Posted to commits@ws.apache.org by gi...@apache.org on 2012/03/15 21:35:34 UTC
svn commit: r1301185 - in
/webservices/wss4j/branches/swssf/streaming-ws-policy/src:
main/java/org/swssf/policy/assertionStates/
test/java/org/swssf/policy/test/ test/resources/testdata/policy/
Author: giger
Date: Thu Mar 15 20:35:33 2012
New Revision: 1301185
URL: http://svn.apache.org/viewvc?rev=1301185&view=rev
Log:
Multiple token usages handling
Added:
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/resources/testdata/policy/symmetricBindingPolicyC21a.xml (props changed)
- copied unchanged from r1299402, webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/resources/testdata/policy/symmetricBindingPolicyC21.xml
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/resources/testdata/policy/symmetricBindingPolicyC21b.xml
- copied, changed from r1299402, webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/resources/testdata/policy/symmetricBindingPolicyC21.xml
Modified:
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/WSP13SpecTest.java
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java?rev=1301185&r1=1301184&r2=1301185&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java Thu Mar 15 20:35:33 2012
@@ -29,17 +29,18 @@ import org.swssf.wss.securityEvent.Token
import org.swssf.xmlsec.ext.SecurityToken;
import org.swssf.xmlsec.ext.XMLSecurityException;
+import java.util.Iterator;
+
/**
+ * WSP1.3, 5 Token Assertions
+ *
* @author $Author$
* @version $Revision$ $Date$
*/
-
public abstract class TokenAssertionState extends AssertionState implements Assertable {
- //todo how to verify the issuer of the UsernameToken??
- //todo <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>
- //todo issuerName
- //todo claims
+ //todo WSP1.3, 5.2.1 Token Issuer: <sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>
+ //todo? WSP1.3 5.2.3 Required Claims
//todo derived keys?
public TokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
@@ -51,53 +52,66 @@ public abstract class TokenAssertionStat
TokenSecurityEvent tokenSecurityEvent = (TokenSecurityEvent) securityEvent;
AbstractToken abstractToken = (AbstractToken) getAssertion();
-
final AbstractSecurityAssertion parentAssertion = abstractToken.getParentAssertion();
- //todo what todo with the other usages if there are any? What when a sig and enc derives from the same source token?
- SecurityToken.TokenUsage tokenUsage = tokenSecurityEvent.getSecurityToken().getTokenUsages().get(0);
- switch (tokenUsage) {
- case MainSignature:
- if (!(parentAssertion instanceof InitiatorToken)
- && !(parentAssertion instanceof InitiatorSignatureToken)
- && !(parentAssertion instanceof SignatureToken)
- && !(parentAssertion instanceof ProtectionToken)
- && !(parentAssertion instanceof TransportToken)) {
- return true;
- }
- break;
- case Signature:
- throw new WSSPolicyException("Illegal token usage!");
- case MainEncryption:
- if (!(parentAssertion instanceof RecipientToken)
- && !(parentAssertion instanceof RecipientEncryptionToken)
- && !(parentAssertion instanceof EncryptionToken)
- && !(parentAssertion instanceof ProtectionToken)
- && !(parentAssertion instanceof TransportToken)) {
- return true;
- }
- break;
- case Encryption:
- throw new WSSPolicyException("Illegal token usage!");
- case SupportingTokens:
- case SignedSupportingTokens:
- case EndorsingSupportingTokens:
- case SignedEndorsingSupportingTokens:
- case SignedEncryptedSupportingTokens:
- case EncryptedSupportingTokens:
- case EndorsingEncryptedSupportingTokens:
- case SignedEndorsingEncryptedSupportingTokens:
- if (!(parentAssertion instanceof SupportingTokens)) {
- return true;
- }
-
- SupportingTokens supportingTokens = (SupportingTokens) parentAssertion;
- SecurityToken.TokenUsage expectedTokenUsage = SecurityToken.TokenUsage.valueOf(supportingTokens.getName().getLocalPart());
- if (expectedTokenUsage != tokenUsage) {
- return true;
- }
- break;
+
+ int ignoreToken = 0;
+ Iterator<SecurityToken.TokenUsage> tokenUsageIterator = tokenSecurityEvent.getSecurityToken().getTokenUsages().iterator();
+ while (tokenUsageIterator.hasNext()) {
+ SecurityToken.TokenUsage tokenUsage = tokenUsageIterator.next();
+ switch (tokenUsage) {
+ case MainSignature:
+ if (!(parentAssertion instanceof InitiatorToken)
+ && !(parentAssertion instanceof InitiatorSignatureToken)
+ && !(parentAssertion instanceof SignatureToken)
+ && !(parentAssertion instanceof ProtectionToken)
+ && !(parentAssertion instanceof TransportToken)) {
+ ignoreToken++;
+ break;
+ }
+ break;
+ case Signature:
+ throw new WSSPolicyException("Illegal token usage!");
+ case MainEncryption:
+ if (!(parentAssertion instanceof RecipientToken)
+ && !(parentAssertion instanceof RecipientEncryptionToken)
+ && !(parentAssertion instanceof EncryptionToken)
+ && !(parentAssertion instanceof ProtectionToken)
+ && !(parentAssertion instanceof TransportToken)) {
+ ignoreToken++;
+ break;
+ }
+ break;
+ case Encryption:
+ throw new WSSPolicyException("Illegal token usage!");
+ case SupportingTokens:
+ case SignedSupportingTokens:
+ case EndorsingSupportingTokens:
+ case SignedEndorsingSupportingTokens:
+ case SignedEncryptedSupportingTokens:
+ case EncryptedSupportingTokens:
+ case EndorsingEncryptedSupportingTokens:
+ case SignedEndorsingEncryptedSupportingTokens:
+ if (!(parentAssertion instanceof SupportingTokens)) {
+ ignoreToken++;
+ break;
+ }
+
+ SupportingTokens supportingTokens = (SupportingTokens) parentAssertion;
+ SecurityToken.TokenUsage expectedTokenUsage = SecurityToken.TokenUsage.valueOf(supportingTokens.getName().getLocalPart());
+ if (expectedTokenUsage != tokenUsage) {
+ ignoreToken++;
+ break;
+ }
+ break;
+ }
+ }
+ if (ignoreToken >= tokenSecurityEvent.getSecurityToken().getTokenUsages().size()) {
+ //token is not for us, so return true to prevent false alarm
+ return true;
}
+ //WSP1.3, 5.1 Token Inclusion
+ //todo do we need a global token cache to fullfill ".../IncludeToken/Once" ?
SPConstants.IncludeTokenType includeTokenType = abstractToken.getIncludeTokenType();
if (includeTokenType == SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER) {
setAsserted(false);
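Review bot: A token whose `getTokenUsages()` list is empty now satisfies `ignoreToken >= ...getTokenUsages().size()` with 0 >= 0 and is reported as "not for us", so it is silently exempted from every token assertion, where the removed `get(0)` would have failed loudly; if an empty usage list is not a legitimate state, reject it explicitly before the loop instead of letting it fall into the ignore path. The switch also has no `default`, so a `TokenUsage` constant not listed neither increments `ignoreToken` nor throws and is therefore counted as matching this assertion; `default: throw new WSSPolicyException("Illegal token usage!");` would keep the fail-closed behaviour the `Signature` and `Encryption` cases already use. Minor: `getTokenUsages()` is evaluated twice and the `break` inside each `if` is followed by another `break`, so a local `List<SecurityToken.TokenUsage> tokenUsages = tokenSecurityEvent.getSecurityToken().getTokenUsages();` and a single `break` per case would read more simply. The enclosing method starts before this hunk and its body continues after the `setAsserted(false);` line.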
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/WSP13SpecTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/WSP13SpecTest.java?rev=1301185&r1=1301184&r2=1301185&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/WSP13SpecTest.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/WSP13SpecTest.java Thu Mar 15 20:35:33 2012
@@ -20,6 +20,7 @@ package org.swssf.policy.test;
import org.apache.ws.secpolicy.WSSPolicyException;
import org.swssf.policy.PolicyEnforcer;
+import org.swssf.wss.ext.WSSecurityException;
import org.swssf.wss.securityEvent.SecurityEvent;
import org.swssf.wss.test.InboundWSSecurityContextImplTest;
import org.testng.Assert;
@@ -36,8 +37,8 @@ public class WSP13SpecTest extends Abstr
private InboundWSSecurityContextImplTest inboundWSSecurityContextImplTest = new InboundWSSecurityContextImplTest();
- @DataProvider(name = "ignoreEventsTransportBinding")
- public Object[][] ignoreEventsTransportBinding() {
+ @DataProvider(name = "ignoreEventsTransportBindingC11a")
+ public Object[][] ignoreEventsTransportBindingC11a() {
return new Object[][]{
{null, null, null},
{SecurityEvent.Event.HttpsToken, 1, "Assertion {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}HttpsToken not satisfied"},
@@ -47,40 +48,18 @@ public class WSP13SpecTest extends Abstr
};
}
- @Test(dataProvider = "ignoreEventsTransportBinding")
- public void testTransportBindingC11(SecurityEvent.Event ignoreEvent, Integer eventIndex, String expectedErrorMessage) throws Exception {
+ @Test(dataProvider = "ignoreEventsTransportBindingC11a")
+ public void testTransportBindingC11a(SecurityEvent.Event ignoreEvent, Integer eventIndex, String expectedErrorMessage) throws Exception {
String policyString = loadResourceAsString("testdata/policy/transportBindingPolicyC11.xml", "UTF-8");
PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
List<SecurityEvent> securityEventList = inboundWSSecurityContextImplTest.generateTransportBindingSecurityEvents();
- for (int i = 0; i < securityEventList.size(); i++) {
- SecurityEvent securityEvent = securityEventList.get(i);
- if (eventIndex != null && i == eventIndex && securityEvent.getSecurityEventType() != ignoreEvent) {
- for (int j = 0; j < securityEventList.size(); j++) {
- System.out.println(j + " " + securityEventList.get(j));
- }
- Assert.fail("Event at index " + eventIndex + " is not of type " + ignoreEvent);
- }
- if (ignoreEvent == null || i != eventIndex) {
- policyEnforcer.registerSecurityEvent(securityEvent);
- }
- }
- try {
- policyEnforcer.doFinal();
- if (ignoreEvent != null) {
- Assert.fail("Expected WSSPolicyException");
- }
- } catch (WSSPolicyException e) {
- if (ignoreEvent == null) {
- Assert.fail("Unexpected WSSPolicyException");
- }
- Assert.assertEquals(e.getMessage(), expectedErrorMessage);
- }
+ applyPolicy(ignoreEvent, eventIndex, expectedErrorMessage, policyEnforcer, securityEventList);
}
- @DataProvider(name = "ignoreEventsAsymmetricBinding")
- public Object[][] ignoreEventsAsymmetricBinding() {
+ @DataProvider(name = "ignoreEventsAsymmetricBindingC31a")
+ public Object[][] ignoreEventsAsymmetricBindingC31a() {
return new Object[][]{
{null, null, null},
{SecurityEvent.Event.RequiredElement, 2, "\nElement /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp must be present"},
@@ -89,57 +68,64 @@ public class WSP13SpecTest extends Abstr
};
}
- @Test(dataProvider = "ignoreEventsAsymmetricBinding")
- public void testAsymmetricBindingC31(SecurityEvent.Event ignoreEvent, Integer eventIndex, String expectedErrorMessage) throws Exception {
+ @Test(dataProvider = "ignoreEventsAsymmetricBindingC31a")
+ public void testAsymmetricBindingC31a(SecurityEvent.Event ignoreEvent, Integer eventIndex, String expectedErrorMessage) throws Exception {
String policyString = loadResourceAsString("testdata/policy/asymmetricBindingPolicyC31.xml", "UTF-8");
PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
List<SecurityEvent> securityEventList = inboundWSSecurityContextImplTest.generateAsymmetricBindingSecurityEvents();
- for (int i = 0; i < securityEventList.size(); i++) {
- SecurityEvent securityEvent = securityEventList.get(i);
- if (eventIndex != null && i == eventIndex && securityEvent.getSecurityEventType() != ignoreEvent) {
- for (int j = 0; j < securityEventList.size(); j++) {
- System.out.println(j + " " + securityEventList.get(j));
- }
- Assert.fail("Event at index " + eventIndex + " is not of type " + ignoreEvent);
- }
- if (ignoreEvent == null || i != eventIndex) {
- policyEnforcer.registerSecurityEvent(securityEvent);
- }
- }
- try {
- policyEnforcer.doFinal();
- if (ignoreEvent != null) {
- Assert.fail("Expected WSSPolicyException");
- }
- } catch (WSSPolicyException e) {
- if (ignoreEvent == null) {
- Assert.fail("Unexpected WSSPolicyException");
- }
- Assert.assertEquals(e.getMessage(), expectedErrorMessage);
- }
+ applyPolicy(ignoreEvent, eventIndex, expectedErrorMessage, policyEnforcer, securityEventList);
}
- @DataProvider(name = "ignoreEventsSymmetricBinding")
- public Object[][] ignoreEventsSymmetricBinding() {
+ @DataProvider(name = "ignoreEventsSymmetricBindingC21a")
+ public Object[][] ignoreEventsSymmetricBindingC21a() {
return new Object[][]{
{null, null, null},
{SecurityEvent.Event.RequiredElement, 2, "\nElement /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp must be present"},
+ {SecurityEvent.Event.SamlToken, -1, "Assertion {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IssuedToken not satisfied"},
{SecurityEvent.Event.UsernameToken, 5, "Assertion {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken not satisfied"},
{SecurityEvent.Event.X509Token, 16, "Assertion {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token not satisfied"},
};
}
- @Test(dataProvider = "ignoreEventsSymmetricBinding")
- public void testSymmetricBindingC31(SecurityEvent.Event ignoreEvent, Integer eventIndex, String expectedErrorMessage) throws Exception {
- String policyString = loadResourceAsString("testdata/policy/symmetricBindingPolicyC21.xml", "UTF-8");
+ @Test(dataProvider = "ignoreEventsSymmetricBindingC21a")
+ public void testSymmetricBindingC21a(SecurityEvent.Event ignoreEvent, Integer eventIndex, String expectedErrorMessage) throws Exception {
+ String policyString = loadResourceAsString("testdata/policy/symmetricBindingPolicyC21a.xml", "UTF-8");
PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
List<SecurityEvent> securityEventList = inboundWSSecurityContextImplTest.generateSymmetricBindingSecurityEvents();
+ applyPolicy(ignoreEvent, eventIndex, expectedErrorMessage, policyEnforcer, securityEventList);
+ }
+
+ @DataProvider(name = "ignoreEventsSymmetricBindingC21b")
+ public Object[][] ignoreEventsSymmetricBindingC21b() {
+ return new Object[][]{
+ {null, null, null},
+ {SecurityEvent.Event.RequiredElement, 2, "\nElement /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp must be present"},
+ {SecurityEvent.Event.SamlToken, -1, "Assertion {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IssuedToken not satisfied"},
+ {SecurityEvent.Event.UsernameToken, 5, "Assertion {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken not satisfied"},
+ {SecurityEvent.Event.X509Token, 16, "Assertion {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token not satisfied"},
+ };
+ }
+
+ @Test(dataProvider = "ignoreEventsSymmetricBindingC21b")
+ public void testSymmetricBindingC21b(SecurityEvent.Event ignoreEvent, Integer eventIndex, String expectedErrorMessage) throws Exception {
+ String policyString = loadResourceAsString("testdata/policy/symmetricBindingPolicyC21b.xml", "UTF-8");
+
+ PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
+
+ List<SecurityEvent> securityEventList = inboundWSSecurityContextImplTest.generateSymmetricBindingSecurityEvents();
+ applyPolicy(ignoreEvent, eventIndex, expectedErrorMessage, policyEnforcer, securityEventList);
+ }
+
+ private void applyPolicy(SecurityEvent.Event ignoreEvent, Integer eventIndex, String expectedErrorMessage, PolicyEnforcer policyEnforcer, List<SecurityEvent> securityEventList) throws WSSecurityException {
for (int i = 0; i < securityEventList.size(); i++) {
SecurityEvent securityEvent = securityEventList.get(i);
+ if (eventIndex != null && eventIndex == -1 && securityEvent.getSecurityEventType() == ignoreEvent) {
+ continue;
+ }
if (eventIndex != null && i == eventIndex && securityEvent.getSecurityEventType() != ignoreEvent) {
for (int j = 0; j < securityEventList.size(); j++) {
System.out.println(j + " " + securityEventList.get(j));
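Review bot: The new `eventIndex == -1` branch in `applyPolicy` introduces an undocumented sentinel: -1 means "drop every event whose type is ignoreEvent" rather than "drop the event at this index", and the `{SecurityEvent.Event.SamlToken, -1, ...}` rows in the data providers rely on that without saying so. A named constant such as `private static final int IGNORE_ALL_EVENTS_OF_TYPE = -1;` used in both the branch and the providers, plus a short Javadoc on `applyPolicy` stating that `eventIndex` is either an event position or that sentinel, would make the contract visible to the next test author. The `eventIndex != null` guard before the unboxing comparison is correct as written. Note also that `ignoreEventsSymmetricBindingC21b` repeats `ignoreEventsSymmetricBindingC21a` row for row, so the two tests could share one provider. The body of `applyPolicy` continues past the end of this hunk.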
Propchange: webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/resources/testdata/policy/symmetricBindingPolicyC21a.xml
------------------------------------------------------------------------------
svn:eol-style = native
Copied: webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/resources/testdata/policy/symmetricBindingPolicyC21b.xml (from r1299402, webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/resources/testdata/policy/symmetricBindingPolicyC21.xml)
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/resources/testdata/policy/symmetricBindingPolicyC21b.xml?p2=webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/resources/testdata/policy/symmetricBindingPolicyC21b.xml&p1=webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/resources/testdata/policy/symmetricBindingPolicyC21.xml&r1=1299402&r2=1301185&rev=1301185&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/resources/testdata/policy/symmetricBindingPolicyC21.xml (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/resources/testdata/policy/symmetricBindingPolicyC21b.xml Thu Mar 15 20:35:33 2012
@@ -3,7 +3,7 @@
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SymmetricBinding>
<wsp:Policy>
- <sp:ProtectionToken>
+ <sp:EncryptionToken>
<wsp:Policy>
<sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once" >
<sp:Issuer>...</sp:Issuer>
@@ -12,7 +12,17 @@
</sp:RequestSecurityTokenTemplate>
</sp:IssuedToken>
</wsp:Policy>
- </sp:ProtectionToken>
+ </sp:EncryptionToken>
+ <sp:SignatureToken>
+ <wsp:Policy>
+ <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once" >
+ <sp:Issuer>...</sp:Issuer>
+ <sp:RequestSecurityTokenTemplate>
+ ...
+ </sp:RequestSecurityTokenTemplate>
+ </sp:IssuedToken>
+ </wsp:Policy>
+ </sp:SignatureToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />