You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2017/04/04 09:15:37 UTC
[1/3] cxf git commit: Recording .gitmergeinfo Changes
Repository: cxf
Updated Branches:
refs/heads/3.1.x-fixes 03f4a105f -> e2fd91591
Recording .gitmergeinfo Changes
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/50e08ec3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/50e08ec3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/50e08ec3
Branch: refs/heads/3.1.x-fixes
Commit: 50e08ec3ade636a5d66eee5c1c41d7fb57df1c5f
Parents: 786604c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Apr 4 08:37:18 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Apr 4 08:37:18 2017 +0100
----------------------------------------------------------------------
.gitmergeinfo | 1 +
1 file changed, 1 insertion(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/50e08ec3/.gitmergeinfo
----------------------------------------------------------------------
diff --git a/.gitmergeinfo b/.gitmergeinfo
index d47a8e0..986ccaf 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -485,6 +485,7 @@ M b418fd7952dc36f1a3e577e457833588a2056104
M b433c753d44350daff5a40ff8eb5a149cf557a68
M b49075882641fcebbbdf1ed8d84247fcf80aa558
M b624c034c5682b54b9faf3d3e90eb0c23cde1a5b
+M b77e43f19d631d94032740eff6e58f49e0532d29
M be2bf8d644887fc1853210b9b82db897c4d73dd0
M c01c68ddda10ec6db492b86d818498bec0bf4228
M c212240f696e3387df19bbcf22d1851aff320078
[3/3] cxf git commit: Fixing merge
Posted by co...@apache.org.
Fixing merge
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e2fd9159
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e2fd9159
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e2fd9159
Branch: refs/heads/3.1.x-fixes
Commit: e2fd915910e19bcc71d722e688e14a94ccae7d90
Parents: 50e08ec
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Apr 4 09:30:43 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Apr 4 09:30:43 2017 +0100
----------------------------------------------------------------------
.../org/apache/cxf/rt/security/SecurityConstants.java | 6 +-----
.../apache/cxf/rt/security/utils/SecurityUtils.java | 8 --------
.../wss4j/DefaultWSS4JSecurityContextCreator.java | 14 +-------------
.../wss4j/StaxSecurityContextInInterceptor.java | 12 +-----------
4 files changed, 3 insertions(+), 37 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2fd9159/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
index 80cf1bd..aa0106d 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
@@ -159,7 +159,7 @@ public class SecurityConstants {
/**
* Whether to allow UsernameTokens with no password to be used as SecurityContext Principals.
- * The default is false.
+ * The default is true.
*/
public static final String ENABLE_UT_NOPASSWORD_PRINCIPAL =
"security.enable.ut-no-password.principal";
@@ -352,12 +352,8 @@ public class SecurityConstants {
CALLBACK_HANDLER, SAML_CALLBACK_HANDLER, SIGNATURE_PROPERTIES,
SIGNATURE_CRYPTO, ENCRYPT_PROPERTIES, ENCRYPT_CRYPTO, ENCRYPT_CERT,
ENABLE_REVOCATION, SUBJECT_CERT_CONSTRAINTS, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
-<<<<<<< HEAD
- AUDIENCE_RESTRICTION_VALIDATION, SAML_ROLE_ATTRIBUTENAME,
-=======
ENABLE_UT_NOPASSWORD_PRINCIPAL,
AUDIENCE_RESTRICTION_VALIDATION, SAML_ROLE_ATTRIBUTENAME,
->>>>>>> b77e43f... Disable taking a UsernameToken with no password as the security context principal
ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, SC_FROM_JAAS_SUBJECT,
STS_TOKEN_USE_CERT_FOR_KEYINFO, STS_TOKEN_DO_CANCEL, CACHE_ISSUED_TOKEN_IN_ENDPOINT,
DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO,
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2fd9159/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
index a0419de..f14b14c 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
@@ -183,16 +183,8 @@ public final class SecurityUtils {
* values. If none is configured, then the defaultValue parameter is returned.
