Posted to commits@cxf.apache.org by co...@apache.org on 2013/04/26 18:11:41 UTC
svn commit: r1476272 - in /cxf/branches/2.5.x-fixes:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/covera...
Author: coheigea
Date: Fri Apr 26 16:11:28 2013
New Revision: 1476272
URL: http://svn.apache.org/r1476272
Log:
Merged revisions 1476270 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/branches/2.6.x-fixes
........
r1476270 | coheigea | 2013-04-26 17:08:24 +0100 (Fri, 26 Apr 2013) | 18 lines
Merged revisions 1476267 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/branches/2.7.x-fixes
........
r1476267 | coheigea | 2013-04-26 17:04:32 +0100 (Fri, 26 Apr 2013) | 10 lines
Merged revisions 1476264 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1476264 | coheigea | 2013-04-26 17:02:05 +0100 (Fri, 26 Apr 2013) | 2 lines
[CXF-4954] - CryptoCoverageChecker prevents handling of SOAPFault-Responses
........
........
........
Modified:
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/DoubleItImpl.java
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml
Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java?rev=1476272&r1=1476271&r2=1476272&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java Fri Apr 26 16:11:28 2013
@@ -29,6 +29,7 @@ import java.util.Map;
import java.util.Vector;
import javax.xml.namespace.QName;
+import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import javax.xml.xpath.XPath;
@@ -82,6 +83,8 @@ public class CryptoCoverageChecker exten
*/
protected Map<String, String> prefixMap = new HashMap<String, String>();
+ private boolean checkFaults = true;
+
/**
* Creates a new instance. See {@link #setPrefixes()} and {@link #setXpaths()}
* for providing configuration options.
@@ -119,6 +122,22 @@ public class CryptoCoverageChecker exten
* covered by the required cryptographic operation
*/
public void handleMessage(SoapMessage message) throws Fault {
+ if (this.xPaths == null || this.xPaths.isEmpty()) {
+ // return
+ }
+
+ Element documentElement = null;
+ try {
+ SOAPMessage saajDoc = message.getContent(SOAPMessage.class);
+ SOAPEnvelope envelope = saajDoc.getSOAPPart().getEnvelope();
+ if (!checkFaults && envelope.getBody().hasFault()) {
+ return;
+ }
+ documentElement = envelope;
+ } catch (SOAPException e) {
+ throw new SoapFault("Error obtaining SOAP document", Fault.FAULT_CODE_CLIENT);
+ }
+
final Collection<WSDataRef> signed = new HashSet<WSDataRef>();
final Collection<WSDataRef> encrypted = new HashSet<WSDataRef>();
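Review bot: The new guard at the top of `handleMessage` does nothing, because its only statement is the comment `// return`; the later hunk (`@@ -167,55 +186,43`) removes the old `if (this.xPaths != null && !this.xPaths.isEmpty())` wrapper, so the `for` loop over `this.xPaths` would throw a NullPointerException if that list can ever be null. Replacing the comment with `return;` restores the previous behaviour; this looks safe because the code in between only fills local collections, but part of the method body lies outside the hunk, so confirm. The added block also dereferences the result of `message.getContent(SOAPMessage.class)` without the `saajDoc != null` check the removed code had, and the `SoapFault` raised for `SOAPException` drops the cause; `throw new SoapFault("Error obtaining SOAP document", e, Fault.FAULT_CODE_CLIENT);` would keep it.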
@@ -167,55 +186,43 @@ public class CryptoCoverageChecker exten
}
CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encrypted);
-
- if (this.xPaths != null && !this.xPaths.isEmpty()) {
- // XPathFactory and XPath are not thread-safe so we must recreate them
- // each request.
- final XPathFactory factory = XPathFactory.newInstance();
- final XPath xpath = factory.newXPath();
-
- if (this.prefixMap != null) {
- xpath.setNamespaceContext(new MapNamespaceContext(this.prefixMap));
- }
-
- for (XPathExpression xPathExpression : this.xPaths) {
- Collection<WSDataRef> refsToCheck = null;
-
- switch (xPathExpression.getType()) {
- case SIGNED:
- refsToCheck = signed;
- break;
- case ENCRYPTED:
- refsToCheck = encrypted;
- break;
- default:
- throw new IllegalStateException("Unexpected crypto type: "
- + xPathExpression.getType());
- }
-
- try {
- SOAPMessage saajDoc = message.getContent(SOAPMessage.class);
- Element documentElement = null;
- if (saajDoc != null && saajDoc.getSOAPPart() != null) {
- documentElement = saajDoc.getSOAPPart().getEnvelope();
- }
-
- CryptoCoverageUtil.checkCoverage(
- documentElement,
- refsToCheck,
- xpath,
- Arrays.asList(xPathExpression.getXPath()),
- xPathExpression.getType(),
- xPathExpression.getScope());
- } catch (WSSecurityException e) {
- throw new SoapFault("No " + xPathExpression.getType()
- + " element found matching XPath "
- + xPathExpression.getXPath(), Fault.FAULT_CODE_CLIENT);
- } catch (SOAPException e) {
- throw new SoapFault("No " + xPathExpression.getType()
- + " element found matching XPath "
- + xPathExpression.getXPath(), Fault.FAULT_CODE_CLIENT);
- }
+
+ // XPathFactory and XPath are not thread-safe so we must recreate them
+ // each request.
+ final XPathFactory factory = XPathFactory.newInstance();
+ final XPath xpath = factory.newXPath();
+
+ if (this.prefixMap != null) {
+ xpath.setNamespaceContext(new MapNamespaceContext(this.prefixMap));
+ }
+
+ for (XPathExpression xPathExpression : this.xPaths) {
+ Collection<WSDataRef> refsToCheck = null;
+
+ switch (xPathExpression.getType()) {
+ case SIGNED:
+ refsToCheck = signed;
+ break;
+ case ENCRYPTED:
+ refsToCheck = encrypted;
+ break;
+ default:
+ throw new IllegalStateException("Unexpected crypto type: "
+ + xPathExpression.getType());
+ }
+
+ try {
+ CryptoCoverageUtil.checkCoverage(
+ documentElement,
+ refsToCheck,
+ xpath,
+ Arrays.asList(xPathExpression.getXPath()),
+ xPathExpression.getType(),
+ xPathExpression.getScope());
+ } catch (WSSecurityException e) {
+ throw new SoapFault("No " + xPathExpression.getType()
+ + " element found matching XPath "
+ + xPathExpression.getXPath(), Fault.FAULT_CODE_CLIENT);
}
}
}
@@ -270,6 +277,14 @@ public class CryptoCoverageChecker exten
}
}
+ public boolean isCheckFaults() {
+ return checkFaults;
+ }
+
+ public void setCheckFaults(boolean checkFaults) {
+ this.checkFaults = checkFaults;
+ }
+
/**
* A simple wrapper for an XPath expression and coverage type / scope
* indicating how the XPath expression should be enforced as a cryptographic
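Review bot: `setCheckFaults` and `isCheckFaults` are added without Javadoc, although the flag is security-relevant: with `checkFaults` set to `false`, `handleMessage` returns before any coverage check whenever the SOAP Body contains a Fault. The setter's comment should say that such messages are then accepted without the configured signature/encryption coverage being enforced, that the default is `true`, and that the flag should be turned off only where the peer is known to return unsecured faults. For the getter, a one-liner such as `/** Returns whether messages carrying a SOAP Fault are subject to coverage checking. */` would match the documented members around it. The enclosing class extends beyond this hunk.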
Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/DoubleItImpl.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/DoubleItImpl.java?rev=1476272&r1=1476271&r2=1476272&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/DoubleItImpl.java (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/DoubleItImpl.java Fri Apr 26 16:11:28 2013
@@ -31,6 +31,9 @@ import org.example.contract.doubleit.Dou
public class DoubleItImpl implements DoubleItPortType {
public int doubleIt(int numberToDouble) throws DoubleItFault {
+ if (numberToDouble == 0) {
+ throw new DoubleItFault("0 can't be doubled!");
+ }
return numberToDouble * 2;
}
Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java?rev=1476272&r1=1476271&r2=1476272&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java Fri Apr 26 16:11:28 2013
@@ -430,4 +430,36 @@ public class DefaultCryptoCoverageChecke
bus.shutdown(true);
}
+ // Here the service is sending an secured message back to the client. For a server Fault
+ // message it returns the original fault, as the CryptoCoverageChecker is configured not
+ // to check a fault (see CXF-4954)
+ @org.junit.Test
+ public void testClientChecker() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = DefaultCryptoCoverageCheckerTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = DefaultCryptoCoverageCheckerTest.class.getResource("DoubleItCoverageChecker.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItClientCheckerPort");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+
+ port.doubleIt(25);
+
+ // Now try with a message that will create a Fault in the SEI
+ try {
+ port.doubleIt(0);
+ fail("Failure expected on trying to double 0");
+ } catch (Exception ex) {
+ assertTrue(ex.getMessage().contains("0 can't be doubled"));
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
}
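Review bot: `testClientChecker` exercises only the relaxed configuration (`checkFaults=false` in client/client.xml), so nothing pins the default behaviour. A companion case using a client whose `DefaultCryptoCoverageChecker` keeps `checkFaults` at `true` should assert that `port.doubleIt(0)` is rejected by the checker rather than surfacing "0 can't be doubled"; this assumes the server fault is sent unsigned, which the server.xml hunk suggests but does not prove. Such a test would catch a regression that skips faults unconditionally. Separately, `port` and `bus` are closed only on the success path; wrapping the calls in `try { ... } finally { ((java.io.Closeable)port).close(); bus.shutdown(true); }` keeps a failed assertion from leaking the bus into later tests. The rest of the test class lies outside the hunk.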
Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl?rev=1476272&r1=1476271&r2=1476272&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl Fri Apr 26 16:11:28 2013
@@ -77,6 +77,9 @@
<wsdl:port name="DoubleItWSAPort" binding="tns:DoubleItSoapBinding">
<soap:address location="http://localhost:9001/DoubleItWSA" />
</wsdl:port>
+ <wsdl:port name="DoubleItClientCheckerPort" binding="tns:DoubleItSoapBinding">
+ <soap:address location="http://localhost:9001/DoubleItClientChecker" />
+ </wsdl:port>
</wsdl:service>
</wsdl:definitions>
Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml?rev=1476272&r1=1476271&r2=1476272&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml Fri Apr 26 16:11:28 2013
@@ -58,4 +58,23 @@
</jaxws:features>
</jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItClientCheckerPort"
+ createdFromAPI="true">
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="passwordCallbackClass"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ <bean class="org.apache.cxf.ws.security.wss4j.DefaultCryptoCoverageChecker">
+ <property name="checkFaults" value="false"/>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:client>
+
</beans>
Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml?rev=1476272&r1=1476271&r2=1476272&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml Fri Apr 26 16:11:28 2013
@@ -149,5 +149,28 @@
<wsa:addressing xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
</jaxws:features>
</jaxws:endpoint>
+
+ <jaxws:endpoint
+ id="ClientChecker"
+ address="http://localhost:${testutil.ports.Server}/DoubleItClientChecker"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItClientCheckerPort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="passwordCallbackClass"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="user" value="alice"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ </jaxws:endpoint>
</beans>