Posted to commits@ws.apache.org by co...@apache.org on 2013/12/12 12:57:51 UTC
svn commit: r1550401 -
/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
Author: coheigea
Date: Thu Dec 12 11:57:50 2013
New Revision: 1550401
URL: http://svn.apache.org/r1550401
Log:
[WSS-486] - Weaken policy validation for an initiator + no security header + soap fault
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java?rev=1550401&r1=1550400&r2=1550401&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java Thu Dec 12 11:57:50 2013
@@ -91,6 +91,7 @@ import org.apache.wss4j.policy.stax.asse
import org.apache.wss4j.policy.stax.assertionStates.UsernameTokenAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.X509TokenAssertionState;
import org.apache.wss4j.stax.ext.WSSConstants;
+import org.apache.wss4j.stax.securityEvent.NoSecuritySecurityEvent;
import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
@@ -116,6 +117,9 @@ public class PolicyEnforcer implements S
protected static final transient org.slf4j.Logger log =
org.slf4j.LoggerFactory.getLogger(PolicyEnforcer.class);
+
+ private static final QName SOAP11_FAULT = new QName(WSSConstants.NS_SOAP11, "Fault");
+ private static final QName SOAP12_FAULT = new QName(WSSConstants.NS_SOAP12, "Fault");
private final List<OperationPolicy> operationPolicies;
private OperationPolicy effectivePolicy;
@@ -127,6 +131,8 @@ public class PolicyEnforcer implements S
private boolean initiator;
private String actorOrRole;
private int attachmentCount;
+ private boolean noSecurityHeader;
+ private boolean faultOccurred;
public PolicyEnforcer(List<OperationPolicy> operationPolicies, String soapAction, boolean initiator,
String actorOrRole, int attachmentCount) throws WSSPolicyException {
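Review bot: The two new flags are undocumented, and because they gate a bypass of policy enforcement the next maintainer needs to know exactly what each one means and who sets it. I would annotate them where they are declared: `// set from registerSecurityEvent when a NoSecuritySecurityEvent arrives, i.e. the message carried no Security header` and `// set from the Operation event when the body element is a SOAP 1.1 or 1.2 Fault`. Nothing in the diff resets either flag, so if a PolicyEnforcer instance were ever reused across messages the relaxation would carry over; a one-line comment stating the instance is per-message (if that is the case) would close that question. The enclosing class continues outside this hunk.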
@@ -426,7 +432,7 @@ public class PolicyEnforcer implements S
}
//if the assertionStateMap is empty (the size of the list is equal to the alternatives)
//then we could not satisfy any alternative
- if (assertionStateMap.isEmpty()) {
+ if (assertionStateMap.isEmpty() && !(faultOccurred && noSecurityHeader && initiator)) {
logFailedAssertions();
throw new PolicyViolationException(assertionMessage);
}
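Review bot: The added condition silently discards every failed assertion when an initiator receives a Fault with no Security header: `logFailedAssertions()` is skipped along with the exception, so an unprotected fault that the policy would otherwise reject is accepted with no trace in the logs. Since the server's signature/encryption requirements are not applied to such a message, anyone on the network path can end a request with a forged fault that the client treats as a genuine service error, and that should at least be visible at warn level. The same three-flag condition is repeated at the two later enforcement points in this commit, so I would pull it into one private helper that logs the relaxation and keeps the failed-assertion dump, and call it at all three sites; the surrounding method starts and ends outside this hunk.
```java
        if (assertionStateMap.isEmpty() && !isUnsecuredFaultOnInitiator()) {
            logFailedAssertions();
            throw new PolicyViolationException(assertionMessage);
        }
        // … unchanged: remainder of the method …

    /**
     * True when enforcement is deliberately relaxed (WSS-486): this side is the initiator,
     * the response is a SOAP Fault and it carries no Security header. Logs the bypass so
     * unprotected faults are not accepted invisibly.
     */
    private boolean isUnsecuredFaultOnInitiator() {
        boolean relaxed = initiator && faultOccurred && noSecurityHeader;
        if (relaxed) {
            log.warn("SOAP Fault received without a Security header; security policy not enforced for this message");
            logFailedAssertions();
        }
        return relaxed;
    }
```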
@@ -464,7 +470,7 @@ public class PolicyEnforcer implements S
}
}
}
- if (assertionStateMap.isEmpty()) {
+ if (assertionStateMap.isEmpty() && !(faultOccurred && noSecurityHeader && initiator)) {
logFailedAssertions();
throw new WSSPolicyException(assertionMessage);
}
@@ -526,7 +532,7 @@ public class PolicyEnforcer implements S
}
}
}
- if (assertionStateMap.isEmpty()) {
+ if (assertionStateMap.isEmpty() && !(faultOccurred && noSecurityHeader && initiator)) {
logFailedAssertions();
throw new WSSPolicyException(assertionMessage);
}
@@ -562,6 +568,10 @@ public class PolicyEnforcer implements S
@Override
public synchronized void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
+ if (securityEvent instanceof NoSecuritySecurityEvent) {
+ noSecurityHeader = true;
+ }
+
if (operationSecurityEventOccured) {
try {
verifyPolicy(securityEvent);
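Review bot: The `noSecurityHeader` flag is set unconditionally for any NoSecuritySecurityEvent, but the relaxation it feeds is only consulted inside `verifyPolicy`, so it only has an effect if the NoSecurity event is delivered before the event whose verification would otherwise fail; whether the inbound processor guarantees that ordering is not visible from this hunk and is worth a comment or a test. I would document the assignment with `// remember that no Security header was present; together with initiator + Fault this relaxes enforcement (WSS-486)` so the coupling to the checks further down is explicit. Note also that the flag is recorded regardless of the actor/role this enforcer is configured for, which is fine only if the event itself is already scoped to that header. The method continues past the end of this hunk.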
@@ -575,6 +585,11 @@ public class PolicyEnforcer implements S
if (WSSecurityEventConstants.Operation.equals(securityEvent.getSecurityEventType())) {
operationSecurityEventOccured = true;
final OperationSecurityEvent operationSecurityEvent = (OperationSecurityEvent) securityEvent;
+ if (SOAP11_FAULT.equals(operationSecurityEvent.getOperation())
+ || SOAP12_FAULT.equals(operationSecurityEvent.getOperation())) {
+ faultOccurred = true;
+ }
+
if (effectivePolicy == null) {
effectivePolicy = findPolicyBySOAPOperationName(operationPolicies, operationSecurityEvent.getOperation().getLocalPart());
if (effectivePolicy == null) {