Posted to commits@cxf.apache.org by dk...@apache.org on 2009/03/07 18:41:08 UTC
svn commit: r751299 - in /cxf/trunk:
api/src/main/java/org/apache/cxf/ws/policy/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/
rt/ws/security/src/ma...
Author: dkulp
Date: Sat Mar 7 17:41:07 2009
New Revision: 751299
URL: http://svn.apache.org/viewvc?rev=751299&view=rev
Log:
Add some validation of incoming secure messages to make sure they match policies.
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (with props)
Modified:
cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/AssertionInfoMap.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/EncryptedPartsBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/RequiredPartsBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SignedPartsBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Header.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RecipientToken.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java
cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
Modified: cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/AssertionInfoMap.java
URL: http://svn.apache.org/viewvc/cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/AssertionInfoMap.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/AssertionInfoMap.java (original)
+++ cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/AssertionInfoMap.java Sat Mar 7 17:41:07 2009
@@ -24,8 +24,10 @@
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
+import java.util.LinkedHashSet;
import java.util.List;
import java.util.ResourceBundle;
+import java.util.Set;
import javax.xml.namespace.QName;
@@ -115,20 +117,25 @@
return;
}
}
- StringBuilder error = new StringBuilder("\n");
+
+ Set<String> msgs = new LinkedHashSet<String>();
+
for (QName name : errors) {
Collection<AssertionInfo> ais = getAssertionInfo(name);
for (AssertionInfo ai : ais) {
if (!ai.isAsserted()) {
- error.append("\n ");
- error.append(name.toString());
+ String s = name.toString();
if (ai.getErrorMessage() != null) {
- error.append(": ").append(ai.getErrorMessage());
+ s += ": " + ai.getErrorMessage();
}
+ msgs.add(s);
}
}
}
-
+ StringBuilder error = new StringBuilder("\n");
+ for (String msg : msgs) {
+ error.append("\n").append(msg);
+ }
throw new PolicyException(new Message("NO_ALTERNATIVE_EXC", BUNDLE, error.toString()));
}
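Review bot: The text thrown in the PolicyException at the end of the hunk now carries each unasserted assertion's error message, and on the inbound side this commit starts filling those with validation detail such as "No SecureConversation token found in message."; whether that exception is mapped to a SOAP fault returned to the remote peer is outside this hunk, so it is worth confirming the aggregated text is only logged and not echoed to the client. Deduplicating through a LinkedHashSet is the right change; a short comment above the set would make the intent visible: `// one entry per distinct QName/message pair, in first-seen order`. The enclosing method starts before the hunk.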
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/EncryptedPartsBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/EncryptedPartsBuilder.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/EncryptedPartsBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/EncryptedPartsBuilder.java Sat Mar 7 17:41:07 2009
@@ -67,17 +67,12 @@
private void processElement(Element element, SignedEncryptedParts parent) {
if ("Header".equals(element.getLocalName())) {
- Header header = new Header();
-
String nameAttribute = element.getAttribute(SPConstants.NAME);
- if (nameAttribute != null) {
- header.setName(nameAttribute);
+ if (nameAttribute == null) {
+ nameAttribute = "";
}
-
String namespaceAttribute = element.getAttribute(SPConstants.NAMESPACE);
- header.setNamespace(namespaceAttribute);
-
- parent.addHeader(header);
+ parent.addHeader(new Header(nameAttribute, namespaceAttribute));
} else if ("Body".equals(element.getLocalName())) {
parent.setBody(true);
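Review bot: The null guard on `nameAttribute` cannot fire, because DOM `Element.getAttribute` returns the empty string rather than null for an absent attribute; the real gap is `Namespace`, which WS-SecurityPolicy requires on `sp:Header` but which this code passes through as "" when it is missing, so a mis-authored policy silently becomes a header-part assertion with an empty namespace. Consider failing at parse time, e.g. `if (namespaceAttribute == null || namespaceAttribute.length() == 0) { throw new IllegalArgumentException("sp:Header requires a Namespace attribute"); }`, or at least a comment stating that an empty namespace is intentional. How an empty namespace is later matched against message headers is not visible here.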
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/RequiredPartsBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/RequiredPartsBuilder.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/RequiredPartsBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/RequiredPartsBuilder.java Sat Mar 7 17:41:07 2009
@@ -55,17 +55,14 @@
private void processElement(Element element, RequiredParts parent) {
if ("Header".equals(element.getLocalName())) {
- Header header = new Header();
String nameAttribute = element.getAttribute(SPConstants.NAME);
- if (nameAttribute != null) {
- header.setName(nameAttribute);
+ if (nameAttribute == null) {
+ nameAttribute = "";
}
String namespaceAttribute = element.getAttribute(SPConstants.NAMESPACE);
- header.setNamespace(namespaceAttribute);
-
- parent.addHeader(header);
+ parent.addHeader(new Header(nameAttribute, namespaceAttribute));
}
}
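Review bot: The `nameAttribute == null` branch is dead code here, since DOM `getAttribute` yields "" for a missing attribute, while the required `Namespace` attribute is accepted unchecked and becomes "" in the new Header when absent. A parse-time rejection such as `if (namespaceAttribute == null || namespaceAttribute.length() == 0) { throw new IllegalArgumentException("sp:Header requires a Namespace attribute"); }` would surface a bad policy at startup instead of at message-validation time. The same pattern appears in the sibling Signed/EncryptedParts builders in this commit and should be handled consistently.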
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SignedPartsBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SignedPartsBuilder.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SignedPartsBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SignedPartsBuilder.java Sat Mar 7 17:41:07 2009
@@ -68,17 +68,14 @@
private void processElement(Element element, SignedEncryptedParts parent) {
if ("Header".equals(element.getLocalName())) {
- Header header = new Header();
String nameAttribute = element.getAttribute(SPConstants.NAME);
- if (nameAttribute != null) {
- header.setName(nameAttribute);
+ if (nameAttribute == null) {
+ nameAttribute = "";
}
-
String namespaceAttribute = element.getAttribute(SPConstants.NAMESPACE);
- header.setNamespace(namespaceAttribute);
- parent.addHeader(header);
+ parent.addHeader(new Header(nameAttribute, namespaceAttribute));
} else if ("Body".equals(element.getLocalName())) {
parent.setBody(true);
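Review bot: As in the other part builders in this commit, the null check on `nameAttribute` never triggers (DOM `getAttribute` returns "" for an absent attribute) and the `Namespace` attribute, which the policy schema requires, is silently accepted as "" when missing, producing a SignedParts header assertion with an empty namespace. Reject it when the policy is parsed, `if (namespaceAttribute == null || namespaceAttribute.length() == 0) { throw new IllegalArgumentException("sp:Header requires a Namespace attribute"); }`, or document that "" is a deliberate wildcard if the matching code treats it that way — that code is not in view.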
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java Sat Mar 7 17:41:07 2009
@@ -21,6 +21,7 @@
import java.util.Arrays;
import java.util.Collection;
+import java.util.Vector;
import org.apache.cxf.Bus;
@@ -43,6 +44,9 @@
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.trust.STSClient;
+import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
/**
*
@@ -171,6 +175,7 @@
static class IssuedTokenInInterceptor extends AbstractPhaseInterceptor<Message> {
public IssuedTokenInInterceptor() {
super(Phase.PRE_PROTOCOL);
+ addAfter(WSS4JInInterceptor.class.getName());
}
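Review bot: `addAfter(WSS4JInInterceptor.class.getName())` orders this interceptor relative to the plain WSS4J in-interceptor, but elsewhere in this same commit WSSecurityInterceptorProvider now installs PolicyBasedWSS4JInInterceptor instead; unless that class reports the same interceptor id (its body is not in view), the constraint is a no-op and handleMessage may run before RECV_RESULTS has been populated. Either use `addAfter(PolicyBasedWSS4JInInterceptor.class.getName());` or keep the old id in the new class, and say why with a comment: `// must run after the WSS4J in-interceptor so RECV_RESULTS is populated`.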
public void handleMessage(Message message) throws Fault {
@@ -182,7 +187,25 @@
return;
}
if (!isRequestor(message)) {
- //TODO
+ boolean found = false;
+ Vector results = (Vector)message.get(WSHandlerConstants.RECV_RESULTS);
+ for (int i = 0; i < results.size(); i++) {
+ WSHandlerResult rResult =
+ (WSHandlerResult) results.get(i);
+
+ Vector wsSecEngineResults = rResult.getResults();
+
+ for (int j = 0; j < wsSecEngineResults.size(); j++) {
+ //WSSecurityEngineResult wser =
+ // (WSSecurityEngineResult) wsSecEngineResults.get(j);
+ //Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ //how to find if it's due to an IssuedToken?
+ found = true;
+ }
+ }
+ if (!found) {
+ ais.iterator().next().setAsserted(false);
+ }
} else {
//client side should be checked on the way out
for (AssertionInfo ai : ais) {
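Review bot: The inner loop sets `found = true` for every WSSecurityEngineResult regardless of what produced it, so any entry in the Security header — a Timestamp, a UsernameToken, a signature made with an unrelated key — satisfies the IssuedToken assertion, which turns this check into "a Security header was present" rather than "an issued token was presented"; the commented-out TAG_ACTION lookup is the right starting point and `found` should only be set for results whose action corresponds to a token type the IssuedToken policy allows, with an explicit comment that anything else is not counted. Separately, `results` is cast and iterated without a null check, so a message carrying no Security header at all dies with an NPE on `results.size()` instead of being reported as a policy failure; guard it with `if (results == null) { ais.iterator().next().setNotAsserted("No IssuedToken found in message."); return; }`, and prefer setNotAsserted with a reason over the bare `setAsserted(false)` used here, matching the SecureConversation interceptor in this commit. The enclosing handleMessage continues past the hunk.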
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java Sat Mar 7 17:41:07 2009
@@ -364,6 +364,7 @@
public void handleMessage(SoapMessage message) throws Fault {
//Find the SC token
+ boolean found = false;
Vector results = (Vector)message.get(WSHandlerConstants.RECV_RESULTS);
for (int i = 0; i < results.size(); i++) {
WSHandlerResult rResult =
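Review bot: The new `found` flag is only meaningful if the loop below actually runs, yet the context line `Vector results = (Vector)message.get(WSHandlerConstants.RECV_RESULTS);` is still used without a null check, so an inbound message with no Security header will fail on `results.size()` with an NPE before the "No SecureConversation token found" path is reached. A guard such as `if (results == null) { results = new Vector(); }` placed right after the lookup lets the new not-asserted handling at the end of the method do its job. The method's remainder is in the next hunk.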
@@ -380,9 +381,21 @@
= (SecurityContextToken)wser
.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getID());
+ found = true;
}
}
}
+ if (!found) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ // extract Assertion information
+ if (aim != null) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
+ if (ais == null || ais.isEmpty()) {
+ return;
+ }
+ ais.iterator().next().setNotAsserted("No SecureConversation token found in message.");
+ }
+ }
}
}
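Review bot: When no SecurityContextToken is found only the first AssertionInfo is marked, via `ais.iterator().next().setNotAsserted(...)`, so if the effective policy holds more than one SECURE_CONVERSATION_TOKEN assertion the others are left in whatever state they already had; mark them all with `for (AssertionInfo ai : ais) { ai.setNotAsserted("No SecureConversation token found in message."); }`. The `// extract Assertion information` comment duplicates the line above it and could instead say what the block decides: `// no SCT in the Security header: fail every SecureConversationToken assertion`.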
static class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java Sat Mar 7 17:41:07 2009
@@ -27,8 +27,8 @@
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.security.policy.SP11Constants;
import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
-import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
/**
*
@@ -52,7 +52,7 @@
super(ASSERTION_TYPES);
this.getOutInterceptors().add(new PolicyBasedWSS4JOutInterceptor());
this.getOutFaultInterceptors().add(new PolicyBasedWSS4JOutInterceptor());
- this.getInInterceptors().add(new WSS4JInInterceptor(true));
- this.getInFaultInterceptors().add(new WSS4JInInterceptor());
+ this.getInInterceptors().add(new PolicyBasedWSS4JInInterceptor());
+ this.getInFaultInterceptors().add(new PolicyBasedWSS4JInInterceptor());
}
}
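Review bot: The removed line built the in-interceptor as `new WSS4JInInterceptor(true)` while the in-fault interceptor used the no-arg form, and both are now `new PolicyBasedWSS4JInInterceptor()`; whatever that boolean selected is no longer passed, so if it controlled policy-driven action handling confirm the new class's default covers it (its constructors are not in view). A one-line comment on why the normal and fault chains share the same configuration would help the next reader, e.g. `// policy drives inbound processing for both normal and fault messages`.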
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Header.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Header.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Header.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Header.java Sat Mar 7 17:41:07 2009
@@ -18,45 +18,37 @@
*/
package org.apache.cxf.ws.security.policy.model;
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.common.util.StringUtils;
+
public class Header {
- private String name;
- private String namespace;
+ private QName name;
- public Header() {
- }
public Header(String nm, String ns) {
- name = nm;
- namespace = ns;
+ name = new QName(ns, nm);
}
- /**
- * @return Returns the name.
- */
- public String getName() {
+ public QName getQName() {
return name;
}
-
+
/**
- * @param name The name to set.
+ * @return Returns the name.
*/
- public void setName(String name) {
- this.name = name;
+ public String getName() {
+ if (StringUtils.isEmpty(name.getLocalPart())) {
+ return null;
+ }
+ return name.getLocalPart();
}
-
/**
* @return Returns the namespace.
*/
public String getNamespace() {
- return namespace;
- }
-
- /**
- * @param namespace The namespace to set.
- */
- public void setNamespace(String namespace) {
- this.namespace = namespace;
+ return name.getNamespaceURI();
}
}
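Review bot: `new QName(ns, nm)` in the constructor throws IllegalArgumentException when `nm` is null, where the old code simply stored the null; the three part builders in this commit now substitute "" before calling it, but the constructor is public and other callers are not visible, so make it tolerant at the source with `name = new QName(ns, nm == null ? "" : nm);`. `getName()` already maps an empty local part back to null, so that keeps the previous getName/getNamespace contract intact. A Javadoc line on the class stating that the optional Name is stored as an empty local part and surfaced as null would make the round-trip explicit.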
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RecipientToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RecipientToken.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RecipientToken.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RecipientToken.java Sat Mar 7 17:41:07 2009
@@ -25,7 +25,7 @@
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
-public class RecipientToken extends TokenWrapper {
+public class RecipientToken extends TokenWrapper {
public RecipientToken(SPConstants version) {
super(version);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java Sat Mar 7 17:41:07 2009
@@ -26,6 +26,7 @@
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;
+import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.neethi.PolicyComponent;
@@ -86,7 +87,7 @@
// <sp:Header Name=".." Namespace=".." />
writer.writeStartElement(prefix, SPConstants.HEADER, namespaceURI);
// Name attribute is optional
- if (header.getName() != null) {
+ if (!StringUtils.isEmpty(header.getName())) {
writer.writeAttribute("Name", header.getName());
}
writer.writeAttribute("Namespace", header.getNamespace());
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java Sat Mar 7 17:41:07 2009
@@ -26,6 +26,7 @@
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;
+import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.neethi.PolicyComponent;
@@ -140,7 +141,7 @@
// <sp:Header Name=".." Namespace=".." />
writer.writeStartElement(prefix, SPConstants.HEADER, namespaceURI);
// Name attribute is optional
- if (header.getName() != null) {
+ if (!StringUtils.isEmpty(header.getName())) {
writer.writeAttribute("Name", header.getName());
}
writer.writeAttribute("Namespace", header.getNamespace());
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java Sat Mar 7 17:41:07 2009
@@ -18,41 +18,22 @@
*/
package org.apache.cxf.ws.security.wss4j;
-import java.io.IOException;
import java.net.URI;
-import java.net.URL;
-import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
-import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.xml.namespace.QName;
-import org.apache.cxf.Bus;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.SoapInterceptor;
-import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.PhaseInterceptor;
-import org.apache.cxf.resource.ResourceManager;
-import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.policy.PolicyAssertion;
-import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.Wss11;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
@@ -63,7 +44,7 @@
public abstract class AbstractWSS4JInterceptor extends WSHandler implements SoapInterceptor,
PhaseInterceptor<SoapMessage> {
-
+
private static final Set<QName> HEADERS = new HashSet<QName>();
static {
HEADERS.add(new QName(WSConstants.WSSE_NS, "Security"));
@@ -165,286 +146,11 @@
this.before = before;
}
- private boolean isRequestor(SoapMessage message) {
- return Boolean.TRUE.equals(message.get(
- org.apache.cxf.message.Message.REQUESTOR_ROLE));
+ protected boolean isRequestor(SoapMessage message) {
+ return MessageUtils.isRequestor(message);
}
-
- protected void policyAsserted(AssertionInfoMap aim, PolicyAssertion assertion) {
- if (assertion == null) {
- return;
- }
- Collection<AssertionInfo> ais;
- ais = aim.get(assertion.getName());
- if (ais != null) {
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == assertion) {
- ai.setAsserted(true);
- }
- }
- }
- }
- protected void policyAsserted(AssertionInfoMap aim, QName qn) {
- Collection<AssertionInfo> ais;
- ais = aim.get(qn);
- if (ais != null) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- }
- }
- private static Properties getProps(Object o, SoapMessage message) {
- Properties properties = null;
- if (o instanceof Properties) {
- properties = (Properties)o;
- } else if (o instanceof String) {
- ResourceManager rm = message.getExchange().get(Bus.class).getExtension(ResourceManager.class);
- URL url = rm.resolveResource((String)o, URL.class);
- try {
- if (url == null) {
- url = ClassLoaderUtils.getResource((String)o, AbstractWSS4JInterceptor.class);
- }
- if (url != null) {
- properties = new Properties();
- properties.load(url.openStream());
- }
- } catch (IOException e) {
- properties = null;
- }
- } else if (o instanceof URL) {
- properties = new Properties();
- try {
- properties.load(((URL)o).openStream());
- } catch (IOException e) {
- properties = null;
- }
- }
-
- return properties;
- }
-
- String addToAction(String action, String val, boolean pre) {
- if (action.contains(val)) {
- return action;
- }
- if (pre) {
- return val + " " + action;
- }
- return action + " " + val;
- }
- boolean assertPolicy(AssertionInfoMap aim, QName q) {
- Collection<AssertionInfo> ais = aim.get(q);
- if (ais != null && !ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- return true;
- }
- return false;
- }
- String assertAsymetricBinding(AssertionInfoMap aim, String action, SoapMessage message) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
- if (ais != null) {
- for (AssertionInfo ai : ais) {
- AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
- if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
- action = addToAction(action, "Signature", true);
- action = addToAction(action, "Encrypt", true);
- } else {
- action = addToAction(action, "Encrypt", true);
- action = addToAction(action, "Signature", true);
- }
- Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
- Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
- if (e != null) {
- message.put("SignaturePropRefId", "RefId-" + e.toString());
- message.put("RefId-" + e.toString(), getProps(e, message));
- }
- if (s != null) {
- message.put("decryptionPropRefId", "RefId-" + s.toString());
- message.put("RefId-" + s.toString(), getProps(s, message));
- }
- ai.setAsserted(true);
- policyAsserted(aim, abinding.getInitiatorToken());
- policyAsserted(aim, abinding.getRecipientToken());
- policyAsserted(aim, abinding.getInitiatorToken().getToken());
- policyAsserted(aim, abinding.getRecipientToken().getToken());
- policyAsserted(aim, SP12Constants.ENCRYPTED_PARTS);
- }
- }
-
- return action;
- }
- String assertSymetricBinding(AssertionInfoMap aim, String action, SoapMessage message) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
- if (ais != null) {
- for (AssertionInfo ai : ais) {
- SymmetricBinding abinding = (SymmetricBinding)ai.getAssertion();
- if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
- action = addToAction(action, "Signature", true);
- action = addToAction(action, "Encrypt", true);
- } else {
- action = addToAction(action, "Encrypt", true);
- action = addToAction(action, "Signature", true);
- }
- Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
- Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
- if (abinding.getProtectionToken() != null) {
- s = e;
- }
- if (isRequestor(message)) {
- if (e != null) {
- message.put("SignaturePropRefId", "RefId-" + e.toString());
- message.put("RefId-" + e.toString(), getProps(e, message));
- }
- if (s != null) {
- message.put("decryptionPropRefId", "RefId-" + s.toString());
- message.put("RefId-" + s.toString(), getProps(s, message));
- }
- } else {
- if (s != null) {
- message.put("SignaturePropRefId", "RefId-" + s.toString());
- message.put("RefId-" + s.toString(), getProps(s, message));
- }
- if (e != null) {
- message.put("decryptionPropRefId", "RefId-" + e.toString());
- message.put("RefId-" + e.toString(), getProps(e, message));
- }
- }
- ai.setAsserted(true);
- if (abinding.getEncryptionToken() != null) {
- policyAsserted(aim, abinding.getEncryptionToken());
- policyAsserted(aim, abinding.getEncryptionToken().getToken());
- }
- if (abinding.getSignatureToken() != null) {
- policyAsserted(aim, abinding.getSignatureToken());
- policyAsserted(aim, abinding.getSignatureToken().getToken());
- }
- if (abinding.getProtectionToken() != null) {
- policyAsserted(aim, abinding.getProtectionToken());
- policyAsserted(aim, abinding.getProtectionToken().getToken());
- }
- policyAsserted(aim, SP12Constants.ENCRYPTED_PARTS);
- }
- }
- return action;
- }
- void assertTransportBinding(AssertionInfoMap aim, SoapMessage message) {
- assertPolicy(aim, SP12Constants.TRANSPORT_BINDING);
- assertPolicy(aim, SP12Constants.TRANSPORT_TOKEN);
- policyAsserted(aim, SP12Constants.ENCRYPTED_PARTS);
- }
- void assertWSS11(AssertionInfoMap aim, SoapMessage message) {
- if (isRequestor(message)) {
- message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "false");
- }
- Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
- if (ais != null) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- Wss11 wss11 = (Wss11)ai.getAssertion();
- if (isRequestor(message)) {
- message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION,
- wss11.isRequireSignatureConfirmation() ? "true" : "false");
- }
- }
- }
- }
-
- protected PolicyAssertion findAndAssertPolicy(AssertionInfoMap aim, QName n) {
- Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
- if (ais != null && !ais.isEmpty()) {
- AssertionInfo ai = ais.iterator().next();
- ai.setAsserted(true);
- return ai.getAssertion();
- }
- return null;
- }
- protected String assertSupportingTokens(AssertionInfoMap aim,
- SoapMessage message,
- String action,
- QName n) {
- SupportingToken sp = (SupportingToken)findAndAssertPolicy(aim, n);
- if (sp != null) {
- action = doTokens(sp.getTokens(), action, aim, message);
- }
- return action;
- }
- protected void checkPolicies(SoapMessage message, RequestData data) {
- AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- // extract Assertion information
- String action = getString(WSHandlerConstants.ACTION, message);
- if (action == null) {
- action = "";
- }
- if (aim != null) {
- if (assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP)) {
- action = addToAction(action, WSHandlerConstants.TIMESTAMP, true);
- }
- assertPolicy(aim, SP12Constants.LAYOUT);
- action = assertAsymetricBinding(aim, action, message);
- action = assertSymetricBinding(aim, action, message);
- assertTransportBinding(aim, message);
-
- action = assertSupportingTokens(aim, message,
- action, SP12Constants.SIGNED_SUPPORTING_TOKENS);
- action = assertSupportingTokens(aim, message,
- action, SP12Constants.ENDORSING_SUPPORTING_TOKENS);
- action = assertSupportingTokens(aim, message,
- action, SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
- action = assertSupportingTokens(aim, message,
- action, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
- action = assertSupportingTokens(aim, message,
- action, SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
- action = assertSupportingTokens(aim, message,
- action,
- SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
- action = assertSupportingTokens(aim, message,
- action, SP12Constants.SUPPORTING_TOKENS);
- action = assertSupportingTokens(aim, message,
- action, SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
- assertWSS11(aim, message);
- assertPolicy(aim, SP12Constants.WSS10);
- assertPolicy(aim, SP12Constants.TRUST_13);
- assertPolicy(aim, SP11Constants.TRUST_10);
- policyAsserted(aim, SP12Constants.SIGNED_PARTS);
- message.put(WSHandlerConstants.ACTION, action.trim());
- }
- }
-
- private String doTokens(List<Token> tokens,
- String action,
- AssertionInfoMap aim,
- SoapMessage msg) {
- for (Token token : tokens) {
- if (token instanceof UsernameToken) {
- if (!action.contains(WSHandlerConstants.USERNAME_TOKEN)
- && !isRequestor(msg)) {
- action = WSHandlerConstants.USERNAME_TOKEN + " " + action;
- }
- Collection<AssertionInfo> ais2 = aim.get(SP12Constants.USERNAME_TOKEN);
- if (ais2 != null && !ais2.isEmpty()) {
- for (AssertionInfo ai2 : ais2) {
- if (ai2.getAssertion() == token) {
- ai2.setAsserted(true);
- }
- }
- }
- } else {
- Collection<AssertionInfo> ais2 = aim.get(token.getName());
- if (ais2 != null && !ais2.isEmpty()) {
- for (AssertionInfo ai2 : ais2) {
- if (ai2.getAssertion() == token) {
- ai2.setAsserted(true);
- }
- }
- }
- }
- }
- return action;
- }
-
+
public Crypto loadSignatureCrypto(RequestData reqData)
throws WSSecurityException {
Crypto crypto = null;
Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=751299&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Sat Mar 7 17:41:07 2009
@@ -0,0 +1,510 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Properties;
+import java.util.Vector;
+
+import javax.xml.namespace.QName;
+import javax.xml.soap.SOAPException;
+import javax.xml.soap.SOAPMessage;
+import javax.xml.stream.XMLStreamException;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.resource.ResourceManager;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.policy.PolicyAssertion;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.SP11Constants;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
+import org.apache.cxf.ws.security.policy.model.Header;
+import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
+import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
+import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.cxf.ws.security.policy.model.Wss11;
+import org.apache.cxf.ws.security.policy.model.X509Token;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.handler.WSHandlerConstants;
+
+/**
+ *
+ */
+public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
+
+ /**
+ *
+ */
+ public PolicyBasedWSS4JInInterceptor() {
+ super(true);
+ }
+
+
+ private static Properties getProps(Object o, SoapMessage message) {
+ Properties properties = null;
+ if (o instanceof Properties) {
+ properties = (Properties)o;
+ } else if (o instanceof String) {
+ ResourceManager rm = message.getExchange().get(Bus.class).getExtension(ResourceManager.class);
+ URL url = rm.resolveResource((String)o, URL.class);
+ try {
+ if (url == null) {
+ url = ClassLoaderUtils.getResource((String)o, AbstractWSS4JInterceptor.class);
+ }
+ if (url != null) {
+ properties = new Properties();
+ properties.load(url.openStream());
+ }
+ } catch (IOException e) {
+ properties = null;
+ }
+ } else if (o instanceof URL) {
+ properties = new Properties();
+ try {
+ properties.load(((URL)o).openStream());
+ } catch (IOException e) {
+ properties = null;
+ }
+ }
+
+ return properties;
+ }
+
+ private boolean containsPolicy(AssertionInfoMap aim,
+ QName n) {
+ Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
+ return ais != null && !ais.isEmpty();
+ }
+ private void handleWSS11(AssertionInfoMap aim, SoapMessage message) {
+ if (!isRequestor(message)) {
+ assertPolicy(aim, SP12Constants.WSS11);
+ return;
+ }
+ message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "false");
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ Wss11 wss11 = (Wss11)ai.getAssertion();
+ if (wss11.isRequireSignatureConfirmation()) {
+ message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION,
+ "true");
+ } else {
+ ai.setAsserted(true);
+ }
+ }
+ }
+ }
+
+ private String addToAction(String action, String val, boolean pre) {
+ if (action.contains(val)) {
+ return action;
+ }
+ if (pre) {
+ return val + " " + action;
+ }
+ return action + " " + val;
+ }
+ private boolean assertPolicy(AssertionInfoMap aim, QName q) {
+ Collection<AssertionInfo> ais = aim.get(q);
+ if (ais != null && !ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return true;
+ }
+ return false;
+ }
+ private void assertPolicy(AssertionInfoMap aim, Token token, boolean derived) {
+ if (!derived && token instanceof X509Token && token.isDerivedKeys()) {
+ notAssertPolicy(aim, token, "No derived keys found.");
+ }
+ }
+ private void assertPolicy(AssertionInfoMap aim, PolicyAssertion token) {
+ Collection<AssertionInfo> ais = aim.get(token.getName());
+ if (ais != null && !ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ if (ai.getAssertion() == token) {
+ ai.setAsserted(true);
+ }
+ }
+ }
+ }
+ private void notAssertPolicy(AssertionInfoMap aim, PolicyAssertion token, String msg) {
+ Collection<AssertionInfo> ais = aim.get(token.getName());
+ if (ais != null && !ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ if (ai.getAssertion() == token) {
+ ai.setNotAsserted(msg);
+ }
+ }
+ }
+ }
+
+ private String checkAsymetricBinding(AssertionInfoMap aim,
+ String action,
+ SoapMessage message) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
+ if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
+ action = addToAction(action, "Signature", true);
+ action = addToAction(action, "Encrypt", true);
+ } else {
+ action = addToAction(action, "Encrypt", true);
+ action = addToAction(action, "Signature", true);
+ }
+ Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+ Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+ if (e != null) {
+ message.put("SignaturePropRefId", "RefId-" + e.toString());
+ message.put("RefId-" + e.toString(), getProps(e, message));
+ }
+ if (s != null) {
+ message.put("decryptionPropRefId", "RefId-" + s.toString());
+ message.put("RefId-" + s.toString(), getProps(s, message));
+ }
+ }
+ }
+
+ return action;
+ }
+ private String checkSymetricBinding(AssertionInfoMap aim,
+ String action,
+ SoapMessage message) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ SymmetricBinding abinding = (SymmetricBinding)ai.getAssertion();
+ if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
+ action = addToAction(action, "Signature", true);
+ action = addToAction(action, "Encrypt", true);
+ } else {
+ action = addToAction(action, "Encrypt", true);
+ action = addToAction(action, "Signature", true);
+ }
+ Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+ Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+ if (abinding.getProtectionToken() != null) {
+ s = e;
+ }
+ if (isRequestor(message)) {
+ if (e != null) {
+ message.put("SignaturePropRefId", "RefId-" + e.toString());
+ message.put("RefId-" + e.toString(), getProps(e, message));
+ }
+ if (s != null) {
+ message.put("decryptionPropRefId", "RefId-" + s.toString());
+ message.put("RefId-" + s.toString(), getProps(s, message));
+ }
+ } else {
+ if (s != null) {
+ message.put("SignaturePropRefId", "RefId-" + s.toString());
+ message.put("RefId-" + s.toString(), getProps(s, message));
+ }
+ if (e != null) {
+ message.put("decryptionPropRefId", "RefId-" + e.toString());
+ message.put("RefId-" + e.toString(), getProps(e, message));
+ }
+ }
+ }
+ }
+ return action;
+ }
+
+
+ private void assertTokens(AssertionInfoMap aim,
+ QName name,
+ Collection<QName> signed,
+ SoapMessage msg,
+ SOAPMessage doc,
+ String type) throws SOAPException {
+ Collection<AssertionInfo> ais = aim.get(name);
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ SignedEncryptedParts p = (SignedEncryptedParts)ai.getAssertion();
+ if (p.isBody() && !signed.contains(msg.getVersion().getBody())) {
+ ai.setNotAsserted(msg.getVersion().getBody() + " not " + type);
+ return;
+ }
+ for (Header h : p.getHeaders()) {
+ if (!signed.contains(h.getQName())) {
+ boolean found = false;
+ Element nd = DOMUtils.getFirstElement(doc.getSOAPHeader());
+ while (nd != null && !found) {
+ if (h.getNamespace().equals(nd.getNamespaceURI())
+ && (nd.getLocalName().equals(h.getName())
+ || h.getName() == null)) {
+ found = true;
+ }
+ nd = DOMUtils.getNextElement(nd);
+ }
+ if (found) {
+ ai.setNotAsserted(h.getQName() + " not + " + type);
+ return;
+ }
+ }
+ }
+
+ }
+ }
+ }
+ protected void computeAction(SoapMessage message, RequestData data) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ // extract Assertion information
+ String action = getString(WSHandlerConstants.ACTION, message);
+ if (action == null) {
+ action = "";
+ }
+ if (aim != null) {
+ if (containsPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP)) {
+ action = addToAction(action, WSHandlerConstants.TIMESTAMP, true);
+ }
+ if (containsPolicy(aim, SP12Constants.USERNAME_TOKEN)) {
+ if (isRequestor(message)) {
+ assertPolicy(aim, SP12Constants.USERNAME_TOKEN);
+ } else {
+ action = addToAction(action, WSHandlerConstants.USERNAME_TOKEN, true);
+ }
+ }
+
+ //relatively irrelevant stuff from a verification standpoint
+ assertPolicy(aim, SP12Constants.LAYOUT);
+ assertPolicy(aim, SP12Constants.WSS10);
+ assertPolicy(aim, SP12Constants.TRUST_13);
+ assertPolicy(aim, SP11Constants.TRUST_10);
+
+ //things that DO impact setup
+ handleWSS11(aim, message);
+ action = checkAsymetricBinding(aim, action, message);
+ action = checkSymetricBinding(aim, action, message);
+
+ //stuff we can default to asserted an un-assert if a condition isn't met
+ assertPolicy(aim, SP12Constants.KEYVALUE_TOKEN);
+ assertPolicy(aim, SP12Constants.X509_TOKEN);
+
+ message.put(WSHandlerConstants.ACTION, action.trim());
+ }
+ }
+
+ enum Protections {
+ NONE,
+ SIGN,
+ ENCRYPT,
+ SIGN_ENCRYPT,
+ ENCRYPT_SIGN,
+ ENCRYPT_SIGN_PROTECT,
+ };
+ private Protections addSign(Protections prots) {
+ if (prots == Protections.NONE) {
+ return Protections.SIGN;
+ }
+ if (prots == Protections.ENCRYPT) {
+ return Protections.ENCRYPT_SIGN;
+ }
+ return prots;
+ }
+ private Protections addEncrypt(Protections prots) {
+ if (prots == Protections.NONE) {
+ return Protections.ENCRYPT;
+ }
+ if (prots == Protections.SIGN) {
+ return Protections.SIGN_ENCRYPT;
+ }
+ if (prots == Protections.ENCRYPT_SIGN
+ || prots == Protections.SIGN_ENCRYPT) {
+ return Protections.ENCRYPT_SIGN_PROTECT;
+ }
+ return prots;
+ }
+
+ protected void doResults(SoapMessage msg, String actor,
+ SOAPMessage doc, Vector results) throws SOAPException, XMLStreamException {
+ AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
+ Collection<QName> signed = new HashSet<QName>();
+ Collection<QName> encrypted = new HashSet<QName>();
+ boolean hasDerivedKeys = false;
+ boolean hasEndorsement = false;
+ Protections prots = Protections.NONE;
+
+ for (int j = 0; j < results.size(); j++) {
+ WSSecurityEngineResult wser =
+ (WSSecurityEngineResult) results.get(j);
+ Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ switch (actInt.intValue()) {
+ case WSConstants.SIGN:
+ List<WSDataRef> sl = CastUtils.cast((List<?>)wser
+ .get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ if (sl != null) {
+ if (sl.size() == 1
+ && sl.get(0).getName().equals(new QName(WSConstants.SIG_NS, WSConstants.SIG_LN))) {
+ //endorsing the signature
+ hasEndorsement = true;
+ break;
+ }
+ for (WSDataRef r : sl) {
+ signed.add(r.getName());
+ }
+ prots = addSign(prots);
+ }
+ break;
+ case WSConstants.ENCR:
+ List<WSDataRef> el = CastUtils.cast((List<?>)wser
+ .get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ if (el != null) {
+ for (WSDataRef r : el) {
+ encrypted.add(r.getName());
+ }
+ prots = addEncrypt(prots);
+ }
+ break;
+ case WSConstants.UT:
+ assertPolicy(aim, SP12Constants.USERNAME_TOKEN);
+ break;
+ case WSConstants.TS:
+ assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
+ break;
+ case WSConstants.DKT:
+ hasDerivedKeys = true;
+ break;
+ case WSConstants.SC:
+ assertPolicy(aim, SP12Constants.WSS11);
+ break;
+ default:
+ //System.out.println(actInt);
+ //anything else to process? Maybe check tokens for BKT requirements?
+ }
+ }
+ assertTokens(aim, SP12Constants.SIGNED_PARTS, signed, msg, doc, "signed");
+ assertTokens(aim, SP12Constants.ENCRYPTED_PARTS, signed, msg, doc, "encrypted");
+
+ assertAsymetricBinding(aim, msg, doc, prots, hasDerivedKeys);
+ assertSymetricBinding(aim, msg, doc, prots, hasDerivedKeys);
+ assertTransportBinding(aim);
+
+
+ //REVISIT - probably can verify some of these like if UT is encrypted and/or signed, etc...
+ assertPolicy(aim, SP12Constants.SIGNED_SUPPORTING_TOKENS);
+ assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+ assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
+ assertPolicy(aim, SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
+ if (hasEndorsement || isRequestor(msg)) {
+ assertPolicy(aim, SP12Constants.ENDORSING_SUPPORTING_TOKENS);
+ assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+ assertPolicy(aim, SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ }
+
+ super.doResults(msg, actor, doc, results);
+ }
+ private boolean assertSymetricBinding(AssertionInfoMap aim,
+ SoapMessage message,
+ SOAPMessage doc,
+ Protections prots,
+ boolean derived) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
+ if (ais == null) {
+ return true;
+ }
+
+ for (AssertionInfo ai : ais) {
+ SymmetricBinding abinding = (SymmetricBinding)ai.getAssertion();
+ ai.setAsserted(true);
+ if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
+ if (abinding.isSignatureProtection()) {
+ if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
+ ai.setNotAsserted("Not encrypted before signed and then protected");
+ }
+ } else if (prots != Protections.ENCRYPT_SIGN) {
+ ai.setNotAsserted("Not encrypted before signed");
+ }
+ } else if (prots != Protections.SIGN_ENCRYPT) {
+ ai.setNotAsserted("Not signed before encrypted");
+ }
+
+ if (abinding.getEncryptionToken() != null) {
+ assertPolicy(aim, abinding.getEncryptionToken());
+ assertPolicy(aim, abinding.getEncryptionToken().getToken(), derived);
+ }
+ if (abinding.getSignatureToken() != null) {
+ assertPolicy(aim, abinding.getSignatureToken());
+ assertPolicy(aim, abinding.getSignatureToken().getToken(), derived);
+ }
+ if (abinding.getProtectionToken() != null) {
+ assertPolicy(aim, abinding.getProtectionToken());
+ assertPolicy(aim, abinding.getProtectionToken().getToken(), derived);
+ }
+ }
+ return true;
+ }
+ private boolean assertAsymetricBinding(AssertionInfoMap aim,
+ SoapMessage message,
+ SOAPMessage doc,
+ Protections prots,
+ boolean derived) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
+ if (ais == null) {
+ return true;
+ }
+ for (AssertionInfo ai : ais) {
+ AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
+ ai.setAsserted(true);
+ if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
+ if (abinding.isSignatureProtection()) {
+ if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
+ ai.setNotAsserted("Not encrypted before signed and then protected");
+ }
+ } else if (prots != Protections.ENCRYPT_SIGN) {
+ ai.setNotAsserted("Not encrypted before signed");
+ }
+ } else if (prots != Protections.SIGN_ENCRYPT) {
+ ai.setNotAsserted("Not signed before encrypted");
+ }
+ assertPolicy(aim, abinding.getInitiatorToken());
+ assertPolicy(aim, abinding.getRecipientToken());
+ assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
+ assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
+ }
+ return true;
+ }
+ private boolean assertTransportBinding(AssertionInfoMap aim) {
+ assertPolicy(aim, SP12Constants.TRANSPORT_TOKEN);
+ assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
+ return !assertPolicy(aim, SP12Constants.TRANSPORT_BINDING);
+ }
+
+}
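Review bot: The EncryptedParts check in doResults, `assertTokens(aim, SP12Constants.ENCRYPTED_PARTS, signed, msg, doc, "encrypted");`, passes the `signed` set, so a policy that requires the body or a header to be encrypted is satisfied by a message that merely signed those parts; the `encrypted` set filled in the `WSConstants.ENCR` case is never read. It should be `assertTokens(aim, SP12Constants.ENCRYPTED_PARTS, encrypted, msg, doc, "encrypted");`. The header failure message in assertTokens also has a stray plus sign, `h.getQName() + " not + " + type`. Separately, getProps calls `url.openStream()` twice without closing the stream and maps any IOException to a silent `null`; wrap each load in try/finally that closes the stream and log the failure, since the null is stored as the RefId properties and presumably leaves WSS4J without a Crypto for signature verification or decryption.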
Propchange: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Sat Mar 7 17:41:07 2009
@@ -127,6 +127,7 @@
return doc;
}
+
public void handleMessage(SoapMessage msg) throws Fault {
SOAPMessage doc = getSOAPMessage(msg);
@@ -154,8 +155,7 @@
*/
try {
reqData.setMsgContext(msg);
- checkPolicies(msg, reqData);
-
+ computeAction(msg, reqData);
Vector actions = new Vector();
String action = getAction(msg, version);
@@ -257,7 +257,7 @@
LOG.warning("Security processing failed (actions mismatch)");
throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
}
-
+
doResults(msg, actor, doc, wsResult);
if (doTimeLog) {
@@ -286,7 +286,17 @@
}
}
- private void doResults(SoapMessage msg, String actor, SOAPMessage doc, Vector wsResult)
+ /**
+ * Do whatever is necessary to determine the action for the incoming message and
+ * do whatever other setup work is necessary.
+ *
+ * @param msg
+ * @param reqData
+ */
+ protected void computeAction(SoapMessage msg, RequestData reqData) {
+
+ }
+ protected void doResults(SoapMessage msg, String actor, SOAPMessage doc, Vector wsResult)
throws SOAPException, XMLStreamException {
/*
* All ok up to this point. Now construct and setup the security result
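Review bot: The new `computeAction` Javadoc carries empty `@param msg` and `@param reqData` tags and does not state the contract an override must meet; from the call site it runs immediately before `getAction(msg, version)`, so an implementation is presumably expected to leave the resolved action list in the message under `WSHandlerConstants.ACTION`. Either drop the empty tags or fill them, e.g. `@param msg the inbound SOAP message; overrides should store the computed action list under WSHandlerConstants.ACTION` and `@param reqData the WSS4J request data for this message`. `doResults` also becomes `protected` here with no Javadoc, so subclasses get no statement of whether they must call `super.doResults` (the new policy interceptor does). The body of doResults continues outside the hunk.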
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java Sat Mar 7 17:41:07 2009
@@ -131,7 +131,6 @@
RequestData reqData = new RequestData();
reqData.setMsgContext(mc);
- checkPolicies(mc, reqData);
/*
* The overall try, just to have a finally at the end to perform some
Modified: cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java (original)
+++ cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java Sat Mar 7 17:41:07 2009
@@ -129,10 +129,11 @@
pt.doubleIt(BigInteger.valueOf(25));
} catch (Exception ex) {
String msg = ex.getMessage();
- if (!msg.contains("UsernameToken: No user")) {
+ if (!msg.contains("UsernameToken")) {
throw ex;
}
}
+ ((BindingProvider)pt).getRequestContext().put(SecurityConstants.USERNAME, "bob");
((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_USERNAME, "bob");
((BindingProvider)pt).getRequestContext().put(SecurityConstants.PASSWORD, "pwd");
pt.doubleIt(BigInteger.valueOf(25));
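Review bot: Loosening the expected message from `"UsernameToken: No user"` to `"UsernameToken"` makes this negative test accept any UsernameToken-related failure, not just the missing-user case it was written for; if the message text changed with the new policy validation, pin the new exact phrase instead. The try block (which opens above the hunk) also passes silently if no exception is thrown at all, so consider adding a `fail("expected UsernameToken failure");` right after the first `pt.doubleIt(BigInteger.valueOf(25));`.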