Posted to commits@cxf.apache.org by co...@apache.org on 2012/08/03 18:25:18 UTC
svn commit: r1369087 - in /cxf/branches/2.4.x-fixes:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_che...
Author: coheigea
Date: Fri Aug 3 16:25:18 2012
New Revision: 1369087
URL: http://svn.apache.org/viewvc?rev=1369087&view=rev
Log:
Merged revisions 1369083 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/branches/2.5.x-fixes
........
r1369083 | coheigea | 2012-08-03 17:21:16 +0100 (Fri, 03 Aug 2012) | 18 lines
Merged revisions 1369079 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/branches/2.6.x-fixes
........
r1369079 | coheigea | 2012-08-03 17:16:41 +0100 (Fri, 03 Aug 2012) | 10 lines
Merged revisions 1369075 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1369075 | coheigea | 2012-08-03 17:14:34 +0100 (Fri, 03 Aug 2012) | 2 lines
[CXF-4453] - Add in default signature verification of WS-Addressing ReplyTo and FaultTo headers
........
........
........
Modified:
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java?rev=1369087&r1=1369086&r2=1369087&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java Fri Aug 3 16:25:18 2012
@@ -19,14 +19,18 @@
package org.apache.cxf.ws.security.wss4j;
+import org.apache.cxf.ws.addressing.Names;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
import org.apache.ws.security.WSConstants;
/**
* This utility extends the CryptoCoverageChecker to provide an easy way to check to see
- * if the SOAP (1.1 + 1.2) Body was signed and/or encrypted, and if the Timestamp was signed.
- * The default configuration is that the SOAP Body and Timestamp must be signed.
+ * if the SOAP (1.1 + 1.2) Body was signed and/or encrypted, if the Timestamp was signed,
+ * and if the WS-Addressing ReplyTo and FaultTo headers were signed.
+ *
+ * The default configuration is that the SOAP Body, Timestamp must be signed, and WS-Addressing
+ * ReplyTo and FaultTo headers must be signed (if they exist in the message payload).
*/
public class DefaultCryptoCoverageChecker extends CryptoCoverageChecker {
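Review bot: The new second paragraph of the class Javadoc reads awkwardly — "the SOAP Body, Timestamp must be signed, and WS-Addressing ReplyTo and FaultTo headers must be signed" states "must be signed" twice with the list split in the middle. A single enumeration is clearer and matches the wording used on the constructor Javadoc later in this diff: ` * The default configuration is that the SOAP Body, Timestamp, and WS-Addressing ReplyTo and FaultTo` / ` * headers must be signed (if they exist in the message payload).` It would also help readers to state explicitly that other WS-Addressing headers (To, Action, MessageID, RelatesTo) are not covered by the default configuration, since the XPaths added elsewhere in this commit only name ReplyTo and FaultTo.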
@@ -34,14 +38,16 @@ public class DefaultCryptoCoverageChecke
public static final String SOAP12_NS = WSConstants.URI_SOAP12_ENV;
public static final String WSU_NS = WSConstants.WSU_NS;
public static final String WSSE_NS = WSConstants.WSSE_NS;
+ public static final String WSA_NS = Names.WSA_NAMESPACE_NAME;
private boolean signBody;
private boolean signTimestamp;
private boolean encryptBody;
+ private boolean signAddressingHeaders;
/**
- * Creates a new instance. Enforces that the SOAP Body and Timestamp must be signed
- * (if they exist in the message body).
+ * Creates a new instance. Enforces that the SOAP Body, Timestamp, and WS-Addressing
+ * ReplyTo and FaultTo headers must be signed (if they exist in the message payload).
*/
public DefaultCryptoCoverageChecker() {
super(null, null);
@@ -50,12 +56,16 @@ public class DefaultCryptoCoverageChecke
prefixMap.put("soapenv12", SOAP12_NS);
prefixMap.put("wsu", WSU_NS);
prefixMap.put("wsse", WSSE_NS);
+ prefixMap.put("wsa", WSA_NS);
// Sign SOAP Body
setSignBody(true);
// Sign Timestamp
setSignTimestamp(true);
+
+ // Sign Addressing Headers
+ setSignAddressingHeaders(true);
}
public boolean isSignBody() {
@@ -152,5 +162,62 @@ public class DefaultCryptoCoverageChecke
}
}
}
+
+ public boolean isSignAddressingHeaders() {
+ return signAddressingHeaders;
+ }
+
+ public final void setSignAddressingHeaders(boolean signAddressingHeaders) {
+ this.signAddressingHeaders = signAddressingHeaders;
+
+ XPathExpression soap11Expression =
+ new XPathExpression(
+ "/soapenv:Envelope/soapenv:Header/wsa:ReplyTo",
+ CoverageType.SIGNED
+ );
+ XPathExpression soap11Expression2 =
+ new XPathExpression(
+ "/soapenv:Envelope/soapenv:Header/wsa:FaultTo",
+ CoverageType.SIGNED
+ );
+ XPathExpression soap12Expression =
+ new XPathExpression(
+ "/soapenv12:Envelope/soapenv12:Header/wsa:ReplyTo",
+ CoverageType.SIGNED
+ );
+ XPathExpression soap12Expression2 =
+ new XPathExpression(
+ "/soapenv12:Envelope/soapenv12:Header/wsa:FaultTo",
+ CoverageType.SIGNED
+ );
+
+ if (signAddressingHeaders) {
+ if (!xPaths.contains(soap11Expression)) {
+ xPaths.add(soap11Expression);
+ }
+ if (!xPaths.contains(soap11Expression2)) {
+ xPaths.add(soap11Expression2);
+ }
+ if (!xPaths.contains(soap12Expression)) {
+ xPaths.add(soap12Expression);
+ }
+ if (!xPaths.contains(soap12Expression2)) {
+ xPaths.add(soap12Expression2);
+ }
+ } else {
+ if (xPaths.contains(soap11Expression)) {
+ xPaths.remove(soap11Expression);
+ }
+ if (xPaths.contains(soap11Expression2)) {
+ xPaths.remove(soap11Expression2);
+ }
+ if (xPaths.contains(soap12Expression)) {
+ xPaths.remove(soap12Expression);
+ }
+ if (xPaths.contains(soap12Expression2)) {
+ xPaths.remove(soap12Expression2);
+ }
+ }
+ }
}
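Review bot: The body of setSignAddressingHeaders repeats the same contains/add and contains/remove sequence four times, and the `contains` guard before each `remove` is redundant — `Collection.remove(Object)` is already a no-op when the element is absent (assuming `xPaths` is a `java.util.Collection`; its declaration is in the parent class, outside this diff). Building the four expressions once and iterating over them keeps the enforced XPaths in one place, which matters for a security check where a later addition (for example covering `wsa:To` or `wsa:Action`) must be made for both the SOAP 1.1 and SOAP 1.2 envelopes and for both the add and remove paths. Note that both the original and the rewrite depend on `XPathExpression` implementing `equals`/`hashCode` for `contains`/`remove` to work — worth confirming, as `isSignBody`/`setSignBody` above this hunk presumably rely on the same. The rewrite uses `java.util.Arrays` and `java.util.List`, which may need importing if the file does not already do so.
```java
    public final void setSignAddressingHeaders(boolean signAddressingHeaders) {
        this.signAddressingHeaders = signAddressingHeaders;

        // ReplyTo and FaultTo, for both the SOAP 1.1 and SOAP 1.2 envelope namespaces
        List<XPathExpression> addressingXPaths = Arrays.asList(
            new XPathExpression("/soapenv:Envelope/soapenv:Header/wsa:ReplyTo", CoverageType.SIGNED),
            new XPathExpression("/soapenv:Envelope/soapenv:Header/wsa:FaultTo", CoverageType.SIGNED),
            new XPathExpression("/soapenv12:Envelope/soapenv12:Header/wsa:ReplyTo", CoverageType.SIGNED),
            new XPathExpression("/soapenv12:Envelope/soapenv12:Header/wsa:FaultTo", CoverageType.SIGNED)
        );

        for (XPathExpression xpath : addressingXPaths) {
            if (signAddressingHeaders) {
                if (!xPaths.contains(xpath)) {
                    xPaths.add(xpath);
                }
            } else {
                // remove(Object) is a no-op when the expression is not present
                xPaths.remove(xpath);
            }
        }
    }
```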
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java?rev=1369087&r1=1369086&r2=1369087&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java Fri Aug 3 16:25:18 2012
@@ -37,8 +37,8 @@ import org.junit.Test;
/**
* Test the DefaultCryptoCoverageChecker, which extends the CryptoCoverageChecker to provide
- * an easier way to check to see if the SOAP (1.1 + 1.2) Body was signed and/or encrypted, and
- * if the Timestamp was signed.
+ * an easier way to check to see if the SOAP (1.1 + 1.2) Body was signed and/or encrypted, if
+ * the Timestamp was signed, and if the WS-Addressing ReplyTo and FaultTo headers were signed.
*/
public class DefaultCryptoCoverageCheckerTest extends AbstractSecurityTest {
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java?rev=1369087&r1=1369086&r2=1369087&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java Fri Aug 3 16:25:18 2012
@@ -62,7 +62,7 @@ public class DefaultCryptoCoverageChecke
public static void cleanup() throws Exception {
stopAllServers();
}
-
+
@org.junit.Test
public void testSignedBodyTimestamp() throws Exception {
if (!unrestrictedPoliciesInstalled) {
@@ -401,6 +401,65 @@ public class DefaultCryptoCoverageChecke
bus.shutdown(true);
}
+ @org.junit.Test
+ public void testWSAddressing() throws Exception {
+ if (!unrestrictedPoliciesInstalled) {
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = DefaultCryptoCoverageCheckerTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = DefaultCryptoCoverageCheckerTest.class.getResource("DoubleItCoverageChecker.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItWSAPort");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+
+ Map<String, Object> outProps = new HashMap<String, Object>();
+ outProps.put("action", "Timestamp Signature");
+ outProps.put("signaturePropFile",
+ "org/apache/cxf/systest/ws/wssec10/client/alice.properties");
+ outProps.put("user", "alice");
+ outProps.put("passwordCallbackClass",
+ "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback");
+ outProps.put("signatureParts",
+ "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;"
+ + "{}{http://docs.oasis-open.org/wss/2004/01/oasis-"
+ + "200401-wss-wssecurity-utility-1.0.xsd}Timestamp;");
+
+ WSS4JOutInterceptor wss4jOutInterceptor = new WSS4JOutInterceptor(outProps);
+ bus.getOutInterceptors().add(wss4jOutInterceptor);
+
+ try {
+ port.doubleIt(25);
+ fail("Failure expected on not signing the WS-Addressing headers");
+ } catch (Exception ex) {
+ // expected
+ }
+
+ // Now sign the WS-Addressing headers
+ bus.getOutInterceptors().remove(wss4jOutInterceptor);
+
+ outProps.put("signatureParts",
+ "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;"
+ + "{}{http://docs.oasis-open.org/wss/2004/01/oasis-"
+ + "200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
+ + "{}{http://www.w3.org/2005/08/addressing}ReplyTo;");
+
+ wss4jOutInterceptor = new WSS4JOutInterceptor(outProps);
+ bus.getOutInterceptors().add(wss4jOutInterceptor);
+
+ port.doubleIt(25);
+
+ bus.shutdown(true);
+ }
+
private boolean checkUnrestrictedPoliciesInstalled() {
try {
byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
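Review bot: The negative half of testWSAddressing catches `Exception` and treats any failure of `port.doubleIt(25)` as the expected outcome, so a misconfigured client, a port that is not listening, or a signature error unrelated to coverage would make the test pass without the coverage checker ever rejecting anything. Narrowing the catch (for example to `javax.xml.ws.soap.SOAPFaultException`) and asserting on the fault text would pin the failure to the new check rather than to "something went wrong". The positive half then signs only `ReplyTo`, so FaultTo coverage appears not to be exercised at all by this test — presumably because the client does not emit a FaultTo header by default; a case that sends an unsigned FaultTo and expects rejection would close that gap. Finally, `bus.shutdown(true)` is skipped if the second `doubleIt` call throws; wrapping the body in try/finally avoids leaking the bus into later tests.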
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl?rev=1369087&r1=1369086&r2=1369087&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl Fri Aug 3 16:25:18 2012
@@ -74,6 +74,9 @@
<wsdl:port name="DoubleItSignedEncryptedBodyPort" binding="tns:DoubleItSoapBinding">
<soap:address location="http://localhost:9001/DoubleItSignedEncrypted" />
</wsdl:port>
+ <wsdl:port name="DoubleItWSAPort" binding="tns:DoubleItSoapBinding">
+ <soap:address location="http://localhost:9001/DoubleItWSA" />
+ </wsdl:port>
</wsdl:service>
</wsdl:definitions>
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml?rev=1369087&r1=1369086&r2=1369087&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml Fri Aug 3 16:25:18 2012
@@ -51,4 +51,11 @@
createdFromAPI="true">
</jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItWSAPort"
+ createdFromAPI="true">
+ <jaxws:features>
+ <wsa:addressing xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
+ </jaxws:features>
+ </jaxws:client>
+
</beans>
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml?rev=1369087&r1=1369086&r2=1369087&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml Fri Aug 3 16:25:18 2012
@@ -122,5 +122,32 @@
</bean>
</jaxws:inInterceptors>
</jaxws:endpoint>
+
+ <jaxws:endpoint
+ id="WSA"
+ address="http://localhost:${testutil.ports.Server}/DoubleItWSA"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItWSAPort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl">
+
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature Timestamp"/>
+ <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="passwordCallbackClass"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ <bean class="org.apache.cxf.ws.security.wss4j.DefaultCryptoCoverageChecker"/>
+ </jaxws:inInterceptors>
+ <jaxws:features>
+ <wsa:addressing xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
+ </jaxws:features>
+ </jaxws:endpoint>
</beans>