You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by gi...@apache.org on 2012/02/29 21:54:56 UTC
svn commit: r1295267 [1/11] - in /webservices/wss4j/branches/swssf:
rampart-policy/src/main/java/org/apache/ws/secpolicy/builders/
streaming-ws-policy/src/main/java/org/swssf/policy/
streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ s...
Author: giger
Date: Wed Feb 29 20:54:51 2012
New Revision: 1295267
URL: http://svn.apache.org/viewvc?rev=1295267&view=rev
Log:
A lot of work on the policy verification code
Added:
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyUtils.java (with props)
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityToken.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/InboundWSSecurityContextImpl.java (contents, props changed)
- copied, changed from r1235883, webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java (with props)
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/OperationInputProcessor.java (with props)
Modified:
webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/builders/SignedElementsBuilder.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/Assertable.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyConstants.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcerFactory.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyInputProcessor.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ContentEncryptedElementsAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedElementsAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedPartsAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ProtectionOrderAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredElementsAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredPartsAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignatureProtectionAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedElementsAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedPartsAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AsymmetricBindingIntegrationTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AsymmetricBindingTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/ContentEncryptedElementsTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/EncryptedElementsTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/EncryptedPartsTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/HttpsTokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/IssuedTokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KerberosTokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/LayoutTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/RelTokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/RequiredElementsTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/RequiredPartsTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SamlTokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SecureConversationTokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SecurityContextTokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SignedElementsTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SignedPartsTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SpnegoContextTokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SymmetricBindingTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/TransportBindingIntegrationTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/TransportBindingTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/UsernameTokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/X509TokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/InboundWSSec.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/OutboundWSSec.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSConstants.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityContext.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSDocumentContextImpl.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/BinarySecurityTokenInputHandler.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DecryptInputProcessor.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DerivedKeyTokenInputHandler.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/EncryptedKeyInputHandler.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SAMLTokenInputHandler.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SecurityContextTokenInputHandler.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SecurityTokenReferenceInputHandler.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureInputHandler.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/SignatureReferenceVerifyInputProcessor.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/UsernameTokenInputHandler.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/BinarySecurityTokenOutputProcessor.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/DerivedKeyTokenOutputProcessor.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/EncryptOutputProcessor.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/EncryptedKeyOutputProcessor.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SAMLTokenOutputProcessor.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SecurityContextTokenOutputProcessor.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/SignatureConfirmationOutputProcessor.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/output/UsernameTokenOutputProcessor.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/OpenSAMLBootstrap.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/OpenSAMLUtil.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/SAMLAssertionWrapper.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/SAMLCallback.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/bean/ActionBean.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/bean/AttributeBean.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/bean/AttributeStatementBean.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/bean/AuthDecisionStatementBean.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/bean/AuthenticationStatementBean.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/bean/ConditionsBean.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/bean/KeyInfoBean.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/bean/SubjectBean.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/bean/SubjectLocalityBean.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/builder/SAML1ComponentBuilder.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/builder/SAML1Constants.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/builder/SAML2ComponentBuilder.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/saml/builder/SAML2Constants.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/AbstractSecurityToken.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/HttpsSecurityToken.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/SAMLSecurityToken.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/SecureConversationSecurityToken.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/SecurityTokenFactoryImpl.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/SecurityTokenReference.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/ThumbprintSHA1SecurityToken.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/UsernameSecurityToken.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/X509DataSecurityToken.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/X509DefaultSecurityToken.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/X509PKIPathv1SecurityToken.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/X509SecurityToken.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/X509SubjectKeyIdentifierSecurityToken.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/securityToken/X509_V3SecurityToken.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/ContentEncryptedElementSecurityEvent.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/EncryptedElementSecurityEvent.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/EncryptedPartSecurityEvent.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/HttpsTokenSecurityEvent.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/OperationSecurityEvent.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/RequiredElementSecurityEvent.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/RequiredPartSecurityEvent.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/SecurityEvent.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/SignedElementSecurityEvent.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/SignedPartSecurityEvent.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/TokenSecurityEvent.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/AbstractTestBase.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/CallbackHandlerImpl.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/DerivedKeyTokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/InteroperabilityTest.