Posted to commits@ws.apache.org by co...@apache.org on 2014/07/04 17:44:01 UTC
svn commit: r1607879 - in
/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax:
./ assertionStates/
Author: coheigea
Date: Fri Jul 4 15:44:00 2014
New Revision: 1607879
URL: http://svn.apache.org/r1607879
Log:
More work on asserting policies directly in WSS4J
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java Fri Jul 4 15:44:00 2014
@@ -62,6 +62,8 @@ import org.apache.wss4j.policy.model.Sig
import org.apache.wss4j.policy.model.SignedParts;
import org.apache.wss4j.policy.model.SpnegoContextToken;
import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
import org.apache.wss4j.policy.model.UsernameToken;
import org.apache.wss4j.policy.model.Wss10;
import org.apache.wss4j.policy.model.X509Token;
@@ -325,7 +327,7 @@ public class PolicyEnforcer implements S
assertableList.add(new SamlTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof RelToken) {
assertableList.add(new RelTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
- } else if (abstractSecurityAssertion instanceof HttpsToken && !initiator) {
+ } else if (abstractSecurityAssertion instanceof HttpsToken) {
assertableList.add(new HttpsTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof KeyValueToken) {
assertableList.add(new KeyValueTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
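Review bot: Dropping `&& !initiator` means an HttpsToken assertion is now tracked on the initiator side as well, and nothing in this hunk records why that side was previously excluded. The HttpsTokenAssertionState hunk in this commit only skips the authentication-type check for the initiator; whether the checks that precede it in that class also make sense for a client are not visible here and should be confirmed. A one-line comment would keep the intent readable: `// HttpsToken is tracked for both sides; only the recipient verifies the authentication type (see HttpsTokenAssertionState)`. The enclosing method starts and ends outside this hunk.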
@@ -419,6 +421,41 @@ public class PolicyEnforcer implements S
}
}
}
+ } else if (abstractSecurityAssertion instanceof Trust10) {
+ Trust10 trust10 = (Trust10)abstractSecurityAssertion;
+ String namespace = trust10.getName().getNamespaceURI();
+ policyAsserter.assertPolicy(abstractSecurityAssertion);
+
+ if (trust10.isMustSupportClientChallenge()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE));
+ }
+ if (trust10.isMustSupportIssuedTokens()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_ISSUED_TOKENS));
+ }
+ if (trust10.isMustSupportServerChallenge()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE));
+ }
+ if (trust10.isRequireClientEntropy()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_CLIENT_ENTROPY));
+ }
+ if (trust10.isRequireServerEntropy()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_SERVER_ENTROPY));
+ }
+ if (trust10 instanceof Trust13) {
+ Trust13 trust13 = (Trust13)trust10;
+ if (trust13.isMustSupportInteractiveChallenge()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_INTERACTIVE_CHALLENGE));
+ }
+ if (trust13.isRequireAppliesTo()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_APPLIES_TO));
+ }
+ if (trust13.isRequireRequestSecurityTokenCollection()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION));
+ }
+ if (trust13.isScopePolicy15()) {
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.SCOPE_POLICY_15));
+ }
+ }
} else {
policyAsserter.assertPolicy(abstractSecurityAssertion);
}
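Review bot: The new Trust10/Trust13 branch adds 35 lines of straight-line assertion calls to a method that is already a long instanceof chain, and it is the only branch that asserts nested properties inline; a private helper, e.g. `assertTrust10Policy((Trust10) abstractSecurityAssertion);`, holding the body from `String namespace = ...` down to the Trust13 block would keep the chain scannable. Every nested property (MustSupportClientChallenge, RequireClientEntropy, ...) is asserted purely from the policy model, without comparing it to anything observed in the message, unlike the token branches earlier in the method; if that is intentional because these describe the WS-Trust exchange rather than message content, a comment such as `// Trust10/Trust13 properties are capability statements and are asserted as-is` would stop a later reader from treating it as an unfinished check. The enclosing method starts and ends outside this hunk.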
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java Fri Jul 4 15:44:00 2014
@@ -73,7 +73,7 @@ public class HttpsTokenAssertionState ex
getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
return false;
}
- if (httpsToken.getAuthenticationType() != null) {
+ if (!isInitiator() && httpsToken.getAuthenticationType() != null) {
String namespace = getAssertion().getName().getNamespaceURI();
switch (httpsToken.getAuthenticationType()) {
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java Fri Jul 4 15:44:00 2014
@@ -84,6 +84,7 @@ public class IssuedTokenAssertionState e
!issuedToken.getIssuerName().equals(issuedTokenSecurityEvent.getIssuerName())) {
setErrorMessage("IssuerName in Policy (" + issuedToken.getIssuerName() +
") didn't match with the one in the IssuedToken (" + issuedTokenSecurityEvent.getIssuerName() + ")");
+ getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
return false;
}
if (issuedToken.getRequestSecurityTokenTemplate() != null) {
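Review bot: The added `getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());` now sits between a `setErrorMessage(...)` and a `return false;` here and in the three following hunks of this file (@@ -92, @@ -99, @@ -110), so the same three-line triplet is repeated four times. A small private helper that sets the message, unasserts and returns false would make each site `return fail(errorMsg);` and guarantee the two calls cannot drift apart again. The enclosing method starts outside this hunk.
```java
/** Records {@code message}, unasserts this assertion and returns {@code false}. */
private boolean fail(String message) {
    setErrorMessage(message);
    getPolicyAsserter().unassertPolicy(getAssertion(), message);
    return false;
}
```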
@@ -92,6 +93,7 @@ public class IssuedTokenAssertionState e
String errorMsg = checkIssuedTokenTemplate(issuedToken.getRequestSecurityTokenTemplate(), samlTokenSecurityEvent);
if (errorMsg != null) {
setErrorMessage(errorMsg);
+ getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
return false;
}
} else if (issuedTokenSecurityEvent instanceof KerberosTokenSecurityEvent) {
@@ -99,6 +101,7 @@ public class IssuedTokenAssertionState e
String errorMsg = checkIssuedTokenTemplate(issuedToken.getRequestSecurityTokenTemplate(), kerberosTokenSecurityEvent);
if (errorMsg != null) {
setErrorMessage(errorMsg);
+ getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
return false;
}
}
@@ -110,15 +113,18 @@ public class IssuedTokenAssertionState e
validateClaims((Element) claims, (SamlTokenSecurityEvent)issuedTokenSecurityEvent);
if (errorMsg != null) {
setErrorMessage(errorMsg);
+ getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
return false;
}
}
} catch (XMLSecurityException e) {
+ getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
throw new WSSPolicyException(e.getMessage(), e);
}
//always return true to prevent false alarm in case additional tokens with the same usage
//appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+ getPolicyAsserter().assertPolicy(getAssertion());
return true;
}
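Review bot: In the new `catch (XMLSecurityException e)` branch the unassert uses `getErrorMessage()` without a preceding `setErrorMessage(...)`, so the message handed to the asserter is whatever was stored earlier — possibly null, possibly the message of an earlier event — rather than the cause of this failure, unlike the other unassert sites in this method. Unless the try body sets the message before throwing (not visible here), add `setErrorMessage(e.getMessage());` before the `unassertPolicy` call, or pass `e.getMessage()` directly. The enclosing method starts outside this hunk.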
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java Fri Jul 4 15:44:00 2014
@@ -38,6 +38,10 @@ public class SpnegoContextTokenAssertion
public SpnegoContextTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
PolicyAsserter policyAsserter, boolean initiator) {
super(assertion, asserted, policyAsserter, initiator);
+
+ if (asserted) {
+ getPolicyAsserter().assertPolicy(getAssertion());
+ }
}
@Override
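Review bot: The constructor now calls `getPolicyAsserter()` and `getAssertion()`; at least the former is a non-final protected accessor of TokenAssertionState (see that hunk in this commit), so a subclass override would run before the subclass is initialised. Both values are already in hand as constructor parameters, so `policyAsserter.assertPolicy(assertion);` avoids that. Whether `policyAsserter` may be null for callers that never assert is not visible here and should be confirmed before relying on the unguarded call. Since PolicyEnforcer passes `!tokenRequired` as `asserted`, a comment like `// an optional token is asserted up front` would make the early assertion understandable.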
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java Fri Jul 4 15:44:00 2014
@@ -285,4 +285,8 @@ public abstract class TokenAssertionStat
protected PolicyAsserter getPolicyAsserter() {
return policyAsserter;
}
+
+ protected boolean isInitiator() {
+ return initiator;
+ }
}
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java Fri Jul 4 15:44:00 2014
@@ -93,9 +93,6 @@ public class TokenProtectionAssertionSta
AbstractSymmetricAsymmetricBinding abstractSymmetricAsymmetricBinding = (AbstractSymmetricAsymmetricBinding) getAssertion();
boolean protectTokens = abstractSymmetricAsymmetricBinding.isProtectTokens();
String namespace = getAssertion().getName().getNamespaceURI();
- if (protectTokens) {
- policyAsserter.assertPolicy(new QName(namespace, SPConstants.PROTECT_TOKENS));
- }
if (securityEvent instanceof SignedElementSecurityEvent) {
SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
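Review bot: With this hunk and the @@ -151 hunk below, `SPConstants.PROTECT_TOKENS` is asserted on every `return true` path regardless of `protectTokens`, whereas before it was asserted only when the binding actually set it, and the `boolean protectTokens` local kept in this hunk is no longer read by anything visible. If asserting a QName that the policy does not contain is a no-op in PolicyAsserter the change is harmless but the local is dead; otherwise the moved call should stay guarded: `if (protectTokens) { policyAsserter.assertPolicy(new QName(namespace, SPConstants.PROTECT_TOKENS)); }`. The code between the two hunks is not visible here, so whether `protectTokens` is used there should be checked. The enclosing method starts and ends outside these hunks.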
@@ -151,6 +148,8 @@ public class TokenProtectionAssertionSta
}
}
}
+
+ policyAsserter.assertPolicy(new QName(namespace, SPConstants.PROTECT_TOKENS));
return true;
}