Posted to java-commits@axis.apache.org by ve...@apache.org on 2014/07/16 20:14:25 UTC
svn commit: r1611122 - in /axis/axis2/java/rampart/trunk/modules:
rampart-core/src/main/java/org/apache/rampart/
rampart-core/src/main/java/org/apache/rampart/util/ rampart-integration/
rampart-integration/src/test/java/org/apache/rampart/ rampart-inte...
Author: veithen
Date: Wed Jul 16 18:14:24 2014
New Revision: 1611122
URL: http://svn.apache.org/r1611122
Log:
RAMPART-415: Applied Detelin Yordanov's patch to restore support for UsernameToken assertions with no password requirement.
Added:
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml (with props)
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml (with props)
Modified:
axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java
Modified: axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java?rev=1611122&r1=1611121&r2=1611122&view=diff
==============================================================================
--- axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java (original)
+++ axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java Wed Jul 16 18:14:24 2014
@@ -32,6 +32,7 @@ import org.apache.rampart.saml.SAMLAsser
import org.apache.rampart.util.Axis2Util;
import org.apache.rampart.util.RampartUtil;
import org.apache.ws.secpolicy.WSSPolicyException;
+import org.apache.ws.secpolicy.model.UsernameToken;
import org.apache.ws.security.*;
import org.apache.ws.security.components.crypto.Crypto;
@@ -117,6 +118,19 @@ public class RampartEngine {
t0 = System.currentTimeMillis();
}
+ //wss4j does not allow username tokens with no password per default, see https://issues.apache.org/jira/browse/WSS-420
+ //configure it to allow them explicitly if at least one username token assertion with no password requirement is found
+ if (!rmd.isInitiator()) {
+ Collection<UsernameToken> usernameTokens = RampartUtil.getUsernameTokens(rpd);
+ for (UsernameToken usernameTok : usernameTokens) {
+ if (usernameTok.isNoPassword()) {
+ log.debug("Found UsernameToken with no password assertion in policy, configuring ws security processing to allow username tokens without password." );
+ engine.getWssConfig().setAllowUsernameTokenNoPassword(true);
+ break;
+ }
+ }
+ }
+
String actorValue = secHeader.getAttributeValue(new QName(rmd
.getSoapConstants().getEnvelopeURI(), "actor"));
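Review bot: `engine.getWssConfig().setAllowUsernameTokenNoPassword(true)` relaxes the WSS4J check engine-wide, so once it is set every UsernameToken in the message is accepted without a password, not only the ones that match the `sp:NoPassword` assertion that triggered it; a policy combining one no-password assertion with one password-requiring assertion therefore depends entirely on the later policy validation to reject a password-less token where one is required, which the comment should say, e.g. `// NOTE: engine-wide; password presence for other UsernameToken assertions must still be enforced by policy validation`. If `engine.getWssConfig()` returns a shared or default WSSConfig rather than a per-engine instance, the flag (which is never reset to false here) would also persist across messages and policies handled by that engine; confirm which it is. The hunk uses `Collection<UsernameToken>` but only the `UsernameToken` import is added in the first hunk, so `java.util.Collection` must already be imported in RampartEngine.java; that is not visible here. The enclosing method starts before this hunk and continues past it.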
Modified: axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java?rev=1611122&r1=1611121&r2=1611122&view=diff
==============================================================================
--- axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java (original)
+++ axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java Wed Jul 16 18:14:24 2014
@@ -1929,4 +1929,60 @@ public class RampartUtil {
QName value = code.getValueAsQName();
return value == null ? false : value.getNamespaceURI().equals(WSConstants.WSSE_NS);
}
+
+ /**
+ * @param rpd Rampart policy data instance. Must not be null.
+ * @return A collection of all {@link UsernameToken} supporting token assertions in the specified Rampart policy instance. The method will check the following lists:
+ * <ul>
+ * <li>{@link RampartPolicyData#getSupportingTokensList()}</li>
+ * <li>{@link RampartPolicyData#getSignedSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getSignedEndorsingSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getEndorsingSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getEncryptedSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getSignedEncryptedSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getEndorsingEncryptedSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getSignedEndorsingEncryptedSupportingTokens()}</li>
+ * </ul>
+ */
+ public static Collection<UsernameToken> getUsernameTokens(RampartPolicyData rpd) {
+ Collection<UsernameToken> usernameTokens = new ArrayList<UsernameToken>();
+
+ List<SupportingToken> supportingToks = rpd.getSupportingTokensList();
+ for (SupportingToken suppTok : supportingToks) {
+ usernameTokens.addAll(getUsernameTokens(suppTok));
+ }
+
+ usernameTokens.addAll(getUsernameTokens(rpd.getSignedSupportingTokens()));
+ usernameTokens.addAll(getUsernameTokens(rpd.getSignedEndorsingSupportingTokens()));
+ usernameTokens.addAll(getUsernameTokens(rpd.getEndorsingSupportingTokens()));
+ usernameTokens.addAll(getUsernameTokens(rpd.getEncryptedSupportingTokens()));
+ usernameTokens.addAll(getUsernameTokens(rpd.getSignedEncryptedSupportingTokens()));
+ usernameTokens.addAll(getUsernameTokens(rpd.getEndorsingEncryptedSupportingTokens()));
+ usernameTokens.addAll(getUsernameTokens(rpd.getSignedEndorsingEncryptedSupportingTokens()));
+
+ return usernameTokens;
+ }
+
+ /**
+ * @param suppTok The {@link SupportingToken} assertion to check for username tokens.
+ * @return A collection of all tokens in the specified <code>suppTok</code> SupportingToken assertion which are instances of {@link UsernameToken}.
+ * If the specified <code>suppTok</code> SupportingToken assertion is <code>null</code>, an empty collection will be returned.
+ */
+ public static Collection<UsernameToken> getUsernameTokens(SupportingToken suppTok) {
+
+ if (suppTok == null) {
+ return new ArrayList<UsernameToken>();
+ }
+
+ Collection<UsernameToken> usernameTokens = new ArrayList<UsernameToken>();
+ ArrayList tokens = suppTok.getTokens();
+ for (Iterator iter = tokens.iterator(); iter.hasNext();) {
+ org.apache.ws.secpolicy.model.Token token = (org.apache.ws.secpolicy.model.Token) iter.next();
+ if (token instanceof UsernameToken) {
+ usernameTokens.add((UsernameToken)token);
+ }
+ }
+
+ return usernameTokens;
+ }
}
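Review bot: `getUsernameTokens(RampartPolicyData)` null-guards each single `SupportingToken` through the overload, but `rpd.getSupportingTokensList()` is iterated directly, so a null list would throw here; I cannot see RampartPolicyData to say whether it can be null, so either add the same guard or document the assumption. The Javadoc of that method starts at `@param` with no summary sentence, so add one such as `Collects all UsernameToken assertions from every supporting-token list of the given policy data.` together with `@throws NullPointerException if rpd is null`. In the second overload the raw `ArrayList`/`Iterator` and the intermediate cast to `Token` are unnecessary: `for (Object token : suppTok.getTokens())` followed by the existing `instanceof UsernameToken` check does the same without unchecked warnings, and the null branch can return `Collections.<UsernameToken>emptyList()` instead of allocating if `java.util.Collections` is imported, since the only caller just passes it to `addAll`. Both methods are fully visible; the hunk ends at the class closing brace.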
Modified: axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml?rev=1611122&r1=1611121&r2=1611122&view=diff
==============================================================================
--- axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml (original)
+++ axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml Wed Jul 16 18:14:24 2014
@@ -284,6 +284,10 @@
<!-- Service 34 -->
<copy overwrite="yes" file="src/test/resources/rampart/services-34.xml" tofile="target/temp-ramp/META-INF/services.xml" />
<jar jarfile="target/test-resources/rampart_service_repo/services/SecureService34.aar" basedir="target/temp-ramp" />
+
+ <!-- Service 35 -->
+ <copy overwrite="yes" file="src/test/resources/rampart/services-35.xml" tofile="target/temp-ramp/META-INF/services.xml" />
+ <jar jarfile="target/test-resources/rampart_service_repo/services/SecureService35.aar" basedir="target/temp-ramp" />
<!-- Service SC-1 -->
Modified: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java?rev=1611122&r1=1611121&r2=1611122&view=diff
==============================================================================
--- axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java (original)
+++ axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java Wed Jul 16 18:14:24 2014
@@ -96,7 +96,7 @@ public class RampartTest extends TestCas
}
//for (int i = 34; i <= 34; i++) { //<-The number of tests we have
- for (int i = 1; i <= 34; i++) { //<-The number of tests we have
+ for (int i = 1; i <= 35; i++) { //<-The number of tests we have
if(!basic256Supported && (i == 3 || i == 4 || i == 5)) {
//Skip the Basic256 tests
continue;
Added: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml?rev=1611122&view=auto
==============================================================================
--- axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml (added)
+++ axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml Wed Jul 16 18:14:24 2014
@@ -0,0 +1,76 @@
+<wsp:Policy wsu:Id="EncrSupTokensUTNoPasswd"
+ xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+ xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SymmetricBinding>
+ <wsp:Policy>
+ <sp:ProtectionToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:RequireThumbprintReference />
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:ProtectionToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:OnlySignEntireHeadersAndBody />
+ </wsp:Policy>
+ </sp:SymmetricBinding>
+ <sp:EncryptedParts>
+ <sp:Body />
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body />
+ </sp:SignedParts>
+ <sp:EncryptedSupportingTokens>
+ <wsp:Policy>
+ <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:WssUsernameToken11 />
+ <sp:NoPassword />
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:EncryptedSupportingTokens>
+
+ <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
+ <ramp:user>alice</ramp:user>
+ <ramp:encryptionUser>bob</ramp:encryptionUser>
+ <ramp:passwordCallbackClass>org.apache.rampart.PWCallback</ramp:passwordCallbackClass>
+
+ <ramp:signatureCrypto>
+ <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+ </ramp:crypto>
+ </ramp:signatureCrypto>
+ <ramp:encryptionCypto>
+ <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+ </ramp:crypto>
+ </ramp:encryptionCypto>
+ </ramp:RampartConfig>
+ </wsp:All>
+ </wsp:ExactlyOne>
+</wsp:Policy>
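Review bot: Nothing in this file names the scenario it exercises, so a reader of the integration suite has to cross-reference the commit log; add an XML comment before the root element such as `<!-- RAMPART-415: UsernameToken with sp:NoPassword as an encrypted supporting token under a symmetric binding -->`, and the same comment in the copy embedded in services-35.xml. It is worth stating in that comment that the token is deliberately only encrypted and not signed (EncryptedSupportingTokens requires encryption, not a signature) and carries no password, so this fixture does not exercise any authentication of the token's subject, only the policy/engine acceptance path that the commit restores.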
Propchange: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml
------------------------------------------------------------------------------
svn:eol-style = native
Added: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml?rev=1611122&view=auto
==============================================================================
--- axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml (added)
+++ axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml Wed Jul 16 18:14:24 2014
@@ -0,0 +1,94 @@
+<service name="SecureService35">
+
+ <module ref="addressing"/>
+ <module ref="rampart"/>
+
+ <parameter locked="false" name="ServiceClass">org.apache.rampart.Service</parameter>
+
+ <operation name="echo">
+ <messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
+ <actionMapping>urn:echo</actionMapping>
+ </operation>
+
+ <operation name="returnError">
+ <messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
+ <actionMapping>urn:returnError</actionMapping>
+ </operation>
+
+ <wsp:Policy wsu:Id="EncrSupTokensUTNoPasswd"
+ xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+ xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SymmetricBinding>
+ <wsp:Policy>
+ <sp:ProtectionToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:RequireThumbprintReference />
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:ProtectionToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:OnlySignEntireHeadersAndBody />
+ </wsp:Policy>
+ </sp:SymmetricBinding>
+ <sp:EncryptedParts>
+ <sp:Body />
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body />
+ </sp:SignedParts>
+ <sp:EncryptedSupportingTokens>
+ <wsp:Policy>
+ <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:WssUsernameToken11 />
+ <sp:NoPassword />
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:EncryptedSupportingTokens>
+
+ <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
+ <ramp:user>bob</ramp:user>
+ <ramp:encryptionUser>alice</ramp:encryptionUser>
+ <ramp:passwordCallbackClass>org.apache.rampart.PWCallback</ramp:passwordCallbackClass>
+
+ <ramp:signatureCrypto>
+ <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+ </ramp:crypto>
+ </ramp:signatureCrypto>
+ <ramp:encryptionCypto>
+ <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+ </ramp:crypto>
+ </ramp:encryptionCypto>
+ </ramp:RampartConfig>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+</service>
Propchange: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml
------------------------------------------------------------------------------
svn:eol-style = native