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/PerformanceMemoryTest.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/PerformanceTimingTest.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/SignatureConfirmationTest.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/VulnerabliltyVectorsTest.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/saml/AbstractSAMLCallbackHandler.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/saml/SAML1AuthnHOKHandler.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/saml/SAML1CallbackHandler.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/saml/SAML2CallbackHandler.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/saml/SAMLTokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/utils/SOAPUtil.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/crypto/Crypto.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/crypto/CryptoBase.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/crypto/CryptoType.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/crypto/DERDecoder.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/crypto/Loader.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/crypto/Merlin.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/crypto/MerlinBase.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/crypto/X509SubjectPublicKeyInfo.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/ext/AbstractInputSecurityHeaderHandler.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/ext/DocumentContext.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/ext/SecurityContext.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/ext/SecurityToken.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/ext/SecurityTokenProvider.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/DocumentContextImpl.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/SecurityContextImpl.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/algorithms/ECDSAUtils.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/algorithms/PKISignatureAlgorithm.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/processor/input/AbstractDecryptInputProcessor.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/processor/input/AbstractSignatureInputHandler.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/processor/output/AbstractSignatureEndingOutputProcessor.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/securityToken/SecurityTokenFactory.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/securityToken/SecurityTokenFactoryImpl.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/test/java/org/swssf/xmlsec/test/Canonicalizer11Test.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/test/java/org/swssf/xmlsec/test/Canonicalizer20010315ExclusiveTest.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/test/java/org/swssf/xmlsec/test/Canonicalizer20010315Test.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/test/java/org/swssf/xmlsec/test/Santuario191Test.java
Modified: webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/builders/SignedElementsBuilder.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/builders/SignedElementsBuilder.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/builders/SignedElementsBuilder.java (original)
+++ webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/builders/SignedElementsBuilder.java Wed Feb 29 20:54:51 2012
@@ -66,7 +66,7 @@ public class SignedElementsBuilder imple
&& spVersion.getSPConstants().getXPathExpression().getNamespaceURI().equals(child.getNamespaceURI())) {
Map<String, String> declaredNamespaces = new HashMap<String, String>();
addDeclaredNamespaces(child, declaredNamespaces);
- xPaths.add(new XPath(child.getTextContent(), XPath.Version.V1, null, declaredNamespaces));
+ xPaths.add(new XPath(child.getTextContent().trim(), XPath.Version.V1, null, declaredNamespaces));
}
child = SPUtils.getNextSiblingElement(child);
}
@@ -86,7 +86,7 @@ public class SignedElementsBuilder imple
if (StringUtils.isEmpty(filter)) {
throw new IllegalArgumentException(SPConstants.ERR_INVALID_POLICY);
}
- xPaths.add(new XPath(child.getTextContent(), XPath.Version.V2, filter, declaredNamespaces));
+ xPaths.add(new XPath(child.getTextContent().trim(), XPath.Version.V2, filter, declaredNamespaces));
}
child = SPUtils.getNextSiblingElement(child);
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/Assertable.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/Assertable.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/Assertable.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/Assertable.java Wed Feb 29 20:54:51 2012
@@ -20,6 +20,7 @@ package org.swssf.policy;
import org.apache.ws.secpolicy.WSSPolicyException;
import org.swssf.wss.securityEvent.SecurityEvent;
+import org.swssf.xmlsec.ext.XMLSecurityException;
/**
* @author $Author: giger $
@@ -29,7 +30,7 @@ public interface Assertable {
SecurityEvent.Event[] getSecurityEventType();
- boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException;
+ boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException, XMLSecurityException;
boolean isAsserted();
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyConstants.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyConstants.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyConstants.java Wed Feb 29 20:54:51 2012
@@ -18,20 +18,9 @@
*/
package org.swssf.policy;
-import javax.xml.namespace.QName;
-
/**
* @author $Author$
* @version $Revision$ $Date$
*/
public class PolicyConstants {
-
- public static final String NS_SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/";
- public static final String NS_SOAP12 = "http://www.w3.org/2003/05/soap-envelope";
-
- public static final String PREFIX_SOAPENV = "env";
- public static final String TAG_soap_Body_LocalName = "Body";
-
- public static final QName TAG_soap11_Body = new QName(NS_SOAP11, TAG_soap_Body_LocalName, PREFIX_SOAPENV);
- public static final QName TAG_soap12_Body = new QName(NS_SOAP12, TAG_soap_Body_LocalName, PREFIX_SOAPENV);
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java Wed Feb 29 20:54:51 2012
@@ -26,10 +26,11 @@ import org.apache.ws.secpolicy.WSSPolicy
import org.apache.ws.secpolicy.model.*;
import org.swssf.policy.assertionStates.*;
import org.swssf.wss.ext.WSSConstants;
-import org.swssf.wss.ext.WSSUtils;
import org.swssf.wss.ext.WSSecurityException;
-import org.swssf.wss.securityEvent.*;
-import org.swssf.xmlsec.ext.SecurityToken;
+import org.swssf.wss.securityEvent.OperationSecurityEvent;
+import org.swssf.wss.securityEvent.SecurityEvent;
+import org.swssf.wss.securityEvent.SecurityEventListener;
+import org.swssf.xmlsec.ext.XMLSecurityException;
import javax.xml.namespace.QName;
import java.util.*;
@@ -52,22 +53,22 @@ public class PolicyEnforcer implements S
// finishing Layout
// HttpsToken Algorithms
//ProtectionOrder
- //Derived Keys property
+ //unused tokens must be checked (algorithms etc)
protected static final transient Log log = LogFactory.getLog(PolicyEnforcer.class);
private List<OperationPolicy> operationPolicies;
private OperationPolicy effectivePolicy;
private List<Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> assertionStateMap;
- //securityEventQueue can probably be eliminated if we queue the events in the streaming-ws-security framework and
- //the first emitted event will be the operation event!
+ private List<Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> failedAssertionStateMap;
+
private Deque<SecurityEvent> securityEventQueue = new LinkedList<SecurityEvent>();
- private boolean transportSecurityActive = false;
private boolean operationSecurityEventOccured = false;
public PolicyEnforcer(List<OperationPolicy> operationPolicies, String soapAction) throws WSSPolicyException {
this.operationPolicies = operationPolicies;
- assertionStateMap = new ArrayList<Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>>>();
+ assertionStateMap = new LinkedList<Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>>>();
+ failedAssertionStateMap = new LinkedList<Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>>>();
if (soapAction != null && !soapAction.equals("")) {
effectivePolicy = findPolicyBySOAPAction(operationPolicies, soapAction);
@@ -78,8 +79,9 @@ public class PolicyEnforcer implements S
}
private OperationPolicy findPolicyBySOAPAction(List<OperationPolicy> operationPolicies, String soapAction) {
- for (int i = 0; i < operationPolicies.size(); i++) {
- OperationPolicy operationPolicy = operationPolicies.get(i);
+ Iterator<OperationPolicy> operationPolicyIterator = operationPolicies.iterator();
+ while (operationPolicyIterator.hasNext()) {
+ OperationPolicy operationPolicy = operationPolicyIterator.next();
if (soapAction.equals(operationPolicy.getOperationAction())) {
return operationPolicy;
}
@@ -88,8 +90,9 @@ public class PolicyEnforcer implements S
}
private OperationPolicy findPolicyBySOAPOperationName(List<OperationPolicy> operationPolicies, String soapOperationName) {
