You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-commits@axis.apache.org by bi...@apache.org on 2020/04/15 16:08:48 UTC
[axis-axis2-java-rampart] 05/18: RAMPART-278: Merged r1052172 and
r1052173 to the 1.5 branch.
This is an automated email from the ASF dual-hosted git repository.
billblough pushed a commit to branch 1_5_x
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
commit 2b0e5e8f30bcfd051294efec65f227376de806b2
Author: Andreas Veithen <ve...@apache.org>
AuthorDate: Tue Oct 18 22:04:37 2011 +0000
RAMPART-278: Merged r1052172 and r1052173 to the 1.5 branch.
---
.../rampart/PolicyBasedResultsValidator.java | 46 ++++++---
.../java/org/apache/rampart/util/Axis2Util.java | 4 +-
modules/rampart-integration/pom.xml | 6 ++
.../test/java/org/apache/rampart/RampartTest.java | 15 ++-
.../src/test/resources/rampart/policy/31.xml | 75 ++++++++++++++
.../src/test/resources/rampart/services-31.xml | 111 +++++++++++++++++++++
6 files changed, 241 insertions(+), 16 deletions(-)
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java b/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
index 4cc430b..24db745 100644
--- a/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
@@ -31,6 +31,7 @@ import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
import org.jaxen.XPath;
import org.jaxen.JaxenException;
@@ -555,16 +556,34 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
Vector actuallySigned = new Vector();
if (actionResults != null) {
for (int j = 0; j < actionResults.length; j++) {
+
WSSecurityEngineResult actionResult = actionResults[j];
- Set signedIDs = (Set) actionResult
- .get(WSSecurityEngineResult.TAG_SIGNED_ELEMENT_IDS);
- for (Iterator i = signedIDs.iterator(); i.hasNext();) {
- String e = (String) i.next();
-
- Element element = WSSecurityUtil.findElementById(envelope, e,
- WSConstants.WSU_NS);
- actuallySigned.add(element);
+ List wsDataRefs = (List)actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
+
+ // if header was encrypted before it was signed, protected
+ // element is 'EncryptedHeader.' the actual element is
+ // first child element
+
+ for (Iterator k = wsDataRefs.iterator(); k.hasNext();) {
+ WSDataRef wsDataRef = (WSDataRef)k.next();
+ Element protectedElement = wsDataRef.getProtectedElement();
+ if (protectedElement.getLocalName().equals("EncryptedHeader")) {
+ NodeList nodeList = protectedElement.getChildNodes();
+ for (int x = 0; x < nodeList.getLength(); x++) {
+ if (nodeList.item(x).getNodeType() == Node.ELEMENT_NODE) {
+ String ns = ((Element)nodeList.item(x)).getNamespaceURI();
+ String ln = ((Element)nodeList.item(x)).getLocalName();
+ actuallySigned.add(new QName(ns,ln));
+ break;
+ }
+ }
+ } else {
+ String ns = protectedElement.getNamespaceURI();
+ String ln = protectedElement.getLocalName();
+ actuallySigned.add(new QName(ns,ln));
+ }
}
+
}
}
@@ -573,15 +592,15 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
if (wsep.getType() == WSConstants.PART_TYPE_BODY) {
- Element body;
+ QName bodyQName;
if (WSConstants.URI_SOAP11_ENV.equals(envelope.getNamespaceURI())) {
- body = WSSecurityUtil.findBodyElement(rmd.getDocument(), new SOAP11Constants());
+ bodyQName = new SOAP11Constants().getBodyQName();
} else {
- body = WSSecurityUtil.findBodyElement(rmd.getDocument(), new SOAP12Constants());
+ bodyQName = new SOAP12Constants().getBodyQName();
}
- if (!actuallySigned.contains(body) && !rmd.getPolicyData().isSignBodyOptional()) {
+ if (!actuallySigned.contains(bodyQName) && !rmd.getPolicyData().isSignBodyOptional()) {
// soap body is not signed
throw new RampartException("bodyNotSigned");
}
@@ -591,6 +610,7 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
