Posted to commits@cxf.apache.org by co...@apache.org on 2013/10/23 15:50:48 UTC
svn commit: r1535031 -
/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
Author: coheigea
Date: Wed Oct 23 13:50:47 2013
New Revision: 1535031
URL: http://svn.apache.org/r1535031
Log:
Asserting more security policies on the outbound side
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Wed Oct 23 13:50:47 2013
@@ -417,6 +417,7 @@ public abstract class AbstractBindingBui
|| token instanceof SecureConversationToken
|| token instanceof SecurityContextToken
|| token instanceof KerberosToken)) {
+ assertToken(token);
//ws-trust/ws-sc stuff.......
SecurityToken secToken = getSecurityToken();
if (secToken == null) {
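Review bot: `assertToken(token)` is now called before `getSecurityToken()` is checked for null, so the token's policy assertion is recorded even when no security token turns out to be available and the branch bails out. The same up-front ordering is introduced in the addUsernameToken, addDKUsernameToken and addSamlToken hunks of this file, which previously set `info.setAsserted(true)` only after the token had been built and which still contain `return null` paths after the new call, and in the addUsernameToken, addKerberosToken, addSamlToken and addIssuedToken hunks of AbstractStaxBindingHandler, where the call precedes the `isTokenRequired` check. Unless every such early return also reports the failure through policyNotAsserted (not visible here), an outbound message could be sent with the policy marked satisfied but the token absent. Keeping `assertToken(token)` immediately before the successful return, or at the call site once a non-null result is available, ties the assertion to the token actually being written. The enclosing method starts before this hunk.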
@@ -482,6 +483,7 @@ public abstract class AbstractBindingBui
} else if (token instanceof X509Token) {
//We have to use a cert
//Prepare X509 signature
+ assertToken(token);
WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
Element bstElem = sig.getBinarySecurityTokenElement();
if (bstElem != null) {
@@ -493,6 +495,7 @@ public abstract class AbstractBindingBui
}
ret.put(token, sig);
} else if (token instanceof KeyValueToken) {
+ assertToken(token);
WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
if (suppTokens.isEncryptedToken()) {
WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
@@ -693,16 +696,9 @@ public abstract class AbstractBindingBui
}
protected WSSecUsernameToken addUsernameToken(UsernameToken token) {
- AssertionInfo info = null;
- Collection<AssertionInfo> ais = aim.getAssertionInfo(token.getName());
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == token) {
- info = ai;
- if (!isRequestor()) {
- info.setAsserted(true);
- return null;
- }
- }
+ assertToken(token);
+ if (!isRequestor()) {
+ return null;
}
String userName = (String)message.getContextualProperty(SecurityConstants.USERNAME);
@@ -746,7 +742,6 @@ public abstract class AbstractBindingBui
assertPolicy(SP13Constants.NONCE);
}
- info.setAsserted(true);
assertPolicy(
new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN10));
assertPolicy(
@@ -759,16 +754,9 @@ public abstract class AbstractBindingBui
}
protected WSSecUsernameToken addDKUsernameToken(UsernameToken token, boolean useMac) {
- AssertionInfo info = null;
- Collection<AssertionInfo> ais = aim.getAssertionInfo(token.getName());
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == token) {
- info = ai;
- if (!isRequestor()) {
- info.setAsserted(true);
- return null;
- }
- }
+ assertToken(token);
+ if (!isRequestor()) {
+ return null;
}
String userName = (String)message.getContextualProperty(SecurityConstants.USERNAME);
@@ -790,7 +778,6 @@ public abstract class AbstractBindingBui
return null;
}
- info.setAsserted(true);
assertPolicy(
new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN10));
assertPolicy(
@@ -803,16 +790,9 @@ public abstract class AbstractBindingBui
}
protected SamlAssertionWrapper addSamlToken(SamlToken token) throws WSSecurityException {
- AssertionInfo info = null;
- Collection<AssertionInfo> ais = aim.getAssertionInfo(token.getName());
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == token) {
- info = ai;
- if (!isRequestor()) {
- info.setAsserted(true);
- return null;
- }
- }
+ assertToken(token);
+ if (!isRequestor()) {
+ return null;
}
//
@@ -851,8 +831,6 @@ public abstract class AbstractBindingBui
return null;
}
- info.setAsserted(true);
-
SAMLCallback samlCallback = new SAMLCallback();
SamlTokenType tokenType = token.getSamlTokenType();
if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java Wed Oct 23 13:50:47 2013
@@ -44,15 +44,28 @@ import org.apache.wss4j.common.ext.WSSec
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SP13Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
import org.apache.wss4j.policy.model.AbstractBinding;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractTokenWrapper;
import org.apache.wss4j.policy.model.AlgorithmSuite;
import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
+import org.apache.wss4j.policy.model.HttpsToken;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SpnegoContextToken;
import org.apache.wss4j.policy.model.Trust10;
import org.apache.wss4j.policy.model.Trust13;
+import org.apache.wss4j.policy.model.UsernameToken;
import org.apache.wss4j.policy.model.Wss10;
import org.apache.wss4j.policy.model.Wss11;
+import org.apache.wss4j.policy.model.X509Token;
import org.apache.xml.security.utils.Base64;
/**
@@ -108,6 +121,168 @@ public abstract class AbstractCommonBind
}
}
+ protected void assertTokenWrapper(AbstractTokenWrapper tokenWrapper) {
+ if (tokenWrapper == null) {
+ return;
+ }
+ assertPolicy(tokenWrapper.getName());
+ }
+
+ protected void assertToken(AbstractToken token) {
+ if (token == null) {
+ return;
+ }
+ assertPolicy(token.getName());
+
+ String namespace = token.getName().getNamespaceURI();
+ if (token instanceof X509Token) {
+ X509Token x509Token = (X509Token)token;
+ assertX509Token(x509Token);
+ } else if (token instanceof HttpsToken) {
+ HttpsToken httpsToken = (HttpsToken)token;
+ if (httpsToken.getAuthenticationType() != null) {
+ assertPolicy(new QName(namespace, httpsToken.getAuthenticationType().name()));
+ }
+ } else if (token instanceof KeyValueToken) {
+ KeyValueToken keyValueToken = (KeyValueToken)token;
+ if (keyValueToken.isRsaKeyValue()) {
+ assertPolicy(new QName(namespace, SPConstants.RSA_KEY_VALUE));
+ }
+ } else if (token instanceof UsernameToken) {
+ UsernameToken usernameToken = (UsernameToken)token;
+ assertUsernameToken(usernameToken);
+ } else if (token instanceof SecureConversationToken) {
+ SecureConversationToken scToken = (SecureConversationToken)token;
+ assertSecureConversationToken(scToken);
+ } else if (token instanceof SecurityContextToken) {
+ SecurityContextToken scToken = (SecurityContextToken)token;
+ assertSecurityContextToken(scToken);
+ } else if (token instanceof SpnegoContextToken) {
+ SpnegoContextToken scToken = (SpnegoContextToken)token;
+ assertSpnegoContextToken(scToken);
+ } else if (token instanceof IssuedToken) {
+ IssuedToken issuedToken = (IssuedToken)token;
+ assertIssuedToken(issuedToken);
+ } else if (token instanceof KerberosToken) {
+ KerberosToken kerberosToken = (KerberosToken)token;
+ assertKerberosToken(kerberosToken);
+ } else if (token instanceof SamlToken) {
+ SamlToken samlToken = (SamlToken)token;
+ assertSamlToken(samlToken);
+ }
+ }
+
+ private void assertX509Token(X509Token token) {
+ String namespace = token.getName().getNamespaceURI();
+
+ if (token.isRequireEmbeddedTokenReference()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE));
+ }
+ if (token.isRequireIssuerSerialReference()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE));
+ }
+ if (token.isRequireKeyIdentifierReference()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+ }
+ if (token.isRequireThumbprintReference()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_THUMBPRINT_REFERENCE));
+ }
+ if (token.getTokenType() != null) {
+ assertPolicy(new QName(namespace, token.getTokenType().name()));
+ }
+ }
+
+ private void assertUsernameToken(UsernameToken token) {
+ String namespace = token.getName().getNamespaceURI();
+
+ if (token.getPasswordType() != null) {
+ assertPolicy(new QName(namespace, token.getPasswordType().name()));
+ }
+ if (token.getUsernameTokenType() != null) {
+ assertPolicy(new QName(namespace, token.getUsernameTokenType().name()));
+ }
+ if (token.isCreated()) {
+ assertPolicy(SP13Constants.CREATED);
+ }
+ if (token.isNonce()) {
+ assertPolicy(SP13Constants.NONCE);
+ }
+ }
+
+ private void assertSecurityContextToken(SecurityContextToken token) {
+ String namespace = token.getName().getNamespaceURI();
+ if (token.isRequireExternalUriReference()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_EXTERNAL_URI_REFERENCE));
+ }
+ if (token.isSc10SecurityContextToken()) {
+ assertPolicy(new QName(namespace, SPConstants.SC10_SECURITY_CONTEXT_TOKEN));
+ }
+ if (token.isSc13SecurityContextToken()) {
+ assertPolicy(new QName(namespace, SPConstants.SC13_SECURITY_CONTEXT_TOKEN));
+ }
+ }
+
+ private void assertSecureConversationToken(SecureConversationToken token) {
+ assertSecurityContextToken(token);
+
+ String namespace = token.getName().getNamespaceURI();
+ if (token.isMustNotSendAmend()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_NOT_SEND_AMEND));
+ }
+ if (token.isMustNotSendCancel()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_NOT_SEND_CANCEL));
+ }
+ if (token.isMustNotSendRenew()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_NOT_SEND_RENEW));
+ }
+ }
+
+ private void assertSpnegoContextToken(SpnegoContextToken token) {
+ String namespace = token.getName().getNamespaceURI();
+ if (token.isMustNotSendAmend()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_NOT_SEND_AMEND));
+ }
+ if (token.isMustNotSendCancel()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_NOT_SEND_CANCEL));
+ }
+ if (token.isMustNotSendRenew()) {
+ assertPolicy(new QName(namespace, SPConstants.MUST_NOT_SEND_RENEW));
+ }
+ }
+
+ private void assertIssuedToken(IssuedToken token) {
+ String namespace = token.getName().getNamespaceURI();
+
+ if (token.isRequireExternalReference()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_EXTERNAL_REFERENCE));
+ }
+ if (token.isRequireInternalReference()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_INTERNAL_REFERENCE));
+ }
+ }
+
+ private void assertKerberosToken(KerberosToken token) {
+ String namespace = token.getName().getNamespaceURI();
+
+ if (token.isRequireKeyIdentifierReference()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+ }
+ if (token.getApReqTokenType() != null) {
+ assertPolicy(new QName(namespace, token.getApReqTokenType().name()));
+ }
+ }
+
+ private void assertSamlToken(SamlToken token) {
+ String namespace = token.getName().getNamespaceURI();
+
+ if (token.isRequireKeyIdentifierReference()) {
+ assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+ }
+ if (token.getSamlTokenType() != null) {
+ assertPolicy(new QName(namespace, token.getSamlTokenType().name()));
+ }
+ }
+
protected void assertAlgorithmSuite(AlgorithmSuite algorithmSuite) {
if (algorithmSuite == null) {
return;
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java Wed Oct 23 13:50:47 2013
@@ -130,6 +130,7 @@ public abstract class AbstractStaxBindin
}
protected SecurePart addUsernameToken(UsernameToken usernameToken) {
+ assertToken(usernameToken);
IncludeTokenType includeToken = usernameToken.getIncludeTokenType();
if (!isTokenRequired(includeToken)) {
return null;
@@ -206,6 +207,7 @@ public abstract class AbstractStaxBindin
protected SecurePart addKerberosToken(
KerberosToken token, boolean signed, boolean endorsing, boolean encrypting
) throws WSSecurityException {
+ assertToken(token);
IncludeTokenType includeToken = token.getIncludeTokenType();
if (!isTokenRequired(includeToken)) {
return null;
@@ -285,6 +287,7 @@ public abstract class AbstractStaxBindin
boolean signed,
boolean endorsing
) throws WSSecurityException {
+ assertToken(token);
IncludeTokenType includeToken = token.getIncludeTokenType();
if (!isTokenRequired(includeToken)) {
return null;
@@ -338,6 +341,7 @@ public abstract class AbstractStaxBindin
protected SecurePart addIssuedToken(IssuedToken token, SecurityToken secToken,
boolean signed, boolean endorsing) {
+ assertToken(token);
if (isTokenRequired(token.getIncludeTokenType())) {
final Element el = secToken.getToken();
@@ -500,6 +504,9 @@ public abstract class AbstractStaxBindin
}
ai.setAsserted(true);
}
+ if (layout != null && layout.getLayoutType() != null) {
+ assertPolicy(new QName(layout.getName().getNamespaceURI(), layout.getLayoutType().name()));
+ }
if (!timestampAdded) {
return;
@@ -519,8 +526,7 @@ public abstract class AbstractStaxBindin
action + " " + ConfigurationConstants.TIMESTAMP);
}
} else {
- config.put(ConfigurationConstants.ACTION,
- ConfigurationConstants.TIMESTAMP);
+ config.put(ConfigurationConstants.ACTION, ConfigurationConstants.TIMESTAMP);
}
}
@@ -739,6 +745,7 @@ public abstract class AbstractStaxBindin
}
}
} else if (token instanceof X509Token || token instanceof KeyValueToken) {
+ assertToken(token);
configureSignature(suppTokens, token, false);
if (suppTokens.isEncryptedToken()) {
SecurePart part =
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Wed Oct 23 13:50:47 2013
@@ -97,6 +97,7 @@ public class AsymmetricBindingHandler ex
public void handleBinding() {
WSSecTimestamp timestamp = createTimestamp();
handleLayout(timestamp);
+ assertPolicy(abinding.getName());
if (abinding.getProtectionOrder()
== AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
@@ -122,6 +123,7 @@ public class AsymmetricBindingHandler ex
if (initiatorWrapper == null) {
initiatorWrapper = abinding.getInitiatorToken();
}
+ assertTokenWrapper(initiatorWrapper);
boolean attached = false;
if (initiatorWrapper != null) {
AbstractToken initiatorToken = initiatorWrapper.getToken();
@@ -155,6 +157,7 @@ public class AsymmetricBindingHandler ex
return;
}
}
+ assertToken(initiatorToken);
}
// Add timestamp
@@ -178,6 +181,8 @@ public class AsymmetricBindingHandler ex
recipientSignatureToken = abinding.getRecipientToken();
}
if (recipientSignatureToken != null) {
+ assertTokenWrapper(recipientSignatureToken);
+ assertToken(recipientSignatureToken.getToken());
doSignature(recipientSignatureToken, sigs, attached);
}
}
@@ -213,6 +218,10 @@ public class AsymmetricBindingHandler ex
}
}
doEncryption(encToken, enc, false);
+ if (encToken != null) {
+ assertTokenWrapper(encToken);
+ assertToken(encToken.getToken());
+ }
} catch (Exception e) {
String reason = e.getMessage();
@@ -222,9 +231,8 @@ public class AsymmetricBindingHandler ex
}
}
- private void doEncryptBeforeSign() {
+ private AbstractTokenWrapper getEncryptBeforeSignWrapper() {
AbstractTokenWrapper wrapper;
- AbstractToken encryptionToken = null;
if (isRequestor()) {
wrapper = abinding.getRecipientEncryptionToken();
if (wrapper == null) {
@@ -236,12 +244,21 @@ public class AsymmetricBindingHandler ex
wrapper = abinding.getInitiatorToken();
}
}
- encryptionToken = wrapper.getToken();
+ assertTokenWrapper(wrapper);
+
+ return wrapper;
+ }
+
+ private void doEncryptBeforeSign() {
+ AbstractTokenWrapper wrapper = getEncryptBeforeSignWrapper();
+ AbstractToken encryptionToken = wrapper.getToken();
+ assertToken(encryptionToken);
AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
if (initiatorWrapper == null) {
initiatorWrapper = abinding.getInitiatorToken();
}
+ assertTokenWrapper(initiatorWrapper);
boolean attached = false;
if (initiatorWrapper != null) {
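Review bot: `AbstractToken encryptionToken = wrapper.getToken();` dereferences the wrapper returned by getEncryptBeforeSignWrapper() without a null check, even though `assertTokenWrapper(wrapper)` just above it tolerates null; when neither the encryption token nor the fallback token is configured this is a NullPointerException rather than a policy failure (the original `encryptionToken = wrapper.getToken()` had the same dereference, so this is pre-existing but now more visible). If policyNotAsserted is reachable from this class, a guard in doEncryptBeforeSign such as `if (wrapper == null) { policyNotAsserted(abinding, "No encryption token"); return; }` reports the missing token the way the symmetric handlers report `"No signature token"`. The same tolerate-then-dereference sequence appears in the StaxAsymmetricBindingHandler doEncryptBeforeSign hunk and in the doEncryptBeforeSign/doSignBeforeEncrypt hunks of StaxSymmetricBindingHandler and SymmetricBindingHandler. getEncryptBeforeSignWrapper also deserves a one-line Javadoc stating which token it resolves for requestor versus responder, since that selection is the security-relevant part of the helper.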
@@ -283,6 +300,7 @@ public class AsymmetricBindingHandler ex
return;
}
}
+ assertToken(initiatorToken);
}
List<WSEncryptionPart> encrParts = null;
@@ -297,10 +315,6 @@ public class AsymmetricBindingHandler ex
throw new Fault(ex);
}
- //if (encryptionToken == null && encrParts.size() > 0) {
- //REVISIT - no token to encrypt with
- //}
-
WSSecBase encrBase = null;
if (encryptionToken != null && encrParts.size() > 0) {
encrBase = doEncryption(wrapper, encrParts, true);
@@ -335,6 +349,8 @@ public class AsymmetricBindingHandler ex
recipientSignatureToken = abinding.getRecipientToken();
}
if (recipientSignatureToken != null) {
+ assertTokenWrapper(recipientSignatureToken);
+ assertToken(recipientSignatureToken.getToken());
doSignature(recipientSignatureToken, sigParts, attached);
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java Wed Oct 23 13:50:47 2013
@@ -81,6 +81,7 @@ public class StaxAsymmetricBindingHandle
AssertionInfoMap aim = getMessage().get(AssertionInfoMap.class);
configureTimestamp(aim);
abinding = (AsymmetricBinding)getBinding(aim);
+ assertPolicy(abinding.getName());
String asymSignatureAlgorithm =
(String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
@@ -105,6 +106,10 @@ public class StaxAsymmetricBindingHandle
assertTrustProperties(abinding.getName().getNamespaceURI());
assertPolicy(
new QName(abinding.getName().getNamespaceURI(), SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
+ if (abinding.isProtectTokens()) {
+ assertPolicy(
+ new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
+ }
}
private void doSignBeforeEncrypt() {
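Review bot: The ProtectTokens assertion is now made during binding setup, before any signature is configured, whereas the block removed later in this file (next to `config.put(ConfigurationConstants.SIGNATURE_PARTS, parts)`) asserted it only once the signature configuration had been built. If the signature path returns early without calling policyNotAsserted (not visible here), the message would go out with ProtectTokens marked satisfied but the token not covered by the signature. The same relocation is made in StaxSymmetricBindingHandler, where the removed branch shows the assertion was previously tied to the `EncryptedKey` signature part being added. If asserting at setup is intended, a comment such as `// ProtectTokens is asserted up front; the signature configuration must still cover the token` would make that ordering deliberate. The enclosing method starts before this hunk.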
@@ -114,6 +119,7 @@ public class StaxAsymmetricBindingHandle
initiatorWrapper = abinding.getInitiatorToken();
}
if (initiatorWrapper != null) {
+ assertTokenWrapper(initiatorWrapper);
AbstractToken initiatorToken = initiatorWrapper.getToken();
if (initiatorToken instanceof IssuedToken) {
SecurityToken sigTok = getSecurityToken();
@@ -134,6 +140,7 @@ public class StaxAsymmetricBindingHandle
} else if (initiatorToken instanceof SamlToken) {
addSamlToken((SamlToken)initiatorToken, false, true);
}
+ assertToken(initiatorToken);
}
// Add timestamp
@@ -156,6 +163,10 @@ public class StaxAsymmetricBindingHandle
if (recipientSignatureToken == null) {
recipientSignatureToken = abinding.getRecipientToken();
}
+ if (recipientSignatureToken != null) {
+ assertTokenWrapper(recipientSignatureToken);
+ assertToken(recipientSignatureToken.getToken());
+ }
if (recipientSignatureToken != null && sigs.size() > 0) {
doSignature(recipientSignatureToken, sigs);
}
@@ -202,7 +213,11 @@ public class StaxAsymmetricBindingHandle
if (encToken == null) {
encToken = abinding.getInitiatorToken();
}
- }
+ }
+ if (encToken != null) {
+ assertTokenWrapper(encToken);
+ assertToken(encToken.getToken());
+ }
doEncryption(encToken, enc, false);
} catch (Exception e) {
@@ -227,7 +242,9 @@ public class StaxAsymmetricBindingHandle
wrapper = abinding.getInitiatorToken();
}
}
+ assertTokenWrapper(wrapper);
encryptionToken = wrapper.getToken();
+ assertToken(encryptionToken);
AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
if (initiatorWrapper == null) {
@@ -235,6 +252,7 @@ public class StaxAsymmetricBindingHandle
}
if (initiatorWrapper != null) {
+ assertTokenWrapper(initiatorWrapper);
AbstractToken initiatorToken = initiatorWrapper.getToken();
if (initiatorToken instanceof IssuedToken) {
SecurityToken sigTok = getSecurityToken();
@@ -308,6 +326,8 @@ public class StaxAsymmetricBindingHandle
recipientSignatureToken = abinding.getRecipientToken();
}
if (recipientSignatureToken != null) {
+ assertTokenWrapper(recipientSignatureToken);
+ assertToken(recipientSignatureToken.getToken());
doSignature(recipientSignatureToken, sigParts);
}
}
@@ -438,11 +458,6 @@ public class StaxAsymmetricBindingHandle
config.put(ConfigurationConstants.INCLUDE_SIGNATURE_TOKEN, "false");
}
- if (abinding.isProtectTokens()) {
- assertPolicy(
- new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
- }
-
config.put(ConfigurationConstants.SIGNATURE_PARTS, parts);
config.put(ConfigurationConstants.OPTIONAL_SIGNATURE_PARTS, optionalParts);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java Wed Oct 23 13:50:47 2013
@@ -105,6 +105,7 @@ public class StaxSymmetricBindingHandler
AssertionInfoMap aim = getMessage().get(AssertionInfoMap.class);
configureTimestamp(aim);
sbinding = (SymmetricBinding)getBinding(aim);
+ assertPolicy(sbinding.getName());
String asymSignatureAlgorithm =
(String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
@@ -142,11 +143,16 @@ public class StaxSymmetricBindingHandler
assertTrustProperties(sbinding.getName().getNamespaceURI());
assertPolicy(
new QName(sbinding.getName().getNamespaceURI(), SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
+ if (sbinding.isProtectTokens()) {
+ assertPolicy(
+ new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
+ }
}
private void doEncryptBeforeSign() {
try {
AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
+ assertTokenWrapper(encryptionWrapper);
AbstractToken encryptionToken = encryptionWrapper.getToken();
//The encryption token can be an IssuedToken or a
@@ -196,6 +202,7 @@ public class StaxSymmetricBindingHandler
policyNotAsserted(sbinding, "UsernameTokens not supported with Symmetric binding");
return;
}
+ assertToken(encryptionToken);
if (tok == null) {
if (tokenId != null && tokenId.startsWith("#")) {
tokenId = tokenId.substring(1);
@@ -270,6 +277,7 @@ public class StaxSymmetricBindingHandler
private void doSignBeforeEncrypt() {
AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
+ assertTokenWrapper(sigAbstractTokenWrapper);
AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
String sigTokId = null;
@@ -319,6 +327,7 @@ public class StaxSymmetricBindingHandler
policyNotAsserted(sbinding, "UsernameTokens not supported with Symmetric binding");
return;
}
+ assertToken(sigToken);
} else {
policyNotAsserted(sbinding, "No signature token");
return;
@@ -546,12 +555,8 @@ public class StaxSymmetricBindingHandler
}
AbstractToken sigToken = wrapper.getToken();
- if (sbinding.isProtectTokens()) {
- if ((sigToken instanceof X509Token) && isRequestor()) {
- parts += "{Element}{" + WSSConstants.NS_XMLENC + "}EncryptedKey;";
- }
- assertPolicy(
- new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
+ if (sbinding.isProtectTokens() && sigToken instanceof X509Token && isRequestor()) {
+ parts += "{Element}{" + WSSConstants.NS_XMLENC + "}EncryptedKey;";
}
config.put(ConfigurationConstants.SIGNATURE_PARTS, parts);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java Wed Oct 23 13:50:47 2013
@@ -81,6 +81,7 @@ public class StaxTransportBindingHandler
if (this.isRequestor()) {
tbinding = (TransportBinding)getBinding(aim);
if (tbinding != null) {
+ assertPolicy(tbinding.getName());
String asymSignatureAlgorithm =
(String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
if (asymSignatureAlgorithm != null && tbinding.getAlgorithmSuite() != null) {
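Review bot: `assertPolicy(tbinding.getName())` is placed inside the `isRequestor()` branch, so on the responder side the TransportBinding assertion is not marked here, while the DOM TransportBindingHandler hunk in this commit adds the same call in the `if (tbinding != null)` block after the try/catch, which runs for both sides. Unless the responder path asserts the binding name elsewhere (not visible), the two handlers diverge and a StAX responder could end up with the binding unasserted. Moving the call next to the `assertAlgorithmSuite(tbinding.getAlgorithmSuite())` sequence that the DOM handler uses, or adding it to the responder branch introduced later in this file beside the transport-token assertions, would restore parity. The enclosing method starts before this hunk.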
@@ -96,6 +97,8 @@ public class StaxTransportBindingHandler
}
addIssuedToken((IssuedToken)token.getToken(), secToken, false, false);
}
+ assertToken(token.getToken());
+ assertTokenWrapper(token);
}
try {
@@ -106,6 +109,10 @@ public class StaxTransportBindingHandler
throw new Fault(e);
}
} else {
+ if (tbinding != null && tbinding.getTransportToken() != null) {
+ assertTokenWrapper(tbinding.getTransportToken());
+ assertToken(tbinding.getTransportToken().getToken());
+ }
addSignatureConfirmation(null);
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java Wed Oct 23 13:50:47 2013
@@ -113,6 +113,7 @@ public class SymmetricBindingHandler ext
public void handleBinding() {
WSSecTimestamp timestamp = createTimestamp();
handleLayout(timestamp);
+ assertPolicy(sbinding.getName());
if (isRequestor()) {
//Setup required tokens
@@ -156,6 +157,7 @@ public class SymmetricBindingHandler ext
private void doEncryptBeforeSign() {
try {
AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
+ assertTokenWrapper(encryptionWrapper);
AbstractToken encryptionToken = encryptionWrapper.getToken();
List<WSEncryptionPart> encrParts = getEncryptedParts();
List<WSEncryptionPart> sigParts = getSignedParts();
@@ -188,6 +190,7 @@ public class SymmetricBindingHandler ext
tokenId = getUTDerivedKey();
}
}
+ assertToken(encryptionToken);
if (tok == null) {
//if (tokenId == null || tokenId.length() == 0) {
//REVISIT - no tokenId? Exception?
@@ -290,6 +293,7 @@ public class SymmetricBindingHandler ext
private void doSignBeforeEncrypt() {
AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
+ assertTokenWrapper(sigAbstractTokenWrapper);
AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
String sigTokId = null;
Element sigTokElem = null;
@@ -316,6 +320,7 @@ public class SymmetricBindingHandler ext
sigTokId = getUTDerivedKey();
}
}
+ assertToken(sigToken);
} else {
policyNotAsserted(sbinding, "No signature token");
return;
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Wed Oct 23 13:50:47 2013
@@ -147,6 +147,8 @@ public class TransportBindingHandler ext
addEncryptedKeyElement(cloneElement(el));
}
}
+ assertToken(transportToken);
+ assertTokenWrapper(transportTokenWrapper);
}
handleNonEndorsingSupportingTokens();
@@ -154,6 +156,10 @@ public class TransportBindingHandler ext
handleEndorsingSupportingTokens();
}
} else {
+ if (tbinding != null && tbinding.getTransportToken() != null) {
+ assertTokenWrapper(tbinding.getTransportToken());
+ assertToken(tbinding.getTransportToken().getToken());
+ }
addSignatureConfirmation(null);
}
} catch (Exception e) {
@@ -162,6 +168,7 @@ public class TransportBindingHandler ext
}
if (tbinding != null) {
+ assertPolicy(tbinding.getName());
assertAlgorithmSuite(tbinding.getAlgorithmSuite());
assertWSSProperties(tbinding.getName().getNamespaceURI());
assertTrustProperties(tbinding.getName().getNamespaceURI());