Posted to commits@cxf.apache.org by co...@apache.org on 2014/01/16 12:55:09 UTC
svn commit: r1558765 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/
systests/...
Author: coheigea
Date: Thu Jan 16 11:55:08 2014
New Revision: 1558765
URL: http://svn.apache.org/r1558765
Log:
Changed DefaultCryptoCoverageChecker to require UsernameTokens to be encrypted by default
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageChecker.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageCheckerTest.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/CryptoCoverageCheckerTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/stax-server.xml
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java?rev=1558765&r1=1558764&r2=1558765&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java Thu Jan 16 11:55:08 2014
@@ -58,15 +58,6 @@ import org.apache.wss4j.dom.util.WSSecur
* coverage based on the results of the WSS4J processors. This interceptor
* provides an alternative to using WS-Policy based configuration for crypto
* coverage enforcement.
- * <p/>
- * Note that the processor must properly address the Security Token
- * Reference Dereference transform in the case of a signed security token
- * such as a SAML assertion. Consequently, a version of WSS4J that properly
- * addresses this transform must be used with this utility if you wish to
- * check coverage over a message part referenced through the Security Token
- * Reference Dereference transform.
- * See <a href="https://issues.apache.org/jira/browse/WSS-222">WSS-222</a>
- * for more details.
*/
public class CryptoCoverageChecker extends AbstractSoapInterceptor {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java?rev=1558765&r1=1558764&r2=1558765&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java Thu Jan 16 11:55:08 2014
@@ -27,10 +27,12 @@ import org.apache.wss4j.dom.WSConstants;
/**
* This utility extends the CryptoCoverageChecker to provide an easy way to check to see
* if the SOAP (1.1 + 1.2) Body was signed and/or encrypted, if the Timestamp was signed,
- * and if the WS-Addressing ReplyTo and FaultTo headers were signed.
+ * if the WS-Addressing ReplyTo and FaultTo headers were signed, and if the UsernameToken
+ * was encrypted.
*
- * The default configuration is that the SOAP Body, Timestamp must be signed, and WS-Addressing
- * ReplyTo and FaultTo headers must be signed (if they exist in the message payload).
+ * The default configuration is that the SOAP Body, Timestamp must be signed, WS-Addressing
+ * ReplyTo and FaultTo headers must be signed, and a WSS UsernameToken must be encrypted
+ * (if they exist in the message payload).
*/
public class DefaultCryptoCoverageChecker extends CryptoCoverageChecker {
@@ -44,6 +46,8 @@ public class DefaultCryptoCoverageChecke
private boolean signTimestamp;
private boolean encryptBody;
private boolean signAddressingHeaders;
+ private boolean signUsernameToken;
+ private boolean encryptUsernameToken;
/**
* Creates a new instance. Enforces that the SOAP Body, Timestamp, and WS-Addressing
@@ -66,6 +70,9 @@ public class DefaultCryptoCoverageChecke
// Sign Addressing Headers
setSignAddressingHeaders(true);
+
+ // Encrypt UsernameToken
+ setEncryptUsernameToken(true);
}
public boolean isSignBody() {
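Review bot: The constructor now enforces UsernameToken encryption (L78), but its Javadoc, whose first sentence appears as context at L71-L72 ("Enforces that the SOAP Body, Timestamp, and WS-Addressing …") and continues outside the hunk, is not touched by the commit and still enumerates only the signature defaults. It should gain a sentence in line with the updated class comment, e.g. `* headers are signed, and that a WSS UsernameToken, if present, is encrypted.`; the constructor body itself starts before this hunk. The same check applies to the StaxCryptoCoverageChecker constructor change at L177, whose Javadoc is not visible in this diff. The `// Encrypt UsernameToken` comment at L77 only restates the call; a why-comment such as `// Default-on: a UsernameToken carries credentials, so require confidentiality unless explicitly disabled` would explain why this default differs from the sign-only defaults above it.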
@@ -219,5 +226,75 @@ public class DefaultCryptoCoverageChecke
}
}
}
+
+ public boolean isEncryptUsernameToken() {
+ return encryptUsernameToken;
+ }
+
+ public void setEncryptUsernameToken(boolean encryptUsernameToken) {
+ this.encryptUsernameToken = encryptUsernameToken;
+
+ XPathExpression soap11Expression =
+ new XPathExpression(
+ "/soapenv:Envelope/soapenv:Header/wsse:Security/wsse:UsernameToken",
+ CoverageType.ENCRYPTED
+ );
+ XPathExpression soap12Expression =
+ new XPathExpression(
+ "/soapenv12:Envelope/soapenv12:Header/wsse:Security/wsse:UsernameToken",
+ CoverageType.ENCRYPTED
+ );
+
+ if (encryptUsernameToken) {
+ if (!xPaths.contains(soap11Expression)) {
+ xPaths.add(soap11Expression);
+ }
+ if (!xPaths.contains(soap12Expression)) {
+ xPaths.add(soap12Expression);
+ }
+ } else {
+ if (xPaths.contains(soap11Expression)) {
+ xPaths.remove(soap11Expression);
+ }
+ if (xPaths.contains(soap12Expression)) {
+ xPaths.remove(soap12Expression);
+ }
+ }
+ }
+
+ public boolean isSignUsernameToken() {
+ return signUsernameToken;
+ }
+
+ public void setSignUsernameToken(boolean signUsernameToken) {
+ this.signUsernameToken = signUsernameToken;
+
+ XPathExpression soap11Expression =
+ new XPathExpression(
+ "/soapenv:Envelope/soapenv:Header/wsse:Security/wsse:UsernameToken",
+ CoverageType.SIGNED
+ );
+ XPathExpression soap12Expression =
+ new XPathExpression(
+ "/soapenv12:Envelope/soapenv12:Header/wsse:Security/wsse:UsernameToken",
+ CoverageType.SIGNED
+ );
+
+ if (signUsernameToken) {
+ if (!xPaths.contains(soap11Expression)) {
+ xPaths.add(soap11Expression);
+ }
+ if (!xPaths.contains(soap12Expression)) {
+ xPaths.add(soap12Expression);
+ }
+ } else {
+ if (xPaths.contains(soap11Expression)) {
+ xPaths.remove(soap11Expression);
+ }
+ if (xPaths.contains(soap12Expression)) {
+ xPaths.remove(soap12Expression);
+ }
+ }
+ }
}
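Review bot: setEncryptUsernameToken (L90-L119) and setSignUsernameToken (L125-L154) repeat the same add-or-remove logic over the same two XPath strings, differing only in the CoverageType and the flag, and the `contains` guard before each `remove` is redundant because removing an absent element is already a no-op. A private helper taking the flag and the CoverageType removes the duplication and keeps the two XPath strings in one place, as sketched below; note that both `contains` and `remove` rely on XPathExpression defining value equality, which this hunk does not show. Both new public setters also lack Javadoc; since the constructor now turns the encryption check on, the setter should say so, e.g. `/** Whether a wsse:UsernameToken, if present in the Security header, must be encrypted. Enabled by default; deployments that rely on transport protection alone must disable it explicitly. */`.
```java
public void setEncryptUsernameToken(boolean encryptUsernameToken) {
    this.encryptUsernameToken = encryptUsernameToken;
    updateUsernameTokenCoverage(encryptUsernameToken, CoverageType.ENCRYPTED);
}

// … unchanged: isSignUsernameToken getter …

public void setSignUsernameToken(boolean signUsernameToken) {
    this.signUsernameToken = signUsernameToken;
    updateUsernameTokenCoverage(signUsernameToken, CoverageType.SIGNED);
}

// Adds (required == true) or removes the SOAP 1.1 and 1.2 UsernameToken
// expressions for one coverage type, without creating duplicates.
private void updateUsernameTokenCoverage(boolean required, CoverageType type) {
    XPathExpression soap11Expression = new XPathExpression(
        "/soapenv:Envelope/soapenv:Header/wsse:Security/wsse:UsernameToken", type);
    XPathExpression soap12Expression = new XPathExpression(
        "/soapenv12:Envelope/soapenv12:Header/wsse:Security/wsse:UsernameToken", type);
    for (XPathExpression expression : new XPathExpression[] {soap11Expression, soap12Expression}) {
        if (required) {
            if (!xPaths.contains(expression)) {
                xPaths.add(expression);
            }
        } else {
            xPaths.remove(expression);
        }
    }
}
```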
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageChecker.java?rev=1558765&r1=1558764&r2=1558765&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageChecker.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageChecker.java Thu Jan 16 11:55:08 2014
@@ -41,8 +41,8 @@ import org.apache.xml.security.stax.secu
/**
* This interceptor handles parsing the StaX WS-Security results (events) + checks that the
* specified crypto coverage events actually occurred. The default functionality is to enforce
- * that the SOAP Body, Timestamp, and WS-Addressing ReplyTo and FaultTo headers must be signed
- * (if they exist in the message payload).
+ * that the SOAP Body, Timestamp, and WS-Addressing ReplyTo and FaultTo headers must be signed,
+ * and the UsernameToken must be encrypted (if they exist in the message payload).
*
* Note that this interceptor must be explicitly added to the InInterceptor chain.
*/
@@ -71,6 +71,9 @@ public class StaxCryptoCoverageChecker e
// Sign Addressing Headers
setSignAddressingHeaders(true);
+
+ // Encrypt UsernameToken
+ setEncryptUsernameToken(true);
}
@Override
Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java?rev=1558765&r1=1558764&r2=1558765&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java (original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java Thu Jan 16 11:55:08 2014
@@ -38,7 +38,8 @@ import org.junit.Test;
/**
* Test the DefaultCryptoCoverageChecker, which extends the CryptoCoverageChecker to provide
* an easier way to check to see if the SOAP (1.1 + 1.2) Body was signed and/or encrypted, if
- * the Timestamp was signed, and if the WS-Addressing ReplyTo and FaultTo headers were signed.
+ * the Timestamp was signed, and if the WS-Addressing ReplyTo and FaultTo headers were signed,
+ * and if a UsernameToken was encrypted.
*/
public class DefaultCryptoCoverageCheckerTest extends AbstractSecurityTest {
Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageCheckerTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageCheckerTest.java?rev=1558765&r1=1558764&r2=1558765&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageCheckerTest.java (original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/StaxCryptoCoverageCheckerTest.java Thu Jan 16 11:55:08 2014
@@ -240,6 +240,8 @@ public class StaxCryptoCoverageCheckerTe
properties.setCallbackHandler(new TestPwdCallback());
WSS4JStaxOutInterceptor ohandler = new WSS4JStaxOutInterceptor(properties);
client.getOutInterceptors().add(ohandler);
+
+ checker.setEncryptUsernameToken(false);
assertEquals("test", echo.echo("test"));
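Review bot: The added `checker.setEncryptUsernameToken(false)` at L204 opts this test out of the new default without a comment, so a reader cannot tell whether the scenario deliberately exercises an unencrypted UsernameToken or the line merely keeps a pre-existing test green after r1558765. State the reason inline, e.g. `// This scenario deliberately sends an unencrypted UsernameToken; disable the encryption requirement that is on by default since r1558765`. The enclosing test method, and the place where `checker` is created, both lie outside this hunk.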
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/CryptoCoverageCheckerTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/CryptoCoverageCheckerTest.java?rev=1558765&r1=1558764&r2=1558765&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/CryptoCoverageCheckerTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/CryptoCoverageCheckerTest.java Thu Jan 16 11:55:08 2014
@@ -35,6 +35,7 @@ import org.apache.cxf.systest.ws.common.
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JStaxOutInterceptor;
+import org.apache.wss4j.dom.WSConstants;
import org.example.contract.doubleit.DoubleItPortType;
import org.junit.BeforeClass;
import org.junit.runner.RunWith;
@@ -630,4 +631,105 @@ public class CryptoCoverageCheckerTest e
bus.shutdown(true);
}
+ @org.junit.Test
+ public void testEncryptedUsernameToken() throws Exception {
+
+ if (!unrestrictedPoliciesInstalled) {
+ return;
+ }
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = CryptoCoverageCheckerTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = CryptoCoverageCheckerTest.class.getResource("DoubleItCoverageChecker.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItEncryptedUsernameTokenPort");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, test.getPort());
+
+ Map<String, Object> outProps = new HashMap<String, Object>();
+ outProps.put("action", "UsernameToken Encrypt");
+ outProps.put("encryptionPropFile", "bob.properties");
+ outProps.put("user", "alice");
+ outProps.put("encryptionUser", "bob");
+ outProps.put("passwordCallbackClass",
+ "org.apache.cxf.systest.ws.common.KeystorePasswordCallback");
+ outProps.put("encryptionParts",
+ "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;"
+ + "{Element}{" + WSConstants.WSSE_NS + "}UsernameToken;");
+
+ if (test.isStreaming()) {
+ SecurityTestUtil.enableStreaming(port);
+ }
+
+ if (test.isStreaming()) {
+ WSS4JStaxOutInterceptor staxOutInterceptor = new WSS4JStaxOutInterceptor(outProps);
+ bus.getOutInterceptors().add(staxOutInterceptor);
+ } else {
+ WSS4JOutInterceptor outInterceptor = new WSS4JOutInterceptor(outProps);
+ bus.getOutInterceptors().add(outInterceptor);
+ }
+
+ port.doubleIt(25);
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testNotEncryptedUsernameToken() throws Exception {
+
+ if (!unrestrictedPoliciesInstalled) {
+ return;
+ }
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = CryptoCoverageCheckerTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = CryptoCoverageCheckerTest.class.getResource("DoubleItCoverageChecker.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItEncryptedUsernameTokenPort");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, test.getPort());
+
+ Map<String, Object> outProps = new HashMap<String, Object>();
+ outProps.put("action", "UsernameToken Encrypt");
+ outProps.put("encryptionPropFile", "bob.properties");
+ outProps.put("user", "alice");
+ outProps.put("encryptionUser", "bob");
+ outProps.put("passwordCallbackClass",
+ "org.apache.cxf.systest.ws.common.KeystorePasswordCallback");
+ outProps.put("encryptionParts",
+ "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+
+ if (test.isStreaming()) {
+ SecurityTestUtil.enableStreaming(port);
+ }
+
+ if (test.isStreaming()) {
+ WSS4JStaxOutInterceptor staxOutInterceptor = new WSS4JStaxOutInterceptor(outProps);
+ bus.getOutInterceptors().add(staxOutInterceptor);
+ } else {
+ WSS4JOutInterceptor outInterceptor = new WSS4JOutInterceptor(outProps);
+ bus.getOutInterceptors().add(outInterceptor);
+ }
+
+ try {
+ port.doubleIt(25);
+ fail("Failure expected on not encrypting the UsernameToken");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
}
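Review bot: testNotEncryptedUsernameToken (L313-L318) treats any `Exception` from `port.doubleIt(25)` as the expected coverage failure, so a misconfigured endpoint, a refused connection or a decryption error would also make the negative test pass. Narrow the catch to the fault type the client typically surfaces for a server-side rejection, e.g. `} catch (javax.xml.ws.soap.SOAPFaultException ex) {`, and assert on the fault message if the coverage checker's wording is stable. The two tests differ only in the `encryptionParts` value (L249-L251 versus L298-L299) and the expected outcome; extracting the bus, port and interceptor setup into a private helper would make that single difference visible. In both tests `close()` and `bus.shutdown(true)` run outside any `finally`, so a failed assertion leaves the bus running for the rest of the class.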
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl?rev=1558765&r1=1558764&r2=1558765&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl Thu Jan 16 11:55:08 2014
@@ -68,5 +68,8 @@
<wsdl:port name="DoubleItClientCheckerPort2" binding="tns:DoubleItSoapBinding">
<soap:address location="http://localhost:9001/DoubleItClientChecker2"/>
</wsdl:port>
+ <wsdl:port name="DoubleItEncryptedUsernameTokenPort" binding="tns:DoubleItSoapBinding">
+ <soap:address location="http://localhost:9001/DoubleItEncryptedUsernameToken"/>
+ </wsdl:port>
</wsdl:service>
</wsdl:definitions>
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client.xml?rev=1558765&r1=1558764&r2=1558765&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client.xml Thu Jan 16 11:55:08 2014
@@ -76,4 +76,6 @@
</bean>
</jaxws:inFaultInterceptors>
</jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItEncryptedUsernameTokenPort" createdFromAPI="true">
+ </jaxws:client>
</beans>
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server.xml?rev=1558765&r1=1558764&r2=1558765&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server.xml Thu Jan 16 11:55:08 2014
@@ -132,4 +132,20 @@
</bean>
</jaxws:outFaultInterceptors>
</jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="EncryptedUsernameToken" address="http://localhost:${testutil.ports.Server}/DoubleItEncryptedUsernameToken" serviceName="s:DoubleItService" endpointName="s:DoubleItEncryptedUsernameTokenPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl">
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Encrypt UsernameToken"/>
+ <entry key="decryptionPropFile" value="bob.properties"/>
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ <bean class="org.apache.cxf.ws.security.wss4j.DefaultCryptoCoverageChecker">
+ <property name="signBody" value="false"/>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
</beans>
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/stax-server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/stax-server.xml?rev=1558765&r1=1558764&r2=1558765&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/stax-server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/stax-server.xml Thu Jan 16 11:55:08 2014
@@ -92,4 +92,20 @@
<wsa:addressing xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
</jaxws:features>
</jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="EncryptedUsernameToken" address="http://localhost:${testutil.ports.StaxServer}/DoubleItEncryptedUsernameToken" serviceName="s:DoubleItService" endpointName="s:DoubleItEncryptedUsernameTokenPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl">
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Encrypt UsernameToken"/>
+ <entry key="decryptionPropFile" value="bob.properties"/>
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ <bean class="org.apache.cxf.ws.security.wss4j.StaxCryptoCoverageChecker">
+ <property name="signBody" value="false"/>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
</beans>