue Nov 22 13:29:06 2011
@@ -76,6 +76,7 @@ import org.apache.cxf.ws.security.wss4j.
import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.TokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator;
@@ -523,41 +524,21 @@ public class PolicyBasedWSS4JInIntercept
List<WSSecurityEngineResult> signedResults,
boolean utWithCallbacks
) {
- List<WSSecurityEngineResult> utResults = new ArrayList<WSSecurityEngineResult>();
- WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, utResults);
- WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, utResults);
-
- List<WSSecurityEngineResult> samlResults = new ArrayList<WSSecurityEngineResult>();
- WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
- WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
-
boolean check = true;
- X509TokenPolicyValidator x509Validator = new X509TokenPolicyValidator(msg, results);
- check &= x509Validator.validatePolicy(aim);
+ TokenPolicyValidator x509Validator = new X509TokenPolicyValidator();
+ check &= x509Validator.validatePolicy(aim, msg, soapBody, results, signedResults);
- if (utWithCallbacks) {
- UsernameTokenPolicyValidator utValidator =
- new UsernameTokenPolicyValidator(msg, results);
- check &= utValidator.validatePolicy(aim);
- } else {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
- if (ais != null) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- }
- }
+ TokenPolicyValidator utValidator = new UsernameTokenPolicyValidator(utWithCallbacks);
+ check &= utValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
- SamlTokenPolicyValidator samlValidator =
- new SamlTokenPolicyValidator(soapBody, signedResults, msg, results);
- check &= samlValidator.validatePolicy(aim);
+ TokenPolicyValidator samlValidator = new SamlTokenPolicyValidator();
+ check &= samlValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
- SecurityContextTokenPolicyValidator sctValidator =
- new SecurityContextTokenPolicyValidator(msg, results);
- check &= sctValidator.validatePolicy(aim);
+ TokenPolicyValidator sctValidator = new SecurityContextTokenPolicyValidator();
+ check &= sctValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
- WSS11PolicyValidator wss11Validator = new WSS11PolicyValidator(msg, results);
- check &= wss11Validator.validatePolicy(aim);
+ TokenPolicyValidator wss11Validator = new WSS11PolicyValidator();
+ check &= wss11Validator.validatePolicy(aim, msg, soapBody, results, signedResults);
return check;
}
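Review bot: The five validators are now driven by five identical `new X(); check &= x.validatePolicy(aim, msg, soapBody, results, signedResults);` pairs; since they all implement TokenPolicyValidator, a list plus one loop states the intent once — every validator runs, the results are AND-ed, and a failure does not short-circuit. That non-short-circuit behaviour of `&=` is presumably deliberate so each validator still marks its own AssertionInfos after an earlier one has failed, and the loop preserves it; the comment makes that explicit. The method's signature starts outside the hunk, and `java.util.Arrays` must be in scope if it is not already imported.
```java
        boolean check = true;
        List<TokenPolicyValidator> validators = Arrays.<TokenPolicyValidator>asList(
            new X509TokenPolicyValidator(),
            new UsernameTokenPolicyValidator(utWithCallbacks),
            new SamlTokenPolicyValidator(),
            new SecurityContextTokenPolicyValidator(),
            new WSS11PolicyValidator()
        );
        // Run every validator (no short-circuit) so each one marks its own AssertionInfos
        for (TokenPolicyValidator validator : validators) {
            check &= validator.validatePolicy(aim, msg, soapBody, results, signedResults);
        }
        return check;
```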
@@ -600,6 +581,14 @@ public class PolicyBasedWSS4JInIntercept
) {
boolean check = true;
+ List<WSSecurityEngineResult> utResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, utResults);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, utResults);
+
+ List<WSSecurityEngineResult> samlResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
+
SignedTokenPolicyValidator suppValidator =
new SignedTokenPolicyValidator(msg, results, signedResults);
suppValidator.setValidateUsernameToken(utWithCallbacks);
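Review bot: `utResults` and `samlResults` are built at the top of this method, but none of the visible lines reads them; if the remainder of the method (which continues outside the hunk) does not consume them either, the four `fetchAllActionResults` calls are dead work that was merely relocated from the hunk above. Assuming they do feed the supporting-token validators further down, a one-line comment such as `// utResults/samlResults are consumed by the supporting token validators below` would tie them to their use and keep a later cleanup from removing them by mistake.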
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1204985&r1=1204984&r2=1204985&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java Tue Nov 22 13:29:06 2011
@@ -26,6 +26,10 @@ import java.security.cert.X509Certificat
import java.util.Arrays;
import java.util.List;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
+import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.saml.SAMLKeyInfo;
@@ -38,6 +42,33 @@ import org.apache.ws.security.saml.ext.O
public abstract class AbstractSamlPolicyValidator extends AbstractTokenPolicyValidator {
/**
+ * Check to see if a token is required or not.
+ * @param token the token
+ * @param message The message
+ * @return true if the token is required
+ */
+ protected boolean isTokenRequired(
+ Token token,
+ Message message
+ ) {
+ IncludeTokenType inclusion = token.getInclusion();
+ if (inclusion == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
+ return false;
+ } else if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
+ return true;
+ } else {
+ boolean initiator = MessageUtils.isRequestor(message);
+ if (initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR)) {
+ return true;
+ } else if (!initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ONCE
+ || inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT)) {
+ return true;
+ }
+ return false;
+ }
+ }
+
+ /**
* Check the holder-of-key requirements against the received assertion. The subject
* credential of the SAML Assertion must have been used to sign some portion of
* the message, thus showing proof-of-possession of the private/secret key. Alternatively,
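Review bot: The new `isTokenRequired` on AbstractSamlPolicyValidator appears to duplicate a method this class already inherits: IssuedTokenPolicyValidator (a subclass of this class) called `isTokenRequired(issuedToken, message)` before this commit, SecurityContextTokenPolicyValidator calls it while extending AbstractTokenPolicyValidator directly, and AbstractTokenPolicyValidator is not in the modified file list, so the inherited version must still exist. If this copy is meant to override it, it needs `@Override` and a comment saying how it differs; if it is identical, it should be dropped so the inclusion logic lives in one place. Inclusion logic decides whether a missing token is a policy failure, so two copies that drift apart would make the SAML-based validators and the SCT/UT validators disagree on whether a token is mandatory. The Javadoc could also record that `INCLUDE_TOKEN_ONCE` is treated as required only on the recipient side.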
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java?rev=1204985&r1=1204984&r2=1204985&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java Tue Nov 22 13:29:06 2011
@@ -39,7 +39,7 @@ import org.apache.ws.security.WSSecurity
* Validate a WSSecurityEngineResult corresponding to the processing of a Signature, EncryptedKey or
* EncryptedData structure against an AlgorithmSuite policy.
*/
-public class AlgorithmSuitePolicyValidator extends AbstractTokenPolicyValidator {
+public class AlgorithmSuitePolicyValidator {
private List<WSSecurityEngineResult> results;
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1204985&r1=1204984&r2=1204985&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java Tue Nov 22 13:29:06 2011
@@ -40,7 +40,7 @@ import org.opensaml.common.SAMLVersion;
/**
* Validate a WSSecurityEngineResult corresponding to the processing of a SAML Assertion
- * against an IssuedToken policy.
+ * or Kerberos token against an IssuedToken policy.
*/
public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
@@ -56,70 +56,73 @@ public class IssuedTokenPolicyValidator
}
public boolean validatePolicy(
- Collection<AssertionInfo> issuedAis,
+ Collection<AssertionInfo> ais,
AssertionWrapper assertionWrapper
) {
- if (issuedAis != null) {
- for (AssertionInfo ai : issuedAis) {
- IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
- ai.setAsserted(true);
-
- boolean tokenRequired = isTokenRequired(issuedToken, message);
- if (tokenRequired && assertionWrapper == null) {
- ai.setNotAsserted(
- "The received token does not match the token inclusion requirement"
- );
- return false;
- }
- if (!tokenRequired) {
- continue;
- }
-
- Element template = issuedToken.getRstTemplate();
- if (template != null && !checkIssuedTokenTemplate(template, assertionWrapper)) {
- ai.setNotAsserted("Error in validating the IssuedToken policy");
- return false;
- }
-
- TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
- Certificate[] tlsCerts = null;
- if (tlsInfo != null) {
- tlsCerts = tlsInfo.getPeerCertificates();
- }
- if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
- ai.setNotAsserted("Assertion fails holder-of-key requirements");
- return false;
- }
+ if (ais == null || ais.isEmpty()) {
+ return true;
+ }
+
+ for (AssertionInfo ai : ais) {
+ IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
+ ai.setAsserted(true);
+
+ if (!isTokenRequired(issuedToken, message)) {
+ continue;
+ }
+
+ if (assertionWrapper == null) {
+ ai.setNotAsserted(
+ "The received token does not match the token inclusion requirement"
+ );
+ return false;
+ }
+
+ Element template = issuedToken.getRstTemplate();
+ if (template != null && !checkIssuedTokenTemplate(template, assertionWrapper)) {
+ ai.setNotAsserted("Error in validating the IssuedToken policy");
+ return false;
+ }
+
+ TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+ Certificate[] tlsCerts = null;
+ if (tlsInfo != null) {
+ tlsCerts = tlsInfo.getPeerCertificates();
+ }
+ if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
+ ai.setNotAsserted("Assertion fails holder-of-key requirements");
+ return false;
}
}
return true;
}
public boolean validatePolicy(
- Collection<AssertionInfo> issuedAis,
+ Collection<AssertionInfo> ais,
BinarySecurity binarySecurityToken
) {
- if (issuedAis != null) {
- for (AssertionInfo ai : issuedAis) {
- IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
- ai.setAsserted(true);
-
- boolean tokenRequired = isTokenRequired(issuedToken, message);
- if (tokenRequired && binarySecurityToken == null) {
- ai.setNotAsserted(
- "The received token does not match the token inclusion requirement"
- );
- return false;
- }
- if (!tokenRequired) {
- continue;
- }
+ if (ais == null || ais.isEmpty()) {
+ return true;
+ }
+
+ for (AssertionInfo ai : ais) {
+ IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
+ ai.setAsserted(true);
- Element template = issuedToken.getRstTemplate();
- if (template != null && !checkIssuedTokenTemplate(template, binarySecurityToken)) {
- ai.setNotAsserted("Error in validating the IssuedToken policy");
- return false;
- }
+ if (!isTokenRequired(issuedToken, message)) {
+ continue;
+ }
+ if (binarySecurityToken == null) {
+ ai.setNotAsserted(
+ "The received token does not match the token inclusion requirement"
+ );
+ return false;
+ }
+
+ Element template = issuedToken.getRstTemplate();
+ if (template != null && !checkIssuedTokenTemplate(template, binarySecurityToken)) {
+ ai.setNotAsserted("Error in validating the IssuedToken policy");
+ return false;
}
}
return true;
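Review bot: The two `validatePolicy` overloads now share an identical prologue — null/empty guard on `ais`, cast to IssuedToken, `setAsserted(true)`, the inclusion check, the null-token check and the RST template check — and differ only in the holder-of-key check that the AssertionWrapper variant performs; extracting that shared sequence into a private helper would keep the two copies from drifting. Neither overload has Javadoc; each header should state that the method returns true when `ais` is null or empty, that it marks every IssuedToken AssertionInfo asserted and un-asserts the first failing one with a reason, and, for the BinarySecurity overload, that no proof-of-possession check is performed on the token. Both method bodies end outside the hunk.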
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1204985&r1=1204984&r2=1204985&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java Tue Nov 22 13:29:06 2011
@@ -43,53 +43,48 @@ import org.apache.ws.security.util.WSSec
import org.opensaml.common.SAMLVersion;
/**
- * Validate a WSSecurityEngineResult corresponding to the processing of a SAML Assertion
- * against the appropriate policy.
+ * Validate a SamlToken policy.
*/
-public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator {
+public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implements TokenPolicyValidator {
- private List<WSSecurityEngineResult> signedResults;
- private Element soapBody;
- private Message message;
- private List<WSSecurityEngineResult> samlResults;
-
- public SamlTokenPolicyValidator(
- Element soapBody,
- List<WSSecurityEngineResult> signedResults,
- Message message,
- List<WSSecurityEngineResult> results
- ) {
- this.soapBody = soapBody;
- this.signedResults = signedResults;
- this.message = message;
- samlResults = new ArrayList<WSSecurityEngineResult>();
- WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
- WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
- }
+ private Element body;
+ private List<WSSecurityEngineResult> signed;
public boolean validatePolicy(
- AssertionInfoMap aim
+ AssertionInfoMap aim,
+ Message message,
+ Element soapBody,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
) {
- Collection<AssertionInfo> samlAis = aim.get(SP12Constants.SAML_TOKEN);
- if (samlAis == null || samlAis.isEmpty()) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.SAML_TOKEN);
+ if (ais == null || ais.isEmpty()) {
return true;
}
- for (AssertionInfo ai : samlAis) {
+ body = soapBody;
+ signed = signedResults;
+
+ List<WSSecurityEngineResult> samlResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
+
+ for (AssertionInfo ai : ais) {
SamlToken samlToken = (SamlToken)ai.getAssertion();
ai.setAsserted(true);
- boolean tokenRequired = isTokenRequired(samlToken, message);
- if (tokenRequired && samlResults.isEmpty()) {
+ if (!isTokenRequired(samlToken, message)) {
+ continue;
+ }
+
+ if (samlResults.isEmpty()) {
ai.setNotAsserted(
"The received token does not match the token inclusion requirement"
);
return false;
}
- if (!tokenRequired) {
- continue;
- }
-
+
+ // All of the received SAML Assertions must conform to the policy
for (WSSecurityEngineResult result : samlResults) {
AssertionWrapper assertionWrapper =
(AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
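Review bot: `body` and `signed` are instance fields that `validatePolicy` assigns from its `soapBody` and `signedResults` parameters and that `checkAssertionAndBodyAreSigned` reads afterwards (the hunks at old lines 169, 186 and 199), which turns per-call arguments into object state: a SamlTokenPolicyValidator reused for a second message would check that message's assertion against the first message's body and signatures, and the fields are never cleared. The caller in PolicyBasedWSS4JInInterceptor constructs a fresh instance per call, so nothing breaks today, but the TokenPolicyValidator interface gives no hint that implementations are single-use. Passing the two values through as parameters, `checkAssertionAndBodyAreSigned(assertionWrapper, soapBody, signedResults)`, and dropping the fields keeps the validator stateless; failing that, the class needs a comment stating that instances are not reusable and not thread-safe. The method continues outside the hunk.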
@@ -169,7 +164,7 @@ public class SamlTokenPolicyValidator ex
List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
for (String confirmationMethod : confirmationMethods) {
if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
- if (signedResults == null || signedResults.isEmpty()) {
+ if (signed == null || signed.isEmpty()) {
return false;
}
if (!checkAssertionAndBodyAreSigned(assertionWrapper)) {
@@ -186,7 +181,7 @@ public class SamlTokenPolicyValidator ex
* @return true if there is a signature which references the Assertion and the SOAP Body.
*/
private boolean checkAssertionAndBodyAreSigned(AssertionWrapper assertionWrapper) {
- for (WSSecurityEngineResult signedResult : signedResults) {
+ for (WSSecurityEngineResult signedResult : signed) {
List<WSDataRef> sl =
CastUtils.cast((List<?>)signedResult.get(
WSSecurityEngineResult.TAG_DATA_REF_URIS
@@ -199,7 +194,7 @@ public class SamlTokenPolicyValidator ex
if (se == assertionWrapper.getElement()) {
assertionIsSigned = true;
}
- if (se == soapBody) {
+ if (se == body) {
bodyIsSigned = true;
}
if (assertionIsSigned && bodyIsSigned) {
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java?rev=1204985&r1=1204984&r2=1204985&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java Tue Nov 22 13:29:06 2011
@@ -23,6 +23,8 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
+import org.w3c.dom.Element;
+
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
@@ -33,39 +35,39 @@ import org.apache.ws.security.WSSecurity
import org.apache.ws.security.util.WSSecurityUtil;
/**
- * Validate a WSSecurityEngineResult corresponding to the processing of a SecurityContextToken
- * against the appropriate policy.
+ * Validate a SecurityContextToken policy.
*/
-public class SecurityContextTokenPolicyValidator extends AbstractTokenPolicyValidator {
+public class SecurityContextTokenPolicyValidator
+ extends AbstractTokenPolicyValidator implements TokenPolicyValidator {
- private List<WSSecurityEngineResult> sctResults;
- private Message message;
+ public boolean validatePolicy(
+ AssertionInfoMap aim,
+ Message message,
+ Element soapBody,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
+ ) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURITY_CONTEXT_TOKEN);
+ if (ais == null || ais.isEmpty()) {
+ return true;
+ }
- public SecurityContextTokenPolicyValidator(Message message, List<WSSecurityEngineResult> results) {
- this.message = message;
- sctResults = new ArrayList<WSSecurityEngineResult>();
+ List<WSSecurityEngineResult> sctResults = new ArrayList<WSSecurityEngineResult>();
WSSecurityUtil.fetchAllActionResults(results, WSConstants.SCT, sctResults);
- }
-
- public boolean validatePolicy(AssertionInfoMap aim) {
- Collection<AssertionInfo> sctAis = aim.get(SP12Constants.SECURITY_CONTEXT_TOKEN);
- if (sctAis != null && !sctAis.isEmpty()) {
- for (AssertionInfo ai : sctAis) {
- SecurityContextToken sctPolicy = (SecurityContextToken)ai.getAssertion();
- ai.setAsserted(true);
-
- boolean tokenRequired = isTokenRequired(sctPolicy, message);
-
- if (!tokenRequired) {
- continue;
- }
-
- if (sctResults.isEmpty()) {
- ai.setNotAsserted(
- "The received token does not match the token inclusion requirement"
- );
- return false;
- }
+
+ for (AssertionInfo ai : ais) {
+ SecurityContextToken sctPolicy = (SecurityContextToken)ai.getAssertion();
+ ai.setAsserted(true);
+
+ if (!isTokenRequired(sctPolicy, message)) {
+ continue;
+ }
+
+ if (sctResults.isEmpty()) {
+ ai.setNotAsserted(
+ "The received token does not match the token inclusion requirement"
+ );
+ return false;
}
}
return true;
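Review bot: The new `validatePolicy` has no Javadoc of its own, and the interface Javadoc does not say what this implementation does with each argument: `soapBody` and `signedResults` are not consulted, only the presence of at least one result with action `WSConstants.SCT` is checked, and the method returns true when no SECURITY_CONTEXT_TOKEN assertion is in scope. A header such as `Asserts each SecurityContextToken policy: when the inclusion type requires a token, at least one SCT must have been processed (a WSConstants.SCT result); soapBody and signedResults are unused.` would make that explicit for readers coming from the interface. The method's closing brace lies outside the hunk.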
Added: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java?rev=1204985&view=auto
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java (added)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java Tue Nov 22 13:29:06 2011
@@ -0,0 +1,45 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.ws.security.WSSecurityEngineResult;
+
+/**
+ * Validate a WS-SecurityPolicy corresponding to a received token.
+ */
+public interface TokenPolicyValidator {
+
+ /**
+ * Validate a particular policy from the AssertionInfoMap argument. Return true if the policy is valid.
+ */
+ boolean validatePolicy(
+ AssertionInfoMap aim,
+ Message message,
+ Element soapBody,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
+ );
+}
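Review bot: The `validatePolicy` Javadoc leaves all five parameters undocumented, and the contract that the implementations in this commit actually follow is not stated on the interface: each looks up its own assertion type in `aim`, calls `setAsserted(true)` or `setNotAsserted(reason)` on the matching AssertionInfos, and returns true when no matching assertion is present. Adding `@param` lines (`aim` the AssertionInfoMap for the message; `message` the message being processed; `soapBody` the SOAP Body element, for validators that check body signatures; `results` all WSSecurityEngineResults of the Security header; `signedResults` the subset produced by signature processing) plus a sentence saying implementations must mark the AssertionInfos they handle would let a new validator be written from the interface alone. It would also be worth stating whether an implementation may keep state between calls, since SamlTokenPolicyValidator in this commit stores `soapBody` and `signedResults` in fields.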
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java?rev=1204985&r1=1204984&r2=1204985&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java Tue Nov 22 13:29:06 2011
@@ -23,6 +23,8 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
+import org.w3c.dom.Element;
+
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
@@ -33,46 +35,50 @@ import org.apache.ws.security.message.to
import org.apache.ws.security.util.WSSecurityUtil;
/**
- * Validate a WSSecurityEngineResult corresponding to the processing of a UsernameToken
- * against the appropriate policy.
+ * Validate a UsernameToken policy.
*/
-public class UsernameTokenPolicyValidator extends AbstractTokenPolicyValidator {
+public class UsernameTokenPolicyValidator
+ extends AbstractTokenPolicyValidator implements TokenPolicyValidator {
- private Message message;
- private List<WSSecurityEngineResult> utResults;
-
- public UsernameTokenPolicyValidator(
- Message message,
- List<WSSecurityEngineResult> results
- ) {
- this.message = message;
- utResults = new ArrayList<WSSecurityEngineResult>();
- WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, utResults);
- WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, utResults);
+ private boolean utWithCallbacks;
+
+ public UsernameTokenPolicyValidator(boolean utWithCallbacks) {
+ this.utWithCallbacks = utWithCallbacks;
}
public boolean validatePolicy(
- AssertionInfoMap aim
+ AssertionInfoMap aim,
+ Message message,
+ Element soapBody,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
) {
- Collection<AssertionInfo> utAis = aim.get(SP12Constants.USERNAME_TOKEN);
- if (utAis == null || utAis.isEmpty()) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
+ if (ais == null || ais.isEmpty()) {
return true;
}
- for (AssertionInfo ai : utAis) {
+ List<WSSecurityEngineResult> utResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, utResults);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, utResults);
+
+ for (AssertionInfo ai : ais) {
org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy =
(org.apache.cxf.ws.security.policy.model.UsernameToken)ai.getAssertion();
ai.setAsserted(true);
- boolean tokenRequired = isTokenRequired(usernameTokenPolicy, message);
- if (tokenRequired && utResults.isEmpty()) {
+ if (utWithCallbacks || !isTokenRequired(usernameTokenPolicy, message)) {
+ continue;
+ }
+
+ if (utResults.isEmpty()) {
ai.setNotAsserted(
"The received token does not match the token inclusion requirement"
);
return false;
}
-
- if (tokenRequired && !checkTokens(usernameTokenPolicy, ai)) {
+
+ if (!checkTokens(usernameTokenPolicy, ai, utResults)) {
return false;
}
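Review bot: When `utWithCallbacks` is true the new `continue` skips every check, but the `ai.setAsserted(true)` just above it has already marked the UsernameToken assertion as satisfied, so a RequireNonce, RequireCreated or HashPassword requirement in the policy is never verified by this class in that mode. If that is deliberate because the callback handler is trusted to enforce the policy, the constructor should say so; suggested Javadoc: `/** @param utWithCallbacks when true the UsernameToken is assumed to have been validated by the callback handler and no policy checks are applied here */`. The field is only written in the constructor, so `private final boolean utWithCallbacks;` would also make the intent explicit.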
@@ -80,9 +86,13 @@ public class UsernameTokenPolicyValidato
return true;
}
+ /**
+ * All UsernameTokens must conform to the policy
+ */
public boolean checkTokens(
org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy,
- AssertionInfo ai
+ AssertionInfo ai,
+ List<WSSecurityEngineResult> utResults
) {
for (WSSecurityEngineResult result : utResults) {
UsernameToken usernameToken =
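Review bot: `checkTokens` stays `public` although its only caller visible in this diff is `validatePolicy` in the same class, and the X509 counterpart `checkTokenType` is `private`; since the signature is already changing here, `private boolean checkTokens(` would keep the two validators consistent and stop the pre-filtered `utResults` list from being part of the class's API, unless external callers exist that I cannot see. The new Javadoc could also carry `@return true if every received UsernameToken satisfies the policy, false after setNotAsserted has been called on ai`. The body of the method continues outside the hunk.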
@@ -96,7 +106,7 @@ public class UsernameTokenPolicyValidato
return false;
}
if (usernameTokenPolicy.isRequireCreated()
- && (usernameToken.getCreated() == null || usernameToken.isHashed())) {
+ && (usernameToken.getCreated() == null || usernameToken.isHashed())) {
ai.setNotAsserted("Username Token Created policy not enforced");
return false;
}
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java?rev=1204985&r1=1204984&r2=1204985&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java Tue Nov 22 13:29:06 2011
@@ -23,6 +23,8 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
+import org.w3c.dom.Element;
+
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
@@ -36,28 +38,23 @@ import org.apache.ws.security.util.WSSec
/**
* Validate a WSS11 policy.
*/
-public class WSS11PolicyValidator {
-
- private List<WSSecurityEngineResult> scResults;
- private Message message;
-
- public WSS11PolicyValidator(
- Message message,
- List<WSSecurityEngineResult> results
- ) {
- this.message = message;
- scResults = new ArrayList<WSSecurityEngineResult>();
- WSSecurityUtil.fetchAllActionResults(results, WSConstants.SC, scResults);
- }
+public class WSS11PolicyValidator implements TokenPolicyValidator {
public boolean validatePolicy(
- AssertionInfoMap aim
+ AssertionInfoMap aim,
+ Message message,
+ Element soapBody,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
) {
Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
if (ais == null || ais.isEmpty()) {
return true;
}
+ List<WSSecurityEngineResult> scResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.SC, scResults);
+
for (AssertionInfo ai : ais) {
Wss11 wss11 = (Wss11)ai.getAssertion();
ai.setAsserted(true);
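Review bot: With the `message` and `scResults` fields and the constructor removed, the validator now carries no per-message state, which is what makes a single instance reusable; that property is worth stating in the class Javadoc so a later change does not quietly reintroduce a field: `Validate a WSS11 policy. Instances hold no per-message state and may be reused across requests.`. The same note applies to the UsernameToken and X509 validators reworked in this commit. The loop body of `validatePolicy` continues outside the hunk.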
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java?rev=1204985&r1=1204984&r2=1204985&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java Tue Nov 22 13:29:06 2011
@@ -23,6 +23,8 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
+import org.w3c.dom.Element;
+
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
@@ -35,35 +37,29 @@ import org.apache.ws.security.message.to
import org.apache.ws.security.util.WSSecurityUtil;
/**
- * Validate a WSSecurityEngineResult corresponding to the processing of an X.509 Token
- * against the appropriate policy.
+ * Validate an X509 Token policy.
*/
-public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator {
+public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator implements TokenPolicyValidator {
private static final String X509_V3_VALUETYPE = WSConstants.X509TOKEN_NS + "#X509v3";
private static final String PKI_VALUETYPE = WSConstants.X509TOKEN_NS + "#X509PKIPathv1";
- private List<WSSecurityEngineResult> bstResults;
- private Message message;
-
- public X509TokenPolicyValidator(
- Message message,
- List<WSSecurityEngineResult> results
- ) {
- this.message = message;
- bstResults = new ArrayList<WSSecurityEngineResult>();
- WSSecurityUtil.fetchAllActionResults(results, WSConstants.BST, bstResults);
- }
-
public boolean validatePolicy(
- AssertionInfoMap aim
+ AssertionInfoMap aim,
+ Message message,
+ Element soapBody,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
) {
- Collection<AssertionInfo> x509Ais = aim.get(SP12Constants.X509_TOKEN);
- if (x509Ais == null || x509Ais.isEmpty()) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.X509_TOKEN);
+ if (ais == null || ais.isEmpty()) {
return true;
}
- for (AssertionInfo ai : x509Ais) {
+ List<WSSecurityEngineResult> bstResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.BST, bstResults);
+
+ for (AssertionInfo ai : ais) {
X509Token x509TokenPolicy = (X509Token)ai.getAssertion();
ai.setAsserted(true);
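Review bot: The new class declaration is written on a single line, whereas the sibling UsernameTokenPolicyValidator in this same commit wraps the `extends` / `implements` clause onto a continuation line; wrapping it the same way keeps the two files consistent and comfortably inside the line limit: `public class X509TokenPolicyValidator` followed by `    extends AbstractTokenPolicyValidator implements TokenPolicyValidator {`. The rest of `validatePolicy` lies outside the hunk.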
@@ -78,7 +74,7 @@ public class X509TokenPolicyValidator ex
return false;
}
- if (!checkTokenType(x509TokenPolicy.getTokenVersionAndType())) {
+ if (!checkTokenType(x509TokenPolicy.getTokenVersionAndType(), bstResults)) {
ai.setNotAsserted("An incorrect X.509 Token Type is detected");
return false;
}
@@ -86,22 +82,30 @@ public class X509TokenPolicyValidator ex
return true;
}
- private boolean checkTokenType(String requiredVersionAndType) {
- if (!bstResults.isEmpty()) {
- String requiredType = X509_V3_VALUETYPE;
- if (SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10.equals(requiredType)
- || SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11.equals(requiredType)) {
- requiredType = PKI_VALUETYPE;
- }
-
- for (WSSecurityEngineResult result : bstResults) {
- BinarySecurity binarySecurityToken =
- (BinarySecurity)result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- if (binarySecurityToken != null) {
- String type = binarySecurityToken.getValueType();
- if (requiredType.equals(type)) {
- return true;
- }
+ /**
+ * Check that at least one received token matches the token type.
+ */
+ private boolean checkTokenType(
+ String requiredVersionAndType,
+ List<WSSecurityEngineResult> bstResults
+ ) {
+ if (bstResults.isEmpty()) {
+ return false;
+ }
+
+ String requiredType = X509_V3_VALUETYPE;
+ if (SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10.equals(requiredType)
+ || SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11.equals(requiredType)) {
+ requiredType = PKI_VALUETYPE;
+ }
+
+ for (WSSecurityEngineResult result : bstResults) {
+ BinarySecurity binarySecurityToken =
+ (BinarySecurity)result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ if (binarySecurityToken != null) {
+ String type = binarySecurityToken.getValueType();
+ if (requiredType.equals(type)) {
+ return true;
}
}
}
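Review bot: `requiredVersionAndType` is never read in the rewritten `checkTokenType`: both `equals` calls compare the PKI-path constants against `requiredType`, which was initialised to `X509_V3_VALUETYPE` on the line before, so the PKI branch is unreachable and the method always demands an X509v3 BinarySecurityToken regardless of the token type the policy actually requires. The comparison should be against the parameter: `if (SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10.equals(requiredVersionAndType)` / `    || SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11.equals(requiredVersionAndType)) {`. The removed lines show the same mistake, so it is carried over rather than introduced, but this hunk rewrites those lines and is the natural place to fix it. The method's trailing `return false` and closing brace lie outside the hunk.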