Posted to commits@cxf.apache.org by co...@apache.org on 2015/04/03 13:35:33 UTC
[2/4] cxf git commit: Another sweep of the policy validation code
Another sweep of the policy validation code
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2f164ec2
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2f164ec2
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2f164ec2
Branch: refs/heads/master
Commit: 2f164ec218a1e850d8cc4a6a9ffdb6dba248895f
Parents: f7a64ca
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Apr 3 00:39:02 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Apr 3 12:33:57 2015 +0100
----------------------------------------------------------------------
.../IssuedTokenInterceptorProvider.java | 4 +-
.../policy/interceptors/NegotiationUtils.java | 46 +++++-----
.../security/wss4j/CryptoCoverageChecker.java | 17 ++--
.../wss4j/PolicyBasedWSS4JInInterceptor.java | 10 +--
.../policyhandlers/AbstractBindingBuilder.java | 39 +++++----
.../policyhandlers/SymmetricBindingHandler.java | 12 +--
.../AbstractBindingPolicyValidator.java | 6 +-
.../AbstractSupportingTokenPolicyValidator.java | 91 +++++++++-----------
.../AlgorithmSuitePolicyValidator.java | 29 ++++---
.../KerberosTokenPolicyValidator.java | 9 +-
10 files changed, 130 insertions(+), 133 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
index c6f12b0..dd14252 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
@@ -179,9 +179,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
parameters.setMessage(message);
parameters.setResults(rResult);
- List<WSSecurityEngineResult> signedResults =
- rResult.getActionResults().get(WSConstants.SIGN);
- parameters.setSignedResults(signedResults);
+ parameters.setSignedResults(rResult.getActionResults().get(WSConstants.SIGN));
List<WSSecurityEngineResult> samlResults = new ArrayList<>();
if (rResult.getActionResults().containsKey(WSConstants.ST_SIGNED)) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
index 6690523..2b0ca66 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
@@ -221,33 +221,31 @@ final class NegotiationUtils {
}
for (WSHandlerResult rResult : results) {
- List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
+ List<WSSecurityEngineResult> sctResults =
+ rResult.getActionResults().get(WSConstants.SCT);
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.SCT) {
- SecurityContextToken tok =
- (SecurityContextToken)wser.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
- message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getIdentifier());
-
- SecurityToken token = TokenStoreUtils.getTokenStore(message).getToken(tok.getIdentifier());
- if (token == null || token.isExpired()) {
- byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
- if (secret != null) {
- token = new SecurityToken(tok.getIdentifier());
- token.setToken(tok.getElement());
- token.setSecret(secret);
- token.setTokenType(tok.getTokenType());
- TokenStoreUtils.getTokenStore(message).add(token);
- }
+ for (WSSecurityEngineResult wser : sctResults) {
+ SecurityContextToken tok =
+ (SecurityContextToken)wser.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
+ message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getIdentifier());
+
+ SecurityToken token = TokenStoreUtils.getTokenStore(message).getToken(tok.getIdentifier());
+ if (token == null || token.isExpired()) {
+ byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
+ if (secret != null) {
+ token = new SecurityToken(tok.getIdentifier());
+ token.setToken(tok.getElement());
+ token.setSecret(secret);
+ token.setTokenType(tok.getTokenType());
+ TokenStoreUtils.getTokenStore(message).add(token);
}
- if (token != null) {
- final SecurityContext sc = token.getSecurityContext();
- if (sc != null) {
- message.put(SecurityContext.class, sc);
- }
- return true;
+ }
+ if (token != null) {
+ final SecurityContext sc = token.getSecurityContext();
+ if (sc != null) {
+ message.put(SecurityContext.class, sc);
}
+ return true;
}
}
}
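Review bot: The new `sctResults` local is assigned `rResult.getActionResults().get(WSConstants.SCT)` and then iterated directly, with no null check, so a handler result that contains no SecurityContextToken action will throw a NullPointerException here instead of falling through to the next result. Every other hunk in this commit that reads a per-action list (CryptoCoverageChecker, AbstractBindingBuilder, SymmetricBindingHandler, KerberosTokenPolicyValidator) guards it with `if (x != null)`, and this loop should do the same: `if (sctResults != null) { for (WSSecurityEngineResult wser : sctResults) { … } }`. The enclosing method starts before the hunk and its fall-through return is after it, so what the caller sees on the exception path is not visible here.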
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
index 9a71a9e..0b634d2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
@@ -139,11 +139,11 @@ public class CryptoCoverageChecker extends AbstractSoapInterceptor {
// Get all encrypted and signed references
for (WSHandlerResult wshr : results) {
- for (WSSecurityEngineResult result : wshr.getResults()) {
- Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt == WSConstants.SIGN) {
+ List<WSSecurityEngineResult> signedResults = wshr.getActionResults().get(WSConstants.SIGN);
+ if (signedResults != null) {
+ for (WSSecurityEngineResult signedResult : signedResults) {
List<WSDataRef> sl =
- CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
if (sl != null) {
if (sl.size() == 1
&& sl.get(0).getName().equals(new QName(WSConstants.SIG_NS, WSConstants.SIG_LN))) {
@@ -153,9 +153,14 @@ public class CryptoCoverageChecker extends AbstractSoapInterceptor {
signed.addAll(sl);
}
- } else if (actInt == WSConstants.ENCR) {
+ }
+ }
+
+ List<WSSecurityEngineResult> encryptedResults = wshr.getActionResults().get(WSConstants.ENCR);
+ if (encryptedResults != null) {
+ for (WSSecurityEngineResult encryptedResult : encryptedResults) {
List<WSDataRef> el =
- CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ CastUtils.cast((List<?>)encryptedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
if (el != null) {
encrypted.addAll(el);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 59c73f0..c4c8b37 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -429,7 +429,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
private boolean assertTokens(AssertionInfoMap aim,
String name,
- Collection<WSDataRef> signed,
+ Collection<WSDataRef> dataRefs,
SoapMessage msg,
Element soapHeader,
Element soapBody,
@@ -444,11 +444,11 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
try {
if (CoverageType.SIGNED.equals(type)) {
CryptoCoverageUtil.checkBodyCoverage(
- soapBody, signed, type, CoverageScope.ELEMENT
+ soapBody, dataRefs, type, CoverageScope.ELEMENT
);
} else {
CryptoCoverageUtil.checkBodyCoverage(
- soapBody, signed, type, CoverageScope.CONTENT
+ soapBody, dataRefs, type, CoverageScope.CONTENT
);
}
} catch (WSSecurityException e) {
@@ -459,7 +459,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
for (Header h : p.getHeaders()) {
try {
- CryptoCoverageUtil.checkHeaderCoverage(soapHeader, signed, h
+ CryptoCoverageUtil.checkHeaderCoverage(soapHeader, dataRefs, h
.getNamespace(), h.getName(), type,
CoverageScope.ELEMENT);
} catch (WSSecurityException e) {
@@ -474,7 +474,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
if (attachments.isContentSignatureTransform()) {
scope = CoverageScope.CONTENT;
}
- CryptoCoverageUtil.checkAttachmentsCoverage(msg.getAttachments(), signed,
+ CryptoCoverageUtil.checkAttachmentsCoverage(msg.getAttachments(), dataRefs,
type, scope);
} catch (WSSecurityException e) {
ai.setNotAsserted("An attachment was not signed/encrypted");
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index a866496..306dafd 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -1581,16 +1581,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
* receiving Actor and the sending Actor match.
*/
for (WSHandlerResult rResult : results) {
- List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
- /*
- * Scan the results for the first Signature action. Use the
- * certificate of this Signature to set the certificate for the
- * encryption action :-).
- */
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.SIGN) {
- return (X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ List<WSSecurityEngineResult> signedResults =
+ rResult.getActionResults().get(WSConstants.SIGN);
+ if (signedResults != null) {
+ /*
+ * Scan the results for the first Signature action. Use the
+ * certificate of this Signature to set the certificate for the
+ * encryption action :-).
+ */
+ for (WSSecurityEngineResult signedResult : signedResults) {
+ if (signedResult.containsKey(WSSecurityEngineResult.TAG_X509_CERTIFICATE)) {
+ return (X509Certificate)signedResult.get(
+ WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ }
}
}
}
@@ -1634,15 +1637,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
.get(WSHandlerConstants.RECV_RESULTS));
for (WSHandlerResult rResult : results) {
- List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
-
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- String encryptedKeyID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
- if (actInt.intValue() == WSConstants.ENCR
- && encryptedKeyID != null
- && encryptedKeyID.length() != 0) {
- return wser;
+ List<WSSecurityEngineResult> encryptedResults = rResult.getResults();
+ if (encryptedResults != null) {
+ for (WSSecurityEngineResult wser : encryptedResults) {
+ String encryptedKeyID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
+ if (encryptedKeyID != null && encryptedKeyID.length() != 0) {
+ return wser;
+ }
}
}
}
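Review bot: The local introduced as `encryptedResults` is assigned `rResult.getResults()`, i.e. every result of the handler, while the removed `actInt.intValue() == WSConstants.ENCR` test is not replaced by anything, so the method now returns the first result of any action that carries a non-empty TAG_ID (a signature, UsernameToken, timestamp, …) rather than the first EncryptedKey. The other hunks in this commit use the per-action map for exactly this lookup and that is almost certainly what was intended: `List<WSSecurityEngineResult> encryptedResults = rResult.getActionResults().get(WSConstants.ENCR);` — the `!= null` guard that follows already fits that form. What the caller does with the returned result is outside the hunk; if it is used to pick the EncryptedKey to reference when building the response, this would select the wrong element on any message where a non-ENCR result precedes the EncryptedKey.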
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index 65d4a2f..bfc67e0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -950,12 +950,12 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
.get(WSHandlerConstants.RECV_RESULTS));
for (WSHandlerResult rResult : results) {
- List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
+ List<WSSecurityEngineResult> wsSecEngineResults =
+ rResult.getActionResults().get(WSConstants.UT_NOPASSWORD);
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- String utID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
- if (actInt.intValue() == WSConstants.UT_NOPASSWORD) {
+ if (wsSecEngineResults != null) {
+ for (WSSecurityEngineResult wser : wsSecEngineResults) {
+ String utID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
if (utID == null || utID.length() == 0) {
utID = wssConfig.getIdAllocator().createId("UsernameToken-", null);
}
@@ -963,7 +963,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
Date expires = new Date();
expires.setTime(created.getTime() + 300000);
SecurityToken tempTok = new SecurityToken(utID, created, expires);
-
+
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
tempTok.setSecret(secret);
tokenStore.add(tempTok);
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index d79470f..55a00b5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
@@ -310,12 +310,10 @@ public abstract class AbstractBindingPolicyValidator implements SecurityPolicyVa
List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults
) {
- for (int i = 0; i < signedResults.size(); i++) {
- WSSecurityEngineResult result = signedResults.get(i);
+ for (WSSecurityEngineResult result : signedResults) {
// Get the Token result that was used for the signature
- WSSecurityEngineResult tokenResult =
- findCorrespondingToken(result, results);
+ WSSecurityEngineResult tokenResult = findCorrespondingToken(result, results);
if (tokenResult == null) {
return false;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index 74cf2c0..ad0c835 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -39,7 +39,6 @@ import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
-
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
@@ -57,6 +56,7 @@ import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
@@ -109,12 +109,12 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
return false;
}
- if (derived) {
+ if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
for (WSSecurityEngineResult wser : parameters.getUsernameTokenResults()) {
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
if (secret != null) {
WSSecurityEngineResult dktResult =
- getMatchingDerivedKey(secret, parameters.getResults().getResults());
+ getMatchingDerivedKey(secret, parameters.getResults());
if (dktResult != null) {
tokenResults.add(dktResult);
}
@@ -173,10 +173,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* Process Kerberos Tokens.
*/
protected boolean processKerberosTokens(PolicyValidatorParameters parameters, boolean derived) {
- List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
- for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.BST) {
+ List<WSSecurityEngineResult> tokenResults = null;
+ if (parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
+ tokenResults = new ArrayList<>();
+ for (WSSecurityEngineResult wser
+ : parameters.getResults().getActionResults().get(WSConstants.BST)) {
BinarySecurity binarySecurity =
(BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof KerberosSecurity) {
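Review bot: `tokenResults` is now initialised to `null` and only allocated inside the `containsKey(WSConstants.BST)` branch, which forces the later `tokenResults == null || tokenResults.isEmpty()` rewrite and leaves a nullable local that the rest of the method (outside the hunk) has to treat with care. Keeping `new ArrayList<>()` and guarding only the source list is simpler and leaves the existing `isEmpty()` test untouched: `List<WSSecurityEngineResult> bstResults = parameters.getResults().getActionResults().get(WSConstants.BST); if (bstResults != null) { for (WSSecurityEngineResult wser : bstResults) { … } }`. The same shape appears in the processX509Tokens and processKeyValueTokens hunks below.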
@@ -185,7 +186,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
}
}
- if (tokenResults.isEmpty()) {
+ if (tokenResults == null || tokenResults.isEmpty()) {
return false;
}
@@ -199,12 +200,12 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
return false;
}
- if (derived) {
+ if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
for (WSSecurityEngineResult wser : tokenResults) {
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
WSSecurityEngineResult dktResult =
- getMatchingDerivedKey(secret, parameters.getResults().getResults());
+ getMatchingDerivedKey(secret, parameters.getResults());
if (dktResult != null) {
dktResults.add(dktResult);
}
@@ -231,10 +232,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* Process X509 Tokens.
*/
protected boolean processX509Tokens(PolicyValidatorParameters parameters, boolean derived) {
- List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
- for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.BST) {
+ List<WSSecurityEngineResult> tokenResults = null;
+ if (parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
+ tokenResults = new ArrayList<>();
+ for (WSSecurityEngineResult wser
+ : parameters.getResults().getActionResults().get(WSConstants.BST)) {
BinarySecurity binarySecurity =
(BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof X509Security
@@ -244,7 +246,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
}
}
- if (tokenResults.isEmpty()) {
+ if (tokenResults == null || tokenResults.isEmpty()) {
return false;
}
@@ -258,11 +260,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
return false;
}
- if (derived) {
+ if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
for (WSSecurityEngineResult wser : tokenResults) {
WSSecurityEngineResult resultToStore =
- processX509DerivedTokenResult(wser, parameters.getResults().getResults());
+ processX509DerivedTokenResult(wser, parameters.getResults());
if (resultToStore != null) {
dktResults.add(resultToStore);
}
@@ -289,16 +291,19 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* Process KeyValue Tokens.
*/
protected boolean processKeyValueTokens(PolicyValidatorParameters parameters) {
- List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
- for (WSSecurityEngineResult wser : parameters.getSignedResults()) {
- PublicKey publicKey =
- (PublicKey)wser.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
- if (publicKey != null) {
- tokenResults.add(wser);
+ List<WSSecurityEngineResult> tokenResults = null;
+ if (parameters.getSignedResults() != null && !parameters.getSignedResults().isEmpty()) {
+ tokenResults = new ArrayList<>();
+ for (WSSecurityEngineResult wser : parameters.getSignedResults()) {
+ PublicKey publicKey =
+ (PublicKey)wser.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+ if (publicKey != null) {
+ tokenResults.add(wser);
+ }
}
}
- if (tokenResults.isEmpty()) {
+ if (tokenResults == null || tokenResults.isEmpty()) {
return false;
}
@@ -359,17 +364,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* Process Security Context Tokens.
*/
protected boolean processSCTokens(PolicyValidatorParameters parameters, boolean derived) {
- List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
- for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.SCT) {
- tokenResults.add(wser);
- }
- }
-
- if (tokenResults.isEmpty()) {
+ if (!parameters.getResults().getActionResults().containsKey(WSConstants.SCT)) {
return false;
}
+ List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
+ tokenResults.addAll(parameters.getResults().getActionResults().get(WSConstants.SCT));
if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(),
parameters.getEncryptedResults(),
@@ -381,12 +380,12 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
return false;
}
- if (derived) {
+ if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
for (WSSecurityEngineResult wser : tokenResults) {
byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
WSSecurityEngineResult dktResult =
- getMatchingDerivedKey(secret, parameters.getResults().getResults());
+ getMatchingDerivedKey(secret, parameters.getResults());
if (dktResult != null) {
dktResults.add(dktResult);
}
@@ -414,7 +413,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* find a DerivedKey element that matches that EncryptedKey element.
*/
private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result,
- List<WSSecurityEngineResult> results) {
+ WSHandlerResult results) {
X509Certificate cert =
(X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert, results);
@@ -433,14 +432,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* matches the parameter.
*/
private WSSecurityEngineResult getMatchingDerivedKey(byte[] secret,
- List<WSSecurityEngineResult> results) {
- for (WSSecurityEngineResult wser : results) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.DKT) {
- byte[] dktSecret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
- if (Arrays.equals(secret, dktSecret)) {
- return wser;
- }
+ WSHandlerResult results) {
+ for (WSSecurityEngineResult wser : results.getActionResults().get(WSConstants.DKT)) {
+ byte[] dktSecret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
+ if (Arrays.equals(secret, dktSecret)) {
+ return wser;
}
}
return null;
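Review bot: `getMatchingDerivedKey` iterates `results.getActionResults().get(WSConstants.DKT)` directly, so it throws a NullPointerException whenever no DerivedKeyToken was processed; it only works because each caller in this commit now pairs `derived` with `containsKey(WSConstants.DKT)`, and a future caller that omits that prefix fails at runtime. `getMatchingEncryptedKey` in the next hunk performs its `containsKey(WSConstants.ENCR)` check inside the helper, so this one should be self-contained the same way: `List<WSSecurityEngineResult> dktResults = results.getActionResults().get(WSConstants.DKT); if (dktResults == null) { return null; }` before the loop. The Javadoc above the hunk could also state that the method returns null when no matching derived-key result exists, since that is the contract the callers rely on.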
@@ -450,10 +446,9 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
* Get a security result representing an EncryptedKey that matches the parameter.
*/
private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate cert,
- List<WSSecurityEngineResult> results) {
- for (WSSecurityEngineResult wser : results) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.ENCR) {
+ WSHandlerResult results) {
+ if (results.getActionResults().containsKey(WSConstants.ENCR)) {
+ for (WSSecurityEngineResult wser : results.getActionResults().get(WSConstants.ENCR)) {
X509Certificate encrCert =
(X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
if (cert.equals(encrCert)) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index 706e0a5..3add3ed 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -35,7 +35,6 @@ import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.transform.STRTransform;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
@@ -70,7 +69,8 @@ public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidat
AlgorithmSuite algorithmSuite = (AlgorithmSuite)ai.getAssertion();
ai.setAsserted(true);
- boolean valid = validatePolicy(ai, algorithmSuite, parameters.getResults());
+ boolean valid = validatePolicy(ai, algorithmSuite, parameters.getSignedResults(),
+ parameters.getEncryptedResults());
if (valid) {
String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
String name = algorithmSuite.getAlgorithmSuiteType().getName();
@@ -88,20 +88,23 @@ public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidat
}
private boolean validatePolicy(
- AssertionInfo ai, AlgorithmSuite algorithmPolicy, WSHandlerResult results
+ AssertionInfo ai, AlgorithmSuite algorithmPolicy,
+ List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult> encryptedResults
) {
- boolean success = true;
- for (WSSecurityEngineResult result : results.getResults()) {
- Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
- if (WSConstants.SIGN == actInt
- && !checkSignatureAlgorithms(result, algorithmPolicy, ai)) {
- success = false;
- } else if (WSConstants.ENCR == actInt
- && !checkEncryptionAlgorithms(result, algorithmPolicy, ai)) {
- success = false;
+ for (WSSecurityEngineResult signedResult : signedResults) {
+ if (!checkSignatureAlgorithms(signedResult, algorithmPolicy, ai)) {
+ return false;
}
}
- return success;
+ if (encryptedResults != null) {
+ for (WSSecurityEngineResult encryptedResult : encryptedResults) {
+ if (!checkEncryptionAlgorithms(encryptedResult, algorithmPolicy, ai)) {
+ return false;
+ }
+ }
+ }
+
+ return true;
}
/**
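Review bot: `signedResults` is iterated without a null check while `encryptedResults` directly below it is guarded with `if (encryptedResults != null)`; the value comes from `parameters.getSignedResults()`, which the IssuedTokenInterceptorProvider hunk in this commit now populates straight from `getActionResults().get(WSConstants.SIGN)` (null when the message carries no signature) and which the processKeyValueTokens hunk explicitly tests for null. A message that triggers an AlgorithmSuite assertion but carries only encryption would therefore leave the validator with a NullPointerException rather than being checked against the encryption algorithms. Guard it like the encrypted branch: `if (signedResults != null) { for (WSSecurityEngineResult signedResult : signedResults) { … } }`. Note also that the rewrite returns at the first failing result where the old loop kept going, so only the first offending algorithm is now reported on the AssertionInfo; that is probably acceptable but is a visible behaviour change.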
http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
index 6c05801..e8cb852 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
@@ -69,7 +69,7 @@ public class KerberosTokenPolicyValidator extends AbstractSecurityPolicyValidato
*/
public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
List<WSSecurityEngineResult> kerberosResults =
- findKerberosResults(parameters.getResults().getResults());
+ findKerberosResults(parameters.getResults().getActionResults().get(WSConstants.BST));
for (WSSecurityEngineResult kerberosResult : kerberosResults) {
KerberosSecurity kerberosToken =
@@ -146,11 +146,10 @@ public class KerberosTokenPolicyValidator extends AbstractSecurityPolicyValidato
return false;
}
- private List<WSSecurityEngineResult> findKerberosResults(List<WSSecurityEngineResult> wsSecEngineResults) {
+ private List<WSSecurityEngineResult> findKerberosResults(List<WSSecurityEngineResult> bstResults) {
List<WSSecurityEngineResult> results = new ArrayList<>();
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.BST) {
+ if (bstResults != null) {
+ for (WSSecurityEngineResult wser : bstResults) {
BinarySecurity binarySecurity =
(BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof KerberosSecurity) {