Author: dkulp Date: Tue Mar 9 02:49:59 2010 New Revision: 920630 URL: http://svn.apache.org/viewvc?rev=920630&view=rev Log: Merged revisions 920627 via svnmerge from https://svn.apache.org/repos/asf/cxf/trunk ........ r920627 | dkulp | 2010-03-08 21:31:58 -0500 (Mon, 08 Mar 2010) | 2 lines [CXF-2655] Fix problem with token protection Patch from David Valeri applied ........ Added: cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_direct_ref.xml - copied unchanged from r920627, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_direct_ref.xml cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_direct_ref_complement.xml - copied unchanged from r920627, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_direct_ref_complement.xml cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_issuer_serial.xml - copied unchanged from r920627, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_issuer_serial.xml cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_issuer_serial_complement.xml - copied unchanged from r920627, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/protect_token_policy_asym_x509_issuer_serial_complement.xml Modified: cxf/branches/2.2.x-fixes/ (props changed) cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java 
cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java Propchange: cxf/branches/2.2.x-fixes/ ------------------------------------------------------------------------------ Binary property 'svnmerge-integrated' - no diff available. Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=920630&r1=920629&r2=920630&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original) +++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Tue Mar 9 02:49:59 2010 @@ -1661,6 +1661,8 @@ public abstract class AbstractBindingBui * @throws IllegalArgumentException * if an element in {@code signedParts} contains a {@code * WSEncryptionPart} with a {@code null} {@code id} value + * and the {@code WSEncryptionPart} {@code name} value is not + * "Token" */ public void handleEncryptedSignedHeaders(Vector encryptedParts, Vector signedParts) { 
@@ -1671,7 +1673,13 @@ public abstract class AbstractBindingBui final Iterator signedPartsIt = signedParts.iterator(); while (signedPartsIt.hasNext()) { WSEncryptionPart signedPart = signedPartsIt.next(); - if (signedPart.getId() == null) { + // Everything has to be ID based except for the case of a part + // indicating "Token" as the element name. This name is a flag + // for WSS4J to sign the initiator token used in the signature. + // Since the encryption happened before the signature creation, + // this element can't possibly be encrypted so we can safely ignore + // if it were ever to be set before this method is called. + if (signedPart.getId() == null && !"Token".equals(signedPart.getName())) { throw new IllegalArgumentException( "WSEncryptionPart must be ID based but no id was found."); } else if (encryptedPart.getEncModifier().equals("Element") Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=920630&r1=920629&r2=920630&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original) +++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Tue Mar 9 02:49:59 2010 
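Review bot: The added `!"Token".equals(signedPart.getName())` clause only skips the throw; a null-id "Token" part then falls through into the `else if (encryptedPart.getEncModifier().equals("Element")` chain, whose remaining comparisons are outside the hunk and, if any of them dereference `signedPart.getId()`, will NPE on exactly the case this hunk exempts. It is safer to make the exemption explicit ahead of the id check, `if ("Token".equals(signedPart.getName())) { continue; // WSS4J flag for the initiator token, never an encrypted header }`, and leave the original `if (signedPart.getId() == null)` throw unchanged. The literal `"Token"` is a WSS4J convention that AsymmetricBindingHandler spells out independently in this same commit; a shared constant would keep the two from drifting (a mismatch fails closed with IllegalArgumentException rather than leaving the token unsigned, but it would still break every token-protected exchange). The loop over `encryptedParts` and the rest of handleEncryptedSignedHeaders begin and continue outside the hunk.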
@@ -386,17 +386,23 @@ public class AsymmetricBindingHandler ex } else { WSSecSignature sig = getSignatureBuider(wrapper, sigToken, false); sig.prependBSTElementToHeader(secHeader); + insertBeforeBottomUp(sig.getSignatureElement()); - if (abinding.isTokenProtection() - && sig.getBSTTokenId() != null) { - sigParts.add(new WSEncryptionPart(sig.getBSTTokenId())); + if (abinding.isTokenProtection()) { + // Special flag telling WSS4J to sign the initiator token. + // Use this instead of the BST ID so that we don't + // have to deal with maintaining such logic here. + sigParts.add(new WSEncryptionPart("Token", null, + "Element", WSConstants.PART_TYPE_ELEMENT)); } + + sig.prependBSTElementToHeader(secHeader); sig.addReferencesToSign(sigParts, secHeader); sig.computeSignature(); signatures.add(sig.getSignatureValue()); - insertBeforeBottomUp(sig.getSignatureElement()); + mainSigId = addWsuIdToElement(sig.getSignatureElement()); } } Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java?rev=920630&r1=920629&r2=920630&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java (original) +++ cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java Tue Mar 9 02:49:59 2010 
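Review bot: `sig.prependBSTElementToHeader(secHeader)` is now called twice in this branch, once on the retained line after `getSignatureBuider` and again on the added line just before `addReferencesToSign`, with nothing saying why. If the second call exists to move the BST back ahead of the Signature element that the relocated `insertBeforeBottomUp` has just put at the top of the header (presumably, since WSS4J prepends), then the first call is dead and should go, or the second needs a comment such as `// Re-prepend so the BST precedes the Signature element inserted above; receivers resolve the token before the signature`. Dropping the `sig.getBSTTokenId() != null` guard is the actual fix, since it previously left ProtectTokens silently unhonoured for IssuerSerial references, and the `"Token"` flag lets WSS4J sign whichever of the BST or SecurityTokenReference is present; a named constant shared with AbstractBindingBuilder would be preferable to the bare literal. The enclosing method and the branch above this `else` are outside the hunk, so whether token protection is also applied on the other path cannot be seen here.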
@@ -462,6 +462,118 @@ public class PolicyBasedWss4JInOutTest e CoverageType.SIGNED)); } + @Test + public void testProtectTokenAssertion() throws Exception { + + // //////////////////////////////////////////////////// + // x509 Direct Ref Tests + + /* REVISIT + No inbound validation is available for the PROTECT_TOKENS assertion. + We cannot yet test inbound in the standard manner. Since we can't + test inbound, we can't test reound trip either and thus must take + a different approach for now. + + this.runInInterceptorAndValidate( + "signed_x509_direct_ref_token_prot.xml", + "protect_token_policy_asym_x509_direct_ref.xml", + SP12Constants.PROTECT_TOKENS, + null, + CoverageType.SIGNED); + + this.runInInterceptorAndValidate( + "signed_x509_direct_ref.xml", + "protect_token_policy_asym_x509_direct_ref.xml", + null, + SP12Constants.PROTECT_TOKENS, + CoverageType.SIGNED); + + this.runAndValidate( + "wsse-request-clean.xml", + "protect_token_policy_asym_x509_direct_ref.xml", + null, + null, + Arrays.asList(new QName[] {SP12Constants.PROTECT_TOKENS }), + null, + Arrays.asList(new CoverageType[] {CoverageType.SIGNED })); + */ + + // REVISIT + // We test using a policy with ProtectTokens enabled on + // the outbound but with a policy using a SignedElements policy + // on the inbound to validate that the correct thing got signed. + this.runAndValidate( + "wsse-request-clean.xml", + "protect_token_policy_asym_x509_direct_ref.xml", + "protect_token_policy_asym_x509_direct_ref_complement.xml", + new AssertionsHolder( + Arrays.asList(new QName[] {SP12Constants.ASYMMETRIC_BINDING}), + null), + new AssertionsHolder( + Arrays.asList(new QName[] {SP12Constants.SIGNED_ELEMENTS}), + null), + Arrays.asList(new CoverageType[] {CoverageType.SIGNED })); + + // //////////////////////////////////////////////////// + // x509 Issuer Serial Tests + + /* REVISIT + No inbound validation is available for the PROTECT_TOKENS assertion. + We cannot yet test inbound in the standard manner. 
Since we can't + test inbound, we can't test reound trip either and thus must take + a different approach for now. + + this.runInInterceptorAndValidate( + "signed_x509_issuer_serial_token_prot.xml", + "protect_token_policy_asym_x509_issuer_serial.xml", + SP12Constants.PROTECT_TOKENS, + null, + CoverageType.SIGNED); + + this.runInInterceptorAndValidate( + "signed_x509_issuer_serial.xml", + "protect_token_policy_asym_x509_issuer_serial.xml", + null, + SP12Constants.PROTECT_TOKENS, + CoverageType.SIGNED); + + this.runAndValidate( + "wsse-request-clean.xml", + "protect_token_policy_asym_x509_issuer_serial.xml", + null, + null, + Arrays.asList(new QName[] { SP12Constants.PROTECT_TOKENS }), + null, + Arrays.asList(new CoverageType[] { CoverageType.SIGNED })); + */ + + // REVISIT + // We test using a policy with ProtectTokens enabled on + // the outbound but with a policy using a SignedElements policy + // on the inbound to validate that the correct thing got signed. + this.runAndValidate( + "wsse-request-clean.xml", + "protect_token_policy_asym_x509_issuer_serial.xml", + "protect_token_policy_asym_x509_issuer_serial_complement.xml", + new AssertionsHolder( + Arrays.asList(new QName[] {SP12Constants.ASYMMETRIC_BINDING}), + null), + new AssertionsHolder( + Arrays.asList(new QName[] {SP12Constants.SIGNED_ELEMENTS}), + null), + Arrays.asList(new CoverageType[] {CoverageType.SIGNED })); + + // //////////////////////////////////////////////////// + // x509 Key Identifier Tests + + // TODO: Tests for Key Identifier are needed but require that the + // certificates used in the test cases be updated to version 3 + // according to WSS4J. + + // TODO: Tests for derived keys. + } + + protected Bus createBus() throws BusException { Bus b = super.createBus(); this.policyBuilder = 
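Review bot: Two large REVISIT blocks of commented-out test code are added with no pointer to the follow-up work that would let them run; commented-out code stops compiling silently as the helpers change, so either reference the issue that will add inbound PROTECT_TOKENS validation in the REVISIT comment or move them into a disabled test method so the compiler keeps them honest. The comment also misspells "round trip" as `reound trip` in both places. The workaround only asserts `SP12Constants.SIGNED_ELEMENTS` against the complement policies, whose content lives in the added XML files not shown here, so whether the check pins the BST or SecurityTokenReference specifically cannot be confirmed from this hunk, and the derived-keys TODO leaves that path of token protection untested.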
@@ -474,17 +586,39 @@ public class PolicyBasedWss4JInOutTest e List assertedInAssertions, List notAssertedInAssertions, List types) throws Exception { - final Element policyElement = - this.readDocument(policyDocument).getDocumentElement(); + this.runAndValidate(document, policyDocument, null, + new AssertionsHolder(assertedOutAssertions, notAssertedOutAssertions), + new AssertionsHolder(assertedInAssertions, notAssertedInAssertions), + types); + } + + private void runAndValidate( + String document, + String outPolicyDocument, String inPolicyDocument, + AssertionsHolder outAssertions, + AssertionsHolder inAssertions, + List types) throws Exception { + + final Element outPolicyElement = this.readDocument(outPolicyDocument) + .getDocumentElement(); + final Element inPolicyElement; + + if (inPolicyDocument != null) { + inPolicyElement = this.readDocument(inPolicyDocument) + .getDocumentElement(); + } else { + inPolicyElement = outPolicyElement; + } + - final Policy outPolicy = this.policyBuilder.getPolicy(policyElement); - final Policy inPolicy = this.policyBuilder.getPolicy(policyElement); + final Policy outPolicy = this.policyBuilder.getPolicy(outPolicyElement); + final Policy inPolicy = this.policyBuilder.getPolicy(inPolicyElement); final Document originalDoc = this.readDocument(document); final Document inDoc = this.runOutInterceptorAndValidate( - originalDoc, outPolicy, assertedOutAssertions, - notAssertedOutAssertions); + originalDoc, outPolicy, outAssertions.getAssertedAssertions(), + outAssertions.getNotAssertedAssertions()); // Can't use this method if you want output that is not mangled. // Such is the case when you want to capture output to use 
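Review bot: The new seven-argument `runAndValidate` has no Javadoc, and its one non-obvious contract — `inPolicyDocument == null` means the outbound policy element is reused for inbound validation — is only discoverable from the `else` branch that assigns `inPolicyElement = outPolicyElement`. Suggest `/** Runs the out and in interceptors against document; inPolicyDocument may be null, in which case outPolicyDocument governs both directions. */` above the method, and a matching note on the six-argument overload that it always takes the null path. The method body and its final `runInInterceptorAndValidate` call continue past the hunk.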
@@ -500,8 +634,8 @@ public class PolicyBasedWss4JInOutTest e */ this.runInInterceptorAndValidate(inDoc, - inPolicy, assertedInAssertions, - assertedOutAssertions, types); + inPolicy, inAssertions.getAssertedAssertions(), + inAssertions.getNotAssertedAssertions(), types); } private void runInInterceptorAndValidate(String document, @@ -790,6 +924,28 @@ public class PolicyBasedWss4JInOutTest e public void setOutFaultObserver(MessageObserver observer) { } + } + + /** + * A simple container used to reduce argument numbers to satisfy + * project code conventions. + */ + private static final class AssertionsHolder { + private List assertedAssertions; + private List notAssertedAssertions; + + public AssertionsHolder(List assertedAssertions, + List notAssertedAssertions) { + super(); + this.assertedAssertions = assertedAssertions; + this.notAssertedAssertions = notAssertedAssertions; + } + public List getAssertedAssertions() { + return this.assertedAssertions; + } + public List getNotAssertedAssertions() { + return this.notAssertedAssertions; + } } }
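Review bot: The removed line shows the inbound check previously received `assertedOutAssertions` as its not-asserted list, while the new code passes `inAssertions.getNotAssertedAssertions()`; through the six-argument overload this changes what every existing test in the class verifies on the inbound side — apparently a latent bug fix, but the commit log says nothing about it and the old pairing may have been masking failures. Worth a sentence in the log or a comment at the call, `// not-asserted-in was previously (wrongly) the asserted-out list`, plus a full run of the class to confirm nothing relied on the old behaviour. runAndValidate's body begins above this hunk.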
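Review bot: `AssertionsHolder` is a pure value holder but its two fields are not `final`, it uses raw `List` where every caller in this commit passes `Arrays.asList(new QName[] {...})`, and the explicit `super();` is redundant; `private final List<QName> assertedAssertions;` and `private final List<QName> notAssertedAssertions;` with `super();` dropped would make the immutability explicit and let the compiler check the element type. The Javadoc should also state that either list may be null, since the callers added above pass `null` for the not-asserted side and the getters hand that straight through.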