*/
public static boolean getSecurityPropertyBoolean(String property, Message message, boolean defaultValue) {
-<<<<<<< HEAD
- Object value = message.getContextualProperty(property);
- if (value == null) {
- value = message.getContextualProperty("ws-" + property);
- }
-
-=======
Object value = getSecurityPropertyValue(property, message);
->>>>>>> b77e43f... Disable taking a UsernameToken with no password as the security context principal
if (value != null) {
return PropertyUtils.isTrue(value);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2fd9159/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
index cd15d46..7855d0e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
@@ -66,29 +66,17 @@ public class DefaultWSS4JSecurityContextCreator implements WSS4JSecurityContextC
* Create a SecurityContext and store it on the SoapMessage parameter
*/
public void createSecurityContext(SoapMessage msg, WSHandlerResult handlerResult) {
-<<<<<<< HEAD
-
- String allowUnsigned =
- (String)SecurityUtils.getSecurityPropertyValue(
- SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, msg
- );
- boolean allowUnsignedSamlPrincipals = Boolean.parseBoolean(allowUnsigned);
- boolean useJAASSubject = true;
- String useJAASSubjectStr =
-=======
-
boolean allowUnsignedSamlPrincipals =
SecurityUtils.getSecurityPropertyBoolean(
SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, msg, false
);
boolean allowUTNoPassword =
SecurityUtils.getSecurityPropertyBoolean(
- SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, false
+ SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, true
);
boolean useJAASSubject = true;
String useJAASSubjectStr =
->>>>>>> b77e43f... Disable taking a UsernameToken with no password as the security context principal
(String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SC_FROM_JAAS_SUBJECT, msg);
if (useJAASSubjectStr != null) {
useJAASSubject = Boolean.parseBoolean(useJAASSubjectStr);
http://git-wip-us.apache.org/repos/asf/cxf/blob/e2fd9159/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
index 82cc6a1..b5a7e77 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
@@ -212,15 +212,6 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
return token.getPublicKey() != null
|| (token.getX509Certificates() != null && token.getX509Certificates().length > 0);
}
-<<<<<<< HEAD
-
- private boolean isSamlEventSigned(SamlTokenSecurityEvent event) {
- if (event == null) {
- return false;
- }
-
- return event.getSecurityToken() != null
-=======
private boolean isSamlEventAllowed(SamlTokenSecurityEvent event, Message msg) {
if (event == null) {
@@ -234,7 +225,6 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
// The SAML Assertion must be signed by default
return event.getSecurityToken() != null
->>>>>>> b77e43f... Disable taking a UsernameToken with no password as the security context principal
&& event.getSecurityToken().getSamlAssertionWrapper() != null
&& (allowUnsignedSamlPrincipals || event.getSecurityToken().getSamlAssertionWrapper().isSigned());
}
@@ -246,7 +236,7 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
boolean allowUTNoPassword =
SecurityUtils.getSecurityPropertyBoolean(
- SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, false
+ SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, true
);
// The "no password" case is not allowed by default
[2/3] cxf git commit: Disable taking a UsernameToken with no password
as the security context principal
Posted by co...@apache.org.
Disable taking a UsernameToken with no password as the security context principal
# Conflicts:
# rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
# rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
# rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
# rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/786604cf
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/786604cf
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/786604cf
Branch: refs/heads/3.1.x-fixes
Commit: 786604cf247878b8625b51d62e749caaf1559006
Parents: 03f4a10
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Apr 4 08:36:35 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Apr 4 08:37:18 2017 +0100
----------------------------------------------------------------------
.../cxf/rt/security/SecurityConstants.java | 12 ++++++
.../cxf/rt/security/utils/SecurityUtils.java | 5 +++
.../DefaultWSS4JSecurityContextCreator.java | 18 +++++++-
.../wss4j/StaxSecurityContextInInterceptor.java | 44 +++++++++++++++++---
.../cxf/systest/wssec/examples/ut/server.xml | 1 +
.../systest/wssec/examples/ut/stax-server.xml | 1 +
.../apache/cxf/systest/ws/ut/server-derived.xml | 7 ++++
.../org/apache/cxf/systest/ws/ut/server.xml | 1 +
.../apache/cxf/systest/ws/ut/stax-server.xml | 1 +
9 files changed, 84 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/786604cf/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
index 5ee526b..80cf1bd 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
@@ -158,6 +158,13 @@ public class SecurityConstants {
"security.enable.unsigned-saml-assertion.principal";
/**
+ * Whether to allow UsernameTokens with no password to be used as SecurityContext Principals.
+ * The default is false.
+ */
+ public static final String ENABLE_UT_NOPASSWORD_PRINCIPAL =
+ "security.enable.ut-no-password.principal";
+
+ /**
* Whether to validate the SubjectConfirmation requirements of a received SAML Token
* (sender-vouches or holder-of-key). The default is true.
