Posted to commits@cxf.apache.org by co...@apache.org on 2012/05/14 16:30:38 UTC

svn commit: r1338220 - in /cxf/branches/2.5.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ systests/ws-security/src/test/java/org/apache/cxf/systes...

Author: coheigea
Date: Mon May 14 14:30:37 2012
New Revision: 1338220

URL: http://svn.apache.org/viewvc?rev=1338220&view=rev
Log:
Merged revisions 1338219 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/trunk

........
  r1338219 | coheigea | 2012-05-14 15:27:05 +0100 (Mon, 14 May 2012) | 2 lines

  Improved SupportingToken policy validation

........

Added:
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
      - copied, changed from r1338130, cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
Modified:
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/policy/PolicyAlternativeTest.java
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/client/client.xml
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Mon May 14 14:30:37 2012
@@ -69,6 +69,7 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.BindingPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
@@ -562,9 +563,6 @@ public class PolicyBasedWSS4JInIntercept
             LOG.fine("Incoming request failed supporting token policy validation");
         }
         
-        // The supporting tokens are already validated
-        assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
-        
         // relatively irrelevant stuff from a verification standpoint
         assertPolicy(aim, SP12Constants.LAYOUT);
         assertPolicy(aim, SP12Constants.WSS10);
@@ -703,7 +701,13 @@ public class PolicyBasedWSS4JInIntercept
         
         boolean check = true;
         
-        SupportingTokenPolicyValidator validator = new SignedTokenPolicyValidator();
+        SupportingTokenPolicyValidator validator = new ConcreteSupportingTokenPolicyValidator();
+        validator.setUsernameTokenResults(utResults, utWithCallbacks);
+        validator.setSAMLTokenResults(samlResults);
+        validator.setTimestampElement(timestamp);
+        check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
+        
+        validator = new SignedTokenPolicyValidator();
         validator.setUsernameTokenResults(utResults, utWithCallbacks);
         validator.setSAMLTokenResults(samlResults);
         validator.setTimestampElement(timestamp);
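Review bot: The three `validator.setUsernameTokenResults(...)`, `setSAMLTokenResults(...)` and `setTimestampElement(...)` calls are now copied for every validator this method runs (twice inside this hunk alone), so any new setter has to be added to each copy; a small private helper such as `configure(SupportingTokenPolicyValidator validator)` that performs the three calls would remove the duplication. Because the result is only folded into `check &=`, a failure from ConcreteSupportingTokenPolicyValidator does not stop the SignedTokenPolicyValidator that follows from running — reasonable if the intent is to collect every assertion failure, but a one-line comment saying so would help the next reader. The enclosing method starts and ends outside the hunk.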

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java Mon May 14 14:30:37 2012
@@ -23,14 +23,30 @@ import java.security.cert.X509Certificat
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 import javax.xml.namespace.QName;
+import javax.xml.soap.SOAPException;
+import javax.xml.soap.SOAPMessage;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
 
 import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.helpers.MapNamespaceContext;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
+import org.apache.cxf.ws.security.policy.model.Header;
+import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
+import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDataRef;
 import org.apache.ws.security.WSSecurityEngine;
@@ -48,6 +64,8 @@ import org.apache.ws.security.saml.ext.A
 public abstract class AbstractSupportingTokenPolicyValidator 
     extends AbstractTokenPolicyValidator implements SupportingTokenPolicyValidator {
     
+    private static final Logger LOG = LogUtils.getL7dLogger(AbstractSupportingTokenPolicyValidator.class);
+    
     private Message message;
     private List<WSSecurityEngineResult> results;
     private List<WSSecurityEngineResult> signedResults;
@@ -59,7 +77,11 @@ public abstract class AbstractSupporting
     private boolean signed;
     private boolean encrypted;
     private boolean derived;
-    private boolean endorsed;
+    private boolean endorsed; 
+    private SignedEncryptedElements signedElements;
+    private SignedEncryptedElements encryptedElements;
+    private SignedEncryptedParts signedParts;
+    private SignedEncryptedParts encryptedParts;
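Review bot: The four new policy fields carry no comment on what a null value means, although validateSignedEncryptedParts and validateSignedEncryptedElements treat null as "no requirement" and return true. A comment above them such as `// null when the SupportingToken assertion declares no such policy; the corresponding check then passes` would put that contract next to the declarations. The modified `private boolean endorsed; ` line only adds trailing whitespace and can be dropped from the change.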
 
     /**
      * Set the list of UsernameToken results
@@ -130,7 +152,7 @@ public abstract class AbstractSupporting
         tokenResults.addAll(utResults);
         List<WSSecurityEngineResult> dktResults = new ArrayList<WSSecurityEngineResult>();
         for (WSSecurityEngineResult wser : utResults) {
-            if (endorsed && derived) {
+            if (derived) {
                 byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                 WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
                 if (dktResult != null) {
@@ -150,9 +172,10 @@ public abstract class AbstractSupporting
             return false;
         }
         tokenResults.addAll(dktResults);
-        if (endorsed && !checkEndorsed(tokenResults)) {
+        if ((endorsed && !checkEndorsed(tokenResults)) || !validateSignedEncryptedPolicies(tokenResults)) {
             return false;
         }
+        
         return true;
     }
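Review bot: The combined condition `if ((endorsed && !checkEndorsed(tokenResults)) || !validateSignedEncryptedPolicies(tokenResults))` is the only one of the five call sites in this file written as a single expression; the SAML, Kerberos, X509 and SCT variants each add a separate `if (!validateSignedEncryptedPolicies(tokenResults)) { return false; }` block. Splitting this one the same way keeps the five paths uniform and spares the reader from working out the operator precedence. The enclosing method starts outside the hunk.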
     
@@ -174,6 +197,11 @@ public abstract class AbstractSupporting
         if (endorsed && !checkEndorsed(samlResults)) {
             return false;
         }
+        
+        if (!validateSignedEncryptedPolicies(samlResults)) {
+            return false;
+        }
+        
         return true;
     }
     
@@ -190,7 +218,7 @@ public abstract class AbstractSupporting
                 BinarySecurity binarySecurity = 
                     (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                 if (binarySecurity instanceof KerberosSecurity) {
-                    if (endorsed && derived) {
+                    if (derived) {
                         byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                         WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
                         if (dktResult != null) {
@@ -216,6 +244,11 @@ public abstract class AbstractSupporting
         if (endorsed && !checkEndorsed(tokenResults)) {
             return false;
         }
+        
+        if (!validateSignedEncryptedPolicies(tokenResults)) {
+            return false;
+        }
+        
         return true;
     }
     
@@ -233,7 +266,7 @@ public abstract class AbstractSupporting
                     (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                 if (binarySecurity instanceof X509Security
                     || binarySecurity instanceof PKIPathSecurity) {
-                    if (endorsed && derived) {
+                    if (derived) {
                         WSSecurityEngineResult resultToStore = processX509DerivedTokenResult(wser);
                         if (resultToStore != null) {
                             dktResults.add(resultToStore);
@@ -258,6 +291,35 @@ public abstract class AbstractSupporting
         if (endorsed && !checkEndorsed(tokenResults)) {
             return false;
         }
+        
+        if (!validateSignedEncryptedPolicies(tokenResults)) {
+            return false;
+        }
+        
+        return true;
+    }
+    
+    /**
+     * Validate (SignedParts|SignedElements|EncryptedParts|EncryptedElements) policies of this
+     * SupportingToken.
+     */
+    private boolean validateSignedEncryptedPolicies(List<WSSecurityEngineResult> tokenResults) {
+        if (!validateSignedEncryptedParts(signedParts, false, signedResults, tokenResults)) {
+            return false;
+        }
+        
+        if (!validateSignedEncryptedParts(encryptedParts, true, encryptedResults, tokenResults)) {
+            return false;
+        }
+        
+        if (!validateSignedEncryptedElements(signedElements, false, signedResults, tokenResults)) {
+            return false;
+        }
+        
+        if (!validateSignedEncryptedElements(encryptedElements, false, encryptedResults, tokenResults)) {
+            return false;
+        }
+        
         return true;
     }
     
@@ -271,7 +333,7 @@ public abstract class AbstractSupporting
         for (WSSecurityEngineResult wser : results) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.SCT) {
-                if (endorsed && derived) {
+                if (derived) {
                     byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                     WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
                     if (dktResult != null) {
@@ -296,6 +358,11 @@ public abstract class AbstractSupporting
         if (endorsed && !checkEndorsed(tokenResults)) {
             return false;
         }
+        
+        if (!validateSignedEncryptedPolicies(tokenResults)) {
+            return false;
+        }
+        
         return true;
     }
     
@@ -417,7 +484,7 @@ public abstract class AbstractSupporting
             if (sl != null) {
                 for (WSDataRef dataRef : sl) {
                     if (timestamp == dataRef.getProtectedElement()
-                        && checkSignature(signedResult, tokenResults)) {
+                        && checkSignatureOrEncryptionResult(signedResult, tokenResults)) {
                         return true;
                     }
                 }
@@ -441,7 +508,7 @@ public abstract class AbstractSupporting
                 for (WSDataRef dataRef : sl) {
                     QName signedQName = dataRef.getName();
                     if (WSSecurityEngine.SIGNATURE.equals(signedQName)
-                        && checkSignature(signedResult, tokenResults)) {
+                        && checkSignatureOrEncryptionResult(signedResult, tokenResults)) {
                         return true;
                     }
                 }
@@ -451,20 +518,20 @@ public abstract class AbstractSupporting
     }
     
     /**
-     * Check that a WSSecurityEngineResult corresponding to a signature uses the same 
-     * signing credential as one of the tokens.
-     * @param signatureResult a WSSecurityEngineResult corresponding to a signature
+     * Check that a WSSecurityEngineResult corresponding to a signature or encryption uses the same 
+     * signing/encrypting credential as one of the tokens.
+     * @param signatureResult a WSSecurityEngineResult corresponding to a signature or encryption
      * @param tokenResult A list of WSSecurityEngineResults corresponding to tokens
      * @return 
      */
-    private boolean checkSignature(
-        WSSecurityEngineResult signatureResult,
+    private boolean checkSignatureOrEncryptionResult(
+        WSSecurityEngineResult result,
         List<WSSecurityEngineResult> tokenResult
     ) {
-        // See what was used to sign this result
+        // See what was used to sign/encrypt this result
         X509Certificate cert = 
-            (X509Certificate)signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
-        byte[] secret = (byte[])signatureResult.get(WSSecurityEngineResult.TAG_SECRET);
+            (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+        byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
         
         // Now see if the same credential exists in the tokenResult list
         for (WSSecurityEngineResult token : tokenResult) {
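Review bot: The Javadoc of the renamed checkSignatureOrEncryptionResult still documents `@param signatureResult`, but the parameter is now `result`, and the `@return` tag is left empty. Suggest `@param result a WSSecurityEngineResult corresponding to a signature or encryption` and `@return true if the certificate or secret of {@code result} matches one of the token results, false otherwise`; the matching loop continues outside the hunk, so confirm the wording against it.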
@@ -510,6 +577,165 @@ public abstract class AbstractSupporting
     }
     
     /**
+     * Validate the SignedParts or EncryptedParts policies
+     */
+    private boolean validateSignedEncryptedParts(
+        SignedEncryptedParts parts,
+        boolean content,
+        List<WSSecurityEngineResult> protResults,
+        List<WSSecurityEngineResult> tokenResults
+    ) {
+        if (parts == null) {
+            return true;
+        }
+        
+        if (parts.isBody()) {
+            SOAPMessage soapMessage = message.getContent(SOAPMessage.class);
+            Element soapBody = null;
+            try {
+                soapBody = soapMessage.getSOAPBody();
+            } catch (SOAPException ex) {
+                LOG.log(Level.FINE, ex.getMessage(), ex);
+                return false;
+            }
+            
+            if (!checkProtectionResult(soapBody, content, protResults, tokenResults)) {
+                return false;
+            }
+        }
+        
+        for (Header h : parts.getHeaders()) {
+            SOAPMessage soapMessage = message.getContent(SOAPMessage.class);
+            Element soapHeader = null;
+            try {
+                soapHeader = soapMessage.getSOAPHeader();
+            } catch (SOAPException ex) {
+                LOG.log(Level.FINE, ex.getMessage(), ex);
+                return false;
+            }
+            
+            final List<Element> elements;
+            if (h.getName() == null) {
+                elements = DOMUtils.getChildrenWithNamespace(soapHeader, h.getNamespace());
+            } else {
+                elements = DOMUtils.getChildrenWithName(soapHeader, h.getNamespace(), h.getName());
+            }
+            
+            for (Element el : elements) {
+                if (!checkProtectionResult(el, false, protResults, tokenResults)) {
+                    return false;
+                }
+            }
+        }
+        
+        return true;
+    }
+    
+    /**
+     * Check that an Element is signed or encrypted by one of the token results
+     */
+    private boolean checkProtectionResult(
+        Element elementToProtect,
+        boolean content,
+        List<WSSecurityEngineResult> protResults,
+        List<WSSecurityEngineResult> tokenResults
+    ) {
+        for (WSSecurityEngineResult result : protResults) {
+            List<WSDataRef> dataRefs = 
+                CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+            if (dataRefs != null) {
+                for (WSDataRef dataRef : dataRefs) {
+                    if (elementToProtect == dataRef.getProtectedElement()
+                        && content == dataRef.isContent()
+                        && checkSignatureOrEncryptionResult(result, tokenResults)) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+    
+    /**
+     * Validate SignedElements or EncryptedElements policies
+     */
+    private boolean validateSignedEncryptedElements(
+        SignedEncryptedElements elements,
+        boolean content,
+        List<WSSecurityEngineResult> protResults,
+        List<WSSecurityEngineResult> tokenResults
+    ) {
+        if (elements == null) {
+            return true;
+        }
+        
+        Map<String, String> namespaces = elements.getDeclaredNamespaces();
+        List<String> xpaths = elements.getXPathExpressions();
+        
+        if (xpaths != null) {
+            SOAPMessage soapMessage = message.getContent(SOAPMessage.class);
+            Element soapEnvelope = soapMessage.getSOAPPart().getDocumentElement();
+            
+            for (String xPath : xpaths) {
+                if (!checkXPathResult(soapEnvelope, xPath, namespaces, protResults, tokenResults)) {
+                    return false;
+                }
+            }
+        }
+        
+        return true;
+    }
+    
+    /**
+     * Check a particular XPath result
+     */
+    private boolean checkXPathResult(
+        Element soapEnvelope,
+        String xPath,
+        Map<String, String> namespaces,
+        List<WSSecurityEngineResult> protResults,
+        List<WSSecurityEngineResult> tokenResults
+    ) {
+        // XPathFactory and XPath are not thread-safe so we must recreate them
+        // each request.
+        final XPathFactory factory = XPathFactory.newInstance();
+        final XPath xpath = factory.newXPath();
+        
+        if (namespaces != null) {
+            xpath.setNamespaceContext(new MapNamespaceContext(namespaces));
+        }
+        
+        // For each XPath
+        for (String xpathString : Arrays.asList(xPath)) {
+            // Get the matching nodes
+            NodeList list;
+            try {
+                list = (NodeList)xpath.evaluate(
+                        xpathString, 
+                        soapEnvelope,
+                        XPathConstants.NODESET);
+            } catch (XPathExpressionException e) {
+                LOG.log(Level.FINE, e.getMessage(), e);
+                return false;
+            }
+            
+            // If we found nodes then we need to do the check.
+            if (list.getLength() != 0) {
+                // For each matching element, check for a ref that
+                // covers it.
+                for (int x = 0; x < list.getLength(); x++) {
+                    final Element el = (Element)list.item(x);
+                    
+                    if (!checkProtectionResult(el, false, protResults, tokenResults)) {
+                        return false;
+                    }
+                }
+            }
+        }
+        return true;
+    }
+    
+    /**
      * Return true if a token was signed, false otherwise.
      */
     private boolean isTokenSigned(Element token) {
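Review bot: `final Element el = (Element)list.item(x);` in checkXPathResult assumes every node the policy XPath selects is an element; an expression that selects an attribute or text node would throw ClassCastException out of validatePolicy instead of failing the check, so guard it with `if (!(list.item(x) instanceof Element)) { return false; }` before the cast (or skip such nodes, whichever the policy semantics intend). The `list.getLength() != 0` branch means an XPath that matches nothing is treated as satisfied, which is worth stating in the method Javadoc, e.g. `Returns true when the expression selects no nodes; only nodes present in the message must be covered.` In validateSignedEncryptedElements the `content` parameter is never read (checkXPathResult always passes `false` to checkProtectionResult) and `for (String xpathString : Arrays.asList(xPath))` iterates a single-element list, so both can be simplified; note too that the earlier validateSignedEncryptedPolicies hunk passes `false` for encryptedElements where encryptedParts gets `true`, harmless only because the flag is ignored but it reads like a copy-paste slip. validateSignedEncryptedParts and validateSignedEncryptedElements also dereference `message.getContent(SOAPMessage.class)` without a null check; presumably the interceptor guarantees a SAAJ message at this point, but a short comment saying so would make the assumption explicit.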
@@ -543,5 +769,33 @@ public abstract class AbstractSupporting
         }
         return false;
     }
+
+    public void setUtResults(List<WSSecurityEngineResult> utResults) {
+        this.utResults = utResults;
+    }
+
+    public void setValidateUsernameToken(boolean validateUsernameToken) {
+        this.validateUsernameToken = validateUsernameToken;
+    }
+
+    public void setTimestamp(Element timestamp) {
+        this.timestamp = timestamp;
+    }
+
+    public void setSignedElements(SignedEncryptedElements signedElements) {
+        this.signedElements = signedElements;
+    }
+
+    public void setEncryptedElements(SignedEncryptedElements encryptedElements) {
+        this.encryptedElements = encryptedElements;
+    }
+
+    public void setSignedParts(SignedEncryptedParts signedParts) {
+        this.signedParts = signedParts;
+    }
+
+    public void setEncryptedParts(SignedEncryptedParts encryptedParts) {
+        this.encryptedParts = encryptedParts;
+    }
     
 }
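Review bot: `setUtResults` and `setTimestamp` duplicate the existing `setUsernameTokenResults(utResults, utWithCallbacks)` and `setTimestampElement(timestamp)` that PolicyBasedWSS4JInInterceptor still calls, so the class now exposes two public ways to set the same state, and the new ones carry no Javadoc. If the new validator does not need them they should be removed; otherwise document which one callers are expected to use, since `setUtResults` leaves `validateUsernameToken` untouched whereas the two-argument setter presumably derives it from `utWithCallbacks`. The four SignedParts/EncryptedParts/SignedElements/EncryptedElements setters would benefit from a one-line Javadoc noting that passing null disables the corresponding check.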

Copied: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java (from r1338130, cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java)
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java?p2=cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java&p1=cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java&r1=1338130&r2=1338220&rev=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java Mon May 14 14:30:37 2012
@@ -38,12 +38,12 @@ import org.apache.cxf.ws.security.policy
 import org.apache.ws.security.WSSecurityEngineResult;
 
 /**
- * Validate SignedSupportingToken policies.
+ * Validate SupportingToken policies.
  */
-public class SignedTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
+public class ConcreteSupportingTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
     
-    public SignedTokenPolicyValidator() {
-        setSigned(true);
+    public ConcreteSupportingTokenPolicyValidator() {
+        setSigned(false);
     }
     
     public boolean validatePolicy(
@@ -53,7 +53,7 @@ public class SignedTokenPolicyValidator 
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.SUPPORTING_TOKENS);
         if (ais == null || ais.isEmpty()) {                       
             return true;
         }
@@ -65,11 +65,16 @@ public class SignedTokenPolicyValidator 
         
         for (AssertionInfo ai : ais) {
             SupportingToken binding = (SupportingToken)ai.getAssertion();
-            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED != binding.getTokenType()) {
+            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SUPPORTING != binding.getTokenType()) {
                 continue;
             }
             ai.setAsserted(true);
             
+            setSignedParts(binding.getSignedParts());
+            setEncryptedParts(binding.getEncryptedParts());
+            setSignedElements(binding.getSignedElements());
+            setEncryptedElements(binding.getEncryptedElements());
+            
             List<Token> tokens = binding.getTokens();
             for (Token token : tokens) {
                 if (!isTokenRequired(token, message)) {
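Review bot: The block `setSignedParts(binding.getSignedParts()); setEncryptedParts(binding.getEncryptedParts()); setSignedElements(binding.getSignedElements()); setEncryptedElements(binding.getEncryptedElements());` is repeated verbatim here and in EncryptedTokenPolicyValidator, EndorsingEncryptedTokenPolicyValidator, EndorsingTokenPolicyValidator, SignedEncryptedTokenPolicyValidator, SignedEndorsingEncryptedTokenPolicyValidator and SignedEndorsingTokenPolicyValidator. A single protected helper on AbstractSupportingTokenPolicyValidator, e.g. `protected void setSignedEncryptedPolicies(SupportingToken binding)`, would keep the seven validators from drifting when a further policy field is added. Setting the fields per AssertionInfo inside the loop is right, but since they persist on the validator instance a comment that every iteration overwrites all four (so no value from a previous assertion can leak into the next) would remove the doubt. The enclosing validatePolicy continues outside the hunk.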
@@ -103,7 +108,7 @@ public class SignedTokenPolicyValidator 
                 
                 if (processingFailed) {
                     ai.setNotAsserted(
-                        "The received token does not match the signed supporting token requirement"
+                        "The received token does not match the supporting token requirement"
                     );
                     return false;
                 }

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java Mon May 14 14:30:37 2012
@@ -69,6 +69,11 @@ public class EncryptedTokenPolicyValidat
                 continue;
             }
             ai.setAsserted(true);
+            
+            setSignedParts(binding.getSignedParts());
+            setEncryptedParts(binding.getEncryptedParts());
+            setSignedElements(binding.getSignedElements());
+            setEncryptedElements(binding.getEncryptedElements());
 
             List<Token> tokens = binding.getTokens();
             for (Token token : tokens) {

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java Mon May 14 14:30:37 2012
@@ -71,6 +71,11 @@ public class EndorsingEncryptedTokenPoli
                 continue;
             }
             ai.setAsserted(true);
+            
+            setSignedParts(binding.getSignedParts());
+            setEncryptedParts(binding.getEncryptedParts());
+            setSignedElements(binding.getSignedElements());
+            setEncryptedElements(binding.getEncryptedElements());
 
             List<Token> tokens = binding.getTokens();
             for (Token token : tokens) {

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java Mon May 14 14:30:37 2012
@@ -70,7 +70,12 @@ public class EndorsingTokenPolicyValidat
                 continue;
             }
             ai.setAsserted(true);
-
+            
+            setSignedParts(binding.getSignedParts());
+            setEncryptedParts(binding.getEncryptedParts());
+            setSignedElements(binding.getSignedElements());
+            setEncryptedElements(binding.getEncryptedElements());
+            
             List<Token> tokens = binding.getTokens();
             for (Token token : tokens) {
                 if (!isTokenRequired(token, message)) {

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java Mon May 14 14:30:37 2012
@@ -70,6 +70,11 @@ public class SignedEncryptedTokenPolicyV
                 continue;
             }
             ai.setAsserted(true);
+            
+            setSignedParts(binding.getSignedParts());
+            setEncryptedParts(binding.getEncryptedParts());
+            setSignedElements(binding.getSignedElements());
+            setEncryptedElements(binding.getEncryptedElements());
 
             List<Token> tokens = binding.getTokens();
             for (Token token : tokens) {

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java Mon May 14 14:30:37 2012
@@ -72,6 +72,11 @@ public class SignedEndorsingEncryptedTok
                 continue;
             }
             ai.setAsserted(true);
+            
+            setSignedParts(binding.getSignedParts());
+            setEncryptedParts(binding.getEncryptedParts());
+            setSignedElements(binding.getSignedElements());
+            setEncryptedElements(binding.getEncryptedElements());
 
             List<Token> tokens = binding.getTokens();
             for (Token token : tokens) {

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java Mon May 14 14:30:37 2012
@@ -70,6 +70,11 @@ public class SignedEndorsingTokenPolicyV
                 continue;
             }
             ai.setAsserted(true);
+            
+            setSignedParts(binding.getSignedParts());
+            setEncryptedParts(binding.getEncryptedParts());
+            setSignedElements(binding.getSignedElements());
+            setEncryptedElements(binding.getEncryptedElements());
 
             List<Token> tokens = binding.getTokens();
             for (Token token : tokens) {

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java Mon May 14 14:30:37 2012
@@ -70,6 +70,11 @@ public class SignedTokenPolicyValidator 
             }
             ai.setAsserted(true);
             
+            setSignedParts(binding.getSignedParts());
+            setEncryptedParts(binding.getEncryptedParts());
+            setSignedElements(binding.getSignedElements());
+            setEncryptedElements(binding.getEncryptedElements());
+            
             List<Token> tokens = binding.getTokens();
             for (Token token : tokens) {
                 if (!isTokenRequired(token, message)) {

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/policy/PolicyAlternativeTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/policy/PolicyAlternativeTest.java?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/policy/PolicyAlternativeTest.java (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/policy/PolicyAlternativeTest.java Mon May 14 14:30:37 2012
@@ -79,7 +79,7 @@ public class PolicyAlternativeTest exten
         QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricPort");
         DoubleItPortType utPort = 
                 service.getPort(portQName, DoubleItPortType.class);
-        updateAddressPort(utPort, PORT2);
+        updateAddressPort(utPort, PORT);
         
         utPort.doubleIt(25);
         
@@ -104,7 +104,7 @@ public class PolicyAlternativeTest exten
         QName portQName = new QName(NAMESPACE, "DoubleItNoSecurityPort");
         DoubleItPortType utPort = 
                 service.getPort(portQName, DoubleItPortType.class);
-        updateAddressPort(utPort, PORT2);
+        updateAddressPort(utPort, PORT);
         
         try {
             utPort.doubleIt(25);
@@ -134,11 +134,70 @@ public class PolicyAlternativeTest exten
         QName portQName = new QName(NAMESPACE, "DoubleItUsernameTokenPort");
         DoubleItPortType utPort = 
                 service.getPort(portQName, DoubleItPortType.class);
-        updateAddressPort(utPort, PORT2);
+        updateAddressPort(utPort, PORT);
         
         utPort.doubleIt(25);
         
         bus.shutdown(true);
     }
     
+    /**
+     * The client uses a Transport binding policy with a Endorsing Supporting X509 Token. The client does
+     * not sign part of the WSA header though and so the invocation should fail.
+     */
+    @org.junit.Test
+    public void testTransportSupportingSigned() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = PolicyAlternativeTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = PolicyAlternativeTest.class.getResource("DoubleItPolicy.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSupportingSignedPort");
+        DoubleItPortType transportPort = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportPort, PORT2);
+
+        try {
+            transportPort.doubleIt(25);
+            fail("Failure expected on not signing a wsa header");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            // expected
+        }
+    }
+    
+    /**
+     * The client uses a Transport binding policy with a Endorsing Supporting X509 Token as well as a 
+     * Signed Endorsing UsernameToken. Here the client is trying to trick the Service Provider as 
+     * the UsernameToken signs the wsa:To Header, not the X.509 Token.
+     */
+    @org.junit.Test
+    public void testTransportUTSupportingSigned() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = PolicyAlternativeTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = PolicyAlternativeTest.class.getResource("DoubleItPolicy.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportUTSupportingSignedPort");
+        DoubleItPortType transportPort = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportPort, PORT2);
+
+        try {
+            transportPort.doubleIt(25);
+            fail("Failure expected on not signing a wsa header");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            // expected
+        }
+    }
+    
 }
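Review bot: Both new tests treat any `javax.xml.ws.soap.SOAPFaultException` as the expected policy failure, so a TLS handshake problem or a wrong address on the new https port would also make them pass without the SupportingToken check ever running; the catch block should inspect the fault, e.g. `assertTrue(ex.getMessage(), ex.getMessage().contains("<expected policy-violation text>"));` with the text taken from the validator's fault message. Unlike the sibling test just above (`bus.shutdown(true);` before its closing brace), neither new test shuts down the bus it created and installed as default and thread-default, which leaks that bus into later tests in the class; add `bus.shutdown(true);` after the try/catch in both. Both Javadocs say "a Endorsing" where "an Endorsing" is meant.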

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java Mon May 14 14:30:37 2012
@@ -466,6 +466,28 @@ public class X509TokenTest extends Abstr
         bus.shutdown(true);
     }
     
+    @org.junit.Test
+    public void testTransportSupportingSigned() throws Exception {
+        if (!unrestrictedPoliciesInstalled) {
+            return;
+        }
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSupportingSignedPort");
+        DoubleItPortType x509Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(x509Port, PORT2);
+        x509Port.doubleIt(25);
+    }
+    
     private boolean checkUnrestrictedPoliciesInstalled() {
         try {
             byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
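Review bot: testTransportSupportingSigned discards the result of `x509Port.doubleIt(25)`, so it only shows the call did not throw; asserting the return value (`assertEquals(50, x509Port.doubleIt(25));`, if 50 is what the other DoubleIt tests expect) would pin that the request was actually processed under the new policy. It also omits the `bus.shutdown(true)` that the preceding test ends with at the top of the hunk, leaving its bus as the thread default for the rest of the class. The last lines of the hunk are the start of checkUnrestrictedPoliciesInstalled, which continues outside it.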

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl Mon May 14 14:30:37 2012
@@ -57,6 +57,12 @@
         <wsdl:port name="DoubleItNoSecurityPort" binding="tns:DoubleItInlinePolicyBinding">
             <soap:address location="http://localhost:9010/DoubleItNoSecurity" />
         </wsdl:port>
+        <wsdl:port name="DoubleItTransportSupportingSignedPort" binding="tns:DoubleItInlinePolicyBinding">
+            <soap:address location="https://localhost:9011/DoubleItTransportSupportingSigned" />
+        </wsdl:port>
+        <wsdl:port name="DoubleItTransportUTSupportingSignedPort" binding="tns:DoubleItInlinePolicyBinding">
+            <soap:address location="https://localhost:9011/DoubleItTransportUTSupportingSigned" />
+        </wsdl:port>
     </wsdl:service>
 
 </wsdl:definitions>

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/client/client.xml?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/client/client.xml (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/client/client.xml Mon May 14 14:30:37 2012
@@ -98,8 +98,51 @@
         </jaxws:features>
     </jaxws:client>
     
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSupportingSignedPort" 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+           <entry key="ws-security.signature.username" value="alice"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+       </jaxws:properties>
+       <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
+                                     URI="#DoubleItTransportSupportingSignedPolicy" />
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
+    
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportUTSupportingSignedPort" 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.username" value="alice"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+           <entry key="ws-security.signature.username" value="alice"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+       </jaxws:properties>
+       <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
+                                     URI="#DoubleItTransportUTSupportingSignedPolicy" />
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
+    
+    <http:conduit name="https://localhost:.*">
+        <http:tlsClientParameters disableCNCheck="true">
+            <sec:trustManagers>
+                <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
+            </sec:trustManagers>
+        </http:tlsClientParameters>
+    </http:conduit>  
+    
 	
-	<wsp:Policy wsu:Id="UsernameToken"
+    <wsp:Policy wsu:Id="UsernameToken"
         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
         xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
         <wsp:ExactlyOne>
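Review bot: The new `http:conduit` sets `disableCNCheck="true"` for every `https://localhost:.*` conduit, which switches off hostname verification against the server certificate; that is acceptable for a localhost test harness whose server key (Bethal.jks in server.xml) is presumably not issued for "localhost", but nothing in the block says so and these files are routinely copied as configuration examples. A one-line comment such as `<!-- test-only: hostname (CN) check disabled because the test server certificate is not issued for localhost -->` above the conduit would keep it from being lifted into a real client configuration unchanged. The cleartext trust-store password in the same element is likewise only tolerable because this is a test resource.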
@@ -164,4 +207,107 @@
         </wsp:ExactlyOne>
     </wsp:Policy>
     
+    <wsp:Policy wsu:Id="DoubleItTransportSupportingSignedPolicy"
+        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+        xmlns:wsp="http://www.w3.org/ns/ws-policy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
+                <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <sp:TransportToken>
+                            <wsp:Policy>
+                                <sp:HttpsToken>
+                                    <wsp:Policy/>
+                                </sp:HttpsToken>
+                            </wsp:Policy>
+                        </sp:TransportToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:TransportBinding>
+                <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                   <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                        <sp:SignedParts>
+                            <sp:Body/>
+                            <!-- <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/> -->
+                        </sp:SignedParts>
+                    </wsp:Policy>
+                </sp:EndorsingSupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
+    
+    <wsp:Policy wsu:Id="DoubleItTransportUTSupportingSignedPolicy"
+        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+        xmlns:wsp="http://www.w3.org/ns/ws-policy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
+                <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <sp:TransportToken>
+                            <wsp:Policy>
+                                <sp:HttpsToken>
+                                    <wsp:Policy/>
+                                </sp:HttpsToken>
+                            </wsp:Policy>
+                        </sp:TransportToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:TransportBinding>
+                <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  >
+                   <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                        <sp:SignedParts>
+                            <sp:Body/>
+                        </sp:SignedParts>
+                    </wsp:Policy>
+                </sp:EndorsingSupportingTokens>
+                <sp:SignedEndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                   <wsp:Policy>
+                        <sp:UsernameToken
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                           <wsp:Policy/>
+                        </sp:UsernameToken>
+                        <sp:SignedParts>
+                            <sp:Body/>
+                            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
+                        </sp:SignedParts>
+                    </wsp:Policy>
+                </sp:SignedEndorsingSupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
+    
 </beans>

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml Mon May 14 14:30:37 2012
@@ -44,8 +44,32 @@
         </cxf:features>
     </cxf:bus>
     
+    <!-- -->
+    <!-- Any services listening on port 9009 must use the following -->
+    <!-- Transport Layer Security (TLS) settings -->
+    <!-- -->
+    <httpj:engine-factory id="tls-settings">
+        <httpj:engine port="${testutil.ports.Server.2}">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+                    <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/>
+                </sec:keyManagers>
+                <sec:cipherSuitesFilter>
+                    <sec:include>.*_EXPORT_.*</sec:include>
+                    <sec:include>.*_EXPORT1024_.*</sec:include>
+                    <sec:include>.*_WITH_DES_.*</sec:include>
+                    <sec:include>.*_WITH_AES_.*</sec:include>
+                    <sec:include>.*_WITH_NULL_.*</sec:include>
+                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
+                </sec:cipherSuitesFilter>
+                <sec:clientAuthentication want="true" required="false"/>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    
+    
 	<jaxws:endpoint id="AsymmetricEndpoint"
-		address="http://localhost:${testutil.ports.Server.2}/DoubleItAsymmetric"
+		address="http://localhost:${testutil.ports.Server}/DoubleItAsymmetric"
 		serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricPort"
 		xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
 		wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl">
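Review bot: The `cipherSuitesFilter` of the new `tls-settings` engine includes `.*_WITH_NULL_.*`, `.*_EXPORT_.*` and `.*_WITH_DES_.*`, so the HTTPS endpoints meant to satisfy `sp:HttpsToken` can negotiate a NULL-encryption or export-grade suite if the JVM offers one, which makes the TransportBinding in these tests weaker than it looks; keeping only `<sec:include>.*_WITH_AES_.*</sec:include>` (plus the existing `DH_anon` exclude) would be enough for the test and keep the binding meaningful. The comment above the engine says "port 9009" while the engine is bound to `${testutil.ports.Server.2}`, so it should name the property or drop the literal number. The `jaxws:endpoint` opened at the end of the hunk continues outside it.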
@@ -68,7 +92,7 @@
 	</jaxws:endpoint>
 
     <jaxws:endpoint id="NoSecurityEndpoint"
-        address="http://localhost:${testutil.ports.Server.2}/DoubleItNoSecurity"
+        address="http://localhost:${testutil.ports.Server}/DoubleItNoSecurity"
         serviceName="s:DoubleItService" endpointName="s:DoubleItNoSecurityPort"
         xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
         wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl">
@@ -91,7 +115,7 @@
     </jaxws:endpoint>
     
     <jaxws:endpoint id="UsernameTokenEndpoint"
-        address="http://localhost:${testutil.ports.Server.2}/DoubleItUsernameToken"
+        address="http://localhost:${testutil.ports.Server}/DoubleItUsernameToken"
         serviceName="s:DoubleItService" endpointName="s:DoubleItUsernameTokenPort"
         xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
         wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl">
@@ -112,6 +136,54 @@
         </jaxws:features>
 
     </jaxws:endpoint>
+    
+    <jaxws:endpoint 
+       id="TransportSupportingSigned"
+       address="https://localhost:${testutil.ports.Server.2}/DoubleItTransportSupportingSigned" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItTransportSupportingSignedPort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+          <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+       </jaxws:properties> 
+       <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
+                                     URI="#DoubleItTransportSupportingSignedPolicy" />
+            </p:policies>
+        </jaxws:features>
+     
+    </jaxws:endpoint> 
+    
+    <jaxws:endpoint 
+       id="TransportUTSupportingSigned"
+       address="https://localhost:${testutil.ports.Server.2}/DoubleItTransportUTSupportingSigned" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItTransportUTSupportingSignedPort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+          <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+          <entry key="ws-security.callback-handler"
+                value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
+       </jaxws:properties> 
+       <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
+                                     URI="#DoubleItTransportSupportingSignedPolicy" />
+            </p:policies>
+        </jaxws:features>
+     
+    </jaxws:endpoint> 
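Review bot: The `TransportUTSupportingSigned` endpoint references `#DoubleItTransportSupportingSignedPolicy`, the same policy as the endpoint above it, rather than a policy that includes the UsernameToken the matching client in client.xml sends under `DoubleItTransportUTSupportingSignedPolicy`; if that is deliberate — the server must insist that the X.509 endorsing token itself signs wsa:To and must not accept the UsernameToken's signature over that header as a substitute — a comment on the PolicyReference such as `<!-- intentionally the X509-only policy: the client's UsernameToken signature over wsa:To must not satisfy it -->` would stop the next reader from "correcting" it. The `UTPasswordCallback` entry is then only exercised if the inbound UsernameToken is processed at all, which is worth confirming. Apart from id and address the two endpoints are otherwise identical, so the difference in intent is currently invisible in the file.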
 
 
 	<wsp:Policy wsu:Id="Combined"
@@ -189,6 +261,52 @@
 		</wsp:ExactlyOne>
 	</wsp:Policy>
 	
+	<wsp:Policy wsu:Id="DoubleItTransportSupportingSignedPolicy"
+	    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+        xmlns:wsp="http://www.w3.org/ns/ws-policy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
+                <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <sp:TransportToken>
+                            <wsp:Policy>
+                                <sp:HttpsToken>
+                                    <wsp:Policy/>
+                                </sp:HttpsToken>
+                            </wsp:Policy>
+                        </sp:TransportToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:TransportBinding>
+                <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  >
+                   <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                        <sp:SignedParts>
+                            <sp:Body/>
+                            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
+                        </sp:SignedParts>
+                    </wsp:Policy>
+                </sp:EndorsingSupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
+	
 
     
 </beans>

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl Mon May 14 14:30:37 2012
@@ -258,6 +258,23 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItTransportSupportingSignedBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItTransportSupportingSignedPolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
     
     <wsdl:service name="DoubleItService">
         <wsdl:port name="DoubleItKeyIdentifierPort" binding="tns:DoubleItKeyIdentifierBinding">
@@ -305,6 +322,10 @@
                    binding="tns:DoubleItTransportSignedEndorsingEncryptedBinding">
             <soap:address location="https://localhost:9002/DoubleItX509TransportSignedEndorsingEncrypted" />
         </wsdl:port>
+        <wsdl:port name="DoubleItTransportSupportingSignedPort" 
+                   binding="tns:DoubleItTransportSupportingSignedBinding">
+            <soap:address location="https://localhost:9002/DoubleItX509TransportSupportingSigned" />
+        </wsdl:port>
     </wsdl:service>
 
     <wsp:Policy wsu:Id="DoubleItKeyIdentifierPolicy">
@@ -778,6 +799,55 @@
         </wsp:ExactlyOne>
     </wsp:Policy>
     
+    <wsp:Policy wsu:Id="DoubleItTransportSupportingSignedPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
+                <sp:TransportBinding>
+                    <wsp:Policy>
+                        <sp:TransportToken>
+                            <wsp:Policy>
+                                <sp:HttpsToken>
+                                    <wsp:Policy/>
+                                </sp:HttpsToken>
+                            </wsp:Policy>
+                        </sp:TransportToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:TransportBinding>
+                <sp:EndorsingSupportingTokens>
+                   <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                        <sp:SignedParts>
+                            <sp:Body/>
+                            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
+                        </sp:SignedParts>
+                        <!--
+                        <sp:SignedElements>
+                            <sp:XPath>//ReplyTo</sp:XPath>
+                        </sp:SignedElements>
+                        -->
+                    </wsp:Policy>
+                </sp:EndorsingSupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
+    
     
     <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
       <wsp:ExactlyOne>
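Review bot: The commented-out `sp:SignedElements` block with `//ReplyTo` at the end of the new `DoubleItTransportSupportingSignedPolicy` is dead configuration with no explanation, and a reader cannot tell whether XPath-based SignedElements for supporting tokens are unsupported, untested, or simply switched off for this run; either delete it or replace it with a short comment stating why it is not exercised. The commented `sp:Header Name="To"` in the client-side copy of the same policy in client.xml has the opposite problem — it is the deliberate omission that makes the test fail — and would benefit from a `<!-- deliberately not signed: the test expects the server to reject this -->` note as well.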

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml Mon May 14 14:30:37 2012
@@ -211,6 +211,17 @@
        </jaxws:properties>
     </jaxws:client>
     
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSupportingSignedPort" 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+           <entry key="ws-security.signature.username" value="alice"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+       </jaxws:properties>
+    </jaxws:client>
+    
     <http:conduit name="https://localhost:.*">
         <http:tlsClientParameters disableCNCheck="true">
             <sec:trustManagers>

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1338220&r1=1338219&r2=1338220&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Mon May 14 14:30:37 2012
@@ -348,4 +348,21 @@
      
     </jaxws:endpoint> 
     
+    <jaxws:endpoint 
+       id="TransportSupportingSigned"
+       address="https://localhost:${testutil.ports.Server.2}/DoubleItX509TransportSupportingSigned" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItTransportSupportingSignedPort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+          <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
 </beans>
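Review bot: The new TransportSupportingSigned endpoint sets only `ws-security.encryption.properties`, yet the endorsing X509Token policy added in the WSDL hunk above — which this endpoint presumably binds to — requires the server to verify a signature, not to decrypt anything, so the entry is being used for signature verification by a fallback that is not visible from this file. A short comment on the entry would make that dependency explicit, e.g. `<!-- alice.properties supplies the keystore used to verify the endorsing X509 signature; nothing is encrypted on this endpoint -->`. The enclosing `<beans>` element starts outside the hunk.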