Element element = (Element) WSSecurityUtil.findElement(
envelope, wsep.getName(), wsep.getNamespace() );
+
if( element == null ) {
// The signedpart header or element we are checking is not present in
// soap envelope - this is allowed
@@ -598,7 +618,7 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
}
// header or the element present in soap envelope - verify that it is part of signature
- if( actuallySigned.contains( element) ) {
+ if( actuallySigned.contains( new QName(element.getNamespaceURI(), element.getLocalName())) ) {
continue;
}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java b/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java
index 2de1406..b974cdb 100644
--- a/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java
@@ -205,7 +205,9 @@ public class Axis2Util {
OMNamespace ns = (OMNamespace) nsIter.next();
header.declareNamespace(ns);
}
- Iterator children = element.getChildElements();
+ // retrieve all child nodes (including any text nodes)
+ // and re-attach to header block
+ Iterator children = element.getChildren();
while (children.hasNext()) {
OMNode child = (OMNode)children.next();
children.remove();
diff --git a/modules/rampart-integration/pom.xml b/modules/rampart-integration/pom.xml
index b465196..68b1e0d 100644
--- a/modules/rampart-integration/pom.xml
+++ b/modules/rampart-integration/pom.xml
@@ -249,6 +249,12 @@
<copy overwrite="yes" file="src/test/resources/rampart/services-30.xml" tofile="target/temp-ramp/META-INF/services.xml" />
<jar jarfile="target/test-resources/rampart_service_repo/services/SecureService30.aar" basedir="target/temp-ramp" />
+ <!-- Service 31 -->
+ <copy overwrite="yes"
+ file="src/test/resources/rampart/services-31.xml"
+ tofile="target/temp-ramp/META-INF/services.xml"/>
+ <jar jarfile="target/test-resources/rampart_service_repo/services/SecureService31.aar"
+ basedir="target/temp-ramp"/>
<!-- Service SC-1 -->
<copy overwrite="yes" file="src/test/resources/rampart/issuer.properties" tofile="target/temp-ramp/issuer.properties" />
diff --git a/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java b/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java
index 8b0b84f..34c8f2b 100644
--- a/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java
+++ b/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java
@@ -21,6 +21,8 @@ import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
+import org.apache.axiom.om.util.AXIOMUtil;
+import org.apache.axiom.soap.SOAPHeaderBlock;
import org.apache.axis2.Constants;
import org.apache.axis2.AxisFault;
import org.apache.axis2.addressing.EndpointReference;
@@ -77,7 +79,7 @@ public class RampartTest extends TestCase {
"Unlimited Strength Jurisdiction Policy !!!");
}
- for (int i = 1; i <= 30; i++) { //<-The number of tests we have
+ for (int i = 1; i <= 31; i++) { //<-The number of tests we have
if(!basic256Supported && (i == 3 || i == 4 || i == 5)) {
//Skip the Basic256 tests
continue;
@@ -106,7 +108,16 @@ public class RampartTest extends TestCase {
context.setProperty(RampartMessageData.KEY_RAMPART_POLICY,
loadPolicy("/rampart/policy/" + i + ".xml"));
serviceClient.setOptions(options);
-
+
+ if (i == 31) {
+ OMNamespace omNamespace = OMAbstractFactory.getOMFactory().createOMNamespace(
+ "http://sample.com", "myNs");
+ SOAPHeaderBlock header = OMAbstractFactory.getSOAP12Factory()
+ .createSOAPHeaderBlock("VitalHeader", omNamespace);
+ header.addChild(AXIOMUtil.stringToOM("<foo>This is a sample Header</foo>"));
+ serviceClient.addHeader(header);
+ }
+
// Invoking the serive in the TestCase-28 should fail. So handling it differently..
