From dk...@apache.org
Subject svn commit: r924117 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws...
Date Wed, 17 Mar 2010 02:55:58 GMT
Author: dkulp
Date: Wed Mar 17 02:55:57 2010
New Revision: 924117

URL: http://svn.apache.org/viewvc?rev=924117&view=rev
Log:
Optimize the UsernameToken only case where there isn't any type of
policy defining a Binding.

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java
      - copied, changed from r923895, cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
    cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client.xml
    cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml
    cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server.xml
    cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
    cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10.wsdl
    cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy.wsdl
    cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy_restricted.wsdl
    cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_restricted.wsdl

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
Wed Mar 17 02:55:57 2010
@@ -19,6 +19,11 @@
 
 package org.apache.cxf.ws.security.policy;
 
+import java.util.Arrays;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
 import org.apache.cxf.Bus;
 import org.apache.cxf.common.injection.NoJSR250Annotations;
 import org.apache.cxf.ws.policy.AssertionBuilderLoader;
@@ -26,6 +31,7 @@ import org.apache.cxf.ws.policy.Assertio
 import org.apache.cxf.ws.policy.PolicyBuilder;
 import org.apache.cxf.ws.policy.PolicyInterceptorProviderLoader;
 import org.apache.cxf.ws.policy.PolicyInterceptorProviderRegistry;
+import org.apache.cxf.ws.policy.builder.xml.XMLPrimitiveAssertionBuilder;
 import org.apache.cxf.ws.security.policy.builders.AlgorithmSuiteBuilder;
 import org.apache.cxf.ws.security.policy.builders.AsymmetricBindingBuilder;
 import org.apache.cxf.ws.security.policy.builders.ContentEncryptedElementsBuilder;
@@ -58,6 +64,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider;
 import org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider;
 import org.apache.cxf.ws.security.policy.interceptors.SecureConversationTokenInterceptorProvider;
+import org.apache.cxf.ws.security.policy.interceptors.UsernameTokenInterceptorProvider;
 import org.apache.cxf.ws.security.policy.interceptors.WSSecurityInterceptorProvider;
 import org.apache.cxf.ws.security.policy.interceptors.WSSecurityPolicyInterceptorProvider;
 
@@ -112,6 +119,33 @@ public final class WSSecurityPolicyLoade
         reg.register(new WSS10Builder());
         reg.register(new WSS11Builder());
         reg.register(new X509TokenBuilder(pbuild));
+        
+        //add generic assertions for these known things to prevent warnings
+        List<QName> others = Arrays.asList(new QName[] {
+            SP12Constants.INCLUDE_TIMESTAMP, SP11Constants.INCLUDE_TIMESTAMP,
+            SP12Constants.ENCRYPT_SIGNATURE, SP11Constants.ENCRYPT_SIGNATURE,
+            SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY, 
+            new QName(SP11Constants.SP_NS, SP11Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY),
+            SP12Constants.WSS_X509_V1_TOKEN_10,
+            SP12Constants.WSS_X509_V1_TOKEN_11,
+            SP12Constants.WSS_X509_V3_TOKEN_10,
+            SP12Constants.WSS_X509_V3_TOKEN_11,
+            SP11Constants.WSS_X509_V1_TOKEN_10,
+            SP11Constants.WSS_X509_V1_TOKEN_11,
+            SP11Constants.WSS_X509_V3_TOKEN_10,
+            SP11Constants.WSS_X509_V3_TOKEN_11,
+            SP12Constants.WSS_X509_PKCS7_TOKEN_11,
+            SP12Constants.WSS_X509_PKI_PATH_V1_TOKEN_11,
+            SP11Constants.WSS_X509_PKCS7_TOKEN_11,
+            SP11Constants.WSS_X509_PKI_PATH_V1_TOKEN_11,
+            SP12Constants.REQUIRE_THUMBPRINT_REFERENCE,
+            SP11Constants.REQUIRE_THUMBPRINT_REFERENCE,
+            SP12Constants.REQUIRE_DERIVED_KEYS,
+            SP11Constants.REQUIRE_DERIVED_KEYS,
+            new QName(SP12Constants.SP_NS, SP12Constants.ENCRYPT_BEFORE_SIGNING),
+            new QName(SP11Constants.SP_NS, SP11Constants.ENCRYPT_BEFORE_SIGNING),
+        });
+        reg.register(new XMLPrimitiveAssertionBuilder(others));
     }
     
     public void registerProviders() {
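Review bot: The comment `//add generic assertions for these known things to prevent warnings` understates what the list does, because it includes security-relevant assertions such as `ENCRYPT_SIGNATURE`, `REQUIRE_DERIVED_KEYS` and `ENCRYPT_BEFORE_SIGNING`, and a policy containing them will now load without any warning. Nothing in this hunk shows where those assertions are enforced, so the comment should name the component that checks them, along the lines of `// parsed here only; enforcement happens in the binding handlers` (wording to be confirmed against those handlers). As a style point, `Arrays.asList(new QName[] {...})` can be the plain varargs call `Arrays.asList(...)`. The enclosing method starts outside the hunk.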
@@ -124,6 +158,7 @@ public final class WSSecurityPolicyLoade
         reg.register(new WSSecurityInterceptorProvider());
         reg.register(new HttpsTokenInterceptorProvider());
         reg.register(new IssuedTokenInterceptorProvider());
+        reg.register(new UsernameTokenInterceptorProvider());
         reg.register(new SecureConversationTokenInterceptorProvider());
     }
 

Copied: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java
(from r923895, cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java)
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java?p2=cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java&p1=cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java&r1=923895&r2=924117&rev=924117&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java
Wed Mar 17 02:55:57 2010
@@ -26,29 +26,23 @@ import javax.xml.namespace.QName;
 
 import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
 import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
-import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
+import org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor;
 
 /**
  * 
  */
-public class WSSecurityInterceptorProvider extends AbstractPolicyInterceptorProvider {
+public class UsernameTokenInterceptorProvider extends AbstractPolicyInterceptorProvider {
     private static final Collection<QName> ASSERTION_TYPES;
     static {
         ASSERTION_TYPES = new ArrayList<QName>();
         
-        ASSERTION_TYPES.add(SP12Constants.TRANSPORT_BINDING);
-        ASSERTION_TYPES.add(SP12Constants.ASYMMETRIC_BINDING);
-        ASSERTION_TYPES.add(SP12Constants.SYMMETRIC_BINDING);
-        
         ASSERTION_TYPES.add(SP12Constants.USERNAME_TOKEN);
     }
 
-    public WSSecurityInterceptorProvider() {
+    public UsernameTokenInterceptorProvider() {
         super(ASSERTION_TYPES);
-        this.getOutInterceptors().add(new PolicyBasedWSS4JOutInterceptor());
-        this.getOutFaultInterceptors().add(new PolicyBasedWSS4JOutInterceptor());
-        this.getInInterceptors().add(new PolicyBasedWSS4JInInterceptor());
-        this.getInFaultInterceptors().add(new PolicyBasedWSS4JInInterceptor());
+        this.getOutInterceptors().add(new UsernameTokenInterceptor());
+        this.getInInterceptors().add(new UsernameTokenInterceptor());
+        //not needed on fault chains
     }
 }
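Review bot: The class Javadoc is left empty (`/** * */`) on a new security provider; it should say when this provider applies, e.g. `Installs UsernameTokenInterceptor for policies that contain a UsernameToken assertion but no binding assertion`. `//not needed on fault chains` records a decision without its reason and would be better as a one-line why-comment. Only `SP12Constants.USERNAME_TOKEN` is registered, while the loader change in this same commit lists SP11 and SP12 QNames separately, so a policy written against the SP11 namespace may not select this provider; that is inferred from the visible constants and worth confirming.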

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
Wed Mar 17 02:55:57 2010
@@ -40,8 +40,6 @@ public class WSSecurityInterceptorProvid
         ASSERTION_TYPES.add(SP12Constants.TRANSPORT_BINDING);
         ASSERTION_TYPES.add(SP12Constants.ASYMMETRIC_BINDING);
         ASSERTION_TYPES.add(SP12Constants.SYMMETRIC_BINDING);
-        
-        ASSERTION_TYPES.add(SP12Constants.USERNAME_TOKEN);
     }
 
     public WSSecurityInterceptorProvider() {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
Wed Mar 17 02:55:57 2010
@@ -46,6 +46,8 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.ws.security.message.WSSecHeader;
 
 public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<SoapMessage>
{
+    public static final String SECURITY_PROCESSED = PolicyBasedWSS4JOutInterceptor.class.getName()
+ ".DONE";
+
     private PolicyBasedWSS4JOutInterceptorInternal ending;
     private SAAJOutInterceptor saajOut = new SAAJOutInterceptor();    
 
@@ -60,6 +62,7 @@ public class PolicyBasedWSS4JOutIntercep
         if (mc.getContent(SOAPMessage.class) == null) {
             saajOut.handleMessage(mc);
         }
+        mc.put(SECURITY_PROCESSED, Boolean.TRUE);
         mc.getInterceptorChain().add(ending);
     }    
     public void handleFault(SoapMessage message) {
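Review bot: `mc.put(SECURITY_PROCESSED, Boolean.TRUE)` runs before `ending` is added to the chain, so the flag, whose value ends in `.DONE`, is set before the WS-Security work has happened. Since the constant is now public and read by `UsernameTokenInterceptor`, it deserves a comment such as `// marks the message as claimed by the policy-based interceptor; the header is written later by 'ending'`. `handleMessage` starts outside the hunk.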

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java?rev=924117&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
Wed Mar 17 02:55:57 2010
@@ -0,0 +1,341 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j;
+
+import java.security.Principal;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.Vector;
+import java.util.logging.Logger;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.binding.soap.SoapHeader;
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.common.i18n.Message;
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.headers.Header;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.policy.PolicyException;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.UsernameToken;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.WSUsernameTokenPrincipal;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.ws.security.processor.UsernameTokenProcessor;
+
+/**
+ * 
+ */
+public class UsernameTokenInterceptor extends AbstractSoapInterceptor {
+    private static final Logger LOG = LogUtils.getL7dLogger(UsernameTokenInterceptor.class);
+    private static final Set<QName> HEADERS = new HashSet<QName>();
+    static {
+        HEADERS.add(new QName(WSConstants.WSSE_NS, "Security"));
+        HEADERS.add(new QName(WSConstants.WSSE11_NS, "Security"));
+    }
+
+
+    /**
+     * @param p
+     */
+    public UsernameTokenInterceptor() {
+        super(Phase.PRE_PROTOCOL);
+        addAfter(PolicyBasedWSS4JInInterceptor.class.getName());
+        addAfter(PolicyBasedWSS4JOutInterceptor.class.getName());
+    }
+    public Set<QName> getUnderstoodHeaders() {
+        return HEADERS;
+    }
+
+
+    public void handleMessage(SoapMessage message) throws Fault {
+
+        boolean isReq = MessageUtils.isRequestor(message);
+        boolean isOut = MessageUtils.isOutbound(message);
+        if (isReq != isOut) {
+            //outbound on server side and inbound on client side doesn't need
+            //any username token stuff, assert policies and return
+            assertUsernameTokens(message, null);
+            return;
+        }
+        if (isReq) {
+            if (message.containsKey(PolicyBasedWSS4JOutInterceptor.SECURITY_PROCESSED)) {
+                //The full policy interceptors handled this
+                return;
+            }
+            addUsernameToken(message);
+        } else {
+            if (message.containsKey(WSS4JInInterceptor.SECURITY_PROCESSED)) {
+                //The full policy interceptors handled this
+                return;
+            }
+            processUsernameToken(message);
+        }
+    }
+
+
+    private void processUsernameToken(SoapMessage message) {
+        Header h = findSecurityHeader(message, false);
+        if (h == null) {
+            return;
+        }
+        Element el = (Element)h.getObject();
+        Element child = DOMUtils.getFirstElement(el);
+        while (child != null) {
+            if (SPConstants.USERNAME_TOKEN.equals(child.getLocalName())) {
+                UsernameTokenProcessor p = new UsernameTokenProcessor();
+                
+                try  {
+                    final WSUsernameTokenPrincipal princ = p.handleUsernameToken(child, 
+                                                                           getCallback(message));
+                    if (princ != null) {
+                        Vector<WSSecurityEngineResult>v = new Vector<WSSecurityEngineResult>();
+                        v.add(0, new WSSecurityEngineResult(WSConstants.UT, princ, null,
null, null));
+                        List<Object> results = CastUtils.cast((List)message
+                                                                  .get(WSHandlerConstants.RECV_RESULTS));
+                        if (results == null) {
+                            results = new Vector<Object>();
+                            message.put(WSHandlerConstants.RECV_RESULTS, results);
+                        }
+                        WSHandlerResult rResult = new WSHandlerResult(null, v);
+                        results.add(0, rResult);
+
+                        assertUsernameTokens(message, princ);
+                        message.put(WSS4JInInterceptor.PRINCIPAL_RESULT, princ);        
          
+                        SecurityContext sc = message.get(SecurityContext.class);
+                        if (sc == null || sc.getUserPrincipal() == null) {
+                            SecurityContext c = new SecurityContext() {
+                                public Principal getUserPrincipal() {
+                                    return princ;
+                                }
+                                public boolean isUserInRole(String role) {
+                                    return false;
+                                }
+                            };
+                            message.put(SecurityContext.class, c);
+                        }
+
+                    }
+                } catch (WSSecurityException ex) {
+                    throw new Fault(ex);
+                }
+            }
+            child = DOMUtils.getNextElement(child);
+        }
+    }
+
+    private UsernameToken assertUsernameTokens(SoapMessage message, WSUsernameTokenPrincipal
princ) {
+        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+        Collection<AssertionInfo> ais = aim.getAssertionInfo(SP12Constants.USERNAME_TOKEN);
+        UsernameToken tok = null;
+        for (AssertionInfo ai : ais) {
+            tok = (UsernameToken)ai.getAssertion();
+            if (princ != null && tok.isHashPassword() != princ.isPasswordDigest())
{
+                ai.setNotAsserted("Password hashing policy not enforced");
+            } else {
+                ai.setAsserted(true);                
+            }
+        }
+        ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
+        for (AssertionInfo ai : ais) {
+            ai.setAsserted(true);
+        }
+        ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
+        for (AssertionInfo ai : ais) {
+            ai.setAsserted(true);
+        }
+        return tok;
+    }
+
+    private void addUsernameToken(SoapMessage message) {
+        UsernameToken tok = assertUsernameTokens(message, null);
+
+        Header h = findSecurityHeader(message, true);
+        WSSecUsernameToken utBuilder = 
+            addUsernameToken(message, tok);
+        if (utBuilder == null) {
+            AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+            Collection<AssertionInfo> ais = aim.getAssertionInfo(SP12Constants.USERNAME_TOKEN);
+            for (AssertionInfo ai : ais) {
+                if (ai.isAsserted()) {
+                    ai.setAsserted(false);
+                }
+            }
+            return;
+        }
+        Element el = (Element)h.getObject();
+        utBuilder.prepare(el.getOwnerDocument());
+        el.appendChild(utBuilder.getUsernameTokenElement());
+    }
+
+
+    private Header findSecurityHeader(SoapMessage message, boolean create) {
+        for (Header h : message.getHeaders()) {
+            QName n = h.getName();
+            if (n.getLocalPart().equals("Security")
+                && (n.getNamespaceURI().equals(WSConstants.WSSE_NS) 
+                    || n.getNamespaceURI().equals(WSConstants.WSSE11_NS))) {
+                return h;
+            }
+        }
+        if (!create) {
+            return null;
+        }
+        Document doc = DOMUtils.createDocument();
+        Element el = doc.createElementNS(WSConstants.WSSE_NS, "wsse:Security");
+        el.setAttributeNS(WSConstants.XMLNS_NS, "xmlns:wsse", WSConstants.WSSE_NS);
+        SoapHeader sh = new SoapHeader(new QName(WSConstants.WSSE_NS, "Security"), el);
+        sh.setMustUnderstand(true);
+        message.getHeaders().add(sh);
+        return sh;
+    }
+    protected WSSecUsernameToken addUsernameToken(SoapMessage message, UsernameToken token)
{
+        String userName = (String)message.getContextualProperty(SecurityConstants.USERNAME);
+        
+        if (!StringUtils.isEmpty(userName)) {
+            // If NoPassword property is set we don't need to set the password
+            if (token.isNoPassword()) {
+                WSSecUsernameToken utBuilder = new WSSecUsernameToken();
+                utBuilder.setUserInfo(userName, null);
+                utBuilder.setPasswordType(null);
+                return utBuilder;
+            }
+            
+            String password = (String)message.getContextualProperty(SecurityConstants.PASSWORD);
+            if (StringUtils.isEmpty(password)) {
+                password = getPassword(userName, token, WSPasswordCallback.USERNAME_TOKEN,
message);
+            }
+            
+            if (!StringUtils.isEmpty(password)) {
+                //If the password is available then build the token
+                WSSecUsernameToken utBuilder = new WSSecUsernameToken();
+                if (token.isHashPassword()) {
+                    utBuilder.setPasswordType(WSConstants.PASSWORD_DIGEST);  
+                } else {
+                    utBuilder.setPasswordType(WSConstants.PASSWORD_TEXT);
+                }
+                
+                utBuilder.setUserInfo(userName, password);
+                return utBuilder;
+            } else {
+                policyNotAsserted(token, "No username available", message);
+            }
+        } else {
+            policyNotAsserted(token, "No username available", message);
+        }
+        return null;
+    }
+    private CallbackHandler getCallback(SoapMessage message) {
+        //Then try to get the password from the given callback handler
+        Object o = message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER);
+    
+        CallbackHandler handler = null;
+        if (o instanceof CallbackHandler) {
+            handler = (CallbackHandler)o;
+        } else if (o instanceof String) {
+            try {
+                handler = (CallbackHandler)ClassLoaderUtils
+                    .loadClass((String)o, this.getClass()).newInstance();
+            } catch (Exception e) {
+                handler = null;
+            }
+        }
+        return handler;
+    }
+    public String getPassword(String userName, UsernameToken info, int type, SoapMessage
message) {
+        //Then try to get the password from the given callback handler
+    
+        CallbackHandler handler = getCallback(message);
+        if (handler == null) {
+            policyNotAsserted(info, "No callback handler and no password available", message);
+            return null;
+        }
+        
+        WSPasswordCallback[] cb = {new WSPasswordCallback(userName,
+                                                          type)};
+        try {
+            handler.handle(cb);
+        } catch (Exception e) {
+            policyNotAsserted(info, e, message);
+        }
+        
+        //get the password
+        return cb[0].getPassword();
+    }
+    protected void policyNotAsserted(UsernameToken assertion, String reason, SoapMessage
message) {
+        if (assertion == null) {
+            return;
+        }
+        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+
+        Collection<AssertionInfo> ais;
+        ais = aim.get(assertion.getName());
+        if (ais != null) {
+            for (AssertionInfo ai : ais) {
+                if (ai.getAssertion() == assertion) {
+                    ai.setNotAsserted(reason);
+                }
+            }
+        }
+        if (!assertion.isOptional()) {
+            throw new PolicyException(new Message(reason, LOG));
+        }
+    }
+    protected void policyNotAsserted(UsernameToken assertion, Exception reason, SoapMessage
message) {
+        if (assertion == null) {
+            return;
+        }
+        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+        Collection<AssertionInfo> ais;
+        ais = aim.get(assertion.getName());
+        if (ais != null) {
+            for (AssertionInfo ai : ais) {
+                if (ai.getAssertion() == assertion) {
+                    ai.setNotAsserted(reason.getMessage());
+                }
+            }
+        }
+        throw new PolicyException(reason);
+    }
+}
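Review bot: `assertUsernameTokens` marks every `SP12Constants.SIGNED_SUPPORTING_TOKENS` assertion as asserted although nothing in this class verifies a signature, so on the path where the full WSS4J interceptor has not run, a policy that requires a signed token would be reported as satisfied without that check; I would drop that loop here, or assert it only when a signature result is present in `WSHandlerConstants.RECV_RESULTS`. `processUsernameToken` selects the token by local name only (`SPConstants.USERNAME_TOKEN.equals(child.getLocalName())`) and should also compare `child.getNamespaceURI()` with `WSConstants.WSSE_NS`. `getCallback` swallows every exception from loading the handler class and returns null, which is then passed to `handleUsernameToken`; logging it or rethrowing it as a `Fault` would make a misconfigured handler fail visibly. In `addUsernameToken(SoapMessage, UsernameToken)` the missing-password branch reports `"No username available"` where `"No password available"` is meant, and `token` is dereferenced without a null check even though `assertUsernameTokens` returns null when no UsernameToken assertion is present.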

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Wed Mar 17 02:55:57 2010
@@ -82,7 +82,7 @@ public class WSS4JInInterceptor extends 
     public static final String PRINCIPAL_RESULT = "wss4j.principal.result";
     public static final String PROCESSOR_MAP = "wss4j.processor.map";
 
-    private static final String SECURITY_PROCESSED = WSS4JInInterceptor.class.getName() +
".DONE";
+    public static final String SECURITY_PROCESSED = WSS4JInInterceptor.class.getName() +
".DONE";
     
     private static final Logger LOG = LogUtils.getL7dLogger(WSS4JInInterceptor.class);
     private static final Logger TIME_LOG = LogUtils.getL7dLogger(WSS4JInInterceptor.class,

Modified: cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
--- cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
(original)
+++ cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
Wed Mar 17 02:55:57 2010
@@ -65,6 +65,7 @@ public class WSSecurity10Test extends Ab
     public void testClientServer() {
 
         String[] argv = new String[] {
+            "UserName",
             "UserNameOverTransport",
             "MutualCertificate10SignEncrypt",
             "MutualCertificate10SignEncryptRsa15TripleDes"
@@ -102,6 +103,8 @@ public class WSSecurity10Test extends Ab
         try {
             if ("UserNameOverTransport".equals(portPrefix)) {
                 return new URL("https://localhost:9001/" + portPrefix + "?wsdl");
+            } else if ("UserName".equals(portPrefix)) {
+                return new URL("http://localhost:9003/" + portPrefix + "?wsdl");
             } else if ("MutualCertificate10SignEncrypt".equals(portPrefix)) {
                 return new URL("http://localhost:9002/" + portPrefix + "?wsdl");
             } else if ("MutualCertificate10SignEncryptRsa15TripleDes".equals(portPrefix))
{
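Review bot: The new `"UserName"` branch builds `http://localhost:9003/`, but `server_restricted.xml` in this same commit publishes the UserName endpoint at `https://localhost:9003/UserName` with `depends-on="tls-settings"`, while `server.xml` uses `http://`. If the restricted configuration is exercised through this method, the WSDL fetch would go to the wrong scheme; either the restricted address should be `http://localhost:9003/UserName` or this branch needs to pick the scheme per configuration. The method body continues outside the hunk, so which configuration reaches this branch cannot be confirmed from here.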

Modified: cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client.xml?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
--- cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client.xml
(original)
+++ cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client.xml
Wed Mar 17 02:55:57 2010
@@ -49,6 +49,12 @@
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
         </jaxws:properties>
     </jaxws:client>
+    <jaxws:client name="{http://WSSec/wssec10}UserName_IPingService" createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="Alice"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+        </jaxws:properties>
+    </jaxws:client>
     <http:conduit name="https://.*/UserNameOverTransport.*">
         <http:tlsClientParameters disableCNCheck="true">
             <sec:keyManagers keyPassword="password">

Modified: cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
--- cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml
(original)
+++ cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml
Wed Mar 17 02:55:57 2010
@@ -49,6 +49,12 @@
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
         </jaxws:properties>
     </jaxws:client>
+    <jaxws:client name="{http://WSSec/wssec10}UserName_IPingService" createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="Alice"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+        </jaxws:properties>
+    </jaxws:client>
     <http:conduit name="https://.*/UserNameOverTransport.*">
         <http:tlsClientParameters disableCNCheck="true">
             <sec:keyManagers keyPassword="password">

Modified: cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server.xml?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
--- cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server.xml
(original)
+++ cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server.xml
Wed Mar 17 02:55:57 2010
@@ -90,7 +90,19 @@
         </jaxws:properties> 
      
     </jaxws:endpoint> 
-    
+    <jaxws:endpoint 
+       id="UserName"
+       address="http://localhost:9003/UserName" 
+       serviceName="interop:PingService"
+       endpointName="interop:UserName_IPingService"
+       implementor="org.apache.cxf.systest.ws.wssec10.server.UserNameOverTransport">
+        
+       <jaxws:properties>
+            <entry key="ws-security.username" value="Alice"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.server.UTPasswordCallback"/>
+        </jaxws:properties> 
+     
+    </jaxws:endpoint> 
 
     <!-- -->
     <!-- Scenario 3.3 -->
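Review bot: The scheme of the new `UserName` endpoint disagrees with the WSDL port added in the same commit. This hunk publishes `http://localhost:9003/UserName`, but WsSecurity10.wsdl declares the port at `https://localhost:9003/...`, and the restricted pair is reversed (server_restricted.xml uses `https`, WsSecurity10_restricted.wsdl uses `http`). Unless the test overrides the address, which is not visible here, one side of each pair looks swapped. The policy for this port carries no binding assertion, so the scheme alone decides whether the UsernameToken is protected in transit. That choice deserves a comment above the endpoint, e.g. `<!-- UsernameToken only, no binding: plain HTTP is intentional for this test -->`.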

Modified: cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
--- cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
(original)
+++ cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
Wed Mar 17 02:55:57 2010
@@ -90,6 +90,20 @@
         </jaxws:properties> 
      
     </jaxws:endpoint> 
+    <jaxws:endpoint 
+       id="UserName"
+       address="https://localhost:9003/UserName" 
+       serviceName="interop:PingService"
+       endpointName="interop:UserName_IPingService"
+       implementor="org.apache.cxf.systest.ws.wssec10.server.UserNameOverTransportRestricted"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+            <entry key="ws-security.username" value="Alice"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.server.UTPasswordCallback"/>
+        </jaxws:properties> 
+     
+    </jaxws:endpoint> 
     
 
     <!-- -->

Modified: cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10.wsdl?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
--- cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10.wsdl
(original)
+++ cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10.wsdl
Wed Mar 17 02:55:57 2010
@@ -74,6 +74,9 @@
 		<wsdl:port name="UserNameOverTransport_IPingService" binding="wssec10test:UserNameOverTransport_IPingService">
 			<soap:address location="https://localhost:9001/Security_WsSecurity_Service_Indigo/WsSecurity10.svc/UserNameOverTransport"/>
 		</wsdl:port>
+        <wsdl:port name="UserName_IPingService" binding="wssec10test:UserName_IPingService">
+            <soap:address location="https://localhost:9003/Security_WsSecurity_Service_Indigo/WsSecurity10.svc/UserName"/>
+        </wsdl:port>
 		<wsdl:port name="MutualCertificate10SignEncrypt_IPingService" binding="wssec10test:MutualCertificate10SignEncrypt_IPingService">
 			<soap:address location="http://localhost:9002/Security_WsSecurity_Service_Indigo/WsSecurity10.svc/MutualCertificate10SignEncrypt"/>
 		</wsdl:port>

Modified: cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy.wsdl?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
--- cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy.wsdl
(original)
+++ cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy.wsdl
Wed Mar 17 02:55:57 2010
@@ -34,6 +34,21 @@
 	xmlns:wsa10="http://www.w3.org/2005/08/addressing" 
 	xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" 
 	targetNamespace="http://apache.cxf.org/">
+    <wsp:Policy wsu:Id="UserName_IPingService_policy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+                    <wsp:Policy>
+                        <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
+                            <wsp:Policy>
+                                <sp:WssUsernameToken10/>
+                            </wsp:Policy>
+                        </sp:UsernameToken>
+                    </wsp:Policy>
+                </sp:SupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
 	<wsp:Policy wsu:Id="UserNameOverTransport_IPingService_policy">
 		<wsp:ExactlyOne>
 			<wsp:All>
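Review bot: `UserName_IPingService_policy` asserts only `sp:SupportingTokens`/`sp:UsernameToken`, with no transport or message binding, so nothing in the policy requires the token to be protected in transit or tied to the message. That is the case the commit sets out to cover, but the fixture does not say it is deliberately minimal, and it could be mistaken for a usable template. I would add a comment above the policy, e.g. `<!-- Test fixture: UsernameToken with no binding assertion; pair with sp:TransportBinding for real services -->`. The same policy is added to WsSecurity10_policy_restricted.wsdl.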
@@ -271,6 +286,21 @@
 	
 	<wsdl:import location="WsSecurity10.wsdl" namespace="http://WSSec/wssec10"/>
 	<wsdl:types/>
+    <wsdl:binding name="UserName_IPingService" type="wssec10test:IPingService">
+        <wsp:PolicyReference URI="#UserName_IPingService_policy"/>
+        <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
+
+        <wsdl:operation name="echo">
+            <soap:operation soapAction="http://WSSec/wssec10/echo" style="document"/>
+            <wsdl:input>
+                <soap:body use="literal"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal"/>
+            </wsdl:output>
+        </wsdl:operation>
+
+    </wsdl:binding>
 	<wsdl:binding name="UserNameOverTransport_IPingService" type="wssec10test:IPingService">
 		<wsp:PolicyReference URI="#UserNameOverTransport_IPingService_policy"/>
 		<soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>

Modified: cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy_restricted.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy_restricted.wsdl?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
--- cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy_restricted.wsdl
(original)
+++ cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy_restricted.wsdl
Wed Mar 17 02:55:57 2010
@@ -34,6 +34,21 @@
 	xmlns:wsa10="http://www.w3.org/2005/08/addressing" 
 	xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" 
 	targetNamespace="http://apache.cxf.org/">
+    <wsp:Policy wsu:Id="UserName_IPingService_policy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+                    <wsp:Policy>
+                        <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
+                            <wsp:Policy>
+                                <sp:WssUsernameToken10/>
+                            </wsp:Policy>
+                        </sp:UsernameToken>
+                    </wsp:Policy>
+                </sp:SupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
 	<wsp:Policy wsu:Id="UserNameOverTransport_IPingService_policy">
 		<wsp:ExactlyOne>
 			<wsp:All>
@@ -285,6 +300,21 @@
 		</wsdl:operation>
 		
 	</wsdl:binding>
+    <wsdl:binding name="UserName_IPingService" type="wssec10test:IPingService">
+        <wsp:PolicyReference URI="#UserName_IPingService_policy"/>
+        <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
+
+        <wsdl:operation name="echo">
+            <soap:operation soapAction="http://WSSec/wssec10/echo" style="document"/>
+            <wsdl:input>
+                <soap:body use="literal"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal"/>
+            </wsdl:output>
+        </wsdl:operation>
+
+    </wsdl:binding>
 	<wsdl:binding name="MutualCertificate10SignEncrypt_IPingService" type="wssec10test:IPingService">
 		<wsp:PolicyReference URI="#MutualCertificate10SignEncrypt_IPingService_policy"/>
 		<soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>

Modified: cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_restricted.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_restricted.wsdl?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
--- cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_restricted.wsdl
(original)
+++ cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_restricted.wsdl
Wed Mar 17 02:55:57 2010
@@ -74,6 +74,9 @@
 		<wsdl:port name="UserNameOverTransport_IPingService" binding="wssec10test:UserNameOverTransport_IPingService">
 			<soap:address location="https://localhost:9001/Security_WsSecurity_Service_Indigo/WsSecurity10.svc/UserNameOverTransport"/>
 		</wsdl:port>
+        <wsdl:port name="UserName_IPingService" binding="wssec10test:UserName_IPingService">
+            <soap:address location="http://localhost:9003/Security_WsSecurity_Service_Indigo/WsSecurity10.svc/UserName"/>
+        </wsdl:port>
 		<wsdl:port name="MutualCertificate10SignEncrypt_IPingService" binding="wssec10test:MutualCertificate10SignEncrypt_IPingService">
 			<soap:address location="http://localhost:9002/Security_WsSecurity_Service_Indigo/WsSecurity10.svc/MutualCertificate10SignEncrypt"/>
 		</wsdl:port>


