You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by gi...@apache.org on 2012/02/29 21:54:56 UTC
svn commit: r1295267 [5/11] - in /webservices/wss4j/branches/swssf:
rampart-policy/src/main/java/org/apache/ws/secpolicy/builders/
streaming-ws-policy/src/main/java/org/swssf/policy/
streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ s...
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSConstants.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSConstants.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSConstants.java Wed Feb 29 20:54:51 2012
@@ -23,9 +23,7 @@ import org.swssf.xmlsec.ext.XMLSecurityC
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.namespace.QName;
-import java.util.EnumSet;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.*;
/**
* WSSConstants for global use
@@ -47,6 +45,8 @@ public class WSSConstants extends XMLSec
protected WSSConstants() {
}
+ public static final String TRANSPORT_SECURITY_ACTIVE = "transportSecurityActive";
+
public static final String TIMESTAMP_PROCESSED = "TimestampProcessed";
public static final String NS_WSSE10 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
@@ -295,6 +295,192 @@ public class WSSConstants extends XMLSec
}
}
+ public static final List<QName> SOAP_11_BODY_PATH = new LinkedList<QName>();
+ public static final List<QName> SOAP_11_HEADER_PATH = new LinkedList<QName>();
+ public static final List<QName> WSSE_SECURITY_HEADER_PATH = new LinkedList<QName>();
+
+ static {
+ SOAP_11_BODY_PATH.add(WSSConstants.TAG_soap11_Envelope);
+ SOAP_11_BODY_PATH.add(WSSConstants.TAG_soap11_Body);
+
+ SOAP_11_HEADER_PATH.add(WSSConstants.TAG_soap11_Envelope);
+ SOAP_11_HEADER_PATH.add(WSSConstants.TAG_soap11_Header);
+
+ WSSE_SECURITY_HEADER_PATH.addAll(SOAP_11_HEADER_PATH);
+ WSSE_SECURITY_HEADER_PATH.add(WSSConstants.TAG_wsse_Security);
+
+ }
+
+ public enum BSPRule {
+ R3203("A TIMESTAMP MUST contain exactly one CREATED"),
+ R3224("Any TIMESTAMP MUST NOT contain more than one EXPIRES"),
+ R3221("Any TIMESTAMP containing an EXPIRES MUST contain a CREATED that precedes its sibling EXPIRES"),
+ R3222("Any TIMESTAMP MUST NOT contain anything other than CREATED or EXPIRES elements"),
+ R3220("Any CREATED SHOULD NOT contain a seconds value with more than three digits to the right of the decimal (milliseconds)"),
+ R3229("Any EXPIRES SHOULD NOT contain a seconds value with more than three digits to the right of the decimal (milliseconds)"),
+ R3213("Any CREATED containing second values MUST specify seconds values less than 60"),
+ R3215("Any EXPIRES containing second values MUST specify seconds values less than 60"),
+ R3225("Any CREATED MUST NOT include a ValueType attribute"),
+ R3226("Any EXPIRES MUST NOT include a ValueType attribute"),
+ R3217("Any CREATED MUST contain time values in UTC format as specified by the XML Schema type (dateTime)"),
+ R3223("Any EXPIRES MUST contain time values in UTC format as specified by the XML Schema type (dateTime)"),
+
+ R3061("A SECURITY_TOKEN_REFERENCE MUST provide exactly one token reference"),
+ R3074("Any wsse:11:TokenType Attribute in a SECURITY_TOKEN_REFERENCE MUST specify a value that a TokenType specified by a security token profile for the referenced SECURITY_TOKEN"),
+ R3057("Any STR_REFERENCE MUST NOT reference a SECURITY_TOKEN_REFERENCE"),
+ R3064("Any STR_REFERENCE MUST NOT reference an STR_EMBEDDED"),
+ R3059("Any STR_REFERENCE MUST specify a ValueType attribute with the exception of STR_REFERENCE pointing to a SAML_V2_0_TOKEN or a KERBEROS_TOKEN or an ENCRYPTED_KEY_TOKEN"),
+ R3058("Any STR_REFERENCE ValueType attribute MUST contain a value for the referenced SECURITY_TOKEN specified by the corresponding security token profile"),
+ R3062("Any STR_REFERENCE MUST specify a URI attribute"),
+ R3027("Any SECURITY_TOKEN_REFERENCE MUST NOT contain an STR_KEY_NAME"),
+ R3054("Any STR_KEY_IDENTIFIER MUST specify a ValueType attribute"),
+ R3063("Any STR_KEY_IDENTIFIER ValueType attribute MUST contain a value specified within the security token profile associated with the referenced SECURITY_TOKEN"),
+ R3070("Any STR_KEY_IDENTIFIER that refers to a SECURITY_TOKEN other than a SAML_TOKEN MUST specify an EncodingType attribute"),
+ R3071("Any STR_KEY_IDENTIFIER EncodingType attribute MUST have a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\""),
+ R3060("Any STR_EMBEDDED MUST contain only a single child element which is an INTERNAL_SECURITY_TOKEN"),
+ R3025("Any INTERNAL_SECURITY_TOKEN contained in an STR_EMBEDDED MUST be in the same format as if it were a child of a SECURITY_HEADER"),
+ R3056("Any STR_EMBEDDED MUST NOT contain a wsse:SecurityTokenReference child element"),
+ R3022("Any SECURITY_TOKEN_REFERENCE that references an INTERNAL_SECURITY_TOKEN which has a wsu:Id attribute MUST contain an STR_REFERENCE or STR_EMBEDDED"),
+ R3023("Any SECURITY_TOKEN_REFERENCE that references an INTERNAL_SECURITY_TOKEN that is referenced several times SHOULD contain an STR_REFERENCE rather than an STR_EMBEDDED"),
+ R5204("Any STR_REFERENCE to an INTERNAL_SECURITY_TOKEN having an ID attribute MUST contain a URI attribute with a Shorthand XPointer value"),
+ R5205("Any INTERNAL_SECURITY_TOKEN that is not contained in an STR_EMBEDDED MUST precede all SECURITY_TOKEN_REFERENCE elements that reference it in the SOAP_ENVELOPE"),
+ R3066("Any STR_REFERENCE that is a descendant of a SECURITY_HEADER MUST NOT use a Shorthand XPointer to refer to an INTERNAL_SECURITY_TOKEN located in a SECURITY_HEADER other than the SECURITY_HEADER that contains the STR_REFERENCE"),
+ R3067("Any STR_REFERENCE that is a descendant of an ENCRYPTED_DATA MUST NOT use a Shorthand XPointer to refer to an INTERNAL_SECURITY_TOKEN located in a SECURITY_HEADER other than the SECURITY_HEADER containing a reference (EK_REFERENCE_LIST or an ENC_REFERENCE_LIST) to the ENCRYPTED_DATA"),
+ R3024("Any EXTERNAL_TOKEN_REFERENCE that can use an STR_REFERENCE MUST contain an STR_REFERENCE"),
+ R3211("Any SECURITY_TOKEN_REFERENCE MUST NOT reference a ds:KeyInfo element"),
+
+ R3102("A SIGNATURE MUST NOT be an Enveloping Signature as defined by the XML Signature specification"),
+ R3104("A SIGNATURE SHOULD NOT be an Enveloped Signature as defined by the XML Signature specification"),
+ R3103("A SIGNATURE SHOULD be a Detached Signature as defined by the XML Signature specification"),
+ R3001("Any SIG_REFERENCE SHOULD contain a URI attribute containing a Shorthand XPointer"),
+ R3003("Any SIG_REFERENCE to a SIGNATURE or descendant of a SIGNATURE MUST contain a URI attribute with a reference value that is a Shorthand XPointer to Local ID attribute defined by XML Signature"),
+ R3004("Any SIG_REFERENCE to an element defined in XML Encryption MUST contain a URI attribute with a reference value that is a Shorthand XPointer to Local ID attribute defined by XML Encryption"),
+ R3005("Any SIG_REFERENCE to an element that is not defined in XML Encryption, a SIGNATURE, or a descendant of a SIGNATURE SHOULD contain a URI attribute with a reference value that is a Shorthand XPointer to a wsu:Id attribute"),
+ R3002("Any SIG_REFERENCE to an element that does not have an ID attribute MUST contain a TRANSFORM with an Algorithm attribute value of \"http://www.w3.org/2002/06/xmldsig-filter2\""),
+ R5416("Any SIG_REFERENCE MUST contain a SIG_TRANSFORMS child element"),
+ R5411("Any SIG_TRANSFORMS MUST contain at least one SIG_TRANSFORM child element"),
+ R5423("Any SIG_TRANSFORM Algorithm attribute MUST have a value of \"http://www.w3.org/2001/10/xml-exc-c14n#\" or \"http://www.w3.org/2002/06/xmldsig-filter2\" or \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform\" or \"http://www.w3.org/2000/09/xmldsig#enveloped-signature\" or \"http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform\" or \"http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform\""),
+ R5412("Any SIG_TRANSFORMS MUST contain as its last child a SIG_TRANSFORM with an Algorithm attribute with a value of \"http://www.w3.org/2001/10/xml-exc-c14n#\" or \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform\" or \"http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform\" or \"http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform\""),
