cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dk...@apache.org
Subject svn commit: r835918 - in /cxf/branches/2.2.x-fixes: ./ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/ systests/ws-specs/src/test/resources/wsdl_systest_wsspec/
Date Fri, 13 Nov 2009 16:54:23 GMT
Author: dkulp
Date: Fri Nov 13 16:54:22 2009
New Revision: 835918

URL: http://svn.apache.org/viewvc?rev=835918&view=rev
Log:
Merged revisions 835912 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r835912 | dkulp | 2009-11-13 11:48:46 -0500 (Fri, 13 Nov 2009) | 1 line
  
  [CXF-2244] Fix problem of always asserting signed tokens
........

Modified:
    cxf/branches/2.2.x-fixes/   (props changed)
    cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
    cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl

Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=835918&r1=835917&r2=835918&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Fri Nov 13 16:54:22 2009
@@ -403,7 +403,6 @@
                 SignedEncryptedParts p = (SignedEncryptedParts)ai.getAssertion();
                 if (p.isBody() && !contains(signed, msg.getVersion().getBody()))
{
                     ai.setNotAsserted(msg.getVersion().getBody() + " not " + type);
-                    return;
                 }
                 for (Header h : p.getHeaders()) {
                     if (!contains(signed, h.getQName())) {
@@ -419,11 +418,9 @@
                         }
                         if (found) {
                             ai.setNotAsserted(h.getQName() + " not + " + type);
-                            return;
                         }
                     }
                 }
-                
             }
         }
     }
@@ -700,6 +697,10 @@
         return true;
     }
     private boolean assertTransportBinding(AssertionInfoMap aim) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
+        if (ais == null) {                       
+            return true;
+        }
         assertPolicy(aim, SP12Constants.TRANSPORT_TOKEN);
         assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
         assertPolicy(aim, SP12Constants.SIGNED_PARTS);

Modified: cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=835918&r1=835917&r2=835918&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
(original)
+++ cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
Fri Nov 13 16:54:22 2009
@@ -67,6 +67,7 @@
         = "http://localhost:9010/SecPolTestSignThenEncryptProvider";
     public static final String POLICY_SIGN_ADDRESS = "http://localhost:9010/SecPolTestSign";
     public static final String POLICY_XPATH_ADDRESS = "http://localhost:9010/SecPolTestXPath";
+    public static final String POLICY_SIGNONLY_ADDRESS = "http://localhost:9010/SecPolTestSignedOnly";
 
     
     public static class ServerPasswordCallback implements CallbackHandler {
@@ -144,6 +145,15 @@
                        SecurityPolicyTest.class.getResource("bob.properties").toString());
         ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES, 
                        SecurityPolicyTest.class.getResource("alice.properties").toString());
+        
+        ep = (EndpointImpl)Endpoint.publish(POLICY_SIGNONLY_ADDRESS,
+                                            new DoubleItImplSignOnly());
+        ei = ep.getServer().getEndpoint().getEndpointInfo(); 
+        ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
+        ei.setProperty(SecurityConstants.SIGNATURE_PROPERTIES, 
+                       SecurityPolicyTest.class.getResource("bob.properties").toString());
+        ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES, 
+                       SecurityPolicyTest.class.getResource("alice.properties").toString());
     }
     
     @Test
@@ -223,6 +233,37 @@
     }
     
     @Test
+    public void testSignedOnlyWithUnsignedMessage() throws Exception {
+        //CXF-2244
+        DoubleItService service = new DoubleItService();
+        DoubleItPortType pt;
+
+        pt = service.getDoubleItPortSignedOnly();
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,

+                                                      new KeystorePasswordCallback());
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+                                                      getClass().getResource("alice.properties"));
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,

