Posted to commits@cxf.apache.org by co...@apache.org on 2011/10/26 20:06:33 UTC
svn commit: r1189352 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/
service...
Author: coheigea
Date: Wed Oct 26 18:06:32 2011
New Revision: 1189352
URL: http://svn.apache.org/viewvc?rev=1189352&view=rev
Log:
Added new policy validators for the Symmetric binding + Asymmetric binding
- Started properly validating a load more policies
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/DoubleIt.wsdl
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java Wed Oct 26 18:06:32 2011
@@ -68,6 +68,9 @@ public final class SP11Constants extends
public static final QName INCLUDE_TIMESTAMP = new QName(SP_NS,
SPConstants.INCLUDE_TIMESTAMP, SP11Constants.SP_PREFIX);
+
+ public static final QName ONLY_SIGN_ENTIRE_HEADERS_AND_BODY = new QName(SP_NS,
+ SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY, SP11Constants.SP_PREFIX);
public static final QName TRANSPORT_TOKEN = new QName(SP_NS,
SPConstants.TRANSPORT_TOKEN, SP11Constants.SP_PREFIX);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java Wed Oct 26 18:06:32 2011
@@ -130,7 +130,7 @@ public final class WSSecurityPolicyLoade
SP12Constants.INCLUDE_TIMESTAMP, SP11Constants.INCLUDE_TIMESTAMP,
SP12Constants.ENCRYPT_SIGNATURE, SP11Constants.ENCRYPT_SIGNATURE,
SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY,
- new QName(SP11Constants.SP_NS, SP11Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY),
+ SP11Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY,
SP12Constants.WSS_X509_V1_TOKEN_10,
SP12Constants.WSS_X509_V1_TOKEN_11,
SP12Constants.WSS_X509_V3_TOKEN_10,
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Wed Oct 26 18:06:32 2011
@@ -66,21 +66,19 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.cxf.ws.security.policy.model.TransportBinding;
import org.apache.cxf.ws.security.policy.model.TransportToken;
import org.apache.cxf.ws.security.policy.model.Wss11;
-import org.apache.cxf.ws.security.policy.model.X509Token;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
-import org.apache.neethi.Assertion;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngineResult;
@@ -204,35 +202,6 @@ public class PolicyBasedWSS4JInIntercept
}
return false;
}
- private void assertPolicy(AssertionInfoMap aim, Token token, Boolean derived) {
- if (derived == null) {
- //no keys were needed for anything
- return;
- }
- if (!derived && token instanceof X509Token && token.isDerivedKeys()) {
- notAssertPolicy(aim, token, "No derived keys found.");
- }
- }
- private void assertPolicy(AssertionInfoMap aim, Assertion token) {
- Collection<AssertionInfo> ais = aim.get(token.getName());
- if (ais != null && !ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == token) {
- ai.setAsserted(true);
- }
- }
- }
- }
- private void notAssertPolicy(AssertionInfoMap aim, Assertion token, String msg) {
- Collection<AssertionInfo> ais = aim.get(token.getName());
- if (ais != null && !ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == token) {
- ai.setNotAsserted(msg);
- }
- }
- }
- }
private String checkAsymetricBinding(AssertionInfoMap aim,
String action,
@@ -472,37 +441,6 @@ public class PolicyBasedWSS4JInIntercept
}
}
- enum Protections {
- NONE,
- SIGN,
- ENCRYPT,
- SIGN_ENCRYPT,
- ENCRYPT_SIGN,
- ENCRYPT_SIGN_PROTECT,
- };
- private Protections addSign(Protections prots) {
- if (prots == Protections.NONE) {
- return Protections.SIGN;
- }
- if (prots == Protections.ENCRYPT) {
- return Protections.ENCRYPT_SIGN;
- }
- return prots;
- }
- private Protections addEncrypt(Protections prots) {
- if (prots == Protections.NONE) {
- return Protections.ENCRYPT;
- }
- if (prots == Protections.SIGN) {
- return Protections.SIGN_ENCRYPT;
- }
- if (prots == Protections.ENCRYPT_SIGN
- || prots == Protections.SIGN_ENCRYPT) {
- return Protections.ENCRYPT_SIGN_PROTECT;
- }
- return prots;
- }
-
@Override
protected void doResults(
SoapMessage msg,
@@ -517,7 +455,6 @@ public class PolicyBasedWSS4JInIntercept
Collection<WSDataRef> encrypted = new HashSet<WSDataRef>();
Boolean hasDerivedKeys = null;
boolean hasEndorsement = false;
- Protections prots = Protections.NONE;
//
// Prefetch all signature results
@@ -544,7 +481,6 @@ public class PolicyBasedWSS4JInIntercept
for (WSDataRef r : sl) {
signed.add(r);
}
- prots = addSign(prots);
}
break;
case WSConstants.ENCR:
@@ -557,7 +493,6 @@ public class PolicyBasedWSS4JInIntercept
for (WSDataRef r : el) {
encrypted.add(r);
}
- prots = addEncrypt(prots);
}
break;
case WSConstants.UT:
@@ -581,13 +516,6 @@ public class PolicyBasedWSS4JInIntercept
new SamlTokenPolicyValidator(soapBody, signedResults, msg);
validator.validatePolicy(aim, wser);
break;
- // TODO remove
- case WSConstants.TS:
- assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
- break;
- case WSConstants.DKT:
- hasDerivedKeys = Boolean.TRUE;
- break;
case WSConstants.SC:
assertPolicy(aim, SP12Constants.WSS11);
break;
@@ -621,9 +549,6 @@ public class PolicyBasedWSS4JInIntercept
assertHeadersExists(aim, msg, soapHeader);
- assertAsymetricBinding(aim, msg, prots, results, hasDerivedKeys);
- assertSymmetricBinding(aim, msg, prots, results, hasDerivedKeys);
-
X509TokenPolicyValidator x509Validator = new X509TokenPolicyValidator(msg, results);
x509Validator.validatePolicy(aim);
@@ -631,6 +556,14 @@ public class PolicyBasedWSS4JInIntercept
new TransportBindingPolicyValidator(msg, results, signedResults);
transportValidator.validatePolicy(aim);
+ SymmetricBindingPolicyValidator symmetricValidator =
+ new SymmetricBindingPolicyValidator(msg, results, signedResults);
+ symmetricValidator.validatePolicy(aim);
+
+ AsymmetricBindingPolicyValidator asymmetricValidator =
+ new AsymmetricBindingPolicyValidator(msg, results, signedResults);
+ asymmetricValidator.validatePolicy(aim);
+
SecurityContextTokenPolicyValidator sctValidator =
new SecurityContextTokenPolicyValidator(msg, results);
sctValidator.validatePolicy(aim);
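Review bot: The two validators added here each rescan `results` for `WSConstants.DKT` in their own constructors, while the interceptor's local `Boolean hasDerivedKeys = null;` (context at the top of doResults, in an earlier hunk of this file) lost its only visible writer when the `case WSConstants.DKT:` branch was deleted. If nothing outside these hunks still reads it, the declaration is dead and should be removed; if something does, it is now permanently null, which under the deleted assertPolicy(aim, token, derived) meant "no keys were needed for anything" and may no longer be what that reader expects. The return values of both new validatePolicy calls are discarded, consistent with the transport validator above them, so a failing binding check is recorded only through ai.setNotAsserted inside the validators; a comment such as `// return values ignored: failures are recorded on the AssertionInfo via setNotAsserted` would make that contract visible at the call site. doResults starts and ends outside this hunk.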
@@ -700,100 +633,6 @@ public class PolicyBasedWSS4JInIntercept
}
- private boolean assertSymmetricBinding(AssertionInfoMap aim,
- SoapMessage message,
- Protections prots,
- List<WSSecurityEngineResult> results,
- Boolean derived) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
- if (ais == null) {
- return true;
- }
-
- for (AssertionInfo ai : ais) {
- SymmetricBinding abinding = (SymmetricBinding)ai.getAssertion();
- ai.setAsserted(true);
- if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
- if (abinding.isSignatureProtection()) {
- if (prots == Protections.ENCRYPT_SIGN
- || prots == Protections.SIGN_ENCRYPT) {
- ai.setNotAsserted("Not encrypted before signed and then protected");
- return false;
- }
- } else if (prots == Protections.SIGN_ENCRYPT) {
- ai.setNotAsserted("Not encrypted before signed");
- return false;
- }
- } else if (prots == Protections.ENCRYPT_SIGN) {
- ai.setNotAsserted("Not signed before encrypted");
- return false;
- }
-
- AlgorithmSuitePolicyValidator algorithmValidator = new AlgorithmSuitePolicyValidator(results);
- if (!algorithmValidator.validatePolicy(ai, abinding.getAlgorithmSuite())) {
- return false;
- }
-
- if (abinding.getEncryptionToken() != null) {
- assertPolicy(aim, abinding.getEncryptionToken());
- assertPolicy(aim, abinding.getEncryptionToken().getToken(), derived);
- }
- if (abinding.getSignatureToken() != null) {
- assertPolicy(aim, abinding.getSignatureToken());
- assertPolicy(aim, abinding.getSignatureToken().getToken(), derived);
- }
- if (abinding.getProtectionToken() != null) {
- assertPolicy(aim, abinding.getProtectionToken());
- assertPolicy(aim, abinding.getProtectionToken().getToken(), derived);
- }
- }
- return true;
- }
- private boolean assertAsymetricBinding(AssertionInfoMap aim,
- SoapMessage message,
- Protections prots,
- List<WSSecurityEngineResult> results,
- Boolean derived) {
- Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
- if (ais == null) {
- return true;
- }
- for (AssertionInfo ai : ais) {
- AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
- ai.setAsserted(true);
- if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
- if (abinding.isSignatureProtection()) {
- if (prots == Protections.ENCRYPT_SIGN
- || prots == Protections.SIGN_ENCRYPT) {
- ai.setNotAsserted("Not encrypted before signed and then protected");
- return false;
- }
- } else if (prots == Protections.SIGN_ENCRYPT) {
- ai.setNotAsserted("Not encrypted before signed");
- return false;
- }
- } else if (prots == Protections.ENCRYPT_SIGN) {
- ai.setNotAsserted("Not signed before encrypted");
- return false;
- }
-
- AlgorithmSuitePolicyValidator algorithmValidator = new AlgorithmSuitePolicyValidator(results);
- if (!algorithmValidator.validatePolicy(ai, abinding.getAlgorithmSuite())) {
- return false;
- }
-
- if (abinding.getInitiatorToken() != null) {
- assertPolicy(aim, abinding.getInitiatorToken());
- assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
- }
- if (abinding.getRecipientToken() != null) {
- assertPolicy(aim, abinding.getRecipientToken());
- assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
- }
- }
- return true;
- }
-
private boolean isTransportBinding(AssertionInfoMap aim) {
Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
if (ais != null && ais.size() > 0) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java Wed Oct 26 18:06:32 2011
@@ -25,10 +25,22 @@ import java.util.List;
import javax.xml.namespace.QName;
+import org.w3c.dom.Element;
+
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.EncryptionToken;
+import org.apache.cxf.ws.security.policy.model.Layout;
+import org.apache.cxf.ws.security.policy.model.ProtectionToken;
+import org.apache.cxf.ws.security.policy.model.SignatureToken;
+import org.apache.cxf.ws.security.policy.model.SymmetricAsymmetricBindingBase;
+import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.cxf.ws.security.policy.model.TokenWrapper;
+import org.apache.cxf.ws.security.policy.model.X509Token;
import org.apache.neethi.Assertion;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
@@ -41,11 +53,14 @@ import org.apache.ws.security.util.WSSec
*/
public abstract class AbstractBindingPolicyValidator {
+ private static final QName SIG_QNAME = new QName(WSConstants.SIG_NS, WSConstants.SIG_LN);
+
+ protected List<WSSecurityEngineResult> results;
+
/**
* Validate a Timestamp
* @param includeTimestamp whether a Timestamp must be included or not
* @param transportBinding whether the Transport binding is in use or not
- * @param results the results list
* @param signedResults the signed results list
* @param message the Message object
* @return whether the Timestamp policy is valid or not
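Review bot: `protected List<WSSecurityEngineResult> results;` is introduced as a mutable, undocumented field, and the `@param results` line deleted just below it was the only description of that list; the two validators added in this commit write it directly with `this.results = results;`. A field Javadoc, `/** All WSS4J engine results for the message; assigned by the subclass constructor and read by the ordering and encryption checks below. */`, keeps the contract visible, and a protected constructor taking the list would let the field be final instead of depending on every subclass to set it before validatePolicy runs. `SIG_QNAME` also deserves a line saying what it stands for, `// presumably the ds:Signature element; a reference to only this marks an endorsing signature`, since its sole use is the endorsing-signature exclusion further down in this file. The class body continues well past this hunk.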
@@ -53,7 +68,6 @@ public abstract class AbstractBindingPol
protected boolean validateTimestamp(
boolean includeTimestamp,
boolean transportBinding,
- List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults,
Message message
) {
@@ -79,7 +93,7 @@ public abstract class AbstractBindingPol
List<WSDataRef> dataRefs =
CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
for (WSDataRef dataRef : dataRefs) {
- if (timestamp == dataRef.getProtectedElement()) {
+ if (timestamp.getElement() == dataRef.getProtectedElement()) {
return true;
}
}
@@ -95,21 +109,17 @@ public abstract class AbstractBindingPol
protected boolean validateEntireHeaderAndBodySignatures(
List<WSSecurityEngineResult> signedResults
) {
- if (signedResults.isEmpty()) {
- return false;
- }
for (WSSecurityEngineResult signedResult : signedResults) {
List<WSDataRef> dataRefs =
CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
for (WSDataRef dataRef : dataRefs) {
String xpath = dataRef.getXpath();
String[] nodes = xpath.split("/");
- // envelope/Body || envelope/Header/header
- if (nodes.length == 2 || nodes.length == 3) {
- return true;
- // envelope/Header/wsse:Security/header
- } else if (nodes.length == 4 && nodes[2].contains("Security")) {
- return true;
+ // envelope/Body || envelope/Header/header || envelope/Header/wsse:Security/header
+ if (nodes.length == 5 && nodes[3].contains("Security")) {
+ continue;
+ } else if (nodes.length < 3 || nodes.length > 4) {
+ return false;
}
}
}
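Review bot: The new shape check in validateEntireHeaderAndBodySignatures accepts any four-token path, but with a leading slash (which the lengths 3/4/5 in the updated comment presuppose) `/Envelope/Header/x` and `/Envelope/Body/x` both split into four tokens, so a signature over a child of the Body satisfies a property that requires the entire Body to be signed; rejecting the Body case first, `} else if (nodes.length == 4 && !nodes[2].contains("Header")) { return false; }` placed before the existing length test, closes that gap. Removing the `signedResults.isEmpty()` guard means a message with no signatures at all now returns true from this method; checkProperties only calls it when OnlySignEntireHeadersAndBody is set, so this is probably the intended "nothing signed outside the rule" reading, but it should be stated, e.g. `// no signatures at all cannot violate the property`. `dataRef.getXpath()` is split without a null check, which is only safe if WSS4J always populates the xpath for a signed reference — not visible here. The method's end lies outside the hunk.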
@@ -120,7 +130,6 @@ public abstract class AbstractBindingPol
* Validate the layout assertion. It just checks the LaxTsFirst and LaxTsLast properties
*/
protected boolean validateLayout(
- List<WSSecurityEngineResult> results,
boolean laxTimestampFirst,
boolean laxTimestampLast
) {
@@ -146,6 +155,198 @@ public abstract class AbstractBindingPol
}
+ /**
+ * Check various properties set in the policy of the binding
+ */
+ protected boolean checkProperties(
+ SymmetricAsymmetricBindingBase binding,
+ AssertionInfo ai,
+ AssertionInfoMap aim,
+ List<WSSecurityEngineResult> signedResults,
+ Message message
+ ) {
+ // Check the AlgorithmSuite
+ AlgorithmSuitePolicyValidator algorithmValidator = new AlgorithmSuitePolicyValidator(results);
+ if (!algorithmValidator.validatePolicy(ai, binding.getAlgorithmSuite())) {
+ return false;
+ }
+
+ // Check the IncludeTimestamp
+ if (!validateTimestamp(binding.isIncludeTimestamp(), false, signedResults, message)) {
+ String error = "Received Timestamp does not match the requirements";
+ notAssertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP, error);
+ ai.setNotAsserted(error);
+ return false;
+ }
+ assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
+
+ // Check the Layout
+ Layout layout = binding.getLayout();
+ boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTimestampFirst;
+ boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTimestampLast;
+ if (!validateLayout(timestampFirst, timestampLast)) {
+ String error = "Layout does not match the requirements";
+ notAssertPolicy(aim, SP12Constants.LAYOUT, error);
+ ai.setNotAsserted(error);
+ return false;
+ }
+ assertPolicy(aim, SP12Constants.LAYOUT);
+
+ // Check the EntireHeaderAndBodySignatures property
+ if (binding.isEntireHeadersAndBodySignatures()
+ && !validateEntireHeaderAndBodySignatures(signedResults)) {
+ String error = "OnlySignEntireHeadersAndBody does not match the requirements";
+ ai.setNotAsserted(error);
+ return false;
+ }
+
+ // Check whether the signatures were encrypted or not
+ if (binding.isSignatureProtection() && !isSignatureEncrypted()) {
+ ai.setNotAsserted("The signature is not protected");
+ return false;
+ }
+
+ return true;
+ }
+
+ /**
+ * Check the Protection Order of the binding
+ */
+ protected boolean checkProtectionOrder(SymmetricAsymmetricBindingBase binding, AssertionInfo ai) {
+ if (binding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
+ if (!binding.isSignatureProtection() && isSignedBeforeEncrypted()) {
+ ai.setNotAsserted("Not encrypted before signed");
+ return false;
+ }
+ } else if (isEncryptedBeforeSigned()) {
+ ai.setNotAsserted("Not signed before encrypted");
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ * Check to see if a signature was applied before encryption.
+ * Note that results are stored in the reverse order.
+ */
+ private boolean isSignedBeforeEncrypted() {
+ boolean signed = false;
+ for (WSSecurityEngineResult result : results) {
+ Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+ List<WSDataRef> el =
+ CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+
+ // Don't count an endorsing signature
+ if (actInt.intValue() == WSConstants.SIGN && el != null
+ && !(el.size() == 1 && el.get(0).getName().equals(SIG_QNAME))) {
+ signed = true;
+ }
+ if (actInt.intValue() == WSConstants.ENCR && el != null) {
+ if (signed) {
+ return true;
+ }
+ return false;
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Check to see if encryption was applied before signature.
+ * Note that results are stored in the reverse order.
+ */
+ private boolean isEncryptedBeforeSigned() {
+ boolean encrypted = false;
+ for (WSSecurityEngineResult result : results) {
+ Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+ List<WSDataRef> el =
+ CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+
+ if (actInt.intValue() == WSConstants.ENCR && el != null) {
+ encrypted = true;
+ }
+ // Don't count an endorsing signature
+ if (actInt.intValue() == WSConstants.SIGN && el != null
+ && !(el.size() == 1 && el.get(0).getName().equals(SIG_QNAME))) {
+ if (encrypted) {
+ return true;
+ }
+ return false;
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Check the derived key requirement.
+ */
+ protected boolean checkDerivedKeys(
+ TokenWrapper tokenWrapper,
+ boolean hasDerivedKeys,
+ List<WSSecurityEngineResult> signedResults,
+ List<WSSecurityEngineResult> encryptedResults
+ ) {
+ Token token = tokenWrapper.getToken();
+ // If derived keys are not required then just return
+ if (!(token instanceof X509Token && token.isDerivedKeys())) {
+ return true;
+ }
+ if (tokenWrapper instanceof EncryptionToken
+ && !hasDerivedKeys && !encryptedResults.isEmpty()) {
+ return false;
+ } else if (tokenWrapper instanceof SignatureToken
+ && !hasDerivedKeys && !signedResults.isEmpty()) {
+ return false;
+ } else if (tokenWrapper instanceof ProtectionToken
+ && !hasDerivedKeys && !(signedResults.isEmpty() || encryptedResults.isEmpty())) {
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ * Check whether all Signature (and SignatureConfirmation) elements were encrypted
+ */
+ protected boolean isSignatureEncrypted() {
+ for (WSSecurityEngineResult result : results) {
+ Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == WSConstants.SIGN) {
+ // TODO || actInt.intValue() == WSConstants.SC) {
+ String sigId = (String)result.get(WSSecurityEngineResult.TAG_ID);
+ if (sigId == null || !isIdEncrypted(sigId)) {
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
+ /**
+ * Return true if the given id was encrypted
+ */
+ private boolean isIdEncrypted(String sigId) {
+ for (WSSecurityEngineResult wser : results) {
+ Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == WSConstants.ENCR) {
+ List<WSDataRef> el =
+ CastUtils.cast((List<?>)wser.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ if (el != null) {
+ for (WSDataRef r : el) {
+ Element protectedElement = r.getProtectedElement();
+ if (protectedElement != null) {
+ String id = protectedElement.getAttribute("Id");
+ String wsuId = protectedElement.getAttributeNS(WSConstants.WSU_NS, "Id");
+ if (sigId.equals(id) || sigId.equals(wsuId)) {
+ return true;
+ }
+ }
+ }
+ }
+ }
+ }
+ return false;
+ }
+
protected void assertPolicy(AssertionInfoMap aim, Assertion token) {
Collection<AssertionInfo> ais = aim.get(token.getName());
if (ais != null && !ais.isEmpty()) {
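Review bot: In isIdEncrypted, `protectedElement.getAttribute("Id")` returns the empty string when the attribute is absent, so an empty `sigId` — which isSignatureEncrypted guards only against null — would be matched by any encrypted element that carries no Id and the signature would be reported as protected when it is not; guard it with `if (sigId == null || sigId.isEmpty() || !isIdEncrypted(sigId)) {`. Whether WSS4J can ever place an empty TAG_ID in a SIGN result is not visible here, but the check is cheap and the failure mode is silent. Separately, checkDerivedKeys decides per TokenWrapper, yet `hasDerivedKeys` is a single flag that the subclass constructors set when any DKT result exists, so a SignatureToken that requires derived keys is satisfied by a derived key used only for encryption (and vice versa); tying the DKT results to the signature or encryption results they key would make the check enforce what the policy states. The isSignatureEncrypted Javadoc promises SignatureConfirmation elements too, but the loop tests only `WSConstants.SIGN` and the `WSConstants.SC` case is a TODO, so the comment should read `Check whether all Signature elements were encrypted (SignatureConfirmation is not yet covered)`. The assertPolicy method at the end of the hunk continues past it.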
Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java?rev=1189352&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java Wed Oct 26 18:06:32 2011
@@ -0,0 +1,126 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+
+/**
+ * Validate an AsymmetricBinding policy.
+ */
+public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValidator {
+
+ private List<WSSecurityEngineResult> signedResults;
+ private List<WSSecurityEngineResult> encryptedResults;
+ private Message message;
+ private boolean hasDerivedKeys;
+
+ public AsymmetricBindingPolicyValidator(
+ Message message,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
+ ) {
+ this.message = message;
+ this.results = results;
+ this.signedResults = signedResults;
+
+ // Store the encryption results and whether we have any derived key results
+ encryptedResults = new ArrayList<WSSecurityEngineResult>();
+ for (WSSecurityEngineResult result : results) {
+ Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == WSConstants.DKT) {
+ hasDerivedKeys = true;
+ } else if (actInt.intValue() == WSConstants.ENCR) {
+ encryptedResults.add(result);
+ }
+ }
+ }
+
+ public boolean validatePolicy(
+ AssertionInfoMap aim
+ ) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
+ if (ais == null || ais.isEmpty()) {
+ return true;
+ }
+
+ for (AssertionInfo ai : ais) {
+ AsymmetricBinding binding = (AsymmetricBinding)ai.getAssertion();
+ ai.setAsserted(true);
+
+ // Check the protection order
+ if (!checkProtectionOrder(binding, ai)) {
+ return false;
+ }
+
+ // Check various properties of the binding
+ if (!checkProperties(binding, ai, aim, signedResults, message)) {
+ return false;
+ }
+
+ // Check various tokens of the binding
+ if (!checkTokens(binding, ai, aim)) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+ /**
+ * Check various tokens of the binding
+ */
+ private boolean checkTokens(
+ AsymmetricBinding binding,
+ AssertionInfo ai,
+ AssertionInfoMap aim
+ ) {
+ if (binding.getInitiatorToken() != null) {
+ assertPolicy(aim, binding.getInitiatorToken());
+ if (!checkDerivedKeys(
+ binding.getInitiatorToken(), hasDerivedKeys, signedResults, encryptedResults
+ )) {
+ ai.setNotAsserted("Message fails the DerivedKeys requirement");
+ return false;
+ }
+ }
+ if (binding.getRecipientToken() != null) {
+ assertPolicy(aim, binding.getRecipientToken());
+ if (!checkDerivedKeys(
+ binding.getRecipientToken(), hasDerivedKeys, signedResults, encryptedResults
+ )) {
+ ai.setNotAsserted("Message fails the DerivedKeys requirement");
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+}
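Review bot: The constructor loop that fills `encryptedResults` and sets `hasDerivedKeys` is repeated verbatim in the SymmetricBindingPolicyValidator added in the same commit, and both classes declare the same four fields; hoisting the scan and the fields into AbstractBindingPolicyValidator, which already owns `results`, would reduce each constructor to `super(message, results, signedResults);` and leave the subclasses with only validatePolicy and checkTokens. The public constructor and validatePolicy carry no Javadoc; `@param aim the AssertionInfoMap whose ASYMMETRIC_BINDING assertions are checked` and `@return false as soon as one assertion fails, otherwise true` would document the early-exit contract. validatePolicy marks each assertion with `ai.setAsserted(true)` before running its checks and returns on the first failure, so any later entry in `ais` is neither examined nor marked once an earlier one fails — presumably harmless if only one binding assertion is ever present, but worth a comment. `(Integer)result.get(WSSecurityEngineResult.TAG_ACTION)` is dereferenced without a null check in the constructor, which is only safe if every engine result carries an action; the base class makes the same assumption.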
Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java?rev=1189352&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java Wed Oct 26 18:06:32 2011
@@ -0,0 +1,137 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+
+/**
+ * Validate a SymmetricBinding policy.
+ */
+public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValidator {
+
+ private List<WSSecurityEngineResult> signedResults;
+ private List<WSSecurityEngineResult> encryptedResults;
+ private Message message;
+ private boolean hasDerivedKeys;
+
+ public SymmetricBindingPolicyValidator(
+ Message message,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
+ ) {
+ this.message = message;
+ this.results = results;
+ this.signedResults = signedResults;
+
+ // Store the encryption results and whether we have any derived key results
+ encryptedResults = new ArrayList<WSSecurityEngineResult>();
+ for (WSSecurityEngineResult result : results) {
+ Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == WSConstants.DKT) {
+ hasDerivedKeys = true;
+ } else if (actInt.intValue() == WSConstants.ENCR) {
+ encryptedResults.add(result);
+ }
+ }
+ }
+
+ public boolean validatePolicy(
+ AssertionInfoMap aim
+ ) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
+ if (ais == null || ais.isEmpty()) {
+ return true;
+ }
+
+ for (AssertionInfo ai : ais) {
+ SymmetricBinding binding = (SymmetricBinding)ai.getAssertion();
+ ai.setAsserted(true);
+
+ // Check the protection order
+ if (!checkProtectionOrder(binding, ai)) {
+ return false;
+ }
+
+ // Check various properties of the binding
+ if (!checkProperties(binding, ai, aim, signedResults, message)) {
+ return false;
+ }
+
+ // Check various tokens of the binding
+ if (!checkTokens(binding, ai, aim)) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+ /**
+ * Check various tokens of the binding
+ */
+ private boolean checkTokens(
+ SymmetricBinding binding,
+ AssertionInfo ai,
+ AssertionInfoMap aim
+ ) {
+ if (binding.getEncryptionToken() != null) {
+ assertPolicy(aim, binding.getEncryptionToken());
+ if (!checkDerivedKeys(
+ binding.getEncryptionToken(), hasDerivedKeys, signedResults, encryptedResults
+ )) {
+ ai.setNotAsserted("Message fails the DerivedKeys requirement");
+ return false;
+ }
+ }
+
+ if (binding.getSignatureToken() != null) {
+ assertPolicy(aim, binding.getSignatureToken());
+ if (!checkDerivedKeys(
+ binding.getSignatureToken(), hasDerivedKeys, signedResults, encryptedResults
+ )) {
+ ai.setNotAsserted("Message fails the DerivedKeys requirement");
+ return false;
+ }
+ }
+
+ if (binding.getProtectionToken() != null) {
+ assertPolicy(aim, binding.getProtectionToken());
+ if (!checkDerivedKeys(
+ binding.getProtectionToken(), hasDerivedKeys, signedResults, encryptedResults
+ )) {
+ ai.setNotAsserted("Message fails the DerivedKeys requirement");
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java Wed Oct 26 18:06:32 2011
@@ -38,7 +38,6 @@ import org.apache.ws.security.WSSecurity
*/
public class TransportBindingPolicyValidator extends AbstractBindingPolicyValidator {
- private List<WSSecurityEngineResult> results;
private List<WSSecurityEngineResult> signedResults;
private Message message;
@@ -85,21 +84,25 @@ public class TransportBindingPolicyValid
}
// Check the IncludeTimestamp
- if (!validateTimestamp(binding.isIncludeTimestamp(), true, results, signedResults, message)) {
+ if (!validateTimestamp(binding.isIncludeTimestamp(), true, signedResults, message)) {
String error = "Received Timestamp does not match the requirements";
notAssertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP, error);
+ ai.setNotAsserted(error);
return false;
}
+ assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
// Check the Layout
Layout layout = binding.getLayout();
boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTimestampFirst;
boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTimestampLast;
- if (!validateLayout(results, timestampFirst, timestampLast)) {
+ if (!validateLayout(timestampFirst, timestampLast)) {
String error = "Layout does not match the requirements";
notAssertPolicy(aim, SP12Constants.LAYOUT, error);
+ ai.setNotAsserted(error);
return false;
}
+ assertPolicy(aim, SP12Constants.LAYOUT);
}
// We don't need to check these policies for the Transport binding
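Review bot: The two new `ai.setNotAsserted(error)` lines report each failure twice — once against the nested IncludeTimestamp/Layout assertion through `notAssertPolicy` and once against the enclosing binding assertion through `ai` — and nothing in the hunk says why both are needed, so the next reader may "simplify" one away. A one-line comment above each pair would settle it, e.g. `// Fail both the nested assertion and the enclosing binding assertion so the failure is visible at either level`, and the repeated `notAssertPolicy(...) / ai.setNotAsserted(error)` pair is a candidate for a small private helper if the other binding validators use the same shape. Also worth confirming that the unconditional `assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP)` is intended when `binding.isIncludeTimestamp()` is false; if `assertPolicy` is a no-op for assertions absent from `aim`, saying so in a comment avoids the question. The enclosing method starts outside the hunk, so whether its earlier failure paths also call `ai.setNotAsserted` cannot be checked here.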
Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java (original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java Wed Oct 26 18:06:32 2011
@@ -61,7 +61,7 @@ public class SAMLTokenProvider implement
private List<AttributeStatementProvider> attributeStatementProviders;
private List<AuthenticationStatementProvider> authenticationStatementProviders;
- private List<AuthDecisionStatementProvider> authenticationDecisionStatementProviders;
+ private List<AuthDecisionStatementProvider> authDecisionStatementProviders;
private SubjectProvider subjectProvider = new DefaultSubjectProvider();
private ConditionsProvider conditionsProvider = new DefaultConditionsProvider();
private boolean signToken = true;
@@ -355,11 +355,11 @@ public class SAMLTokenProvider implement
// Parse the AuthDecisionStatements
List<AuthDecisionStatementBean> authDecisionBeanList = null;
- if (authenticationDecisionStatementProviders != null
- && authenticationDecisionStatementProviders.size() > 0) {
+ if (authDecisionStatementProviders != null
+ && authDecisionStatementProviders.size() > 0) {
authDecisionBeanList = new ArrayList<AuthDecisionStatementBean>();
for (AuthDecisionStatementProvider statementProvider
- : authenticationDecisionStatementProviders) {
+ : authDecisionStatementProviders) {
AuthDecisionStatementBean statementBean =
statementProvider.getStatement(tokenParameters);
if (statementBean != null) {
Modified: cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/DoubleIt.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/DoubleIt.wsdl?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/DoubleIt.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/DoubleIt.wsdl Wed Oct 26 18:06:32 2011
@@ -538,7 +538,6 @@
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
- <sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:SymmetricBinding>
<sp:EncryptedElements