+ R5407("Any SIG_TRANSFORM with an Algorithm attribute with a value of \"http://www.w3.org/2001/10/xml-exc-c14n#\" MUST contain an INCLUSIVE_NAMESPACES with an PrefixList attribute unless the PrefixList is empty"),
+ R5413("Any SIG_TRANSFORM with an Algorithm attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform\" MUST have an INCLUSIVE_NAMESPACES with an PrefixList attribute unless the PrefixList is empty"),
+ R3065("Any SIG_TRANSFORM with an Algorithm attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform\" MUST contain a child wsse:TransformationParameters element containing a child ds:CanonicalizationMethod element"),
+ R5404("Any CANONICALIZATION_METHOD Algorithm attribute MUST have a value of \"http://www.w3.org/2001/10/xml-exc-c14n#\" indicating that it uses Exclusive C14N without comments for canonicalization"),
+ R5406("Any CANONICALIZATION_METHOD MUST contain an INCLUSIVE_NAMESPACES with a PrefixList attribute unless the PrefixList is empty"),
+ R5414("A RECEIVER MUST be capable of accepting and processing an INCLUSIVE_NAMESPACES PrefixList attribute containing prefixes in any order within the string"),
+ R5415("A RECEIVER MUST be capable of accepting and processing an INCLUSIVE_NAMESPACES PrefixList attribute containing arbitrary whitespace before, after and between the prefixes within the string"),
+ R5405("Any INCLUSIVE_NAMESPACES MUST contain the prefix of all namespaces that are in-scope and desired to be protected, but not visibly utilized, for the element being signed and its descendants, per Exclusive XML Canonicalization Version 1.0"),
+ R5408("Any INCLUSIVE_NAMESPACES MUST contain the string \"#default\" if a default namespace is in-scope and desired to be protected, but not visibly utilized, for the element being signed and its descendants, per Exclusive XML Canonicalization Version 1.0"),
+ R5420("Any DIGEST_METHOD Algorithm attribute SHOULD have the value \"http://www.w3.org/2000/09/xmldsig#sha1\""),
+ R5421("Any SIGNATURE_METHOD Algorithm attribute SHOULD have a value of \"http://www.w3.org/2000/09/xmldsig#hmac-sha1\" or \"http://www.w3.org/2000/09/xmldsig#rsa-sha1\""),
+ R5401("Any SIGNATURE_METHOD MUST NOT contain a ds:HMACOutputLength child element"),
+ R5402("Any SIG_KEY_INFO MUST contain exactly one child element"),
+ R5417("Any SIG_KEY_INFO MUST contain a SECURITY_TOKEN_REFERENCE child element"),
+ R5403("A SIGNATURE MUST NOT contain a ds:Manifest descendant element"),
+ R5440("A SIGNATURE MUST NOT have any xenc:EncryptedData elements amongst its descendants"),
+ R5441("A SIGNATURE_CONFIRMATION MUST contain a wsu:Id attribute"),
+
+ R3228("A soap:Header element in a SECURE_ENVELOPE MUST NOT contain any child ENCRYPTED_DATA"),
+ R3299("A soap:Header element in a SECURE_ENVELOPE MAY contain ENCRYPTED_HEADER children"),
+ R3230("An ENCRYPTED_HEADER MUST NOT contain any children other than a single required ENCRYPTED_DATA"),
+ R3232("In cases where a wsu:Id does exist on the ENCRYPTED_HEADER, the child ENCRYPTED_DATA MAY contain an Id attribute"),
+ R3205("Any ENC_REFERENCE_LIST produced as part of an encryption step MUST use a single key"),
+ R3231("Any ENC_REFERENCE_LIST MUST contain an xenc:DataReference element for each ENCRYPTED_DATA produced in the associated encryption step"),
+ R3214("Any EK_REFERENCE_LIST MUST contain a xenc:DataReference for each ENCRYPTED_DATA produced in the associated encryption step"),
+ R3208("Any ENCRYPTED_KEY MUST precede any ENCRYPTED_DATA in the same SECURITY_HEADER referenced by the associated EK_REFERENCE_LIST"),
+ R3209("Any ENCRYPTED_KEY MUST NOT specify a Type attribute"),
+ R5622("Any ENCRYPTED_KEY MUST NOT specify a MimeType attribute"),
+ R5623("Any ENCRYPTED_KEY MUST NOT specify a Encoding attribute"),
+ R5602("Any ENCRYPTED_KEY MUST NOT contain a Recipient attribute"),
+ R5603("Any ENCRYPTED_KEY MUST contain an xenc:EncryptionMethod child element"),
+ R5629("An ENCRYPTED_DATA which is not referenced from an ENCRYPTED_KEY MUST contain a ds:KeyInfo"),
+ R5624("In cases where a wsu:Id does not exist on the ENCRYPTED_HEADER, the child ENCRYPTED_DATA MUST contain an ID attribute"),
+ R5627("In cases where an ID does not exist on the ENCRYPTED_DATA, the parent ENCRYPTED_HEADER MUST contain a wsu:Id attribute"),
+ R5601("Any ENCRYPTED_DATA MUST contain an xenc:EncryptionMethod child element"),
+ R5424("Any ENC_KEY_INFO MUST have exactly one child element"),
+ R5426("Any ENC_KEY_INFO MUST contain a child SECURITY_TOKEN_REFERENCE"),
+ R5608("Any ENC_DATA_REFERENCE MUST contain a URI attribute containing a Shorthand XPointer reference value based on either the Id attribute of the referenced ENCRYPTED_DATA or the wsu:Id attribute of the referenced ENCRYPTED_HEADER"),
+ R3006("Any EK_DATA_REFERENCE MUST contain a URI attribute containing a Shorthand XPointer reference value based on either the Id attribute of the referenced ENCRYPTED_DATA or the wsu:Id attribute of the referenced ENCRYPTED_HEADER"),
+ R5613("Any ENC_KEY_REFERENCE MUST contain a URI attribute containing a Shorthand XPointer reference value based on the Id attribute of the referred to ENCRYPTED_KEY"),
+ R3007("Any EK_KEY_REFERENCE MUST contain a URI attribute containing a Shorthand XPointer reference value based on the Id attribute of the referred to ENCRYPTED_KEY"),
+ R5620("Any ED_ENCRYPTION_METHOD Algorithm attribute MUST have a value of \"http://www.w3.org/2001/04/xmlenc#tripledes-cbc\", \"http://www.w3.org/2001/04/xmlenc#aes128-cbc\" or \"http://www.w3.org/2001/04/xmlenc#aes256-cbc\""),
+ R5621("When used for Key Transport, any EK_ENCRYPTION_METHOD Algorithm attribute MUST have a value of \"http://www.w3.org/2001/04/xmlenc#rsa-1_5\" or \"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\""),
+ R5625("When used for Key Wrap, any EK_ENCRYPTION_METHOD Algorithm attribute MUST have a value of \"http://www.w3.org/2001/04/xmlenc#kw-tripledes\", \"http://www.w3.org/2001/04/xmlenc#kw-aes128\", or \"http://www.w3.org/2001/04/xmlenc#kw-aes256\""),
+ R5626("Any EK_ENCRYPTION_METHOD Algorithm attribute MUST have a value of \"http://www.w3.org/2001/04/xmlenc#rsa-1_5\" or \"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\" or \"http://www.w3.org/2001/04/xmlenc#kw-tripledes\" or \"http://www.w3.org/2001/04/xmlenc#kw-aes128\" or \"http://www.w3.org/2001/04/xmlenc#kw-aes256\""),
+ R5614("A HEADER encrypted as a result of an encryption step MUST be replaced by a corresponding ENCRYPTED_HEADER"),
+ R5606("Any encrypted element or element content within a SECURE_ENVELOPE, encrypted as a result of an encryption step, MUST be replaced by a corresponding ENCRYPTED_DATA, unless the element is a HEADER_ELEMENT"),
+
+ R3029("Any BINARY_SECURITY_TOKEN MUST specify an EncodingType attribute"),
+ R3030("Any BINARY_SECURITY_TOKEN EncodingType attribute MUST have a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\""),
+ R3031("Any BINARY_SECURITY_TOKEN MUST specify an ValueType attribute"),
+ R3032("Any BINARY_SECURITY_TOKEN ValueType attribute MUST have a value specified by the related security token profile"),
+
+ R4222("Any USERNAME_TOKEN MUST NOT have more than one PASSWORD"),
+ R4201("Any PASSWORD MUST specify a Type attribute"),
+ R4212("Any PASSWORD with a Type attribute value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\" MUST have its value computed using the following formula, where \"+\" indicates concatenation: Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) ). That is, concatenate the text forms of the nonce, creation time, and the password (or shared secret or password equivalent), digest the combination using the SHA-1 hash algorithm, then include the Base64 encoding of that result as the password (digest). Any elements that are not present are simply omitted from the concatenation"),
+ R4216("When a SECURITY_TOKEN_REFERENCE, within a SIGNATURE or ENCRYPTED_KEY, refers to a SECURITY_TOKEN named wsse:UsernameToken to derive a key, the key MUST be derived using the algorithm specified in Section 4 of Web Services Security: UsernameToken Profile 1.1"),
