Posted to commits@cxf.apache.org by co...@apache.org on 2011/03/09 18:58:40 UTC
svn commit: r1079911 - in
/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security:
policy/interceptors/ wss4j/ wss4j/policyhandlers/
Author: coheigea
Date: Wed Mar 9 17:58:40 2011
New Revision: 1079911
URL: http://svn.apache.org/viewvc?rev=1079911&view=rev
Log:
[CXF-2657] - Support for issued tokens using the Asymmetric Binding.
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java?rev=1079911&r1=1079910&r2=1079911&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java Wed Mar 9 17:58:40 2011
@@ -47,6 +47,8 @@ public class WSSecurityPolicyInterceptor
ASSERTION_TYPES.add(SP12Constants.ENCRYPTION_TOKEN);
ASSERTION_TYPES.add(SP12Constants.SIGNATURE_TOKEN);
ASSERTION_TYPES.add(SP12Constants.TRANSPORT_TOKEN);
+ ASSERTION_TYPES.add(SP12Constants.INITIATOR_TOKEN);
+ ASSERTION_TYPES.add(SP12Constants.RECIPIENT_TOKEN);
ASSERTION_TYPES.add(SP12Constants.SIGNED_PARTS);
ASSERTION_TYPES.add(SP12Constants.REQUIRED_PARTS);
ASSERTION_TYPES.add(SP12Constants.REQUIRED_ELEMENTS);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1079911&r1=1079910&r2=1079911&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Wed Mar 9 17:58:40 2011
@@ -726,10 +726,14 @@ public class PolicyBasedWSS4JInIntercept
} else if (prots == Protections.ENCRYPT_SIGN) {
ai.setNotAsserted("Not signed before encrypted");
}
- assertPolicy(aim, abinding.getInitiatorToken());
- assertPolicy(aim, abinding.getRecipientToken());
- assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
- assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
+ if (abinding.getInitiatorToken() != null) {
+ assertPolicy(aim, abinding.getInitiatorToken());
+ assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
+ }
+ if (abinding.getRecipientToken() != null) {
+ assertPolicy(aim, abinding.getRecipientToken());
+ assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
+ }
}
return true;
}
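Review bot: The added null guards cover only the wrappers; `abinding.getInitiatorToken().getToken()` inside each guard is still passed to assertPolicy unchecked, so a wrapper with no nested token behaves as before rather than as a policy failure, unless assertPolicy itself tolerates a null token. A local such as `TokenWrapper initiator = abinding.getInitiatorToken();` would also avoid calling the getter three times per branch. With both wrappers null the method still reaches `return true`, so an asymmetric binding that names neither token passes silently; if that is not intended, the binding's AssertionInfo should be marked not asserted in that case. The enclosing method starts before the hunk.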
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1079911&r1=1079910&r2=1079911&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Wed Mar 9 17:58:40 2011
@@ -1280,10 +1280,53 @@ public abstract class AbstractBindingBui
}
}
- protected WSSecSignature getSignatureBuilder(TokenWrapper wrapper, Token token, boolean endorse) {
+ protected WSSecSignature getSignatureBuilder(
+ TokenWrapper wrapper, Token token, boolean endorse
+ ) {
+ return getSignatureBuilder(wrapper, token, false, endorse);
+ }
+
+ protected WSSecSignature getSignatureBuilder(
+ TokenWrapper wrapper, Token token, boolean attached, boolean endorse
+ ) {
WSSecSignature sig = new WSSecSignature();
- checkForX509PkiPath(sig, token);
- setKeyIdentifierType(sig, wrapper, token);
+ checkForX509PkiPath(sig, token);
+ if (token instanceof IssuedToken) {
+ policyAsserted(token);
+ policyAsserted(wrapper);
+ SecurityToken securityToken = getSecurityToken();
+ String tokenType = securityToken.getTokenType();
+
+ int type = attached ? WSConstants.CUSTOM_SYMM_SIGNING
+ : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
+ if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
+ sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
+ sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+ } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)) {
+ sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
+ sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+ } else {
+ sig.setCustomTokenValueType(tokenType);
+ sig.setKeyIdentifierType(type);
+ }
+
+ String sigTokId;
+ if (attached) {
+ sigTokId = securityToken.getWsuId();
+ if (sigTokId == null) {
+ sigTokId = securityToken.getId();
+ }
+ if (sigTokId.startsWith("#")) {
+ sigTokId = sigTokId.substring(1);
+ }
+ } else {
+ sigTokId = securityToken.getId();
+ }
+
+ sig.setCustomTokenId(sigTokId);
+ } else {
+ setKeyIdentifierType(sig, wrapper, token);
+ }
boolean encryptCrypto = false;
String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
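Review bot: In the new four-argument getSignatureBuilder, `getSecurityToken()` is dereferenced on the very next line with no null check, and the three-argument overload (now a delegating call with attached=false) gives other callers no chance to fail as a policy violation the way AsymmetricBindingHandler does before it reaches doSignature; a missing issued token surfaces as a NullPointerException from `securityToken.getTokenType()`. A guard after the assignment such as `if (securityToken == null) { throw new IllegalStateException("No SecurityToken available for IssuedToken signature"); }`, or a policyNotAsserted call, would make the failure explicit; the same applies to `sigTokId.startsWith("#")` if `getId()` can return null. The new `attached` parameter also deserves a Javadoc line explaining that it selects the wsu:Id of a token already placed in the header (with a leading `#` stripped) and the CUSTOM_SYMM_SIGNING identifier type, rather than the token's own id with the DIRECT variant. The method body continues past the end of the hunk.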
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1079911&r1=1079910&r2=1079911&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Wed Mar 9 17:58:40 2011
@@ -38,11 +38,14 @@ import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
+import org.apache.cxf.ws.security.policy.model.IssuedToken;
import org.apache.cxf.ws.security.policy.model.RecipientToken;
import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.cxf.ws.security.policy.model.TokenWrapper;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityEngineResult;
@@ -95,6 +98,33 @@ public class AsymmetricBindingHandler ex
private void doSignBeforeEncrypt() {
try {
+ TokenWrapper initiatorWrapper = abinding.getInitiatorToken();
+ boolean attached = false;
+ if (initiatorWrapper != null) {
+ Token initiatorToken = initiatorWrapper.getToken();
+ if (initiatorToken instanceof IssuedToken) {
+ SecurityToken secToken = getSecurityToken();
+ if (secToken == null) {
+ policyNotAsserted(initiatorToken, "No intiator token id");
+ return;
+ } else {
+ policyAsserted(initiatorToken);
+
+ IncludeTokenType inclusion = initiatorToken.getInclusion();
+ if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == inclusion
+ || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == inclusion
+ || (isRequestor()
+ && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
+ == inclusion)) {
+
+ Element el = secToken.getToken();
+ this.addEncyptedKeyElement(cloneElement(el));
+ attached = true;
+ }
+ }
+ }
+ }
+
List<WSEncryptionPart> sigs = new ArrayList<WSEncryptionPart>();
if (isRequestor()) {
//Add timestamp
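Review bot: The issued-token attachment block added at the top of doSignBeforeEncrypt is repeated verbatim in the hunk at `@@ -157,6 +187,34 @@` (whose enclosing method is not named in its header), so the inclusion rule will drift the first time one copy is edited. The inclusion test and the header insertion can live in one private helper that both methods call after performing the null-token check, which keeps the early `return` in the callers. The message passed to policyNotAsserted also misspells "initiator" (`"No intiator token id"`) in both copies. The enclosing methods start before and end after their hunks.
```java
    /**
     * Adds the issued token element to the security header when the policy's
     * inclusion mode requires it on this side of the exchange.
     *
     * @return true when the element was attached, so the signature builder
     *         references it by its wsu:Id
     */
    private boolean attachIssuedToken(Token initiatorToken, SecurityToken secToken) {
        IncludeTokenType inclusion = initiatorToken.getInclusion();
        boolean include = inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS
            || inclusion == IncludeTokenType.INCLUDE_TOKEN_ONCE
            || (isRequestor() && inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT);
        if (!include) {
            return false;
        }
        this.addEncyptedKeyElement(cloneElement(secToken.getToken()));
        return true;
    }

    private void doSignBeforeEncrypt() {
        try {
            boolean attached = false;
            TokenWrapper initiatorWrapper = abinding.getInitiatorToken();
            if (initiatorWrapper != null && initiatorWrapper.getToken() instanceof IssuedToken) {
                Token initiatorToken = initiatorWrapper.getToken();
                SecurityToken secToken = getSecurityToken();
                if (secToken == null) {
                    policyNotAsserted(initiatorToken, "No initiator token id");
                    return;
                }
                policyAsserted(initiatorToken);
                attached = attachIssuedToken(initiatorToken, secToken);
            }
            // … unchanged: signed-parts collection, doSignature(sigs, attached), encryption …
```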
@@ -105,7 +135,7 @@ public class AsymmetricBindingHandler ex
}
addSupportingTokens(sigs);
- doSignature(sigs);
+ doSignature(sigs, attached);
doEndorse();
} else {
//confirm sig
@@ -119,7 +149,7 @@ public class AsymmetricBindingHandler ex
}
addSignatureConfirmation(sigs);
- doSignature(sigs);
+ doSignature(sigs, attached);
}
List<WSEncryptionPart> enc = getEncryptedParts();
@@ -157,6 +187,34 @@ public class AsymmetricBindingHandler ex
wrapper = abinding.getInitiatorToken();
}
encryptionToken = wrapper.getToken();
+
+ TokenWrapper initiatorWrapper = abinding.getInitiatorToken();
+ boolean attached = false;
+ if (initiatorWrapper != null) {
+ Token initiatorToken = initiatorWrapper.getToken();
+ if (initiatorToken instanceof IssuedToken) {
+ SecurityToken secToken = getSecurityToken();
+ if (secToken == null) {
+ policyNotAsserted(initiatorToken, "No intiator token id");
+ return;
+ } else {
+ policyAsserted(initiatorToken);
+
+ IncludeTokenType inclusion = initiatorToken.getInclusion();
+ if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == inclusion
+ || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == inclusion
+ || (isRequestor()
+ && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
+ == inclusion)) {
+
+ Element el = secToken.getToken();
+ this.addEncyptedKeyElement(cloneElement(el));
+ attached = true;
+ }
+ }
+ }
+ }
+
List<WSEncryptionPart> encrParts = null;
List<WSEncryptionPart> sigParts = null;
try {
@@ -194,7 +252,7 @@ public class AsymmetricBindingHandler ex
&& abinding.getInitiatorToken() != null)
|| (!isRequestor() && abinding.getRecipientToken() != null)) {
try {
- doSignature(sigParts);
+ doSignature(sigParts, attached);
} catch (WSSecurityException e) {
//REVISIT - exception
e.printStackTrace();
@@ -287,11 +345,21 @@ public class AsymmetricBindingHandler ex
try {
WSSecEncrypt encr = new WSSecEncrypt();
- setKeyIdentifierType(encr, recToken, encrToken);
-
encr.setDocument(saaj.getSOAPPart());
Crypto crypto = getEncryptionCrypto(recToken);
- setEncryptionUser(encr, recToken, false, crypto);
+
+ SecurityToken securityToken = getSecurityToken();
+ setKeyIdentifierType(encr, recToken, encrToken);
+ //
+ // Using a stored cert is only suitable for the Issued Token case, where
+ // we're extracting the cert from a SAML Assertion on the provider side
+ //
+ if (!isRequestor() && securityToken != null
+ && securityToken.getX509Certificate() != null) {
+ encr.setUseThisCert(securityToken.getX509Certificate());
+ } else {
+ setEncryptionUser(encr, recToken, false, crypto);
+ }
encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
encr.setKeyEncAlgo(algorithmSuite.getAsymmetricKeyWrap());
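Review bot: The new `setUseThisCert` branch encrypts to whatever certificate the stored SecurityToken carries, so on the provider side the confidentiality of the response now rests on that token having been signature-validated when it arrived; the code here only checks that a certificate is present, not that the token is the issued token the policy names. If `getSecurityToken()` can return tokens stored for other purposes, a tighter guard such as `encrToken instanceof IssuedToken` alongside the existing null checks would keep the configured encryption user as the default in every other case. The comment above the branch should state the assumption, e.g. `// The cert is taken from the inbound issued (SAML) token, which the inbound chain must already have validated`. The enclosing method starts and ends outside the hunk.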
@@ -338,7 +406,8 @@ public class AsymmetricBindingHandler ex
}
}
- private void doSignature(List<WSEncryptionPart> sigParts) throws WSSecurityException, SOAPException {
+ private void doSignature(List<WSEncryptionPart> sigParts, boolean attached)
+ throws WSSecurityException, SOAPException {
Token sigToken = null;
TokenWrapper wrapper = null;
if (isRequestor()) {
@@ -399,7 +468,7 @@ public class AsymmetricBindingHandler ex
e.printStackTrace();
}
} else {
- WSSecSignature sig = getSignatureBuilder(wrapper, sigToken, false);
+ WSSecSignature sig = getSignatureBuilder(wrapper, sigToken, attached, false);
// This action must occur before sig.prependBSTElementToHeader
if (abinding.isTokenProtection()
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1079911&r1=1079910&r2=1079911&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java Wed Mar 9 17:58:40 2011
@@ -606,8 +606,7 @@ public class SymmetricBindingHandler ext
dkSign.setDerivedKeyLength(sbinding.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8);
if (tok.getSHA1() != null) {
//Set the value type of the reference
- dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
- + WSConstants.ENC_KEY_VALUE_TYPE);
+ dkSign.setCustomValueType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
} else {
dkSign.setCustomValueType(tok.getTokenType());
}