cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dk...@apache.org
Subject svn commit: r889428 - in /cxf/branches/2.2.x-fixes: ./ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/ systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security...
Date Thu, 10 Dec 2009 21:26:48 GMT
Author: dkulp
Date: Thu Dec 10 21:26:48 2009
New Revision: 889428

URL: http://svn.apache.org/viewvc?rev=889428&view=rev
Log:
Merged revisions 889426 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r889426 | dkulp | 2009-12-10 16:24:32 -0500 (Thu, 10 Dec 2009) | 2 lines
  
  [CXF-2150] If service is configured for Digest, make sure a digest is
  sent in.   For WS-SecPol, make sure what came in matches the policy.
........

Modified:
    cxf/branches/2.2.x-fixes/   (props changed)
    cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/WSSecurityClientTest.java
    cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/server.xml
    cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/test-data/UsernameTokenRequest.xml

Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
    svn:mergeinfo = /cxf/trunk:889426

Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=889428&r1=889427&r2=889428&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Thu Dec 10 21:26:48 2009
@@ -71,11 +71,14 @@
 import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
 import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
 import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.cxf.ws.security.policy.model.UsernameToken;
 import org.apache.cxf.ws.security.policy.model.Wss11;
 import org.apache.cxf.ws.security.policy.model.X509Token;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDataRef;
 import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.WSUsernameTokenPrincipal;
 import org.apache.ws.security.handler.RequestData;
 import org.apache.ws.security.handler.WSHandlerConstants;
 
@@ -495,7 +498,9 @@
     }
     
     protected void doResults(SoapMessage msg, String actor, 
-                             SOAPMessage doc, Vector results) throws SOAPException, XMLStreamException
{
+                             SOAPMessage doc, Vector results) 
+        throws SOAPException, XMLStreamException, WSSecurityException {
+        
         AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
         Collection<WSDataRef> signed = new HashSet<WSDataRef>();
         Collection<WSDataRef> encrypted = new HashSet<WSDataRef>();
@@ -535,7 +540,20 @@
                 }
                 break;
             case WSConstants.UT:
-                assertPolicy(aim, SP12Constants.USERNAME_TOKEN);
+                Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
+                if (ais != null) {
+                    for (AssertionInfo ai : ais) {
+                        ai.setAsserted(true);
+                    }
+                    WSUsernameTokenPrincipal princ 
+                        = (WSUsernameTokenPrincipal)wser.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                    for (AssertionInfo ai : ais) {
+                        UsernameToken tok = (UsernameToken)ai.getAssertion();
+                        if (tok.isHashPassword() != princ.isPasswordDigest()) {
+                            ai.setNotAsserted("Password hashing policy not enforced");
+                        }
+                    }
+                }
                 break;
             case WSConstants.TS:
                 assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=889428&r1=889427&r2=889428&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Thu Dec 10 21:26:48 2009
@@ -61,6 +61,7 @@
 import org.apache.ws.security.WSSecurityEngine;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.WSUsernameTokenPrincipal;
 import org.apache.ws.security.handler.RequestData;
 import org.apache.ws.security.handler.WSHandlerConstants;
 import org.apache.ws.security.handler.WSHandlerResult;
@@ -328,7 +329,7 @@
         
     }
     protected void doResults(SoapMessage msg, String actor, SOAPMessage doc, Vector wsResult)
-        throws SOAPException, XMLStreamException {
+        throws SOAPException, XMLStreamException, WSSecurityException {
         /*
          * All ok up to this point. Now construct and setup the security result
          * structure. The service may fetch this and check it.
@@ -353,6 +354,21 @@
             i++;
         }
         msg.setContent(XMLStreamReader.class, reader);
+        String pwType = (String)getProperty(msg, "passwordType");
+        if ("PasswordDigest".equals(pwType)) {
+            //CXF-2150 - we need to check the UsernameTokens
+            for (WSSecurityEngineResult o : CastUtils.cast(wsResult, WSSecurityEngineResult.class))
{
+                Integer actInt = (Integer)o.get(WSSecurityEngineResult.TAG_ACTION);
+                if (actInt == WSConstants.UT) {
+                    WSUsernameTokenPrincipal princ 
+                        = (WSUsernameTokenPrincipal)o.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+                    if (!princ.isPasswordDigest()) {
+                        LOG.warning("Non-digest UsernameToken found, but digest required");
+                        throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+                    }
+                }
+            }            
+        }
         
         for (WSSecurityEngineResult o : CastUtils.cast(wsResult, WSSecurityEngineResult.class))
{
             final Principal p = (Principal)o.get(WSSecurityEngineResult.TAG_PRINCIPAL);