+                                                      getClass().getResource("bob.properties"));
+        //This should work as it should be properly signed.
+        assertEquals(BigInteger.valueOf(10), pt.doubleIt(BigInteger.valueOf(5)));
+        
+        //Try sending a message with the "TimestampOnly" policy into affect to the 
+        //service running the "signed only" policy.  This SHOULD fail as the
+        //body is then not signed.
+        pt = service.getDoubleItPortTimestampOnly();
+        ((BindingProvider)pt).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
+                                                      POLICY_SIGNONLY_ADDRESS);
+        try {
+            pt.doubleIt(BigInteger.valueOf(5));
+            fail("should have had a security/policy exception as the body wasn't signed");
+        } catch (Exception ex) {
+            assertTrue(ex.getMessage().contains("policy alternatives"));
+        }
+        
+    }
+    
+    @Test
     public void testDispatchClient() throws Exception {
         DoubleItService service = new DoubleItService();
         Dispatch<Source> disp = service.createDispatch(DoubleItService.DoubleItPortEncryptThenSign,

@@ -321,6 +362,18 @@
             return numberToDouble.multiply(new BigInteger("2"));
         }
     }
+    
+    @WebService(targetNamespace = "http://cxf.apache.org/policytest/DoubleIt", 
+                portName = "DoubleItPortSignedOnly",
+                serviceName = "DoubleItService", 
+                endpointInterface = "org.apache.cxf.policytest.doubleit.DoubleItPortType",
+                wsdlLocation = "classpath:/wsdl_systest_wsspec/DoubleIt.wsdl")
+    public static class DoubleItImplSignOnly implements DoubleItPortType {
+        /** {@inheritDoc}*/
+        public BigInteger doubleIt(BigInteger numberToDouble) {
+            return numberToDouble.multiply(new BigInteger("2"));
+        }
+    }
     @WebServiceProvider(targetNamespace = "http://cxf.apache.org/policytest/DoubleIt", 
                         portName = "DoubleItPortSignThenEncrypt",
                         serviceName = "DoubleItService", 

Modified: cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl?rev=835918&r1=835917&r2=835918&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl
(original)
+++ cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl
Fri Nov 13 16:54:22 2009
@@ -120,6 +120,35 @@
 			</wsdl:output>
 		</wsdl:operation>
 	</wsdl:binding>
+	<wsdl:binding name="DoubleItBindingSignedOnly" type="tns:DoubleItPortType">
+		<wsp:PolicyReference URI="#DoubleItSignedOnlyPolicy" />
+		<soap:binding style="document"
+			transport="http://schemas.xmlsoap.org/soap/http" />
+		<wsdl:operation name="DoubleIt">
+			<soap:operation soapAction="" />
+			<wsdl:input>
+				<wsp:PolicyReference URI="#SignedOnlyMsgPolicy" />
+				<soap:body use="literal" />
+			</wsdl:input>
+			<wsdl:output>
+				<soap:body use="literal" />
+			</wsdl:output>
+		</wsdl:operation>
+	</wsdl:binding>
+	<wsdl:binding name="DoubleItBindingTimestampOnly" type="tns:DoubleItPortType">
+		<wsp:PolicyReference URI="#DoubleItTimestampOnlyPolicy" />
+		<soap:binding style="document"
+			transport="http://schemas.xmlsoap.org/soap/http" />
+		<wsdl:operation name="DoubleIt">
+			<soap:operation soapAction="" />
+			<wsdl:input>
+				<soap:body use="literal" />
+			</wsdl:input>
+			<wsdl:output>
+				<soap:body use="literal" />
+			</wsdl:output>
+		</wsdl:operation>
+	</wsdl:binding>
 	<wsdl:service name="DoubleItService">
 		<wsdl:port name="DoubleItPortHttps" binding="tns:DoubleItBinding">
 			<soap:address location="https://localhost:9009/SecPolTest" />
@@ -139,6 +168,12 @@
 		<wsdl:port name="DoubleItPortXPath" binding="tns:DoubleItBindingXPath">
 			<soap:address location="http://localhost:9010/SecPolTestXPath" />
 		</wsdl:port>
+		<wsdl:port name="DoubleItPortSignedOnly" binding="tns:DoubleItBindingSignedOnly">
+			<soap:address location="http://localhost:9010/SecPolTestSignedOnly" />
+		</wsdl:port>
+		<wsdl:port name="DoubleItPortTimestampOnly" binding="tns:DoubleItBindingTimestampOnly">
+			<soap:address location="http://localhost:9010/SecPolTestTimestampOnly" />
+		</wsdl:port>
 	</wsdl:service>
 
