cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dk...@apache.org
Subject svn commit: r920630 - in /cxf/branches/2.2.x-fixes: ./ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/
Date Tue, 09 Mar 2010 02:49:59 GMT
Author: dkulp
Date: Tue Mar  9 02:49:59 2010
New Revision: 920630

URL: http://svn.apache.org/viewvc?rev=920630&view=rev
Log:
Merged revisions 920627 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r920627 | dkulp | 2010-03-08 21:31:58 -0500 (Mon, 08 Mar 2010) | 2 lines
  
  [CXF-2655] Fix problem with token protection
  Patch from David Valeri  applied
........

Added:
    cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_direct_ref.xml
      - copied unchanged from r920627, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_direct_ref.xml
    cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_direct_ref_complement.xml
      - copied unchanged from r920627, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_direct_ref_complement.xml
    cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_issuer_serial.xml
      - copied unchanged from r920627, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_issuer_serial.xml
    cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_issuer_serial_complement.xml
      - copied unchanged from r920627, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_issuer_serial_complement.xml
Modified:
    cxf/branches/2.2.x-fixes/   (props changed)
    cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
    cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java

Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=920630&r1=920629&r2=920630&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Tue Mar  9 02:49:59 2010
@@ -1661,6 +1661,8 @@ public abstract class AbstractBindingBui
      * @throws IllegalArgumentException
      *             if an element in {@code signedParts} contains a {@code
      *             WSEncryptionPart} with a {@code null} {@code id} value
+     *             and the {@code WSEncryptionPart} {@code name} value is not
+     *             "Token"
      */
     public void handleEncryptedSignedHeaders(Vector<WSEncryptionPart> encryptedParts,

                                              Vector<WSEncryptionPart> signedParts)
{
@@ -1671,7 +1673,13 @@ public abstract class AbstractBindingBui
             final Iterator<WSEncryptionPart> signedPartsIt = signedParts.iterator();
             while (signedPartsIt.hasNext()) {
                 WSEncryptionPart signedPart = signedPartsIt.next();
-                if (signedPart.getId() == null) {
+                // Everything has to be ID based except for the case of a part
+                // indicating "Token" as the element name.  This name is a flag
+                // for WSS4J to sign the initiator token used in the signature.
+                // Since the encryption happened before the signature creation,
+                // this element can't possibly be encrypted so we can safely ignore
+                // if it were ever to be set before this method is called.
+                if (signedPart.getId() == null && !"Token".equals(signedPart.getName()))
{
                     throw new IllegalArgumentException(
                             "WSEncryptionPart must be ID based but no id was found.");
                 } else if (encryptedPart.getEncModifier().equals("Element")

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=920630&r1=920629&r2=920630&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Tue Mar  9 02:49:59 2010
@@ -386,17 +386,23 @@ public class AsymmetricBindingHandler ex
         } else {
             WSSecSignature sig = getSignatureBuider(wrapper, sigToken, false);
             sig.prependBSTElementToHeader(secHeader);
+            insertBeforeBottomUp(sig.getSignatureElement());
             
-            if (abinding.isTokenProtection()
-                    && sig.getBSTTokenId() != null) {
-                sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
+            if (abinding.isTokenProtection()) {                
+                // Special flag telling WSS4J to sign the initiator token.
+                // Use this instead of the BST ID so that we don't
+                // have to deal with maintaining such logic here.
+                sigParts.add(new WSEncryptionPart("Token", null, 
+                        "Element", WSConstants.PART_TYPE_ELEMENT));
             }
+                    
+            sig.prependBSTElementToHeader(secHeader);
 
             sig.addReferencesToSign(sigParts, secHeader);
             sig.computeSignature();
             signatures.add(sig.getSignatureValue());
 
-            insertBeforeBottomUp(sig.getSignatureElement());            
+                        
             mainSigId = addWsuIdToElement(sig.getSignatureElement());
         }
     }

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java?rev=920630&r1=920629&r2=920630&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
Tue Mar  9 02:49:59 2010
@@ -462,6 +462,118 @@ public class PolicyBasedWss4JInOutTest e
                         CoverageType.SIGNED));
     }
     