+ R4217("When a SECURITY_TOKEN_REFERENCE, within a SIGNATURE or ENCRYPTED_KEY, refers to a SECURITY_TOKEN named wsse:UsernameToken to derive a key, the SECURITY_TOKEN MUST contain a wsse11:Salt child element"),
+ R4218("When a SECURITY_TOKEN_REFERENCE, within a SIGNATURE or ENCRYPTED_KEY, refers to a SECURITY_TOKEN named wsse:UsernameToken to derive a key, the SECURITY_TOKEN MUST contain a wsse11:Iteration child element with a value greater than or equal to 1000"),
+ R4223("Any USERNAME_TOKEN MUST NOT have more than one CREATED"),
+ R4225("Any USERNAME_TOKEN MUST NOT have more than one NONCE"),
+ R4220("Any NONCE MUST specify an EncodingType attribute"),
+ R4221("Any NONCE EncodingType attribute MUST have a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\""),
+ R4214("Any STR_REFERENCE to a USERNAME_TOKEN MUST have a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken\""),
+ R4215("Any SECURITY_TOKEN_REFERENCE to a USERNAME_TOKEN MUST NOT contain an STR_KEY_IDENTIFIER"),
+
+ R3033("Any X509_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3\""),
+ R5201("Any BINARY_SECURITY_TOKEN containing an X.509 Certificate Path MUST be either a PKCS7_TOKEN or a PKIPATH_TOKEN"),
+ R5202("Any BINARY_SECURITY_TOKEN containing an X.509 Certificate Path SHOULD be a PKIPATH_TOKEN"),
+ R5211("Any PKCS7_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7\""),
+ R5218("Any STR_REFERENCE to a X509_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3\""),
+ R5212("Any SECURITY_TOKEN_REFERENCE to a PKCS7_TOKEN MUST contain a wsse11:TokenType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7\""),
+ R5213("Any STR_REFERENCE to a PKCS7_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7\""),
+ R5214("Any PKIPATH_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1\""),
+ R5215("Any SECURITY_TOKEN_REFERENCE to a PKIPATH_TOKEN MUST contain a wsse11:TokenType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1\""),
+ R5216("Any STR_REFERENCE to a PKIPATH_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1\""),
+ R5209("When a SECURITY_TOKEN_REFERENCE references an EXTERNAL_SECURITY_TOKEN that cannot be referred to using an STR_REFERENCE but can be referred to using an STR_KEY_IDENTIFIER or STR_ISSUER_SERIAL, an STR_KEY_IDENTIFIER or STR_ISSUER_SERIAL MUST be used"),
+ R5206("Any STR_KEY_IDENTIFIER that references an X509_TOKEN MUST have a ValueType attribute with the value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier\" or \"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1\""),
+ R5208("Any STR_KEY_IDENTIFIER that references an X509_TOKEN and has a ValueType attribute with the value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier\" MUST contain the value of the token's SubjectKeyIdentifier extension"),
+ R5210("Any STR_KEY_IDENTIFIER that references an X509_TOKEN which does not contain a SubjectKeyIdentifier extension MUST have a ValueType attribute with the value of \"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1\" and MUST contain the value of the SHA1 of the raw octets of the X509_TOKEN that is referenced"),
+ R5409("Any STR_ISSUER_SERIAL MUST contain a value following the encoding rules specified in the XML Signature specification for DNames"),
+
+ R6304("Any STR_REFERENCE to a REL_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license\""),
+ R6301("Any STR_REFERENCE to a INTERNAL_SECURITY_TOKEN that is an REL_TOKEN containing a wsu:Id attribute, MUST NOT use a licenseId reference"),
+ R6302("Any SECURITY_HEADER child elements MUST be ordered so that any SIGNATURE necessary to verify the issuance of an REL_TOKEN precedes the first SECURITY_TOKEN_REFERENCE that refers to that REL_TOKEN"),
+
+ R6902("Any KERBEROS_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ\""),
+ R6903("Any KERBEROS_TOKEN MUST be an INTERNAL_SECURITY_TOKEN in the initial SECURE_ENVELOPE of an authenticated message exchange between a SENDER and RECEIVER"),
+ R6904("Any KERBEROS_TOKEN MUST be an EXTERNAL_SECURITY_TOKEN in each SECURE_ENVELOPE after the initial SECURE_ENVELOPE of an authenticated message exchange between a SENDER and RECEIVER"),
+ R6907("Any SECURITY_TOKEN_REFERENCE to a KERBEROS_TOKEN MUST contain a wsse11:TokenType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ\""),
+ R6906("Any STR_KEY_IDENTIFIER to a KERBEROS_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-kerberos-tokenprofile-1.1#Kerberosv5APREQSHA1\""),
+ R6905("Any SECURITY_TOKEN_REFERENCE to an EXTERNAL_SECURITY_TOKEN which is a KERBEROS_TOKEN MUST contain an STR_KEY_IDENTIFIER"),
+
+ R6601("Any SAML_SC_KEY_INFO MUST NOT contain a reference to a SAML_TOKEN"),
+ R6611("Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a wsse11:TokenType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1\""),
+ R6617("Any SECURITY_TOKEN_REFERENCE to a SAML_V2_0_TOKEN MUST contain a wsse11:TokenType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0\""),
+ R6614("Any SECURITY_TOKEN_REFERENCE that references an INTERNAL_SAML_V2_0_TOKEN using a STR_REFERENCE MUST NOT contain a ValueType attribute"),
+ R6602("Any STR_KEY_IDENTIFIER that references a INTERNAL_SAML_TOKEN MUST include a ValueType attribute"),
+ R6609("Any STR_KEY_IDENTIFIER that references a EXTERNAL_SAML_TOKEN MUST include a ValueType attribute"),
+ R6603("Any STR_KEY_IDENTIFIER ValueType attribute that references a SAML_V1_1_TOKEN MUST have a value of \"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID\""),
+ R6616("Any STR_KEY_IDENTIFIER ValueType attribute that references a SAML_V2_0_TOKEN MUST have a value of \"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID\""),
+ R6604("Any STR_KEY_IDENTIFIER that references a SAML_TOKEN MUST NOT include an EncodingType attribute"),
+ R6605("Any STR_KEY_IDENTIFIER that references a SAML_TOKEN MUST have a value encoded as an xs:string"),
+ R6610("Any SECURITY_TOKEN_REFERENCE that references an INTERNAL_SAML_TOKEN that has an ID attribute, the reference MUST contain an STR_REFERENCE or an STR_EMBEDDED"),
+ R6612("Any SIG_REFERENCE to a SECURITY_TOKEN_REFERENCE which contains an STR_EMBEDDED which contains an INTERNAL_SAML_V2_0_TOKEN MUST NOT include a SIG_TRANSFORM with an Algorithm attribute value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform\""),
+ R6606("Any SECURITY_TOKEN_REFERENCE that references an EXTERNAL_SAML_TOKEN MUST contain a SAML_AUTHORITY_BINDING"),
+ R6607("Any AuthorityKind attribute of a SAML_AUTHORITY_BINDING MUST have a value of saml:AssertionIDReference"),
+ R6608("Any SECURITY_TOKEN_REFERENCE that references an INTERNAL_SAML_TOKEN MUST NOT contain a SAML_AUTHORITY_BINDING"),
+ R6613("Any SECURITY_TOKEN_REFERENCE to an EXTERNAL_SAML_V2_0_TOKEN MUST contain an STR_REFERENCE"),
+
+ R3069("Any SECURITY_TOKEN_REFERENCE to a ENCRYPTED_KEY_TOKEN MUST contain a wsse11:TokenType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey\""),
+ R3072("Any STR_KEY_IDENTIFIER element in a SECURITY_TOKEN_REFERENCE that refers to an ENCRYPTED_KEY_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1\"");
+
+ private String msg;
+
+ private BSPRule(String msg) {
+ this.msg = msg;
+ }
+ }
+
/****************************************************************************
* Fault codes defined in the WSS 1.1 spec under section 12, Error handling
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java Wed Feb 29 20:54:51 2012
@@ -337,7 +337,7 @@ public class WSSUtils extends XMLSecurit
abstractOutputProcessor.createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_Reference);
}
- public static TokenSecurityEvent createTokenSecurityEvent(SecurityToken securityToken) throws WSSecurityException {
+ public static TokenSecurityEvent createTokenSecurityEvent(final SecurityToken securityToken) throws WSSecurityException {
WSSConstants.TokenType tokenType = (WSSConstants.TokenType) securityToken.getTokenType();
TokenSecurityEvent tokenSecurityEvent;
@@ -378,4 +378,43 @@ public class WSSUtils extends XMLSecurit
tokenSecurityEvent.setSecurityToken(securityToken);
return tokenSecurityEvent;
}
+
+ public static boolean pathMatches(List<QName> path1, List<QName> path2, boolean matchAnySoapNS, boolean lastElementWildCard) {
+ //todo remove these null checks! paths must not be null!