 	<wsp:Policy wsu:Id="DoubleItBindingPolicy">
@@ -381,7 +416,7 @@
 						</sp:AlgorithmSuite>
 						<sp:Layout>
 							<wsp:Policy>
-								<sp:Lax />
+								<sp:Lax />XPath
 							</wsp:Policy>
 						</sp:Layout>
 						<sp:IncludeTimestamp />
@@ -408,4 +443,104 @@
 		</wsp:ExactlyOne>
 	</wsp:Policy>
 
+
+
+   <wsp:Policy  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

+             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
+             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+             wsu:Id="DoubleItSignedOnlyPolicy">
+    <wsp:ExactlyOne>
+      <wsp:All>
+      <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+           <wsp:Policy>
+             <sp:InitiatorToken>
+               <wsp:Policy>
+                 <sp:X509Token
+                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
+                   <wsp:Policy>
+                     <sp:WssX509V3Token10 />
+                     <sp:RequireThumbprintReference/> <!-- needed for V1 certs -->
+                   </wsp:Policy>
+                 </sp:X509Token>
+               </wsp:Policy>
+             </sp:InitiatorToken>
+             <sp:RecipientToken>
+               <wsp:Policy>
+                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
+                   <wsp:Policy>
+                     <sp:WssX509V3Token10 />
+                     <sp:RequireThumbprintReference/>
+                   </wsp:Policy>
+                 </sp:X509Token>
+               </wsp:Policy>
+             </sp:RecipientToken>
+             <sp:AlgorithmSuite>
+               <wsp:Policy>
+                 <sp:TripleDesRsa15 />
+               </wsp:Policy>
+             </sp:AlgorithmSuite>
+             <sp:Layout>
+               <wsp:Policy>
+                 <sp:Strict />
+               </wsp:Policy>
+             </sp:Layout>
+             <sp:IncludeTimestamp />
+             <sp:OnlySignEntireHeadersAndBody /> 
+           </wsp:Policy>
+         </sp:AsymmetricBinding>
+         <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+           <wsp:Policy>
+             <sp:MustSupportRefKeyIdentifier />
+             <sp:MustSupportRefIssuerSerial />
+           </wsp:Policy>
+         </sp:Wss10>
+      </wsp:All>
+    </wsp:ExactlyOne>
+  </wsp:Policy>
+
+   <wsp:Policy
+   	  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+   	  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
+   	  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+   	  wsu:Id="SignedOnlyMsgPolicy">
+   	  <wsp:ExactlyOne>
+   	    <wsp:All>
+   	       <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+   		      <sp:Body />
+   	       </sp:SignedParts>
+   	    </wsp:All>
+   	  </wsp:ExactlyOne>
+   </wsp:Policy>
+   <wsp:Policy  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

+             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
+             xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+             wsu:Id="DoubleItTimestampOnlyPolicy">
+		<wsp:ExactlyOne>
+			<wsp:All>
+				<wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
+				<sp:TransportBinding>
+					<wsp:Policy>
+						<sp:Layout>
+							<wsp:Policy>
+								<sp:Lax />
+							</wsp:Policy>
+						</sp:Layout>
+						<sp:IncludeTimestamp />
+						<sp:AlgorithmSuite>
+							<wsp:Policy>
+								<sp:Basic128 />
+							</wsp:Policy>
+						</sp:AlgorithmSuite>
+					</wsp:Policy>
+				</sp:TransportBinding>
+				<sp:Wss10>
+					<wsp:Policy>
+						<sp:MustSupportRefKeyIdentifier />
+					</wsp:Policy>
+				</sp:Wss10>
+			</wsp:All>
+		</wsp:ExactlyOne>
+	</wsp:Policy>
+  
+  
 </wsdl:definitions>



Mime
View raw message