+    @Test
+    public void testProtectTokenAssertion() throws Exception {
+        
+        // ////////////////////////////////////////////////////
+        // x509 Direct Ref Tests
+        
+        /* REVISIT
+        No inbound validation is available for the PROTECT_TOKENS assertion.
+        We cannot yet test inbound in the standard manner.  Since we can't
+        test inbound, we can't test reound trip either and thus must take
+        a different approach for now.
+         
+        this.runInInterceptorAndValidate(
+                "signed_x509_direct_ref_token_prot.xml",
+                "protect_token_policy_asym_x509_direct_ref.xml",
+                SP12Constants.PROTECT_TOKENS,
+                null,
+                CoverageType.SIGNED);
+
+        this.runInInterceptorAndValidate(
+                "signed_x509_direct_ref.xml",
+                "protect_token_policy_asym_x509_direct_ref.xml",
+                null,
+                SP12Constants.PROTECT_TOKENS,
+                CoverageType.SIGNED);
+        
+        this.runAndValidate(
+                "wsse-request-clean.xml",
+                "protect_token_policy_asym_x509_direct_ref.xml",
+                null,
+                null,
+                Arrays.asList(new QName[] {SP12Constants.PROTECT_TOKENS }),
+                null,
+                Arrays.asList(new CoverageType[] {CoverageType.SIGNED }));
+        */
+        
+        // REVISIT
+        // We test using a policy with ProtectTokens enabled on
+        // the outbound but with a policy using a SignedElements policy
+        // on the inbound to validate that the correct thing got signed.
+        this.runAndValidate(
+                "wsse-request-clean.xml",
+                "protect_token_policy_asym_x509_direct_ref.xml",
+                "protect_token_policy_asym_x509_direct_ref_complement.xml",
+                new AssertionsHolder(
+                        Arrays.asList(new QName[] {SP12Constants.ASYMMETRIC_BINDING}),
+                        null),
+                new AssertionsHolder(
+                        Arrays.asList(new QName[] {SP12Constants.SIGNED_ELEMENTS}),
+                        null),
+                Arrays.asList(new CoverageType[] {CoverageType.SIGNED }));
+        
+        // ////////////////////////////////////////////////////
+        // x509 Issuer Serial Tests
+        
+        /* REVISIT
+        No inbound validation is available for the PROTECT_TOKENS assertion.
+        We cannot yet test inbound in the standard manner.  Since we can't
+        test inbound, we can't test reound trip either and thus must take
+        a different approach for now.
+        
+        this.runInInterceptorAndValidate(
+                "signed_x509_issuer_serial_token_prot.xml",
+                "protect_token_policy_asym_x509_issuer_serial.xml",
+                SP12Constants.PROTECT_TOKENS,
+                null,
+                CoverageType.SIGNED);
+
+        this.runInInterceptorAndValidate(
+                "signed_x509_issuer_serial.xml",
+                "protect_token_policy_asym_x509_issuer_serial.xml",
+                null,
+                SP12Constants.PROTECT_TOKENS,
+                CoverageType.SIGNED);
+
+        this.runAndValidate(
+                "wsse-request-clean.xml",
+                "protect_token_policy_asym_x509_issuer_serial.xml",
+                null,
+                null,
+                Arrays.asList(new QName[] { SP12Constants.PROTECT_TOKENS }),
+                null,
+                Arrays.asList(new CoverageType[] { CoverageType.SIGNED }));
+        */
+        
+        // REVISIT
+        // We test using a policy with ProtectTokens enabled on
+        // the outbound but with a policy using a SignedElements policy
+        // on the inbound to validate that the correct thing got signed.
+        this.runAndValidate(
+                "wsse-request-clean.xml",
+                "protect_token_policy_asym_x509_issuer_serial.xml",
+                "protect_token_policy_asym_x509_issuer_serial_complement.xml",
+                new AssertionsHolder(
+                        Arrays.asList(new QName[] {SP12Constants.ASYMMETRIC_BINDING}),
+                        null),
+                new AssertionsHolder(
+                        Arrays.asList(new QName[] {SP12Constants.SIGNED_ELEMENTS}),
+                        null),
+                Arrays.asList(new CoverageType[] {CoverageType.SIGNED }));
+
+        // ////////////////////////////////////////////////////
+        // x509 Key Identifier Tests
+
+        // TODO: Tests for Key Identifier are needed but require that the
+        // certificates used in the test cases be updated to version 3
+        // according to WSS4J.
+        
+        // TODO: Tests for derived keys.
+    }
+
+    
     protected Bus createBus() throws BusException {
         Bus b = super.createBus();
         this.policyBuilder = 
@@ -474,17 +586,39 @@ public class PolicyBasedWss4JInOutTest e
             List<QName> assertedInAssertions, List<QName> notAssertedInAssertions,
             List<CoverageType> types) throws Exception {
         