*/
@@ -345,7 +352,12 @@ public class SecurityConstants {
CALLBACK_HANDLER, SAML_CALLBACK_HANDLER, SIGNATURE_PROPERTIES,
SIGNATURE_CRYPTO, ENCRYPT_PROPERTIES, ENCRYPT_CRYPTO, ENCRYPT_CERT,
ENABLE_REVOCATION, SUBJECT_CERT_CONSTRAINTS, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
+<<<<<<< HEAD
AUDIENCE_RESTRICTION_VALIDATION, SAML_ROLE_ATTRIBUTENAME,
+=======
+ ENABLE_UT_NOPASSWORD_PRINCIPAL,
+ AUDIENCE_RESTRICTION_VALIDATION, SAML_ROLE_ATTRIBUTENAME,
+>>>>>>> b77e43f... Disable taking a UsernameToken with no password as the security context principal
ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, SC_FROM_JAAS_SUBJECT,
STS_TOKEN_USE_CERT_FOR_KEYINFO, STS_TOKEN_DO_CANCEL, CACHE_ISSUED_TOKEN_IN_ENDPOINT,
DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO,
http://git-wip-us.apache.org/repos/asf/cxf/blob/786604cf/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
index b679edb..a0419de 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
@@ -183,11 +183,16 @@ public final class SecurityUtils {
* values. If none is configured, then the defaultValue parameter is returned.
*/
public static boolean getSecurityPropertyBoolean(String property, Message message, boolean defaultValue) {
+<<<<<<< HEAD
Object value = message.getContextualProperty(property);
if (value == null) {
value = message.getContextualProperty("ws-" + property);
}
+=======
+ Object value = getSecurityPropertyValue(property, message);
+
+>>>>>>> b77e43f... Disable taking a UsernameToken with no password as the security context principal
if (value != null) {
return PropertyUtils.isTrue(value);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/786604cf/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
index 5a832ef..cd15d46 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java
@@ -66,6 +66,7 @@ public class DefaultWSS4JSecurityContextCreator implements WSS4JSecurityContextC
* Create a SecurityContext and store it on the SoapMessage parameter
*/
public void createSecurityContext(SoapMessage msg, WSHandlerResult handlerResult) {
+<<<<<<< HEAD
String allowUnsigned =
(String)SecurityUtils.getSecurityPropertyValue(
@@ -74,6 +75,20 @@ public class DefaultWSS4JSecurityContextCreator implements WSS4JSecurityContextC
boolean allowUnsignedSamlPrincipals = Boolean.parseBoolean(allowUnsigned);
boolean useJAASSubject = true;
String useJAASSubjectStr =
+=======
+
+ boolean allowUnsignedSamlPrincipals =
+ SecurityUtils.getSecurityPropertyBoolean(
+ SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, msg, false
+ );
+ boolean allowUTNoPassword =
+ SecurityUtils.getSecurityPropertyBoolean(
+ SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, false
+ );
+
+ boolean useJAASSubject = true;
+ String useJAASSubjectStr =
+>>>>>>> b77e43f... Disable taking a UsernameToken with no password as the security context principal
(String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SC_FROM_JAAS_SUBJECT, msg);
if (useJAASSubjectStr != null) {
useJAASSubject = Boolean.parseBoolean(useJAASSubjectStr);
@@ -82,7 +97,8 @@ public class DefaultWSS4JSecurityContextCreator implements WSS4JSecurityContextC
// Now go through the results in a certain order to set up a security context. Highest priority is first.
