Posted to commits@cxf.apache.org by co...@apache.org on 2011/11/10 15:25:08 UTC
svn commit: r1200342 - in /cxf/branches/2.4.x-fixes:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/
systests/ws-security/src/test/java/org/apache/cxf/systes...
Author: coheigea
Date: Thu Nov 10 14:25:08 2011
New Revision: 1200342
URL: http://svn.apache.org/viewvc?rev=1200342&view=rev
Log:
Abstracted most of the supporting token policy validation code in CXF into a common abstract class.
Added support for SignedEndorsingSupportingToken policy validation.
Added some tests for SignedEndorsingSupportingToken policy validation in CXF.
Added:
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
- copied, changed from r1200196, cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
Removed:
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SupportingTokenPolicyValidator.java
Modified:
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1200342&r1=1200341&r2=1200342&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Thu Nov 10 14:25:08 2011
@@ -75,7 +75,8 @@ import org.apache.cxf.ws.security.wss4j.
import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SupportingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
@@ -569,21 +570,24 @@ public class PolicyBasedWSS4JInIntercept
new SecurityContextTokenPolicyValidator(msg, results);
sctValidator.validatePolicy(aim);
- SupportingTokenPolicyValidator suppValidator =
- new SupportingTokenPolicyValidator(msg, results, signedResults);
+ SignedTokenPolicyValidator suppValidator =
+ new SignedTokenPolicyValidator(msg, results, signedResults);
suppValidator.setValidateUsernameToken(utWithCallbacks);
suppValidator.validatePolicy(aim);
EndorsingTokenPolicyValidator endorsingValidator =
- new EndorsingTokenPolicyValidator(results, signedResults, msg);
+ new EndorsingTokenPolicyValidator(msg, results, signedResults);
endorsingValidator.validatePolicy(aim);
+ SignedEndorsingTokenPolicyValidator signedEdorsingValidator =
+ new SignedEndorsingTokenPolicyValidator(msg, results, signedResults);
+ signedEdorsingValidator.validatePolicy(aim);
+
//REVISIT - probably can verify some of these like if UT is encrypted and/or signed, etc...
assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
if (hasEndorsement || isRequestor(msg)) {
- assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
}
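Review bot: The new local introduced at `SignedEndorsingTokenPolicyValidator signedEdorsingValidator =` is misspelled; rename it `signedEndorsingValidator` on both the declaration and the `validatePolicy(aim)` call. As with the existing validators in this block, the boolean returned by `validatePolicy(aim)` is discarded, presumably because the not-asserted state it records on the AssertionInfo is what is checked later; if so, a one-line comment above the first validator call saying that would save the next reader from wondering whether the results are lost. The enclosing method starts and ends outside the hunk.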
Copied: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java (from r1200196, cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java)
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java?p2=cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java&p1=cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java&r1=1200196&r2=1200342&rev=1200342&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java Thu Nov 10 14:25:08 2011
@@ -22,7 +22,6 @@ package org.apache.cxf.ws.security.wss4j
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
-import java.util.Collection;
import java.util.List;
import javax.xml.namespace.QName;
@@ -32,15 +31,6 @@ import org.w3c.dom.Element;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
-import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.X509Token;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngine;
@@ -53,30 +43,43 @@ import org.apache.ws.security.message.to
import org.apache.ws.security.util.WSSecurityUtil;
/**
- * Validate an EndorsingSupportingToken policy.
+ * A base class to use to validate various SupportingToken policies.
*/
-public class EndorsingTokenPolicyValidator extends AbstractTokenPolicyValidator {
+public abstract class AbstractSupportingTokenPolicyValidator extends AbstractTokenPolicyValidator {
- private List<WSSecurityEngineResult> results;
- private List<WSSecurityEngineResult> signedResults;
- private Message message;
- private Element timestamp;
- private boolean tls;
-
- public EndorsingTokenPolicyValidator(
+ protected Message message;
+ protected List<WSSecurityEngineResult> results;
+ protected List<WSSecurityEngineResult> signedResults;
+ protected List<WSSecurityEngineResult> encryptedResults;
+ protected boolean tls;
+ protected boolean validateUsernameToken = true;
+ protected Element timestamp;
+
+ public AbstractSupportingTokenPolicyValidator(
+ Message message,
List<WSSecurityEngineResult> results,
- List<WSSecurityEngineResult> signedResults,
- Message message
+ List<WSSecurityEngineResult> signedResults
) {
+ this.message = message;
this.results = results;
this.signedResults = signedResults;
- this.message = message;
- WSSecurityEngineResult result = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
- if (result != null) {
- Timestamp ts = (Timestamp)result.get(WSSecurityEngineResult.TAG_TIMESTAMP);
+
+ // Store the timestamp element
+ WSSecurityEngineResult tsResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
+ if (tsResult != null) {
+ Timestamp ts = (Timestamp)tsResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
timestamp = ts.getElement();
}
+ // Store the encryption results
+ encryptedResults = new ArrayList<WSSecurityEngineResult>();
+ for (WSSecurityEngineResult result : results) {
+ Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == WSConstants.ENCR) {
+ encryptedResults.add(result);
+ }
+ }
+
// See whether TLS is in use or not
TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
if (tlsInfo != null) {
@@ -84,60 +87,62 @@ public class EndorsingTokenPolicyValidat
}
}
- public boolean validatePolicy(
- AssertionInfoMap aim
- ) {
- Collection<AssertionInfo> endorsingAis = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
- if (endorsingAis != null && !endorsingAis.isEmpty()) {
- for (AssertionInfo ai : endorsingAis) {
- SupportingToken binding = (SupportingToken)ai.getAssertion();
- if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENDORSING != binding.getTokenType()) {
- continue;
- }
- ai.setAsserted(true);
-
- List<Token> tokens = binding.getTokens();
- for (Token token : tokens) {
- if (!isTokenRequired(token, message)) {
- continue;
- }
- boolean derived = token.isDerivedKeys();
- if (token instanceof KerberosToken && !processKerberosTokens(derived)) {
- ai.setNotAsserted(
- "The received token does not match the supporting token requirement"
- );
- return false;
- } else if (token instanceof X509Token && !processX509Tokens(derived)) {
- ai.setNotAsserted(
- "The received token does not match the supporting token requirement"
- );
- return false;
- } else if (token instanceof SecurityContextToken && !processSCTokens(derived)) {
- ai.setNotAsserted(
- "The received token does not match the supporting token requirement"
- );
- return false;
- }
- }
- }
+ public void setValidateUsernameToken(boolean validateUsernameToken) {
+ this.validateUsernameToken = validateUsernameToken;
+ }
+
+ /**
+ * Process UsernameTokens. Only SignedSupportingTokens are currently enforced.
+ */
+ protected boolean processUsernameTokens(boolean signed, boolean endorsed, boolean derived) {
+ if (!validateUsernameToken) {
+ return true;
}
+ List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, tokenResults);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, tokenResults);
- return true;
+ if (tokenResults.isEmpty()) {
+ return false;
+ }
+
+ return areTokensSigned(tokenResults);
}
- private boolean processKerberosTokens(boolean derived) {
+
+ /**
+ * Process SAML Tokens. Only SignedSupportingTokens are currently enforced.
+ */
+ protected boolean processSAMLTokens(boolean signed, boolean endorsed, boolean derived) {
List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, tokenResults);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, tokenResults);
+
+ if (tokenResults.isEmpty()) {
+ return false;
+ }
+
+ return areTokensSigned(tokenResults);
+ }
+
+
+ /**
+ * Process Kerberos Tokens.
+ */
+ protected boolean processKerberosTokens(boolean signed, boolean endorsed, boolean derived) {
+ List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
+ List<WSSecurityEngineResult> dktResults = new ArrayList<WSSecurityEngineResult>();
for (WSSecurityEngineResult wser : results) {
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
if (actInt.intValue() == WSConstants.BST) {
BinarySecurity binarySecurity =
(BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof KerberosSecurity) {
- if (derived) {
+ if (endorsed && derived) {
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
if (dktResult != null) {
- tokenResults.add(dktResult);
+ dktResults.add(dktResult);
}
}
tokenResults.add(wser);
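Review bot: `processUsernameTokens` and `processSAMLTokens` accept `signed`, `endorsed` and `derived` but never read them: both unconditionally return `areTokensSigned(tokenResults)`, so a caller requesting an endorsing check on a UsernameToken or SAML token gets a signed-only check back, and a caller passing `signed=false` still fails on an unsigned token. The Javadoc hint "Only SignedSupportingTokens are currently enforced" does not make this explicit; I would extend each of the two Javadocs with a sentence such as "The signed/endorsed/derived flags are currently ignored: the tokens must be signed (or carried over TLS) regardless, and endorsement is not verified for this token type", so that anyone wiring a new validator on top of this base class knows the endorsing requirement is not checked here. Whether a signed-but-not-endorsing token should satisfy an endorsing assertion for these types is a policy decision I cannot settle from this hunk.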
@@ -149,11 +154,23 @@ public class EndorsingTokenPolicyValidat
return false;
}
- return checkEndorsed(tokenResults, tls);
+ if (signed && !areTokensSigned(tokenResults)) {
+ return false;
+ }
+ tokenResults.addAll(dktResults);
+ if (endorsed && !checkEndorsed(tokenResults)) {
+ return false;
+ }
+ return true;
}
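Review bot: The tail that enforces the signed and endorsed requirements is duplicated three times — here in `processKerberosTokens`, and again in the hunks for `processX509Tokens` (the `if (signed && !areTokensSigned(tokenResults))` block after `@@ -176,33 +193,31 @@`) and `processSCTokens` (after `@@ -213,7 +228,32 @@`); the three copies must stay in lock-step or the token types will be held to different rules. Extracting the tail into one private helper that takes `tokenResults`, `dktResults`, `signed` and `endorsed` makes the ordering (signed check on the token elements first, then derived keys added, then the endorsing check) explicit in one place. `processKerberosTokens` starts outside this hunk.

```java
        if (tokenResults.isEmpty()) {
            return false;
        }
        return validateTokenResults(tokenResults, dktResults, signed, endorsed);
    }

    /**
     * Common tail of the processXXXTokens methods: enforce the signed requirement on the
     * token elements, then add the derived-key results and enforce the endorsing requirement.
     * @return true if the token results satisfy the requested signed/endorsed requirements
     */
    private boolean validateTokenResults(
        List<WSSecurityEngineResult> tokenResults,
        List<WSSecurityEngineResult> dktResults,
        boolean signed,
        boolean endorsed
    ) {
        if (signed && !areTokensSigned(tokenResults)) {
            return false;
        }
        // Derived-key results are added only after the signed check, presumably because they are
        // not signed elements themselves and only take part in the endorsing check — confirm
        tokenResults.addAll(dktResults);
        return !endorsed || checkEndorsed(tokenResults);
    }
```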
- private boolean processX509Tokens(boolean derived) {
+
+ /**
+ * Process X509 Tokens.
+ */
+ protected boolean processX509Tokens(boolean signed, boolean endorsed, boolean derived) {
List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
+ List<WSSecurityEngineResult> dktResults = new ArrayList<WSSecurityEngineResult>();
for (WSSecurityEngineResult wser : results) {
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
if (actInt.intValue() == WSConstants.BST) {
@@ -161,10 +178,10 @@ public class EndorsingTokenPolicyValidat
(BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof X509Security
|| binarySecurity instanceof PKIPathSecurity) {
- if (derived) {
+ if (endorsed && derived) {
WSSecurityEngineResult resultToStore = processX509DerivedTokenResult(wser);
if (resultToStore != null) {
- tokenResults.add(resultToStore);
+ dktResults.add(resultToStore);
}
}
tokenResults.add(wser);
@@ -176,33 +193,31 @@ public class EndorsingTokenPolicyValidat
return false;
}
- return checkEndorsed(tokenResults, tls);
- }
-
- private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result) {
- X509Certificate cert =
- (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
- WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert);
- if (encrResult != null) {
- byte[] secret = (byte[])encrResult.get(WSSecurityEngineResult.TAG_SECRET);
- WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
- if (dktResult != null) {
- return dktResult;
- }
+ if (signed && !areTokensSigned(tokenResults)) {
+ return false;
}
- return null;
+ tokenResults.addAll(dktResults);
+ if (endorsed && !checkEndorsed(tokenResults)) {
+ return false;
+ }
+ return true;
}
- private boolean processSCTokens(boolean derived) {
+
+ /**
+ * Process Security Context Tokens.
+ */
+ protected boolean processSCTokens(boolean signed, boolean endorsed, boolean derived) {
List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
+ List<WSSecurityEngineResult> dktResults = new ArrayList<WSSecurityEngineResult>();
for (WSSecurityEngineResult wser : results) {
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
if (actInt.intValue() == WSConstants.SCT) {
- if (derived) {
+ if (endorsed && derived) {
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
if (dktResult != null) {
- tokenResults.add(dktResult);
+ dktResults.add(dktResult);
}
}
tokenResults.add(wser);
@@ -213,7 +228,32 @@ public class EndorsingTokenPolicyValidat
return false;
}
- return checkEndorsed(tokenResults, tls);
+ if (signed && !areTokensSigned(tokenResults)) {
+ return false;
+ }
+ tokenResults.addAll(dktResults);
+ if (endorsed && !checkEndorsed(tokenResults)) {
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ * Find an EncryptedKey element that has a cert that matches the cert of the signature, then
+ * find a DerivedKey element that matches that EncryptedKey element.
+ */
+ private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result) {
+ X509Certificate cert =
+ (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert);
+ if (encrResult != null) {
+ byte[] secret = (byte[])encrResult.get(WSSecurityEngineResult.TAG_SECRET);
+ WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
+ if (dktResult != null) {
+ return dktResult;
+ }
+ }
+ return null;
}
/**
@@ -253,16 +293,32 @@ public class EndorsingTokenPolicyValidat
/**
* Check the endorsing supporting token policy. If we're using the Transport Binding then
* check that the Timestamp is signed. Otherwise, check that the signature is signed.
- * @param transport
* @return true if the endorsed supporting token policy is correct
*/
- private boolean checkEndorsed(List<WSSecurityEngineResult> tokenResults, boolean transport) {
- if (transport) {
+ private boolean checkEndorsed(List<WSSecurityEngineResult> tokenResults) {
+ if (tls) {
return checkTimestampIsSigned(tokenResults);
}
return checkSignatureIsSigned(tokenResults);
}
+
+ /**
+ * Return true if a list of tokens were signed, false otherwise.
+ */
+ private boolean areTokensSigned(List<WSSecurityEngineResult> tokens) {
+ if (tls) {
+ return true;
+ }
+ for (WSSecurityEngineResult wser : tokens) {
+ Element tokenElement = (Element)wser.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+ if (!isTokenSigned(tokenElement)) {
+ return false;
+ }
+ }
+ return true;
+ }
+
/**
* Return true if the Timestamp is signed by one of the token results
* @param tokenResults A list of WSSecurityEngineResults corresponding to tokens
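Review bot: The `if (tls) { return true; }` shortcut at the top of `areTokensSigned` treats every token as signed whenever a TLSSessionInfo was found on the message, and nothing in the method says why; a comment such as `// Under the Transport Binding the TLS channel provides the integrity protection, so no message-level signature over the token is required` (matching the wording of the checkEndorsed Javadoc above) would make the intent reviewable. The Javadoc "Return true if a list of tokens were signed" should also say that an empty list yields true, since callers are expected to have rejected an empty result list first. The cast `(Element)wser.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT)` may yield null for results that carry no element; that currently falls through `isTokenSigned` to false, which fails closed, but it is worth noting in the comment so nobody later "fixes" it into a pass.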
@@ -352,4 +408,21 @@ public class EndorsingTokenPolicyValidat
return false;
}
+
+ /**
+ * Return true if a token was signed, false otherwise.
+ */
+ private boolean isTokenSigned(Element token) {
+ for (WSSecurityEngineResult signedResult : signedResults) {
+ List<WSDataRef> dataRefs =
+ CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ for (WSDataRef dataRef : dataRefs) {
+ if (token == dataRef.getProtectedElement()) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+
}
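Review bot: `isTokenSigned` iterates `dataRefs` straight after `CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS))` with no null check, whereas the sibling `checkTimestampIsSigned` in the same class guards the same lookup with `if (sl != null)`; a signature result without data references would therefore throw an NPE out of policy validation instead of producing a clean policy failure. Add `if (dataRefs == null) { continue; }` before the inner loop. The match is by DOM identity (`token == dataRef.getProtectedElement()`), consistent with the existing timestamp check, so a comment that both elements must come from the same parsed document would help anyone tempted to compare by id or QName later.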
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1200342&r1=1200341&r2=1200342&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java Thu Nov 10 14:25:08 2011
@@ -19,337 +19,84 @@
package org.apache.cxf.ws.security.wss4j.policyvalidators;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
import java.util.Collection;
import java.util.List;
-import javax.xml.namespace.QName;
-
-import org.w3c.dom.Element;
-
-import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
-import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.IssuedToken;
import org.apache.cxf.ws.security.policy.model.KerberosToken;
import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
import org.apache.cxf.ws.security.policy.model.SupportingToken;
import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.KerberosSecurity;
-import org.apache.ws.security.message.token.PKIPathSecurity;
-import org.apache.ws.security.message.token.Timestamp;
-import org.apache.ws.security.message.token.X509Security;
-import org.apache.ws.security.util.WSSecurityUtil;
/**
* Validate an EndorsingSupportingToken policy.
*/
-public class EndorsingTokenPolicyValidator extends AbstractTokenPolicyValidator {
-
- private List<WSSecurityEngineResult> results;
- private List<WSSecurityEngineResult> signedResults;
- private Message message;
- private Element timestamp;
- private boolean tls;
+public class EndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
public EndorsingTokenPolicyValidator(
+ Message message,
List<WSSecurityEngineResult> results,
- List<WSSecurityEngineResult> signedResults,
- Message message
+ List<WSSecurityEngineResult> signedResults
) {
- this.results = results;
- this.signedResults = signedResults;
- this.message = message;
- WSSecurityEngineResult result = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
- if (result != null) {
- Timestamp ts = (Timestamp)result.get(WSSecurityEngineResult.TAG_TIMESTAMP);
- timestamp = ts.getElement();
- }
-
- // See whether TLS is in use or not
- TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
- if (tlsInfo != null) {
- tls = true;
- }
+ super(message, results, signedResults);
}
public boolean validatePolicy(
AssertionInfoMap aim
) {
- Collection<AssertionInfo> endorsingAis = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
- if (endorsingAis != null && !endorsingAis.isEmpty()) {
- for (AssertionInfo ai : endorsingAis) {
- SupportingToken binding = (SupportingToken)ai.getAssertion();
- if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENDORSING != binding.getTokenType()) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
+ if (ais == null || ais.isEmpty()) {
+ return true;
+ }
+
+ for (AssertionInfo ai : ais) {
+ SupportingToken binding = (SupportingToken)ai.getAssertion();
+ if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENDORSING != binding.getTokenType()) {
+ continue;
+ }
+ ai.setAsserted(true);
+
+ List<Token> tokens = binding.getTokens();
+ for (Token token : tokens) {
+ if (!isTokenRequired(token, message)) {
continue;
}
- ai.setAsserted(true);
- List<Token> tokens = binding.getTokens();
- for (Token token : tokens) {
- if (!isTokenRequired(token, message)) {
- continue;
+ boolean derived = token.isDerivedKeys();
+ boolean processingFailed = false;
+ if (token instanceof KerberosToken) {
+ if (!processKerberosTokens(false, true, derived)) {
+ processingFailed = true;
+ }
+ } else if (token instanceof X509Token) {
+ if (!processX509Tokens(false, true, derived)) {
+ processingFailed = true;
+ }
+ } else if (token instanceof SecurityContextToken) {
+ if (!processSCTokens(false, true, derived)) {
+ processingFailed = true;
}
- boolean derived = token.isDerivedKeys();
- if (token instanceof KerberosToken && !processKerberosTokens(derived)) {
- ai.setNotAsserted(
- "The received token does not match the supporting token requirement"
- );
- return false;
- } else if (token instanceof X509Token && !processX509Tokens(derived)) {
- ai.setNotAsserted(
- "The received token does not match the supporting token requirement"
- );
- return false;
- } else if (token instanceof SecurityContextToken && !processSCTokens(derived)) {
- ai.setNotAsserted(
- "The received token does not match the supporting token requirement"
- );
- return false;
- }
- }
- }
- }
-
- return true;
- }
-
- private boolean processKerberosTokens(boolean derived) {
- List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
- for (WSSecurityEngineResult wser : results) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.BST) {
- BinarySecurity binarySecurity =
- (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- if (binarySecurity instanceof KerberosSecurity) {
- if (derived) {
- byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
- WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
- if (dktResult != null) {
- tokenResults.add(dktResult);
- }
- }
- tokenResults.add(wser);
+ } else if (!(token instanceof IssuedToken)) {
+ processingFailed = true;
}
- }
- }
-
- if (tokenResults.isEmpty()) {
- return false;
- }
-
- return checkEndorsed(tokenResults, tls);
- }
-
- private boolean processX509Tokens(boolean derived) {
- List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
- for (WSSecurityEngineResult wser : results) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.BST) {
- BinarySecurity binarySecurity =
- (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- if (binarySecurity instanceof X509Security
- || binarySecurity instanceof PKIPathSecurity) {
- if (derived) {
- WSSecurityEngineResult resultToStore = processX509DerivedTokenResult(wser);
- if (resultToStore != null) {
- tokenResults.add(resultToStore);
- }
- }
- tokenResults.add(wser);
- }
- }
- }
-
- if (tokenResults.isEmpty()) {
- return false;
- }
-
- return checkEndorsed(tokenResults, tls);
- }
-
- private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result) {
- X509Certificate cert =
- (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
- WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert);
- if (encrResult != null) {
- byte[] secret = (byte[])encrResult.get(WSSecurityEngineResult.TAG_SECRET);
- WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
- if (dktResult != null) {
- return dktResult;
- }
- }
- return null;
- }
-
- private boolean processSCTokens(boolean derived) {
- List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
- for (WSSecurityEngineResult wser : results) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.SCT) {
- if (derived) {
- byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
- WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
- if (dktResult != null) {
- tokenResults.add(dktResult);
- }
+
+ if (processingFailed) {
+ ai.setNotAsserted(
+ "The received token does not match the endorsing supporting token requirement"
+ );
+ return false;
}
- tokenResults.add(wser);
}
}
- if (tokenResults.isEmpty()) {
- return false;
- }
-
- return checkEndorsed(tokenResults, tls);
- }
-
- /**
- * Get a security result representing a Derived Key that has a secret key that
- * matches the parameter.
- */
- private WSSecurityEngineResult getMatchingDerivedKey(byte[] secret) {
- for (WSSecurityEngineResult wser : results) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.DKT) {
- byte[] dktSecret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
- if (Arrays.equals(secret, dktSecret)) {
- return wser;
- }
- }
- }
- return null;
- }
-
- /**
- * Get a security result representing an EncryptedKey that matches the parameter.
- */
- private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate cert) {
- for (WSSecurityEngineResult wser : results) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.ENCR) {
- X509Certificate encrCert =
- (X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
- if (cert.equals(encrCert)) {
- return wser;
- }
- }
- }
- return null;
- }
-
- /**
- * Check the endorsing supporting token policy. If we're using the Transport Binding then
- * check that the Timestamp is signed. Otherwise, check that the signature is signed.
- * @param transport
- * @return true if the endorsed supporting token policy is correct
- */
- private boolean checkEndorsed(List<WSSecurityEngineResult> tokenResults, boolean transport) {
- if (transport) {
- return checkTimestampIsSigned(tokenResults);
- }
- return checkSignatureIsSigned(tokenResults);
- }
-
- /**
- * Return true if the Timestamp is signed by one of the token results
- * @param tokenResults A list of WSSecurityEngineResults corresponding to tokens
- * @return true if the Timestamp is signed
- */
- private boolean checkTimestampIsSigned(List<WSSecurityEngineResult> tokenResults) {
- for (WSSecurityEngineResult signedResult : signedResults) {
- List<WSDataRef> sl =
- CastUtils.cast((List<?>)signedResult.get(
- WSSecurityEngineResult.TAG_DATA_REF_URIS
- ));
- if (sl != null) {
- for (WSDataRef dataRef : sl) {
- if (timestamp == dataRef.getProtectedElement()
- && checkSignature(signedResult, tokenResults)) {
- return true;
- }
- }
- }
- }
- return false;
- }
-
- /**
- * Return true if the Signature is itself signed by one of the token results
- * @param tokenResults A list of WSSecurityEngineResults corresponding to tokens
- * @return true if the Signature is itself signed
- */
- private boolean checkSignatureIsSigned(List<WSSecurityEngineResult> tokenResults) {
- for (WSSecurityEngineResult signedResult : signedResults) {
- List<WSDataRef> sl =
- CastUtils.cast((List<?>)signedResult.get(
- WSSecurityEngineResult.TAG_DATA_REF_URIS
- ));
- if (sl != null && sl.size() == 1) {
- for (WSDataRef dataRef : sl) {
- QName signedQName = dataRef.getName();
- if (WSSecurityEngine.SIGNATURE.equals(signedQName)
- && checkSignature(signedResult, tokenResults)) {
- return true;
- }
- }
- }
- }
- return false;
+ return true;
}
- /**
- * Check that a WSSecurityEngineResult corresponding to a signature uses the same
- * signing credential as one of the tokens.
- * @param signatureResult a WSSecurityEngineResult corresponding to a signature
- * @param tokenResult A list of WSSecurityEngineResults corresponding to tokens
- * @return
- */
- private boolean checkSignature(
- WSSecurityEngineResult signatureResult,
- List<WSSecurityEngineResult> tokenResult
- ) {
- // See what was used to sign this result
- X509Certificate cert =
- (X509Certificate)signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
- byte[] secret = (byte[])signatureResult.get(WSSecurityEngineResult.TAG_SECRET);
-
- // Now see if the same credential exists in the tokenResult list
- for (WSSecurityEngineResult token : tokenResult) {
- BinarySecurity binarySecurity =
- (BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- if (binarySecurity instanceof X509Security
- || binarySecurity instanceof PKIPathSecurity) {
- X509Certificate foundCert =
- (X509Certificate)token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
- if (foundCert.equals(cert)) {
- return true;
- }
- } else {
- byte[] foundSecret = (byte[])token.get(WSSecurityEngineResult.TAG_SECRET);
- if (foundSecret != null && Arrays.equals(foundSecret, secret)) {
- return true;
- }
- byte[] derivedKey =
- (byte[])token.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY);
- if (derivedKey != null && Arrays.equals(derivedKey, secret)) {
- return true;
- }
- }
- }
-
- return false;
- }
}
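Review bot: The branch `} else if (!(token instanceof IssuedToken)) { processingFailed = true; }` means an IssuedToken listed in an EndorsingSupportingTokens assertion leaves the assertion asserted without any check that a token actually endorsed the signature, while every other unhandled token type fails closed. If that is deliberate because the IssuedToken is validated elsewhere, say so next to the branch, for example `// IssuedToken endorsement is not verified here; the token is checked by its own validator — TODO confirm`, otherwise the exemption reads like an accidental bypass. As a point of style, the three nested `if (!processXTokens(false, true, derived)) { processingFailed = true; }` bodies collapse to `processingFailed = !processKerberosTokens(false, true, derived);` and likewise for X509 and SCT, which keeps the dispatch readable. The constructor and validatePolicy are complete within the hunk.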
Added: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java?rev=1200342&view=auto
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java (added)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java Thu Nov 10 14:25:08 2011
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.IssuedToken;
+import org.apache.cxf.ws.security.policy.model.KerberosToken;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
+import org.apache.cxf.ws.security.policy.model.SupportingToken;
+import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.cxf.ws.security.policy.model.X509Token;
+import org.apache.ws.security.WSSecurityEngineResult;
+
+/**
+ * Validate a SignedEndorsingSupportingToken policy.
+ */
+public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
+
+ public SignedEndorsingTokenPolicyValidator(
+ Message message,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
+ ) {
+ super(message, results, signedResults);
+ }
+
+ public boolean validatePolicy(
+ AssertionInfoMap aim
+ ) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+ if (ais == null || ais.isEmpty()) {
+ return true;
+ }
+
+ for (AssertionInfo ai : ais) {
+ SupportingToken binding = (SupportingToken)ai.getAssertion();
+ if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENDORSING != binding.getTokenType()) {
+ continue;
+ }
+ ai.setAsserted(true);
+
+ List<Token> tokens = binding.getTokens();
+ for (Token token : tokens) {
+ if (!isTokenRequired(token, message)) {
+ continue;
+ }
+
+ boolean derived = token.isDerivedKeys();
+ boolean processingFailed = false;
+ if (token instanceof KerberosToken) {
+ if (!processKerberosTokens(true, true, derived)) {
+ processingFailed = true;
+ }
+ } else if (token instanceof X509Token) {
+ if (!processX509Tokens(true, true, derived)) {
+ processingFailed = true;
+ }
+ } else if (token instanceof SecurityContextToken) {
+ if (!processSCTokens(true, true, derived)) {
+ processingFailed = true;
+ }
+ } else if (!(token instanceof IssuedToken)) {
+ processingFailed = true;
+ }
+
+ if (processingFailed) {
+ ai.setNotAsserted(
+ "The received token does not match the signed endorsing supporting token requirement"
+ );
+ return false;
+ }
+ }
+ }
+
+ return true;
+ }
+
+}
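Review bot: An IssuedToken listed under SignedEndorsingSupportingTokens is accepted without any check, because the dispatch at L885-L899 only sets `processingFailed` for token types other than IssuedToken while `ai.setAsserted(true)` at L875 has already marked the assertion satisfied; if issued-token validation is handled by a separate validator, that branch should say so, e.g. `} else if (!(token instanceof IssuedToken)) { // IssuedToken is not verified here — confirm it is validated elsewhere`, otherwise a message carrying no signed-and-endorsing token would still pass this assertion. SamlToken is also absent from the chain, unlike the SignedTokenPolicyValidator added in the same commit, so a SAML token used to endorse the signature is rejected with the generic message at L903; if that is deliberate a comment would save the next reader a search. The message itself would be more useful for diagnosis if it named the failing token type, e.g. `"The received token does not match the signed endorsing supporting token requirement: " + token.getClass().getSimpleName()`.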
Added: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java?rev=1200342&view=auto
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java (added)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java Thu Nov 10 14:25:08 2011
@@ -0,0 +1,112 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.IssuedToken;
+import org.apache.cxf.ws.security.policy.model.KerberosToken;
+import org.apache.cxf.ws.security.policy.model.SamlToken;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
+import org.apache.cxf.ws.security.policy.model.SupportingToken;
+import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.cxf.ws.security.policy.model.UsernameToken;
+import org.apache.cxf.ws.security.policy.model.X509Token;
+import org.apache.ws.security.WSSecurityEngineResult;
+
+/**
+ * Validate SignedSupportingToken policies.
+ */
+public class SignedTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
+
+ public SignedTokenPolicyValidator(
+ Message message,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
+ ) {
+ super(message, results, signedResults);
+ }
+
+ public boolean validatePolicy(
+ AssertionInfoMap aim
+ ) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
+ if (ais == null || ais.isEmpty()) {
+ return true;
+ }
+
+ for (AssertionInfo ai : ais) {
+ SupportingToken binding = (SupportingToken)ai.getAssertion();
+ if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED != binding.getTokenType()) {
+ continue;
+ }
+ ai.setAsserted(true);
+
+ List<Token> tokens = binding.getTokens();
+ for (Token token : tokens) {
+ if (!isTokenRequired(token, message)) {
+ continue;
+ }
+
+ boolean processingFailed = false;
+ if (token instanceof UsernameToken) {
+ if (!processUsernameTokens(true, false, false)) {
+ processingFailed = true;
+ }
+ } else if (token instanceof SamlToken) {
+ if (!processSAMLTokens(true, false, false)) {
+ processingFailed = true;
+ }
+ } else if (token instanceof KerberosToken) {
+ if (!processKerberosTokens(true, false, false)) {
+ processingFailed = true;
+ }
+ } else if (token instanceof X509Token) {
+ if (!processX509Tokens(true, false, false)) {
+ processingFailed = true;
+ }
+ } else if (token instanceof SecurityContextToken) {
+ if (!processSCTokens(true, false, false)) {
+ processingFailed = true;
+ }
+ } else if (!(token instanceof IssuedToken)) {
+ processingFailed = true;
+ }
+
+ if (processingFailed) {
+ ai.setNotAsserted(
+ "The received token does not match the signed supporting token requirement"
+ );
+ return false;
+ }
+ }
+
+ }
+
+ return true;
+ }
+
+}
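Review bot: The token-type dispatch at L994-L1016 is the same instanceof chain as in SignedEndorsingTokenPolicyValidator with only the three boolean arguments differing, so the two classes will drift as token types are added (SamlToken is already handled here and not there). A single protected helper on AbstractSupportingTokenPolicyValidator, roughly `protected boolean processToken(Token token, boolean signed, boolean endorsing, boolean derived)` that dispatches on the token class and returns `token instanceof IssuedToken` in the fall-through case, would let each validator reduce its loop body to one call and one `setNotAsserted`. As written, an IssuedToken also passes this assertion untouched at L1014; whether that is intended is not visible from this file and deserves a one-line comment on that branch.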
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java?rev=1200342&r1=1200341&r2=1200342&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java Thu Nov 10 14:25:08 2011
@@ -44,6 +44,9 @@ import wssec.kerberos.DoubleItService;
* @Ignore annotations and run the tests with:
*
* mvn test -Dtest=KerberosTokenTest -Djava.security.auth.login.config=src/test/resources/kerberos.jaas
+ *
+ * See here for more information:
+ * http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part.html
*/
public class KerberosTokenTest extends AbstractBusClientServerTestBase {
static final String PORT = allocatePort(Server.class);
@@ -229,6 +232,30 @@ public class KerberosTokenTest extends A
assertTrue(result.equals(BigInteger.valueOf(50)));
}
+ @org.junit.Test
+ @org.junit.Ignore
+ public void testKerberosOverAsymmetricSignedEndorsing() throws Exception {
+
+ if (!unrestrictedPoliciesInstalled) {
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = KerberosTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ DoubleItService service = new DoubleItService();
+
+ DoubleItPortType kerberosPort = service.getDoubleItKerberosAsymmetricSignedEndorsingPort();
+ updateAddressPort(kerberosPort, PORT);
+
+ BigInteger result = kerberosPort.doubleIt(BigInteger.valueOf(25));
+ assertTrue(result.equals(BigInteger.valueOf(50)));
+ }
+
private boolean checkUnrestrictedPoliciesInstalled() {
try {
byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1200342&r1=1200341&r2=1200342&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java Thu Nov 10 14:25:08 2011
@@ -188,6 +188,25 @@ public class X509TokenTest extends Abstr
x509Port.doubleIt(BigInteger.valueOf(25));
}
+ @org.junit.Test
+ public void testTransportSignedEndorsing() throws Exception {
+ if (!unrestrictedPoliciesInstalled) {
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ DoubleItService service = new DoubleItService();
+ DoubleItPortType x509Port = service.getDoubleItTransportSignedEndorsingPort();
+ updateAddressPort(x509Port, PORT2);
+ x509Port.doubleIt(BigInteger.valueOf(25));
+ }
+
private boolean checkUnrestrictedPoliciesInstalled() {
try {
byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
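Review bot: testTransportSignedEndorsing at L1086-L1102 exercises only the accepting path, so a validator that asserted SignedEndorsingSupportingTokens unconditionally would pass it just as well. A companion test that calls the same port with a client configuration that sends no X509 token, or sends it without signing the message, and expects a fault — `try { x509Port.doubleIt(BigInteger.valueOf(25)); fail("Expected a SOAPFaultException"); } catch (javax.xml.ws.soap.SOAPFaultException ex) { /* expected */ }` — would show the new policy validation actually rejects. The result value is also discarded here, unlike the Kerberos test in the same commit; `assertEquals(BigInteger.valueOf(50), x509Port.doubleIt(BigInteger.valueOf(25)));` keeps the two consistent.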
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml?rev=1200342&r1=1200341&r2=1200342&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml Thu Nov 10 14:25:08 2011
@@ -184,4 +184,25 @@
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://WSSec/kerberos}DoubleItKerberosAsymmetricSignedEndorsingPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="bob"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.signature.username" value="alice"/>
+ <entry key="ws-security.kerberos.client">
+ <bean class="org.apache.cxf.ws.security.kerberos.KerberosClient">
+ <constructor-arg ref="cxf"/>
+ <property name="contextName" value="alice"/>
+ <property name="serviceName" value="bob@service.ws.apache.org"/>
+ </bean>
+ </entry>
+ </jaxws:properties>
+ </jaxws:client>
+
</beans>
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml?rev=1200342&r1=1200341&r2=1200342&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml Thu Nov 10 14:25:08 2011
@@ -239,4 +239,28 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="KerberosOverAsymmetricSignedEndorsing"
+ address="http://localhost:${testutil.ports.Server}/DoubleItKerberosAsymmetricSignedEndorsing"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItKerberosAsymmetricSignedEndorsingPort"
+ xmlns:s="http://WSSec/kerberos"
+ implementor="org.apache.cxf.systest.ws.kerberos.server.DoubleItImpl"
+ wsdlLocation="wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.encryption.username" value="alice"/>
+ <entry key="ws-security.bst.validator" value-ref="kerberosValidator"/>
+ <entry key="ws-security.is-bsp-compliant" value="false"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
</beans>
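Review bot: The new endpoint turns off Basic Security Profile checking with `ws-security.is-bsp-compliant=false` at L1163 without recording why; this relaxes the header-structure checks WSS4J applies to every inbound message on that endpoint, not just the Kerberos token. If it is needed because the GSS AP-REQ token reference is not BSP-conformant (an inference from the token type, not something this file shows), a comment beside the entry, `<!-- BSP checks disabled: needed for the GSS Kerberos token reference; remove if no longer required -->`, would keep the relaxation from being copied into production configuration unexamined.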
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1200342&r1=1200341&r2=1200342&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml Thu Nov 10 14:25:08 2011
@@ -114,6 +114,17 @@
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://WSSec/x509}DoubleItTransportSignedEndorsingPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.signature.username" value="alice"/>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:client>
+
<http:conduit name="https://localhost:.*">
<http:tlsClientParameters disableCNCheck="true">
<sec:trustManagers>
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1200342&r1=1200341&r2=1200342&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Thu Nov 10 14:25:08 2011
@@ -137,8 +137,6 @@
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
- <entry key="ws-security.callback-handler"
- value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.encryption.properties"
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
<entry key="ws-security.encryption.username" value="alice"/>
@@ -160,8 +158,6 @@
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
- <entry key="ws-security.callback-handler"
- value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.encryption.properties"
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
<entry key="ws-security.encryption.username" value="alice"/>
@@ -204,4 +200,21 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="TransportSignedEndorsing"
+ address="https://localhost:${testutil.ports.Server.2}/DoubleItX509TransportSignedEndorsing"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItTransportSignedEndorsingPort"
+ xmlns:s="http://WSSec/x509"
+ implementor="org.apache.cxf.systest.ws.x509.server.DoubleItImpl"
+ wsdlLocation="wsdl_systest_wssec/x509/DoubleItX509.wsdl"
+ depends-on="tls-settings">
+
+ <jaxws:properties>
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
</beans>
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl?rev=1200342&r1=1200341&r2=1200342&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl Thu Nov 10 14:25:08 2011
@@ -234,6 +234,26 @@
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItKerberosAsymmetricSignedEndorsingBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItKerberosAsymmetricSignedEndorsingPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
+
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItKerberosTransportPort" binding="tns:DoubleItKerberosTransportBinding">
<soap:address location="https://localhost:9009/DoubleItKerberosTransport" />
@@ -266,6 +286,10 @@
binding="tns:DoubleItKerberosSymmetricDerivedProtectionBinding">
<soap:address location="http://localhost:9001/DoubleItKerberosSymmetricDerivedProtection" />
</wsdl:port>
+ <wsdl:port name="DoubleItKerberosAsymmetricSignedEndorsingPort"
+ binding="tns:DoubleItKerberosAsymmetricSignedEndorsingBinding">
+ <soap:address location="http://localhost:9001/DoubleItKerberosAsymmetricSignedEndorsing" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItKerberosTransportPolicy">
@@ -649,6 +673,68 @@
</wsp:ExactlyOne>
</wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItKerberosAsymmetricSignedEndorsingPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding>
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireIssuerSerialReference />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireIssuerSerialReference />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ <sp:Wss11>
+ <wsp:Policy>
+ <sp:MustSupportRefIssuerSerial/>
+ <sp:MustSupportRefThumbprint/>
+ <sp:MustSupportRefEncryptedKey/>
+ </wsp:Policy>
+ </sp:Wss11>
+ <sp:SignedEndorsingSupportingTokens>
+ <wsp:Policy>
+ <sp:KerberosToken
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once">
+ <wsp:Policy>
+ <sp:WssGssKerberosV5ApReqToken11/>
+ </wsp:Policy>
+ </sp:KerberosToken>
+ </wsp:Policy>
+ </sp:SignedEndorsingSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl?rev=1200342&r1=1200341&r2=1200342&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl Thu Nov 10 14:25:08 2011
@@ -187,7 +187,7 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
- <wsdl:binding name="DoubleItTransportEndorsingBinding" type="tns:DoubleItPortType">
+ <wsdl:binding name="DoubleItTransportEndorsingBinding" type="tns:DoubleItPortType">
<wsp:PolicyReference URI="#DoubleItTransportEndorsingPolicy" />
<soap:binding style="document"
transport="http://schemas.xmlsoap.org/soap/http" />
@@ -206,6 +206,25 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItTransportSignedEndorsingBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItTransportSignedEndorsingPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItKeyIdentifierPort" binding="tns:DoubleItKeyIdentifierBinding">
@@ -233,6 +252,10 @@
binding="tns:DoubleItTransportEndorsingBinding">
<soap:address location="https://localhost:9002/DoubleItX509TransportEndorsing" />
</wsdl:port>
+ <wsdl:port name="DoubleItTransportSignedEndorsingPort"
+ binding="tns:DoubleItTransportSignedEndorsingBinding">
+ <soap:address location="https://localhost:9002/DoubleItX509TransportSignedEndorsing" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItKeyIdentifierPolicy">
@@ -500,6 +523,43 @@
</wsp:ExactlyOne>
</wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItTransportSignedEndorsingPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:TransportBinding>
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken RequireClientCertificate="false" />
+ </wsp:Policy>
+ </sp:TransportToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <sp:SignedEndorsingSupportingTokens>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:SignedEndorsingSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>