- for (int i = 0; i < operationPolicies.size(); i++) {
- OperationPolicy operationPolicy = operationPolicies.get(i);
+ Iterator<OperationPolicy> operationPolicyIterator = operationPolicies.iterator();
+ while (operationPolicyIterator.hasNext()) {
+ OperationPolicy operationPolicy = operationPolicyIterator.next();
if (soapOperationName.equals(operationPolicy.getOperationName())) {
return operationPolicy;
}
@@ -107,8 +110,9 @@ public class PolicyEnforcer implements S
PolicyOperator policyOperator = (PolicyOperator) policyComponent;
List<PolicyComponent> policyComponents = policyOperator.getPolicyComponents();
int alternative = 0;
- for (int i = 0; i < policyComponents.size(); i++) {
- PolicyComponent curPolicyComponent = policyComponents.get(i);
+ Iterator<PolicyComponent> policyComponentIterator = policyComponents.iterator();
+ while (policyComponentIterator.hasNext()) {
+ PolicyComponent curPolicyComponent = policyComponentIterator.next();
if (policyOperator instanceof ExactlyOne) {
assertionStateMap.add(new HashMap<SecurityEvent.Event, Map<Assertion, List<Assertable>>>());
buildAssertionStateMap(curPolicyComponent, assertionStateMap, alternative++);
@@ -127,15 +131,17 @@ public class PolicyEnforcer implements S
if (policyComponent instanceof PolicyOperator) {
PolicyOperator policyOperator = (PolicyOperator) policyComponent;
List<PolicyComponent> policyComponents = policyOperator.getPolicyComponents();
- for (int i = 0; i < policyComponents.size(); i++) {
- PolicyComponent curPolicyComponent = policyComponents.get(i);
+ Iterator<PolicyComponent> policyComponentIterator = policyComponents.iterator();
+ while (policyComponentIterator.hasNext()) {
+ PolicyComponent curPolicyComponent = policyComponentIterator.next();
buildAssertionStateMap(curPolicyComponent, assertionStateMap, alternative);
}
} else if (policyComponent instanceof AbstractSecurityAssertion) {
AbstractSecurityAssertion abstractSecurityAssertion = (AbstractSecurityAssertion) policyComponent;
List<Assertable> assertablesList = getAssertableForAssertion(abstractSecurityAssertion);
- for (int i = 0; i < assertablesList.size(); i++) {
- Assertable assertable = assertablesList.get(i);
+ Iterator<Assertable> assertableIterator = assertablesList.iterator();
+ while (assertableIterator.hasNext()) {
+ Assertable assertable = assertableIterator.next();
final Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>> map = assertionStateMap.get(alternative);
final SecurityEvent.Event[] securityEventType = assertable.getSecurityEventType();
for (int j = 0; j < securityEventType.length; j++) {
@@ -161,14 +167,14 @@ public class PolicyEnforcer implements S
private void addAssertionState(Map<Assertion, List<Assertable>> assertables, Assertion keyAssertion, Assertable assertable) {
List<Assertable> assertableList = assertables.get(keyAssertion);
if (assertableList == null) {
- assertableList = new ArrayList<Assertable>();
+ assertableList = new LinkedList<Assertable>();
assertables.put(keyAssertion, assertableList);
}
assertableList.add(assertable);
}
protected List<Assertable> getAssertableForAssertion(AbstractSecurityAssertion abstractSecurityAssertion) throws WSSPolicyException {
- List<Assertable> assertableList = new ArrayList<Assertable>();
+ List<Assertable> assertableList = new LinkedList<Assertable>();
if (abstractSecurityAssertion instanceof ContentEncryptedElements) {
assertableList.add(new ContentEncryptedElementsAssertionState(abstractSecurityAssertion, true));
} else if (abstractSecurityAssertion instanceof EncryptedParts) {
@@ -223,18 +229,19 @@ public class PolicyEnforcer implements S
assertableList.add(new SignatureProtectionAssertionState(abstractSymmetricAsymmetricBinding, true));
assertableList.add(new OnlySignEntireHeadersAndBodyAssertionState(abstractSecurityAssertion, false));
//todo token protection
- } else if (abstractSecurityAssertion instanceof TransportBinding) {
- if (abstractBinding.isIncludeTimestamp()) {
- RequiredElementsAssertionState requiredElementsAssertionState = new RequiredElementsAssertionState(abstractBinding, false);
- requiredElementsAssertionState.addElement(WSSConstants.TAG_wsu_Timestamp);
- assertableList.add(requiredElementsAssertionState);
- }
}
assertableList.add(new IncludeTimeStampAssertionState(abstractBinding, true));
if (abstractBinding.isIncludeTimestamp()) {
+ RequiredElementsAssertionState requiredElementsAssertionState = new RequiredElementsAssertionState(abstractBinding, false);
+ List<QName> timestampElementPath = new LinkedList<QName>();
+ timestampElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+ timestampElementPath.add(WSSConstants.TAG_wsu_Timestamp);
+ requiredElementsAssertionState.addElement(timestampElementPath);
+ assertableList.add(requiredElementsAssertionState);
+
SignedElementsAssertionState signedElementsAssertionState = new SignedElementsAssertionState(abstractSecurityAssertion, true);
- signedElementsAssertionState.addElement(WSSConstants.TAG_wsu_Timestamp);
+ signedElementsAssertionState.addElement(timestampElementPath);
assertableList.add(signedElementsAssertionState);
}
} else if (abstractSecurityAssertion instanceof AbstractToken) {
@@ -248,7 +255,10 @@ public class PolicyEnforcer implements S
assertableList.add(signedElementsAssertionState);
//todo the other tokens?
if (abstractToken instanceof UsernameToken) {
- signedElementsAssertionState.addElement(WSSConstants.TAG_wsse_UsernameToken);
+ List<QName> usernameTokenElementPath = new LinkedList<QName>();
+ usernameTokenElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+ usernameTokenElementPath.add(WSSConstants.TAG_wsse_UsernameToken);
+ signedElementsAssertionState.addElement(usernameTokenElementPath);
}
}
}
@@ -263,34 +273,64 @@ public class PolicyEnforcer implements S
* @param securityEvent
* @throws WSSPolicyException
*/
- private void verifyPolicy(SecurityEvent securityEvent) throws WSSPolicyException {
- int notAssertedCount = 0;
- alternative:
- for (int i = 0; i < assertionStateMap.size(); i++) {
- Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>> map = assertionStateMap.get(i);
-
- //every list entry counts as an alternative...
- Map<Assertion, List<Assertable>> assertionListMap = map.get(securityEvent.getSecurityEventType());
- if (assertionListMap != null && assertionListMap.size() > 0) {
-
- for (Iterator<Map.Entry<Assertion, List<Assertable>>> assertionStateIterator = assertionListMap.entrySet().iterator(); assertionStateIterator.hasNext(); ) {
- Map.Entry<Assertion, List<Assertable>> assertionStateEntry = assertionStateIterator.next();
- List<Assertable> assertionStates = assertionStateEntry.getValue();
- for (int j = 0; j < assertionStates.size(); j++) {
- Assertable assertable = assertionStates.get(j);
- boolean asserted = assertable.assertEvent(securityEvent);
- //...so if one fails, continue with the next map entry and increment the notAssertedCount
- if (!asserted) {
- notAssertedCount++;
- continue alternative;
+ private void verifyPolicy(SecurityEvent securityEvent) throws WSSPolicyException, XMLSecurityException {
+ {
+ //first check the remaining alternatives...
+ Iterator<Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> assertionStateMapIterator = this.assertionStateMap.iterator();
+ alternative:
+ while (assertionStateMapIterator.hasNext()) {
+ Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>> map = assertionStateMapIterator.next();
+ //every list entry counts as an alternative...
+ Map<Assertion, List<Assertable>> assertionListMap = map.get(securityEvent.getSecurityEventType());
+ if (assertionListMap != null && assertionListMap.size() > 0) {
+ Iterator<Map.Entry<Assertion, List<Assertable>>> assertionStateIterator = assertionListMap.entrySet().iterator();
+ while (assertionStateIterator.hasNext()) {
+ Map.Entry<Assertion, List<Assertable>> assertionStateEntry = assertionStateIterator.next();
+ List<Assertable> assertionStates = assertionStateEntry.getValue();
+ Iterator<Assertable> assertableIterator = assertionStates.iterator();
+ while (assertableIterator.hasNext()) {
+ Assertable assertable = assertableIterator.next();
+ boolean asserted = assertable.assertEvent(securityEvent);
+ //...so if one fails, continue with the next map entry and increment the notAssertedCount
+ if (!asserted) {
+ failedAssertionStateMap.add(map);
+ assertionStateMapIterator.remove();
+ continue alternative;
+ }
}
}
}
}
}
- //if the notAssertedCount equals the size of the list (the size of the list is equal to the alternatives)
+ {
+ //...then also we have to check the failed assertions for logging purposes!
+ Iterator<Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> assertionStateMapIterator = this.failedAssertionStateMap.iterator();
+ alternative:
+ while (assertionStateMapIterator.hasNext()) {
+ Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>> map = assertionStateMapIterator.next();
+ //every list entry counts as an alternative...
