Posted to commits@cxf.apache.org by dk...@apache.org on 2009/03/09 22:03:29 UTC
svn commit: r751832 - in /cxf/trunk:
api/src/main/java/org/apache/cxf/ws/policy/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/
rt/ws/security/src/main/java/org/apache/c...
Author: dkulp
Date: Mon Mar 9 21:03:28 2009
New Revision: 751832
URL: http://svn.apache.org/viewvc?rev=751832&view=rev
Log:
Start progressing toward a cancel operation
Make some things optional if they are marked optional
Modified:
cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/PolicyConstants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorTokenBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/IssuedTokenBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KeyValueTokenBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SecureConversationTokenBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/UsernameTokenBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/X509TokenBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Modified: cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/PolicyConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/PolicyConstants.java?rev=751832&r1=751831&r2=751832&view=diff
==============================================================================
--- cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/PolicyConstants.java (original)
+++ cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/PolicyConstants.java Mon Mar 9 21:03:28 2009
@@ -120,7 +120,14 @@
}
}
-
+ public static boolean isOptional(Element e) {
+ Attr at = findOptionalAttribute(e);
+ if (at != null) {
+ String v = at.getValue();
+ return "true".equalsIgnoreCase(v) || "1".equals(v);
+ }
+ return false;
+ }
public static Attr findOptionalAttribute(Element e) {
NamedNodeMap atts = e.getAttributes();
for (int x = 0; x < atts.getLength(); x++) {
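Review bot: isOptional has no Javadoc, and the acceptance of `"1"` and any-case `"true"` is exactly the detail a reader of the token builders will look for; add `/** Returns true when {@code e} carries a wsp:Optional attribute whose value is the xs:boolean true ("true" in any case, or "1"); an absent attribute or any other value means the assertion is required. */` above the method. The method also passes a null `e` straight into findOptionalAttribute, which dereferences it at `e.getAttributes()`; if the builders can ever be handed a null element, `if (e == null) { return false; }` is a cheaper failure than the NullPointerException. findOptionalAttribute's body continues outside the hunk.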
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=751832&r1=751831&r2=751832&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java Mon Mar 9 21:03:28 2009
@@ -59,6 +59,7 @@
public static final String STS_TOKEN_USERNAME = "ws-security.sts.token.username";
+ public static final String STS_TOKEN_CONTEXT_TOKEN = "ws-security.sts.token.context.token";
public static final Set<String> ALL_PROPERTIES;
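Review bot: The new STS_TOKEN_CONTEXT_TOKEN key has no comment saying what it carries, and unlike the username property beside it the value is an object rather than a string: in this commit STSClient.cancelSecurityToken stores a SecurityToken under it and TransportBindingHandler casts the contextual property back to SecurityToken. Record that next to the constant, e.g. `/** Request-context key whose value is the SecurityToken (not a String) that is being cancelled or used to endorse the outgoing message. */`. Whether ALL_PROPERTIES, declared on the next line, should list the new key cannot be judged here because its initializer is outside the hunk.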
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java?rev=751832&r1=751831&r2=751832&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/HttpsTokenBuilder.java Mon Mar 9 21:03:28 2009
@@ -68,7 +68,8 @@
HttpsToken httpsToken = new HttpsToken(consts);
-
+ httpsToken.setOptional(PolicyConstants.isOptional(element));
+
if (consts.getVersion() == SPConstants.Version.SP_V11) {
String attr = DOMUtils.getAttribute(element,
SPConstants.REQUIRE_CLIENT_CERTIFICATE);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorTokenBuilder.java?rev=751832&r1=751831&r2=751832&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorTokenBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorTokenBuilder.java Mon Mar 9 21:03:28 2009
@@ -30,6 +30,7 @@
import org.apache.cxf.ws.policy.AssertionBuilder;
import org.apache.cxf.ws.policy.PolicyAssertion;
import org.apache.cxf.ws.policy.PolicyBuilder;
+import org.apache.cxf.ws.policy.PolicyConstants;
import org.apache.cxf.ws.security.policy.SP11Constants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
@@ -58,6 +59,7 @@
? SP11Constants.INSTANCE : SP12Constants.INSTANCE;
InitiatorToken initiatorToken = new InitiatorToken(consts);
+ initiatorToken.setOptional(PolicyConstants.isOptional(element));
Policy policy = builder.getPolicy(DOMUtils.getFirstElement(element));
policy = (Policy)policy.normalize(false);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/IssuedTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/IssuedTokenBuilder.java?rev=751832&r1=751831&r2=751832&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/IssuedTokenBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/IssuedTokenBuilder.java Mon Mar 9 21:03:28 2009
@@ -30,6 +30,7 @@
import org.apache.cxf.ws.policy.AssertionBuilder;
import org.apache.cxf.ws.policy.PolicyAssertion;
import org.apache.cxf.ws.policy.PolicyBuilder;
+import org.apache.cxf.ws.policy.PolicyConstants;
import org.apache.cxf.ws.security.policy.SP11Constants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
@@ -62,6 +63,7 @@
IssuedToken issuedToken = new IssuedToken(consts);
+ issuedToken.setOptional(PolicyConstants.isOptional(element));
String includeAttr = DOMUtils.getAttribute(element, consts.getIncludeToken());
if (includeAttr != null) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KeyValueTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KeyValueTokenBuilder.java?rev=751832&r1=751831&r2=751832&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KeyValueTokenBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/KeyValueTokenBuilder.java Mon Mar 9 21:03:28 2009
@@ -51,7 +51,8 @@
? SP11Constants.INSTANCE : SP12Constants.INSTANCE;
KeyValueToken token = new KeyValueToken(consts);
-
+ token.setOptional(PolicyConstants.isOptional(element));
+
String attribute = element.getAttributeNS(element.getNamespaceURI(), SPConstants.ATTR_INCLUDE_TOKEN);
if (StringUtils.isEmpty(attribute)) {
attribute = element.getAttributeNS(consts.getNamespace(), SPConstants.ATTR_INCLUDE_TOKEN);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SecureConversationTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SecureConversationTokenBuilder.java?rev=751832&r1=751831&r2=751832&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SecureConversationTokenBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SecureConversationTokenBuilder.java Mon Mar 9 21:03:28 2009
@@ -57,6 +57,7 @@
SecureConversationToken conversationToken = new SecureConversationToken(consts);
+ conversationToken.setOptional(PolicyConstants.isOptional(element));
String attribute = DOMUtils.getAttribute(element, consts.getIncludeToken());
if (attribute == null) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/UsernameTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/UsernameTokenBuilder.java?rev=751832&r1=751831&r2=751832&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/UsernameTokenBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/UsernameTokenBuilder.java Mon Mar 9 21:03:28 2009
@@ -51,6 +51,7 @@
? SP11Constants.INSTANCE : SP12Constants.INSTANCE;
UsernameToken usernameToken = new UsernameToken(consts);
+ usernameToken.setOptional(PolicyConstants.isOptional(element));
String attribute = element.getAttributeNS(element.getNamespaceURI(), SPConstants.ATTR_INCLUDE_TOKEN);
if (attribute != null) {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/X509TokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/X509TokenBuilder.java?rev=751832&r1=751831&r2=751832&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/X509TokenBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/X509TokenBuilder.java Mon Mar 9 21:03:28 2009
@@ -30,6 +30,7 @@
import org.apache.cxf.ws.policy.AssertionBuilder;
import org.apache.cxf.ws.policy.PolicyAssertion;
import org.apache.cxf.ws.policy.PolicyBuilder;
+import org.apache.cxf.ws.policy.PolicyConstants;
import org.apache.cxf.ws.security.policy.SP11Constants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
@@ -53,6 +54,7 @@
SPConstants consts = SP11Constants.SP_NS.equals(element.getNamespaceURI())
? SP11Constants.INSTANCE : SP12Constants.INSTANCE;
X509Token x509Token = new X509Token(consts);
+ x509Token.setOptional(PolicyConstants.isOptional(element));
Element policyElement = DOMUtils.getFirstElement(element);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java?rev=751832&r1=751831&r2=751832&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java Mon Mar 9 21:03:28 2009
@@ -116,11 +116,10 @@
Policy policy;
String soapVersion = SoapBindingConstants.SOAP11_BINDING_ID;
int keySize = 256;
- Trust10 trust10;
- Trust13 trust13;
+ boolean requiresEntropy = true;
Element template;
AlgorithmSuite algorithmSuite;
- String namespace = STSUtils.WST_NS_05_02;
+ String namespace = STSUtils.WST_NS_05_12;
String addressingNamespace;
boolean isSecureConv;
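Review bot: Two defaults change behaviour for callers that never call setTrust, and neither is mentioned in the log: the namespace field now starts at `STSUtils.WST_NS_05_12` instead of `WST_NS_05_02`, and `boolean requiresEntropy = true` means client entropy is sent where the old `trust10 == null && trust13 == null` case sent none. If that is the intent, say so on the field, e.g. `boolean requiresEntropy = true; // WS-Trust 1.3 defaults; overridden by setTrust(Trust10/Trust13)`. In the setTrust hunk further down, a null argument now leaves requiresEntropy and namespace at whatever they were, whereas the removed assignments cleared the stored assertion, so callers that reset with null get a different result than before.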
@@ -178,15 +177,23 @@
public void setTrust(Trust10 trust) {
if (trust != null) {
namespace = STSUtils.WST_NS_05_02;
+ requiresEntropy = trust.isRequireClientEntropy();
}
- trust10 = trust;
}
public void setTrust(Trust13 trust) {
if (trust != null) {
namespace = STSUtils.WST_NS_05_12;
+ requiresEntropy = trust.isRequireClientEntropy();
}
- trust13 = trust;
}
+ public boolean isRequiresEntropy() {
+ return requiresEntropy;
+ }
+
+ public void setRequiresEntropy(boolean requiresEntropy) {
+ this.requiresEntropy = requiresEntropy;
+ }
+
public boolean isSecureConv() {
return isSecureConv;
}
@@ -328,8 +335,7 @@
writer.writeEndElement();
}
- if ((trust10 != null && trust10.isRequireClientEntropy())
- || (trust13 != null && trust13.isRequireClientEntropy())) {
+ if (requiresEntropy) {
writer.writeStartElement("wst", "Entropy", namespace);
writer.writeStartElement("wst", "BinarySecret", namespace);
writer.writeAttribute("Type", namespace + "/Nonce");
@@ -390,7 +396,34 @@
}
requestSecurityToken(tok.getIssuerAddress(), action, "/Renew", tok);
}
-
+ public void cancelSecurityToken(SecurityToken token) throws Exception {
+ createClient();
+
+ client.getRequestContext().putAll(ctx);
+ client.getRequestContext().put(SecurityConstants.STS_TOKEN_CONTEXT_TOKEN, token);
+ BindingOperationInfo boi = findOperation("/RST/Cancel");
+
+ W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
+ writer.writeStartElement("wst", "RequestSecurityToken", namespace);
+ writer.writeStartElement("wst", "RequestType", namespace);
+ writer.writeCharacters(namespace + "/Cancel");
+ writer.writeEndElement();
+
+ writer.writeStartElement("wst", "CancelTarget", namespace);
+ Element el = token.getUnattachedReference();
+ if (el == null) {
+ el = token.getAttachedReference();
+ }
+ StaxUtils.copy(el, writer);
+
+ writer.writeEndElement();
+ writer.writeEndElement();
+
+ Object obj[] = client.invoke(boi,
+ new DOMSource(writer.getDocument().getDocumentElement()));
+ System.out.println(obj);
+ }
+
private String writeKeyType(W3CDOMStreamWriter writer, String keyType) throws XMLStreamException {
if (isSecureConv) {
addLifetime(writer);
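Review bot: cancelSecurityToken discards the STS's answer: the result of `client.invoke` goes to `System.out.println(obj)`, which prints an array reference rather than the response, and the method returns normally whether or not the STS actually cancelled the token, so a caller cannot tell a refused cancel from a successful one and may keep treating a live token as revoked. The CancelTarget is also written without checking `el`: a token that has neither an unattached nor an attached reference reaches `StaxUtils.copy(el, writer)` as null. Below is the tail of the method with both handled; the client setup and RequestType lines stay as they are.
```java
    public void cancelSecurityToken(SecurityToken token) throws Exception {
        // … unchanged: createClient(), request-context setup, findOperation, RequestType element …
        writer.writeStartElement("wst", "CancelTarget", namespace);
        Element el = token.getUnattachedReference();
        if (el == null) {
            el = token.getAttachedReference();
        }
        if (el == null) {
            throw new IllegalStateException("Token has no attached or unattached reference; cannot build CancelTarget");
        }
        StaxUtils.copy(el, writer);
        writer.writeEndElement();
        writer.writeEndElement();

        Object[] resp = client.invoke(boi,
                                      new DOMSource(writer.getDocument().getDocumentElement()));
        if (resp == null || resp.length == 0 || resp[0] == null) {
            throw new IllegalStateException("STS returned no RequestSecurityTokenResponse for the Cancel request");
        }
        // TODO(review): check the RSTR for wst:RequestedTokenCancelled before reporting success;
        // until then a refusal that is not raised as a SOAP fault goes unnoticed by the caller.
    }
```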
@@ -691,4 +724,5 @@
}
+
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java?rev=751832&r1=751831&r2=751832&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java Mon Mar 9 21:03:28 2009
@@ -84,18 +84,9 @@
QName iName = new QName(ns, "SecurityTokenService");
si.setName(iName);
InterfaceInfo ii = new InterfaceInfo(si, iName);
- OperationInfo oi = ii.addOperation(new QName(ns, "RequestSecurityToken"));
- MessageInfo mii = oi.createMessage(new QName(ns, "RequestSecurityTokenMsg"),
- MessageInfo.Type.INPUT);
- oi.setInput("RequestSecurityTokenMsg", mii);
- MessagePartInfo mpi = mii.addMessagePart("request");
- mpi.setElementQName(new QName(namespace, "RequestSecurityToken"));
- MessageInfo mio = oi.createMessage(new QName(ns, "RequestSecurityTokenResponseMsg"),
- MessageInfo.Type.OUTPUT);
- oi.setOutput("RequestSecurityTokenResponseMsg", mio);
- mpi = mio.addMessagePart("response");
- mpi.setElementQName(new QName(namespace, "RequestSecurityTokenResponse"));
+ OperationInfo ioi = addIssueOperation(ii, namespace, ns);
+ OperationInfo coi = addCancelOperation(ii, namespace, ns);
si.setInterface(ii);
service = new ServiceImpl(si);
@@ -117,7 +108,7 @@
si.addEndpoint(ei);
ei.addExtensor(policy);
- BindingOperationInfo boi = bi.getOperation(oi);
+ BindingOperationInfo boi = bi.getOperation(ioi);
SoapOperationInfo soi = boi.getExtensor(SoapOperationInfo.class);
if (soi == null) {
soi = new SoapOperationInfo();
@@ -125,8 +116,51 @@
}
soi.setAction(namespace + "/RST/Issue");
-
+ boi = bi.getOperation(coi);
+ soi = boi.getExtensor(SoapOperationInfo.class);
+ if (soi == null) {
+ soi = new SoapOperationInfo();
+ boi.addExtensor(soi);
+ }
+ soi.setAction(namespace + "/RST/Cancel");
service.setDataBinding(new SourceDataBinding());
return new EndpointImpl(bus, service, ei);
}
+
+ private static OperationInfo addIssueOperation(InterfaceInfo ii,
+ String namespace,
+ String servNamespace) {
+ OperationInfo oi = ii.addOperation(new QName(servNamespace, "RequestSecurityToken"));
+ MessageInfo mii = oi.createMessage(new QName(servNamespace, "RequestSecurityTokenMsg"),
+ MessageInfo.Type.INPUT);
+ oi.setInput("RequestSecurityTokenMsg", mii);
+ MessagePartInfo mpi = mii.addMessagePart("request");
+ mpi.setElementQName(new QName(namespace, "RequestSecurityToken"));
+
+ MessageInfo mio = oi.createMessage(new QName(servNamespace,
+ "RequestSecurityTokenResponseMsg"),
+ MessageInfo.Type.OUTPUT);
+ oi.setOutput("RequestSecurityTokenResponseMsg", mio);
+ mpi = mio.addMessagePart("response");
+ mpi.setElementQName(new QName(namespace, "RequestSecurityTokenResponse"));
+ return oi;
+ }
+ private static OperationInfo addCancelOperation(InterfaceInfo ii,
+ String namespace,
+ String servNamespace) {
+ OperationInfo oi = ii.addOperation(new QName(servNamespace, "CancelSecurityToken"));
+ MessageInfo mii = oi.createMessage(new QName(servNamespace, "CancelSecurityTokenMsg"),
+ MessageInfo.Type.INPUT);
+ oi.setInput("CancelSecurityTokenMsg", mii);
+ MessagePartInfo mpi = mii.addMessagePart("request");
+ mpi.setElementQName(new QName(namespace, "CancelSecurityToken"));
+
+ MessageInfo mio = oi.createMessage(new QName(servNamespace,
+ "CancelSecurityTokenResponseMsg"),
+ MessageInfo.Type.OUTPUT);
+ oi.setOutput("CancelSecurityTokenResponseMsg", mio);
+ mpi = mio.addMessagePart("response");
+ mpi.setElementQName(new QName(namespace, "CancelSecurityTokenResponse"));
+ return oi;
+ }
}
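Review bot: addIssueOperation and addCancelOperation are the same eighteen lines with one operation name swapped, so any later correction (a part name, a message type) has to be made twice; fold them into `private static OperationInfo addOperation(InterfaceInfo ii, String namespace, String servNamespace, String opName)` whose body is addIssueOperation's with `opName`, `opName + "Msg"`, `opName + "ResponseMsg"` and `opName + "Response"` in place of the literals, and call it as `addOperation(ii, namespace, ns, "RequestSecurityToken")` and `addOperation(ii, namespace, ns, "CancelSecurityToken")`. The two helpers also run together with no blank line at the `}` / `private static` boundary. The method that calls them begins before this section's first hunk.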
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=751832&r1=751831&r2=751832&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Mon Mar 9 21:03:28 2009
@@ -267,7 +267,9 @@
}
}
}
- throw new PolicyException(new Message(reason, LOG));
+ if (!assertion.isOptional()) {
+ throw new PolicyException(new Message(reason, LOG));
+ }
}
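Review bot: With the `!assertion.isOptional()` guard, policyNotAsserted can now return normally, so every caller that used the throw as its exit path continues with whatever state it had at that point; the `return null;` added after the username check later in this section and TransportBindingHandler's new `if (sig != null)` show two such sites were found, but callers outside this view are not touched by the commit and should be audited for the same pattern, since in a security binding a silent continuation means the token or signature the assertion asked for is simply not produced. Put the new contract on the method so the next caller knows: `/** Records the assertion as not asserted; throws PolicyException unless the assertion is marked wsp:Optional, in which case it returns normally and the caller must cope with the missing token. */`. The method's signature is outside the hunk.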
protected void policyAsserted(PolicyAssertion assertion) {
if (assertion == null) {
@@ -1134,6 +1136,7 @@
}
if (StringUtils.isEmpty(user)) {
policyNotAsserted(token, "No " + type + " username found.");
+ return null;
}
String password = getPassword(user, token, WSPasswordCallback.SIGNATURE);
@@ -1156,8 +1159,8 @@
}
protected void doEndorsedSignatures(Map<Token, WSSecBase> tokenMap,
- boolean isTokenProtection,
- boolean isSigProtect) {
+ boolean isTokenProtection,
+ boolean isSigProtect) {
for (Map.Entry<Token, WSSecBase> ent : tokenMap.entrySet()) {
WSSecBase tempTok = ent.getValue();
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=751832&r1=751831&r2=751832&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Mon Mar 9 21:03:28 2009
@@ -27,12 +27,16 @@
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import com.ibm.wsdl.util.xml.DOMUtils;
+
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.SPConstants.SupportTokenType;
import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
import org.apache.cxf.ws.security.policy.model.Header;
import org.apache.cxf.ws.security.policy.model.IssuedToken;
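Review bot: `import com.ibm.wsdl.util.xml.DOMUtils;` pulls an internal utility class of the WSDL4J implementation into the runtime security module, so the handler now compiles only against that provider's packaging and breaks if the artifact is excluded or swapped, while the other files in this commit use CXF's own helper (`DOMUtils.getFirstElement` in InitiatorTokenBuilder). Use `org.apache.cxf.helpers.DOMUtils` here as well, with its `getFirstElement` / `getNextElement` in place of `getFirstChildElement` / `getNextSiblingElement` in the new endorsing loop, and drop the IBM import. The new import also sits on its own between the `org.w3c` and `org.apache.cxf` groups, which is not how the file's other imports are grouped.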
@@ -101,7 +105,11 @@
}
}
-
+ private static void addSig(Vector<byte[]> signatureValues, byte[] val) {
+ if (val != null) {
+ signatureValues.add(val);
+ }
+ }
public void handleBinding() {
Collection<AssertionInfo> ais;
WSSecTimestamp timestamp = createTimestamp();
@@ -136,11 +144,14 @@
if (token instanceof IssuedToken
|| token instanceof SecureConversationToken
|| token instanceof KeyValueToken) {
- signatureValues.add(doIssuedTokenSignature(token, signdParts,
- sgndSuppTokens));
+ addSig(signatureValues, doIssuedTokenSignature(token, signdParts,
+ sgndSuppTokens,
+ null));
} else if (token instanceof X509Token
|| token instanceof KeyValueToken) {
- signatureValues.add(doX509TokenSignature(token, signdParts, sgndSuppTokens));
+ addSig(signatureValues, doX509TokenSignature(token,
+ signdParts,
+ sgndSuppTokens));
}
}
}
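Review bot: In the rewritten dispatch, the `else if (token instanceof X509Token || token instanceof KeyValueToken)` branch can never see a KeyValueToken, because the first branch's `token instanceof KeyValueToken` test already claims it, so key-value tokens always take the doIssuedTokenSignature path. The commit did not introduce that, but since it rewrites both branches it is the place to settle which path is meant and delete the other test; leaving both reads as if X509-style handling were reachable. handleBinding starts before this hunk and continues past it.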
@@ -159,30 +170,62 @@
ais = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
if (ais != null) {
- SupportingToken sgndSuppTokens = null;
+ SupportingToken endSuppTokens = null;
for (AssertionInfo ai : ais) {
- sgndSuppTokens = (SupportingToken)ai.getAssertion();
+ endSuppTokens = (SupportingToken)ai.getAssertion();
ai.setAsserted(true);
}
- if (sgndSuppTokens != null) {
- for (Token token : sgndSuppTokens.getTokens()) {
+ if (endSuppTokens != null) {
+ for (Token token : endSuppTokens.getTokens()) {
if (token instanceof IssuedToken
|| token instanceof SecureConversationToken) {
- signatureValues.add(doIssuedTokenSignature(token,
- sgndSuppTokens.getSignedParts(),
- sgndSuppTokens));
+ addSig(signatureValues, doIssuedTokenSignature(token,
+ endSuppTokens
+ .getSignedParts(),
+ endSuppTokens,
+ null));
} else if (token instanceof X509Token
|| token instanceof KeyValueToken) {
- signatureValues.add(doX509TokenSignature(token,
- sgndSuppTokens.getSignedParts(),
- sgndSuppTokens));
+ addSig(signatureValues, doX509TokenSignature(token,
+ endSuppTokens.getSignedParts(),
+ endSuppTokens));
}
}
}
-
}
-
+ SecurityToken token = (SecurityToken)message
+ .getContextualProperty(SecurityConstants.STS_TOKEN_CONTEXT_TOKEN);
+ if (token != null) {
+ SupportingToken endSuppTokens
+ = new SupportingToken(SupportTokenType.SUPPORTING_TOKEN_ENDORSING,
+ SP12Constants.INSTANCE);
+ SignedEncryptedParts signedParts = new SignedEncryptedParts(true,
+ SP12Constants.INSTANCE);
+ signedParts.setBody(true);
+ endSuppTokens.setSignedParts(signedParts);
+ //need to endorse everything
+ Element el = DOMUtils.getFirstChildElement(saaj.getSOAPHeader());
+ while (el != null) {
+ if (el != this.secHeader.getSecurityHeader()) {
+ signedParts.addHeader(new Header(el.getLocalName(),
+ el.getNamespaceURI()));
+ }
+ el = DOMUtils.getNextSiblingElement(el);
+ }
+ el = DOMUtils.getFirstChildElement(secHeader.getSecurityHeader());
+ while (el != null) {
+ if (timestamp != null && el != timestamp.getElement()) {
+ signedParts.addHeader(new Header(el.getLocalName(),
+ el.getNamespaceURI()));
+ }
+ el = DOMUtils.getNextSiblingElement(el);
+ }
+ addSig(signatureValues, doIssuedTokenSignature(new IssuedToken(SP12Constants.INSTANCE),
+ endSuppTokens.getSignedParts(),
+ endSuppTokens,
+ token));
+ }
ais = aim.get(SP12Constants.SUPPORTING_TOKENS);
if (ais != null) {
SupportingToken suppTokens = null;
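Review bot: In the loop over the Security header, `if (timestamp != null && el != timestamp.getElement())` is false for every element whenever there is no timestamp, so with `timestamp == null` nothing inside the Security header is added to signedParts, which contradicts the `//need to endorse everything` comment just above; it should read `if (timestamp == null || el != timestamp.getElement())`, the timestamp being excluded only because doIssuedTokenSignature adds `timestampEl` itself. The `(SecurityToken)message.getContextualProperty(...)` cast is unchecked, so a wrong object under the key surfaces as a ClassCastException deep in the handler rather than a clear message; a `instanceof` check with a Fault would be kinder. handleBinding starts before this hunk and continues past it.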
@@ -265,38 +308,53 @@
return dkSig.getSignatureValue();
} else {
WSSecSignature sig = getSignatureBuider(wrapper, token, false);
- sig.prependBSTElementToHeader(secHeader);
+ if (sig != null) {
+ sig.prependBSTElementToHeader(secHeader);
- sig.addReferencesToSign(sigParts, secHeader);
- insertBeforeBottomUp(sig.getSignatureElement());
+ sig.addReferencesToSign(sigParts, secHeader);
+ insertBeforeBottomUp(sig.getSignatureElement());
- sig.computeSignature();
+ sig.computeSignature();
- return sig.getSignatureValue();
+ return sig.getSignatureValue();
+ } else {
+ return null;
+ }
}
}
- private byte[] doIssuedTokenSignature(Token token, SignedEncryptedParts signdParts,
- TokenWrapper wrapper) throws Exception {
+ private byte[] doIssuedTokenSignature(Token token,
+ SignedEncryptedParts signdParts,
+ TokenWrapper wrapper,
+ SecurityToken securityTok) throws Exception {
Document doc = saaj.getSOAPPart();
//Get the issued token
- SecurityToken secTok = getSecurityToken();
+ SecurityToken secTok = securityTok;
+ if (secTok == null) {
+ secTok = getSecurityToken();
+ }
SPConstants.IncludeTokenType inclusion = token.getInclusion();
boolean tokenIncluded = false;
+ Vector<WSEncryptionPart> sigParts = new Vector<WSEncryptionPart>();
if (inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS
|| ((inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
|| inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE)
&& isRequestor())) {
//Add the token
- addEncyptedKeyElement(cloneElement(secTok.getToken()));
+ Element el = cloneElement(secTok.getToken());
+ if (securityTok != null) {
+ //do we need to sign this as well?
+ //String id = addWsuIdToElement(el);
+ //sigParts.add(new WSEncryptionPart(id));
+ }
+
+ addEncyptedKeyElement(el);
tokenIncluded = true;
}
-
- Vector<WSEncryptionPart> sigParts = new Vector<WSEncryptionPart>();
if (timestampEl != null) {
sigParts.add(new WSEncryptionPart(timestampEl.getId()));
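Review bot: The `if (securityTok != null) { … }` block after `cloneElement` contains only commented-out code, so the question it raises, whether the included token element must itself be covered by the endorsing signature on the new cancel path, is left open in the code rather than decided. Either delete the block or replace it with a single `// TODO: decide whether the included token element needs a wsu:Id and a signature reference when endorsing with a context token`; commented-out statements tend to outlive the decision and mislead about what is signed. doIssuedTokenSignature continues past the hunk.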
@@ -306,7 +364,8 @@
if (signdParts.isBody()) {
sigParts.add(new WSEncryptionPart(addWsuIdToElement(saaj.getSOAPBody())));
}
- if (secTok.getX509Certificate() != null) {
+ if (secTok.getX509Certificate() != null
+ || securityTok != null) {
//the "getX509Certificate" this is to workaround an issue in WCF
//In WCF, for TransportBinding, in most cases, it doesn't wan't any of
//the headers signed even if the policy sais so. HOWEVER, for KeyValue