Posted to commits@cxf.apache.org by co...@apache.org on 2013/10/21 15:32:50 UTC
svn commit: r1534146 -
/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
Author: coheigea
Date: Mon Oct 21 13:32:50 2013
New Revision: 1534146
URL: http://svn.apache.org/r1534146
Log:
Consolidated some common code between DOM + StAX WS-Security code
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1534146&r1=1534145&r2=1534146&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Mon Oct 21 13:32:50 2013
@@ -25,7 +25,6 @@ import java.net.URL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
-import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
@@ -57,7 +56,6 @@ import org.apache.cxf.Bus;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.saaj.SAAJUtils;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
-import org.apache.cxf.common.i18n.Message;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.endpoint.Endpoint;
@@ -71,7 +69,6 @@ import org.apache.cxf.service.model.Endp
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyConstants;
-import org.apache.cxf.ws.policy.PolicyException;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
@@ -151,7 +148,7 @@ import org.opensaml.common.SAMLVersion;
/**
*
*/
-public abstract class AbstractBindingBuilder {
+public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandler {
public static final String CRYPTO_CACHE = "ws-security.crypto.cache";
protected static final Logger LOG = LogUtils.getL7dLogger(AbstractBindingBuilder.class);
@@ -163,7 +160,6 @@ public abstract class AbstractBindingBui
protected WSSecHeader secHeader;
protected AssertionInfoMap aim;
protected AbstractBinding binding;
- protected SoapMessage message;
protected WSSecTimestamp timestampEl;
protected String mainSigId;
protected List<WSEncryptionPart> sigConfList;
@@ -192,12 +188,12 @@ public abstract class AbstractBindingBui
WSSecHeader secHeader,
AssertionInfoMap aim,
SoapMessage message) {
+ super(message);
this.wssConfig = config;
this.binding = binding;
this.aim = aim;
this.secHeader = secHeader;
this.saaj = saaj;
- this.message = message;
message.getExchange().put(WSHandlerConstants.SEND_SIGV, signatures);
}
@@ -284,116 +280,6 @@ public abstract class AbstractBindingBui
topDownElement = el;
}
- protected boolean isRequestor() {
- return MessageUtils.isRequestor(message);
- }
-
- protected Collection<AssertionInfo> getAllAssertionsByLocalname(String localname) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
-
- protected void policyNotAsserted(Assertion assertion, Exception reason) {
- if (assertion == null) {
- return;
- }
- if (LOG.isLoggable(Level.FINE)) {
- LOG.log(Level.FINE, "Not asserting " + assertion.getName() + ": " + reason);
- }
- Collection<AssertionInfo> ais = aim.get(assertion.getName());
- if (ais != null) {
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == assertion) {
- ai.setNotAsserted(reason.getMessage());
- }
- }
- }
- if (!assertion.isOptional()) {
- throw new PolicyException(new Message(reason.getMessage(), LOG), reason);
- }
- }
-
- protected void policyNotAsserted(Assertion assertion, String reason) {
- if (assertion == null) {
- return;
- }
- if (LOG.isLoggable(Level.FINE)) {
- LOG.log(Level.FINE, "Not asserting " + assertion.getName() + ": " + reason);
- }
- Collection<AssertionInfo> ais = aim.get(assertion.getName());
- if (ais != null) {
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == assertion) {
- ai.setNotAsserted(reason);
- }
- }
- }
- if (!assertion.isOptional()) {
- throw new PolicyException(new Message(reason, LOG));
- }
- }
-
- protected void policyAsserted(Assertion assertion) {
- if (assertion == null) {
- return;
- }
- if (LOG.isLoggable(Level.FINE)) {
- LOG.log(Level.FINE, "Asserting " + assertion.getName());
- }
- Collection<AssertionInfo> ais = aim.get(assertion.getName());
- if (ais != null) {
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == assertion) {
- ai.setAsserted(true);
- }
- }
- }
- }
-
- protected void policyAsserted(QName n) {
- Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
- if (ais != null && !ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- }
- }
-
- protected void policyAsserted(String localname) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(localname);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- }
- }
-
- protected Collection<Assertion> findAndAssertPolicy(QName n) {
- Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
- if (ais != null && !ais.isEmpty()) {
- List<Assertion> p = new ArrayList<Assertion>(ais.size());
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- p.add(ai.getAssertion());
- }
- return p;
- }
- return null;
- }
-
protected final Map<Object, Crypto> getCryptoCache() {
EndpointInfo info = message.getExchange().get(Endpoint.class).getEndpointInfo();
synchronized (info) {
@@ -445,7 +331,9 @@ public abstract class AbstractBindingBui
ai.setNotAsserted(SPConstants.LAYOUT_LAX_TIMESTAMP_LAST + " requires a timestamp");
} else {
ai.setAsserted(true);
- policyAsserted(SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
+ assertPolicy(
+ new QName(layout.getName().getNamespaceURI(),
+ SPConstants.LAYOUT_LAX_TIMESTAMP_LAST));
Element el = timestamp.getElement();
secHeader.getSecurityHeader().appendChild(el);
if (bottomUpElement == null) {
@@ -457,14 +345,18 @@ public abstract class AbstractBindingBui
ai.setNotAsserted(SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST + " requires a timestamp");
} else {
addTopDownElement(timestampEl.getElement());
- policyAsserted(SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
+ assertPolicy(
+ new QName(layout.getName().getNamespaceURI(),
+ SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST));
}
} else if (timestampEl != null) {
addTopDownElement(timestampEl.getElement());
}
- policyAsserted(SPConstants.LAYOUT_LAX);
- policyAsserted(SPConstants.LAYOUT_STRICT);
+ assertPolicy(
+ new QName(layout.getName().getNamespaceURI(), SPConstants.LAYOUT_LAX));
+ assertPolicy(
+ new QName(layout.getName().getNamespaceURI(), SPConstants.LAYOUT_STRICT));
}
} else if (timestampEl != null) {
addTopDownElement(timestampEl.getElement());
@@ -479,7 +371,7 @@ public abstract class AbstractBindingBui
for (Assertion pa : suppTokens) {
if (pa instanceof SupportingTokens) {
for (AbstractToken token : ((SupportingTokens)pa).getTokens()) {
- this.policyAsserted(token);
+ this.assertPolicy(token);
}
}
}
@@ -664,21 +556,6 @@ public abstract class AbstractBindingBui
return (Element)secHeader.getSecurityHeader().getOwnerDocument().importNode(el, true);
}
- protected SecurityToken getSecurityToken() {
- SecurityToken st = (SecurityToken)message.getContextualProperty(SecurityConstants.TOKEN);
- if (st == null) {
- String id = (String)message.getContextualProperty(SecurityConstants.TOKEN_ID);
- if (id != null) {
- st = getTokenStore().getToken(id);
- }
- }
- if (st != null) {
- getTokenStore().add(st);
- return st;
- }
- return null;
- }
-
protected void addSignatureParts(Map<AbstractToken, Object> tokenMap,
List<WSEncryptionPart> sigParts) {
@@ -835,7 +712,8 @@ public abstract class AbstractBindingBui
if (token.getPasswordType() == UsernameToken.PasswordType.NoPassword) {
utBuilder.setUserInfo(userName, null);
utBuilder.setPasswordType(null);
- policyAsserted(SPConstants.NO_PASSWORD);
+ assertPolicy(
+ new QName(token.getName().getNamespaceURI(), SPConstants.NO_PASSWORD));
} else {
String password = (String)message.getContextualProperty(SecurityConstants.PASSWORD);
if (StringUtils.isEmpty(password)) {
@@ -846,7 +724,9 @@ public abstract class AbstractBindingBui
// If the password is available then build the token
if (token.getPasswordType() == UsernameToken.PasswordType.HashPassword) {
utBuilder.setPasswordType(WSConstants.PASSWORD_DIGEST);
- policyAsserted(SPConstants.HASH_PASSWORD);
+ assertPolicy(
+ new QName(token.getName().getNamespaceURI(),
+ SPConstants.HASH_PASSWORD));
} else {
utBuilder.setPasswordType(WSConstants.PASSWORD_TEXT);
}
@@ -859,16 +739,18 @@ public abstract class AbstractBindingBui
if (token.isCreated() && token.getPasswordType() != UsernameToken.PasswordType.HashPassword) {
utBuilder.addCreated();
- policyAsserted(SP13Constants.CREATED);
+ assertPolicy(SP13Constants.CREATED);
}
if (token.isNonce() && token.getPasswordType() != UsernameToken.PasswordType.HashPassword) {
utBuilder.addNonce();
- policyAsserted(SP13Constants.NONCE);
+ assertPolicy(SP13Constants.NONCE);
}
info.setAsserted(true);
- policyAsserted(SPConstants.USERNAME_TOKEN10);
- policyAsserted(SPConstants.USERNAME_TOKEN11);
+ assertPolicy(
+ new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN10));
+ assertPolicy(
+ new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN11));
return utBuilder;
} else {
policyNotAsserted(token, "No username available");
@@ -909,8 +791,10 @@ public abstract class AbstractBindingBui
}
info.setAsserted(true);
- policyAsserted(SPConstants.USERNAME_TOKEN10);
- policyAsserted(SPConstants.USERNAME_TOKEN11);
+ assertPolicy(
+ new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN10));
+ assertPolicy(
+ new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN11));
return utBuilder;
} else {
policyNotAsserted(token, "No username available");
@@ -973,11 +857,14 @@ public abstract class AbstractBindingBui
SamlTokenType tokenType = token.getSamlTokenType();
if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) {
samlCallback.setSamlVersion(SAMLVersion.VERSION_11);
- policyAsserted("WssSamlV11Token10");
- policyAsserted("WssSamlV11Token11");
+ assertPolicy(
+ new QName(token.getName().getNamespaceURI(), "WssSamlV11Token10"));
+ assertPolicy(
+ new QName(token.getName().getNamespaceURI(), "WssSamlV11Token11"));
} else if (tokenType == SamlTokenType.WssSamlV20Token11) {
samlCallback.setSamlVersion(SAMLVersion.VERSION_20);
- policyAsserted("WssSamlV20Token11");
+ assertPolicy(
+ new QName(token.getName().getNamespaceURI(), "WssSamlV20Token11"));
}
SAMLUtil.doSAMLCallback(handler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
@@ -1634,13 +1521,13 @@ public abstract class AbstractBindingBui
tokenTypeSet = true;
}
- policyAsserted(token);
- policyAsserted(wrapper);
+ assertPolicy(token);
+ assertPolicy(wrapper);
if (!tokenTypeSet) {
if (token.getIncludeTokenType() == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
Wss10 wss = getWss10();
- policyAsserted(wss);
+ assertPolicy(wss);
if (wss == null || wss.isMustSupportRefKeyIdentifier()) {
secBase.setKeyIdentifierType(WSConstants.SKI_KEY_IDENTIFIER);
} else if (wss.isMustSupportRefIssuerSerial()) {
@@ -1744,24 +1631,6 @@ public abstract class AbstractBindingBui
return null;
}
- protected Wss10 getWss10() {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(SPConstants.WSS10);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- return (Wss10)ai.getAssertion();
- }
- }
-
- ais = getAllAssertionsByLocalname(SPConstants.WSS11);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- return (Wss10)ai.getAssertion();
- }
- }
-
- return null;
- }
-
private void checkForX509PkiPath(WSSecSignature sig, AbstractToken token) {
if (token instanceof X509Token) {
X509Token x509Token = (X509Token) token;
@@ -1786,8 +1655,8 @@ public abstract class AbstractBindingBui
checkForX509PkiPath(sig, token);
boolean alsoIncludeToken = false;
if (token instanceof IssuedToken || token instanceof SamlToken) {
- policyAsserted(token);
- policyAsserted(wrapper);
+ assertPolicy(token);
+ assertPolicy(wrapper);
SecurityToken securityToken = getSecurityToken();
String tokenType = securityToken.getTokenType();
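Review bot: `getSecurityToken()` can return null (the base-class version it now resolves to returns null when neither `SecurityConstants.TOKEN` nor `SecurityConstants.TOKEN_ID` yields a token), yet the line directly after the new `assertPolicy(token)`/`assertPolicy(wrapper)` calls dereferences it with `securityToken.getTokenType()`, so a missing token surfaces as a NullPointerException rather than as a policy failure. Routing it through the existing reporting path keeps the failure mode consistent with the rest of the builder, e.g. `if (securityToken == null) { policyNotAsserted(token, "No security token available"); }` before the dereference; for an optional token the method would still need to bail out, which depends on a return type not visible here. The enclosing method starts and ends outside this hunk.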
@@ -2020,7 +1889,7 @@ public abstract class AbstractBindingBui
//Check for whether the token is attached in the message or not
boolean attached = false;
- if (includeToken(policyToken.getIncludeTokenType())) {
+ if (isTokenRequired(policyToken.getIncludeTokenType())) {
attached = true;
}
@@ -2296,7 +2165,8 @@ public abstract class AbstractBindingBui
}
}
- policyAsserted(SPConstants.REQUIRE_SIGNATURE_CONFIRMATION);
+ assertPolicy(
+ new QName(wss10.getName().getNamespaceURI(), SPConstants.REQUIRE_SIGNATURE_CONFIRMATION));
}
/**
@@ -2364,22 +2234,4 @@ public abstract class AbstractBindingBui
return part;
}
- protected boolean includeToken(IncludeTokenType inclusion) {
- if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
- return true;
- }
- if (isRequestor()) {
- if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
- || inclusion == IncludeTokenType.INCLUDE_TOKEN_ONCE) {
- return true;
- }
- } else {
- if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR) {
- return true;
- }
- }
- return false;
- }
-
-
}
Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java?rev=1534146&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java Mon Oct 21 13:32:50 2013
@@ -0,0 +1,388 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyhandlers;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.common.i18n.Message;
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.policy.PolicyException;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
+import org.apache.neethi.Assertion;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
+import org.apache.wss4j.policy.model.AbstractBinding;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
+import org.apache.wss4j.policy.model.Wss10;
+import org.apache.wss4j.policy.model.Wss11;
+import org.apache.xml.security.utils.Base64;
+
+/**
+ * Some common functionality to be shared between the two binding handlers (DOM + StAX)
+ */
+public abstract class AbstractCommonBindingHandler {
+ private static final Logger LOG = LogUtils.getL7dLogger(AbstractCommonBindingHandler.class);
+ protected final SoapMessage message;
+
+ public AbstractCommonBindingHandler(
+ SoapMessage msg
+ ) {
+ this.message = msg;
+ }
+
+ protected void policyNotAsserted(Assertion assertion, String reason) {
+ if (assertion == null) {
+ return;
+ }
+ LOG.log(Level.FINE, "Not asserting " + assertion.getName() + ": " + reason);
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ Collection<AssertionInfo> ais = aim.get(assertion.getName());
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ if (ai.getAssertion() == assertion) {
+ ai.setNotAsserted(reason);
+ }
+ }
+ }
+ if (!assertion.isOptional()) {
+ throw new PolicyException(new Message(reason, LOG));
+ }
+ }
+
+ protected void policyNotAsserted(Assertion assertion, Exception reason) {
+ if (assertion == null) {
+ return;
+ }
+ if (LOG.isLoggable(Level.FINE)) {
+ LOG.log(Level.FINE, "Not asserting " + assertion.getName() + ": " + reason);
+ }
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ Collection<AssertionInfo> ais = aim.get(assertion.getName());
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ if (ai.getAssertion() == assertion) {
+ ai.setNotAsserted(reason.getMessage());
+ }
+ }
+ }
+ if (!assertion.isOptional()) {
+ throw new PolicyException(new Message(reason.getMessage(), LOG), reason);
+ }
+ }
+
+ protected void assertAlgorithmSuite(AlgorithmSuite algorithmSuite) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ Collection<AssertionInfo> algorithmSuiteAis = aim.get(algorithmSuite.getName());
+ for (AssertionInfo ai : algorithmSuiteAis) {
+ ai.setAsserted(true);
+ }
+
+ AlgorithmSuiteType algorithmSuiteType = algorithmSuite.getAlgorithmSuiteType();
+ String namespace = algorithmSuiteType.getNamespace();
+ if (namespace != null) {
+ Collection<AssertionInfo> algAis =
+ aim.get(new QName(namespace, algorithmSuiteType.getName()));
+ if (algAis != null) {
+ for (AssertionInfo algAi : algAis) {
+ algAi.setAsserted(true);
+ }
+ }
+ }
+ }
+
+ protected void assertWSSProperties(String namespace) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ Collection<AssertionInfo> wss10Ais = aim.get(new QName(namespace, SPConstants.WSS10));
+ if (wss10Ais != null) {
+ for (AssertionInfo ai : wss10Ais) {
+ ai.setAsserted(true);
+ Wss10 wss10 = (Wss10)ai.getAssertion();
+ assertWSS10Properties(wss10);
+ }
+ }
+
+ Collection<AssertionInfo> wss11Ais = aim.get(new QName(namespace, SPConstants.WSS11));
+ if (wss11Ais != null) {
+ for (AssertionInfo ai : wss11Ais) {
+ ai.setAsserted(true);
+ Wss11 wss11 = (Wss11)ai.getAssertion();
+ assertWSS10Properties(wss11);
+
+ if (wss11.isMustSupportRefThumbprint()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_THUMBPRINT));
+ }
+ if (wss11.isMustSupportRefEncryptedKey()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY));
+ }
+ if (wss11.isRequireSignatureConfirmation()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION));
+ }
+ }
+ }
+ }
+
+ private void assertWSS10Properties(Wss10 wss10) {
+ String namespace = wss10.getName().getNamespaceURI();
+ if (wss10.isMustSupportRefEmbeddedToken()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN));
+ }
+ if (wss10.isMustSupportRefKeyIdentifier()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER));
+ }
+ if (wss10.isMustSupportRefIssuerSerial()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL));
+ }
+ if (wss10.isMustSupportRefExternalURI()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI));
+ }
+ }
+
+ protected void assertTrustProperties(String namespace) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ Collection<AssertionInfo> trust10Ais = aim.get(new QName(namespace, SPConstants.TRUST_10));
+ if (trust10Ais != null) {
+ for (AssertionInfo ai : trust10Ais) {
+ ai.setAsserted(true);
+ Trust10 trust10 = (Trust10)ai.getAssertion();
+ assertTrust10Properties(trust10);
+ }
+ }
+
+ Collection<AssertionInfo> trust13Ais = aim.get(new QName(namespace, SPConstants.TRUST_13));
+ if (trust13Ais != null) {
+ for (AssertionInfo ai : trust13Ais) {
+ ai.setAsserted(true);
+ Trust13 trust13 = (Trust13)ai.getAssertion();
+ assertTrust10Properties(trust13);
+
+ if (trust13.isRequireRequestSecurityTokenCollection()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION));
+ }
+ if (trust13.isRequireAppliesTo()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_APPLIES_TO));
+ }
+ if (trust13.isScopePolicy15()) {
+ assertPolicy(new QName(namespace, SPConstants.SCOPE_POLICY_15));
+ }
+ if (trust13.isMustSupportInteractiveChallenge()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_INTERACTIVE_CHALLENGE));
+ }
+ }
+ }
+ }
+
+ private void assertTrust10Properties(Trust10 trust10) {
+ String namespace = trust10.getName().getNamespaceURI();
+ if (trust10.isMustSupportClientChallenge()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE));
+ }
+ if (trust10.isMustSupportIssuedTokens()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_ISSUED_TOKENS));
+ }
+ if (trust10.isMustSupportServerChallenge()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE));
+ }
+ if (trust10.isRequireClientEntropy()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_CLIENT_ENTROPY));
+ }
+ if (trust10.isRequireServerEntropy()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_SERVER_ENTROPY));
+ }
+ }
+
+ protected Collection<AssertionInfo> getAllAssertionsByLocalname(String localname) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ return getAllAssertionsByLocalname(aim, localname);
+ }
+
+ protected Collection<AssertionInfo> getAllAssertionsByLocalname(
+ AssertionInfoMap aim,
+ String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+ if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+ Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+ if (sp11Ais != null) {
+ ais.addAll(sp11Ais);
+ }
+ if (sp12Ais != null) {
+ ais.addAll(sp12Ais);
+ }
+ return ais;
+ }
+
+ return Collections.emptySet();
+ }
+
+ protected SoapMessage getMessage() {
+ return message;
+ }
+
+ protected static String getSHA1(byte[] input) {
+ try {
+ byte[] digestBytes = WSSecurityUtil.generateDigest(input);
+ return Base64.encode(digestBytes);
+ } catch (WSSecurityException e) {
+ //REVISIT
+ }
+ return null;
+ }
+
+ protected AbstractBinding getBinding(AssertionInfoMap aim) {
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ if (ais != null && ais.size() > 0) {
+ return (AbstractBinding)ais.iterator().next().getAssertion();
+ }
+
+ ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ if (ais != null && ais.size() > 0) {
+ return (AbstractBinding)ais.iterator().next().getAssertion();
+ }
+
+ ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ if (ais != null && ais.size() > 0) {
+ return (AbstractBinding)ais.iterator().next().getAssertion();
+ }
+
+ return null;
+ }
+
+ protected boolean isRequestor() {
+ return MessageUtils.isRequestor(message);
+ }
+
+ protected boolean isTokenRequired(IncludeTokenType includeToken) {
+ if (includeToken == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
+ return false;
+ } else if (includeToken == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
+ return true;
+ } else {
+ boolean initiator = MessageUtils.isRequestor(message);
+ if (initiator && (includeToken == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
+ || includeToken == IncludeTokenType.INCLUDE_TOKEN_ONCE)) {
+ return true;
+ } else if (!initiator && includeToken == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR) {
+ return true;
+ }
+ return false;
+ }
+ }
+
+ protected Wss10 getWss10() {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.WSS10);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ return (Wss10)ai.getAssertion();
+ }
+ }
+
+ ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ return (Wss10)ai.getAssertion();
+ }
+ }
+
+ return null;
+ }
+
+ protected SecurityToken getSecurityToken() {
+ SecurityToken st = (SecurityToken)message.getContextualProperty(SecurityConstants.TOKEN);
+ if (st == null) {
+ String id = (String)message.getContextualProperty(SecurityConstants.TOKEN_ID);
+ if (id != null) {
+ st = WSS4JUtils.getTokenStore(message).getToken(id);
+ }
+ }
+ if (st != null) {
+ WSS4JUtils.getTokenStore(message).add(st);
+ return st;
+ }
+ return null;
+ }
+
+ protected Collection<Assertion> findAndAssertPolicy(QName n) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
+ if (ais != null && !ais.isEmpty()) {
+ List<Assertion> p = new ArrayList<Assertion>(ais.size());
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ p.add(ai.getAssertion());
+ }
+ return p;
+ }
+ return null;
+ }
+
+ protected void assertPolicy(QName n) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
+ if (ais != null && !ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ }
+ }
+
+ protected void assertPolicy(Assertion assertion) {
+ if (assertion == null) {
+ return;
+ }
+ if (LOG.isLoggable(Level.FINE)) {
+ LOG.log(Level.FINE, "Asserting " + assertion.getName());
+ }
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ Collection<AssertionInfo> ais = aim.get(assertion.getName());
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ if (ai.getAssertion() == assertion) {
+ ai.setAsserted(true);
+ }
+ }
+ }
+ }
+
+}
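Review bot: `assertAlgorithmSuite` iterates `aim.get(algorithmSuite.getName())` without a null check, while every other lookup in this class (`algAis`, `wss10Ais`, `wss11Ais`, `trust10Ais`, `trust13Ais`) guards against `aim.get` returning null, so a suite QName that is absent from the map throws a NullPointerException instead of simply not being asserted. A guard in the same style as the rest of the file suffices: `if (algorithmSuiteAis != null) { for (AssertionInfo ai : algorithmSuiteAis) { ai.setAsserted(true); } }`. Separately, `getSHA1` swallows `WSSecurityException` behind a `//REVISIT` and returns null, so a caller that uses the result as a key identifier gets a null reference with no trace of why; at minimum log the failure at FINE before returning null. The String overload of `policyNotAsserted` also logs with unguarded string concatenation, inconsistent with the `LOG.isLoggable(Level.FINE)` guard on the Exception overload just below it.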
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java?rev=1534146&r1=1534145&r2=1534146&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java Mon Oct 21 13:32:50 2013
@@ -24,14 +24,11 @@ import java.security.Key;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
-import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
@@ -41,18 +38,15 @@ import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import org.w3c.dom.Element;
+
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.classloader.ClassLoaderUtils;
-import org.apache.cxf.common.i18n.Message;
-import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.policy.PolicyException;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.neethi.Assertion;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.ext.WSPasswordCallback;
@@ -62,7 +56,6 @@ import org.apache.wss4j.common.saml.bean
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
@@ -108,14 +101,12 @@ import org.apache.xml.security.stax.secu
import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityTokenConstants;
import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
-import org.apache.xml.security.utils.Base64;
import org.opensaml.common.SAMLVersion;
/**
*
*/
-public abstract class AbstractStaxBindingHandler {
- private static final Logger LOG = LogUtils.getL7dLogger(AbstractStaxBindingHandler.class);
+public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHandler {
protected boolean timestampAdded;
protected boolean signatureConfirmationAdded;
protected Set<SecurePart> encryptedTokensList = new HashSet<SecurePart>();
@@ -127,15 +118,14 @@ public abstract class AbstractStaxBindin
protected Map<String, SecurityTokenProvider<OutboundSecurityToken>> outboundTokens;
private final Map<String, Object> properties;
- private final SoapMessage message;
public AbstractStaxBindingHandler(
Map<String, Object> properties,
SoapMessage msg,
Map<String, SecurityTokenProvider<OutboundSecurityToken>> outboundTokens
) {
+ super(msg);
this.properties = properties;
- this.message = msg;
this.outboundTokens = outboundTokens;
}
@@ -489,29 +479,11 @@ public abstract class AbstractStaxBindin
encryptedKeySecurityTokenProvider);
}
- protected void policyNotAsserted(Assertion assertion, String reason) {
- if (assertion == null) {
- return;
- }
- LOG.log(Level.FINE, "Not asserting " + assertion.getName() + ": " + reason);
- AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection<AssertionInfo> ais = aim.get(assertion.getName());
- if (ais != null) {
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == assertion) {
- ai.setNotAsserted(reason);
- }
- }
- }
- if (!assertion.isOptional()) {
- throw new PolicyException(new Message(reason, LOG));
- }
- }
-
protected void configureTimestamp(AssertionInfoMap aim) {
AbstractBinding binding = getBinding(aim);
if (binding != null && binding.isIncludeTimestamp()) {
timestampAdded = true;
+ assertPolicy(new QName(binding.getName().getNamespaceURI(), SPConstants.INCLUDE_TIMESTAMP));
}
}
@@ -520,6 +492,12 @@ public abstract class AbstractStaxBindin
Layout layout = null;
for (AssertionInfo ai : ais) {
layout = (Layout)ai.getAssertion();
+ Collection<AssertionInfo> layoutTypeAis = aim.get(layout.getName());
+ if (layoutTypeAis != null) {
+ for (AssertionInfo layoutAi : layoutTypeAis) {
+ layoutAi.setAsserted(true);
+ }
+ }
ai.setAsserted(true);
}
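Review bot: The inner loop added at lines 917-922 marks every AssertionInfo registered under `layout.getName()` as asserted regardless of which Layout assertion the outer loop is currently on, and `ai.setAsserted(true)` on the next line then repeats that for the current one. If `ais` was itself fetched from the map by that same QName the inner loop is redundant; if it was gathered by local name across the SP1.1/SP1.2 namespaces, it asserts sibling alternatives' Layout assertions without checking that their layout type was the one actually configured. A comment stating the intent, e.g. `// once the layout is configured every alternative carrying a Layout assertion is considered satisfied`, or a guard comparing `layoutAi.getAssertion()` with the layout that was applied, would make this checkable. configureLayout's signature and the source of `ais` are outside the hunk.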
@@ -546,76 +524,10 @@ public abstract class AbstractStaxBindin
}
}
- protected AbstractBinding getBinding(AssertionInfoMap aim) {
- Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
- if (ais != null && ais.size() > 0) {
- return (AbstractBinding)ais.iterator().next().getAssertion();
- }
-
- ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
- if (ais != null && ais.size() > 0) {
- return (AbstractBinding)ais.iterator().next().getAssertion();
- }
-
- ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
- if (ais != null && ais.size() > 0) {
- return (AbstractBinding)ais.iterator().next().getAssertion();
- }
-
- return null;
- }
-
- protected boolean isRequestor() {
- return MessageUtils.isRequestor(message);
- }
-
- protected boolean isTokenRequired(IncludeTokenType includeToken) {
- if (includeToken == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
- return false;
- } else if (includeToken == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
- return true;
- } else {
- boolean initiator = MessageUtils.isRequestor(message);
- if (initiator && (includeToken == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
- || includeToken == IncludeTokenType.INCLUDE_TOKEN_ONCE)) {
- return true;
- } else if (!initiator && includeToken == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR) {
- return true;
- }
- return false;
- }
- }
-
- protected Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
-
protected Map<String, Object> getProperties() {
return properties;
}
- protected SoapMessage getMessage() {
- return message;
- }
-
protected void configureSignature(
AbstractTokenWrapper wrapper, AbstractToken token, boolean attached
) throws WSSecurityException {
@@ -703,25 +615,6 @@ public abstract class AbstractStaxBindin
return "IssuerSerial";
}
- protected Wss10 getWss10() {
- AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.WSS10);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- return (Wss10)ai.getAssertion();
- }
- }
-
- ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- return (Wss10)ai.getAssertion();
- }
- }
-
- return null;
- }
-
protected Map<AbstractToken, SecurePart> handleSupportingTokens(
Collection<Assertion> tokens,
boolean signed,
@@ -888,36 +781,6 @@ public abstract class AbstractStaxBindin
}
}
- protected SecurityToken getSecurityToken() {
- SecurityToken st = (SecurityToken)message.getContextualProperty(SecurityConstants.TOKEN);
- if (st == null) {
- String id = (String)message.getContextualProperty(SecurityConstants.TOKEN_ID);
- if (id != null) {
- st = WSS4JUtils.getTokenStore(message).getToken(id);
- }
- }
- if (st != null) {
- WSS4JUtils.getTokenStore(message).add(st);
- return st;
- }
- return null;
- }
-
-
- protected Collection<Assertion> findAndAssertPolicy(QName n) {
- AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
- if (ais != null && !ais.isEmpty()) {
- List<Assertion> p = new ArrayList<Assertion>(ais.size());
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- p.add(ai.getAssertion());
- }
- return p;
- }
- return null;
- }
-
protected void addSupportingTokens() throws Exception {
Collection<Assertion> sgndSuppTokens =
@@ -1184,16 +1047,6 @@ public abstract class AbstractStaxBindin
}
}
- private static String getSHA1(byte[] input) {
- try {
- byte[] digestBytes = WSSecurityUtil.generateDigest(input);
- return Base64.encode(digestBytes);
- } catch (WSSecurityException e) {
- //REVISIT
- }
- return null;
- }
-
protected org.apache.xml.security.stax.securityToken.SecurityToken
findInboundSecurityToken(SecurityEventConstants.Event event) throws XMLSecurityException {
@SuppressWarnings("unchecked")
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1534146&r1=1534145&r2=1534146&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Mon Oct 21 13:32:50 2013
@@ -28,11 +28,11 @@ import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.crypto.dsig.Reference;
+import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import org.w3c.dom.Element;
-
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
@@ -68,7 +68,6 @@ import org.apache.wss4j.policy.model.Alg
import org.apache.wss4j.policy.model.AsymmetricBinding;
import org.apache.wss4j.policy.model.IssuedToken;
import org.apache.wss4j.policy.model.SamlToken;
-
import org.opensaml.common.SAMLVersion;
/**
@@ -102,11 +101,19 @@ public class AsymmetricBindingHandler ex
if (abinding.getProtectionOrder()
== AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
doEncryptBeforeSign();
- policyAsserted(SPConstants.ENCRYPT_BEFORE_SIGNING);
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_BEFORE_SIGNING));
} else {
doSignBeforeEncrypt();
- policyAsserted(SPConstants.SIGN_BEFORE_ENCRYPTING);
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.SIGN_BEFORE_ENCRYPTING));
}
+
+ assertAlgorithmSuite(abinding.getAlgorithmSuite());
+ assertWSSProperties(abinding.getName().getNamespaceURI());
+ assertTrustProperties(abinding.getName().getNamespaceURI());
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
}
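Review bot: `assertPolicy(new QName(..., SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY))` at lines 1116-1117 is unconditional, so the policy is reported as satisfied whether or not the signed parts really cover only whole headers and the body; the same shape appears in the StaxAsymmetric (lines 1253-1254), StaxSymmetric (lines 1306-1307) and Symmetric (lines 1398-1399) hunks. The trailing asserts also run after `doSignBeforeEncrypt()`/`doEncryptBeforeSign()` return, and those methods bail out with `policyNotAsserted(initiatorToken, "Security token is not found or expired"); return;` (line 1121); if the consolidated policyNotAsserted behaves like the StAX copy removed at lines 887-904, an optional token does not throw there, so the AlgorithmSuite, WSS and Trust properties would still be asserted for a message the binding did not protect. Consider having the sign/encrypt methods report success and gating the block on it, or at least adding `// asserted unconditionally: the signed-parts check is assumed to happen elsewhere — TODO confirm`. handleBinding's signature is outside the hunk.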
private void doSignBeforeEncrypt() {
@@ -124,9 +131,9 @@ public class AsymmetricBindingHandler ex
policyNotAsserted(initiatorToken, "Security token is not found or expired");
return;
} else {
- policyAsserted(initiatorToken);
+ assertPolicy(initiatorToken);
- if (includeToken(initiatorToken.getIncludeTokenType())) {
+ if (isTokenRequired(initiatorToken.getIncludeTokenType())) {
Element el = secToken.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
@@ -135,11 +142,11 @@ public class AsymmetricBindingHandler ex
} else if (initiatorToken instanceof SamlToken && isRequestor()) {
SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken)initiatorToken);
if (assertionWrapper != null) {
- if (includeToken(initiatorToken.getIncludeTokenType())) {
+ if (isTokenRequired(initiatorToken.getIncludeTokenType())) {
addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
storeAssertionAsSecurityToken(assertionWrapper);
}
- policyAsserted(initiatorToken);
+ assertPolicy(initiatorToken);
}
} else if (initiatorToken instanceof SamlToken) {
String tokenId = getSAMLToken();
@@ -187,7 +194,8 @@ public class AsymmetricBindingHandler ex
if (sigConfList != null && !sigConfList.isEmpty()) {
enc.addAll(sigConfList);
}
- policyAsserted(SPConstants.ENCRYPT_SIGNATURE);
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
//Do encryption
@@ -244,9 +252,9 @@ public class AsymmetricBindingHandler ex
policyNotAsserted(initiatorToken, "Security token is not found or expired");
return;
} else {
- policyAsserted(initiatorToken);
+ assertPolicy(initiatorToken);
- if (includeToken(initiatorToken.getIncludeTokenType())) {
+ if (isTokenRequired(initiatorToken.getIncludeTokenType())) {
Element el = secToken.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
@@ -256,11 +264,11 @@ public class AsymmetricBindingHandler ex
try {
SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken)initiatorToken);
if (assertionWrapper != null) {
- if (includeToken(initiatorToken.getIncludeTokenType())) {
+ if (isTokenRequired(initiatorToken.getIncludeTokenType())) {
addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
storeAssertionAsSecurityToken(assertionWrapper);
}
- policyAsserted(initiatorToken);
+ assertPolicy(initiatorToken);
}
} catch (Exception e) {
String reason = e.getMessage();
@@ -354,7 +362,8 @@ public class AsymmetricBindingHandler ex
// Check for signature protection
if (abinding.isEncryptSignature()) {
- policyAsserted(SPConstants.ENCRYPT_SIGNATURE);
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
// Now encrypt the signature using the above token
if (mainSigId != null) {
@@ -415,8 +424,8 @@ public class AsymmetricBindingHandler ex
//Do encryption
if (recToken != null && recToken.getToken() != null && encrParts.size() > 0) {
AbstractToken encrToken = recToken.getToken();
- policyAsserted(recToken);
- policyAsserted(encrToken);
+ assertPolicy(recToken);
+ assertPolicy(encrToken);
AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
try {
@@ -556,7 +565,7 @@ public class AsymmetricBindingHandler ex
sigParts.addAll(this.getSignedParts());
if (sigParts.isEmpty()) {
// Add the BST to the security header if required
- if (!attached && includeToken(sigToken.getIncludeTokenType())) {
+ if (!attached && isTokenRequired(sigToken.getIncludeTokenType())) {
WSSecSignature sig = getSignatureBuilder(wrapper, sigToken, attached, false);
sig.prependBSTElementToHeader(secHeader);
}
@@ -581,7 +590,8 @@ public class AsymmetricBindingHandler ex
dkSign.prepare(saaj.getSOAPPart(), secHeader);
if (abinding.isProtectTokens()) {
- policyAsserted(SPConstants.PROTECT_TOKENS);
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
if (bstElement != null) {
WSEncryptionPart bstPart =
new WSEncryptionPart(bstElement.getAttributeNS(WSConstants.WSU_NS, "Id"));
@@ -621,7 +631,8 @@ public class AsymmetricBindingHandler ex
// This action must occur before sig.prependBSTElementToHeader
if (abinding.isProtectTokens()) {
- policyAsserted(SPConstants.PROTECT_TOKENS);
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
if (sig.getBSTTokenId() != null) {
WSEncryptionPart bstPart =
new WSEncryptionPart(sig.getBSTTokenId());
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java?rev=1534146&r1=1534145&r2=1534146&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java Mon Oct 21 13:32:50 2013
@@ -38,6 +38,7 @@ import org.apache.cxf.ws.security.tokens
import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -90,11 +91,20 @@ public class StaxAsymmetricBindingHandle
if (abinding.getProtectionOrder()
== AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
doEncryptBeforeSign();
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_BEFORE_SIGNING));
} else {
doSignBeforeEncrypt();
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.SIGN_BEFORE_ENCRYPTING));
}
configureLayout(aim);
+ assertAlgorithmSuite(abinding.getAlgorithmSuite());
+ assertWSSProperties(abinding.getName().getNamespaceURI());
+ assertTrustProperties(abinding.getName().getNamespaceURI());
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
}
private void doSignBeforeEncrypt() {
@@ -175,6 +185,8 @@ public class StaxAsymmetricBindingHandle
new SecurePart(WSSConstants.TAG_wsse11_SignatureConfirmation, Modifier.Element);
enc.add(securePart);
}
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
//Do encryption
@@ -274,6 +286,8 @@ public class StaxAsymmetricBindingHandle
new SecurePart(WSSConstants.TAG_wsse11_SignatureConfirmation, Modifier.Element);
encrParts.add(securePart);
}
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
doEncryption(wrapper, encrParts, true);
@@ -424,6 +438,11 @@ public class StaxAsymmetricBindingHandle
config.put(ConfigurationConstants.INCLUDE_SIGNATURE_TOKEN, "false");
}
+ if (abinding.isProtectTokens()) {
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
+ }
+
config.put(ConfigurationConstants.SIGNATURE_PARTS, parts);
config.put(ConfigurationConstants.OPTIONAL_SIGNATURE_PARTS, optionalParts);
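Review bot: ProtectTokens is asserted at lines 1276-1279 purely on `abinding.isProtectTokens()`, directly after a branch that sets `INCLUDE_SIGNATURE_TOKEN` to `"false"` (line 1274), so the policy can be recorded as satisfied in a configuration where the signature token is not part of the signature. The StaxSymmetric hunk at lines 1331-1336 has the same shape: the assertion was lifted out of the `(sigToken instanceof X509Token) && isRequestor()` condition, so it now fires even when no EncryptedKey part is appended to `parts`. If the token is protected by another path in those cases a comment naming it would help, e.g. `// token is covered by the signature via INCLUDE_SIGNATURE_TOKEN when not an X509 requestor — TODO confirm`; otherwise the assertion should stay tied to the branch that actually adds the token to the signed parts. The enclosing method starts outside the hunk.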
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java?rev=1534146&r1=1534145&r2=1534146&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java Mon Oct 21 13:32:50 2013
@@ -124,8 +124,12 @@ public class StaxSymmetricBindingHandler
if (sbinding.getProtectionOrder()
== AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
doEncryptBeforeSign();
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_BEFORE_SIGNING));
} else {
doSignBeforeEncrypt();
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.SIGN_BEFORE_ENCRYPTING));
}
if (!isRequestor()) {
@@ -133,6 +137,11 @@ public class StaxSymmetricBindingHandler
}
configureLayout(aim);
+ assertAlgorithmSuite(sbinding.getAlgorithmSuite());
+ assertWSSProperties(sbinding.getName().getNamespaceURI());
+ assertTrustProperties(sbinding.getName().getNamespaceURI());
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
}
private void doEncryptBeforeSign() {
@@ -225,6 +234,8 @@ public class StaxSymmetricBindingHandler
SecurePart part =
new SecurePart(new QName(WSSConstants.NS_DSIG, "Signature"), Modifier.Element);
encrParts.add(part);
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
doEncryption(encryptionWrapper, encrParts, true);
@@ -369,6 +380,8 @@ public class StaxSymmetricBindingHandler
SecurePart part =
new SecurePart(new QName(WSSConstants.NS_DSIG, "Signature"), Modifier.Element);
enc.add(part);
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
//Do encryption
@@ -530,8 +543,12 @@ public class StaxSymmetricBindingHandler
}
AbstractToken sigToken = wrapper.getToken();
- if (sbinding.isProtectTokens() && (sigToken instanceof X509Token) && isRequestor()) {
- parts += "{Element}{" + WSSConstants.NS_XMLENC + "}EncryptedKey;";
+ if (sbinding.isProtectTokens()) {
+ if ((sigToken instanceof X509Token) && isRequestor()) {
+ parts += "{Element}{" + WSSConstants.NS_XMLENC + "}EncryptedKey;";
+ }
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
}
config.put(ConfigurationConstants.SIGNATURE_PARTS, parts);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java?rev=1534146&r1=1534145&r2=1534146&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java Mon Oct 21 13:32:50 2013
@@ -110,6 +110,9 @@ public class StaxTransportBindingHandler
}
configureLayout(aim);
+ assertAlgorithmSuite(tbinding.getAlgorithmSuite());
+ assertWSSProperties(tbinding.getName().getNamespaceURI());
+ assertTrustProperties(tbinding.getName().getNamespaceURI());
}
/**
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1534146&r1=1534145&r2=1534146&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java Mon Oct 21 13:32:50 2013
@@ -26,6 +26,7 @@ import java.util.List;
import java.util.logging.Level;
import javax.xml.crypto.dsig.Reference;
+import javax.xml.namespace.QName;
import javax.xml.soap.SOAPMessage;
import org.w3c.dom.Document;
@@ -60,7 +61,6 @@ import org.apache.wss4j.dom.message.WSSe
import org.apache.wss4j.dom.message.WSSecTimestamp;
import org.apache.wss4j.dom.message.WSSecUsernameToken;
import org.apache.wss4j.dom.message.token.SecurityTokenReference;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -76,7 +76,6 @@ import org.apache.wss4j.policy.model.Spn
import org.apache.wss4j.policy.model.SymmetricBinding;
import org.apache.wss4j.policy.model.UsernameToken;
import org.apache.wss4j.policy.model.X509Token;
-import org.apache.xml.security.utils.Base64;
/**
*
@@ -123,14 +122,19 @@ public class SymmetricBindingHandler ext
if (sbinding.getProtectionOrder()
== AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
doEncryptBeforeSign();
- policyAsserted(SPConstants.ENCRYPT_BEFORE_SIGNING);
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_BEFORE_SIGNING));
} else {
doSignBeforeEncrypt();
- policyAsserted(SPConstants.SIGN_BEFORE_ENCRYPTING);
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.SIGN_BEFORE_ENCRYPTING));
}
- //REVIST - what to do with these policies?
- policyAsserted(SPConstants.TRUST_10);
- policyAsserted(SPConstants.TRUST_13);
+
+ assertAlgorithmSuite(sbinding.getAlgorithmSuite());
+ assertWSSProperties(sbinding.getName().getNamespaceURI());
+ assertTrustProperties(sbinding.getName().getNamespaceURI());
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
}
private void initializeTokens() {
@@ -200,7 +204,7 @@ public class SymmetricBindingHandler ext
boolean attached = false;
- if (includeToken(encryptionToken.getIncludeTokenType())) {
+ if (isTokenRequired(encryptionToken.getIncludeTokenType())) {
Element el = tok.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
@@ -253,7 +257,8 @@ public class SymmetricBindingHandler ext
if (sigConfList != null && !sigConfList.isEmpty()) {
secondEncrParts.addAll(sigConfList);
}
- policyAsserted(SPConstants.ENCRYPT_SIGNATURE);
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
if (isRequestor()) {
@@ -320,7 +325,7 @@ public class SymmetricBindingHandler ext
policyNotAsserted(sigAbstractTokenWrapper, "No signature token id");
return;
} else {
- policyAsserted(sigAbstractTokenWrapper);
+ assertPolicy(sigAbstractTokenWrapper);
}
if (sigTok == null) {
sigTok = tokenStore.getToken(sigTokId);
@@ -330,7 +335,7 @@ public class SymmetricBindingHandler ext
//}
boolean tokIncluded = true;
- if (includeToken(sigToken.getIncludeTokenType())) {
+ if (isTokenRequired(sigToken.getIncludeTokenType())) {
Element el = sigTok.getToken();
sigTokElem = cloneElement(el);
this.addEncryptedKeyElement(sigTokElem);
@@ -388,7 +393,8 @@ public class SymmetricBindingHandler ext
if (sigConfList != null && !sigConfList.isEmpty()) {
enc.addAll(sigConfList);
}
- policyAsserted(SPConstants.ENCRYPT_SIGNATURE);
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
if (isRequestor()) {
@@ -517,8 +523,8 @@ public class SymmetricBindingHandler ext
//Do encryption
if (recToken != null && recToken.getToken() != null && encrParts.size() > 0) {
AbstractToken encrToken = recToken.getToken();
- policyAsserted(recToken);
- policyAsserted(encrToken);
+ assertPolicy(recToken);
+ assertPolicy(encrToken);
AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
return doEncryptionDerived(recToken, encrTok, encrToken,
@@ -631,7 +637,7 @@ public class SymmetricBindingHandler ext
//Check for whether the token is attached in the message or not
boolean attached = false;
- if (includeToken(policyToken.getIncludeTokenType())) {
+ if (isTokenRequired(policyToken.getIncludeTokenType())) {
attached = true;
}
@@ -722,7 +728,8 @@ public class SymmetricBindingHandler ext
}
}
sigs.add(new WSEncryptionPart(sigTokId));
- policyAsserted(SPConstants.PROTECT_TOKENS);
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
}
dkSign.setParts(sigs);
@@ -829,7 +836,8 @@ public class SymmetricBindingHandler ext
if (included && sbinding.isProtectTokens()) {
sigs.add(new WSEncryptionPart(sigTokId));
- policyAsserted(SPConstants.PROTECT_TOKENS);
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
}
sig.setCustomTokenId(sigTokId);
@@ -972,17 +980,6 @@ public class SymmetricBindingHandler ext
return null;
}
- private String getSHA1(byte[] input) {
- try {
- byte[] digestBytes = WSSecurityUtil.generateDigest(input);
- return Base64.encode(digestBytes);
- } catch (WSSecurityException e) {
- LOG.log(Level.FINE, e.getMessage(), e);
- //REVISIT
- }
- return null;
- }
-
private boolean hasSignedPartsOrElements() {
Collection<AssertionInfo> ais = getAllAssertionsByLocalname(SPConstants.SIGNED_PARTS);
if (ais.size() > 0) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1534146&r1=1534145&r2=1534146&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Mon Oct 21 13:32:50 2013
@@ -103,7 +103,7 @@ public class TransportBindingHandler ext
} else if (token instanceof IssuedToken || token instanceof KerberosToken) {
SecurityToken secTok = getSecurityToken();
- if (includeToken(token.getIncludeTokenType())) {
+ if (isTokenRequired(token.getIncludeTokenType())) {
//Add the token
addEncryptedKeyElement(cloneElement(secTok.getToken()));
}
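Review bot: `secTok` is dereferenced on line 1507 without a null check, and `getSecurityToken()` can return null (the StAX copy removed at lines 1028-1041 does so when neither the TOKEN nor the TOKEN_ID contextual property yields a token). The transport-token path in the next hunk handles the same case with `policyNotAsserted(transportToken, "No transport token id"); return;` (line 1510); mirroring that here, e.g. `if (secTok == null) { policyNotAsserted(token, "Security token is not found or expired"); return; }` ahead of the `isTokenRequired` check, would turn an NPE wrapped in a Fault into a proper policy failure. This is pre-existing rather than introduced by the rename, and the enclosing method starts outside the hunk.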
@@ -140,9 +140,9 @@ public class TransportBindingHandler ext
policyNotAsserted(transportToken, "No transport token id");
return;
} else {
- policyAsserted(transportToken);
+ assertPolicy(transportToken);
}
- if (includeToken(transportToken.getIncludeTokenType())) {
+ if (isTokenRequired(transportToken.getIncludeTokenType())) {
Element el = secToken.getToken();
addEncryptedKeyElement(cloneElement(el));
}
@@ -160,6 +160,10 @@ public class TransportBindingHandler ext
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
+
+ assertAlgorithmSuite(tbinding.getAlgorithmSuite());
+ assertWSSProperties(tbinding.getName().getNamespaceURI());
+ assertTrustProperties(tbinding.getName().getNamespaceURI());
}
/**
@@ -387,7 +391,7 @@ public class TransportBindingHandler ext
);
}
- if (includeToken(token.getIncludeTokenType())) {
+ if (isTokenRequired(token.getIncludeTokenType())) {
//Add the token
Element el = cloneElement(secTok.getToken());
//if (securityTok != null) {