+ Map<Assertion, List<Assertable>> assertionListMap = map.get(securityEvent.getSecurityEventType());
+ if (assertionListMap != null && assertionListMap.size() > 0) {
+ Iterator<Map.Entry<Assertion, List<Assertable>>> assertionStateIterator = assertionListMap.entrySet().iterator();
+ while (assertionStateIterator.hasNext()) {
+ Map.Entry<Assertion, List<Assertable>> assertionStateEntry = assertionStateIterator.next();
+ List<Assertable> assertionStates = assertionStateEntry.getValue();
+ Iterator<Assertable> assertableIterator = assertionStates.iterator();
+ while (assertableIterator.hasNext()) {
+ Assertable assertable = assertableIterator.next();
+ boolean asserted = assertable.assertEvent(securityEvent);
+ //...so if one fails, continue with the next map entry and increment the notAssertedCount
+ if (!asserted) {
+ continue alternative;
+ }
+ }
+ }
+ }
+ }
+ }
+ //if the assertionStateMap is empty (the size of the list is equal to the alternatives)
//then we could not satisfy any alternative
- if (notAssertedCount == assertionStateMap.size()) {
+ if (assertionStateMap.isEmpty()) {
logFailedAssertions();
throw new PolicyViolationException("No policy alternative could be satisfied");
}
@@ -303,46 +343,51 @@ public class PolicyEnforcer implements S
* @throws PolicyViolationException thrown when no alternative could be satisifed
*/
private void verifyPolicy() throws WSSPolicyException {
- int notAsserted = 0;
+ Iterator<Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> assertionStateMapIterator = this.assertionStateMap.iterator();
alternative:
- for (int i = 0; i < assertionStateMap.size(); i++) {
- Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>> map = assertionStateMap.get(i);
+ while (assertionStateMapIterator.hasNext()) {
+ Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>> map = assertionStateMapIterator.next();
Iterator<Map.Entry<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> iterator = map.entrySet().iterator();
while (iterator.hasNext()) {
Map.Entry<SecurityEvent.Event, Map<Assertion, List<Assertable>>> mapEntry = iterator.next();
- Iterator<Map.Entry<Assertion, List<Assertable>>> assertableIterator = mapEntry.getValue().entrySet().iterator();
- while (assertableIterator.hasNext()) {
- Map.Entry<Assertion, List<Assertable>> assertionListEntry = assertableIterator.next();
+ Iterator<Map.Entry<Assertion, List<Assertable>>> assertionStateIterator = mapEntry.getValue().entrySet().iterator();
+ while (assertionStateIterator.hasNext()) {
+ Map.Entry<Assertion, List<Assertable>> assertionListEntry = assertionStateIterator.next();
List<Assertable> assertableList = assertionListEntry.getValue();
- for (int j = 0; j < assertableList.size(); j++) {
- Assertable assertable = assertableList.get(j);
+ Iterator<Assertable> assertableIterator = assertableList.iterator();
+ while (assertableIterator.hasNext()) {
+ Assertable assertable = assertableIterator.next();
if (!assertable.isAsserted()) {
- notAsserted++;
+ failedAssertionStateMap.add(map);
+ assertionStateMapIterator.remove();
continue alternative;
}
}
}
}
}
- if (notAsserted == assertionStateMap.size()) {
+ if (assertionStateMap.isEmpty()) {
logFailedAssertions();
throw new WSSPolicyException("No policy alternative could be satisfied");
}
}
private void logFailedAssertions() {
- for (int i = 0; i < assertionStateMap.size(); i++) {
- Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>> map = assertionStateMap.get(i);
+ Iterator<Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> assertionStateMapIterator = this.failedAssertionStateMap.iterator();
+ while (assertionStateMapIterator.hasNext()) {
+ Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>> map = assertionStateMapIterator.next();
Set<Map.Entry<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> entrySet = map.entrySet();
Iterator<Map.Entry<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> entryIterator = entrySet.iterator();
while (entryIterator.hasNext()) {
Map.Entry<SecurityEvent.Event, Map<Assertion, List<Assertable>>> eventCollectionEntry = entryIterator.next();
Map<Assertion, List<Assertable>> assertionListMap = eventCollectionEntry.getValue();
- for (Iterator<Map.Entry<Assertion, List<Assertable>>> assertionStateEntryIterator = assertionListMap.entrySet().iterator(); assertionStateEntryIterator.hasNext(); ) {
+ Iterator<Map.Entry<Assertion, List<Assertable>>> assertionStateEntryIterator = assertionListMap.entrySet().iterator();
+ while (assertionStateEntryIterator.hasNext()) {
Map.Entry<Assertion, List<Assertable>> entry = assertionStateEntryIterator.next();
List<Assertable> assertionStates = entry.getValue();
- for (int j = 0; j < assertionStates.size(); j++) {
- Assertable assertable = assertionStates.get(j);
+ Iterator<Assertable> assertableIterator = assertionStates.iterator();
+ while (assertableIterator.hasNext()) {
+ Assertable assertable = assertableIterator.next();
if (!assertable.isAsserted()) {
log.error(entry.getKey().getName() + " not satisfied: " + assertable.getErrorMessage());
}
@@ -355,27 +400,26 @@ public class PolicyEnforcer implements S
//multiple threads can call this method concurrently -> synchronize access
public synchronized void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
- if (securityEvent instanceof HttpsTokenSecurityEvent) {
- transportSecurityActive = true;
- }
-
if (operationSecurityEventOccured) {
try {
verifyPolicy(securityEvent);
} catch (WSSPolicyException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);
+ } catch (XMLSecurityException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);
}
}
- if (securityEvent.getSecurityEventType().equals(SecurityEvent.Event.Operation)) {
+ if (securityEvent.getSecurityEventType() == SecurityEvent.Event.Operation) {
operationSecurityEventOccured = true;
+ final OperationSecurityEvent operationSecurityEvent = (OperationSecurityEvent) securityEvent;
if (effectivePolicy != null) {
//soap-action spoofing detection
- if (!effectivePolicy.getOperationName().equals(((OperationSecurityEvent) securityEvent).getOperation().getLocalPart())) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, new WSSPolicyException("SOAPAction (" + effectivePolicy.getOperationName() + ") does not match with the current Operation: " + ((OperationSecurityEvent) securityEvent).getOperation()));
+ if (!effectivePolicy.getOperationName().equals(operationSecurityEvent.getOperation().getLocalPart())) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, new WSSPolicyException("SOAPAction (" + effectivePolicy.getOperationName() + ") does not match with the current Operation: " + operationSecurityEvent.getOperation()));
}
} else {
- effectivePolicy = findPolicyBySOAPOperationName(operationPolicies, ((OperationSecurityEvent) securityEvent).getOperation().getLocalPart());
+ effectivePolicy = findPolicyBySOAPOperationName(operationPolicies, operationSecurityEvent.getOperation().getLocalPart());
if (effectivePolicy == null) {
//no policy to the operation given
effectivePolicy = new OperationPolicy("NoPolicyFoundForOperation");
@@ -388,311 +432,25 @@ public class PolicyEnforcer implements S
}
}
- try {
- identifySecurityTokenDepenedenciesAndUsage(securityEventQueue);
- } catch (PolicyViolationException e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);
- }
-
Iterator<SecurityEvent> securityEventIterator = securityEventQueue.descendingIterator();
while (securityEventIterator.hasNext()) {
SecurityEvent prevSecurityEvent = securityEventIterator.next();
try {
verifyPolicy(prevSecurityEvent);
} catch (WSSPolicyException e) {
- //todo better exceptions
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);
+ } catch (XMLSecurityException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);
}
}
securityEventQueue.clear();
+
+ return;
} else {
- //queue events until the operation security event occured
securityEventQueue.push(securityEvent);
}
}
- private void identifySecurityTokenDepenedenciesAndUsage(Deque<SecurityEvent> securityEventDeque) throws PolicyViolationException, WSSecurityException {
-
- List<TokenSecurityEvent> messageSignatureTokens = new ArrayList<TokenSecurityEvent>();
- List<TokenSecurityEvent> messageEncryptionTokens = new ArrayList<TokenSecurityEvent>();
- List<TokenSecurityEvent> supportingTokens = new ArrayList<TokenSecurityEvent>();
- List<TokenSecurityEvent> signedSupportingTokens = new ArrayList<TokenSecurityEvent>();
- List<TokenSecurityEvent> endorsingSupportingTokens = new ArrayList<TokenSecurityEvent>();
- List<TokenSecurityEvent> signedEndorsingSupportingTokens = new ArrayList<TokenSecurityEvent>();
- List<TokenSecurityEvent> signedEncryptedSupportingTokens = new ArrayList<TokenSecurityEvent>();
- List<TokenSecurityEvent> endorsingEncryptedSupportingTokens = new ArrayList<TokenSecurityEvent>();
- List<TokenSecurityEvent> signedEndorsingEncryptedSupportingTokens = new ArrayList<TokenSecurityEvent>();
-
- List<TokenSecurityEvent> tokenSecurityEvents = new LinkedList<TokenSecurityEvent>();
- for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator(); iterator.hasNext(); ) {
- SecurityEvent securityEvent = iterator.next();
- //todo it is probably better to use the EventType Enum instead of InstanceOf?
