Posted to commits@cxf.apache.org by dk...@apache.org on 2009/04/09 16:53:04 UTC
svn commit: r763672 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
systests/src/test/java/org/apache/cxf/systest/ws/security/
systests/src/test/resources/wsdl_systest/
Author: dkulp
Date: Thu Apr 9 14:53:04 2009
New Revision: 763672
URL: http://svn.apache.org/viewvc?rev=763672&view=rev
Log:
[CXF-2165] Fix problems validating messages that are only signed
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
cxf/trunk/systests/src/test/resources/wsdl_systest/DoubleIt.wsdl
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=763672&r1=763671&r2=763672&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Thu Apr 9 14:53:04 2009
@@ -473,13 +473,14 @@
ai.setAsserted(true);
if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
if (abinding.isSignatureProtection()) {
- if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
+ if (prots == Protections.ENCRYPT_SIGN
+ || prots == Protections.SIGN_ENCRYPT) {
ai.setNotAsserted("Not encrypted before signed and then protected");
}
- } else if (prots != Protections.ENCRYPT_SIGN) {
+ } else if (prots != Protections.SIGN_ENCRYPT) {
ai.setNotAsserted("Not encrypted before signed");
}
- } else if (prots != Protections.SIGN_ENCRYPT && prots != Protections.SIGN) {
+ } else if (prots == Protections.ENCRYPT_SIGN) {
ai.setNotAsserted("Not signed before encrypted");
}
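Review bot: In the branch without signature protection the new condition is `prots != Protections.SIGN_ENCRYPT`, which marks the assertion as failed for every state except sign-then-encrypt, including a correctly ordered `ENCRYPT_SIGN` message, while a sign-then-encrypt message passes under an EncryptBeforeSigning policy. The otherwise identical block in the second hunk (`@@ -512,13 +513,14 @@`) uses `==` on the same line, so this looks like a leftover from the old allowlist form; it should probably read `} else if (prots == Protections.SIGN_ENCRYPT) {`. The enclosing method starts and ends outside the hunk, so which binding this copy validates cannot be confirmed from here.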
@@ -512,13 +513,14 @@
ai.setAsserted(true);
if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
if (abinding.isSignatureProtection()) {
- if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
+ if (prots == Protections.ENCRYPT_SIGN
+ || prots == Protections.SIGN_ENCRYPT) {
ai.setNotAsserted("Not encrypted before signed and then protected");
}
- } else if (prots != Protections.ENCRYPT_SIGN) {
+ } else if (prots == Protections.SIGN_ENCRYPT) {
ai.setNotAsserted("Not encrypted before signed");
}
- } else if (prots != Protections.SIGN_ENCRYPT) {
+ } else if (prots == Protections.ENCRYPT_SIGN) {
ai.setNotAsserted("Not signed before encrypted");
}
assertPolicy(aim, abinding.getInitiatorToken());
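Review bot: The ordering checks here (and in the first hunk) changed from requiring one expected state to rejecting a short list of known-bad ones, so any `Protections` value not named now passes by default. With `isSignatureProtection()` set, only `ENCRYPT_SIGN` and `SIGN_ENCRYPT` are rejected, where the removed line required `ENCRYPT_SIGN_PROTECT`; a signed-only message is the intended new case, but any other state the enum may hold would also be accepted. Naming the accepted states keeps the check fail-closed, for example `if (prots != Protections.ENCRYPT_SIGN_PROTECT && prots != Protections.SIGN) {`, and a short comment should say why signed-only is allowed. The full enum is not visible in this diff, so the list of accepted values needs confirming against it.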
Modified: cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=763672&r1=763671&r2=763672&view=diff
==============================================================================
--- cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java (original)
+++ cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java Thu Apr 9 14:53:04 2009
@@ -47,6 +47,7 @@
public static final String POLICY_HTTPS_ADDRESS = "https://localhost:9009/SecPolTest";
public static final String POLICY_ENCSIGN_ADDRESS = "http://localhost:9010/SecPolTestEncryptThenSign";
public static final String POLICY_SIGNENC_ADDRESS = "http://localhost:9010/SecPolTestSignThenEncrypt";
+ public static final String POLICY_SIGN_ADDRESS = "http://localhost:9010/SecPolTestSign";
public static class ServerPasswordCallback implements CallbackHandler {
@@ -81,7 +82,6 @@
new DoubleItImplEncryptThenSign());
EndpointInfo ei = ep.getServer().getEndpoint().getEndpointInfo();
- ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new ServerPasswordCallback());
ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
ei.setProperty(SecurityConstants.SIGNATURE_PROPERTIES,
SecurityPolicyTest.class.getResource("bob.properties").toString());
@@ -92,7 +92,15 @@
new DoubleItImplSignThenEncrypt());
ei = ep.getServer().getEndpoint().getEndpointInfo();
- ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new ServerPasswordCallback());
+ ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
+ ei.setProperty(SecurityConstants.SIGNATURE_PROPERTIES,
+ SecurityPolicyTest.class.getResource("bob.properties").toString());
+ ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES,
+ SecurityPolicyTest.class.getResource("alice.properties").toString());
+
+ ep = (EndpointImpl)Endpoint.publish(POLICY_SIGN_ADDRESS,
+ new DoubleItImplSign());
+ ei = ep.getServer().getEndpoint().getEndpointInfo();
ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
ei.setProperty(SecurityConstants.SIGNATURE_PROPERTIES,
SecurityPolicyTest.class.getResource("bob.properties").toString());
@@ -114,6 +122,15 @@
getClass().getResource("bob.properties"));
pt.doubleIt(BigInteger.valueOf(5));
+ pt = service.getDoubleItPortSign();
+ ((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,
+ new KeystorePasswordCallback());
+ ((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+ getClass().getResource("alice.properties"));
+ ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,
+ getClass().getResource("bob.properties"));
+ pt.doubleIt(BigInteger.valueOf(5));
+
pt = service.getDoubleItPortSignThenEncrypt();
((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,
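Review bot: The new DoubleItPortSign call only checks that a signed-only request goes through; nothing in this hunk asserts that a message with the wrong protection order is still refused after the interceptor checks were loosened. A negative case would pin that, for instance invoking the EncryptThenSign endpoint with a client bound to the sign-then-encrypt policy and expecting a fault. The return value of `pt.doubleIt(BigInteger.valueOf(5))` is also discarded; `assertEquals(BigInteger.valueOf(10), pt.doubleIt(BigInteger.valueOf(5)));` would confirm the response body was processed. The test method begins and ends outside the hunk.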
@@ -148,6 +165,7 @@
throw ex;
}
}
+
}
@@ -198,4 +216,15 @@
return numberToDouble.multiply(new BigInteger("2"));
}
}
+ @WebService(targetNamespace = "http://cxf.apache.org/policytest/DoubleIt",
+ portName = "DoubleItPortSign",
+ serviceName = "DoubleItService",
+ endpointInterface = "org.apache.cxf.policytest.doubleit.DoubleItPortType",
+ wsdlLocation = "classpath:/wsdl_systest/DoubleIt.wsdl")
+ public static class DoubleItImplSign implements DoubleItPortType {
+ /** {@inheritDoc}*/
+ public BigInteger doubleIt(BigInteger numberToDouble) {
+ return numberToDouble.multiply(new BigInteger("2"));
+ }
+ }
}
Modified: cxf/trunk/systests/src/test/resources/wsdl_systest/DoubleIt.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/src/test/resources/wsdl_systest/DoubleIt.wsdl?rev=763672&r1=763671&r2=763672&view=diff
==============================================================================
--- cxf/trunk/systests/src/test/resources/wsdl_systest/DoubleIt.wsdl (original)
+++ cxf/trunk/systests/src/test/resources/wsdl_systest/DoubleIt.wsdl Thu Apr 9 14:53:04 2009
@@ -88,6 +88,16 @@
<wsdl:output><soap:body use="literal"/></wsdl:output>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItBindingSign" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItSignPolicy"/>
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction=""/>
+ <wsdl:input><soap:body use="literal"/></wsdl:input>
+ <wsdl:output><soap:body use="literal"/></wsdl:output>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItPortHttps" binding="tns:DoubleItBinding">
<soap:address
@@ -105,6 +115,10 @@
<soap:address
location="http://localhost:9010/SecPolTestSignThenEncrypt"/>
</wsdl:port>
+ <wsdl:port name="DoubleItPortSign" binding="tns:DoubleItBindingSign">
+ <soap:address
+ location="http://localhost:9010/SecPolTestSign"/>
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItBindingPolicy">
@@ -259,4 +273,55 @@
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
+
+
+ <wsp:Policy wsu:Id="DoubleItSignPolicy"
+ xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient'>
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always'>
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Strict />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:OnlySignEntireHeadersAndBody />
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ <sp:Wss10 xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
+ <wsp:Policy>
+ <sp:MustSupportRefEmbeddedToken />
+ </wsp:Policy>
+ </sp:Wss10>
+ <sp:SignedParts xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>
+ <sp:Body />
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+</wsp:Policy>
+
</wsdl:definitions>
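Review bot: `DoubleItSignPolicy` has no `<sp:IncludeTimestamp />` in its `AsymmetricBinding`, and the port is published on plain HTTP, so a signed request carries nothing that bounds its lifetime and a captured message would verify again if resent. Adding `<sp:IncludeTimestamp />` next to `<sp:OnlySignEntireHeadersAndBody />` makes the timestamp part of what is signed. Whether the other policies in this file include it is not visible in the hunk.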