Map<Integer, List<WSSecurityEngineResult>> actionResults = handlerResult.getActionResults();
for (Integer resultPriority : securityPriorities) {
- if (resultPriority == WSConstants.ST_UNSIGNED && !allowUnsignedSamlPrincipals) {
+ if ((resultPriority == WSConstants.ST_UNSIGNED && !allowUnsignedSamlPrincipals)
+ || (resultPriority == WSConstants.UT_NOPASSWORD && !allowUTNoPassword)) {
continue;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/786604cf/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
index c20105a..82cc6a1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
@@ -31,6 +31,7 @@ import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl;
+import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.rt.security.claims.ClaimCollection;
@@ -101,7 +102,7 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
for (Event desiredEvent : desiredSecurityEvents) {
SubjectAndPrincipalSecurityToken token = null;
try {
- token = getSubjectPrincipalToken(incomingSecurityEventList, desiredEvent);
+ token = getSubjectPrincipalToken(incomingSecurityEventList, desiredEvent, msg);
} catch (XMLSecurityException ex) {
// proceed
}
@@ -159,13 +160,15 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
}
private SubjectAndPrincipalSecurityToken getSubjectPrincipalToken(List<SecurityEvent> incomingSecurityEventList,
- Event desiredEvent) throws XMLSecurityException {
+ Event desiredEvent,
+ Message msg) throws XMLSecurityException {
for (SecurityEvent event : incomingSecurityEventList) {
if (desiredEvent == event.getSecurityEventType()) {
- if (event.getSecurityEventType() == WSSecurityEventConstants.USERNAME_TOKEN) {
+ if (event.getSecurityEventType() == WSSecurityEventConstants.USERNAME_TOKEN
+ && isUsernameTokenEventAllowed((UsernameTokenSecurityEvent)event, msg)) {
return ((UsernameTokenSecurityEvent)event).getSecurityToken();
} else if (event.getSecurityEventType() == WSSecurityEventConstants.SAML_TOKEN
- && isSamlEventSigned((SamlTokenSecurityEvent)event)) {
+ && isSamlEventAllowed((SamlTokenSecurityEvent)event, msg)) {
return ((SamlTokenSecurityEvent)event).getSecurityToken();
} else if (event.getSecurityEventType() == WSSecurityEventConstants.X509Token
&& isUsedForPublicKeySignature(((X509TokenSecurityEvent)event).getSecurityToken())) {
@@ -209,6 +212,7 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
return token.getPublicKey() != null
|| (token.getX509Certificates() != null && token.getX509Certificates().length > 0);
}
+<<<<<<< HEAD
private boolean isSamlEventSigned(SamlTokenSecurityEvent event) {
if (event == null) {
@@ -216,8 +220,38 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
}
return event.getSecurityToken() != null
+=======
+
+ private boolean isSamlEventAllowed(SamlTokenSecurityEvent event, Message msg) {
+ if (event == null) {
+ return false;
+ }
+
+ boolean allowUnsignedSamlPrincipals =
+ SecurityUtils.getSecurityPropertyBoolean(
+ SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, msg, false
+ );
+
+ // The SAML Assertion must be signed by default
+ return event.getSecurityToken() != null
+>>>>>>> b77e43f... Disable taking a UsernameToken with no password as the security context principal
&& event.getSecurityToken().getSamlAssertionWrapper() != null
- && event.getSecurityToken().getSamlAssertionWrapper().isSigned();
+ && (allowUnsignedSamlPrincipals || event.getSecurityToken().getSamlAssertionWrapper().isSigned());
+ }
+
+ private boolean isUsernameTokenEventAllowed(UsernameTokenSecurityEvent event, Message msg) {
+ if (event == null) {
+ return false;
+ }
+
+ boolean allowUTNoPassword =
+ SecurityUtils.getSecurityPropertyBoolean(
+ SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, false
+ );
+
+ // The "no password" case is not allowed by default
+ return event.getSecurityToken() != null
+ && (allowUTNoPassword || event.getSecurityToken().getPassword() != null);
}
private SecurityContext createSecurityContext(final Principal p) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/786604cf/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server.xml b/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server.xml
index 0c6a11e..3491d4d 100644
--- a/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server.xml
+++ b/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server.xml
@@ -32,6 +32,7 @@
</jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="PlaintextNoPassword" address="http://localhost:${testutil.ports.ut.Server}/DoubleItUTPlaintextNoPassword" serviceName="s:DoubleItService" endpointName="s:DoubleItPlaintextNoPasswordPort" implementor="org.apache.cxf.systest.wssec.examples.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl">
<jaxws:properties>
+ <entry key="security.enable.ut-no-password.principal" value="true"/>
<entry key="security.callback-handler" value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
</jaxws:properties>
</jaxws:endpoint>
http://git-wip-us.apache.org/repos/asf/cxf/blob/786604cf/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/stax-server.xml b/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/stax-server.xml
index aa64f48..2d258d2 100644
--- a/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/stax-server.xml
+++ b/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/stax-server.xml
@@ -33,6 +33,7 @@
</jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="PlaintextNoPassword" address="http://localhost:${testutil.ports.ut.StaxServer}/DoubleItUTPlaintextNoPassword" serviceName="s:DoubleItService" endpointName="s:DoubleItPlaintextNoPasswordPort" implementor="org.apache.cxf.systest.wssec.examples.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl">
<jaxws:properties>
+ <entry key="security.enable.ut-no-password.principal" value="true"/>
<entry key="security.callback-handler" value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
<entry key="ws-security.enable.streaming" value="true"/>
</jaxws:properties>