- if (securityEvent instanceof TokenSecurityEvent) {
- //iterator.remove();
- if (securityEvent instanceof HttpsTokenSecurityEvent) {
- HttpsTokenSecurityEvent httpsTokenSecurityEvent = (HttpsTokenSecurityEvent) securityEvent;
- httpsTokenSecurityEvent.setTokenUsage(TokenSecurityEvent.TokenUsage.MainSignature);
- messageSignatureTokens.add(httpsTokenSecurityEvent);
- HttpsTokenSecurityEvent clonedHttpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
- clonedHttpsTokenSecurityEvent.setAuthenticationType(httpsTokenSecurityEvent.getAuthenticationType());
- clonedHttpsTokenSecurityEvent.setIssuerName(httpsTokenSecurityEvent.getIssuerName());
- clonedHttpsTokenSecurityEvent.setSecurityToken(httpsTokenSecurityEvent.getSecurityToken());
- clonedHttpsTokenSecurityEvent.setTokenUsage(TokenSecurityEvent.TokenUsage.MainEncryption);
- messageEncryptionTokens.add(clonedHttpsTokenSecurityEvent);
- continue;
- }
- tokenSecurityEvents.add((TokenSecurityEvent) securityEvent);
- }
- }
-
- Iterator<TokenSecurityEvent> tokenSecurityEventIterator = tokenSecurityEvents.iterator();
- while (tokenSecurityEventIterator.hasNext()) {
- TokenSecurityEvent tokenSecurityEvent = tokenSecurityEventIterator.next();
- if (tokenSecurityEvent.getSecurityToken().getKeyWrappingToken() == null) {
- supportingTokens.add(tokenSecurityEvent);
- } else if (tokenSecurityEvent.getTokenUsage() == TokenSecurityEvent.TokenUsage.Encryption) {
- SecurityToken securityToken = tokenSecurityEvent.getSecurityToken();
- while (securityToken.getKeyWrappingToken() != null) {
- securityToken = securityToken.getKeyWrappingToken();
- }
- TokenSecurityEvent encTokenSecurityEvent = WSSUtils.createTokenSecurityEvent(securityToken);
- encTokenSecurityEvent.setTokenUsage(TokenSecurityEvent.TokenUsage.Encryption);
- //todo handle multiple encryption tokens
- messageEncryptionTokens.add(encTokenSecurityEvent);
- securityEventDeque.offer(encTokenSecurityEvent);
- }
- }
-
- Iterator<TokenSecurityEvent> supportingTokensIterator = supportingTokens.iterator();
- while (supportingTokensIterator.hasNext()) {
- TokenSecurityEvent tokenSecurityEvent = supportingTokensIterator.next();
- List<SecurityToken> signingSecurityTokens = isSignedToken(tokenSecurityEvent, securityEventDeque);
- boolean signsSignature = signsElement(tokenSecurityEvent, WSSConstants.TAG_dsig_Signature, securityEventDeque);
- boolean signsSignatureConfirmation = signsElement(tokenSecurityEvent, WSSConstants.TAG_wsse11_SignatureConfirmation, securityEventDeque);
- boolean signsTimestamp = signsElement(tokenSecurityEvent, WSSConstants.TAG_wsu_Timestamp, securityEventDeque);
- if (!this.transportSecurityActive && signsSignatureConfirmation && signsTimestamp) {
- supportingTokensIterator.remove();
- messageSignatureTokens.add(tokenSecurityEvent);
- } else if (!this.transportSecurityActive && signsSignatureConfirmation) {
- supportingTokensIterator.remove();
- messageSignatureTokens.add(tokenSecurityEvent);
- } else if (!this.transportSecurityActive && signsTimestamp) {
- supportingTokensIterator.remove();
- messageSignatureTokens.add(tokenSecurityEvent);
- } else if (signsSignature && signingSecurityTokens.size() > 0) {
- supportingTokensIterator.remove();
- signedEndorsingSupportingTokens.add(tokenSecurityEvent);
- } else if (signsSignature) {
- supportingTokensIterator.remove();
- endorsingSupportingTokens.add(tokenSecurityEvent);
- } else if (signingSecurityTokens.size() > 0) {
- supportingTokensIterator.remove();
- signedSupportingTokens.add(tokenSecurityEvent);
- }
- }
-
- if (messageSignatureTokens.size() == 0) {
- SecurityToken messageSignatureToken = getSupportingTokenSigningToken(
- signedSupportingTokens,
- signedEndorsingSupportingTokens,
- signedEncryptedSupportingTokens,
- signedEndorsingEncryptedSupportingTokens,
- securityEventDeque);
-
- TokenSecurityEvent tokenSecurityEvent = getTokenSecurityEvent(messageSignatureToken, tokenSecurityEvents);
- if (tokenSecurityEvent != null) {
- supportingTokens.remove(tokenSecurityEvent);
- signedSupportingTokens.remove(tokenSecurityEvent);
- endorsingSupportingTokens.remove(tokenSecurityEvent);
- signedEndorsingSupportingTokens.remove(tokenSecurityEvent);
- signedEncryptedSupportingTokens.remove(tokenSecurityEvent);
- endorsingEncryptedSupportingTokens.remove(tokenSecurityEvent);
- signedEndorsingEncryptedSupportingTokens.remove(tokenSecurityEvent);
- messageSignatureTokens.add(tokenSecurityEvent);
- }
- }
-
- if (messageSignatureTokens.size() == 0) {
- for (Iterator<TokenSecurityEvent> iterator = supportingTokens.iterator(); iterator.hasNext(); ) {
- TokenSecurityEvent supportingToken = iterator.next();
- if (supportingToken.getTokenUsage() == TokenSecurityEvent.TokenUsage.Signature) {
- iterator.remove();
- messageSignatureTokens.add(supportingToken);
- break;
- }
- }
- }
-
- if (messageEncryptionTokens.size() == 0) {
- for (Iterator<TokenSecurityEvent> iterator = supportingTokens.iterator(); iterator.hasNext(); ) {
- TokenSecurityEvent supportingToken = iterator.next();
- if (supportingToken.getTokenUsage() == TokenSecurityEvent.TokenUsage.Encryption) {
- iterator.remove();
- messageEncryptionTokens.add(supportingToken);
- break;
- }
- }
- }
-
- setTokenUsage(messageSignatureTokens, TokenSecurityEvent.TokenUsage.MainSignature);
- setTokenUsage(messageEncryptionTokens, TokenSecurityEvent.TokenUsage.MainEncryption);
- setTokenUsage(supportingTokens, TokenSecurityEvent.TokenUsage.SupportingToken);
- setTokenUsage(signedSupportingTokens, TokenSecurityEvent.TokenUsage.SignedSupportingTokens);
- setTokenUsage(endorsingSupportingTokens, TokenSecurityEvent.TokenUsage.EndorsingSupportingTokens);
- setTokenUsage(signedEndorsingSupportingTokens, TokenSecurityEvent.TokenUsage.SignedEndorsingSupportingTokens);