+ if (path1 == null || path2 == null || path1.size() != path2.size()) {
+ return false;
+ }
+ Iterator<QName> path1Iterator = path1.iterator();
+ Iterator<QName> path2Iterator = path2.iterator();
+ while (path1Iterator.hasNext()) {
+ QName qName1 = path1Iterator.next();
+ QName qName2 = path2Iterator.next();
+ if (matchAnySoapNS && (WSSConstants.NS_SOAP11.equals(qName1.getNamespaceURI())
+ || WSSConstants.NS_SOAP12.equals(qName1.getNamespaceURI()))) {
+ if (!qName1.getLocalPart().equals(qName2.getLocalPart())) {
+ return false;
+ }
+ } else if (!qName1.equals(qName2)) {
+ if (!path1Iterator.hasNext() && lastElementWildCard) {
+ if (!qName1.getNamespaceURI().equals(qName2.getNamespaceURI())) {
+ return false;
+ }
+ } else {
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
+ public static String pathAsString(List<QName> path) {
+ StringBuilder stringBuilder = new StringBuilder();
+ Iterator<QName> pathIterator = path.iterator();
+ while (pathIterator.hasNext()) {
+ QName qName = pathIterator.next();
+ stringBuilder.append('/');
+ stringBuilder.append(qName.toString());
+ }
+ return stringBuilder.toString();
+ }
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityContext.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityContext.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityContext.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityContext.java Wed Feb 29 20:54:51 2012
@@ -36,7 +36,7 @@ public interface WSSecurityContext exten
*
* @param securityEventListener The SecurityEventListener
*/
- public void setSecurityEventListener(SecurityEventListener securityEventListener);
+ public void addSecurityEventListener(SecurityEventListener securityEventListener);
/**
* Registers a SecurityEvent which will be forwarded to the registered SecurityEventListener
Added: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityToken.java?rev=1295267&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityToken.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityToken.java Wed Feb 29 20:54:51 2012
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.swssf.wss.ext;
+
+import org.swssf.xmlsec.ext.SecurityToken;
+
+import javax.xml.namespace.QName;
+import java.util.List;
+
+/**
+ * @author $Author: giger $
+ * @version $Revision: 1228829 $ $Date: 2012-01-08 12:44:13 +0100 (Sun, 08 Jan 2012) $
+ */
+public interface WSSecurityToken extends SecurityToken {
+
+ List<QName> getElementPath();
+
+ void setElementPath(List<QName> elementPath);
+}
Copied: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/InboundWSSecurityContextImpl.java (from r1235883, webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java)
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/InboundWSSecurityContextImpl.java?p2=webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/InboundWSSecurityContextImpl.java&p1=webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java&r1=1235883&r2=1295267&rev=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/InboundWSSecurityContextImpl.java Wed Feb 29 20:54:51 2012
@@ -19,11 +19,18 @@
package org.swssf.wss.impl;
-import org.swssf.wss.ext.WSSecurityContext;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSUtils;
import org.swssf.wss.ext.WSSecurityException;
-import org.swssf.wss.securityEvent.SecurityEvent;
-import org.swssf.wss.securityEvent.SecurityEventListener;
-import org.swssf.xmlsec.impl.SecurityContextImpl;
+import org.swssf.wss.securityEvent.*;
+import org.swssf.xmlsec.ext.SecurityToken;
+import org.swssf.xmlsec.ext.XMLSecurityException;
+
+import javax.xml.namespace.QName;
+import java.util.Deque;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
/**
* Concrete security context implementation
@@ -31,18 +38,389 @@ import org.swssf.xmlsec.impl.SecurityCon
* @author $Author$
* @version $Revision$ $Date$
*/
-public class WSSecurityContextImpl extends SecurityContextImpl implements WSSecurityContext {
-
- private SecurityEventListener securityEventListener;
+public class InboundWSSecurityContextImpl extends WSSecurityContextImpl {
- public void setSecurityEventListener(SecurityEventListener securityEventListener) {
- this.securityEventListener = securityEventListener;
- }
+ private Deque<SecurityEvent> securityEventQueue = new LinkedList<SecurityEvent>();
+ private boolean operationSecurityEventOccured = false;
+ private boolean messageEncryptionTokenOccured = false;
public synchronized void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
- if (securityEventListener == null) {
+
+ if (operationSecurityEventOccured) {
+ if (!this.messageEncryptionTokenOccured) {
+ if (securityEvent instanceof TokenSecurityEvent) {
+ TokenSecurityEvent tokenSecurityEvent = ((TokenSecurityEvent) securityEvent);
+ if (tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(SecurityToken.TokenUsage.Encryption)) {
+ SecurityToken securityToken = tokenSecurityEvent.getSecurityToken();
+
+ try {
+ while (securityToken.getKeyWrappingToken() != null) {
+ securityToken = securityToken.getKeyWrappingToken();
+ }
+ TokenSecurityEvent newTokenSecurityEvent = WSSUtils.createTokenSecurityEvent(securityToken);
+ setTokenUsage(newTokenSecurityEvent, SecurityToken.TokenUsage.MainEncryption);
+ forwardSecurityEvent(newTokenSecurityEvent);
+ } catch (XMLSecurityException e) {
+ throw new WSSecurityException(e.getMessage(), e);
+ }
+ this.messageEncryptionTokenOccured = true;
+ }
+ }
+ }
+
+ forwardSecurityEvent(securityEvent);
return;
}
- securityEventListener.registerSecurityEvent(securityEvent);
+
+ if (securityEvent.getSecurityEventType() == SecurityEvent.Event.Operation) {
+ operationSecurityEventOccured = true;
+
+ try {
+ identifySecurityTokenDepenedenciesAndUsage(securityEventQueue);
+ } catch (XMLSecurityException e) {
+ throw new WSSecurityException(e.getMessage(), e);
+ }
+
+ //forward operation security event
+ forwardSecurityEvent(securityEvent);
+
+ Iterator<SecurityEvent> securityEventIterator = securityEventQueue.descendingIterator();
+ while (securityEventIterator.hasNext()) {
+ SecurityEvent prevSecurityEvent = securityEventIterator.next();
+ forwardSecurityEvent(prevSecurityEvent);
+ }
+ securityEventQueue.clear();
+ return;
+ }
+
+ securityEventQueue.push(securityEvent);
+ }
+
+ private void identifySecurityTokenDepenedenciesAndUsage(
+ Deque<SecurityEvent> securityEventDeque) throws XMLSecurityException {
+
+ List<TokenSecurityEvent> messageSignatureTokens = new LinkedList<TokenSecurityEvent>();
+ List<TokenSecurityEvent> messageEncryptionTokens = new LinkedList<TokenSecurityEvent>();
+ List<TokenSecurityEvent> supportingTokens = new LinkedList<TokenSecurityEvent>();
+ List<TokenSecurityEvent> signedSupportingTokens = new LinkedList<TokenSecurityEvent>();
+ List<TokenSecurityEvent> endorsingSupportingTokens = new LinkedList<TokenSecurityEvent>();
+ List<TokenSecurityEvent> signedEndorsingSupportingTokens = new LinkedList<TokenSecurityEvent>();
+ List<TokenSecurityEvent> signedEncryptedSupportingTokens = new LinkedList<TokenSecurityEvent>();
+ List<TokenSecurityEvent> endorsingEncryptedSupportingTokens = new LinkedList<TokenSecurityEvent>();
+ List<TokenSecurityEvent> signedEndorsingEncryptedSupportingTokens = new LinkedList<TokenSecurityEvent>();
+
+ HttpsTokenSecurityEvent httpsTokenSecurityEvent = null;
+
+ List<TokenSecurityEvent> tokenSecurityEvents = new LinkedList<TokenSecurityEvent>();
+ Iterator<SecurityEvent> securityEventIterator = securityEventDeque.iterator();
+ while (securityEventIterator.hasNext()) {
+ SecurityEvent securityEvent = securityEventIterator.next();
