Posted to commits@cxf.apache.org by co...@apache.org on 2015/03/14 13:44:24 UTC
[2/2] cxf git commit: An initial refactor about how policies are
asserted
An initial refactor about how policies are asserted
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a2e5fae3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a2e5fae3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a2e5fae3
Branch: refs/heads/master
Commit: a2e5fae3a093965b75361210ef475abb9e6abf56
Parents: 08f376b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Sat Mar 14 12:43:35 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Sat Mar 14 12:43:35 2015 +0000
----------------------------------------------------------------------
.../cxf/ws/security/policy/PolicyUtils.java | 111 +++++++++++
.../HttpsTokenInterceptorProvider.java | 23 +--
.../IssuedTokenInterceptorProvider.java | 9 +-
.../KerberosTokenInterceptorProvider.java | 19 +-
.../policy/interceptors/NegotiationUtils.java | 90 +--------
.../SecureConversationInInterceptor.java | 25 +--
.../SecureConversationOutInterceptor.java | 7 +-
.../SecurityVerificationOutInterceptor.java | 17 +-
.../SpnegoContextTokenInInterceptor.java | 5 +-
.../SpnegoContextTokenOutInterceptor.java | 3 +-
.../wss4j/AbstractTokenInterceptor.java | 54 +-----
.../wss4j/AlgorithmSuiteTranslater.java | 78 +++-----
.../wss4j/KerberosTokenInterceptor.java | 5 +-
.../wss4j/PolicyBasedWSS4JInInterceptor.java | 67 +++----
.../wss4j/PolicyBasedWSS4JOutInterceptor.java | 189 +++++++++----------
.../ws/security/wss4j/SamlTokenInterceptor.java | 20 +-
.../wss4j/UsernameTokenInterceptor.java | 37 ++--
.../cxf/ws/security/wss4j/WSS4JUtils.java | 2 +-
.../policyhandlers/AbstractBindingBuilder.java | 19 +-
.../AbstractCommonBindingHandler.java | 58 +-----
.../AbstractStaxBindingHandler.java | 23 ++-
.../StaxTransportBindingHandler.java | 21 ++-
.../AbstractBindingPolicyValidator.java | 72 +------
.../AbstractTokenPolicyValidator.java | 52 -----
.../AlgorithmSuitePolicyValidator.java | 5 +-
.../AsymmetricBindingPolicyValidator.java | 21 ++-
.../ConcreteSupportingTokenPolicyValidator.java | 4 +-
.../EncryptedTokenPolicyValidator.java | 4 +-
.../EndorsingEncryptedTokenPolicyValidator.java | 3 +-
.../EndorsingTokenPolicyValidator.java | 3 +-
.../IssuedTokenPolicyValidator.java | 9 +-
.../KerberosTokenPolicyValidator.java | 14 +-
.../policyvalidators/LayoutPolicyValidator.java | 12 +-
.../SamlTokenPolicyValidator.java | 11 +-
.../SecurityContextTokenPolicyValidator.java | 10 +-
.../SignedEncryptedTokenPolicyValidator.java | 3 +-
...dEndorsingEncryptedTokenPolicyValidator.java | 3 +-
.../SignedEndorsingTokenPolicyValidator.java | 3 +-
.../SignedTokenPolicyValidator.java | 3 +-
.../SymmetricBindingPolicyValidator.java | 29 +--
.../TransportBindingPolicyValidator.java | 17 +-
.../UsernameTokenPolicyValidator.java | 17 +-
.../policyvalidators/WSS11PolicyValidator.java | 19 +-
.../X509TokenPolicyValidator.java | 24 +--
44 files changed, 519 insertions(+), 701 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
new file mode 100644
index 0000000..b8cf971
--- /dev/null
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
@@ -0,0 +1,111 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.policy;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+
+/**
+ * Some common functionality that can be shared for working with policies
+ */
+public final class PolicyUtils {
+
+ private PolicyUtils() {
+ // complete
+ }
+
+ public static Collection<AssertionInfo> getAllAssertionsByLocalname(
+ AssertionInfoMap aim, String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+ if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+ Collection<AssertionInfo> ais = new HashSet<>();
+ if (sp11Ais != null) {
+ ais.addAll(sp11Ais);
+ }
+ if (sp12Ais != null) {
+ ais.addAll(sp12Ais);
+ }
+ return ais;
+ }
+
+ return Collections.emptySet();
+ }
+
+ public static boolean assertPolicy(AssertionInfoMap aim, QName name) {
+ Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
+ if (ais != null && !ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return true;
+ }
+ return false;
+ }
+
+ public static boolean assertPolicy(AssertionInfoMap aim, String localname) {
+ Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return true;
+ }
+ return false;
+ }
+
+ public static AssertionInfo getFirstAssertionByLocalname(
+ AssertionInfoMap aim, String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ if (sp11Ais != null && !sp11Ais.isEmpty()) {
+ return sp11Ais.iterator().next();
+ }
+
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+ if (sp12Ais != null && !sp12Ais.isEmpty()) {
+ return sp12Ais.iterator().next();
+ }
+
+ return null;
+ }
+
+ public static boolean isThereAnAssertionByLocalname(
+ AssertionInfoMap aim, String localname
+ ) {
+ Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+ Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+ if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+ return true;
+ }
+
+ return false;
+ }
+}
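Review bot: The public methods of the new `PolicyUtils` class (new-file lines 112 through 181) carry no Javadoc, and because the class is `public final` rather than the package-private `NegotiationUtils` it replaces, callers in other packages will now depend on contracts that are only visible in the code. In particular both `assertPolicy` overloads call `setAsserted(true)` on every matching `AssertionInfo` without checking anything themselves, so each should say something like `/** Marks every assertion matching the given name as asserted; the caller must already have verified the requirement. Returns {@code false} if no such assertion is present. */`, and `getAllAssertionsByLocalname` should state that it merges the SP 1.1 and SP 1.2 namespaces. Note also that `getAllAssertionsByLocalname` returns a mutable `HashSet` when assertions exist but an immutable `Collections.emptySet()` otherwise, so a caller that adds to the result would fail only in the empty case; either return `Collections.unmodifiableSet(ais)` or document that the result must not be modified. Finally, `isThereAnAssertionByLocalname` can simply `return (sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty());` instead of the if/return-true/return-false shape.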
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
index 55bca22..5d6ebae 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
@@ -50,6 +50,7 @@ import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor;
import org.apache.neethi.Assertion;
import org.apache.wss4j.policy.SP11Constants;
@@ -127,7 +128,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -171,7 +172,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
}
};
message.put(MessageTrustDecider.class, trust);
- NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
}
if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpBasicAuthentication) {
List<String> auth = headers.get("Authorization");
@@ -179,7 +180,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
|| !auth.get(0).startsWith("Basic")) {
ai.setNotAsserted("HttpBasicAuthentication is set, but not being used");
} else {
- NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
+ PolicyUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
}
}
if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpDigestAuthentication) {
@@ -188,7 +189,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
|| !auth.get(0).startsWith("Digest")) {
ai.setNotAsserted("HttpDigestAuthentication is set, but not being used");
} else {
- NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
+ PolicyUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
}
}
} else {
@@ -213,7 +214,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
boolean requestor = isRequestor(message);
if (ais.isEmpty()) {
if (!requestor) {
@@ -252,9 +253,9 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
ai.setAsserted(true);
}
- NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
- NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
- NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
+ PolicyUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
+ PolicyUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
}
}
}
@@ -287,7 +288,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
new HttpsSecurityTokenImpl(true, policy.getUserName());
httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
- NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
+ PolicyUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
}
}
if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpDigestAuthentication) {
@@ -303,7 +304,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
new HttpsSecurityTokenImpl(false, policy.getUserName());
httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
- NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
+ PolicyUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
}
}
@@ -315,7 +316,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
|| tlsInfo.getPeerCertificates().length == 0) {
asserted = false;
} else {
- NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
+ PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
index 20249be..5e5b0d1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
@@ -45,6 +45,7 @@ import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.trust.STSClient;
@@ -149,7 +150,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -196,7 +197,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
private Trust10 getTrust10(AssertionInfoMap aim) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
if (ais.isEmpty()) {
return null;
}
@@ -204,7 +205,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
}
private Trust13 getTrust13(AssertionInfoMap aim) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
if (ais.isEmpty()) {
return null;
}
@@ -550,7 +551,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
if (ais.isEmpty()) {
return;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
index 1907276..6083f66 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
@@ -43,6 +43,7 @@ import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.kerberos.KerberosClient;
import org.apache.cxf.ws.security.kerberos.KerberosUtils;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.wss4j.KerberosTokenInterceptor;
@@ -112,7 +113,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -150,8 +151,8 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
}
}
- NegotiationUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
- NegotiationUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
}
}
@@ -172,7 +173,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
MessageUtils.isTrue(message.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY));
if (aim != null && !enableStax) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -189,8 +190,8 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
}
}
- NegotiationUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
- NegotiationUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
}
}
@@ -252,7 +253,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
MessageUtils.isTrue(message.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY));
if (aim != null && enableStax) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -275,8 +276,8 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
}
}
- NegotiationUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
- NegotiationUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
index 68c05b8..5283822 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
@@ -20,12 +20,9 @@
package org.apache.cxf.ws.security.policy.interceptors;
import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
import java.util.List;
import javax.security.auth.callback.CallbackHandler;
-import javax.xml.namespace.QName;
import org.apache.cxf.Bus;
import org.apache.cxf.binding.soap.SoapMessage;
@@ -49,6 +46,7 @@ import org.apache.cxf.ws.policy.EndpointPolicy;
import org.apache.cxf.ws.policy.PolicyEngine;
import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.trust.STSUtils;
@@ -62,8 +60,6 @@ import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.SecurityContextToken;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractBinding;
import org.apache.wss4j.policy.model.AlgorithmSuite;
@@ -83,7 +79,7 @@ final class NegotiationUtils {
}
static Trust10 getTrust10(AssertionInfoMap aim) {
- AssertionInfo ai = getFirstAssertionByLocalname(aim, SPConstants.TRUST_10);
+ AssertionInfo ai = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRUST_10);
if (ai == null) {
return null;
}
@@ -91,7 +87,7 @@ final class NegotiationUtils {
}
static Trust13 getTrust13(AssertionInfoMap aim) {
- AssertionInfo ai = getFirstAssertionByLocalname(aim, SPConstants.TRUST_13);
+ AssertionInfo ai = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRUST_13);
if (ai == null) {
return null;
}
@@ -133,19 +129,19 @@ final class NegotiationUtils {
static AlgorithmSuite getAlgorithmSuite(AssertionInfoMap aim) {
AbstractBinding transport = null;
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
transport = (AbstractBinding)ai.getAssertion();
}
} else {
- ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
transport = (AbstractBinding)ai.getAssertion();
}
} else {
- ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
transport = (AbstractBinding)ai.getAssertion();
@@ -303,78 +299,4 @@ final class NegotiationUtils {
return handler;
}
- static boolean assertPolicy(AssertionInfoMap aim, QName name) {
- Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
- if (ais != null && !ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- return true;
- }
- return false;
- }
-
- static boolean assertPolicy(AssertionInfoMap aim, String localname) {
- Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, localname);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- return true;
- }
- return false;
- }
-
- static Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
-
- static AssertionInfo getFirstAssertionByLocalname(
- AssertionInfoMap aim, String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- if (sp11Ais != null && !sp11Ais.isEmpty()) {
- return sp11Ais.iterator().next();
- }
-
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
- if (sp12Ais != null && !sp12Ais.isEmpty()) {
- return sp12Ais.iterator().next();
- }
-
- return null;
- }
-
- static boolean isThereAnAssertionByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- return true;
- }
-
- return false;
- }
-
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
index b70f13a..ada01ef 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
@@ -47,6 +47,7 @@ import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider.HttpsTokenInInterceptor;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
@@ -84,15 +85,15 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
}
private AbstractBinding getBinding(AssertionInfoMap aim) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
if (!ais.isEmpty()) {
return (AbstractBinding)ais.iterator().next().getAssertion();
}
- ais = NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
if (!ais.isEmpty()) {
return (AbstractBinding)ais.iterator().next().getAssertion();
}
- ais = NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
if (!ais.isEmpty()) {
return (AbstractBinding)ais.iterator().next().getAssertion();
}
@@ -104,7 +105,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
// extract Assertion information
if (aim != null) {
final Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -255,7 +256,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
private SignedParts getSignedParts(AssertionInfoMap aim, String addNs) {
Collection<AssertionInfo> signedPartsAis =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
SignedParts signedParts = null;
if (!signedPartsAis.isEmpty()) {
signedParts = (SignedParts)signedPartsAis.iterator().next().getAssertion();
@@ -279,16 +280,16 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
}
private void assertPolicies(AssertionInfoMap aim) {
- NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
- NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_AMEND);
- NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_CANCEL);
- NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_RENEW);
+ PolicyUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
+ PolicyUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_AMEND);
+ PolicyUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_CANCEL);
+ PolicyUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_RENEW);
QName oldCancelQName =
new QName(
"http://schemas.microsoft.com/ws/2005/07/securitypolicy",
SPConstants.MUST_NOT_SEND_CANCEL
);
- NegotiationUtils.assertPolicy(aim, oldCancelQName);
+ PolicyUtils.assertPolicy(aim, oldCancelQName);
}
private void unmapSecurityProps(Message message) {
@@ -473,7 +474,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -507,7 +508,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
return;
}
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
if (ais.isEmpty()) {
return;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
index cf67507..ee84f92 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
@@ -36,6 +36,7 @@ import org.apache.cxf.ws.addressing.AddressingProperties;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider.IssuedTokenOutInterceptor;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
@@ -61,7 +62,7 @@ class SecureConversationOutInterceptor extends AbstractPhaseInterceptor<SoapMess
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -92,13 +93,13 @@ class SecureConversationOutInterceptor extends AbstractPhaseInterceptor<SoapMess
message.getExchange().put(SecurityConstants.TOKEN, tok);
NegotiationUtils.getTokenStore(message).add(tok);
}
- NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
+ PolicyUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
} else {
//server side should be checked on the way in
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
}
- NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
+ PolicyUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
}
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
index fe51e30..ff0bb03 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
@@ -31,6 +31,7 @@ import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
@@ -77,38 +78,38 @@ public class SecurityVerificationOutInterceptor extends AbstractPhaseInterceptor
private boolean isThereASecurityBinding(AssertionInfoMap aim) {
return
- NegotiationUtils.isThereAnAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING)
- || NegotiationUtils.isThereAnAssertionByLocalname(aim, SPConstants.ASYMMETRIC_BINDING)
- || NegotiationUtils.isThereAnAssertionByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ PolicyUtils.isThereAnAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING)
+ || PolicyUtils.isThereAnAssertionByLocalname(aim, SPConstants.ASYMMETRIC_BINDING)
+ || PolicyUtils.isThereAnAssertionByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
}
private AssertionInfo getSecuredPart(AssertionInfoMap aim) {
Collection<AssertionInfo> assertions =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
if (!assertions.isEmpty()) {
return assertions.iterator().next();
}
assertions =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
if (!assertions.isEmpty()) {
return assertions.iterator().next();
}
assertions =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
if (!assertions.isEmpty()) {
return assertions.iterator().next();
}
assertions =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
if (!assertions.isEmpty()) {
return assertions.iterator().next();
}
assertions =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
if (!assertions.isEmpty()) {
return assertions.iterator().next();
}
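Review bot: getSecuredPart repeats the same lookup-and-return block five times, once per local name, and the only thing this hunk changes in it is the utility class being called; the lookup order is what decides which assertion is returned first, so a loop over an ordered array of the five SPConstants names preserves that behaviour while removing the duplication. The remainder of getSecuredPart lies outside the hunk, so whatever it returns when no secured part is found is kept as is.
```java
private AssertionInfo getSecuredPart(AssertionInfoMap aim) {
    // order matters: the first non-empty lookup wins, as in the unrolled version
    String[] securedPartNames = {
        SPConstants.SIGNED_PARTS, SPConstants.SIGNED_ELEMENTS, SPConstants.ENCRYPTED_PARTS,
        SPConstants.ENCRYPTED_ELEMENTS, SPConstants.CONTENT_ENCRYPTED_ELEMENTS
    };
    for (String localname : securedPartNames) {
        Collection<AssertionInfo> assertions =
            PolicyUtils.getAllAssertionsByLocalname(aim, localname);
        if (!assertions.isEmpty()) {
            return assertions.iterator().next();
        }
    }
    // … unchanged: remainder of getSecuredPart (outside the hunk) …
```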
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
index 632ddea..e0be4e5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
@@ -42,6 +42,7 @@ import org.apache.cxf.ws.addressing.JAXWSAConstants;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider.HttpsTokenInInterceptor;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
@@ -74,7 +75,7 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
if (ais.isEmpty()) {
return;
}
@@ -375,7 +376,7 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
if (ais.isEmpty()) {
return;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
index 6daca9d..cdbac47 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
@@ -32,6 +32,7 @@ import org.apache.cxf.ws.addressing.AddressingProperties;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.STSUtils;
@@ -52,7 +53,7 @@ class SpnegoContextTokenOutInterceptor extends AbstractPhaseInterceptor<SoapMess
// extract Assertion information
if (aim != null) {
Collection<AssertionInfo> ais =
- NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
if (ais.isEmpty()) {
return;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
index c943b79..4895e68 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
@@ -21,7 +21,6 @@ package org.apache.cxf.ws.security.wss4j;
import java.util.Collection;
import java.util.Collections;
-import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;
@@ -30,7 +29,6 @@ import javax.xml.namespace.QName;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-
import org.apache.cxf.binding.soap.SoapHeader;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
@@ -49,11 +47,10 @@ import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyException;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.dom.WSConstants;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -118,62 +115,19 @@ public abstract class AbstractTokenInterceptor extends AbstractSoapInterceptor {
protected abstract AbstractToken assertTokens(SoapMessage message);
- protected boolean assertPolicy(AssertionInfoMap aim, String localname) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- return true;
- }
- return false;
- }
-
- protected boolean assertPolicy(AssertionInfoMap aim, QName name) {
- Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
- if (ais != null && !ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
- return true;
- }
- return false;
- }
-
- protected Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
-
protected AbstractToken assertTokens(SoapMessage message, String localname, boolean signed) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+ Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, localname);
AbstractToken tok = null;
for (AssertionInfo ai : ais) {
tok = (AbstractToken)ai.getAssertion();
ai.setAsserted(true);
}
- assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
+ PolicyUtils.assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
if (signed || isTLSInUse(message)) {
- assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+ PolicyUtils.assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
}
return tok;
}
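Review bot: The three members removed from this public abstract class, `assertPolicy(AssertionInfoMap, String)`, `assertPolicy(AssertionInfoMap, QName)` and `getAllAssertionsByLocalname(AssertionInfoMap, String)`, were `protected`, so any subclass outside this module that calls them stops compiling, and the commit description does not mention the API removal. If third-party token interceptors are a concern, keep thin `@Deprecated` wrappers that delegate to PolicyUtils for one release; the QName overload in particular has no PolicyUtils replacement visible in this chunk, so it is worth confirming one exists. `java.util.Collections` is still imported although its only visible use, `Collections.emptySet()` in the removed helper, is gone; if nothing else in the file uses it, checkstyle will flag the unused import.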
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
index aef7915..fac455b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
@@ -21,20 +21,15 @@ package org.apache.cxf.ws.security.wss4j;
import java.util.ArrayList;
import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
import java.util.List;
-import javax.xml.namespace.QName;
-
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.crypto.AlgorithmSuite;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.handler.RequestData;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractBinding;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
@@ -62,14 +57,14 @@ public final class AlgorithmSuiteTranslater {
}
// Now look for an AlgorithmSuite for a SAML Assertion
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
if (!ais.isEmpty()) {
- List<org.apache.wss4j.policy.model.AlgorithmSuite> samlAlgorithmSuites
- = new ArrayList<org.apache.wss4j.policy.model.AlgorithmSuite>();
+ List<org.apache.wss4j.policy.model.AlgorithmSuite> samlAlgorithmSuites = new ArrayList<>();
for (AssertionInfo ai : ais) {
SamlToken samlToken = (SamlToken)ai.getAssertion();
AbstractSecurityAssertion parentAssertion = samlToken.getParentAssertion();
- if ((parentAssertion instanceof SupportingTokens)
+ if (parentAssertion instanceof SupportingTokens
&& ((SupportingTokens)parentAssertion).getAlgorithmSuite() != null) {
samlAlgorithmSuites.add(((SupportingTokens)parentAssertion).getAlgorithmSuite());
}
@@ -89,8 +84,7 @@ public final class AlgorithmSuiteTranslater {
) {
AlgorithmSuite algorithmSuite = null;
- for (org.apache.wss4j.policy.model.AlgorithmSuite cxfAlgorithmSuite
- : algorithmSuites) {
+ for (org.apache.wss4j.policy.model.AlgorithmSuite cxfAlgorithmSuite : algorithmSuites) {
if (cxfAlgorithmSuite == null) {
continue;
}
@@ -151,28 +145,28 @@ public final class AlgorithmSuiteTranslater {
* Get all of the WS-SecurityPolicy Bindings that are in operation
*/
private List<AbstractBinding> getBindings(AssertionInfoMap aim) {
- List<AbstractBinding> bindings = new ArrayList<AbstractBinding>();
- if (aim != null) {
- Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- bindings.add((AbstractBinding)ai.getAssertion());
- }
+ List<AbstractBinding> bindings = new ArrayList<>();
+
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ bindings.add((AbstractBinding)ai.getAssertion());
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- bindings.add((AbstractBinding)ai.getAssertion());
- }
+ }
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ bindings.add((AbstractBinding)ai.getAssertion());
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- bindings.add((AbstractBinding)ai.getAssertion());
- }
+ }
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
+ for (AssertionInfo ai : ais) {
+ bindings.add((AbstractBinding)ai.getAssertion());
}
}
+
return bindings;
}
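Review bot: The rewritten getBindings drops the `if (aim != null)` guard that wrapped the old body, so the three `PolicyUtils.getAllAssertionsByLocalname(aim, …)` calls now run with a possibly null map; unless PolicyUtils tolerates a null AssertionInfoMap (its implementation is not in this chunk), a message with no policy attached now throws a NullPointerException where it previously returned an empty list. Restore the early exit at the top of the method, `if (aim == null) { return bindings; }`, or document on the method that callers guarantee a non-null map.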
@@ -182,8 +176,7 @@ public final class AlgorithmSuiteTranslater {
private List<org.apache.wss4j.policy.model.AlgorithmSuite> getAlgorithmSuites(
List<AbstractBinding> bindings
) {
- List<org.apache.wss4j.policy.model.AlgorithmSuite> algorithmSuites =
- new ArrayList<org.apache.wss4j.policy.model.AlgorithmSuite>();
+ List<org.apache.wss4j.policy.model.AlgorithmSuite> algorithmSuites = new ArrayList<>();
for (AbstractBinding binding : bindings) {
if (binding.getAlgorithmSuite() != null) {
algorithmSuites.add(binding.getAlgorithmSuite());
@@ -192,25 +185,4 @@ public final class AlgorithmSuiteTranslater {
return algorithmSuites;
}
- private Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
-
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
index 5900c10..de83d7b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
@@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.wss4j;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -38,8 +39,8 @@ public class KerberosTokenInterceptor extends BinarySecurityTokenInterceptor {
protected AbstractToken assertTokens(SoapMessage message) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- assertPolicy(aim, "WssKerberosV5ApReqToken11");
- assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+ PolicyUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
return assertTokens(message, SPConstants.KERBEROS_TOKEN, false);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 116e2a0..abeb41c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -23,7 +23,6 @@ import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
-import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
@@ -56,6 +55,7 @@ import org.apache.cxf.service.model.EndpointInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
@@ -133,7 +133,8 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
private void handleWSS11(AssertionInfoMap aim, SoapMessage message) {
if (isRequestor(message)) {
message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "false");
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS11);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
Wss11 wss11 = (Wss11)ai.getAssertion();
@@ -168,7 +169,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
}
private boolean assertPolicy(AssertionInfoMap aim, String localname) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+ Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, localname);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
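Review bot: The private `assertPolicy(AssertionInfoMap, String)` kept here now duplicates `PolicyUtils.assertPolicy`, which this commit introduces and which AbstractTokenInterceptor and KerberosTokenInterceptor already call with the same arguments; its body is just the lookup plus the setAsserted loop. Assuming PolicyUtils.assertPolicy returns the same boolean the removed AbstractTokenInterceptor overload did, the body can become `return PolicyUtils.assertPolicy(aim, localname);`, or the method can be deleted and its callers switched to PolicyUtils, which keeps this class consistent with the rest of the change. The method's closing lines lie outside the hunk; the same inline lookup-then-setAsserted loop also appears in the hunks at -505 and -548 of this file.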
@@ -178,32 +179,11 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
return false;
}
- private Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
-
private String checkAsymmetricBinding(
AssertionInfoMap aim, String action, SoapMessage message, RequestData data
) throws WSSecurityException {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
if (ais.isEmpty()) {
return action;
}
@@ -289,7 +269,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
if (aim != null) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
if (!ais.isEmpty()) {
return true;
@@ -307,7 +287,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
if (aim != null) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.INCLUDE_TIMESTAMP);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.INCLUDE_TIMESTAMP);
if (!ais.isEmpty()) {
return true;
@@ -325,7 +305,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
if (aim != null) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
if (!ais.isEmpty()) {
return true;
@@ -339,7 +319,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
AssertionInfoMap aim, SoapMessage message
) throws WSSecurityException {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
@@ -355,7 +335,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
AssertionInfoMap aim, String action, SoapMessage message, RequestData data
) throws WSSecurityException {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
if (ais.isEmpty()) {
return action;
}
@@ -505,7 +485,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
CoverageType type,
CoverageScope scope,
final XPath xpath) throws SOAPException {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, name);
+ Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, name);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
@@ -548,7 +528,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
Element soapHeader,
Element soapBody,
CoverageType type) throws SOAPException {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, name);
+ Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, name);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
@@ -654,7 +634,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
assertPolicy(aim, SPConstants.RSA_KEY_VALUE);
// WSS10
- ais = getAllAssertionsByLocalname(aim, SPConstants.WSS10);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS10);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
@@ -666,7 +646,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
}
// Trust 1.0
- ais = getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
boolean trust10Asserted = false;
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
@@ -681,7 +661,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
}
// Trust 1.3
- ais = getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
ai.setAsserted(true);
@@ -973,7 +953,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
private boolean assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, Node header)
throws SOAPException {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);
+ Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
RequiredParts rp = (RequiredParts)ai.getAssertion();
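Review bot: The new line `Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);` appears to exceed the line-length limit that the rest of this commit respects; the equivalent calls in handleWSS11 and containsXPathPolicy in this same file were wrapped after the `=`, so wrapping this one the same way keeps checkstyle clean and the style uniform. assertHeadersExists continues outside the hunk.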
@@ -988,7 +968,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
}
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_ELEMENTS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_ELEMENTS);
if (!ais.isEmpty()) {
for (AssertionInfo ai : ais) {
RequiredElements rp = (RequiredElements)ai.getAssertion();
@@ -1025,17 +1005,17 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
private boolean isTransportBinding(AssertionInfoMap aim, SoapMessage message) {
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
if (ais.size() > 0) {
return false;
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
if (ais.size() > 0) {
return false;
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
if (ais.size() > 0) {
return true;
}
@@ -1055,15 +1035,16 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
}
private boolean containsXPathPolicy(AssertionInfoMap aim) {
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
if (ais.size() > 0) {
return true;
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
if (ais.size() > 0) {
return true;
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
if (ais.size() > 0) {
return true;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
index 54faf7e..b73cd6c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
@@ -21,16 +21,13 @@ package org.apache.cxf.ws.security.wss4j;
import java.security.Provider;
import java.util.Collection;
import java.util.Collections;
-import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;
-import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import org.w3c.dom.Element;
-
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
@@ -45,6 +42,7 @@ import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler;
import org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler;
import org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler;
@@ -54,8 +52,6 @@ import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSSConfig;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.message.WSSecHeader;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractBinding;
import org.apache.wss4j.policy.model.AsymmetricBinding;
@@ -120,6 +116,11 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
}
private void handleMessageInternal(SoapMessage message) throws Fault {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ if (aim == null) {
+ // no policies available
+ return;
+ }
SOAPMessage saaj = message.getContent(SOAPMessage.class);
boolean mustUnderstand =
@@ -128,91 +129,100 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
);
String actor = (String)message.getContextualProperty(SecurityConstants.ACTOR);
- AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
- if (aim != null) {
- AbstractBinding transport = null;
- Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- transport = (AbstractBinding)ai.getAssertion();
- ai.setAsserted(true);
- }
+ AbstractBinding binding = getSecurityBinding(aim);
+
+ if (binding == null && isRequestor(message)) {
+ Policy policy = new Policy();
+ binding = new TransportBinding(org.apache.wss4j.policy.SPConstants.SPVersion.SP11,
+ policy);
+ }
+
+ if (binding != null) {
+ WSSecHeader secHeader = new WSSecHeader(actor, mustUnderstand);
+ Element el = null;
+ try {
+ el = secHeader.insertSecurityHeader(saaj.getSOAPPart());
+ } catch (WSSecurityException e) {
+ throw new SoapFault(
+ new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
+ );
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- transport = (AbstractBinding)ai.getAssertion();
- ai.setAsserted(true);
- }
+ try {
+ //move to end
+ SAAJUtils.getHeader(saaj).removeChild(el);
+ SAAJUtils.getHeader(saaj).appendChild(el);
+ } catch (SOAPException e) {
+ //ignore
}
- ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
- if (!ais.isEmpty()) {
- for (AssertionInfo ai : ais) {
- transport = (AbstractBinding)ai.getAssertion();
- ai.setAsserted(true);
- }
+
+ WSSConfig config = (WSSConfig)message.getContextualProperty(WSSConfig.class.getName());
+ if (config == null) {
+ config = WSSConfig.getNewInstance();
}
+ translateProperties(message);
- if (transport == null && isRequestor(message)) {
- Policy policy = new Policy();
- transport = new TransportBinding(org.apache.wss4j.policy.SPConstants.SPVersion.SP11,
- policy);
+ String asymSignatureAlgorithm =
+ (String)message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
+ if (asymSignatureAlgorithm != null && binding.getAlgorithmSuite() != null) {
+ binding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
}
-
- if (transport != null) {
- WSSecHeader secHeader = new WSSecHeader(actor, mustUnderstand);
- Element el = null;
- try {
- el = secHeader.insertSecurityHeader(saaj.getSOAPPart());
- } catch (WSSecurityException e) {
- throw new SoapFault(
- new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
- );
- }
- try {
- //move to end
- SAAJUtils.getHeader(saaj).removeChild(el);
- SAAJUtils.getHeader(saaj).appendChild(el);
- } catch (SOAPException e) {
- //ignore
- }
-
- WSSConfig config = (WSSConfig)message.getContextualProperty(WSSConfig.class.getName());
- if (config == null) {
- config = WSSConfig.getNewInstance();
- }
- translateProperties(message);
-
- String asymSignatureAlgorithm =
- (String)message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
- if (asymSignatureAlgorithm != null && transport.getAlgorithmSuite() != null) {
- transport.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
- }
- try {
- if (transport instanceof TransportBinding) {
- new TransportBindingHandler(config, (TransportBinding)transport, saaj,
- secHeader, aim, message).handleBinding();
- } else if (transport instanceof SymmetricBinding) {
- new SymmetricBindingHandler(config, (SymmetricBinding)transport, saaj,
- secHeader, aim, message).handleBinding();
- } else {
- new AsymmetricBindingHandler(config, (AsymmetricBinding)transport, saaj,
- secHeader, aim, message).handleBinding();
- }
- } catch (SOAPException e) {
- throw new SoapFault(
- new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
- );
- }
-
- if (el.getFirstChild() == null) {
- el.getParentNode().removeChild(el);
+ try {
+ if (binding instanceof TransportBinding) {
+ new TransportBindingHandler(config, (TransportBinding)binding, saaj,
+ secHeader, aim, message).handleBinding();
+ } else if (binding instanceof SymmetricBinding) {
+ new SymmetricBindingHandler(config, (SymmetricBinding)binding, saaj,
+ secHeader, aim, message).handleBinding();
+ } else {
+ new AsymmetricBindingHandler(config, (AsymmetricBinding)binding, saaj,
+ secHeader, aim, message).handleBinding();
}
+ } catch (SOAPException e) {
+ throw new SoapFault(
+ new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
+ );
+ }
+
+ if (el.getFirstChild() == null) {
+ el.getParentNode().removeChild(el);
+ }
+ }
+
+ }
+
+ private AbstractBinding getSecurityBinding(AssertionInfoMap aim) {
+ Collection<AssertionInfo> ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ if (!ais.isEmpty()) {
+ AbstractBinding binding = null;
+ for (AssertionInfo ai : ais) {
+ binding = (AbstractBinding)ai.getAssertion();
+ ai.setAsserted(true);
+ }
+ return binding;
+ }
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
+ AbstractBinding binding = null;
+ for (AssertionInfo ai : ais) {
+ binding = (AbstractBinding)ai.getAssertion();
+ ai.setAsserted(true);
+ }
+ return binding;
+ }
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ if (!ais.isEmpty()) {
+ AbstractBinding binding = null;
+ for (AssertionInfo ai : ais) {
+ binding = (AbstractBinding)ai.getAssertion();
+ ai.setAsserted(true);
}
+ return binding;
}
+ return null;
}
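Review bot: getSecurityBinding changes which binding assertions get asserted when a policy carries more than one binding type: the removed code asserted every TransportBinding, AsymmetricBinding and SymmetricBinding assertion found and kept the last one (symmetric winning), whereas the new method returns at the first non-empty group, so a policy holding e.g. an AsymmetricBinding alongside a TransportBinding now picks the transport binding and leaves the asymmetric assertion unasserted, which presumably surfaces later as a policy-verification failure. If the new Transport > Asymmetric > Symmetric precedence is intended, the method should say so; otherwise the lookup should continue through the remaining localnames as before. Independently, the three identical blocks can collapse into one loop over the localnames, as below. The enclosing handleMessageInternal body begins outside this hunk.
```java
private AbstractBinding getSecurityBinding(AssertionInfoMap aim) {
    // Precedence is Transport > Asymmetric > Symmetric: only the first
    // non-empty group is asserted and returned (the pre-refactor code
    // asserted all three groups and used the last one found).
    for (String localname : new String[] {SPConstants.TRANSPORT_BINDING,
                                          SPConstants.ASYMMETRIC_BINDING,
                                          SPConstants.SYMMETRIC_BINDING}) {
        Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, localname);
        if (!ais.isEmpty()) {
            AbstractBinding binding = null;
            for (AssertionInfo ai : ais) {
                binding = (AbstractBinding)ai.getAssertion();
                ai.setAsserted(true);
            }
            return binding;
        }
    }
    return null;
}
```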
public Set<String> getAfter() {
@@ -247,26 +257,5 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
msg.put(WSHandlerConstants.IS_BSP_COMPLIANT, bspCompliant);
}
}
-
- private Collection<AssertionInfo> getAllAssertionsByLocalname(
- AssertionInfoMap aim,
- String localname
- ) {
- Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
- Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
- if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
- Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
- if (sp11Ais != null) {
- ais.addAll(sp11Ais);
- }
- if (sp12Ais != null) {
- ais.addAll(sp12Ais);
- }
- return ais;
- }
-
- return Collections.emptySet();
- }
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
index ec2e51d..0d128d8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
@@ -44,6 +44,7 @@ import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.ext.WSPasswordCallback;
@@ -113,7 +114,8 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
// Check version against policy
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- for (AssertionInfo ai : getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
+ for (AssertionInfo ai
+ : PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
SamlToken samlToken = (SamlToken)ai.getAssertion();
for (WSSecurityEngineResult result : samlResults) {
SamlAssertionWrapper assertionWrapper =
@@ -175,9 +177,9 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
protected AbstractToken assertTokens(SoapMessage message) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- assertPolicy(aim, "WssSamlV11Token10");
- assertPolicy(aim, "WssSamlV11Token11");
- assertPolicy(aim, "WssSamlV20Token11");
+ PolicyUtils.assertPolicy(aim, "WssSamlV11Token10");
+ PolicyUtils.assertPolicy(aim, "WssSamlV11Token11");
+ PolicyUtils.assertPolicy(aim, "WssSamlV20Token11");
return assertTokens(message, SPConstants.SAML_TOKEN, true);
}
@@ -191,7 +193,7 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
if (wrapper == null) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
Collection<AssertionInfo> ais =
- getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
for (AssertionInfo ai : ais) {
if (ai.isAsserted()) {
ai.setAsserted(false);
@@ -236,12 +238,12 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
SamlTokenType tokenType = token.getSamlTokenType();
if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) {
samlCallback.setSamlVersion(Version.SAML_11);
- assertPolicy(aim, "WssSamlV11Token10");
- assertPolicy(aim, "WssSamlV11Token11");
+ PolicyUtils.assertPolicy(aim, "WssSamlV11Token10");
+ PolicyUtils.assertPolicy(aim, "WssSamlV11Token11");
} else if (tokenType == SamlTokenType.WssSamlV20Token11) {
samlCallback.setSamlVersion(Version.SAML_20);
- assertPolicy(aim, "WssSamlV20Token11");
+ PolicyUtils.assertPolicy(aim, "WssSamlV20Token11");
}
SAMLUtil.doSAMLCallback(handler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
@@ -324,7 +326,7 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
&& assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) {
return false;
}
- assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), tokenType.name()));
+ PolicyUtils.assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), tokenType.name()));
return true;
}