Posted to commits@ws.apache.org by co...@apache.org on 2013/12/12 12:57:51 UTC

svn commit: r1550401 - /webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java

Author: coheigea
Date: Thu Dec 12 11:57:50 2013
New Revision: 1550401

URL: http://svn.apache.org/r1550401
Log:
[WSS-486] - Weaken policy validation for an initiator + no security header + soap fault

Modified:
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java?rev=1550401&r1=1550400&r2=1550401&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java Thu Dec 12 11:57:50 2013
@@ -91,6 +91,7 @@ import org.apache.wss4j.policy.stax.asse
 import org.apache.wss4j.policy.stax.assertionStates.UsernameTokenAssertionState;
 import org.apache.wss4j.policy.stax.assertionStates.X509TokenAssertionState;
 import org.apache.wss4j.stax.ext.WSSConstants;
+import org.apache.wss4j.stax.securityEvent.NoSecuritySecurityEvent;
 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
 import org.apache.xml.security.exceptions.XMLSecurityException;
@@ -116,6 +117,9 @@ public class PolicyEnforcer implements S
 
     protected static final transient org.slf4j.Logger log = 
         org.slf4j.LoggerFactory.getLogger(PolicyEnforcer.class);
+    
+    private static final QName SOAP11_FAULT = new QName(WSSConstants.NS_SOAP11, "Fault");
+    private static final QName SOAP12_FAULT = new QName(WSSConstants.NS_SOAP12, "Fault");
 
     private final List<OperationPolicy> operationPolicies;
     private OperationPolicy effectivePolicy;
@@ -127,6 +131,8 @@ public class PolicyEnforcer implements S
     private boolean initiator;
     private String actorOrRole;
     private int attachmentCount;
+    private boolean noSecurityHeader;
+    private boolean faultOccurred;
 
     public PolicyEnforcer(List<OperationPolicy> operationPolicies, String soapAction, boolean initiator,
                           String actorOrRole, int attachmentCount) throws WSSPolicyException {
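Review bot: The two new fields `noSecurityHeader` and `faultOccurred` carry no comment, and their effect is only visible far away in the `assertionStateMap.isEmpty()` checks, so a reader of the field list cannot tell that together with `initiator` they switch policy enforcement off. Suggest `// WSS-486: set on NoSecuritySecurityEvent (no security header present)` on the first and `// WSS-486: set when the operation is a SOAP 1.1/1.2 Fault; with noSecurityHeader and initiator this exempts the message from policy enforcement` on the second. Neither flag is reset anywhere in this diff; whether that matters depends on a PolicyEnforcer instance living for one message only, which is not visible here.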
@@ -426,7 +432,7 @@ public class PolicyEnforcer implements S
         }
         //if the assertionStateMap is empty (the size of the list is equal to the alternatives)
         //then we could not satisfy any alternative
-        if (assertionStateMap.isEmpty()) {
+        if (assertionStateMap.isEmpty() && !(faultOccurred && noSecurityHeader && initiator)) {
             logFailedAssertions();
             throw new PolicyViolationException(assertionMessage);
         }
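Review bot: The added exemption on the `if` line means that, for an initiator, a response that is a SOAP fault and carries no security header skips policy enforcement silently: the violation is neither logged nor thrown, so a protected response replaced on the path by an unsigned fault leaves no trace. The same condition is repeated verbatim in the `@@ -464` and `@@ -526` hunks; extracting it into `private boolean isUnsecuredInitiatorFault() { return faultOccurred && noSecurityHeader && initiator; }` keeps the three sites in step, and logging at warn level when the exemption is taken makes the downgrade visible to the client. The enclosing method begins outside the hunk; the rewritten check is below and would be the same at all three sites.
```java
        if (assertionStateMap.isEmpty()) {
            if (isUnsecuredInitiatorFault()) {
                // WSS-486: tolerate an unsecured fault, but make the downgrade visible
                log.warn("Security policy not satisfied, but the initiator received a SOAP fault without a security header; policy enforcement skipped");
            } else {
                logFailedAssertions();
                throw new PolicyViolationException(assertionMessage);
            }
        }
        // … unchanged: rest of the enclosing verify method …
```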
@@ -464,7 +470,7 @@ public class PolicyEnforcer implements S
                 }
             }
         }
-        if (assertionStateMap.isEmpty()) {
+        if (assertionStateMap.isEmpty() && !(faultOccurred && noSecurityHeader && initiator)) {
             logFailedAssertions();
             throw new WSSPolicyException(assertionMessage);
         }
@@ -526,7 +532,7 @@ public class PolicyEnforcer implements S
                 }
             }
         }
-        if (assertionStateMap.isEmpty()) {
+        if (assertionStateMap.isEmpty() && !(faultOccurred && noSecurityHeader && initiator)) {
             logFailedAssertions();
             throw new WSSPolicyException(assertionMessage);
         }
@@ -562,6 +568,10 @@ public class PolicyEnforcer implements S
     @Override
     public synchronized void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
 
+        if (securityEvent instanceof NoSecuritySecurityEvent) {
+            noSecurityHeader = true;
+        }
+        
         if (operationSecurityEventOccured) {
             try {
                 verifyPolicy(securityEvent);
@@ -575,6 +585,11 @@ public class PolicyEnforcer implements S
         if (WSSecurityEventConstants.Operation.equals(securityEvent.getSecurityEventType())) {
             operationSecurityEventOccured = true;
             final OperationSecurityEvent operationSecurityEvent = (OperationSecurityEvent) securityEvent;
+            if (SOAP11_FAULT.equals(operationSecurityEvent.getOperation())
+                || SOAP12_FAULT.equals(operationSecurityEvent.getOperation())) {
+                faultOccurred = true;
+            }
+            
             if (effectivePolicy == null) {
                 effectivePolicy = findPolicyBySOAPOperationName(operationPolicies, operationSecurityEvent.getOperation().getLocalPart());
                 if (effectivePolicy == null) {
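Review bot: The new `if` that sets `faultOccurred` gives no hint why a fault operation is special, and it is only one half of the condition — the other half is the `instanceof NoSecuritySecurityEvent` check added at the top of `registerSecurityEvent` in the previous hunk — that together disables enforcement in the verify methods. A comment such as `// WSS-486: a fault from a responder that applied no security must not fail the initiator's policy; see the assertionStateMap checks` would tie the two sites together for the next reader. The detection compares only the operation QName against `SOAP11_FAULT`/`SOAP12_FAULT`, which is what the constants added in the `@@ -116` hunk exist for; a one-line Javadoc on those constants saying so would help as well.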