+ if (securityEvent instanceof TokenSecurityEvent) {
+ if (securityEvent.getSecurityEventType() == SecurityEvent.Event.HttpsToken) {
+ HttpsTokenSecurityEvent actHttpsTokenSecurityEvent = (HttpsTokenSecurityEvent) securityEvent;
+ actHttpsTokenSecurityEvent.getSecurityToken().getTokenUsages().clear();
+ actHttpsTokenSecurityEvent.getSecurityToken().addTokenUsage(SecurityToken.TokenUsage.MainSignature);
+ messageSignatureTokens.add(actHttpsTokenSecurityEvent);
+ HttpsTokenSecurityEvent clonedHttpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
+ clonedHttpsTokenSecurityEvent.setAuthenticationType(actHttpsTokenSecurityEvent.getAuthenticationType());
+ clonedHttpsTokenSecurityEvent.setIssuerName(actHttpsTokenSecurityEvent.getIssuerName());
+ clonedHttpsTokenSecurityEvent.setSecurityToken(actHttpsTokenSecurityEvent.getSecurityToken());
+ clonedHttpsTokenSecurityEvent.getSecurityToken().addTokenUsage(SecurityToken.TokenUsage.MainEncryption);
+ messageEncryptionTokens.add(clonedHttpsTokenSecurityEvent);
+ httpsTokenSecurityEvent = clonedHttpsTokenSecurityEvent;
+ continue;
+ }
+ tokenSecurityEvents.add((TokenSecurityEvent) securityEvent);
+ }
+ }
+
+ Iterator<TokenSecurityEvent> tokenSecurityEventIterator = tokenSecurityEvents.iterator();
+ while (tokenSecurityEventIterator.hasNext()) {
+ TokenSecurityEvent tokenSecurityEvent = tokenSecurityEventIterator.next();
+ SecurityToken securityToken = tokenSecurityEvent.getSecurityToken();
+ if (securityToken.getKeyWrappingToken() == null) {
+ supportingTokens.add(tokenSecurityEvent);
+ } else {
+ while (securityToken.getKeyWrappingToken() != null) {
+ securityToken = securityToken.getKeyWrappingToken();
+ }
+ if (!containsSecurityToken(supportingTokens, securityToken)) {
+ TokenSecurityEvent newTokenSecurityEvent = WSSUtils.createTokenSecurityEvent(securityToken);
+ supportingTokens.add(newTokenSecurityEvent);
+ securityEventDeque.offer(newTokenSecurityEvent);
+ }
+ }
+ }
+
+ Iterator<TokenSecurityEvent> supportingTokensIterator = supportingTokens.iterator();
+ while (supportingTokensIterator.hasNext()) {
+ TokenSecurityEvent tokenSecurityEvent = supportingTokensIterator.next();
+ List<SecurityToken> signingSecurityTokens = isSignedToken(tokenSecurityEvent, securityEventDeque, httpsTokenSecurityEvent);
+
+ List<QName> signatureElementPath = new LinkedList<QName>();
+ signatureElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+ signatureElementPath.add(WSSConstants.TAG_dsig_Signature);
+ boolean signsSignature = signsElement(tokenSecurityEvent, signatureElementPath, securityEventDeque);
+ boolean encryptsSignature = encryptsElement(tokenSecurityEvent, signatureElementPath, securityEventDeque);
+
+ List<QName> signatureConfirmationElementPath = new LinkedList<QName>();
+ signatureConfirmationElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+ signatureConfirmationElementPath.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
+ boolean signsSignatureConfirmation = signsElement(tokenSecurityEvent, signatureConfirmationElementPath, securityEventDeque);
+ boolean encryptsSignatureConfirmation = encryptsElement(tokenSecurityEvent, signatureConfirmationElementPath, securityEventDeque);
+
+ List<QName> timestampElementPath = new LinkedList<QName>();
+ timestampElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+ timestampElementPath.add(WSSConstants.TAG_wsu_Timestamp);
+ boolean signsTimestamp = signsElement(tokenSecurityEvent, timestampElementPath, securityEventDeque);
+
+ List<QName> usernameTokenElementPath = new LinkedList<QName>();
+ timestampElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+ timestampElementPath.add(WSSConstants.TAG_wsse_UsernameToken);
+ boolean encryptsUsernameToken = encryptsElement(tokenSecurityEvent, usernameTokenElementPath, securityEventDeque);
+
+ boolean transportSecurityActive = Boolean.TRUE == get(WSSConstants.TRANSPORT_SECURITY_ACTIVE);
+
+ if (!transportSecurityActive && signsSignatureConfirmation && signsTimestamp) {
+ supportingTokensIterator.remove();
+ messageSignatureTokens.add(tokenSecurityEvent);
+ } else if (!transportSecurityActive && signsSignatureConfirmation) {
+ supportingTokensIterator.remove();
+ messageSignatureTokens.add(tokenSecurityEvent);
+ } else if (!transportSecurityActive && signsTimestamp) {
+ supportingTokensIterator.remove();
+ messageSignatureTokens.add(tokenSecurityEvent);
+ } else if (signsSignature && signingSecurityTokens.size() > 0) {
+ supportingTokensIterator.remove();
+ signedEndorsingSupportingTokens.add(tokenSecurityEvent);
+ } else if (signsSignature) {
+ supportingTokensIterator.remove();
+ endorsingSupportingTokens.add(tokenSecurityEvent);
+ } else if (signingSecurityTokens.size() > 0) {
+ supportingTokensIterator.remove();
+ signedSupportingTokens.add(tokenSecurityEvent);
+ } else if (!transportSecurityActive &&
+ (encryptsSignature || encryptsSignatureConfirmation || encryptsUsernameToken)) {
+ messageEncryptionTokens.add(tokenSecurityEvent);
+ }
+ }
+
+ if (messageSignatureTokens.size() == 0) {
+ SecurityToken messageSignatureToken = getSupportingTokenSigningToken(
+ signedSupportingTokens,
+ signedEndorsingSupportingTokens,
+ signedEncryptedSupportingTokens,
+ signedEndorsingEncryptedSupportingTokens,
+ securityEventDeque);
+
+ TokenSecurityEvent tokenSecurityEvent = getTokenSecurityEvent(messageSignatureToken, tokenSecurityEvents);
+ if (tokenSecurityEvent != null) {
+ supportingTokens.remove(tokenSecurityEvent);
+ signedSupportingTokens.remove(tokenSecurityEvent);
+ endorsingSupportingTokens.remove(tokenSecurityEvent);
+ signedEndorsingSupportingTokens.remove(tokenSecurityEvent);
+ signedEncryptedSupportingTokens.remove(tokenSecurityEvent);
+ endorsingEncryptedSupportingTokens.remove(tokenSecurityEvent);
+ signedEndorsingEncryptedSupportingTokens.remove(tokenSecurityEvent);
+ messageSignatureTokens.add(tokenSecurityEvent);
+ }
+ }
+
+ if (messageSignatureTokens.size() == 0) {
+ for (Iterator<TokenSecurityEvent> iterator = supportingTokens.iterator(); iterator.hasNext(); ) {
+ TokenSecurityEvent supportingToken = iterator.next();
+ if (supportingToken.getSecurityToken().getTokenUsages().contains(SecurityToken.TokenUsage.Signature)) {
+ iterator.remove();
+ messageSignatureTokens.add(supportingToken);
+ break;
+ }
+ }
+ }
+
+ if (messageEncryptionTokens.size() == 0) {
+ for (Iterator<TokenSecurityEvent> iterator = supportingTokens.iterator(); iterator.hasNext(); ) {
+ TokenSecurityEvent supportingToken = iterator.next();
+ if (supportingToken.getSecurityToken().getTokenUsages().contains(SecurityToken.TokenUsage.Encryption)) {
+ iterator.remove();
+ messageEncryptionTokens.add(supportingToken);
+ break;
+ }
+ }
+ }
+
+ if (messageEncryptionTokens.size() > 0) {
+ this.messageEncryptionTokenOccured = true;
+ }
+
+ setTokenUsage(messageSignatureTokens, SecurityToken.TokenUsage.MainSignature);
+ setTokenUsage(messageEncryptionTokens, SecurityToken.TokenUsage.MainEncryption);
+ setTokenUsage(supportingTokens, SecurityToken.TokenUsage.SupportingToken);
+ setTokenUsage(signedSupportingTokens, SecurityToken.TokenUsage.SignedSupportingTokens);
+ setTokenUsage(endorsingSupportingTokens, SecurityToken.TokenUsage.EndorsingSupportingTokens);
+ setTokenUsage(signedEndorsingSupportingTokens, SecurityToken.TokenUsage.SignedEndorsingSupportingTokens);
+ setTokenUsage(signedEncryptedSupportingTokens, SecurityToken.TokenUsage.SignedEncryptedSupportingTokens);
+ setTokenUsage(endorsingEncryptedSupportingTokens, SecurityToken.TokenUsage.EndorsingEncryptedSupportingTokens);
