Posted to commits@cxf.apache.org by co...@apache.org on 2011/11/09 19:21:27 UTC
svn commit: r1199900 - in /cxf/branches/2.4.x-fixes:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/
systests/ws-security/src/test/resources/org/apache/c...
Author: coheigea
Date: Wed Nov 9 18:21:27 2011
New Revision: 1199900
URL: http://svn.apache.org/viewvc?rev=1199900&view=rev
Log:
Added policy validation for SecurityContextTokens as EndorsingSupportingTokens
- Added support for derived key policy validation as well for EndorsingSupportingTokens
Modified:
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1199900&r1=1199899&r2=1199900&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java Wed Nov 9 18:21:27 2011
@@ -37,6 +37,7 @@ import org.apache.cxf.ws.policy.Assertio
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.KerberosToken;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
import org.apache.cxf.ws.security.policy.model.SupportingToken;
import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.cxf.ws.security.policy.model.X509Token;
@@ -100,12 +101,18 @@ public class EndorsingTokenPolicyValidat
if (!isTokenRequired(token, message)) {
continue;
}
- if (token instanceof KerberosToken && !processKerberosTokens()) {
+ boolean derived = token.isDerivedKeys();
+ if (token instanceof KerberosToken && !processKerberosTokens(derived)) {
ai.setNotAsserted(
"The received token does not match the supporting token requirement"
);
return false;
- } else if (token instanceof X509Token && !processX509Tokens()) {
+ } else if (token instanceof X509Token && !processX509Tokens(derived)) {
+ ai.setNotAsserted(
+ "The received token does not match the supporting token requirement"
+ );
+ return false;
+ } else if (token instanceof SecurityContextToken && !processSCTokens(derived)) {
ai.setNotAsserted(
"The received token does not match the supporting token requirement"
);
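Review bot: The three branches of the instanceof chain each repeat the same `ai.setNotAsserted(...)` / `return false` block, and the message never says which token type or whether the derived-key variant failed, so a policy mismatch is hard to diagnose from the fault alone. Computing a single `boolean matched` from the three helpers and failing once, with the token class named in the message, would remove the copies; the rest of the chain and the enclosing loop lie outside this hunk, so I have not rewritten it. `token.isDerivedKeys()` is now evaluated once before the type checks and drives all three helpers, which is worth a short comment on that line.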
@@ -118,7 +125,7 @@ public class EndorsingTokenPolicyValidat
return true;
}
- private boolean processKerberosTokens() {
+ private boolean processKerberosTokens(boolean derived) {
List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
for (WSSecurityEngineResult wser : results) {
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
@@ -126,6 +133,13 @@ public class EndorsingTokenPolicyValidat
BinarySecurity binarySecurity =
(BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof KerberosSecurity) {
+ if (derived) {
+ byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
+ WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
+ if (dktResult != null) {
+ tokenResults.add(dktResult);
+ }
+ }
tokenResults.add(wser);
}
}
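Review bot: When `derived` is true, the base Kerberos result `wser` is still added on the `tokenResults.add(wser);` line after the new derived block, alongside the matching derived-key result, so a signature made directly with the Kerberos session key also satisfies a policy that asked for derived keys; if the intent is to enforce the DerivedKeys requirement, add the base result only in the non-derived case, e.g. `} else { tokenResults.add(wser); }`, or fail when no derived-key result is found. The same shape is repeated for X509 in the next hunk and for SCT in processSCTokens. If accepting both is deliberate, a one-line comment saying so would save the next reader the question. processKerberosTokens continues past the end of this hunk.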
@@ -138,7 +152,7 @@ public class EndorsingTokenPolicyValidat
return checkEndorsed(tokenResults, tls);
}
- private boolean processX509Tokens() {
+ private boolean processX509Tokens(boolean derived) {
List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
for (WSSecurityEngineResult wser : results) {
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
@@ -147,6 +161,12 @@ public class EndorsingTokenPolicyValidat
(BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof X509Security
|| binarySecurity instanceof PKIPathSecurity) {
+ if (derived) {
+ WSSecurityEngineResult resultToStore = processX509DerivedTokenResult(wser);
+ if (resultToStore != null) {
+ tokenResults.add(resultToStore);
+ }
+ }
tokenResults.add(wser);
}
}
@@ -159,6 +179,77 @@ public class EndorsingTokenPolicyValidat
return checkEndorsed(tokenResults, tls);
}
+ private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result) {
+ X509Certificate cert =
+ (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert);
+ if (encrResult != null) {
+ byte[] secret = (byte[])encrResult.get(WSSecurityEngineResult.TAG_SECRET);
+ WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
+ if (dktResult != null) {
+ return dktResult;
+ }
+ }
+ return null;
+ }
+
+ private boolean processSCTokens(boolean derived) {
+ List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
+ for (WSSecurityEngineResult wser : results) {
+ Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == WSConstants.SCT) {
+ if (derived) {
+ byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
+ WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
+ if (dktResult != null) {
+ tokenResults.add(dktResult);
+ }
+ }
+ tokenResults.add(wser);
+ }
+ }
+
+ if (tokenResults.isEmpty()) {
+ return false;
+ }
+
+ return checkEndorsed(tokenResults, tls);
+ }
+
+ /**
+ * Get a security result representing a Derived Key that has a secret key that
+ * matches the parameter.
+ */
+ private WSSecurityEngineResult getMatchingDerivedKey(byte[] secret) {
+ for (WSSecurityEngineResult wser : results) {
+ Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == WSConstants.DKT) {
+ byte[] dktSecret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
+ if (Arrays.equals(secret, dktSecret)) {
+ return wser;
+ }
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Get a security result representing an EncryptedKey that matches the parameter.
+ */
+ private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate cert) {
+ for (WSSecurityEngineResult wser : results) {
+ Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == WSConstants.ENCR) {
+ X509Certificate encrCert =
+ (X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ if (cert.equals(encrCert)) {
+ return wser;
+ }
+ }
+ }
+ return null;
+ }
+
/**
* Check the endorsing supporting token policy. If we're using the Transport Binding then
* check that the Timestamp is signed. Otherwise, check that the signature is signed.
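Review bot: getMatchingDerivedKey has no null guard on `secret`, and `Arrays.equals(null, null)` is true, so a token result whose TAG_SECRET is absent would be paired with the first DKT result that also lacks a secret; add `if (secret == null) { return null; }` before the loop (the callers in processKerberosTokens, in the earlier hunk, and in processSCTokens pass the value straight through). getMatchingEncryptedKey has the mirror problem: `cert.equals(encrCert)` throws if the X509 result carried no certificate, so write it as `cert != null && cert.equals(encrCert)`. Both helpers return only the first match; if more than one derived key is derived from the same secret, only the first is considered as an endorsing candidate, which may or may not be intended. processSCTokens duplicates processKerberosTokens apart from the action check, so a shared helper taking a predicate on the result would keep the three token paths consistent.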
@@ -237,22 +328,24 @@ public class EndorsingTokenPolicyValidat
// Now see if the same credential exists in the tokenResult list
for (WSSecurityEngineResult token : tokenResult) {
- Integer actInt = (Integer)token.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.BST) {
- BinarySecurity binarySecurity =
- (BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- if (binarySecurity instanceof X509Security
- || binarySecurity instanceof PKIPathSecurity) {
- X509Certificate foundCert =
- (X509Certificate)token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
- if (foundCert.equals(cert)) {
- return true;
- }
- } else if (binarySecurity instanceof KerberosSecurity) {
- byte[] foundSecret = (byte[])token.get(WSSecurityEngineResult.TAG_SECRET);
- if (foundSecret != null && Arrays.equals(foundSecret, secret)) {
- return true;
- }
+ BinarySecurity binarySecurity =
+ (BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ if (binarySecurity instanceof X509Security
+ || binarySecurity instanceof PKIPathSecurity) {
+ X509Certificate foundCert =
+ (X509Certificate)token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ if (foundCert.equals(cert)) {
+ return true;
+ }
+ } else {
+ byte[] foundSecret = (byte[])token.get(WSSecurityEngineResult.TAG_SECRET);
+ if (foundSecret != null && Arrays.equals(foundSecret, secret)) {
+ return true;
+ }
+ byte[] derivedKey =
+ (byte[])token.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY);
+ if (derivedKey != null && Arrays.equals(derivedKey, secret)) {
+ return true;
}
}
}
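Review bot: The local `derivedKey` at the bottom of the else branch holds TAG_ENCRYPTED_EPHEMERAL_KEY, which is not a derived key, so the name misleads; `byte[] ephemeralKey =` with the matching compare would read correctly. The else branch now covers every result whose TAG_BINARY_SECURITY_TOKEN is not an X509 type, including the DKT and SCT results the new helpers add, where that tag is null; that is what makes the derived path work but is no longer obvious since the BST action gate was removed, so a comment such as `// non-X509 results (Kerberos, DKT, SCT) are matched on their secret` would help. `foundCert.equals(cert)` still dereferences a possibly absent certificate, as before. The enclosing method starts and ends outside the hunk.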
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1199900&r1=1199899&r2=1199900&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java Wed Nov 9 18:21:27 2011
@@ -41,6 +41,7 @@ import wssec.x509.DoubleItService;
*/
public class X509TokenTest extends AbstractBusClientServerTestBase {
static final String PORT = allocatePort(Server.class);
+ static final String PORT2 = allocatePort(Server.class, 2);
private boolean unrestrictedPoliciesInstalled = checkUnrestrictedPoliciesInstalled();
@@ -168,6 +169,25 @@ public class X509TokenTest extends Abstr
x509Port.doubleIt(BigInteger.valueOf(25));
}
+ @org.junit.Test
+ public void testTransportEndorsing() throws Exception {
+ if (!unrestrictedPoliciesInstalled) {
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ DoubleItService service = new DoubleItService();
+ DoubleItPortType x509Port = service.getDoubleItTransportEndorsingPort();
+ updateAddressPort(x509Port, PORT2);
+ x509Port.doubleIt(BigInteger.valueOf(25));
+ }
+
private boolean checkUnrestrictedPoliciesInstalled() {
try {
byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
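Review bot: testTransportEndorsing only runs a compliant client, so it does not show that the new validator code rejects anything; a second client configuration that omits the endorsing signature (or signs without derived keys when the policy requires them) and asserts a fault would cover the negative path. The `unrestrictedPoliciesInstalled` early return silently skips the test on a restricted JCE, which hides the missing coverage; other tests in this file appear to follow the same pattern.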
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1199900&r1=1199899&r2=1199900&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml Wed Nov 9 18:21:27 2011
@@ -103,4 +103,23 @@
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://WSSec/x509}DoubleItTransportEndorsingPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.signature.username" value="alice"/>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:client>
+
+ <http:conduit name="https://localhost:.*">
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
+ </sec:trustManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+
</beans>
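Review bot: `disableCNCheck="true"` turns off hostname verification for the client conduit, which is reasonable for a local fixture but should be marked as such, e.g. `<!-- test fixture only: hostname check disabled for the local TLS server -->` above the conduit, so it is not copied into a deployable configuration. The conduit name `https://localhost:.*` applies to every local https port, so this setting also affects any other test endpoint on the same bus.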
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1199900&r1=1199899&r2=1199900&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Wed Nov 9 18:21:27 2011
@@ -45,6 +45,29 @@
<cxf:logging/>
</cxf:features>
</cxf:bus>
+
+ <!-- -->
+ <!-- Any services listening on port 9009 must use the following -->
+ <!-- Transport Layer Security (TLS) settings -->
+ <!-- -->
+ <httpj:engine-factory id="tls-settings">
+ <httpj:engine port="${testutil.ports.Server.2}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_EXPORT_.*</sec:include>
+ <sec:include>.*_EXPORT1024_.*</sec:include>
+ <sec:include>.*_WITH_DES_.*</sec:include>
+ <sec:include>.*_WITH_AES_.*</sec:include>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ </sec:cipherSuitesFilter>
+ <sec:clientAuthentication want="true" required="false"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
<jaxws:endpoint
id="KeyIdentifier"
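Review bot: The comment block says "Any services listening on port 9009" but the engine binds `${testutil.ports.Server.2}`, so the comment is stale; change it to `<!-- Any services listening on port ${testutil.ports.Server.2} must use the following -->`. The cipherSuitesFilter includes `.*_WITH_NULL_.*`, `.*_EXPORT_.*` and `.*_WITH_DES_.*`, which permits null and export-grade suites on this listener; the test does not depend on them, so trimming the includes to `.*_WITH_AES_.*` (or noting in the comment that the filter is test-only) avoids this block being reused as a template. This looks copied from other systest configs, so the fix may belong there too.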
@@ -164,4 +187,21 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="TransportEndorsing"
+ address="https://localhost:${testutil.ports.Server.2}/DoubleItX509TransportEndorsing"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItTransportEndorsingPort"
+ xmlns:s="http://WSSec/x509"
+ implementor="org.apache.cxf.systest.ws.x509.server.DoubleItImpl"
+ wsdlLocation="wsdl_systest_wssec/x509/DoubleItX509.wsdl"
+ depends-on="tls-settings">
+
+ <jaxws:properties>
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
</beans>
Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl?rev=1199900&r1=1199899&r2=1199900&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl (original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl Wed Nov 9 18:21:27 2011
@@ -187,6 +187,25 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItTransportEndorsingBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItTransportEndorsingPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItKeyIdentifierPort" binding="tns:DoubleItKeyIdentifierBinding">
@@ -210,6 +229,10 @@
binding="tns:DoubleItSymmetricProtectTokensBinding">
<soap:address location="http://localhost:9001/DoubleItX509SymmetricProtect" />
</wsdl:port>
+ <wsdl:port name="DoubleItTransportEndorsingPort"
+ binding="tns:DoubleItTransportEndorsingBinding">
+ <soap:address location="https://localhost:9002/DoubleItX509TransportEndorsing" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItKeyIdentifierPolicy">
@@ -440,6 +463,43 @@
</wsp:ExactlyOne>
</wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItTransportEndorsingPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:TransportBinding>
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken RequireClientCertificate="false" />
+ </wsp:Policy>
+ </sp:TransportToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <sp:EndorsingSupportingTokens>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:EndorsingSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>