Modified: cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/WSSecurityClientTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/WSSecurityClientTest.java?rev=889428&r1=889427&r2=889428&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/WSSecurityClientTest.java
(original)
+++ cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/WSSecurityClientTest.java
Thu Dec 10 21:26:48 2009
@@ -20,7 +20,9 @@
 package org.apache.cxf.systest.ws.security;
 
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 import javax.xml.namespace.QName;
 import javax.xml.transform.OutputKeys;
@@ -42,9 +44,12 @@
 
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.jaxws.DispatchImpl;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.cxf.transport.http.HTTPConduit;
+import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
 import org.apache.hello_world_soap_http.Greeter;
 
 import org.junit.BeforeClass;
@@ -95,6 +100,41 @@
             launchServer(Server.class, true)
         );
     }
+    
+    @Test
+    public void testUsernameToken() {
+        final javax.xml.ws.Service svc 
+            = javax.xml.ws.Service.create(WSDL_LOC, GREETER_SERVICE_QNAME);
+        final Greeter greeter = svc.getPort(USERNAME_TOKEN_PORT_QNAME, Greeter.class);
+        
+        Client client = ClientProxy.getClient(greeter);
+        Map<String, Object> props = new HashMap<String, Object>();
+        props.put("action", "UsernameToken");
+        props.put("user", "alice");
+        WSS4JOutInterceptor wss4jOut = new WSS4JOutInterceptor(props);
+        
+        client.getOutInterceptors().add(wss4jOut);
+
+        ((BindingProvider)greeter).getRequestContext().put("password", "password");
+        String s = greeter.greetMe("CXF");
+        assertEquals("Hello CXF", s);
+        
+        try {
+            ((BindingProvider)greeter).getRequestContext().put("password", "foo");
+            greeter.greetMe("CXF");
+            fail("should fail");
+        } catch (Exception ex) {
+            //expected
+        }
+        try {
+            props.put("passwordType", "PasswordText");
+            ((BindingProvider)greeter).getRequestContext().put("password", "password");
+            greeter.greetMe("CXF");
+            fail("should fail");
+        } catch (Exception ex) {
+            //expected
+        }
+    }
 
     @Test
     public void testTimestampSignEncrypt() {
@@ -222,11 +262,6 @@
         return createUsernameTokenDispatcher(false);
     }
     private static Dispatch<Source> createUsernameTokenDispatcher(boolean decoupled)
{
-        //
-        // Set up the client (stolen from JAX-RS system test)
-        //
-        // TODO This could really be done more simply with an HTTPURLConnection
-        //
         final Service service = Service.create(
             GREETER_SERVICE_QNAME
         );

Modified: cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/server.xml?rev=889428&r1=889427&r2=889428&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/server.xml
(original)
+++ cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/server.xml
Thu Dec 10 21:26:48 2009
@@ -72,7 +72,7 @@
         <constructor-arg>
             <map>
                 <entry key="action" value="UsernameToken"/> 
-                <!-- <entry key="passwordType" value="PasswordDigest"/> -->
+                <entry key="passwordType" value="PasswordDigest"/>
                 <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.security.KeystorePasswordCallback"/>

             </map>
         </constructor-arg>

Modified: cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/test-data/UsernameTokenRequest.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/test-data/UsernameTokenRequest.xml?rev=889428&r1=889427&r2=889428&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/test-data/UsernameTokenRequest.xml
(original)
+++ cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/test-data/UsernameTokenRequest.xml
Thu Dec 10 21:26:48 2009
@@ -3,10 +3,10 @@
     <wss:Security xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <wss:UsernameToken>
             <wss:Username>alice</wss:Username>
-            <wss:Password 
-                Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
-            >password</wss:Password>
-         </wss:UsernameToken>
+            <wss:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">FPqPsaAp7hWASdknPsbfZxIoDVI=</wss:Password>
+            <wss:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">OJBNzEGDmTiD/lbeA+UDeg==</wss:Nonce>
+            <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-12-10T21:12:59.100Z</wsu:Created>
+        </wss:UsernameToken>
     </wss:Security>
   </soap:Header>
   <soap:Body>



Mime
View raw message