- setTokenUsage(signedEncryptedSupportingTokens, TokenSecurityEvent.TokenUsage.SignedEncryptedSupportingTokens);
- setTokenUsage(endorsingEncryptedSupportingTokens, TokenSecurityEvent.TokenUsage.EndorsingEncryptedSupportingTokens);
- setTokenUsage(signedEndorsingEncryptedSupportingTokens, TokenSecurityEvent.TokenUsage.SignedEndorsingEncryptedSupportingTokens);
- }
-
- private TokenSecurityEvent getTokenSecurityEvent(SecurityToken securityToken, List<TokenSecurityEvent> tokenSecurityEvents) {
- for (int i = 0; i < tokenSecurityEvents.size(); i++) {
- TokenSecurityEvent tokenSecurityEvent = tokenSecurityEvents.get(i);
- if (tokenSecurityEvent.getSecurityToken() == securityToken) {
- return tokenSecurityEvent;
- }
- }
- return null;
- }
-
- private SecurityToken getSupportingTokenSigningToken(
- List<TokenSecurityEvent> signedSupportingTokens,
- List<TokenSecurityEvent> signedEndorsingSupportingTokens,
- List<TokenSecurityEvent> signedEncryptedSupportingTokens,
- List<TokenSecurityEvent> signedEndorsingEncryptedSupportingTokens,
- Deque<SecurityEvent> securityEventDeque
- ) {
-
- //todo we have to check if the signingTokens also cover the other supporting tokens!
- for (int i = 0; i < signedSupportingTokens.size(); i++) {
- TokenSecurityEvent tokenSecurityEvent = signedSupportingTokens.get(i);
- List<SecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
- if (signingSecurityTokens.size() == 1) {
- return signingSecurityTokens.get(0);
- }
- }
- for (int i = 0; i < signedEndorsingSupportingTokens.size(); i++) {
- TokenSecurityEvent tokenSecurityEvent = signedEndorsingSupportingTokens.get(i);
- List<SecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
- if (signingSecurityTokens.size() == 1) {
- return signingSecurityTokens.get(0);
- }
- }
- for (int i = 0; i < signedEncryptedSupportingTokens.size(); i++) {
- TokenSecurityEvent tokenSecurityEvent = signedEncryptedSupportingTokens.get(i);
- List<SecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
- if (signingSecurityTokens.size() == 1) {
- return signingSecurityTokens.get(0);
- }
- }
- for (int i = 0; i < signedEndorsingEncryptedSupportingTokens.size(); i++) {
- TokenSecurityEvent tokenSecurityEvent = signedEndorsingEncryptedSupportingTokens.get(i);
- List<SecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
- if (signingSecurityTokens.size() == 1) {
- return signingSecurityTokens.get(0);
- }
- }
- return null;
- }
-
- private List<SecurityToken> getSigningToken(TokenSecurityEvent tokenSecurityEvent, Deque<SecurityEvent> securityEventDeque) {
- QName elementName = null;
- //todo element name in security Token?
- //todo the element name equality must be checked more precisely (inkl. path)!
- switch (tokenSecurityEvent.getSecurityEventType()) {
- case UsernameToken:
- elementName = WSSConstants.TAG_wsse_UsernameToken;
- break;
- case X509Token:
- //todo not always correct:
- elementName = WSSConstants.TAG_wsse_BinarySecurityToken;
- break;
- }
- if (elementName == null) {
- throw new RuntimeException("todo other token types...");
- }
-
- List<SecurityToken> signingSecurityTokens = new ArrayList<SecurityToken>();
-
- for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator(); iterator.hasNext(); ) {
- SecurityEvent securityEvent = iterator.next();
- if (securityEvent instanceof SignedElementSecurityEvent) {
- SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
- if (signedElementSecurityEvent.isSigned()
- && signedElementSecurityEvent.getElement().equals(elementName)) {
- signingSecurityTokens.add(signedElementSecurityEvent.getSecurityToken());
- }
- }
- }
- return signingSecurityTokens;
- }
-
- //todo overall linked-list and iterate with an iterator
- private void setTokenUsage(List<TokenSecurityEvent> tokenSecurityEvents, TokenSecurityEvent.TokenUsage tokenUsage) {
- for (int i = 0; i < tokenSecurityEvents.size(); i++) {
- TokenSecurityEvent tokenSecurityEvent = tokenSecurityEvents.get(i);
- tokenSecurityEvent.setTokenUsage(tokenUsage);
- }
- }
-
- private List<SecurityToken> isSignedToken(TokenSecurityEvent tokenSecurityEvent, Deque<SecurityEvent> securityEventDeque) {
- List<SecurityToken> securityTokenList = new ArrayList<SecurityToken>();
- for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator(); iterator.hasNext(); ) {
- SecurityEvent securityEvent = iterator.next();
- //todo it is probably better to use the EventType Enum instead of InstanceOf?
- if (securityEvent instanceof SignedElementSecurityEvent) {
- SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
- //todo the element name equality must be checked more precisely (inkl. path)!
- if (signedElementSecurityEvent.isSigned()
- //todo element name in security Tokem?
- && tokenSecurityEvent instanceof UsernameTokenSecurityEvent
- && WSSConstants.TAG_wsse_UsernameToken.equals(signedElementSecurityEvent.getElement())) {
-
- if (!securityTokenList.contains(signedElementSecurityEvent.getSecurityToken())) {
- securityTokenList.add(signedElementSecurityEvent.getSecurityToken());
- }
- }
- }
- }
- return securityTokenList;
- }
-
- private List<SecurityToken> getElementSigningToken(QName element, Deque<SecurityEvent> securityEventDeque) {
- List<SecurityToken> securityTokenList = new ArrayList<SecurityToken>();
- for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator(); iterator.hasNext(); ) {
- SecurityEvent securityEvent = iterator.next();
- //todo it is probably better to use the EventType Enum instead of InstanceOf?
- if (securityEvent instanceof SignedElementSecurityEvent) {
- SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
- //todo the element name equality must be checked more precisely (inkl. path)!