if (i == 28) {
try {
diff --git a/modules/rampart-integration/src/test/resources/rampart/policy/31.xml b/modules/rampart-integration/src/test/resources/rampart/policy/31.xml
new file mode 100644
index 0000000..8559f1f
--- /dev/null
+++ b/modules/rampart-integration/src/test/resources/rampart/policy/31.xml
@@ -0,0 +1,75 @@
+<wsp:Policy wsu:Id="EncrSig" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Strict/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:EncryptBeforeSigning />
+ <sp:OnlySignEntireHeadersAndBody/>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier/>
+ <sp:MustSupportRefIssuerSerial/>
+ </wsp:Policy>
+ </sp:Wss10>
+ <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <sp:Body/>
+ <sp:Header Name="VitalHeader" Namespace="http://sample.com"/>
+ </sp:SignedParts>
+ <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <sp:Body/>
+ <sp:Header Name="VitalHeader" Namespace="http://sample.com"/>
+ </sp:EncryptedParts>
+ <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
+ <ramp:user>alice</ramp:user>
+ <ramp:encryptionUser>bob</ramp:encryptionUser>
+ <ramp:passwordCallbackClass>org.apache.rampart.PWCallback</ramp:passwordCallbackClass>
+
+ <ramp:signatureCrypto>
+ <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+ </ramp:crypto>
+ </ramp:signatureCrypto>
+ <ramp:encryptionCypto>
+ <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+ </ramp:crypto>
+ </ramp:encryptionCypto>
+ </ramp:RampartConfig>
+ </wsp:All>
+ </wsp:ExactlyOne>
+</wsp:Policy>
diff --git a/modules/rampart-integration/src/test/resources/rampart/services-31.xml b/modules/rampart-integration/src/test/resources/rampart/services-31.xml
new file mode 100644
index 0000000..53bc982
--- /dev/null
+++ b/modules/rampart-integration/src/test/resources/rampart/services-31.xml
@@ -0,0 +1,111 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ !
+ ! Copyright 2006 The Apache Software Foundation.
+ !
+ ! Licensed under the Apache License, Version 2.0 (the "License");
+ ! you may not use this file except in compliance with the License.
+ ! You may obtain a copy of the License at
+ !
+ ! http://www.apache.org/licenses/LICENSE-2.0
+ !
+ ! Unless required by applicable law or agreed to in writing, software
+ ! distributed under the License is distributed on an "AS IS" BASIS,
+ ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ! See the License for the specific language governing permissions and
+ ! limitations under the License.
+ !-->
+<service name="SecureService31">
+
+ <module ref="addressing"/>
+ <module ref="rampart"/>
+
+ <parameter locked="false" name="ServiceClass">org.apache.rampart.Service</parameter>
+
+ <operation name="echo">
+ <messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
+ <actionMapping>urn:echo</actionMapping>
+ </operation>
+
+ <operation name="returnError">
+ <messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
+ <actionMapping>urn:returnError</actionMapping>
+ </operation>
+
+ <wsp:Policy wsu:Id="EncrSig" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Strict/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:EncryptBeforeSigning />
+ <sp:OnlySignEntireHeadersAndBody/>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier/>
+ <sp:MustSupportRefIssuerSerial/>
+ </wsp:Policy>
+ </sp:Wss10>
+ <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <sp:Body/>
+ <sp:Header Name="VitalHeader" Namespace="http://sample.com"/>
+ </sp:SignedParts>
+ <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <sp:Body/>
+ <sp:Header Name="VitalHeader" Namespace="http://sample.com"/>
+ </sp:EncryptedParts>
+
+ <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
+ <ramp:user>alice</ramp:user>
+ <ramp:encryptionUser>bob</ramp:encryptionUser>
+ <ramp:passwordCallbackClass>org.apache.rampart.PWCallback</ramp:passwordCallbackClass>
+
+ <ramp:signatureCrypto>
+ <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+ </ramp:crypto>
+ </ramp:signatureCrypto>
+ <ramp:encryptionCypto>
+ <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+ </ramp:crypto>
+ </ramp:encryptionCypto>
+ </ramp:RampartConfig>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+</service>