Posted to commits@cxf.apache.org by co...@apache.org on 2015/03/14 13:44:23 UTC
[1/2] cxf git commit: An initial refactor about how policies are
asserted
Repository: cxf
Updated Branches:
refs/heads/master 08f376bdf -> a2e5fae3a
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
index bd9ae7c..abf12e6 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
@@ -44,6 +44,7 @@ import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
@@ -243,7 +244,8 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
}
private boolean isAllowNoPassword(AssertionInfoMap aim) throws WSSecurityException {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
@@ -283,12 +285,12 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
protected UsernameToken assertTokens(SoapMessage message) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
- assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
- assertPolicy(aim, SPConstants.HASH_PASSWORD);
- assertPolicy(aim, SPConstants.NO_PASSWORD);
- assertPolicy(aim, SP13Constants.NONCE);
- assertPolicy(aim, SP13Constants.CREATED);
+ PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
+ PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
+ PolicyUtils.assertPolicy(aim, SPConstants.HASH_PASSWORD);
+ PolicyUtils.assertPolicy(aim, SPConstants.NO_PASSWORD);
+ PolicyUtils.assertPolicy(aim, SP13Constants.NONCE);
+ PolicyUtils.assertPolicy(aim, SP13Constants.CREATED);
return (UsernameToken)assertTokens(message, SPConstants.USERNAME_TOKEN, true);
}
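Review bot: The six `PolicyUtils.assertPolicy(aim, ...)` calls at the top of `assertTokens(SoapMessage)` mark HASH_PASSWORD, NO_PASSWORD, NONCE and CREATED as satisfied without looking at any token, and nothing in the hunk says why no check is needed on this path. The other `assertTokens` overload further down only asserts the same names after comparing the policy with the principal, so the difference is easy to misread as an omission. If this overload is only reached where there is no received token to validate, a comment above the calls should say so, for example `// No received token on this path; sub-assertions are asserted without validation`. Which path calls this method is not visible in the hunk and should be confirmed before wording the comment.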
@@ -299,7 +301,8 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
boolean signed
) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
UsernameToken tok = null;
for (AssertionInfo ai : ais) {
tok = (UsernameToken)ai.getAssertion();
@@ -308,7 +311,7 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
&& (princ == null || !princ.isPasswordDigest())) {
ai.setNotAsserted("Password hashing policy not enforced");
} else {
- assertPolicy(aim, SPConstants.HASH_PASSWORD);
+ PolicyUtils.assertPolicy(aim, SPConstants.HASH_PASSWORD);
}
if ((tok.getPasswordType() != UsernameToken.PasswordType.NoPassword)
@@ -316,28 +319,28 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
&& (princ == null || princ.getPassword() == null)) {
ai.setNotAsserted("Username Token No Password supplied");
} else {
- assertPolicy(aim, SPConstants.NO_PASSWORD);
+ PolicyUtils.assertPolicy(aim, SPConstants.NO_PASSWORD);
}
if (tok.isCreated() && princ.getCreatedTime() == null) {
ai.setNotAsserted("No Created Time");
} else {
- assertPolicy(aim, SP13Constants.CREATED);
+ PolicyUtils.assertPolicy(aim, SP13Constants.CREATED);
}
if (tok.isNonce() && princ.getNonce() == null) {
ai.setNotAsserted("No Nonce");
} else {
- assertPolicy(aim, SP13Constants.NONCE);
+ PolicyUtils.assertPolicy(aim, SP13Constants.NONCE);
}
}
- assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
- assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
- assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
+ PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
+ PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
+ PolicyUtils.assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
if (signed || isTLSInUse(message)) {
- assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+ PolicyUtils.assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
}
return tok;
}
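Review bot: `princ` is dereferenced without a null check in `tok.isCreated() && princ.getCreatedTime() == null` and `tok.isNonce() && princ.getNonce() == null`, although the password conditions earlier in the same loop treat `princ == null` as possible. With a null principal and a policy that requires Created or Nonce, the method would throw a NullPointerException instead of marking the assertion as not asserted. Guard both conditions the way the password checks do: `if (tok.isCreated() && (princ == null || princ.getCreatedTime() == null))` and `if (tok.isNonce() && (princ == null || princ.getNonce() == null))`. The method starts in an earlier hunk, so whether a caller can really pass a null principal should be confirmed there.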
@@ -366,7 +369,7 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
if (utBuilder == null) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
for (AssertionInfo ai : ais) {
if (ai.isAsserted()) {
ai.setAsserted(false);
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
index d748ede..d69e94d 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
@@ -350,5 +350,5 @@ public final class WSS4JUtils {
}
return CryptoFactory.getInstance(propFilename, classLoader);
}
-
+
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 7dd95af..8198aa0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -69,6 +69,7 @@ import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyConstants;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler;
@@ -1057,7 +1058,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
return new ArrayList<WSEncryptionPart>();
}
- List<WSEncryptionPart> signedParts = new ArrayList<WSEncryptionPart>();
+ List<WSEncryptionPart> signedParts = new ArrayList<>();
if (parts != null) {
isBody = parts.isBody();
for (Header head : parts.getHeaders()) {
@@ -2038,36 +2039,36 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
protected void addSupportingTokens(List<WSEncryptionPart> sigs) throws WSSecurityException {
Collection<AssertionInfo> sgndSuppTokens =
- getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
List<SupportingToken> sigSuppTokList = this.handleSupportingTokens(sgndSuppTokens, false);
Collection<AssertionInfo> endSuppTokens =
- getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
endSuppTokList = this.handleSupportingTokens(endSuppTokens, true);
Collection<AssertionInfo> sgndEndSuppTokens =
- getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
sgndEndSuppTokList = this.handleSupportingTokens(sgndEndSuppTokens, true);
Collection<AssertionInfo> sgndEncryptedSuppTokens =
- getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
List<SupportingToken> sgndEncSuppTokList
= this.handleSupportingTokens(sgndEncryptedSuppTokens, false);
Collection<AssertionInfo> endorsingEncryptedSuppTokens =
- getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
endSuppTokList.addAll(this.handleSupportingTokens(endorsingEncryptedSuppTokens, true));
Collection<AssertionInfo> sgndEndEncSuppTokens =
- getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
sgndEndSuppTokList.addAll(this.handleSupportingTokens(sgndEndEncSuppTokens, true));
Collection<AssertionInfo> supportingToks =
- getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
this.handleSupportingTokens(supportingToks, false);
Collection<AssertionInfo> encryptedSupportingToks =
- getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
this.handleSupportingTokens(encryptedSupportingToks, false);
//Setup signature parts
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
index 5c8250c..e175f67 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
@@ -20,8 +20,6 @@
package org.apache.cxf.ws.security.wss4j.policyhandlers;
import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -35,13 +33,12 @@ import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.neethi.Assertion;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.util.WSSecurityUtil;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SP13Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
@@ -408,48 +405,11 @@ public abstract class AbstractCommonBindingHandler {
}
}
- protected AssertionInfo getFirstAssertionByLocalname(
- AssertionInfoMap aim, String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- if (sp11Ais != null && !sp11Ais.isEmpty()) {
- return sp11Ais.iterator().next();
- }
-
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
- if (sp12Ais != null && !sp12Ais.isEmpty()) {
- return sp12Ais.iterator().next();
- }
-
- return null;
- }
-
protected Collection<AssertionInfo> getAllAssertionsByLocalname(String localname) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- return getAllAssertionsByLocalname(aim, localname);
+ return PolicyUtils.getAllAssertionsByLocalname(aim, localname);
}
- protected Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
-
protected SoapMessage getMessage() {
return message;
}
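Review bot: Removing the `protected` methods `getFirstAssertionByLocalname(AssertionInfoMap, String)` and `getAllAssertionsByLocalname(AssertionInfoMap, String)` from this public abstract class breaks any subclass outside the files touched here that still calls them. The one-argument `getAllAssertionsByLocalname(String)` is kept as a delegate, so the same treatment would work for the two removed ones, e.g. `@Deprecated protected Collection<AssertionInfo> getAllAssertionsByLocalname(AssertionInfoMap aim, String localname) { return PolicyUtils.getAllAssertionsByLocalname(aim, localname); }`. If the class is treated as internal and no such subclasses are supported, a line in the commit message saying so would be enough.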
@@ -487,14 +447,15 @@ public abstract class AbstractCommonBindingHandler {
protected Wss10 getWss10() {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.WSS10);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS10);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
return (Wss10)ai.getAssertion();
}
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS11);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
return (Wss10)ai.getAssertion();
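Review bot: Both `for` loops in `getWss10` return on their first iteration, so the result depends on the iteration order of whatever collection `PolicyUtils.getAllAssertionsByLocalname` returns. The helper removed from this class built a `HashSet`; if the new one does the same, the assertion picked is arbitrary when both SP11 and SP12 entries are present. Writing the intent directly, `return (Wss10)ais.iterator().next();` inside the `!ais.isEmpty()` check, makes the "first one wins" behaviour explicit, and a short comment should say whether any match is acceptable. The method continues past the end of this hunk.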
@@ -515,14 +476,9 @@ public abstract class AbstractCommonBindingHandler {
return st;
}
- protected void assertPolicy(QName n) {
+ protected void assertPolicy(QName name) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
- if (ais != null && !ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- }
+ PolicyUtils.assertPolicy(aim, name);
}
protected void assertPolicy(Assertion assertion) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
index f65085a..3715162 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
@@ -44,6 +44,7 @@ import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.wss4j.common.ext.WSPasswordCallback;
@@ -83,7 +84,6 @@ import org.apache.wss4j.policy.model.Wss11;
import org.apache.wss4j.policy.model.X509Token;
import org.apache.wss4j.policy.model.X509Token.TokenType;
import org.apache.wss4j.policy.model.XPath;
-import org.apache.wss4j.policy.stax.PolicyUtils;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSConstants.UsernameTokenPasswordType;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
@@ -472,7 +472,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
}
protected void configureLayout(AssertionInfoMap aim) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
+ Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
Layout layout = null;
for (AssertionInfo ai : ais) {
layout = (Layout)ai.getAssertion();
@@ -828,13 +828,13 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
SignedElements elements = null;
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- AssertionInfo assertionInfo = getFirstAssertionByLocalname(aim, SPConstants.SIGNED_PARTS);
+ AssertionInfo assertionInfo = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SIGNED_PARTS);
if (assertionInfo != null) {
parts = (SignedParts)assertionInfo.getAssertion();
assertionInfo.setAsserted(true);
}
- assertionInfo = getFirstAssertionByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+ assertionInfo = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
if (assertionInfo != null) {
elements = (SignedElements)assertionInfo.getAssertion();
assertionInfo.setAsserted(true);
@@ -871,7 +871,8 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
if (elements != null && elements.getXPaths() != null) {
for (XPath xPath : elements.getXPaths()) {
- List<QName> qnames = PolicyUtils.getElementPath(xPath);
+ List<QName> qnames =
+ org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
if (!qnames.isEmpty()) {
SecurePart securePart =
new SecurePart(qnames.get(qnames.size() - 1), Modifier.Element);
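Review bot: After the import swap, the simple name `PolicyUtils` in this file means `org.apache.cxf.ws.security.policy.PolicyUtils`, and the WSS4J class of the same name has to be spelled out in full at each `getElementPath` call. The same fully-qualified call is repeated in the two later hunks of this file and in the `StaxTransportBindingHandler` hunk near its SignedElements handling. One protected helper in this base class would keep the qualified name in a single place: `protected static List<QName> getElementPath(XPath xPath) { return org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath); }`. It would also reduce the chance that a later edit calls the wrong `PolicyUtils` by simple name.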
@@ -892,7 +893,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
ContentEncryptedElements celements = null;
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
+ Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
parts = (EncryptedParts)ai.getAssertion();
@@ -900,7 +901,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
}
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
elements = (EncryptedElements)ai.getAssertion();
@@ -908,7 +909,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
}
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
celements = (ContentEncryptedElements)ai.getAssertion();
@@ -944,7 +945,8 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
if (elements != null && elements.getXPaths() != null) {
for (XPath xPath : elements.getXPaths()) {
- List<QName> qnames = PolicyUtils.getElementPath(xPath);
+ List<QName> qnames =
+ org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
if (!qnames.isEmpty()) {
SecurePart securePart =
new SecurePart(qnames.get(qnames.size() - 1), Modifier.Element);
@@ -955,7 +957,8 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
if (celements != null && celements.getXPaths() != null) {
for (XPath xPath : celements.getXPaths()) {
- List<QName> qnames = PolicyUtils.getElementPath(xPath);
+ List<QName> qnames =
+ org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
if (!qnames.isEmpty()) {
SecurePart securePart =
new SecurePart(qnames.get(qnames.size() - 1), Modifier.Content);
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
index f932698..1beb200 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
@@ -33,6 +33,7 @@ import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.wss4j.policy.SP11Constants;
@@ -57,7 +58,6 @@ import org.apache.wss4j.policy.model.TransportToken;
import org.apache.wss4j.policy.model.UsernameToken;
import org.apache.wss4j.policy.model.X509Token;
import org.apache.wss4j.policy.model.XPath;
-import org.apache.wss4j.policy.stax.PolicyUtils;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.xml.security.stax.ext.OutboundSecurityContext;
@@ -159,7 +159,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
private void handleNonEndorsingSupportingTokens(AssertionInfoMap aim) throws Exception {
Collection<AssertionInfo> ais;
- ais = getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
SupportingTokens sgndSuppTokens = (SupportingTokens)ai.getAssertion();
@@ -170,7 +170,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
}
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
SupportingTokens sgndSuppTokens = (SupportingTokens)ai.getAssertion();
@@ -181,7 +181,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
}
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
SupportingTokens encrSuppTokens = (SupportingTokens)ai.getAssertion();
@@ -192,7 +192,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
}
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
SupportingTokens suppTokens = (SupportingTokens)ai.getAssertion();
@@ -233,7 +233,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
private void handleEndorsingSupportingTokens(AssertionInfoMap aim) throws Exception {
Collection<AssertionInfo> ais;
- ais = getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
SupportingTokens sgndSuppTokens = null;
for (AssertionInfo ai : ais) {
@@ -247,7 +247,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
}
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
SupportingTokens endSuppTokens = null;
for (AssertionInfo ai : ais) {
@@ -261,7 +261,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
}
}
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
SupportingTokens endSuppTokens = null;
for (AssertionInfo ai : ais) {
@@ -275,7 +275,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
}
}
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
SupportingTokens endSuppTokens = null;
for (AssertionInfo ai : ais) {
@@ -412,7 +412,8 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
// Handle SignedElements
if (signedElements != null && signedElements.getXPaths() != null) {
for (XPath xPath : signedElements.getXPaths()) {
- List<QName> qnames = PolicyUtils.getElementPath(xPath);
+ List<QName> qnames =
+ org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
if (!qnames.isEmpty()) {
SecurePart part =
new SecurePart(qnames.get(qnames.size() - 1), Modifier.Element);
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index d6a4462..0003d7e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
@@ -22,21 +22,18 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
import java.util.List;
import javax.xml.namespace.QName;
import org.w3c.dom.Element;
-
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.neethi.Assertion;
-
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSConstants;
@@ -47,8 +44,6 @@ import org.apache.wss4j.dom.message.token.PKIPathSecurity;
import org.apache.wss4j.dom.message.token.Timestamp;
import org.apache.wss4j.dom.message.token.X509Security;
import org.apache.wss4j.dom.util.WSSecurityUtil;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding.ProtectionOrder;
@@ -170,7 +165,7 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
ai.setNotAsserted(error);
return false;
}
- assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
+ PolicyUtils.assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
// Check the EntireHeaderAndBodySignatures property
if (binding.isOnlySignEntireHeadersAndBody()
@@ -179,15 +174,15 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
ai.setNotAsserted(error);
return false;
}
- assertPolicy(aim, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
+ PolicyUtils.assertPolicy(aim, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
// Check whether the signatures were encrypted or not
if (binding.isEncryptSignature() && !isSignatureEncrypted(results)) {
ai.setNotAsserted("The signature is not protected");
return false;
}
- assertPolicy(aim, SPConstants.ENCRYPT_SIGNATURE);
- assertPolicy(aim, SPConstants.PROTECT_TOKENS);
+ PolicyUtils.assertPolicy(aim, SPConstants.ENCRYPT_SIGNATURE);
+ PolicyUtils.assertPolicy(aim, SPConstants.PROTECT_TOKENS);
/*
// Check ProtectTokens
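Review bot: `PolicyUtils.assertPolicy(aim, SPConstants.PROTECT_TOKENS)` marks ProtectTokens as satisfied although the check that follows it sits inside a `/* ... */` block, so a policy that requires ProtectTokens is reported as fulfilled without any verification in this method. The EncryptSignature assertion just above it is preceded by a failing branch; this one is not. Until the check is restored, the gap should at least be stated next to the call, for example `// TODO: ProtectTokens is asserted without validation; the check below is disabled`. The commented-out block runs past the end of this hunk, so its contents are not visible here.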
@@ -215,13 +210,13 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
ai.setNotAsserted("Not encrypted before signed");
return false;
}
- assertPolicy(aim, SPConstants.ENCRYPT_BEFORE_SIGNING);
+ PolicyUtils.assertPolicy(aim, SPConstants.ENCRYPT_BEFORE_SIGNING);
} else if (protectionOrder == ProtectionOrder.SignBeforeEncrypting) {
if (isEncryptedBeforeSigned(results)) {
ai.setNotAsserted("Not signed before encrypted");
return false;
}
- assertPolicy(aim, SPConstants.SIGN_BEFORE_ENCRYPTING);
+ PolicyUtils.assertPolicy(aim, SPConstants.SIGN_BEFORE_ENCRYPTING);
}
return true;
}
@@ -447,17 +442,6 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
return false;
}
- protected void assertPolicy(AssertionInfoMap aim, Assertion token) {
- Collection<AssertionInfo> ais = aim.get(token.getName());
- if (ais != null && !ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == token) {
- ai.setAsserted(true);
- }
- }
- }
- }
-
protected void notAssertPolicy(AssertionInfoMap aim, Assertion token, String msg) {
Collection<AssertionInfo> ais = aim.get(token.getName());
if (ais != null && !ais.isEmpty()) {
@@ -469,28 +453,6 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
}
}
- protected boolean assertPolicy(AssertionInfoMap aim, String localname) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- return true;
- }
- return false;
- }
-
- protected boolean assertPolicy(AssertionInfoMap aim, QName q) {
- Collection<AssertionInfo> ais = aim.get(q);
- if (ais != null && !ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- return true;
- }
- return false;
- }
-
protected void notAssertPolicy(AssertionInfoMap aim, QName q, String msg) {
Collection<AssertionInfo> ais = aim.get(q);
if (ais != null && !ais.isEmpty()) {
@@ -500,24 +462,4 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
}
}
- protected Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
index 734a495..ba046d6 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
@@ -19,18 +19,8 @@
package org.apache.cxf.ws.security.wss4j.policyvalidators;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
-
-import javax.xml.namespace.QName;
-
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -66,46 +56,4 @@ public abstract class AbstractTokenPolicyValidator {
}
}
- protected boolean assertPolicy(AssertionInfoMap aim, QName name) {
- Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
- if (aim != null && !ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- return true;
- }
- return false;
- }
-
- protected boolean assertPolicy(AssertionInfoMap aim, String localname) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- return true;
- }
- return false;
- }
-
- protected Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index 533489d..8f9ce14 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -30,11 +30,11 @@ import java.util.List;
import javax.xml.namespace.QName;
import org.w3c.dom.Element;
-
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
@@ -57,7 +57,8 @@ public class AlgorithmSuitePolicyValidator extends AbstractTokenPolicyValidator
List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults
) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
if (!ais.isEmpty()) {
parsePolicies(aim, ais, message, results);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
index b4047cf..04c6777 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
@@ -24,10 +24,10 @@ import java.util.Collection;
import java.util.List;
import org.w3c.dom.Element;
-
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.policy.SPConstants;
@@ -49,7 +49,8 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
if (!ais.isEmpty()) {
parsePolicies(aim, ais, message, soapBody, results, signedResults, encryptedResults);
}
@@ -163,14 +164,14 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid
return false;
}
}
- assertPolicy(aim, wrapper);
+ PolicyUtils.assertPolicy(aim, wrapper.getName());
if (!checkDerivedKeys(wrapper, hasDerivedKeys, signedResults, encryptedResults)) {
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
- assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
- assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
- assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
return true;
}
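Review bot: `PolicyUtils.assertPolicy(aim, wrapper.getName())` marks the token wrapper's assertion as asserted before `checkDerivedKeys` has run, so on the failure path only `ai` is set to not-asserted and the wrapper's own AssertionInfo stays asserted. The commit keeps the order of the old code, but since the line is being touched anyway it would be safer to fail closed: move the call below the `checkDerivedKeys` block, directly before `PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);`. The same order appears in the following hunk of this file. The enclosing method starts outside the hunk, so whether a caller resets the wrapper assertion on failure is not visible here.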
@@ -184,14 +185,14 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults) {
- assertPolicy(aim, wrapper);
+ PolicyUtils.assertPolicy(aim, wrapper.getName());
if (!checkDerivedKeys(wrapper, hasDerivedKeys, signedResults, encryptedResults)) {
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
- assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
- assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
- assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
return true;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
index b332486..15c2508 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -54,7 +55,8 @@ public class ConcreteSupportingTokenPolicyValidator extends AbstractSupportingTo
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
setMessage(message);
setResults(results);
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
index 2ebb47c..f545be4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -54,7 +55,8 @@ public class EncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicy
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
setMessage(message);
setResults(results);
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
index cb490ba..3fc837f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -57,7 +58,7 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo
List<WSSecurityEngineResult> encryptedResults
) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
setMessage(message);
setResults(results);
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
index 50082c3..cbdc07b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -57,7 +58,7 @@ public class EndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicy
List<WSSecurityEngineResult> encryptedResults
) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
setMessage(message);
setResults(results);
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
index 8cdf20f..55db72f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
@@ -29,6 +29,7 @@ import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSConstants;
@@ -107,8 +108,8 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
}
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
- assertPolicy(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
return true;
}
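Review bot: `aim` is taken straight from `message.get(AssertionInfoMap.class)` and handed to `PolicyUtils.assertPolicy` with no null check, here and in the next hunk of this file. PolicyUtils is not shown in this part of the commit, so it cannot be confirmed that it tolerates a message that carries no AssertionInfoMap. The `assertPolicy(AssertionInfoMap, QName)` helper removed from AbstractTokenPolicyValidator called `aim.getAssertionInfo(name)` before its `aim != null` test, so a null map was never actually handled there. Either guard the two calls with `if (aim != null) {` or document on PolicyUtils.assertPolicy that a null map is a no-op. The enclosing method starts outside the hunk.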
@@ -143,8 +144,8 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
}
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
- assertPolicy(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
return true;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
index 6624e9c..aa22d73 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
@@ -26,6 +26,7 @@ import javax.xml.namespace.QName;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.KerberosToken;
@@ -49,11 +50,12 @@ public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator {
AssertionInfoMap aim,
KerberosSecurity kerberosToken
) {
- Collection<AssertionInfo> krbAis = getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+ Collection<AssertionInfo> krbAis =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
if (!krbAis.isEmpty()) {
parsePolicies(aim, krbAis, kerberosToken);
- assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
}
return true;
@@ -69,12 +71,12 @@ public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator {
ai.setAsserted(true);
if (!isTokenRequired(kerberosTokenPolicy, message)) {
- assertPolicy(
+ PolicyUtils.assertPolicy(
aim,
new QName(kerberosTokenPolicy.getVersion().getNamespace(),
"WssKerberosV5ApReqToken11")
);
- assertPolicy(
+ PolicyUtils.assertPolicy(
aim,
new QName(kerberosTokenPolicy.getVersion().getNamespace(),
"WssGssKerberosV5ApReqToken11")
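Review bot: The assertion local names are spelled as string literals (`"WssKerberosV5ApReqToken11"`, `"WssGssKerberosV5ApReqToken11"`) in four places across this hunk and the next one, while the comparison in the next hunk already uses the `ApReqTokenType` constants of the same names. A typo in one literal would still compile and would simply leave that assertion unasserted. Deriving the name from the enum keeps the two in step, e.g. `new QName(kerberosTokenPolicy.getVersion().getNamespace(), ApReqTokenType.WssKerberosV5ApReqToken11.name())`, as SamlTokenPolicyValidator does with `samlToken.getSamlTokenType().name()`. The second call's closing lines fall outside the hunk.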
@@ -98,14 +100,14 @@ public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator {
if (apReqTokenType == ApReqTokenType.WssKerberosV5ApReqToken11
&& kerberosToken.isV5ApReq()) {
- assertPolicy(
+ PolicyUtils.assertPolicy(
aim,
new QName(kerberosTokenPolicy.getVersion().getNamespace(), "WssKerberosV5ApReqToken11")
);
return true;
} else if (apReqTokenType == ApReqTokenType.WssGssKerberosV5ApReqToken11
&& kerberosToken.isGssV5ApReq()) {
- assertPolicy(
+ PolicyUtils.assertPolicy(
aim,
new QName(kerberosTokenPolicy.getVersion().getNamespace(), "WssGssKerberosV5ApReqToken11")
);
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
index 370906b..4ac51b0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
@@ -32,6 +32,7 @@ import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSConstants;
@@ -57,7 +58,8 @@ public class LayoutPolicyValidator extends AbstractTokenPolicyValidator {
List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults
) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
if (!ais.isEmpty()) {
parsePolicies(aim, ais, message, results, signedResults);
}
@@ -82,10 +84,10 @@ public class LayoutPolicyValidator extends AbstractTokenPolicyValidator {
}
}
- assertPolicy(aim, SPConstants.LAYOUT_LAX);
- assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
- assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
- assertPolicy(aim, SPConstants.LAYOUT_STRICT);
+ PolicyUtils.assertPolicy(aim, SPConstants.LAYOUT_LAX);
+ PolicyUtils.assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
+ PolicyUtils.assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
+ PolicyUtils.assertPolicy(aim, SPConstants.LAYOUT_STRICT);
}
public boolean validatePolicy(
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
index 6a77ff6..37adc67 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
@@ -27,11 +27,11 @@ import java.util.List;
import javax.xml.namespace.QName;
import org.w3c.dom.Element;
-
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
@@ -60,11 +60,12 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implem
body = soapBody;
signed = signedResults;
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
if (!ais.isEmpty()) {
parsePolicies(aim, ais, message, results, signedResults);
- assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
}
return true;
@@ -88,7 +89,7 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implem
ai.setAsserted(true);
if (!isTokenRequired(samlToken, message)) {
- assertPolicy(
+ PolicyUtils.assertPolicy(
aim,
new QName(samlToken.getVersion().getNamespace(), samlToken.getSamlTokenType().name())
);
@@ -166,7 +167,7 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implem
}
if (samlTokenType != null) {
- assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), samlTokenType.name()));
+ PolicyUtils.assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), samlTokenType.name()));
}
return true;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
index 5103b2b..6171e9e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
@@ -23,10 +23,10 @@ import java.util.Collection;
import java.util.List;
import org.w3c.dom.Element;
-
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.util.WSSecurityUtil;
@@ -49,7 +49,7 @@ public class SecurityContextTokenPolicyValidator
List<WSSecurityEngineResult> signedResults
) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
if (!ais.isEmpty()) {
parsePolicies(aim, ais, message, results);
}
@@ -70,9 +70,9 @@ public class SecurityContextTokenPolicyValidator
SecurityContextToken sctPolicy = (SecurityContextToken)ai.getAssertion();
ai.setAsserted(true);
- assertPolicy(aim, SP12Constants.REQUIRE_EXTERNAL_URI_REFERENCE);
- assertPolicy(aim, SP12Constants.SC13_SECURITY_CONTEXT_TOKEN);
- assertPolicy(aim, SP11Constants.SC10_SECURITY_CONTEXT_TOKEN);
+ PolicyUtils.assertPolicy(aim, SP12Constants.REQUIRE_EXTERNAL_URI_REFERENCE);
+ PolicyUtils.assertPolicy(aim, SP12Constants.SC13_SECURITY_CONTEXT_TOKEN);
+ PolicyUtils.assertPolicy(aim, SP11Constants.SC10_SECURITY_CONTEXT_TOKEN);
if (!isTokenRequired(sctPolicy, message)) {
continue;
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
index c40bae3..7d7287a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -56,7 +57,7 @@ public class SignedEncryptedTokenPolicyValidator extends AbstractSupportingToken
List<WSSecurityEngineResult> encryptedResults
) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
setMessage(message);
setResults(results);
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
index da0640b..2d4f691 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -58,7 +59,7 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
List<WSSecurityEngineResult> encryptedResults
) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
setMessage(message);
setResults(results);
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
index 5262e7f..14ef12f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -57,7 +58,7 @@ public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingToken
List<WSSecurityEngineResult> encryptedResults
) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
setMessage(message);
setResults(results);
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
index b695b41..0727d19 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -54,7 +55,7 @@ public class SignedTokenPolicyValidator extends AbstractSupportingTokenPolicyVal
List<WSSecurityEngineResult> encryptedResults
) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
if (!ais.isEmpty()) {
setMessage(message);
setResults(results);
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
index 2501eba..cbaecbb 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
@@ -23,10 +23,10 @@ import java.util.Collection;
import java.util.List;
import org.w3c.dom.Element;
-
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.policy.SPConstants;
@@ -45,7 +45,8 @@ public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValida
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
if (!ais.isEmpty()) {
parsePolicies(aim, ais, message, soapBody, results, signedResults, encryptedResults);
}
@@ -104,42 +105,42 @@ public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValida
List<WSSecurityEngineResult> encryptedResults
) {
if (binding.getEncryptionToken() != null) {
- assertPolicy(aim, binding.getEncryptionToken());
+ PolicyUtils.assertPolicy(aim, binding.getEncryptionToken().getName());
if (!checkDerivedKeys(
binding.getEncryptionToken(), hasDerivedKeys, signedResults, encryptedResults
)) {
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
- assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
- assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
- assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
}
if (binding.getSignatureToken() != null) {
- assertPolicy(aim, binding.getSignatureToken());
+ PolicyUtils.assertPolicy(aim, binding.getSignatureToken().getName());
if (!checkDerivedKeys(
binding.getSignatureToken(), hasDerivedKeys, signedResults, encryptedResults
)) {
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
- assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
- assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
- assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
}
if (binding.getProtectionToken() != null) {
- assertPolicy(aim, binding.getProtectionToken());
+ PolicyUtils.assertPolicy(aim, binding.getProtectionToken().getName());
if (!checkDerivedKeys(
binding.getProtectionToken(), hasDerivedKeys, signedResults, encryptedResults
)) {
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
- assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
- assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
- assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
}
return true;
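Review bot: Passing `binding.getEncryptionToken().getName()` (and likewise for the signature and protection tokens) makes `PolicyUtils.assertPolicy(aim, QName)` mark every AssertionInfo registered under that QName as asserted, not only the token that belongs to this binding. The removed `assertPolicy(aim, token)` helper is not shown in this hunk; if it matched on the assertion instance, a same-named token elsewhere in the policy would now be marked satisfied without having been checked here. If the broadening is intended, a comment above each call should say so, for example `// Asserts every token assertion with this QName, not just this binding's token`. The same applies to `binding.getTransportToken().getName()` in the TransportBindingPolicyValidator section. The enclosing method starts and ends outside the hunk.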
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
index 963efca..cb4ccbb 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
@@ -23,12 +23,12 @@ import java.util.Collection;
import java.util.List;
import org.w3c.dom.Element;
-
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
@@ -48,15 +48,16 @@ public class TransportBindingPolicyValidator extends AbstractBindingPolicyValida
List<WSSecurityEngineResult> signedResults,
List<WSSecurityEngineResult> encryptedResults
) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
if (!ais.isEmpty()) {
parsePolicies(aim, ais, message, results, signedResults);
// We don't need to check these policies for the Transport binding
- assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
- assertPolicy(aim, SP11Constants.ENCRYPTED_PARTS);
- assertPolicy(aim, SP12Constants.SIGNED_PARTS);
- assertPolicy(aim, SP11Constants.SIGNED_PARTS);
+ PolicyUtils.assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
+ PolicyUtils.assertPolicy(aim, SP11Constants.ENCRYPTED_PARTS);
+ PolicyUtils.assertPolicy(aim, SP12Constants.SIGNED_PARTS);
+ PolicyUtils.assertPolicy(aim, SP11Constants.SIGNED_PARTS);
}
return true;
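Review bot: The four `PolicyUtils.assertPolicy` calls for `ENCRYPTED_PARTS` and `SIGNED_PARTS` run whenever a TransportBinding assertion exists, even if `parsePolicies` has just marked that binding as not asserted, and the comment above them does not say why skipping the check is safe. Presumably the reasoning is that the transport protects the whole message and the HttpsToken is checked elsewhere. The comment should state that, for example `// Parts are protected by the transport; the HttpsToken itself is validated by HttpsTokenInterceptorProvider`. The method starts outside the hunk.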
@@ -83,7 +84,7 @@ public class TransportBindingPolicyValidator extends AbstractBindingPolicyValida
// HttpsToken is validated by the HttpsTokenInterceptorProvider
if (binding.getTransportToken() != null) {
- assertPolicy(aim, binding.getTransportToken());
+ PolicyUtils.assertPolicy(aim, binding.getTransportToken().getName());
}
// Check the IncludeTimestamp
@@ -92,7 +93,7 @@ public class TransportBindingPolicyValidator extends AbstractBindingPolicyValida
ai.setNotAsserted(error);
continue;
}
- assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
+ PolicyUtils.assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
index 0133bb9..e642a9a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
@@ -24,10 +24,10 @@ import java.util.Collection;
import java.util.List;
import org.w3c.dom.Element;
-
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.message.token.UsernameToken;
@@ -51,16 +51,17 @@ public class UsernameTokenPolicyValidator
List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults
) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
if (!ais.isEmpty()) {
parsePolicies(ais, message, results);
- assertPolicy(aim, SP13Constants.CREATED);
- assertPolicy(aim, SP13Constants.NONCE);
- assertPolicy(aim, SPConstants.NO_PASSWORD);
- assertPolicy(aim, SPConstants.HASH_PASSWORD);
- assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
- assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
+ PolicyUtils.assertPolicy(aim, SP13Constants.CREATED);
+ PolicyUtils.assertPolicy(aim, SP13Constants.NONCE);
+ PolicyUtils.assertPolicy(aim, SPConstants.NO_PASSWORD);
+ PolicyUtils.assertPolicy(aim, SPConstants.HASH_PASSWORD);
+ PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
+ PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
}
return true;
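Review bot: The six nested assertions (`CREATED`, `NONCE`, `NO_PASSWORD`, `HASH_PASSWORD`, `USERNAME_TOKEN10`, `USERNAME_TOKEN11`) are marked asserted unconditionally after `parsePolicies`, so a failed password-type or nonce requirement is only visible on the parent UsernameToken AssertionInfo, assuming `parsePolicies` (not shown) sets it. Now that the calls go through a public static helper, a short comment would make that dependency explicit: `// Nested assertions are covered by the UsernameToken check in parsePolicies`. The WSS11PolicyValidator and X509TokenPolicyValidator hunks below follow the same pattern. The method starts outside the hunk.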
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
index bbaebf9..f163b81 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
@@ -23,11 +23,11 @@ import java.util.Collection;
import java.util.List;
import org.w3c.dom.Element;
-
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.util.WSSecurityUtil;
@@ -47,19 +47,20 @@ public class WSS11PolicyValidator
List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults
) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS11);
if (!ais.isEmpty()) {
parsePolicies(ais, message, results);
- assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_THUMBPRINT);
- assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY);
- assertPolicy(aim, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION);
+ PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_THUMBPRINT);
+ PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION);
// WSS 1.0
- assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
- assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
- assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
- assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
+ PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
+ PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
+ PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
+ PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
}
return true;
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
index 4759f27..dfc6a74 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
@@ -30,6 +30,7 @@ import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSecurityEngineResult;
@@ -59,21 +60,22 @@ public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator imple
List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults
) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
if (!ais.isEmpty()) {
parsePolicies(ais, message, signedResults, results);
- assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10);
- assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11);
- assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN10);
- assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN11);
- assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN10);
- assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN11);
+ PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10);
+ PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11);
+ PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN10);
+ PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN11);
+ PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN10);
+ PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN11);
- assertPolicy(aim, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE);
- assertPolicy(aim, SPConstants.REQUIRE_THUMBPRINT_REFERENCE);
- assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
- assertPolicy(aim, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_THUMBPRINT_REFERENCE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE);
}
return true;
[2/2] cxf git commit: An initial refactor about how policies are
asserted
Posted by co...@apache.org.
An initial refactor about how policies are asserted
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a2e5fae3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a2e5fae3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a2e5fae3
Branch: refs/heads/master
Commit: a2e5fae3a093965b75361210ef475abb9e6abf56
Parents: 08f376b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Sat Mar 14 12:43:35 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Sat Mar 14 12:43:35 2015 +0000
----------------------------------------------------------------------
.../cxf/ws/security/policy/PolicyUtils.java | 111 +++++++++++
.../HttpsTokenInterceptorProvider.java | 23 +--
.../IssuedTokenInterceptorProvider.java | 9 +-
.../KerberosTokenInterceptorProvider.java | 19 +-
.../policy/interceptors/NegotiationUtils.java | 90 +--------
.../SecureConversationInInterceptor.java | 25 +--
.../SecureConversationOutInterceptor.java | 7 +-
.../SecurityVerificationOutInterceptor.java | 17 +-
.../SpnegoContextTokenInInterceptor.java | 5 +-
.../SpnegoContextTokenOutInterceptor.java | 3 +-
.../wss4j/AbstractTokenInterceptor.java | 54 +-----
.../wss4j/AlgorithmSuiteTranslater.java | 78 +++-----
.../wss4j/KerberosTokenInterceptor.java | 5 +-
.../wss4j/PolicyBasedWSS4JInInterceptor.java | 67 +++----
.../wss4j/PolicyBasedWSS4JOutInterceptor.java | 189 +++++++++----------
.../ws/security/wss4j/SamlTokenInterceptor.java | 20 +-
.../wss4j/UsernameTokenInterceptor.java | 37 ++--
.../cxf/ws/security/wss4j/WSS4JUtils.java | 2 +-
.../policyhandlers/AbstractBindingBuilder.java | 19 +-
.../AbstractCommonBindingHandler.java | 58 +-----
.../AbstractStaxBindingHandler.java | 23 ++-
.../StaxTransportBindingHandler.java | 21 ++-
.../AbstractBindingPolicyValidator.java | 72 +------
.../AbstractTokenPolicyValidator.java | 52 -----
.../AlgorithmSuitePolicyValidator.java | 5 +-
.../AsymmetricBindingPolicyValidator.java | 21 ++-
.../ConcreteSupportingTokenPolicyValidator.java | 4 +-
.../EncryptedTokenPolicyValidator.java | 4 +-
.../EndorsingEncryptedTokenPolicyValidator.java | 3 +-
.../EndorsingTokenPolicyValidator.java | 3 +-
.../IssuedTokenPolicyValidator.java | 9 +-
.../KerberosTokenPolicyValidator.java | 14 +-
.../policyvalidators/LayoutPolicyValidator.java | 12 +-
.../SamlTokenPolicyValidator.java | 11 +-
.../SecurityContextTokenPolicyValidator.java | 10 +-
.../SignedEncryptedTokenPolicyValidator.java | 3 +-
...dEndorsingEncryptedTokenPolicyValidator.java | 3 +-
.../SignedEndorsingTokenPolicyValidator.java | 3 +-
.../SignedTokenPolicyValidator.java | 3 +-
.../SymmetricBindingPolicyValidator.java | 29 +--
.../TransportBindingPolicyValidator.java | 17 +-
.../UsernameTokenPolicyValidator.java | 17 +-
.../policyvalidators/WSS11PolicyValidator.java | 19 +-
.../X509TokenPolicyValidator.java | 24 +--
44 files changed, 519 insertions(+), 701 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
new file mode 100644
index 0000000..b8cf971
--- /dev/null
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
@@ -0,0 +1,111 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.policy;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+
+/**
+ * Some common functionality that can be shared for working with policies
+ */
+public final class PolicyUtils {
+
+ private PolicyUtils() {
+ // complete
+ }
+
+ public static Collection<AssertionInfo> getAllAssertionsByLocalname(
+ AssertionInfoMap aim, String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+ if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+ Collection<AssertionInfo> ais = new HashSet<>();
+ if (sp11Ais != null) {
+ ais.addAll(sp11Ais);
+ }
+ if (sp12Ais != null) {
+ ais.addAll(sp12Ais);
+ }
+ return ais;
+ }
+
+ return Collections.emptySet();
+ }
+
+ public static boolean assertPolicy(AssertionInfoMap aim, QName name) {
+ Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
+ if (ais != null && !ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return true;
+ }
+ return false;
+ }
+
+ public static boolean assertPolicy(AssertionInfoMap aim, String localname) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return true;
+ }
+ return false;
+ }
+
+ public static AssertionInfo getFirstAssertionByLocalname(
+ AssertionInfoMap aim, String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ if (sp11Ais != null && !sp11Ais.isEmpty()) {
+ return sp11Ais.iterator().next();
+ }
+
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+ if (sp12Ais != null && !sp12Ais.isEmpty()) {
+ return sp12Ais.iterator().next();
+ }
+
+ return null;
+ }
+
+ public static boolean isThereAnAssertionByLocalname(
+ AssertionInfoMap aim, String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+ if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+ return true;
+ }
+
+ return false;
+ }
+}
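Review bot: None of the public methods has Javadoc, and for `assertPolicy` the contract matters: both overloads call `setAsserted(true)` on every matching AssertionInfo without validating anything, so callers must invoke them only after the requirement has been verified or is deliberately not enforced. I would document that on both overloads, and state on `getAllAssertionsByLocalname` that it looks only in the SP11 and SP12 namespaces and never returns null. `isThereAnAssertionByLocalname` repeats the same lookup and could be `return !getAllAssertionsByLocalname(aim, localname).isEmpty();`. No method guards against a null `aim`, while several callers in this commit test `aim != null` first, so the precondition should be documented or handled.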
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
index 55bca22..5d6ebae 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
@@ -50,6 +50,7 @@ import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor;
import org.apache.neethi.Assertion;
import org.apache.wss4j.policy.SP11Constants;
@@ -127,7 +128,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -171,7 +172,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
}
};
message.put(MessageTrustDecider.class, trust);
- NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
}
if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpBasicAuthentication) {
List<String> auth = headers.get("Authorization");
@@ -179,7 +180,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
|| !auth.get(0).startsWith("Basic")) {
ai.setNotAsserted("HttpBasicAuthentication is set, but not being used");
} else {
- NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
+ PolicyUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
}
}
if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpDigestAuthentication) {
@@ -188,7 +189,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
|| !auth.get(0).startsWith("Digest")) {
ai.setNotAsserted("HttpDigestAuthentication is set, but not being used");
} else {
- NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
+ PolicyUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
}
}
} else {
@@ -213,7 +214,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
boolean requestor = isRequestor(message);
if (ais.isEmpty()) {
if (!requestor) {
@@ -252,9 +253,9 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
ai.setAsserted(true);
}
- NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
- NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
- NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
+ PolicyUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
+ PolicyUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
}
}
}
@@ -287,7 +288,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
new HttpsSecurityTokenImpl(true, policy.getUserName());
httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
- NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
+ PolicyUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
}
}
if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpDigestAuthentication) {
@@ -303,7 +304,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
new HttpsSecurityTokenImpl(false, policy.getUserName());
httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
- NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
+ PolicyUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
}
}
@@ -315,7 +316,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
|| tlsInfo.getPeerCertificates().length == 0) {
asserted = false;
} else {
- NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
index 20249be..5e5b0d1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
@@ -45,6 +45,7 @@ import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.trust.STSClient;
@@ -149,7 +150,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -196,7 +197,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
private Trust10 getTrust10(AssertionInfoMap aim) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
if (ais.isEmpty()) {
return null;
}
@@ -204,7 +205,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
}
private Trust13 getTrust13(AssertionInfoMap aim) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
if (ais.isEmpty()) {
return null;
}
@@ -550,7 +551,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
if (ais.isEmpty()) {
return;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
index 1907276..6083f66 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
@@ -43,6 +43,7 @@ import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.kerberos.KerberosClient;
import org.apache.cxf.ws.security.kerberos.KerberosUtils;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.wss4j.KerberosTokenInterceptor;
@@ -112,7 +113,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -150,8 +151,8 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
}
}
- NegotiationUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
- NegotiationUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
}
}
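Review bot: The assertion names `"WssKerberosV5ApReqToken11"` and `"WssGssKerberosV5ApReqToken11"` are passed as string literals, while the other calls in this commit use constants; a typo would make `assertPolicy` quietly return false and leave the assertion unasserted. Since the lines are touched anyway, I would hoist them into two `private static final String` constants in this class and use those in all three places (this hunk and the two later hunks in this file). The enclosing method starts outside the hunk.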
@@ -172,7 +173,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
MessageUtils.isTrue(message.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY));
if (aim != null && !enableStax) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -189,8 +190,8 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
}
}
- NegotiationUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
- NegotiationUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
}
}
@@ -252,7 +253,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
MessageUtils.isTrue(message.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY));
if (aim != null && enableStax) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -275,8 +276,8 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
}
}
- NegotiationUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
- NegotiationUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
index 68c05b8..5283822 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
@@ -20,12 +20,9 @@
package org.apache.cxf.ws.security.policy.interceptors;
import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
import java.util.List;
import javax.security.auth.callback.CallbackHandler;
-import javax.xml.namespace.QName;
import org.apache.cxf.Bus;
import org.apache.cxf.binding.soap.SoapMessage;
@@ -49,6 +46,7 @@ import org.apache.cxf.ws.policy.EndpointPolicy;
import org.apache.cxf.ws.policy.PolicyEngine;
import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.trust.STSUtils;
@@ -62,8 +60,6 @@ import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.SecurityContextToken;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractBinding;
import org.apache.wss4j.policy.model.AlgorithmSuite;
@@ -83,7 +79,7 @@ final class NegotiationUtils {
}
static Trust10 getTrust10(AssertionInfoMap aim) {
- AssertionInfo ai = getFirstAssertionByLocalname(aim, SPConstants.TRUST_10);
+ AssertionInfo ai = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRUST_10);
if (ai == null) {
return null;
}
@@ -91,7 +87,7 @@ final class NegotiationUtils {
}
static Trust13 getTrust13(AssertionInfoMap aim) {
- AssertionInfo ai = getFirstAssertionByLocalname(aim, SPConstants.TRUST_13);
+ AssertionInfo ai = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRUST_13);
if (ai == null) {
return null;
}
@@ -133,19 +129,19 @@ final class NegotiationUtils {
static AlgorithmSuite getAlgorithmSuite(AssertionInfoMap aim) {
AbstractBinding transport = null;
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
transport = (AbstractBinding)ai.getAssertion();
}
} else {
- ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
transport = (AbstractBinding)ai.getAssertion();
}
} else {
- ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
transport = (AbstractBinding)ai.getAssertion();
@@ -303,78 +299,4 @@ final class NegotiationUtils {
return handler;
}
- static boolean assertPolicy(AssertionInfoMap aim, QName name) {
- Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
- if (ais != null && !ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- return true;
- }
- return false;
- }
-
- static boolean assertPolicy(AssertionInfoMap aim, String localname) {
- Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, localname);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- return true;
- }
- return false;
- }
-
- static Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
-
- static AssertionInfo getFirstAssertionByLocalname(
- AssertionInfoMap aim, String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- if (sp11Ais != null && !sp11Ais.isEmpty()) {
- return sp11Ais.iterator().next();
- }
-
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
- if (sp12Ais != null && !sp12Ais.isEmpty()) {
- return sp12Ais.iterator().next();
- }
-
- return null;
- }
-
- static boolean isThereAnAssertionByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- return true;
- }
-
- return false;
- }
-
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
index b70f13a..ada01ef 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
@@ -47,6 +47,7 @@ import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider.HttpsTokenInInterceptor;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
@@ -84,15 +85,15 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
}
private AbstractBinding getBinding(AssertionInfoMap aim) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
if (!ais.isEmpty()) {
return (AbstractBinding)ais.iterator().next().getAssertion();
}
- ais = NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
if (!ais.isEmpty()) {
return (AbstractBinding)ais.iterator().next().getAssertion();
}
- ais = NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
if (!ais.isEmpty()) {
return (AbstractBinding)ais.iterator().next().getAssertion();
}
@@ -104,7 +105,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
// extract Assertion information
if (aim != null) {
final Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -255,7 +256,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
private SignedParts getSignedParts(AssertionInfoMap aim, String addNs) {
Collection<AssertionInfo> signedPartsAis =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
SignedParts signedParts = null;
if (!signedPartsAis.isEmpty()) {
signedParts = (SignedParts)signedPartsAis.iterator().next().getAssertion();
@@ -279,16 +280,16 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
}
private void assertPolicies(AssertionInfoMap aim) {
- NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
- NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_AMEND);
- NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_CANCEL);
- NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_RENEW);
+ PolicyUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
+ PolicyUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_AMEND);
+ PolicyUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_CANCEL);
+ PolicyUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_RENEW);
QName oldCancelQName =
new QName(
"http://schemas.microsoft.com/ws/2005/07/securitypolicy",
SPConstants.MUST_NOT_SEND_CANCEL
);
- NegotiationUtils.assertPolicy(aim, oldCancelQName);
+ PolicyUtils.assertPolicy(aim, oldCancelQName);
}
private void unmapSecurityProps(Message message) {
@@ -473,7 +474,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -507,7 +508,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
return;
}
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
if (ais.isEmpty()) {
return;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
index cf67507..ee84f92 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
@@ -36,6 +36,7 @@ import org.apache.cxf.ws.addressing.AddressingProperties;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider.IssuedTokenOutInterceptor;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
@@ -61,7 +62,7 @@ class SecureConversationOutInterceptor extends AbstractPhaseInterceptor<SoapMess
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -92,13 +93,13 @@ class SecureConversationOutInterceptor extends AbstractPhaseInterceptor<SoapMess
message.getExchange().put(SecurityConstants.TOKEN, tok);
NegotiationUtils.getTokenStore(message).add(tok);
}
- NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
+ PolicyUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
} else {
//server side should be checked on the way in
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
}
- NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
+ PolicyUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
}
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
index fe51e30..ff0bb03 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
@@ -31,6 +31,7 @@ import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
@@ -77,38 +78,38 @@ public class SecurityVerificationOutInterceptor extends AbstractPhaseInterceptor
private boolean isThereASecurityBinding(AssertionInfoMap aim) {
return
- NegotiationUtils.isThereAnAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING)
- || NegotiationUtils.isThereAnAssertionByLocalname(aim, SPConstants.ASYMMETRIC_BINDING)
- || NegotiationUtils.isThereAnAssertionByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ PolicyUtils.isThereAnAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING)
+ || PolicyUtils.isThereAnAssertionByLocalname(aim, SPConstants.ASYMMETRIC_BINDING)
+ || PolicyUtils.isThereAnAssertionByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
}
private AssertionInfo getSecuredPart(AssertionInfoMap aim) {
Collection<AssertionInfo> assertions =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
if (!assertions.isEmpty()) {
return assertions.iterator().next();
}
assertions =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
if (!assertions.isEmpty()) {
return assertions.iterator().next();
}
assertions =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
if (!assertions.isEmpty()) {
return assertions.iterator().next();
}
assertions =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
if (!assertions.isEmpty()) {
return assertions.iterator().next();
}
assertions =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
if (!assertions.isEmpty()) {
return assertions.iterator().next();
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
index 632ddea..e0be4e5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
@@ -42,6 +42,7 @@ import org.apache.cxf.ws.addressing.JAXWSAConstants;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider.HttpsTokenInInterceptor;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
@@ -74,7 +75,7 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -375,7 +376,7 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
if (ais.isEmpty()) {
return;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
index 6daca9d..cdbac47 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
@@ -32,6 +32,7 @@ import org.apache.cxf.ws.addressing.AddressingProperties;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.STSUtils;
@@ -52,7 +53,7 @@ class SpnegoContextTokenOutInterceptor extends AbstractPhaseInterceptor<SoapMess
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
if (ais.isEmpty()) {
return;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
index c943b79..4895e68 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
@@ -21,7 +21,6 @@ package org.apache.cxf.ws.security.wss4j;
import java.util.Collection;
import java.util.Collections;
-import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;
@@ -30,7 +29,6 @@ import javax.xml.namespace.QName;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-
import org.apache.cxf.binding.soap.SoapHeader;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
@@ -49,11 +47,10 @@ import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.dom.WSConstants;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -118,62 +115,19 @@ public abstract class AbstractTokenInterceptor extends AbstractSoapInterceptor {
protected abstract AbstractToken assertTokens(SoapMessage message);
- protected boolean assertPolicy(AssertionInfoMap aim, String localname) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- return true;
- }
- return false;
- }
-
- protected boolean assertPolicy(AssertionInfoMap aim, QName name) {
- Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
- if (ais != null && !ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- return true;
- }
- return false;
- }
-
- protected Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
-
protected AbstractToken assertTokens(SoapMessage message, String localname, boolean signed) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+ Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, localname);
AbstractToken tok = null;
for (AssertionInfo ai : ais) {
tok = (AbstractToken)ai.getAssertion();
ai.setAsserted(true);
}
- assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
+ PolicyUtils.assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
if (signed || isTLSInUse(message)) {
- assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+ PolicyUtils.assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
}
return tok;
}
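Review bot: Removing the protected `assertPolicy(AssertionInfoMap, String)`, `assertPolicy(AssertionInfoMap, QName)` and `getAllAssertionsByLocalname` from this public abstract class breaks any subclass outside the tree that still calls them. The in-tree subclasses touched by this commit are migrated, but third-party token interceptors extending AbstractTokenInterceptor would stop compiling. Consider keeping the methods for one release as deprecated delegates, e.g. `@Deprecated protected boolean assertPolicy(AssertionInfoMap aim, String localname) { return PolicyUtils.assertPolicy(aim, localname); }`. The rest of the class lies outside this hunk.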
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
index aef7915..fac455b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
@@ -21,20 +21,15 @@ package org.apache.cxf.ws.security.wss4j;
import java.util.ArrayList;
import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
import java.util.List;
-import javax.xml.namespace.QName;
-
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.crypto.AlgorithmSuite;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.handler.RequestData;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractBinding;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
@@ -62,14 +57,14 @@ public final class AlgorithmSuiteTranslater {
}
// Now look for an AlgorithmSuite for a SAML Assertion
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
if (!ais.isEmpty()) {
- List<org.apache.wss4j.policy.model.AlgorithmSuite> samlAlgorithmSuites
- = new ArrayList<org.apache.wss4j.policy.model.AlgorithmSuite>();
+ List<org.apache.wss4j.policy.model.AlgorithmSuite> samlAlgorithmSuites = new ArrayList<>();
for (AssertionInfo ai : ais) {
SamlToken samlToken = (SamlToken)ai.getAssertion();
AbstractSecurityAssertion parentAssertion = samlToken.getParentAssertion();
- if ((parentAssertion instanceof SupportingTokens)
+ if (parentAssertion instanceof SupportingTokens
&& ((SupportingTokens)parentAssertion).getAlgorithmSuite() != null) {
samlAlgorithmSuites.add(((SupportingTokens)parentAssertion).getAlgorithmSuite());
}
@@ -89,8 +84,7 @@ public final class AlgorithmSuiteTranslater {
) {
AlgorithmSuite algorithmSuite = null;
- for (org.apache.wss4j.policy.model.AlgorithmSuite cxfAlgorithmSuite
- : algorithmSuites) {
+ for (org.apache.wss4j.policy.model.AlgorithmSuite cxfAlgorithmSuite : algorithmSuites) {
if (cxfAlgorithmSuite == null) {
continue;
}
@@ -151,28 +145,28 @@ public final class AlgorithmSuiteTranslater {
* Get all of the WS-SecurityPolicy Bindings that are in operation
*/
private List<AbstractBinding> getBindings(AssertionInfoMap aim) {
- List<AbstractBinding> bindings = new ArrayList<AbstractBinding>();
- if (aim != null) {
- Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- bindings.add((AbstractBinding)ai.getAssertion());
- }
+ List<AbstractBinding> bindings = new ArrayList<>();
+
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ bindings.add((AbstractBinding)ai.getAssertion());
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- bindings.add((AbstractBinding)ai.getAssertion());
- }
+ }
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ bindings.add((AbstractBinding)ai.getAssertion());
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- bindings.add((AbstractBinding)ai.getAssertion());
- }
+ }
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ bindings.add((AbstractBinding)ai.getAssertion());
}
}
+
return bindings;
}
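Review bot: `getBindings` no longer guards against a null `aim`: the `if (aim != null)` wrapper is dropped and `aim` now goes straight into `PolicyUtils.getAllAssertionsByLocalname`. The private helper this commit removes at the end of the class dereferenced `aim` without a check, so if PolicyUtils kept that body (it is not shown here), a message with no AssertionInfoMap would throw a NullPointerException instead of yielding an empty binding list. Either restore the guard with `if (aim == null) { return bindings; }` right after the list is created, or document on PolicyUtils that null is accepted. The caller of `getBindings` is outside this hunk and may already check, so this should be confirmed against it.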
@@ -182,8 +176,7 @@ public final class AlgorithmSuiteTranslater {
private List<org.apache.wss4j.policy.model.AlgorithmSuite> getAlgorithmSuites(
List<AbstractBinding> bindings
) {
- List<org.apache.wss4j.policy.model.AlgorithmSuite> algorithmSuites =
- new ArrayList<org.apache.wss4j.policy.model.AlgorithmSuite>();
+ List<org.apache.wss4j.policy.model.AlgorithmSuite> algorithmSuites = new ArrayList<>();
for (AbstractBinding binding : bindings) {
if (binding.getAlgorithmSuite() != null) {
algorithmSuites.add(binding.getAlgorithmSuite());
@@ -192,25 +185,4 @@ public final class AlgorithmSuiteTranslater {
return algorithmSuites;
}
- private Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
-
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
index 5900c10..de83d7b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
@@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.wss4j;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -38,8 +39,8 @@ public class KerberosTokenInterceptor extends BinarySecurityTokenInterceptor {
protected AbstractToken assertTokens(SoapMessage message) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- assertPolicy(aim, "WssKerberosV5ApReqToken11");
- assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
return assertTokens(message, SPConstants.KERBEROS_TOKEN, false);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 116e2a0..abeb41c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -23,7 +23,6 @@ import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
-import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
@@ -56,6 +55,7 @@ import org.apache.cxf.service.model.EndpointInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
@@ -133,7 +133,8 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
private void handleWSS11(AssertionInfoMap aim, SoapMessage message) {
if (isRequestor(message)) {
message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "false");
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS11);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
Wss11 wss11 = (Wss11)ai.getAssertion();
@@ -168,7 +169,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
}
private boolean assertPolicy(AssertionInfoMap aim, String localname) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+ Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, localname);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
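Review bot: The private `assertPolicy(aim, localname)` kept in this class now sits alongside `PolicyUtils.assertPolicy`, which this same commit calls from KerberosTokenInterceptor and SamlTokenInterceptor, so the class still carries its own copy of the assert-by-local-name loop. If the utility performs the same lookup and `setAsserted(true)` (its body is not visible here), calls such as `assertPolicy(aim, SPConstants.RSA_KEY_VALUE);` could become `PolicyUtils.assertPolicy(aim, SPConstants.RSA_KEY_VALUE);` and the private method could be dropped. If the boolean result is still needed somewhere in the class, a short comment such as `// kept locally: callers need the boolean result` would stop the two versions from drifting apart. The method's closing lines fall in the next hunk.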
@@ -178,32 +179,11 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
return false;
}
- private Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
-
private String checkAsymmetricBinding(
AssertionInfoMap aim, String action, SoapMessage message, RequestData data
) throws WSSecurityException {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
if (ais.isEmpty()) {
return action;
}
@@ -289,7 +269,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
if (aim != null) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
if (!ais.isEmpty()) {
return true;
@@ -307,7 +287,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
if (aim != null) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.INCLUDE_TIMESTAMP);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.INCLUDE_TIMESTAMP);
if (!ais.isEmpty()) {
return true;
@@ -325,7 +305,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
if (aim != null) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
if (!ais.isEmpty()) {
return true;
@@ -339,7 +319,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
AssertionInfoMap aim, SoapMessage message
) throws WSSecurityException {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
@@ -355,7 +335,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
AssertionInfoMap aim, String action, SoapMessage message, RequestData data
) throws WSSecurityException {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
if (ais.isEmpty()) {
return action;
}
@@ -505,7 +485,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
CoverageType type,
CoverageScope scope,
final XPath xpath) throws SOAPException {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, name);
+ Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, name);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
@@ -548,7 +528,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
Element soapHeader,
Element soapBody,
CoverageType type) throws SOAPException {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, name);
+ Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, name);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
@@ -654,7 +634,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
assertPolicy(aim, SPConstants.RSA_KEY_VALUE);
// WSS10
- ais = getAllAssertionsByLocalname(aim, SPConstants.WSS10);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS10);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
@@ -666,7 +646,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
}
// Trust 1.0
- ais = getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
boolean trust10Asserted = false;
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
@@ -681,7 +661,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
}
// Trust 1.3
- ais = getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
@@ -973,7 +953,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
private boolean assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, Node header)
throws SOAPException {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);
+ Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
RequiredParts rp = (RequiredParts)ai.getAssertion();
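Review bot: The rewritten first statement of `assertHeadersExists` is left on one line, although the commit wraps the nearly identical and equally long statements in `handleWSS11` and `containsXPathPolicy`. Once the method-body indentation is added, this line probably exceeds the project's line-length limit, though the indentation is not recoverable from this view. For consistency, split it the same way: `Collection<AssertionInfo> ais =` followed by `PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);`. The method body continues past the end of this hunk.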
@@ -988,7 +968,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
}
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_ELEMENTS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_ELEMENTS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
RequiredElements rp = (RequiredElements)ai.getAssertion();
@@ -1025,17 +1005,17 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
private boolean isTransportBinding(AssertionInfoMap aim, SoapMessage message) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
if (ais.size() > 0) {
return false;
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
if (ais.size() > 0) {
return false;
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
if (ais.size() > 0) {
return true;
}
@@ -1055,15 +1035,16 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
}
private boolean containsXPathPolicy(AssertionInfoMap aim) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
if (ais.size() > 0) {
return true;
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
if (ais.size() > 0) {
return true;
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
if (ais.size() > 0) {
return true;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
index 54faf7e..b73cd6c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
@@ -21,16 +21,13 @@ package org.apache.cxf.ws.security.wss4j;
import java.security.Provider;
import java.util.Collection;
import java.util.Collections;
-import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;
-import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import org.w3c.dom.Element;
-
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
@@ -45,6 +42,7 @@ import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler;
import org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler;
import org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler;
@@ -54,8 +52,6 @@ import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSSConfig;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.message.WSSecHeader;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractBinding;
import org.apache.wss4j.policy.model.AsymmetricBinding;
@@ -120,6 +116,11 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
}
private void handleMessageInternal(SoapMessage message) throws Fault {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ if (aim == null) {
+ // no policies available
+ return;
+ }
SOAPMessage saaj = message.getContent(SOAPMessage.class);
boolean mustUnderstand =
@@ -128,91 +129,100 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
);
String actor = (String)message.getContextualProperty(SecurityConstants.ACTOR);
- AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
- if (aim != null) {
- AbstractBinding transport = null;
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- transport = (AbstractBinding)ai.getAssertion();
- ai.setAsserted(true);
- }
+ AbstractBinding binding = getSecurityBinding(aim);
+
+ if (binding == null && isRequestor(message)) {
+ Policy policy = new Policy();
+ binding = new TransportBinding(org.apache.wss4j.policy.SPConstants.SPVersion.SP11,
+ policy);
+ }
+
+ if (binding != null) {
+ WSSecHeader secHeader = new WSSecHeader(actor, mustUnderstand);
+ Element el = null;
+ try {
+ el = secHeader.insertSecurityHeader(saaj.getSOAPPart());
+ } catch (WSSecurityException e) {
+ throw new SoapFault(
+ new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
+ );
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- transport = (AbstractBinding)ai.getAssertion();
- ai.setAsserted(true);
- }
+ try {
+ //move to end
+ SAAJUtils.getHeader(saaj).removeChild(el);
+ SAAJUtils.getHeader(saaj).appendChild(el);
+ } catch (SOAPException e) {
+ //ignore
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- transport = (AbstractBinding)ai.getAssertion();
- ai.setAsserted(true);
- }
+
+ WSSConfig config = (WSSConfig)message.getContextualProperty(WSSConfig.class.getName());
+ if (config == null) {
+ config = WSSConfig.getNewInstance();
}
+ translateProperties(message);
- if (transport == null && isRequestor(message)) {
- Policy policy = new Policy();
- transport = new TransportBinding(org.apache.wss4j.policy.SPConstants.SPVersion.SP11,
- policy);
+ String asymSignatureAlgorithm =
+ (String)message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
+ if (asymSignatureAlgorithm != null && binding.getAlgorithmSuite() != null) {
+ binding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
}
-
- if (transport != null) {
- WSSecHeader secHeader = new WSSecHeader(actor, mustUnderstand);
- Element el = null;
- try {
- el = secHeader.insertSecurityHeader(saaj.getSOAPPart());
- } catch (WSSecurityException e) {
- throw new SoapFault(
- new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
- );
- }
- try {
- //move to end
- SAAJUtils.getHeader(saaj).removeChild(el);
- SAAJUtils.getHeader(saaj).appendChild(el);
- } catch (SOAPException e) {
- //ignore
- }
-
- WSSConfig config = (WSSConfig)message.getContextualProperty(WSSConfig.class.getName());
- if (config == null) {
- config = WSSConfig.getNewInstance();
- }
- translateProperties(message);
-
- String asymSignatureAlgorithm =
- (String)message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
- if (asymSignatureAlgorithm != null && transport.getAlgorithmSuite() != null) {
- transport.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
- }
- try {
- if (transport instanceof TransportBinding) {
- new TransportBindingHandler(config, (TransportBinding)transport, saaj,
- secHeader, aim, message).handleBinding();
- } else if (transport instanceof SymmetricBinding) {
- new SymmetricBindingHandler(config, (SymmetricBinding)transport, saaj,
- secHeader, aim, message).handleBinding();
- } else {
- new AsymmetricBindingHandler(config, (AsymmetricBinding)transport, saaj,
- secHeader, aim, message).handleBinding();
- }
- } catch (SOAPException e) {
- throw new SoapFault(
- new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
- );
- }
-
- if (el.getFirstChild() == null) {
- el.getParentNode().removeChild(el);
+ try {
+ if (binding instanceof TransportBinding) {
+ new TransportBindingHandler(config, (TransportBinding)binding, saaj,
+ secHeader, aim, message).handleBinding();
+ } else if (binding instanceof SymmetricBinding) {
+ new SymmetricBindingHandler(config, (SymmetricBinding)binding, saaj,
+ secHeader, aim, message).handleBinding();
+ } else {
+ new AsymmetricBindingHandler(config, (AsymmetricBinding)binding, saaj,
+ secHeader, aim, message).handleBinding();
}
+ } catch (SOAPException e) {
+ throw new SoapFault(
+ new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
+ );
+ }
+
+ if (el.getFirstChild() == null) {
+ el.getParentNode().removeChild(el);
+ }
+ }
+
+ }
+
+ private AbstractBinding getSecurityBinding(AssertionInfoMap aim) {
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ if (!ais.isEmpty()) {
+ AbstractBinding binding = null;
+ for (AssertionInfo ai : ais) {
+ binding = (AbstractBinding)ai.getAssertion();
+ ai.setAsserted(true);
+ }
+ return binding;
+ }
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
+ AbstractBinding binding = null;
+ for (AssertionInfo ai : ais) {
+ binding = (AbstractBinding)ai.getAssertion();
+ ai.setAsserted(true);
+ }
+ return binding;
+ }
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
+ AbstractBinding binding = null;
+ for (AssertionInfo ai : ais) {
+ binding = (AbstractBinding)ai.getAssertion();
+ ai.setAsserted(true);
}
+ return binding;
}
+ return null;
}
public Set<String> getAfter() {
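Review bot: `getSecurityBinding` returns as soon as one binding kind is found, which is not what the removed block did: the old code visited transport, asymmetric and symmetric in turn, marked every match asserted and kept the last one. With an assertion map that holds more than one binding kind, the new code selects the transport binding and leaves the asymmetric and symmetric assertions unasserted. Both the handler chosen and the resulting assertion state therefore change, in a commit described as a refactor. If the new precedence is intended, state it on the method, e.g. `// Precedence: transport, then asymmetric, then symmetric; only the selected kind is marked asserted.`, and cover a multi-binding policy with a test. Within one kind the loop still marks every AssertionInfo asserted while only the last assertion is applied, which is worth noting in the same comment.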
@@ -247,26 +257,5 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
msg.put(WSHandlerConstants.IS_BSP_COMPLIANT, bspCompliant);
}
}
-
- private Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
index ec2e51d..0d128d8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
@@ -44,6 +44,7 @@ import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.ext.WSPasswordCallback;
@@ -113,7 +114,8 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
// Check version against policy
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- for (AssertionInfo ai : getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
+ for (AssertionInfo ai
+ : PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
SamlToken samlToken = (SamlToken)ai.getAssertion();
for (WSSecurityEngineResult result : samlResults) {
SamlAssertionWrapper assertionWrapper =
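Review bot: `aim` comes straight from `message.get(AssertionInfoMap.class)` and is passed to `PolicyUtils.getAllAssertionsByLocalname` without a null check. By contrast, the USERNAME_TOKEN, INCLUDE_TIMESTAMP and SAML_TOKEN lookups in PolicyBasedWSS4JInInterceptor sit inside `if (aim != null)`, and this commit adds an explicit `aim == null` return to PolicyBasedWSS4JOutInterceptor. The private copies of the helper removed in this commit call `aim.get(...)` directly, so if PolicyUtils keeps that body, a message without an assertion map would fail here with a NullPointerException rather than a controlled fault. Either guard the loop with `if (aim != null) {` or document on PolicyUtils that the map must be non-null. The same pattern appears in the later hunk of this file that looks up `SPConstants.SAML_TOKEN` when `wrapper == null`; the enclosing method starts outside this hunk.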
@@ -175,9 +177,9 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
protected AbstractToken assertTokens(SoapMessage message) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- assertPolicy(aim, "WssSamlV11Token10");
- assertPolicy(aim, "WssSamlV11Token11");
- assertPolicy(aim, "WssSamlV20Token11");
+ PolicyUtils.assertPolicy(aim, "WssSamlV11Token10");
+ PolicyUtils.assertPolicy(aim, "WssSamlV11Token11");
+ PolicyUtils.assertPolicy(aim, "WssSamlV20Token11");
return assertTokens(message, SPConstants.SAML_TOKEN, true);
}
@@ -191,7 +193,7 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
if (wrapper == null) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
for (AssertionInfo ai : ais) {
if (ai.isAsserted()) {
ai.setAsserted(false);
@@ -236,12 +238,12 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
SamlTokenType tokenType = token.getSamlTokenType();
if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) {
samlCallback.setSamlVersion(Version.SAML_11);
- assertPolicy(aim, "WssSamlV11Token10");
- assertPolicy(aim, "WssSamlV11Token11");
+ PolicyUtils.assertPolicy(aim, "WssSamlV11Token10");
+ PolicyUtils.assertPolicy(aim, "WssSamlV11Token11");
} else if (tokenType == SamlTokenType.WssSamlV20Token11) {
samlCallback.setSamlVersion(Version.SAML_20);
- assertPolicy(aim, "WssSamlV20Token11");
+ PolicyUtils.assertPolicy(aim, "WssSamlV20Token11");
}
SAMLUtil.doSAMLCallback(handler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
@@ -324,7 +326,7 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
&& assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) {
return false;
}
- assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), tokenType.name()));
+ PolicyUtils.assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), tokenType.name()));
return true;
}