- if (signedElementSecurityEvent.isSigned()
- && element.equals(signedElementSecurityEvent.getElement())) {
- if (!securityTokenList.contains(signedElementSecurityEvent.getSecurityToken())) {
- securityTokenList.add(signedElementSecurityEvent.getSecurityToken());
- }
- }
- }
- }
- return securityTokenList;
- }
-
- private boolean signsElement(TokenSecurityEvent tokenSecurityEvent, QName element, Deque<SecurityEvent> securityEventDeque) {
- for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator(); iterator.hasNext(); ) {
- SecurityEvent securityEvent = iterator.next();
- //todo it is probably better to use the EventType Enum instead of InstanceOf?
- if (securityEvent instanceof SignedElementSecurityEvent) {
- SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
- //todo the element name equality must be checked more precisely (inkl. path)!
- if (signedElementSecurityEvent.isSigned()
- && signedElementSecurityEvent.getSecurityToken() == tokenSecurityEvent.getSecurityToken()
- && element.equals(signedElementSecurityEvent.getElement())) {
- return true;
- }
- }
- }
- return false;
- }
-
/**
* the final Policy validation to find a satisfied alternative
*
@@ -701,8 +459,4 @@ public class PolicyEnforcer implements S
public void doFinal() throws WSSPolicyException {
verifyPolicy();
}
-
- public boolean isTransportSecurityActive() {
- return transportSecurityActive;
- }
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcerFactory.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcerFactory.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcerFactory.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcerFactory.java Wed Feb 29 20:54:51 2012
@@ -18,30 +18,6 @@
*/
package org.swssf.policy;
-import java.net.URL;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-
-import javax.wsdl.Binding;
-import javax.wsdl.BindingOperation;
-import javax.wsdl.Definition;
-import javax.wsdl.Operation;
-import javax.wsdl.Port;
-import javax.wsdl.PortType;
-import javax.wsdl.Service;
-import javax.wsdl.WSDLElement;
-import javax.wsdl.WSDLException;
-import javax.wsdl.extensions.ExtensibilityElement;
-import javax.wsdl.extensions.UnknownExtensibilityElement;
-import javax.wsdl.extensions.soap.SOAPOperation;
-import javax.wsdl.extensions.soap12.SOAP12Operation;
-import javax.wsdl.factory.WSDLFactory;
-import javax.wsdl.xml.WSDLReader;
-import javax.xml.namespace.QName;
-
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.neethi.Policy;
@@ -52,6 +28,17 @@ import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
+import javax.wsdl.*;
+import javax.wsdl.extensions.ExtensibilityElement;
+import javax.wsdl.extensions.UnknownExtensibilityElement;
+import javax.wsdl.extensions.soap.SOAPOperation;
+import javax.wsdl.extensions.soap12.SOAP12Operation;
+import javax.wsdl.factory.WSDLFactory;
+import javax.wsdl.xml.WSDLReader;
+import javax.xml.namespace.QName;
+import java.net.URL;
+import java.util.*;
+
/**
* PolicyEnforcerFactory builds a map of all the possible effective Policies
* and caches them for reuse
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyInputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyInputProcessor.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyInputProcessor.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyInputProcessor.java Wed Feb 29 20:54:51 2012
@@ -41,8 +41,6 @@ import javax.xml.stream.events.XMLEvent;
public class PolicyInputProcessor extends AbstractInputProcessor {
private PolicyEnforcer policyEnforcer;
- private boolean firstHeaderCall = true;
- private boolean firstBodyCall = true;
public PolicyInputProcessor(PolicyEnforcer policyEnforcer, XMLSecurityProperties securityProperties) {
super(securityProperties);
@@ -53,29 +51,25 @@ public class PolicyInputProcessor extend
@Override
public XMLEvent processNextHeaderEvent(InputProcessorChain inputProcessorChain) throws XMLStreamException, XMLSecurityException {
- if (firstHeaderCall) {
- firstHeaderCall = false;
- if (policyEnforcer.isTransportSecurityActive()) {
- inputProcessorChain.getDocumentContext().setIsInEncryptedContent();
- inputProcessorChain.getDocumentContext().setIsInSignedContent();
- }
- }
XMLEvent xmlEvent = inputProcessorChain.processHeaderEvent();
//test if non encrypted element have to be encrypted per policy
- if (!inputProcessorChain.getDocumentContext().isInEncryptedContent() && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSecurityHeader()) {
+ boolean transportSecurityActive = Boolean.TRUE == inputProcessorChain.getSecurityContext().get(WSSConstants.TRANSPORT_SECURITY_ACTIVE);
+ if (!transportSecurityActive
+ && !inputProcessorChain.getDocumentContext().isInEncryptedContent()
+ && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSecurityHeader()) {
testEncryptionPolicy(xmlEvent, inputProcessorChain);
}
if (xmlEvent.isStartElement() && inputProcessorChain.getDocumentContext().getDocumentLevel() == 3 && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPHeader()) {
RequiredPartSecurityEvent requiredPartSecurityEvent = new RequiredPartSecurityEvent();
- requiredPartSecurityEvent.setElement(xmlEvent.asStartElement().getName());
+ requiredPartSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
policyEnforcer.registerSecurityEvent(requiredPartSecurityEvent);
RequiredElementSecurityEvent requiredElementSecurityEvent = new RequiredElementSecurityEvent();
- requiredElementSecurityEvent.setElement(xmlEvent.asStartElement().getName());
+ requiredElementSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
policyEnforcer.registerSecurityEvent(requiredElementSecurityEvent);
} else if (xmlEvent.isStartElement() && inputProcessorChain.getDocumentContext().getDocumentLevel() > 3) {
//test for required elements
RequiredElementSecurityEvent requiredElementSecurityEvent = new RequiredElementSecurityEvent();
- requiredElementSecurityEvent.setElement(xmlEvent.asStartElement().getName());
+ requiredElementSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
policyEnforcer.registerSecurityEvent(requiredElementSecurityEvent);
}
return xmlEvent;
@@ -83,22 +77,9 @@ public class PolicyInputProcessor extend
@Override
public XMLEvent processNextEvent(InputProcessorChain inputProcessorChain) throws XMLStreamException, XMLSecurityException {
- if (firstBodyCall) {
- firstBodyCall = false;
- if (policyEnforcer.isTransportSecurityActive()) {
- inputProcessorChain.getDocumentContext().setIsInEncryptedContent();
- inputProcessorChain.getDocumentContext().setIsInSignedContent();
- }
- }
XMLEvent xmlEvent = inputProcessorChain.processEvent();
- if (xmlEvent.isStartElement()) {
- if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 3 && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPBody()) {
- OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
- operationSecurityEvent.setOperation(xmlEvent.asStartElement().getName());
- policyEnforcer.registerSecurityEvent(operationSecurityEvent);
- }
- } else if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 0
+ if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 0
&& xmlEvent.isEndElement()
//ns mismatch should be detected by the xml parser so a local-name equality check should be enough
&& xmlEvent.asEndElement().getName().getLocalPart().equals(WSSConstants.TAG_soap_Envelope_LocalName)) {
@@ -112,17 +93,22 @@ public class PolicyInputProcessor extend
//test for required elements
if (xmlEvent.isStartElement() && inputProcessorChain.getDocumentContext().getDocumentLevel() > 3) {
RequiredElementSecurityEvent requiredElementSecurityEvent = new RequiredElementSecurityEvent();
- requiredElementSecurityEvent.setElement(xmlEvent.asStartElement().getName());
+ requiredElementSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
policyEnforcer.registerSecurityEvent(requiredElementSecurityEvent);
}
