Posted to commits@cxf.apache.org by dk...@apache.org on 2009/11/13 17:48:47 UTC
svn commit: r835912 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/
systests/ws-specs/src/test/resources/wsdl_systest_wsspec/
Author: dkulp
Date: Fri Nov 13 16:48:46 2009
New Revision: 835912
URL: http://svn.apache.org/viewvc?rev=835912&view=rev
Log:
[CXF-2244] Fix problem of always asserting signed tokens
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=835912&r1=835911&r2=835912&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Fri Nov 13 16:48:46 2009
@@ -403,7 +403,6 @@
SignedEncryptedParts p = (SignedEncryptedParts)ai.getAssertion();
if (p.isBody() && !contains(signed, msg.getVersion().getBody())) {
ai.setNotAsserted(msg.getVersion().getBody() + " not " + type);
- return;
}
for (Header h : p.getHeaders()) {
if (!contains(signed, h.getQName())) {
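Review bot: With the early `return;` removed after `ai.setNotAsserted(msg.getVersion().getBody() + " not " + type)`, an unsigned body no longer stops evaluation, so the header loop that begins on the following lines can call `ai.setNotAsserted(...)` again and replace the body reason with a header reason; the first cause of the failed assertion is then lost from the error message. The second hunk of this file drops the header-level `return;` and has the same effect across the remaining headers. If `AssertionInfo` keeps only the last message (its implementation is not visible here), guarding the later calls with `if (ai.isAsserted())` or accumulating the missing parts into one string before a single `setNotAsserted` call would keep the diagnostic complete. The enclosing method begins before this hunk.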
@@ -419,11 +418,9 @@
}
if (found) {
ai.setNotAsserted(h.getQName() + " not + " + type);
- return;
}
}
}
-
}
}
}
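Review bot: The message built on the line `ai.setNotAsserted(h.getQName() + " not + " + type);` carries a stray `+` inside the string literal, so the error reads like `{ns}Header not + signed`; it should be `ai.setNotAsserted(h.getQName() + " not " + type);` to match the body message in the previous hunk. This is a context line the commit leaves unchanged, but since the `return;` below it is removed here, this text is now more likely to be the reason that reaches the caller. The enclosing method begins before this hunk.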
@@ -700,6 +697,10 @@
return true;
}
private boolean assertTransportBinding(AssertionInfoMap aim) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
+ if (ais == null) {
+ return true;
+ }
assertPolicy(aim, SP12Constants.TRANSPORT_TOKEN);
assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
assertPolicy(aim, SP12Constants.SIGNED_PARTS);
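Review bot: The new guard returns `true` only when `aim.get(SP12Constants.TRANSPORT_BINDING)` is `null`; if the map can hold the key with an empty collection, that case still falls through and blanket-asserts TRANSPORT_TOKEN, ENCRYPTED_PARTS and SIGNED_PARTS for a policy that has no transport binding, which is the over-assertion CXF-2244 is about. `if (ais == null || ais.isEmpty()) { return true; }` closes that gap, and `ais` is otherwise unused within the hunk. A one-line comment above the guard would also help the next reader, for example `// No TransportBinding in the effective policy: do not assert its nested parts wholesale.` The rest of assertTransportBinding continues past the hunk.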
Modified: cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=835912&r1=835911&r2=835912&view=diff
==============================================================================
--- cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java (original)
+++ cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java Fri Nov 13 16:48:46 2009
@@ -67,6 +67,7 @@
= "http://localhost:9010/SecPolTestSignThenEncryptProvider";
public static final String POLICY_SIGN_ADDRESS = "http://localhost:9010/SecPolTestSign";
public static final String POLICY_XPATH_ADDRESS = "http://localhost:9010/SecPolTestXPath";
+ public static final String POLICY_SIGNONLY_ADDRESS = "http://localhost:9010/SecPolTestSignedOnly";
public static class ServerPasswordCallback implements CallbackHandler {
@@ -144,6 +145,15 @@
SecurityPolicyTest.class.getResource("bob.properties").toString());
ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES,
SecurityPolicyTest.class.getResource("alice.properties").toString());
+
+ ep = (EndpointImpl)Endpoint.publish(POLICY_SIGNONLY_ADDRESS,
+ new DoubleItImplSignOnly());
+ ei = ep.getServer().getEndpoint().getEndpointInfo();
+ ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
+ ei.setProperty(SecurityConstants.SIGNATURE_PROPERTIES,
+ SecurityPolicyTest.class.getResource("bob.properties").toString());
+ ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES,
+ SecurityPolicyTest.class.getResource("alice.properties").toString());
}
@Test
@@ -223,6 +233,37 @@
}
@Test
+ public void testSignedOnlyWithUnsignedMessage() throws Exception {
+ //CXF-2244
+ DoubleItService service = new DoubleItService();
+ DoubleItPortType pt;
+
+ pt = service.getDoubleItPortSignedOnly();
+ ((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,
+ new KeystorePasswordCallback());
+ ((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+ getClass().getResource("alice.properties"));
+ ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,
+ getClass().getResource("bob.properties"));
+ //This should work as it should be properly signed.
+ assertEquals(BigInteger.valueOf(10), pt.doubleIt(BigInteger.valueOf(5)));
+
+ //Try sending a message with the "TimestampOnly" policy into affect to the
+ //service running the "signed only" policy. This SHOULD fail as the
+ //body is then not signed.
+ pt = service.getDoubleItPortTimestampOnly();
+ ((BindingProvider)pt).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
+ POLICY_SIGNONLY_ADDRESS);
+ try {
+ pt.doubleIt(BigInteger.valueOf(5));
+ fail("should have had a security/policy exception as the body wasn't signed");
+ } catch (Exception ex) {
+ assertTrue(ex.getMessage().contains("policy alternatives"));
+ }
+
+ }
+
+ @Test
public void testDispatchClient() throws Exception {
DoubleItService service = new DoubleItService();
Dispatch<Source> disp = service.createDispatch(DoubleItService.DoubleItPortEncryptThenSign,
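Review bot: The negative half of `testSignedOnlyWithUnsignedMessage` catches bare `Exception` and then dereferences `ex.getMessage()`, so an unrelated failure with a null message becomes a NullPointerException instead of a clear assertion failure, and any exception whose text happens to contain "policy alternatives" passes. Narrow the catch to the fault type the client actually raises (not visible here) and guard the message: `assertNotNull("no message", ex.getMessage()); assertTrue(ex.getMessage(), ex.getMessage().contains("policy alternatives"));`. The log entry suggests this test is the regression guard for the interceptor fix (an unsigned body previously being accepted by the signed-only endpoint), so the assertion is worth keeping as specific as possible.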
@@ -321,6 +362,18 @@
return numberToDouble.multiply(new BigInteger("2"));
}
}
+
+ @WebService(targetNamespace = "http://cxf.apache.org/policytest/DoubleIt",
+ portName = "DoubleItPortSignedOnly",
+ serviceName = "DoubleItService",
+ endpointInterface = "org.apache.cxf.policytest.doubleit.DoubleItPortType",
+ wsdlLocation = "classpath:/wsdl_systest_wsspec/DoubleIt.wsdl")
+ public static class DoubleItImplSignOnly implements DoubleItPortType {
+ /** {@inheritDoc}*/
+ public BigInteger doubleIt(BigInteger numberToDouble) {
+ return numberToDouble.multiply(new BigInteger("2"));
+ }
+ }
@WebServiceProvider(targetNamespace = "http://cxf.apache.org/policytest/DoubleIt",
portName = "DoubleItPortSignThenEncrypt",
serviceName = "DoubleItService",
Modified: cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl?rev=835912&r1=835911&r2=835912&view=diff
==============================================================================
--- cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl (original)
+++ cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl Fri Nov 13 16:48:46 2009
@@ -120,6 +120,35 @@
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItBindingSignedOnly" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItSignedOnlyPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <wsp:PolicyReference URI="#SignedOnlyMsgPolicy" />
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ </wsdl:binding>
+ <wsdl:binding name="DoubleItBindingTimestampOnly" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItTimestampOnlyPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItPortHttps" binding="tns:DoubleItBinding">
<soap:address location="https://localhost:9009/SecPolTest" />
@@ -139,6 +168,12 @@
<wsdl:port name="DoubleItPortXPath" binding="tns:DoubleItBindingXPath">
<soap:address location="http://localhost:9010/SecPolTestXPath" />
</wsdl:port>
+ <wsdl:port name="DoubleItPortSignedOnly" binding="tns:DoubleItBindingSignedOnly">
+ <soap:address location="http://localhost:9010/SecPolTestSignedOnly" />
+ </wsdl:port>
+ <wsdl:port name="DoubleItPortTimestampOnly" binding="tns:DoubleItBindingTimestampOnly">
+ <soap:address location="http://localhost:9010/SecPolTestTimestampOnly" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItBindingPolicy">
@@ -381,7 +416,7 @@
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
- <sp:Lax />
+ <sp:Lax />XPath
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
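Review bot: The changed line `<sp:Lax />XPath` appends the bare text `XPath` as a text node inside `<wsp:Policy>`, which looks like an accidental keystroke rather than part of the fix; depending on how strictly the policy parser treats mixed content, the Layout assertion may be silently altered or rejected. It should be restored to `<sp:Lax />`. Nothing in the log entry accounts for this edit.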
@@ -408,4 +443,104 @@
</wsp:ExactlyOne>
</wsp:Policy>
+
+
+ <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
+ xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+ wsu:Id="DoubleItSignedOnlyPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireThumbprintReference/> <!-- needed for V1 certs -->
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireThumbprintReference/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:TripleDesRsa15 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Strict />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ <sp:OnlySignEntireHeadersAndBody />
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier />
+ <sp:MustSupportRefIssuerSerial />
+ </wsp:Policy>
+ </sp:Wss10>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+ <wsp:Policy
+ xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
+ xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+ wsu:Id="SignedOnlyMsgPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <sp:Body />
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
+ xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+ wsu:Id="DoubleItTimestampOnlyPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
+ <sp:TransportBinding>
+ <wsp:Policy>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <sp:Wss10>
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier />
+ </wsp:Policy>
+ </sp:Wss10>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+
</wsdl:definitions>
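Review bot: `DoubleItTimestampOnlyPolicy` declares an `sp:TransportBinding` with no `sp:TransportToken`, and the port bound to it in the earlier hunk uses a plain `http://localhost:9010/SecPolTestTimestampOnly` address, so the binding asserts no transport protection at all; that is presumably deliberate, since the new test uses this port to send an unsigned body to the signed-only endpoint, but a reader of the WSDL cannot tell. An XML comment above the policy such as `<!-- CXF-2244 test fixture: intentionally no TransportToken/HttpsToken, the request is sent unprotected -->` would stop it being copied as a template. Separately, `DoubleItSignedOnlyPolicy` selects `sp:TripleDesRsa15` (3DES with RSA PKCS#1 v1.5 key transport); that is acceptable for a fixture, but a short comment stating why this suite was chosen would keep it from reading as a recommended configuration.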