+ setTokenUsage(signedEndorsingEncryptedSupportingTokens, SecurityToken.TokenUsage.SignedEndorsingEncryptedSupportingTokens);
+ }
+
+ private boolean containsSecurityToken(List<TokenSecurityEvent> supportingTokens, SecurityToken securityToken) {
+ for (int i = 0; i < supportingTokens.size(); i++) {
+ TokenSecurityEvent tokenSecurityEvent = supportingTokens.get(i);
+ if (tokenSecurityEvent.getSecurityToken() == securityToken) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ private TokenSecurityEvent getTokenSecurityEvent(SecurityToken securityToken, List<TokenSecurityEvent> tokenSecurityEvents) throws XMLSecurityException {
+ for (int i = 0; i < tokenSecurityEvents.size(); i++) {
+ TokenSecurityEvent tokenSecurityEvent = tokenSecurityEvents.get(i);
+ if (tokenSecurityEvent.getSecurityToken() == securityToken) {
+ return tokenSecurityEvent;
+ }
+ }
+ return null;
+ }
+
+ private SecurityToken getSupportingTokenSigningToken(
+ List<TokenSecurityEvent> signedSupportingTokens,
+ List<TokenSecurityEvent> signedEndorsingSupportingTokens,
+ List<TokenSecurityEvent> signedEncryptedSupportingTokens,
+ List<TokenSecurityEvent> signedEndorsingEncryptedSupportingTokens,
+ Deque<SecurityEvent> securityEventDeque
+ ) throws XMLSecurityException {
+
+ //todo we have to check if the signingTokens also cover the other supporting tokens!
+ for (int i = 0; i < signedSupportingTokens.size(); i++) {
+ TokenSecurityEvent tokenSecurityEvent = signedSupportingTokens.get(i);
+ List<SecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
+ if (signingSecurityTokens.size() == 1) {
+ return signingSecurityTokens.get(0);
+ }
+ }
+ for (int i = 0; i < signedEndorsingSupportingTokens.size(); i++) {
+ TokenSecurityEvent tokenSecurityEvent = signedEndorsingSupportingTokens.get(i);
+ List<SecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
+ if (signingSecurityTokens.size() == 1) {
+ return signingSecurityTokens.get(0);
+ }
+ }
+ for (int i = 0; i < signedEncryptedSupportingTokens.size(); i++) {
+ TokenSecurityEvent tokenSecurityEvent = signedEncryptedSupportingTokens.get(i);
+ List<SecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
+ if (signingSecurityTokens.size() == 1) {
+ return signingSecurityTokens.get(0);
+ }
+ }
+ for (int i = 0; i < signedEndorsingEncryptedSupportingTokens.size(); i++) {
+ TokenSecurityEvent tokenSecurityEvent = signedEndorsingEncryptedSupportingTokens.get(i);
+ List<SecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
+ if (signingSecurityTokens.size() == 1) {
+ return signingSecurityTokens.get(0);
+ }
+ }
+ return null;
+ }
+
+ private List<SecurityToken> getSigningToken(TokenSecurityEvent tokenSecurityEvent, Deque<SecurityEvent> securityEventDeque) throws XMLSecurityException {
+ List<SecurityToken> signingSecurityTokens = new LinkedList<SecurityToken>();
+
+ for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator(); iterator.hasNext(); ) {
+ SecurityEvent securityEvent = iterator.next();
+ if (securityEvent.getSecurityEventType() == SecurityEvent.Event.SignedElement) {
+ SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
+ if (signedElementSecurityEvent.isSigned()
+ && WSSUtils.pathMatches(signedElementSecurityEvent.getElementPath(), tokenSecurityEvent.getSecurityToken().getElementPath(), true, false)) {
+ signingSecurityTokens.add(signedElementSecurityEvent.getSecurityToken());
+ }
+ }
+ }
+ return signingSecurityTokens;
+ }
+
+ private void setTokenUsage(List<TokenSecurityEvent> tokenSecurityEvents, SecurityToken.TokenUsage tokenUsage) throws XMLSecurityException {
+ Iterator<TokenSecurityEvent> tokenSecurityEventIterator = tokenSecurityEvents.iterator();
+ while (tokenSecurityEventIterator.hasNext()) {
+ TokenSecurityEvent tokenSecurityEvent = tokenSecurityEventIterator.next();
+ setTokenUsage(tokenSecurityEvent, tokenUsage);
+ }
+ }
+
+ private void setTokenUsage(TokenSecurityEvent tokenSecurityEvent, SecurityToken.TokenUsage tokenUsage) throws XMLSecurityException {
+ if (tokenUsage == SecurityToken.TokenUsage.MainSignature) {
+ tokenSecurityEvent.getSecurityToken().getTokenUsages().remove(SecurityToken.TokenUsage.SupportingToken);
+ tokenSecurityEvent.getSecurityToken().getTokenUsages().remove(SecurityToken.TokenUsage.Signature);
+ } else if (tokenUsage == SecurityToken.TokenUsage.MainEncryption) {
+ tokenSecurityEvent.getSecurityToken().getTokenUsages().remove(SecurityToken.TokenUsage.SupportingToken);
+ tokenSecurityEvent.getSecurityToken().getTokenUsages().remove(SecurityToken.TokenUsage.Encryption);
+ }
+ tokenSecurityEvent.getSecurityToken().addTokenUsage(tokenUsage);
+ }
+
+ private List<SecurityToken> isSignedToken(TokenSecurityEvent tokenSecurityEvent,
+ Deque<SecurityEvent> securityEventDeque,
+ HttpsTokenSecurityEvent httpsTokenSecurityEvent) throws XMLSecurityException {
+ List<SecurityToken> securityTokenList = new LinkedList<SecurityToken>();
+ if (httpsTokenSecurityEvent != null) {
+ securityTokenList.add(httpsTokenSecurityEvent.getSecurityToken());
+ return securityTokenList;
+ }
+ for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator(); iterator.hasNext(); ) {
+ SecurityEvent securityEvent = iterator.next();
+ if (securityEvent.getSecurityEventType() == SecurityEvent.Event.SignedElement) {
+ SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
+ if (signedElementSecurityEvent.isSigned()
+ && tokenSecurityEvent.getSecurityToken() != null
+ && WSSUtils.pathMatches(
+ tokenSecurityEvent.getSecurityToken().getElementPath(),
+ signedElementSecurityEvent.getElementPath(), true, false)) {
+
+ if (!securityTokenList.contains(signedElementSecurityEvent.getSecurityToken())) {
+ securityTokenList.add(signedElementSecurityEvent.getSecurityToken());
+ }
+ }
+ }
+ }
+ return securityTokenList;
+ }
+
+ private boolean signsElement(TokenSecurityEvent tokenSecurityEvent, List<QName> elementPath,
+ Deque<SecurityEvent> securityEventDeque) throws XMLSecurityException {
+ for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator(); iterator.hasNext(); ) {
+ SecurityEvent securityEvent = iterator.next();
+ if (securityEvent.getSecurityEventType() == SecurityEvent.Event.SignedElement) {
+ SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
+ if (signedElementSecurityEvent.isSigned()
+ && signedElementSecurityEvent.getSecurityToken() == tokenSecurityEvent.getSecurityToken()
+ && WSSUtils.pathMatches(elementPath, signedElementSecurityEvent.getElementPath(), true, false)) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+
+ private boolean encryptsElement(TokenSecurityEvent tokenSecurityEvent, List<QName> elementPath,
+ Deque<SecurityEvent> securityEventDeque) throws XMLSecurityException {
+ for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator(); iterator.hasNext(); ) {
+ SecurityEvent securityEvent = iterator.next();
+ if (securityEvent.getSecurityEventType() == SecurityEvent.Event.EncryptedElement) {
+ EncryptedElementSecurityEvent encryptedElementSecurityEvent = (EncryptedElementSecurityEvent) securityEvent;
+ if (encryptedElementSecurityEvent.isEncrypted()
+ && encryptedElementSecurityEvent.getSecurityToken() == tokenSecurityEvent.getSecurityToken()
+ && WSSUtils.pathMatches(elementPath, encryptedElementSecurityEvent.getElementPath(), true, false)) {
+ return true;
+ }
+ } else if (securityEvent.getSecurityEventType() == SecurityEvent.Event.ContentEncrypted) {
+ ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent = (ContentEncryptedElementSecurityEvent) securityEvent;
+ if (contentEncryptedElementSecurityEvent.isEncrypted()
+ && contentEncryptedElementSecurityEvent.getSecurityToken() == tokenSecurityEvent.getSecurityToken()