http://git-wip-us.apache.org/repos/asf/cxf/blob/786604cf/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server-derived.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server-derived.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server-derived.xml
index c114b8e..12e6d69 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server-derived.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server-derived.xml
@@ -28,26 +28,31 @@
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricSignature" address="http://localhost:${testutil.ports.ut.ServerDerived}/DoubleItUTDerivedSymmetricProtectionSig" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricProtectionSigPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUtDerived.wsdl">
<jaxws:properties>
<entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ <entry key="security.enable.ut-no-password.principal" value="true"/>
</jaxws:properties>
</jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricSignatureDK" address="http://localhost:${testutil.ports.ut.ServerDerived}/DoubleItUTDerivedSymmetricProtectionSigDK" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricProtectionSigDKPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUtDerived.wsdl">
<jaxws:properties>
<entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ <entry key="security.enable.ut-no-password.principal" value="true"/>
</jaxws:properties>
</jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricEncryption" address="http://localhost:${testutil.ports.ut.ServerDerived}/DoubleItUTDerivedSymmetricProtectionEnc" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricProtectionEncPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUtDerived.wsdl">
<jaxws:properties>
<entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ <entry key="security.enable.ut-no-password.principal" value="true"/>
</jaxws:properties>
</jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="TransportEndorsing" address="https://localhost:${testutil.ports.ut.ServerDerived.2}/DoubleItUTDerivedTransportEndorsing" serviceName="s:DoubleItService" endpointName="s:DoubleItTransportEndorsingPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" depends-on="tls-settings" wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUtDerived.wsdl">
<jaxws:properties>
<entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ <entry key="security.enable.ut-no-password.principal" value="true"/>
</jaxws:properties>
</jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricSignedEndorsing" address="http://localhost:${testutil.ports.ut.ServerDerived}/DoubleItUTDerivedSymmetricSignedEndorsing" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricSignedEndorsingPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUtDerived.wsdl">
<jaxws:properties>
<entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ <entry key="security.enable.ut-no-password.principal" value="true"/>
<entry key="security.signature.properties" value="bob.properties"/>
<entry key="security.subject.cert.constraints" value=".*O=apache.org.*"/>
</jaxws:properties>
@@ -55,6 +60,7 @@
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricEndorsingEncrypted" address="http://localhost:${testutil.ports.ut.ServerDerived}/DoubleItUTDerivedSymmetricEndorsingEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricEndorsingEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUtDerived.wsdl">
<jaxws:properties>
<entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ <entry key="security.enable.ut-no-password.principal" value="true"/>
<entry key="security.signature.properties" value="bob.properties"/>
<entry key="security.subject.cert.constraints" value=".*O=apache.org.*"/>
</jaxws:properties>
@@ -62,6 +68,7 @@
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricSignedEndorsingEncrypted" address="http://localhost:${testutil.ports.ut.ServerDerived}/DoubleItUTDerivedSymmetricSignedEndorsingEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricSignedEndorsingEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUtDerived.wsdl">
<jaxws:properties>
<entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ <entry key="security.enable.ut-no-password.principal" value="true"/>
<entry key="security.signature.properties" value="bob.properties"/>
<entry key="security.subject.cert.constraints" value=".*O=apache.org.*"/>
</jaxws:properties>
http://git-wip-us.apache.org/repos/asf/cxf/blob/786604cf/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml
index 8084a66..0da6275 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml
@@ -70,6 +70,7 @@
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="NoPassword" address="https://localhost:${testutil.ports.ut.Server}/DoubleItUTNoPassword" serviceName="s:DoubleItService" endpointName="s:DoubleItNoPasswordPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl" depends-on="tls-settings">
<jaxws:properties>
<entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ <entry key="security.enable.ut-no-password.principal" value="true"/>
</jaxws:properties>
</jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SignedEndorsing" address="https://localhost:${testutil.ports.ut.Server}/DoubleItUTSignedEndorsing" serviceName="s:DoubleItService" endpointName="s:DoubleItSignedEndorsingPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl" depends-on="tls-settings">
http://git-wip-us.apache.org/repos/asf/cxf/blob/786604cf/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml
index 3a32e5e..bb829a2 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml
@@ -75,6 +75,7 @@
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="NoPassword" address="https://localhost:${testutil.ports.ut.StaxServer}/DoubleItUTNoPassword" serviceName="s:DoubleItService" endpointName="s:DoubleItNoPasswordPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl" depends-on="tls-settings">
<jaxws:properties>
<entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ <entry key="security.enable.ut-no-password.principal" value="true"/>
<entry key="ws-security.enable.streaming" value="true"/>
</jaxws:properties>
</jaxws:endpoint>