From dval...@apache.org
Subject svn commit: r980898 - in /cxf/trunk/rt/ws/security/src: main/java/org/apache/cxf/ws/security/wss4j/ test/java/org/apache/cxf/ws/security/wss4j/
Date Fri, 30 Jul 2010 17:53:49 GMT
Author: dvaleri
Date: Fri Jul 30 17:53:49 2010
New Revision: 980898

URL: http://svn.apache.org/viewvc?rev=980898&view=rev
Log:
[CXF-2921] Changed interceptor behavior for case where there is no WS-S header.  Now allows
for policy interceptor to process results even when there is no header.

Added:
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/transport_binding_policy.xml
  (with props)
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=980898&r1=980897&r2=980898&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Fri Jul 30 17:53:49 2010
@@ -217,27 +217,39 @@ public class WSS4JInInterceptor extends 
                 t2 = System.currentTimeMillis();
             }
 
-            if (wsResult == null) { // no security header found
-                if (doAction == WSConstants.NO_SECURITY) {
-                    return;
-                } else if (doc.getSOAPPart().getEnvelope().getBody().hasFault()) {
-                    LOG.warning("Request does not contain required Security header, " 
+            if (wsResult != null) { // security header found
+                if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
+                    checkSignatureConfirmation(reqData, wsResult);
+                }
+
+                checkSignatures(msg, reqData, wsResult);
+                checkTimestamps(msg, reqData, wsResult);
+                checkActions(msg, reqData, wsResult, actions);
+                doResults(msg, actor, doc, wsResult);
+            } else { // no security header found
+                // Create an empty result vector to pass into the required validation
+                // methods.
+                wsResult = new Vector<Object>();
+                
+                if (doc.getSOAPPart().getEnvelope().getBody().hasFault()) {
+                    LOG.warning("Request does not contain Security header, " 
                                 + "but it's a fault.");
-                    return;
+                    // We allow lax action matching here for backwards compatibility
+                    // with manually configured WSS4JInInterceptors that previously
+                    // allowed faults to pass through even if their actions aren't
+                    // a strict match against those configured.  In the WS-SP case,
+                    // we will want to still call doResults as it handles asserting
+                    // certain assertions that do not require a WS-S header such as
+                    // a sp:TransportBinding assertion.  In the case of WS-SP,
+                    // the unasserted assertions will provide confirmation that
+                    // security was not sufficient.
+                    // checkActions(msg, reqData, wsResult, actions);
+                    doResults(msg, actor, doc, wsResult);
                 } else {
-                    LOG.warning("Request does not contain required Security header");
-                    throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+                    checkActions(msg, reqData, wsResult, actions);
+                    doResults(msg, actor, doc, wsResult);
                 }
             }
-            if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
-                checkSignatureConfirmation(reqData, wsResult);
-            }
-
-            checkSignatures(msg, reqData, wsResult);
-            checkTimestamps(msg, reqData, wsResult);
-            checkActions(msg, reqData, wsResult, actions);
-            
-            doResults(msg, actor, doc, wsResult);
 
             if (doTimeLog) {
                 t3 = System.currentTimeMillis();
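Review bot: With the explicit `throw new WSSecurityException(WSSecurityException.INVALID_SECURITY)` removed, a request that carries no Security header is rejected in the non-fault `else` branch only if `checkActions` fails on the empty `Vector`, and in the `hasFault()` branch it is never rejected by this code. The body of `checkActions` is outside this hunk, so whether it fails closed on an empty result for every configured action set cannot be confirmed from here. I would state that dependency where it matters, for example `// No WS-S header: checkActions must reject the empty result whenever any action is configured.` above the call in the `else` branch. The commented-out `// checkActions(msg, reqData, wsResult, actions);` in the fault branch should be dropped in favour of the prose explanation already there, with one added sentence saying that a fault body skips action matching for manually configured interceptors as well. The enclosing method starts and ends outside the hunk.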

Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java?rev=980898&r1=980897&r2=980898&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
(original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
Fri Jul 30 17:53:49 2010
@@ -19,6 +19,7 @@
 package org.apache.cxf.ws.security.wss4j;
 
 
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
@@ -101,6 +102,27 @@ public class PolicyBasedWss4JInOutTest e
                 null,
                 Arrays.asList(CoverageType.SIGNED));
     }
+    
+    @Test
+    public void testTransportBinding() throws Exception {
+        this.runInInterceptorAndValidate(
+                "wsse-request-clean.xml",
+                "transport_binding_policy.xml",
+                Arrays.asList(SP12Constants.TRANSPORT_BINDING,
+                              SP12Constants.TRANSPORT_TOKEN),
+                null,
+                new ArrayList<CoverageType>());
+        
+        this.runAndValidate(
+                "wsse-request-clean.xml",
+                "transport_binding_policy.xml",
+                Arrays.asList(SP12Constants.TRANSPORT_BINDING),
+                null,
+                Arrays.asList(SP12Constants.TRANSPORT_BINDING,
+                              SP12Constants.TRANSPORT_TOKEN),
+                null,
+                new ArrayList<CoverageType>());
+    }
 
     // TODO this test does not follow the traditional pattern as no server-side enforcement
     // of algorithm suites yet exists.  This support is blocked on WSS4J patches.  In the
interim
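Review bot: `testTransportBinding` exercises only the accepting path, where a request without a Security header satisfies a transport-only policy. Nothing in it pins the opposite case, that the same `wsse-request-clean.xml` is still refused or left unasserted when the policy or configured actions demand message-level protection. That is the behaviour the interceptor change in this commit puts at risk. A companion case that runs the clean request against one of the existing signing policies in this class and expects the signing assertions in the not-asserted list would cover it. The fixture also declares `sp:RequireClientCertificate`, but the test asserts only `TRANSPORT_BINDING` and `TRANSPORT_TOKEN`; a comment such as `// HttpsToken/client-certificate enforcement is not covered here.` would keep readers from assuming it is checked.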
@@ -621,6 +643,7 @@ public class PolicyBasedWss4JInOutTest e
         t.transform(new DOMSource(inDoc), new StreamResult(System.out));
         */
         
+        
         this.runInInterceptorAndValidate(inDoc,
                 inPolicy, inAssertions.getAssertedAssertions(),
                 inAssertions.getNotAssertedAssertions(), types);

Added: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/transport_binding_policy.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/transport_binding_policy.xml?rev=980898&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/transport_binding_policy.xml
(added)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/transport_binding_policy.xml
Fri Jul 30 17:53:49 2010
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<wsp:Policy 
+    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
+    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
+    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <wsp:ExactlyOne>
+    <wsp:All>
+      <wsp:Policy>
+        <sp:TransportBinding>
+          <wsp:Policy>
+            <sp:TransportToken>
+              <wsp:Policy>
+                <sp:HttpsToken>
+                  <wsp:Policy>
+                    <sp:RequireClientCertificate/>
+                  </wsp:Policy>
+                </sp:HttpsToken>
+              </wsp:Policy>
+            </sp:TransportToken>
+          </wsp:Policy>
+        </sp:TransportBinding>
+      </wsp:Policy>
+    </wsp:All>
+  </wsp:ExactlyOne>
+</wsp:Policy>

Propchange: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/transport_binding_policy.xml
------------------------------------------------------------------------------
    svn:eol-style = native