+ && WSSUtils.pathMatches(elementPath, contentEncryptedElementSecurityEvent.getElementPath(), true, false)) {
+ return true;
+ }
+ }
+ }
+ return false;
}
}
Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/InboundWSSecurityContextImpl.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSDocumentContextImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSDocumentContextImpl.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSDocumentContextImpl.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSDocumentContextImpl.java Wed Feb 29 20:54:51 2012
@@ -20,6 +20,7 @@ package org.swssf.wss.impl;
import org.swssf.wss.ext.WSSConstants;
import org.swssf.wss.ext.WSSDocumentContext;
+import org.swssf.xmlsec.impl.DocumentContextImpl;
import javax.xml.namespace.QName;
import java.util.ArrayList;
@@ -31,7 +32,7 @@ import java.util.List;
* @author $Author$
* @version $Revision$ $Date$
*/
-public class WSSDocumentContextImpl extends org.swssf.xmlsec.impl.DocumentContextImpl implements WSSDocumentContext {
+public class WSSDocumentContextImpl extends DocumentContextImpl implements WSSDocumentContext {
public String getSOAPMessageVersionNamespace() {
if (getPath().size() >= 1 && getPath().get(0).equals(WSSConstants.TAG_soap11_Envelope)) {
Added: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java?rev=1295267&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java Wed Feb 29 20:54:51 2012
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.swssf.wss.impl;
+
+import org.swssf.wss.ext.WSSecurityContext;
+import org.swssf.wss.ext.WSSecurityException;
+import org.swssf.wss.securityEvent.SecurityEvent;
+import org.swssf.wss.securityEvent.SecurityEventListener;
+import org.swssf.xmlsec.impl.SecurityContextImpl;
+
+import java.util.LinkedList;
+import java.util.List;
+
+/**
+ * Concrete security context implementation
+ *
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class WSSecurityContextImpl extends SecurityContextImpl implements WSSecurityContext {
+
+ private List<SecurityEventListener> securityEventListeners = new LinkedList<SecurityEventListener>();
+
+ public void addSecurityEventListener(SecurityEventListener securityEventListener) {
+ if (securityEventListener != null) {
+ this.securityEventListeners.add(securityEventListener);
+ }
+ }
+
+ public synchronized void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
+ forwardSecurityEvent(securityEvent);
+ }
+
+ protected void forwardSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
+ for (int i = 0; i < securityEventListeners.size(); i++) {
+ SecurityEventListener securityEventListener = securityEventListeners.get(i);
+ securityEventListener.registerSecurityEvent(securityEvent);
+ }
+ }
+}
Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/BinarySecurityTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/BinarySecurityTokenInputHandler.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/BinarySecurityTokenInputHandler.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/BinarySecurityTokenInputHandler.java Wed Feb 29 20:54:51 2012
@@ -19,15 +19,18 @@
package org.swssf.wss.impl.processor.input;
import org.swssf.binding.wss10.BinarySecurityTokenType;
+import org.swssf.wss.ext.WSSecurityContext;
+import org.swssf.wss.ext.WSSecurityToken;
import org.swssf.wss.impl.securityToken.SecurityTokenFactoryImpl;
+import org.swssf.wss.securityEvent.X509TokenSecurityEvent;
import org.swssf.xmlsec.crypto.Crypto;
import org.swssf.xmlsec.ext.*;
import javax.xml.bind.JAXBElement;
+import javax.xml.namespace.QName;
import javax.xml.stream.events.XMLEvent;
import java.util.Deque;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.List;
import java.util.UUID;
/**
@@ -49,23 +52,32 @@ public class BinarySecurityTokenInputHan
binarySecurityTokenType.setId(UUID.randomUUID().toString());
}
+ final List<QName> elementPath = getElementPath(inputProcessorChain.getDocumentContext(), eventQueue);
+
SecurityTokenProvider securityTokenProvider = new SecurityTokenProvider() {
- private Map<Crypto, SecurityToken> securityTokens = new HashMap<Crypto, SecurityToken>();
+ private WSSecurityToken binarySecurityToken = null;
- public SecurityToken getSecurityToken(Crypto crypto) throws XMLSecurityException {
- SecurityToken securityToken = securityTokens.get(crypto);
- if (securityToken != null) {
- return securityToken;
+ public SecurityToken getSecurityToken() throws XMLSecurityException {
+ if (this.binarySecurityToken != null) {
+ return this.binarySecurityToken;
+ }
+ Crypto crypto = null;
+ try {
+ crypto = securityProperties.getSignatureVerificationCrypto();
+ } catch (XMLSecurityConfigurationException e) {
+ //ignore
}
- securityToken = SecurityTokenFactoryImpl.getSecurityToken(
+ if (crypto == null) {
+ crypto = securityProperties.getDecryptionCrypto();
+ }
+ this.binarySecurityToken = SecurityTokenFactoryImpl.getSecurityToken(
binarySecurityTokenType,
inputProcessorChain.getSecurityContext(),
crypto,
- securityProperties.getCallbackHandler(),
- null);
- securityTokens.put(crypto, securityToken);
- return securityToken;
+ securityProperties.getCallbackHandler());
+ this.binarySecurityToken.setElementPath(elementPath);
+ return this.binarySecurityToken;
}
public String getId() {
@@ -74,5 +86,10 @@ public class BinarySecurityTokenInputHan
};
inputProcessorChain.getSecurityContext().registerSecurityTokenProvider(binarySecurityTokenType.getId(), securityTokenProvider);
+
+ //fire a tokenSecurityEvent
+ X509TokenSecurityEvent x509TokenSecurityEvent = new X509TokenSecurityEvent();
+ x509TokenSecurityEvent.setSecurityToken(securityTokenProvider.getSecurityToken());
+ ((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(x509TokenSecurityEvent);
}
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DecryptInputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DecryptInputProcessor.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DecryptInputProcessor.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DecryptInputProcessor.java Wed Feb 29 20:54:51 2012
@@ -56,18 +56,18 @@ public class DecryptInputProcessor exten
protected void handleEncryptedContent(
InputProcessorChain inputProcessorChain, XMLEvent xmlEvent, SecurityToken securityToken) throws XMLSecurityException {
- QName parentElement = inputProcessorChain.getDocumentContext().getParentElement(xmlEvent.getEventType());
+ List<QName> parentElementPath = inputProcessorChain.getDocumentContext().getParentElementPath(xmlEvent.getEventType());
if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 3
&& ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPBody()) {
//soap:body content encryption counts as EncryptedPart
EncryptedPartSecurityEvent encryptedPartSecurityEvent =
new EncryptedPartSecurityEvent(securityToken, true, isInSignedContent(inputProcessorChain));
- encryptedPartSecurityEvent.setElement(parentElement);
+ encryptedPartSecurityEvent.setElementPath(parentElementPath);
((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(encryptedPartSecurityEvent);
} else {
ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
new ContentEncryptedElementSecurityEvent(securityToken, true, isInSignedContent(inputProcessorChain));
- contentEncryptedElementSecurityEvent.setElement(parentElement);
+ contentEncryptedElementSecurityEvent.setElementPath(parentElementPath);
((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(contentEncryptedElementSecurityEvent);
}
}
@@ -83,21 +83,13 @@ public class DecryptInputProcessor exten
securityToken);
}
+ //todo remove me?