+ boolean transportSecurityActive = Boolean.TRUE == inputProcessorChain.getSecurityContext().get(WSSConstants.TRANSPORT_SECURITY_ACTIVE);
+
//test if non encrypted element have to be encrypted per policy
- if (!inputProcessorChain.getDocumentContext().isInEncryptedContent() && !((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSecurityHeader()) {
+ if (!transportSecurityActive
+ && !inputProcessorChain.getDocumentContext().isInEncryptedContent()
+ && !((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSecurityHeader()) {
testEncryptionPolicy(xmlEvent, inputProcessorChain);
}
//test if non signed element have to be signed per policy
- if (!inputProcessorChain.getDocumentContext().isInSignedContent()) {
+ if (!transportSecurityActive
+ && !inputProcessorChain.getDocumentContext().isInSignedContent()) {
testSignaturePolicy(inputProcessorChain, xmlEvent);
}
return xmlEvent;
@@ -131,17 +117,19 @@ public class PolicyInputProcessor extend
private void testSignaturePolicy(InputProcessorChain inputProcessorChain, XMLEvent xmlEvent) throws WSSecurityException {
if (xmlEvent.isStartElement()) {
- if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 3 && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPHeader()) {
+ if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 3
+ && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPHeader()) {
SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null, false);
- signedPartSecurityEvent.setElement(xmlEvent.asStartElement().getName());
+ signedPartSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
- } else if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 2 && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPBody()) {
+ } else if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 2
+ && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPBody()) {
SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null, false);
- signedPartSecurityEvent.setElement(xmlEvent.asStartElement().getName());
+ signedPartSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
} else if (inputProcessorChain.getDocumentContext().getDocumentLevel() > 3) {
SignedElementSecurityEvent signedElementSecurityEvent = new SignedElementSecurityEvent(null, false);
- signedElementSecurityEvent.setElement(xmlEvent.asStartElement().getName());
+ signedElementSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
policyEnforcer.registerSecurityEvent(signedElementSecurityEvent);
}
}
@@ -151,29 +139,36 @@ public class PolicyInputProcessor extend
//the following events are only interesting for policy verification. So call directly the policyEnforcer for these
if (xmlEvent.isStartElement()) {
- if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 3 && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPHeader()) {
- EncryptedPartSecurityEvent encryptedPartSecurityEvent = new EncryptedPartSecurityEvent(null, false, inputProcessorChain.getDocumentContext().isInSignedContent());
- encryptedPartSecurityEvent.setElement(xmlEvent.asStartElement().getName());
+ if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 3
+ && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPHeader()) {
+ EncryptedPartSecurityEvent encryptedPartSecurityEvent
+ = new EncryptedPartSecurityEvent(null, false, inputProcessorChain.getDocumentContext().isInSignedContent());
+ encryptedPartSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
policyEnforcer.registerSecurityEvent(encryptedPartSecurityEvent);
- } else if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 3 && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPBody()) {
- EncryptedPartSecurityEvent encryptedPartSecurityEvent = new EncryptedPartSecurityEvent(null, false, inputProcessorChain.getDocumentContext().isInSignedContent());
- encryptedPartSecurityEvent.setElement(inputProcessorChain.getDocumentContext().getParentElement(xmlEvent.getEventType()));
+ } else if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 3
+ && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPBody()) {
+ EncryptedPartSecurityEvent encryptedPartSecurityEvent
+ = new EncryptedPartSecurityEvent(null, false, inputProcessorChain.getDocumentContext().isInSignedContent());
+ encryptedPartSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
policyEnforcer.registerSecurityEvent(encryptedPartSecurityEvent);
} else if (inputProcessorChain.getDocumentContext().getDocumentLevel() > 3) {
- EncryptedElementSecurityEvent encryptedElementSecurityEvent = new EncryptedElementSecurityEvent(null, false, inputProcessorChain.getDocumentContext().isInSignedContent());
- encryptedElementSecurityEvent.setElement(xmlEvent.asStartElement().getName());
+ EncryptedElementSecurityEvent encryptedElementSecurityEvent
+ = new EncryptedElementSecurityEvent(null, false, inputProcessorChain.getDocumentContext().isInSignedContent());
+ encryptedElementSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
//... or it could be a contentEncryption too...
- ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent = new ContentEncryptedElementSecurityEvent(null, false, inputProcessorChain.getDocumentContext().isInSignedContent());
- contentEncryptedElementSecurityEvent.setElement(inputProcessorChain.getDocumentContext().getParentElement(xmlEvent.getEventType()));
+ ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent
+ = new ContentEncryptedElementSecurityEvent(null, false, inputProcessorChain.getDocumentContext().isInSignedContent());
+ contentEncryptedElementSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getParentElementPath(xmlEvent.getEventType()));
policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
}
} else if (xmlEvent.isCharacters() || xmlEvent.isEntityReference() || xmlEvent.isProcessingInstruction()) {
//can only be a content encryption
- ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent = new ContentEncryptedElementSecurityEvent(null, false, inputProcessorChain.getDocumentContext().isInSignedContent());
- contentEncryptedElementSecurityEvent.setElement(inputProcessorChain.getDocumentContext().getParentElement(xmlEvent.getEventType()));
+ ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent
+ = new ContentEncryptedElementSecurityEvent(null, false, inputProcessorChain.getDocumentContext().isInSignedContent());
+ contentEncryptedElementSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getParentElementPath(xmlEvent.getEventType()));
policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
}
}
Added: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyUtils.java?rev=1295267&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyUtils.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyUtils.java Wed Feb 29 20:54:51 2012
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.swssf.policy;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.ws.secpolicy.model.XPath;
+
+import javax.xml.namespace.QName;
+import java.util.LinkedList;
+import java.util.List;
+
+/**
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class PolicyUtils {
+
+ public static List<QName> getElementPath(XPath xPath) {
+ List<QName> elements = new LinkedList<QName>();
+ String[] xPathElements = xPath.getXPath().split("/");
+ for (int j = 0; j < xPathElements.length; j++) {
+ String xPathElement = xPathElements[j];
+ if (StringUtils.isEmpty(xPathElement)) {
+ continue;
+ }
+ String[] elementParts = xPathElement.split(":");
+ if (elementParts.length == 2) {
+ String ns = xPath.getPrefixNamespaceMap().get(elementParts[0]);
+ if (ns == null) {
+ throw new IllegalArgumentException("Namespace not declared");
+ }
+ elements.add(new QName(ns, elementParts[1]));
+ } else {
+ elements.add(new QName(elementParts[0]));
+ }
+ }
+ return elements;
+ }
+}
Propchange: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyUtils.java
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision