Posted to commits@cxf.apache.org by co...@apache.org on 2013/12/20 14:13:55 UTC
svn commit: r1552638 - in
/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security:
policy/interceptors/ wss4j/policyhandlers/
Author: coheigea
Date: Fri Dec 20 13:13:54 2013
New Revision: 1552638
URL: http://svn.apache.org/r1552638
Log:
Asserting more security policies
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1552638&r1=1552637&r2=1552638&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java Fri Dec 20 13:13:54 2013
@@ -27,6 +27,8 @@ import java.util.List;
import java.util.Map;
import java.util.Properties;
+import javax.xml.namespace.QName;
+
import org.w3c.dom.Element;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.helpers.CastUtils;
@@ -97,6 +99,30 @@ public class IssuedTokenInterceptorProvi
this.getInFaultInterceptors().add(PolicyBasedWSS4JStaxInInterceptor.INSTANCE);
}
+ protected static void assertIssuedToken(IssuedToken issuedToken, AssertionInfoMap aim) {
+ if (issuedToken == null) {
+ return;
+ }
+ // Assert some policies
+ if (issuedToken.isRequireExternalReference()) {
+ assertPolicy(new QName(issuedToken.getName().getNamespaceURI(),
+ SPConstants.REQUIRE_EXTERNAL_REFERENCE), aim);
+ }
+ if (issuedToken.isRequireInternalReference()) {
+ assertPolicy(new QName(issuedToken.getName().getNamespaceURI(),
+ SPConstants.REQUIRE_INTERNAL_REFERENCE), aim);
+ }
+ }
+
+ protected static void assertPolicy(QName n, AssertionInfoMap aim) {
+ Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
+ if (ais != null && !ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ }
+ }
+
static class IssuedTokenOutInterceptor extends AbstractPhaseInterceptor<Message> {
public IssuedTokenOutInterceptor() {
super(Phase.PREPARE_SEND);
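Review bot: `assertIssuedToken` marks RequireExternalReference and RequireInternalReference as asserted solely because the policy contains them, with no check that the token reference in the message actually has that form, so on its own the assertion enforces nothing; if the reference form is validated elsewhere (not visible in this hunk) the method should say so. Both new protected static methods lack Javadoc; suggest `/** Marks the IssuedToken reference-form sub-assertions as asserted; the reference form itself is expected to have been validated by the caller. */` on `assertIssuedToken` and `/** Marks every AssertionInfo registered under {@code n} as asserted; a no-op when none is registered. */` on `assertPolicy`. `issuedToken.getName()` is dereferenced without a null check, which is fine only if the policy model guarantees a name. The two later hunks in this file that call `assertIssuedToken` inherit the same behaviour.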
@@ -124,6 +150,7 @@ public class IssuedTokenInterceptorProvi
}
if (isRequestor(message)) {
IssuedToken itok = (IssuedToken)ais.iterator().next().getAssertion();
+ assertIssuedToken(itok, aim);
SecurityToken tok = retrieveCachedToken(message);
if (tok == null) {
@@ -155,10 +182,13 @@ public class IssuedTokenInterceptorProvi
//server side should be checked on the way in
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
- }
+ }
+ IssuedToken itok = (IssuedToken)ais.iterator().next().getAssertion();
+ assertIssuedToken(itok, aim);
}
}
}
+
private Trust10 getTrust10(AssertionInfoMap aim) {
Collection<AssertionInfo> ais =
NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
@@ -502,17 +532,19 @@ public class IssuedTokenInterceptorProvi
if (ais.isEmpty()) {
return;
}
+
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ IssuedToken itok = (IssuedToken)ais.iterator().next().getAssertion();
+ assertIssuedToken(itok, aim);
+
if (!isRequestor(message)) {
List<WSHandlerResult> results =
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
if (results != null && results.size() > 0) {
parseHandlerResults(results.get(0), message, aim);
}
- } else {
- //client side should be checked on the way out
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
}
}
}
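Review bot: The loop added at the top of this hunk marks every IssuedToken assertion as asserted on the non-requestor side before `parseHandlerResults` has examined the received results, where previously only the requestor path did this blanket assert. Unless `parseHandlerResults` (outside the hunk) calls `setNotAsserted` when no matching token is found, a request that omits the issued token would still satisfy the policy. Suggest keeping the blanket assert requestor-only — `if (isRequestor(message)) { for (AssertionInfo ai : ais) { ai.setAsserted(true); } }` — or adding a comment stating that the result parsing un-asserts on failure. The enclosing handleMessage method begins outside the hunk.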
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1552638&r1=1552637&r2=1552638&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Fri Dec 20 13:13:54 2013
@@ -112,7 +112,6 @@ import org.apache.wss4j.dom.message.toke
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
-import org.apache.wss4j.policy.SP13Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
import org.apache.wss4j.policy.model.AbstractBinding;
@@ -692,8 +691,6 @@ public abstract class AbstractBindingBui
if (token.getPasswordType() == UsernameToken.PasswordType.NoPassword) {
utBuilder.setUserInfo(userName, null);
utBuilder.setPasswordType(null);
- assertPolicy(
- new QName(token.getName().getNamespaceURI(), SPConstants.NO_PASSWORD));
} else {
String password = (String)message.getContextualProperty(SecurityConstants.PASSWORD);
if (StringUtils.isEmpty(password)) {
@@ -704,9 +701,6 @@ public abstract class AbstractBindingBui
// If the password is available then build the token
if (token.getPasswordType() == UsernameToken.PasswordType.HashPassword) {
utBuilder.setPasswordType(WSConstants.PASSWORD_DIGEST);
- assertPolicy(
- new QName(token.getName().getNamespaceURI(),
- SPConstants.HASH_PASSWORD));
} else {
utBuilder.setPasswordType(WSConstants.PASSWORD_TEXT);
}
@@ -719,17 +713,11 @@ public abstract class AbstractBindingBui
if (token.isCreated() && token.getPasswordType() != UsernameToken.PasswordType.HashPassword) {
utBuilder.addCreated();
- assertPolicy(SP13Constants.CREATED);
}
if (token.isNonce() && token.getPasswordType() != UsernameToken.PasswordType.HashPassword) {
utBuilder.addNonce();
- assertPolicy(SP13Constants.NONCE);
}
- assertPolicy(
- new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN10));
- assertPolicy(
- new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN11));
return utBuilder;
} else {
policyNotAsserted(token, "No username available");
@@ -762,10 +750,6 @@ public abstract class AbstractBindingBui
return null;
}
- assertPolicy(
- new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN10));
- assertPolicy(
- new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN11));
return utBuilder;
} else {
policyNotAsserted(token, "No username available");
@@ -819,14 +803,8 @@ public abstract class AbstractBindingBui
SamlTokenType tokenType = token.getSamlTokenType();
if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) {
samlCallback.setSamlVersion(SAMLVersion.VERSION_11);
- assertPolicy(
- new QName(token.getName().getNamespaceURI(), "WssSamlV11Token10"));
- assertPolicy(
- new QName(token.getName().getNamespaceURI(), "WssSamlV11Token11"));
} else if (tokenType == SamlTokenType.WssSamlV20Token11) {
samlCallback.setSamlVersion(SAMLVersion.VERSION_20);
- assertPolicy(
- new QName(token.getName().getNamespaceURI(), "WssSamlV20Token11"));
}
SAMLUtil.doSAMLCallback(handler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java?rev=1552638&r1=1552637&r2=1552638&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java Fri Dec 20 13:13:54 2013
@@ -134,6 +134,10 @@ public abstract class AbstractCommonBind
assertPolicy(token.getName());
String namespace = token.getName().getNamespaceURI();
+ if (token.getDerivedKeys() != null) {
+ assertPolicy(new QName(namespace, token.getDerivedKeys().name()));
+ }
+
if (token instanceof X509Token) {
X509Token x509Token = (X509Token)token;
assertX509Token(x509Token);
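Review bot: `assertPolicy(new QName(namespace, token.getDerivedKeys().name()))` ties the enum constant's spelling to the SP policy local name and asserts the derived-keys requirement from the policy alone, not from whether a derived key is actually produced for this token. If that is intentional because derivation is enforced in the signing/encryption code (not visible here), a comment such as `// DerivedKeys constants are named after the SP local names; the requirement itself is enforced where the key is derived` would make the coupling explicit to the next maintainer. The enclosing assertToken method starts and ends outside the hunk.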
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java?rev=1552638&r1=1552637&r2=1552638&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java Fri Dec 20 13:13:54 2013
@@ -118,9 +118,25 @@ public class StaxTransportBindingHandler
throw new Fault(e);
}
} else {
- if (tbinding != null && tbinding.getTransportToken() != null) {
- assertTokenWrapper(tbinding.getTransportToken());
- assertToken(tbinding.getTransportToken().getToken());
+ try {
+ handleNonEndorsingSupportingTokens(aim);
+ } catch (Exception e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
+ throw new Fault(e);
+ }
+ if (tbinding != null) {
+ assertPolicy(tbinding.getName());
+ if (tbinding.getTransportToken() != null) {
+ assertTokenWrapper(tbinding.getTransportToken());
+ assertToken(tbinding.getTransportToken().getToken());
+
+ try {
+ handleEndorsingSupportingTokens(aim);
+ } catch (Exception e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
+ throw new Fault(e);
+ }
+ }
}
addSignatureConfirmation(null);
}
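Review bot: In the new non-requestor branch the endorsing supporting tokens are handled only when `tbinding.getTransportToken()` is non-null, while the non-endorsing ones are handled regardless of `tbinding`; if an endorsing token needs a transport token to endorse, a one-line comment above the nested `if` saying so would stop a later cleanup from hoisting the call. The two `try { ... } catch (Exception e) { LOG.log(Level.FINE, e.getMessage(), e); throw new Fault(e); }` blocks are identical and could become a small helper taking the action to run, which the requestor branch above presumably could share. The enclosing method starts and ends outside the hunk.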
@@ -192,6 +208,11 @@ public class StaxTransportBindingHandler
private void addSignedSupportingTokens(SupportingTokens sgndSuppTokens)
throws Exception {
for (AbstractToken token : sgndSuppTokens.getTokens()) {
+ assertToken(token);
+ if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
+ continue;
+ }
+
if (token instanceof UsernameToken) {
addUsernameToken((UsernameToken)token);
} else if (token instanceof IssuedToken) {
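Review bot: `assertToken(token)` is called before the `token != null` guard on the next line, so either the null test is redundant or `assertToken` can be reached with a null token; the same ordering appears in the handleEndorsingToken hunk below and in both TransportBindingHandler hunks. If `assertToken` tolerates null, simplify the guard to `if (!isTokenRequired(token.getIncludeTokenType())) { continue; }` after a null check; otherwise move the null check ahead of the assert. A short comment would also help, since a token whose include-token type says it need not be sent is presumably still asserted because the policy is satisfied by its absence. The enclosing addSignedSupportingTokens loop continues past the hunk.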
@@ -273,6 +294,11 @@ public class StaxTransportBindingHandler
private void handleEndorsingToken(
AbstractToken token, SupportingTokens wrapper
) throws Exception {
+ assertToken(token);
+ if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
+ return;
+ }
+
if (token instanceof IssuedToken) {
SecurityToken securityToken = getSecurityToken();
addIssuedToken(token, securityToken, false, true);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1552638&r1=1552637&r2=1552638&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Fri Dec 20 13:13:54 2013
@@ -97,6 +97,11 @@ public class TransportBindingHandler ext
private void addSignedSupportingTokens(SupportingTokens sgndSuppTokens)
throws Exception {
for (AbstractToken token : sgndSuppTokens.getTokens()) {
+ assertToken(token);
+ if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
+ continue;
+ }
+
if (token instanceof UsernameToken) {
WSSecUsernameToken utBuilder = addUsernameToken((UsernameToken)token);
if (utBuilder != null) {
@@ -159,9 +164,11 @@ public class TransportBindingHandler ext
handleEndorsingSupportingTokens();
}
} else {
+ handleNonEndorsingSupportingTokens();
if (tbinding != null && tbinding.getTransportToken() != null) {
assertTokenWrapper(tbinding.getTransportToken());
assertToken(tbinding.getTransportToken().getToken());
+ handleEndorsingSupportingTokens();
}
addSignatureConfirmation(null);
}
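Review bot: This non-requestor branch now mirrors the Stax handler's except that it never calls `assertPolicy(tbinding.getName())`, which the StaxTransportBindingHandler hunk adds alongside the same two calls. Unless the transport binding assertion is asserted elsewhere in this class (not visible here), add `assertPolicy(tbinding.getName());` under a separate `if (tbinding != null)` so the binding is asserted even when it carries no transport token. The enclosing method starts and ends outside the hunk.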
@@ -301,6 +308,11 @@ public class TransportBindingHandler ext
private void handleEndorsingToken(
AbstractToken token, SupportingTokens wrapper
) throws Exception {
+ assertToken(token);
+ if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
+ return;
+ }
+
if (token instanceof IssuedToken
|| token instanceof SecureConversationToken
|| token instanceof SecurityContextToken