@Override
- protected void handleSecurityToken(
- SecurityToken securityToken, SecurityContext securityContext, EncryptedDataType encryptedDataType) throws XMLSecurityException {
+ protected void handleSecurityToken(SecurityToken securityToken, SecurityContext securityContext,
+ EncryptedDataType encryptedDataType) throws XMLSecurityException {
+ securityToken.addTokenUsage(SecurityToken.TokenUsage.Encryption);
TokenSecurityEvent tokenSecurityEvent = WSSUtils.createTokenSecurityEvent(securityToken);
- tokenSecurityEvent.setTokenUsage(TokenSecurityEvent.TokenUsage.Encryption);
((WSSecurityContext) securityContext).registerSecurityEvent(tokenSecurityEvent);
-
- /*AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
- algorithmSuiteSecurityEvent.setAlgorithmURI(encryptedDataType.getEncryptionMethod().getAlgorithm());
- if (securityToken.isAsymmetric()) {
- algorithmSuiteSecurityEvent.setKeyUsage(WSSConstants.Asym_Key_Wrap);
- } else {
- algorithmSuiteSecurityEvent.setKeyUsage(WSSConstants.Sym_Key_Wrap);
- }
- ((WSSecurityContext) securityContext).registerSecurityEvent(algorithmSuiteSecurityEvent);*/
}
/*
@@ -138,12 +130,12 @@ public class DecryptInputProcessor exten
&& ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPHeader()) {
EncryptedPartSecurityEvent encryptedPartSecurityEvent =
new EncryptedPartSecurityEvent(securityToken, true, isInSignedContent(inputProcessorChain));
- encryptedPartSecurityEvent.setElement(xmlEvent.asStartElement().getName());
+ encryptedPartSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(encryptedPartSecurityEvent);
} else {
EncryptedElementSecurityEvent encryptedElementSecurityEvent =
new EncryptedElementSecurityEvent(securityToken, true, isInSignedContent(inputProcessorChain));
- encryptedElementSecurityEvent.setElement(xmlEvent.asStartElement().getName());
+ encryptedElementSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(encryptedElementSecurityEvent);
}
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DerivedKeyTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DerivedKeyTokenInputHandler.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DerivedKeyTokenInputHandler.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DerivedKeyTokenInputHandler.java Wed Feb 29 20:54:51 2012
@@ -27,18 +27,18 @@ import org.swssf.wss.impl.securityToken.
import org.swssf.wss.impl.securityToken.SAMLSecurityToken;
import org.swssf.wss.impl.securityToken.SecurityTokenFactoryImpl;
import org.swssf.wss.impl.securityToken.UsernameSecurityToken;
+import org.swssf.wss.securityEvent.DerivedKeyTokenSecurityEvent;
import org.swssf.xmlsec.config.JCEAlgorithmMapper;
-import org.swssf.xmlsec.crypto.Crypto;
import org.swssf.xmlsec.ext.*;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.JAXBElement;
+import javax.xml.namespace.QName;
import javax.xml.stream.events.XMLEvent;
import java.security.Key;
import java.security.PublicKey;
import java.util.Deque;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.List;
import java.util.UUID;
/**
@@ -63,28 +63,38 @@ public class DerivedKeyTokenInputHandler
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "noReference");
}
+ final List<QName> elementPath = getElementPath(inputProcessorChain.getDocumentContext(), eventQueue);
+
SecurityTokenProvider securityTokenProvider = new SecurityTokenProvider() {
- private Map<Crypto, SecurityToken> securityTokens = new HashMap<Crypto, SecurityToken>();
+ private AbstractSecurityToken derivedKeySecurityToken = null;
- public SecurityToken getSecurityToken(Crypto crypto) throws XMLSecurityException {
+ public SecurityToken getSecurityToken() throws XMLSecurityException {
- SecurityToken securityToken = securityTokens.get(crypto);
- if (securityToken != null) {
- return securityToken;
+ if (this.derivedKeySecurityToken != null) {
+ return this.derivedKeySecurityToken;
}
- final SecurityToken referencedSecurityToken = SecurityTokenFactoryImpl.getSecurityToken(
- derivedKeyTokenType.getSecurityTokenReference(),
- securityProperties.getDecryptionCrypto(),
- securityProperties.getCallbackHandler(),
- inputProcessorChain.getSecurityContext(),
- null
- );
-
- securityToken = new AbstractSecurityToken(
+ this.derivedKeySecurityToken = new AbstractSecurityToken(
(WSSecurityContext) inputProcessorChain.getSecurityContext(), null, null,
- derivedKeyTokenType.getId(), null, null) {
+ derivedKeyTokenType.getId(), null) {
+
+ private SecurityToken referencedSecurityToken = null;
+
+ private SecurityToken getReferencedSecurityToken() throws XMLSecurityException {
+ if (this.referencedSecurityToken != null) {
+ return referencedSecurityToken;
+ }
+
+ this.referencedSecurityToken = SecurityTokenFactoryImpl.getSecurityToken(
+ derivedKeyTokenType.getSecurityTokenReference(),
+ securityProperties.getDecryptionCrypto(),
+ securityProperties.getCallbackHandler(),
+ inputProcessorChain.getSecurityContext()
+ );
+ this.referencedSecurityToken.addWrappedToken(this);
+ return this.referencedSecurityToken;
+ }
public boolean isAsymmetric() {
return false;
@@ -92,6 +102,7 @@ public class DerivedKeyTokenInputHandler
protected Key getKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage) throws XMLSecurityException {
byte[] secret;
+ SecurityToken referencedSecurityToken = getReferencedSecurityToken();
if (referencedSecurityToken != null) {
if (referencedSecurityToken instanceof UsernameSecurityToken) {
UsernameSecurityToken usernameSecurityToken = (UsernameSecurityToken) referencedSecurityToken;
@@ -104,13 +115,6 @@ public class DerivedKeyTokenInputHandler
SAMLSecurityToken samlSecurityToken = (SAMLSecurityToken) referencedSecurityToken;
secret = samlSecurityToken.getSamlKeyInfo().getSecret();
} else {
- //todo is this the correct algo and KeyUsage?
- WSSConstants.KeyUsage newKeyUsage;
- if (keyUsage == WSSConstants.Sym_Sig || keyUsage == WSSConstants.Asym_Sig || keyUsage == WSSConstants.Sig_KD) {
- newKeyUsage = WSSConstants.Sig_KD;
- } else {
- newKeyUsage = WSSConstants.Enc_KD;
- }
secret = referencedSecurityToken.getSecretKey(algorithmURI, keyUsage).getEncoded();
}
} else {
@@ -128,6 +132,7 @@ public class DerivedKeyTokenInputHandler
nonce,
derivedKeyTokenType.getOffset().intValue()
);
+ //todo algo sec event here!
String algo = JCEAlgorithmMapper.translateURItoJCEID(algorithmURI);
return new SecretKeySpec(keyBytes, algo);
}
@@ -137,21 +142,16 @@ public class DerivedKeyTokenInputHandler
return null;
}
- public SecurityToken getKeyWrappingToken() {
- return referencedSecurityToken;
- }
-
- public String getKeyWrappingTokenAlgorithm() {
- //todo?
- return null;
+ public SecurityToken getKeyWrappingToken() throws XMLSecurityException {
+ return getReferencedSecurityToken();
}
public WSSConstants.TokenType getTokenType() {
return WSSConstants.DerivedKeyToken;
}
};
- securityTokens.put(crypto, securityToken);
- return securityToken;
+ this.derivedKeySecurityToken.setElementPath(elementPath);
+ return this.derivedKeySecurityToken;
}
public String getId() {
@@ -159,5 +159,10 @@ public class DerivedKeyTokenInputHandler
}
};
inputProcessorChain.getSecurityContext().registerSecurityTokenProvider(derivedKeyTokenType.getId(), securityTokenProvider);
+
+ //fire a tokenSecurityEvent
+ DerivedKeyTokenSecurityEvent derivedKeyTokenSecurityEvent = new DerivedKeyTokenSecurityEvent();
+ derivedKeyTokenSecurityEvent.setSecurityToken(securityTokenProvider.getSecurityToken());
+ ((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(derivedKeyTokenSecurityEvent);
}
}