Posted to commits@cxf.apache.org by co...@apache.org on 2011/12/08 14:29:05 UTC
svn commit: r1211875 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/
...
Author: coheigea
Date: Thu Dec 8 13:29:05 2011
New Revision: 1211875
URL: http://svn.apache.org/viewvc?rev=1211875&view=rev
Log:
[WSS-3960] - Patch for InitiatorSignatureToken Support in WS-Policy definition
- Patch applied (with some minor modifications), thanks.
- I added a systest.
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorSignatureTokenBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/InitiatorSignatureToken.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509Signature.wsdl
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java?rev=1211875&r1=1211874&r2=1211875&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java Thu Dec 8 13:29:05 2011
@@ -177,6 +177,9 @@ public final class SP11Constants extends
public static final QName INITIATOR_TOKEN = new QName(SP11Constants.SP_NS,
SPConstants.INITIATOR_TOKEN , SP11Constants.SP_PREFIX);
+
+ public static final QName INITIATOR_SIGNATURE_TOKEN = new QName(SP11Constants.SP_NS,
+ SPConstants.INITIATOR_SIGNATURE_TOKEN , SP11Constants.SP_PREFIX);
public static final QName RECIPIENT_TOKEN = new QName(SP11Constants.SP_NS,
SPConstants.RECIPIENT_TOKEN , SP11Constants.SP_PREFIX);
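Review bot: The new `INITIATOR_SIGNATURE_TOKEN` QName is minted in the SP 1.1 namespace (`SP11Constants.SP_NS`), yet as far as I recall the `InitiatorSignatureToken` assertion was introduced in WS-SecurityPolicy 1.2 and has no counterpart in the 1.1 specification; please confirm against the spec text. If that is right, a comment such as `// Not defined by WS-SecurityPolicy 1.1; provided for symmetry with SP12Constants only` above the constant would stop a reader from assuming 1.1 interop with other stacks for this element.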
@@ -342,6 +345,9 @@ public final class SP11Constants extends
public QName getInitiatorToken() {
return INITIATOR_TOKEN;
}
+ public QName getInitiatorSignatureToken() {
+ return INITIATOR_SIGNATURE_TOKEN;
+ }
public QName getIssuedToken() {
return ISSUED_TOKEN;
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java?rev=1211875&r1=1211874&r2=1211875&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java Thu Dec 8 13:29:05 2011
@@ -213,7 +213,10 @@ public final class SP12Constants extends
public static final QName INITIATOR_TOKEN = new QName(SP12Constants.SP_NS,
SPConstants.INITIATOR_TOKEN , SP12Constants.SP_PREFIX);
-
+
+ public static final QName INITIATOR_SIGNATURE_TOKEN = new QName(SP12Constants.SP_NS,
+ SPConstants.INITIATOR_SIGNATURE_TOKEN , SP12Constants.SP_PREFIX);
+
public static final QName RECIPIENT_TOKEN = new QName(SP12Constants.SP_NS,
SPConstants.RECIPIENT_TOKEN , SP12Constants.SP_PREFIX);
@@ -401,6 +404,9 @@ public final class SP12Constants extends
public QName getInitiatorToken() {
return INITIATOR_TOKEN;
}
+ public QName getInitiatorSignatureToken() {
+ return INITIATOR_SIGNATURE_TOKEN;
+ }
public QName getIssuedToken() {
return ISSUED_TOKEN;
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1211875&r1=1211874&r2=1211875&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java Thu Dec 8 13:29:05 2011
@@ -171,9 +171,9 @@ public abstract class SPConstants {
public static final String INITIATOR_TOKEN = "InitiatorToken";
- public static final String RECIPIENT_TOKEN = "RecipientToken";
-
+ public static final String INITIATOR_SIGNATURE_TOKEN = "InitiatorSignatureToken";
+ public static final String RECIPIENT_TOKEN = "RecipientToken";
public static final String SUPPORTING_TOKENS = "SupportingTokens";
@@ -439,6 +439,7 @@ public abstract class SPConstants {
public abstract QName getEncryptionToken();
public abstract QName getHttpsToken();
public abstract QName getInitiatorToken();
+ public abstract QName getInitiatorSignatureToken();
public abstract QName getIssuedToken();
public abstract QName getIncludeToken();
public abstract QName getLayout();
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java?rev=1211875&r1=1211874&r2=1211875&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java Thu Dec 8 13:29:05 2011
@@ -38,6 +38,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.builders.EncryptedElementsBuilder;
import org.apache.cxf.ws.security.policy.builders.EncryptedPartsBuilder;
import org.apache.cxf.ws.security.policy.builders.HttpsTokenBuilder;
+import org.apache.cxf.ws.security.policy.builders.InitiatorSignatureTokenBuilder;
import org.apache.cxf.ws.security.policy.builders.InitiatorTokenBuilder;
import org.apache.cxf.ws.security.policy.builders.IssuedTokenBuilder;
import org.apache.cxf.ws.security.policy.builders.KerberosTokenBuilder;
@@ -100,6 +101,7 @@ public final class WSSecurityPolicyLoade
reg.registerBuilder(new EncryptedPartsBuilder());
reg.registerBuilder(new HttpsTokenBuilder(pbuild));
reg.registerBuilder(new InitiatorTokenBuilder(pbuild));
+ reg.registerBuilder(new InitiatorSignatureTokenBuilder(pbuild));
reg.registerBuilder(new IssuedTokenBuilder(pbuild));
reg.registerBuilder(new LayoutBuilder());
reg.registerBuilder(new ProtectionTokenBuilder(pbuild));
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java?rev=1211875&r1=1211874&r2=1211875&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java Thu Dec 8 13:29:05 2011
@@ -32,6 +32,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
+import org.apache.cxf.ws.security.policy.model.InitiatorSignatureToken;
import org.apache.cxf.ws.security.policy.model.InitiatorToken;
import org.apache.cxf.ws.security.policy.model.Layout;
import org.apache.cxf.ws.security.policy.model.RecipientToken;
@@ -93,7 +94,10 @@ public class AsymmetricBindingBuilder im
if (SPConstants.INITIATOR_TOKEN.equals(name.getLocalPart())) {
asymmetricBinding.setInitiatorToken((InitiatorToken)assertion);
-
+
+ } else if (SPConstants.INITIATOR_SIGNATURE_TOKEN.equals(name.getLocalPart())) {
+ asymmetricBinding.setInitiatorSignatureToken((InitiatorSignatureToken)assertion);
+
} else if (SPConstants.RECIPIENT_TOKEN.equals(name.getLocalPart())) {
asymmetricBinding.setRecipientToken((RecipientToken)assertion);
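Review bot: The new branch lets one `sp:AsymmetricBinding` carry both an `sp:InitiatorToken` and an `sp:InitiatorSignatureToken` without complaint, and `AsymmetricBindingHandler` (later in this commit) always prefers `getInitiatorToken()` and only falls back to the signature token when that is null, so a configured signature token would be silently ignored. My reading of WS-SecurityPolicy 1.2 is that the two are alternatives rather than companions; worth confirming. If so, reject the combination in both branches, e.g. `if (asymmetricBinding.getInitiatorToken() != null) { throw new IllegalArgumentException("InitiatorToken and InitiatorSignatureToken are mutually exclusive"); }` before `setInitiatorSignatureToken`, with the mirror check before `setInitiatorToken`, and mirror it once more in `AsymmetricBinding.serialize`, whose new guard only requires that at least one is set. The enclosing method starts before the hunk.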
Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorSignatureTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorSignatureTokenBuilder.java?rev=1211875&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorSignatureTokenBuilder.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorSignatureTokenBuilder.java Thu Dec 8 13:29:05 2011
@@ -0,0 +1,85 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.policy.builders;
+
+import java.util.Iterator;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.ws.policy.PolicyBuilder;
+import org.apache.cxf.ws.policy.PolicyConstants;
+import org.apache.cxf.ws.security.policy.SP11Constants;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.InitiatorSignatureToken;
+import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.neethi.Assertion;
+import org.apache.neethi.AssertionBuilderFactory;
+import org.apache.neethi.Policy;
+import org.apache.neethi.builders.AssertionBuilder;
+
+public class InitiatorSignatureTokenBuilder implements AssertionBuilder<Element> {
+
+ PolicyBuilder builder;
+ public InitiatorSignatureTokenBuilder(PolicyBuilder b) {
+ builder = b;
+ }
+ public QName[] getKnownElements() {
+ return new QName[]{SP11Constants.INITIATOR_SIGNATURE_TOKEN, SP12Constants.INITIATOR_SIGNATURE_TOKEN};
+ }
+
+ public Assertion build(Element element, AssertionBuilderFactory factory)
+ throws IllegalArgumentException {
+
+ SPConstants consts = SP11Constants.SP_NS.equals(element.getNamespaceURI())
+ ? SP11Constants.INSTANCE : SP12Constants.INSTANCE;
+
+ InitiatorSignatureToken initiatorToken = new InitiatorSignatureToken(consts, builder);
+ initiatorToken.setOptional(PolicyConstants.isOptional(element));
+ initiatorToken.setIgnorable(PolicyConstants.isIgnorable(element));
+
+ Policy policy = builder.getPolicy(DOMUtils.getFirstElement(element));
+ policy = (Policy)policy.normalize(builder.getPolicyRegistry(), false);
+
+ for (Iterator iterator = policy.getAlternatives(); iterator.hasNext();) {
+ processAlternative((List)iterator.next(), initiatorToken);
+ break; // TODO process all the token that must be set ..
+ }
+
+ return initiatorToken;
+ }
+
+ private void processAlternative(List assertions, InitiatorSignatureToken parent) {
+
+ Object token;
+
+ for (Iterator iterator = assertions.iterator(); iterator.hasNext();) {
+ token = iterator.next();
+
+ if (token instanceof Token) {
+ parent.setInitiatorSignatureToken((Token)token);
+ }
+ }
+ }
+
+}
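Review bot: `processAlternative` overwrites the parent's token on every `Token` assertion it meets, so a nested `wsp:Policy` listing two token assertions silently keeps the last one and the first is neither asserted nor enforced; a malformed policy should fail loudly rather than pick a token by document order. A one-line guard does it: `if (parent.getToken() != null) { throw new IllegalArgumentException("InitiatorSignatureToken must contain exactly one token assertion"); }` before `setInitiatorSignatureToken`. Separately, `DOMUtils.getFirstElement(element)` returns null when the assertion has no child `wsp:Policy`, and `builder.getPolicy(null)` would then surface as an NPE instead of the `IllegalArgumentException` the method declares, so a null check with an explicit message belongs there too. The `break; // TODO` means only the first alternative is honoured, which appears to follow the existing `InitiatorTokenBuilder` pattern, but the comment should say plainly that remaining alternatives are dropped.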
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java?rev=1211875&r1=1211874&r2=1211875&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java Thu Dec 8 13:29:05 2011
@@ -48,6 +48,7 @@ public class WSSecurityPolicyInterceptor
ASSERTION_TYPES.add(SP12Constants.SIGNATURE_TOKEN);
ASSERTION_TYPES.add(SP12Constants.TRANSPORT_TOKEN);
ASSERTION_TYPES.add(SP12Constants.INITIATOR_TOKEN);
+ ASSERTION_TYPES.add(SP12Constants.INITIATOR_SIGNATURE_TOKEN);
ASSERTION_TYPES.add(SP12Constants.RECIPIENT_TOKEN);
ASSERTION_TYPES.add(SP12Constants.SIGNED_PARTS);
ASSERTION_TYPES.add(SP12Constants.REQUIRED_PARTS);
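Review bot: Only `SP12Constants.INITIATOR_SIGNATURE_TOKEN` is added to `ASSERTION_TYPES`, while `WSSecurityPolicyLoader` registers the builder for both the SP11 and SP12 QNames. If the SP 1.1 assertion types are listed in a block outside this hunk, `SP11Constants.INITIATOR_SIGNATURE_TOKEN` needs adding there as well; otherwise a 1.1 policy using the element would parse into an assertion that no interceptor provider claims, which I believe CXF surfaces as an unsupported-assertion failure at endpoint creation rather than ignoring. A quick check of the rest of this static block would settle it.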
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java?rev=1211875&r1=1211874&r2=1211875&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java Thu Dec 8 13:29:05 2011
@@ -35,6 +35,8 @@ import org.apache.neethi.PolicyComponent
public class AsymmetricBinding extends SymmetricAsymmetricBindingBase {
private InitiatorToken initiatorToken;
+
+ private InitiatorSignatureToken initiatorSignatureToken;
private RecipientToken recipientToken;
@@ -55,6 +57,20 @@ public class AsymmetricBinding extends S
public void setInitiatorToken(InitiatorToken initiatorToken) {
this.initiatorToken = initiatorToken;
}
+
+ /**
+ * @return Returns the initiatorToken.
+ */
+ public InitiatorSignatureToken getInitiatorSignatureToken() {
+ return initiatorSignatureToken;
+ }
+
+ /**
+ * @param initiatorToken The initiatorToken to set.
+ */
+ public void setInitiatorSignatureToken(InitiatorSignatureToken initiatorSignatureToken) {
+ this.initiatorSignatureToken = initiatorSignatureToken;
+ }
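Review bot: The Javadoc on the two new accessors was copied from the `InitiatorToken` pair and still reads `@return Returns the initiatorToken.` and `@param initiatorToken The initiatorToken to set.`, naming a parameter that does not exist on `setInitiatorSignatureToken`. Suggest `@return the sp:InitiatorSignatureToken wrapper, or null if the binding uses sp:InitiatorToken instead` and `@param initiatorSignatureToken the sp:InitiatorSignatureToken assertion to set`. Since nothing in this class enforces how the two initiator tokens relate, the setter's Javadoc is also the place to state whether both may be set and which one the binding handler uses when they are.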
/**
* @return Returns the recipientToken.
@@ -95,6 +111,9 @@ public class AsymmetricBinding extends S
if (getInitiatorToken() != null) {
all.addPolicyComponent(getInitiatorToken());
}
+ if (getInitiatorSignatureToken() != null) {
+ all.addPolicyComponent(getInitiatorSignatureToken());
+ }
if (getRecipientToken() != null) {
all.addPolicyComponent(getRecipientToken());
}
@@ -145,13 +164,22 @@ public class AsymmetricBinding extends S
writer.writeStartElement(pPrefix, SPConstants.POLICY.getLocalPart(), SPConstants.POLICY
.getNamespaceURI());
- if (initiatorToken == null) {
- throw new RuntimeException("InitiatorToken is not set");
+ if (initiatorToken == null && initiatorSignatureToken == null) {
+ throw new RuntimeException("InitiatorToken or InitiatorSignatureToken is not set");
}
- // <sp:InitiatorToken>
- initiatorToken.serialize(writer);
- // </sp:InitiatorToken>
+ if (initiatorToken != null) {
+ // <sp:InitiatorToken>
+ initiatorToken.serialize(writer);
+ // </sp:InitiatorToken>
+ }
+
+ if (initiatorSignatureToken != null) {
+ // <sp:InitiatorSignatureToken>
+ initiatorSignatureToken.serialize(writer);
+ // </sp:InitiatorSignatureToken>
+ }
+
if (recipientToken == null) {
throw new RuntimeException("RecipientToken is not set");
Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/InitiatorSignatureToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/InitiatorSignatureToken.java?rev=1211875&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/InitiatorSignatureToken.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/InitiatorSignatureToken.java Thu Dec 8 13:29:05 2011
@@ -0,0 +1,93 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.policy.model;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamWriter;
+
+import org.apache.cxf.ws.policy.PolicyBuilder;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+
+public class InitiatorSignatureToken extends TokenWrapper {
+
+ public InitiatorSignatureToken(SPConstants version, PolicyBuilder b) {
+ super(version, b);
+ }
+
+ /**
+ * @return Returns the initiatorToken.
+ */
+ public Token getInitiatorSignatureToken() {
+ return getToken();
+ }
+
+
+ /**
+ * @param initiatorToken The initiatorToken to set.
+ */
+ public void setInitiatorSignatureToken(Token initiatorSignatureToken) {
+ setToken(initiatorSignatureToken);
+ }
+
+ public QName getRealName() {
+ return constants.getInitiatorSignatureToken();
+ }
+ public QName getName() {
+ return SP12Constants.INSTANCE.getInitiatorSignatureToken();
+ }
+
+ public void serialize(XMLStreamWriter writer) throws XMLStreamException {
+ String localName = getRealName().getLocalPart();
+ String namespaceURI = getRealName().getNamespaceURI();
+
+ String prefix = writer.getPrefix(namespaceURI);
+
+ if (prefix == null) {
+ prefix = getRealName().getPrefix();
+ writer.setPrefix(prefix, namespaceURI);
+ }
+
+ // <sp:InitiatorSignatureToken>
+ writer.writeStartElement(prefix, localName, namespaceURI);
+
+ String pPrefix = writer.getPrefix(SPConstants.POLICY.getNamespaceURI());
+ if (pPrefix == null) {
+ pPrefix = SPConstants.POLICY.getPrefix();
+ writer.setPrefix(pPrefix, SPConstants.POLICY.getNamespaceURI());
+ }
+
+ // <wsp:Policy>
+ writer.writeStartElement(pPrefix, SPConstants.POLICY.getLocalPart(), SPConstants.POLICY
+ .getNamespaceURI());
+
+ Token token = getInitiatorSignatureToken();
+ if (token == null) {
+ throw new RuntimeException("InitiatorSignatureToken doesn't contain any token assertions");
+ }
+ token.serialize(writer);
+
+ // </wsp:Policy>
+ writer.writeEndElement();
+
+ // </sp:InitiatorToken>
+ writer.writeEndElement();
+ }
+}
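Review bot: The closing comment on the final `writeEndElement()` says `// </sp:InitiatorToken>`, but the element opened at the top of `serialize` is `sp:InitiatorSignatureToken`; the Javadoc on both accessors likewise still says `initiatorToken`. Suggest `// </sp:InitiatorSignatureToken>` and, on the getter, `@return the nested token assertion (e.g. sp:X509Token) the initiator uses for signing, or null if none was parsed`. Also, `getName()` returns the SP12 QName regardless of the `constants` version while `getRealName()` is version-aware; this seems to mirror the other `TokenWrapper` subclasses, but a one-line comment explaining the asymmetry (presumably the assertion registry keys on the 1.2 name) would save the next reader a detour.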
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1211875&r1=1211874&r2=1211875&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Thu Dec 8 13:29:05 2011
@@ -102,6 +102,9 @@ public class AsymmetricBindingHandler ex
private void doSignBeforeEncrypt() {
try {
TokenWrapper initiatorWrapper = abinding.getInitiatorToken();
+ if (initiatorWrapper == null) {
+ initiatorWrapper = abinding.getInitiatorSignatureToken();
+ }
boolean attached = false;
if (initiatorWrapper != null) {
Token initiatorToken = initiatorWrapper.getToken();
@@ -141,7 +144,7 @@ public class AsymmetricBindingHandler ex
}
addSupportingTokens(sigs);
- doSignature(sigs, attached);
+ doSignature(initiatorWrapper, sigs, attached);
doEndorse();
} else {
//confirm sig
@@ -153,9 +156,8 @@ public class AsymmetricBindingHandler ex
convertToEncryptionPart(timestampEl.getElement());
sigs.add(timestampPart);
}
-
addSignatureConfirmation(sigs);
- doSignature(sigs, attached);
+ doSignature(abinding.getRecipientToken(), sigs, attached);
}
List<WSEncryptionPart> enc = getEncryptedParts();
@@ -194,10 +196,16 @@ public class AsymmetricBindingHandler ex
wrapper = abinding.getRecipientToken();
} else {
wrapper = abinding.getInitiatorToken();
+ if (wrapper == null) {
+ wrapper = abinding.getInitiatorSignatureToken();
+ }
}
encryptionToken = wrapper.getToken();
TokenWrapper initiatorWrapper = abinding.getInitiatorToken();
+ if (initiatorWrapper == null) {
+ initiatorWrapper = abinding.getInitiatorSignatureToken();
+ }
boolean attached = false;
if (initiatorWrapper != null) {
Token initiatorToken = initiatorWrapper.getToken();
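Review bot: On the non-requestor side the new fallback at `wrapper = abinding.getInitiatorSignatureToken()` turns the initiator's signature token into the response encryption token, so the response would be encrypted to a key the policy only designated for signing; WS-SecurityPolicy 1.2 provides `sp:InitiatorEncryptionToken` for that role, and a policy carrying only an `InitiatorSignatureToken` arguably names no encryption token for the response at all. If both `getInitiatorToken()` and `getInitiatorSignatureToken()` are null, `encryptionToken = wrapper.getToken()` on the next line is an NPE rather than a policy error. I would not fall back here: keep `wrapper = abinding.getInitiatorToken()` and, when it is null and there are encrypted parts to protect, fail with an explicit policy-not-asserted message. The enclosing method starts and ends outside the hunk.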
@@ -268,17 +276,16 @@ public class AsymmetricBindingHandler ex
addSignatureConfirmation(sigParts);
}
- if ((sigParts.size() > 0
- && isRequestor()
- && abinding.getInitiatorToken() != null)
- || (!isRequestor() && abinding.getRecipientToken() != null)) {
- try {
- doSignature(sigParts, attached);
- } catch (WSSecurityException ex) {
- throw new Fault(ex);
- } catch (SOAPException ex) {
- throw new Fault(ex);
+ try {
+ if ((sigParts.size() > 0) && initiatorWrapper != null && isRequestor()) {
+ doSignature(initiatorWrapper, sigParts, attached);
+ } else if (!isRequestor() && abinding.getRecipientToken() != null) {
+ doSignature(abinding.getRecipientToken(), sigParts, attached);
}
+ } catch (WSSecurityException ex) {
+ throw new Fault(ex);
+ } catch (SOAPException ex) {
+ throw new Fault(ex);
}
if (isRequestor()) {
@@ -412,31 +419,36 @@ public class AsymmetricBindingHandler ex
}
private void assertUnusedTokens(TokenWrapper wrapper) {
+ if (wrapper == null) {
+ return;
+ }
Collection<AssertionInfo> ais = aim.getAssertionInfo(wrapper.getName());
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == wrapper) {
- ai.setAsserted(true);
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ if (ai.getAssertion() == wrapper) {
+ ai.setAsserted(true);
+ }
}
}
ais = aim.getAssertionInfo(wrapper.getToken().getName());
- for (AssertionInfo ai : ais) {
- if (ai.getAssertion() == wrapper.getToken()) {
- ai.setAsserted(true);
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ if (ai.getAssertion() == wrapper.getToken()) {
+ ai.setAsserted(true);
+ }
}
}
}
- private void doSignature(List<WSEncryptionPart> sigParts, boolean attached)
+ private void doSignature(TokenWrapper wrapper, List<WSEncryptionPart> sigParts, boolean attached)
throws WSSecurityException, SOAPException {
- Token sigToken = null;
- TokenWrapper wrapper = null;
- if (isRequestor()) {
- wrapper = abinding.getInitiatorToken();
- } else {
- wrapper = abinding.getRecipientToken();
+
+ if (!isRequestor()) {
assertUnusedTokens(abinding.getInitiatorToken());
+ assertUnusedTokens(abinding.getInitiatorSignatureToken());
}
- sigToken = wrapper.getToken();
+
+ Token sigToken = wrapper.getToken();
sigParts.addAll(this.getSignedParts());
if (sigParts.isEmpty()) {
// Add the BST to the security header if required
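Review bot: `assertUnusedTokens` now guards a null `wrapper` and a null `ais`, but `wrapper.getToken().getName()` still dereferences the nested token unchecked; a `TokenWrapper` whose nested `wsp:Policy` carried no token assertion (the new builder's `processAlternative` simply leaves it unset) would NPE here on the responder side. Suggest `Token inner = wrapper.getToken(); if (inner == null) { return; }` before the second lookup. `doSignature` has the same exposure at `Token sigToken = wrapper.getToken();` since both callers null-check the wrapper but not its token. The rest of `doSignature` continues past the hunk.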
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java?rev=1211875&r1=1211874&r2=1211875&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java Thu Dec 8 13:29:05 2011
@@ -123,6 +123,33 @@ public class AsymmetricBindingPolicyVali
return false;
}
}
+ if (binding.getInitiatorSignatureToken() != null) {
+ Token token = binding.getInitiatorSignatureToken().getToken();
+ if (token instanceof X509Token) {
+ boolean foundCert = false;
+ for (WSSecurityEngineResult result : signedResults) {
+ X509Certificate cert =
+ (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ if (cert != null) {
+ foundCert = true;
+ break;
+ }
+ }
+ if (!foundCert && !signedResults.isEmpty()) {
+ String error = "An X.509 certificate was not used for the initiator signature token";
+ notAssertPolicy(aim, binding.getInitiatorSignatureToken().getName(), error);
+ ai.setNotAsserted(error);
+ return false;
+ }
+ }
+ assertPolicy(aim, binding.getInitiatorSignatureToken());
+ if (!checkDerivedKeys(
+ binding.getInitiatorSignatureToken(), hasDerivedKeys, signedResults, encryptedResults
+ )) {
+ ai.setNotAsserted("Message fails the DerivedKeys requirement");
+ return false;
+ }
+ }
if (binding.getRecipientToken() != null) {
assertPolicy(aim, binding.getRecipientToken());
if (!checkDerivedKeys(
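Review bot: The new `InitiatorSignatureToken` branch only fails when `signedResults` is non-empty and none of the results carries an X.509 certificate; when `signedResults` is empty the certificate check is skipped and `assertPolicy` still marks the token assertion satisfied, so at this validator an entirely unsigned message meets an `sp:InitiatorSignatureToken` requirement. This appears to mirror the existing `InitiatorToken` branch above the hunk, and the `SignedParts`/`SignedElements` validators presumably reject the missing signature elsewhere, but that reliance should be written down: `// An absent signature is reported by the SignedParts validator; here we only check the key type of signatures that are present`. It is also worth confirming that running this branch on the client side is intended, since there the signed results hold the recipient's certificate rather than the initiator's and the check passes regardless.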
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1211875&r1=1211874&r2=1211875&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java Thu Dec 8 13:29:05 2011
@@ -278,6 +278,28 @@ public class X509TokenTest extends Abstr
x509Port.doubleIt(25);
}
+ @org.junit.Test
+ public void testAsymmetricSignature() throws Exception {
+ if (!unrestrictedPoliciesInstalled) {
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = X509TokenTest.class.getResource("DoubleItX509Signature.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricSignaturePort");
+ DoubleItPortType x509Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(x509Port, PORT);
+ x509Port.doubleIt(25);
+ }
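Review bot: `testAsymmetricSignature` only asserts that a round trip completes; it exercises neither the failure path of the new validator branch nor the policy-parsing error paths, so a regression that asserted `sp:InitiatorSignatureToken` without any signature would still pass. A companion negative test, for example a client port configured without `ws-security.signature.properties` or with the wrong signing alias and an `assertFail`-style expectation of a `SOAPFaultException`, would cover the `AsymmetricBindingPolicyValidator` change. A short comment on the test naming the WSDL policy it targets (`DoubleItAsymmetricSignaturePolicy`, signature-only, no EncryptedParts) would also help readers see what is and is not covered.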
+
private boolean checkUnrestrictedPoliciesInstalled() {
try {
byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
Added: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509Signature.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509Signature.wsdl?rev=1211875&view=auto
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509Signature.wsdl (added)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509Signature.wsdl Thu Dec 8 13:29:05 2011
@@ -0,0 +1,124 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<wsdl:definitions name="DoubleIt"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+ xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://www.example.org/contract/DoubleIt"
+ targetNamespace="http://www.example.org/contract/DoubleIt"
+ xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsaws="http://www.w3.org/2005/08/addressing"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
+ xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802">
+
+ <wsdl:import location="src/test/resources/DoubleItLogical.wsdl"
+ namespace="http://www.example.org/contract/DoubleIt"/>
+
+ <wsdl:binding name="DoubleItAsymmetricSignatureBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItAsymmetricSignaturePolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
+
+ <wsdl:service name="DoubleItService">
+ <wsdl:port name="DoubleItAsymmetricSignaturePort"
+ binding="tns:DoubleItAsymmetricSignatureBinding">
+ <soap:address location="http://localhost:9001/DoubleItX509AsymmetricSignature" />
+ </wsdl:port>
+ </wsdl:service>
+
+ <wsp:Policy wsu:Id="DoubleItAsymmetricSignaturePolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding>
+ <wsp:Policy>
+ <sp:InitiatorSignatureToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorSignatureToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireIssuerSerialReference />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+
+ <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SignedParts>
+ <sp:Body/>
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SignedParts>
+ <sp:Body/>
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+</wsdl:definitions>
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1211875&r1=1211874&r2=1211875&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml Thu Dec 8 13:29:05 2011
@@ -80,6 +80,20 @@
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricSignaturePort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="bob"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.signature.username" value="alice"/>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:client>
+
<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricProtectTokensPort"
createdFromAPI="true">
<jaxws:properties>
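Review bot: The new DoubleItAsymmetricSignaturePort client block sets `ws-security.encryption.properties` and `ws-security.encryption.username` (bob), although the AsymmetricBinding this port is paired with declares only InitiatorSignatureToken/RecipientToken with SignedParts and no EncryptedParts. If the asymmetric handling reads these entries for a sign-only exchange (presumably to locate the recipient certificate for the RecipientToken), that dependency is non-obvious and deserves a comment; if it does not, they are dead configuration that suggests encryption is in play when it is not. A one-line comment above the block such as `<!-- signature-only asymmetric binding; encryption.* entries are used only to resolve the recipient (bob) certificate -->` would make the intent explicit, subject to confirming which case holds.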
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1211875&r1=1211874&r2=1211875&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Thu Dec 8 13:29:05 2011
@@ -142,6 +142,27 @@
</jaxws:endpoint>
<jaxws:endpoint
+ id="AsymmetricSignature"
+ address="http://localhost:${testutil.ports.Server}/DoubleItX509AsymmetricSignature"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItAsymmetricSignaturePort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509Signature.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.encryption.username" value="alice"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
+ <jaxws:endpoint
id="AsymmetricProtectTokens"
address="http://localhost:${testutil.ports.Server}/DoubleItX509AsymmetricProtect"
serviceName="s:DoubleItService"