-        final Element policyElement = 
-            this.readDocument(policyDocument).getDocumentElement();
+        this.runAndValidate(document, policyDocument, null,
+                new AssertionsHolder(assertedOutAssertions, notAssertedOutAssertions),
+                new AssertionsHolder(assertedInAssertions, notAssertedInAssertions),
+                types);
+    }
+    
+    private void runAndValidate(
+            String document,
+            String outPolicyDocument, String inPolicyDocument,
+            AssertionsHolder outAssertions,
+            AssertionsHolder inAssertions,
+            List<CoverageType> types) throws Exception {
+        
+        final Element outPolicyElement = this.readDocument(outPolicyDocument)
+                .getDocumentElement();
+        final Element inPolicyElement;
+
+        if (inPolicyDocument != null) {
+            inPolicyElement = this.readDocument(inPolicyDocument)
+                    .getDocumentElement();
+        } else {
+            inPolicyElement = outPolicyElement;
+        }
+            
         
-        final Policy outPolicy = this.policyBuilder.getPolicy(policyElement);
-        final Policy inPolicy = this.policyBuilder.getPolicy(policyElement);
+        final Policy outPolicy = this.policyBuilder.getPolicy(outPolicyElement);
+        final Policy inPolicy = this.policyBuilder.getPolicy(inPolicyElement);
         
         final Document originalDoc = this.readDocument(document);
         
         final Document inDoc = this.runOutInterceptorAndValidate(
-                originalDoc, outPolicy, assertedOutAssertions,
-                notAssertedOutAssertions);
+                originalDoc, outPolicy, outAssertions.getAssertedAssertions(),
+                outAssertions.getNotAssertedAssertions());
         
         // Can't use this method if you want output that is not mangled.
         // Such is the case when you want to capture output to use
@@ -500,8 +634,8 @@ public class PolicyBasedWss4JInOutTest e
         */
         
         this.runInInterceptorAndValidate(inDoc,
-                inPolicy, assertedInAssertions,
-                assertedOutAssertions, types);
+                inPolicy, inAssertions.getAssertedAssertions(),
+                inAssertions.getNotAssertedAssertions(), types);
     }
     
     private void runInInterceptorAndValidate(String document,
@@ -790,6 +924,28 @@ public class PolicyBasedWss4JInOutTest e
 
         public void setOutFaultObserver(MessageObserver observer) {            
         }
+    }
+    
+    /**
+     * A simple container used to reduce argument numbers to satisfy
+     * project code conventions.
+     */
+    private static final class AssertionsHolder {
+        private List<QName> assertedAssertions;
+        private List<QName> notAssertedAssertions;
+        
+        public AssertionsHolder(List<QName> assertedAssertions,
+                List<QName> notAssertedAssertions) {
+            super();
+            this.assertedAssertions = assertedAssertions;
+            this.notAssertedAssertions = notAssertedAssertions;
+        }
         
+        public List<QName> getAssertedAssertions() {
+            return this.assertedAssertions;
+        }
+        public List<QName> getNotAssertedAssertions() {
+            return this.notAssertedAssertions;
+        }
     }
 }



Mime
View raw message