Posted to commits@cxf.apache.org by co...@apache.org on 2011/12/08 15:53:03 UTC
svn commit: r1211923 - in
/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security:
policy/ policy/builders/ policy/interceptors/ policy/model/
wss4j/policyhandlers/ wss4j/policyvalidators/
Author: coheigea
Date: Thu Dec 8 14:53:02 2011
New Revision: 1211923
URL: http://svn.apache.org/viewvc?rev=1211923&view=rev
Log:
[WSS-3960] - Patch for InitiatorSignatureToken Support in WS-Policy definition
- Patch applied (with some minor modifications), thanks.
- I added a systest.
Added:
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorSignatureTokenBuilder.java
- copied unchanged from r1211875, cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorSignatureTokenBuilder.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/InitiatorSignatureToken.java
- copied unchanged from r1211875, cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/InitiatorSignatureToken.java
Modified:
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java?rev=1211923&r1=1211922&r2=1211923&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java Thu Dec 8 14:53:02 2011
@@ -177,6 +177,9 @@ public final class SP11Constants extends
public static final QName INITIATOR_TOKEN = new QName(SP11Constants.SP_NS,
SPConstants.INITIATOR_TOKEN , SP11Constants.SP_PREFIX);
+
+ public static final QName INITIATOR_SIGNATURE_TOKEN = new QName(SP11Constants.SP_NS,
+ SPConstants.INITIATOR_SIGNATURE_TOKEN , SP11Constants.SP_PREFIX);
public static final QName RECIPIENT_TOKEN = new QName(SP11Constants.SP_NS,
SPConstants.RECIPIENT_TOKEN , SP11Constants.SP_PREFIX);
@@ -342,6 +345,9 @@ public final class SP11Constants extends
public QName getInitiatorToken() {
return INITIATOR_TOKEN;
}
+ public QName getInitiatorSignatureToken() {
+ return INITIATOR_SIGNATURE_TOKEN;
+ }
public QName getIssuedToken() {
return ISSUED_TOKEN;
}
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java?rev=1211923&r1=1211922&r2=1211923&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java Thu Dec 8 14:53:02 2011
@@ -213,7 +213,10 @@ public final class SP12Constants extends
public static final QName INITIATOR_TOKEN = new QName(SP12Constants.SP_NS,
SPConstants.INITIATOR_TOKEN , SP12Constants.SP_PREFIX);
-
+
+ public static final QName INITIATOR_SIGNATURE_TOKEN = new QName(SP12Constants.SP_NS,
+ SPConstants.INITIATOR_SIGNATURE_TOKEN , SP12Constants.SP_PREFIX);
+
public static final QName RECIPIENT_TOKEN = new QName(SP12Constants.SP_NS,
SPConstants.RECIPIENT_TOKEN , SP12Constants.SP_PREFIX);
@@ -401,6 +404,9 @@ public final class SP12Constants extends
public QName getInitiatorToken() {
return INITIATOR_TOKEN;
}
+ public QName getInitiatorSignatureToken() {
+ return INITIATOR_SIGNATURE_TOKEN;
+ }
public QName getIssuedToken() {
return ISSUED_TOKEN;
}
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1211923&r1=1211922&r2=1211923&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java Thu Dec 8 14:53:02 2011
@@ -171,9 +171,9 @@ public abstract class SPConstants {
public static final String INITIATOR_TOKEN = "InitiatorToken";
- public static final String RECIPIENT_TOKEN = "RecipientToken";
-
+ public static final String INITIATOR_SIGNATURE_TOKEN = "InitiatorSignatureToken";
+ public static final String RECIPIENT_TOKEN = "RecipientToken";
public static final String SUPPORTING_TOKENS = "SupportingTokens";
@@ -439,6 +439,7 @@ public abstract class SPConstants {
public abstract QName getEncryptionToken();
public abstract QName getHttpsToken();
public abstract QName getInitiatorToken();
+ public abstract QName getInitiatorSignatureToken();
public abstract QName getIssuedToken();
public abstract QName getIncludeToken();
public abstract QName getLayout();
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java?rev=1211923&r1=1211922&r2=1211923&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java Thu Dec 8 14:53:02 2011
@@ -38,6 +38,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.builders.EncryptedElementsBuilder;
import org.apache.cxf.ws.security.policy.builders.EncryptedPartsBuilder;
import org.apache.cxf.ws.security.policy.builders.HttpsTokenBuilder;
+import org.apache.cxf.ws.security.policy.builders.InitiatorSignatureTokenBuilder;
import org.apache.cxf.ws.security.policy.builders.InitiatorTokenBuilder;
import org.apache.cxf.ws.security.policy.builders.IssuedTokenBuilder;
import org.apache.cxf.ws.security.policy.builders.KerberosTokenBuilder;
@@ -100,6 +101,7 @@ public final class WSSecurityPolicyLoade
reg.registerBuilder(new EncryptedPartsBuilder());
reg.registerBuilder(new HttpsTokenBuilder(pbuild));
reg.registerBuilder(new InitiatorTokenBuilder(pbuild));
+ reg.registerBuilder(new InitiatorSignatureTokenBuilder(pbuild));
reg.registerBuilder(new IssuedTokenBuilder(pbuild));
reg.registerBuilder(new LayoutBuilder());
reg.registerBuilder(new ProtectionTokenBuilder(pbuild));
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java?rev=1211923&r1=1211922&r2=1211923&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java Thu Dec 8 14:53:02 2011
@@ -32,6 +32,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
+import org.apache.cxf.ws.security.policy.model.InitiatorSignatureToken;
import org.apache.cxf.ws.security.policy.model.InitiatorToken;
import org.apache.cxf.ws.security.policy.model.Layout;
import org.apache.cxf.ws.security.policy.model.RecipientToken;
@@ -93,7 +94,10 @@ public class AsymmetricBindingBuilder im
if (SPConstants.INITIATOR_TOKEN.equals(name.getLocalPart())) {
asymmetricBinding.setInitiatorToken((InitiatorToken)assertion);
-
+
+ } else if (SPConstants.INITIATOR_SIGNATURE_TOKEN.equals(name.getLocalPart())) {
+ asymmetricBinding.setInitiatorSignatureToken((InitiatorSignatureToken)assertion);
+
} else if (SPConstants.RECIPIENT_TOKEN.equals(name.getLocalPart())) {
asymmetricBinding.setRecipientToken((RecipientToken)assertion);
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java?rev=1211923&r1=1211922&r2=1211923&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java Thu Dec 8 14:53:02 2011
@@ -48,6 +48,7 @@ public class WSSecurityPolicyInterceptor
ASSERTION_TYPES.add(SP12Constants.SIGNATURE_TOKEN);
ASSERTION_TYPES.add(SP12Constants.TRANSPORT_TOKEN);
ASSERTION_TYPES.add(SP12Constants.INITIATOR_TOKEN);
+ ASSERTION_TYPES.add(SP12Constants.INITIATOR_SIGNATURE_TOKEN);
ASSERTION_TYPES.add(SP12Constants.RECIPIENT_TOKEN);
ASSERTION_TYPES.add(SP12Constants.SIGNED_PARTS);
ASSERTION_TYPES.add(SP12Constants.REQUIRED_PARTS);
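Review bot: Only the SP 1.2 QName is registered here, while the same commit adds `SP11Constants.INITIATOR_SIGNATURE_TOKEN`; if this static initializer also lists SP 1.1 assertion types elsewhere (outside the hunk), `ASSERTION_TYPES.add(SP11Constants.INITIATOR_SIGNATURE_TOKEN);` should sit alongside the SP12 entry, otherwise a WS-SecurityPolicy 1.1 policy using the new assertion is parsed by the registered builder but never claimed by this interceptor provider. If the provider is SP 1.2-only by design, a one-line comment saying so would save the next reader the same question. The static block starts and ends outside the hunk.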
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java?rev=1211923&r1=1211922&r2=1211923&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java Thu Dec 8 14:53:02 2011
@@ -35,6 +35,8 @@ import org.apache.neethi.PolicyComponent
public class AsymmetricBinding extends SymmetricAsymmetricBindingBase {
private InitiatorToken initiatorToken;
+
+ private InitiatorSignatureToken initiatorSignatureToken;
private RecipientToken recipientToken;
@@ -55,6 +57,20 @@ public class AsymmetricBinding extends S
public void setInitiatorToken(InitiatorToken initiatorToken) {
this.initiatorToken = initiatorToken;
}
+
+ /**
+ * @return Returns the initiatorToken.
+ */
+ public InitiatorSignatureToken getInitiatorSignatureToken() {
+ return initiatorSignatureToken;
+ }
+
+ /**
+ * @param initiatorToken The initiatorToken to set.
+ */
+ public void setInitiatorSignatureToken(InitiatorSignatureToken initiatorSignatureToken) {
+ this.initiatorSignatureToken = initiatorSignatureToken;
+ }
/**
* @return Returns the recipientToken.
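Review bot: The Javadoc on the two new accessors was copied from the InitiatorToken pair and documents the wrong member: `@return Returns the initiatorToken.` and `@param initiatorToken The initiatorToken to set.` should read `@return Returns the initiatorSignatureToken.` and `@param initiatorSignatureToken The initiatorSignatureToken to set.`, since the getter returns initiatorSignatureToken and the setter's parameter is named initiatorSignatureToken. It would also help to state on the getter that this token is the alternative to InitiatorToken for the initiator's signing key, not an additional token, so readers do not assume both are expected. The class continues outside the hunk.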
@@ -95,6 +111,9 @@ public class AsymmetricBinding extends S
if (getInitiatorToken() != null) {
all.addPolicyComponent(getInitiatorToken());
}
+ if (getInitiatorSignatureToken() != null) {
+ all.addPolicyComponent(getInitiatorSignatureToken());
+ }
if (getRecipientToken() != null) {
all.addPolicyComponent(getRecipientToken());
}
@@ -145,13 +164,22 @@ public class AsymmetricBinding extends S
writer.writeStartElement(pPrefix, SPConstants.POLICY.getLocalPart(), SPConstants.POLICY
.getNamespaceURI());
- if (initiatorToken == null) {
- throw new RuntimeException("InitiatorToken is not set");
+ if (initiatorToken == null && initiatorSignatureToken == null) {
+ throw new RuntimeException("InitiatorToken or InitiatorSignatureToken is not set");
}
- // <sp:InitiatorToken>
- initiatorToken.serialize(writer);
- // </sp:InitiatorToken>
+ if (initiatorToken != null) {
+ // <sp:InitiatorToken>
+ initiatorToken.serialize(writer);
+ // </sp:InitiatorToken>
+ }
+
+ if (initiatorSignatureToken != null) {
+ // <sp:InitiatorSignatureToken>
+ initiatorSignatureToken.serialize(writer);
+ // </sp:InitiatorSignatureToken>
+ }
+
if (recipientToken == null) {
throw new RuntimeException("RecipientToken is not set");
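Review bot: The relaxed guard rejects only the case where neither token is set, so a binding carrying both `initiatorToken` and `initiatorSignatureToken` is serialized with both `<sp:InitiatorToken>` and `<sp:InitiatorSignatureToken>` elements; as I read the WS-SecurityPolicy 1.2 AsymmetricBinding syntax those are alternatives (InitiatorToken, or InitiatorSignatureToken/InitiatorEncryptionToken), not companions, and the builder in this commit sets each independently without checking the other. A second guard next to the existing one would catch it: `if (initiatorToken != null && initiatorSignatureToken != null) { throw new RuntimeException("InitiatorToken and InitiatorSignatureToken are mutually exclusive"); }`. Which token the runtime actually uses when both are present is decided in the handler, not here, so the serialized policy could also misrepresent what is enforced on the wire. The serialize method starts and ends outside the hunk.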
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1211923&r1=1211922&r2=1211923&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Thu Dec 8 14:53:02 2011
@@ -102,6 +102,9 @@ public class AsymmetricBindingHandler ex
private void doSignBeforeEncrypt() {
try {
TokenWrapper initiatorWrapper = abinding.getInitiatorToken();
+ if (initiatorWrapper == null) {
+ initiatorWrapper = abinding.getInitiatorSignatureToken();
+ }
boolean attached = false;
if (initiatorWrapper != null) {
Token initiatorToken = initiatorWrapper.getToken();
@@ -141,7 +144,7 @@ public class AsymmetricBindingHandler ex
}
addSupportingTokens(sigs);
- doSignature(sigs, attached);
+ doSignature(initiatorWrapper, sigs, attached);
doEndorse();
} else {
//confirm sig
@@ -153,9 +156,8 @@ public class AsymmetricBindingHandler ex
convertToEncryptionPart(timestampEl.getElement());
sigs.add(timestampPart);
}
-
addSignatureConfirmation(sigs);
- doSignature(sigs, attached);
+ doSignature(abinding.getRecipientToken(), sigs, attached);
}
List<WSEncryptionPart> enc = getEncryptedParts();
@@ -194,10 +196,16 @@ public class AsymmetricBindingHandler ex
wrapper = abinding.getRecipientToken();
} else {
wrapper = abinding.getInitiatorToken();
+ if (wrapper == null) {
+ wrapper = abinding.getInitiatorSignatureToken();
+ }
}
encryptionToken = wrapper.getToken();
TokenWrapper initiatorWrapper = abinding.getInitiatorToken();
+ if (initiatorWrapper == null) {
+ initiatorWrapper = abinding.getInitiatorSignatureToken();
+ }
boolean attached = false;
if (initiatorWrapper != null) {
Token initiatorToken = initiatorWrapper.getToken();
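Review bot: On the responder side the fallback `wrapper = abinding.getInitiatorSignatureToken();` makes the initiator's signature token the encryption token, so the response is encrypted to the certificate the initiator signs with; WS-SecurityPolicy defines InitiatorSignatureToken for the signature only and pairs it with a separate InitiatorEncryptionToken, which this commit does not add, so a policy that deliberately keeps signing and encryption certificates apart cannot be expressed and a signature-only certificate (keyUsage digitalSignature) would end up used for key transport. At minimum a comment should record the decision: `// InitiatorSignatureToken is reused as the encryption token; no InitiatorEncryptionToken support yet`. Separately, `encryptionToken = wrapper.getToken();` still dereferences wrapper unconditionally and nothing in the hunk guarantees the binding holds either initiator token, so a policy with neither fails with a NullPointerException rather than a policy error. The enclosing method starts and ends outside the hunk.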
@@ -268,17 +276,16 @@ public class AsymmetricBindingHandler ex
addSignatureConfirmation(sigParts);
}
- if ((sigParts.size() > 0
- && isRequestor()
- && abinding.getInitiatorToken() != null)
- || (!isRequestor() && abinding.getRecipientToken() != null)) {
- try {
- doSignature(sigParts, attached);
- } catch (WSSecurityException ex) {
- throw new Fault(ex);
- } catch (SOAPException ex) {
- throw new Fault(ex);
+ try {
+ if ((sigParts.size() > 0) && initiatorWrapper != null && isRequestor()) {
+ doSignature(initiatorWrapper, sigParts, attached);
+ } else if (!isRequestor() && abinding.getRecipientToken() != null) {
+ doSignature(abinding.getRecipientToken(), sigParts, attached);
}
+ } catch (WSSecurityException ex) {
+ throw new Fault(ex);
+ } catch (SOAPException ex) {
+ throw new Fault(ex);
}
if (isRequestor()) {
@@ -412,31 +419,36 @@ public class AsymmetricBindingHandler ex
}
private void assertUnusedTokens(TokenWrapper wrapper) {
+ if (wrapper == null) {
+ return;
+ }
Collection<AssertionInfo> ais = aim.getAssertionInfo(wrapper.getName());
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == wrapper) {
- ai.setAsserted(true);
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ if (ai.getAssertion() == wrapper) {
+ ai.setAsserted(true);
+ }
}
}
ais = aim.getAssertionInfo(wrapper.getToken().getName());
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == wrapper.getToken()) {
- ai.setAsserted(true);
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ if (ai.getAssertion() == wrapper.getToken()) {
+ ai.setAsserted(true);
+ }
}
}
}
- private void doSignature(List<WSEncryptionPart> sigParts, boolean attached)
+ private void doSignature(TokenWrapper wrapper, List<WSEncryptionPart> sigParts, boolean attached)
throws WSSecurityException, SOAPException {
- Token sigToken = null;
- TokenWrapper wrapper = null;
- if (isRequestor()) {
- wrapper = abinding.getInitiatorToken();
- } else {
- wrapper = abinding.getRecipientToken();
+
+ if (!isRequestor()) {
assertUnusedTokens(abinding.getInitiatorToken());
+ assertUnusedTokens(abinding.getInitiatorSignatureToken());
}
- sigToken = wrapper.getToken();
+
+ Token sigToken = wrapper.getToken();
sigParts.addAll(this.getSignedParts());
if (sigParts.isEmpty()) {
// Add the BST to the security header if required
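Review bot: `doSignature` now receives the token wrapper from its callers and calls `wrapper.getToken()` with no null check, while the call sites in the earlier hunks disagree on guarding it (the responder path of doSignBeforeEncrypt passes `abinding.getRecipientToken()` unchecked; the later call guards with `abinding.getRecipientToken() != null`). Either document the precondition with `@param wrapper the initiator or recipient TokenWrapper whose token signs the message; must not be null` or fail with a policy-level message instead of a NullPointerException. The new null guards in assertUnusedTokens cover `wrapper` and the two `ais` lookups but not `wrapper.getToken()`, which is dereferenced for its name; if getToken() can be null for a malformed policy the same gap remains there. The method body continues outside the hunk.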
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java?rev=1211923&r1=1211922&r2=1211923&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java Thu Dec 8 14:53:02 2011
@@ -123,6 +123,33 @@ public class AsymmetricBindingPolicyVali
return false;
}
}
+ if (binding.getInitiatorSignatureToken() != null) {
+ Token token = binding.getInitiatorSignatureToken().getToken();
+ if (token instanceof X509Token) {
+ boolean foundCert = false;
+ for (WSSecurityEngineResult result : signedResults) {
+ X509Certificate cert =
+ (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ if (cert != null) {
+ foundCert = true;
+ break;
+ }
+ }
+ if (!foundCert && !signedResults.isEmpty()) {
+ String error = "An X.509 certificate was not used for the initiator signature token";
+ notAssertPolicy(aim, binding.getInitiatorSignatureToken().getName(), error);
+ ai.setNotAsserted(error);
+ return false;
+ }
+ }
+ assertPolicy(aim, binding.getInitiatorSignatureToken());
+ if (!checkDerivedKeys(
+ binding.getInitiatorSignatureToken(), hasDerivedKeys, signedResults, encryptedResults
+ )) {
+ ai.setNotAsserted("Message fails the DerivedKeys requirement");
+ return false;
+ }
+ }
if (binding.getRecipientToken() != null) {
assertPolicy(aim, binding.getRecipientToken());
if (!checkDerivedKeys(
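Review bot: The new X.509 check is satisfied by any entry in `signedResults` that carries a certificate, so a signature produced by an X.509 supporting or endorsing token would assert the InitiatorSignatureToken even if the message signature itself was made with a different token, and because of `!signedResults.isEmpty()` an unsigned message asserts the token as well, leaving rejection to the SignedParts/SignedElements validators. If that mirrors the existing InitiatorToken branch whose tail is visible at the top of the hunk it is at least consistent, but it deserves a comment: `// Only checks that some signature used an X.509 cert; an unsigned message is rejected by the SignedParts validator, not here`. The branch also does not compare the certificate against the token's own constraints or trust, which presumably happens in WSS4J's signature processing rather than in this validator. The method starts and ends outside the hunk.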