From dk...@apache.org
Subject svn commit: r1035302 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/ syste...
Date Mon, 15 Nov 2010 15:26:53 GMT
Author: dkulp
Date: Mon Nov 15 15:26:52 2010
New Revision: 1035302

URL: http://svn.apache.org/viewvc?rev=1035302&view=rev
Log:
[CXF-3041, CXF-3042] Cleanup to checks for various request only or
response only security cases

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
    cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
    cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1035302&r1=1035301&r2=1035302&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Mon Nov 15 15:26:52 2010
@@ -192,7 +192,11 @@ public class PolicyBasedWSS4JInIntercept
         }
         return false;
     }
-    private void assertPolicy(AssertionInfoMap aim, Token token, boolean derived) {
+    private void assertPolicy(AssertionInfoMap aim, Token token, Boolean derived) {
+        if (derived == null) {
+            //no keys were needed for anything
+            return;
+        }
         if (!derived && token instanceof X509Token && token.isDerivedKeys())
{
             notAssertPolicy(aim, token, "No derived keys found.");
         }
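Review bot: The `null` sentinel that `derived` now carries is undocumented at the signature, so the early return on the first added line reads as a null-safety guard rather than a deliberate "nothing to check" path. A Javadoc line such as `@param derived {@code null} when the security results contained no signature, encryption or derived-key-token action, in which case no token assertion is made here` would record the contract; the guard must also stay ahead of `!derived`, which unboxes. In that branch neither `assertPolicy` nor `notAssertPolicy` is reached for the token, so whether an unprotected message ends up with the token assertions unmet depends on the callers, which are outside this hunk; a comment naming the intended outcome would help. The rest of assertPolicy continues past the hunk.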
@@ -461,7 +465,7 @@ public class PolicyBasedWSS4JInIntercept
         AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
         Collection<WSDataRef> signed = new HashSet<WSDataRef>();
         Collection<WSDataRef> encrypted = new HashSet<WSDataRef>();
-        boolean hasDerivedKeys = false;
+        Boolean hasDerivedKeys = null;
         boolean hasEndorsement = false;
         Protections prots = Protections.NONE;
         
@@ -471,6 +475,9 @@ public class PolicyBasedWSS4JInIntercept
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             switch (actInt.intValue()) {                    
             case WSConstants.SIGN:
+                if (hasDerivedKeys == null) {
+                    hasDerivedKeys = Boolean.FALSE;
+                }
                 List<WSDataRef> sl = CastUtils.cast((List<?>)wser
                                                        .get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
                 if (sl != null) {
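Review bot: The `hasDerivedKeys == null` promotion to `Boolean.FALSE` under `WSConstants.SIGN` is repeated verbatim under `WSConstants.ENCR` in the next hunk, and neither says why the tri-state exists. A comment above the first, e.g. `// a signature/encryption result exists: null (no keys used at all) becomes FALSE unless a DKT result proves derived keys`, would explain the ordering dependence, since a `DKT` result seen later overwrites with TRUE and one seen earlier is preserved by the null test. The enclosing result loop starts and ends outside this hunk.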
@@ -487,6 +494,9 @@ public class PolicyBasedWSS4JInIntercept
                 }
                 break;
             case WSConstants.ENCR:
+                if (hasDerivedKeys == null) {
+                    hasDerivedKeys = Boolean.FALSE;
+                }
                 List<WSDataRef> el = CastUtils.cast((List<?>)wser
                                                        .get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
                 if (el != null) {
@@ -519,7 +529,7 @@ public class PolicyBasedWSS4JInIntercept
                 assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
                 break;
             case WSConstants.DKT:
-                hasDerivedKeys = true;
+                hasDerivedKeys = Boolean.TRUE;
                 break;
             case WSConstants.SC:
                 assertPolicy(aim, SP12Constants.WSS11);
@@ -611,7 +621,7 @@ public class PolicyBasedWSS4JInIntercept
                                            SoapMessage message,
                                            SOAPMessage doc,
                                            Protections prots,
-                                           boolean derived) {
+                                           Boolean derived) {
         Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
         if (ais == null) {
             return true;
@@ -652,7 +662,7 @@ public class PolicyBasedWSS4JInIntercept
                                            SoapMessage message,
                                            SOAPMessage doc,
                                            Protections prots,
-                                           boolean derived) {
+                                           Boolean derived) {
         Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
         if (ais == null) {                       
             return true;

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1035302&r1=1035301&r2=1035302&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Mon Nov 15 15:26:52 2010
@@ -348,7 +348,10 @@ public class AsymmetricBindingHandler ex
             assertUnusedTokens(abinding.getInitiatorToken());
         }
         sigToken = wrapper.getToken();
-
+        sigParts.addAll(this.getSignedParts());
+        if (sigParts.isEmpty()) {
+            return;
+        }
         if (sigToken.isDerivedKeys()) {
             // Set up the encrypted key to use
             setupEncryptedKey(wrapper, sigToken);
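Review bot: The new `return` when `sigParts` is empty exits the whole method, not just the signature step, immediately after `sigToken = wrapper.getToken()`. If this method also performs encryption or other header work after the signing branches (its end is outside this hunk), a policy with EncryptedParts but no SignedParts would now skip that work too and send the body unprotected; if only signing follows, the guard is fine but deserves a comment such as `// nothing to sign in this direction (e.g. sign-only on the response): skip the signature`. Restricting the guard to the signing step, i.e. wrapping the `if (sigToken.isDerivedKeys()) … else …` chain in `if (!sigParts.isEmpty())`, would make the intent robust either way. The enclosing method starts before this hunk.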
@@ -388,6 +391,7 @@ public class AsymmetricBindingHandler ex
                 e.printStackTrace();
             }
         } else {
+            
             WSSecSignature sig = getSignatureBuider(wrapper, sigToken, false);
                       
             // This action must occur before sig.prependBSTElementToHeader
@@ -398,7 +402,6 @@ public class AsymmetricBindingHandler ex
 
             sig.prependBSTElementToHeader(secHeader);
             insertBeforeBottomUp(sig.getSignatureElement());
-            sigParts.addAll(this.getSignedParts());
             
             sig.addReferencesToSign(sigParts, secHeader);
             sig.computeSignature();

Modified: cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=1035302&r1=1035301&r2=1035302&view=diff
==============================================================================
--- cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
(original)
+++ cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
Mon Nov 15 15:26:52 2010
@@ -74,6 +74,9 @@ public class SecurityPolicyTest extends 
     public static final String POLICY_XPATH_ADDRESS = "http://localhost:" + PORT + "/SecPolTestXPath";
     public static final String POLICY_SIGNONLY_ADDRESS = "http://localhost:" + PORT + "/SecPolTestSignedOnly";
 
+    public static final String POLICY_CXF3041_ADDRESS = "http://localhost:" + PORT + "/SecPolTestCXF3041";
+    public static final String POLICY_CXF3042_ADDRESS = "http://localhost:" + PORT + "/SecPolTestCXF3042";
+
     
     public static class ServerPasswordCallback implements CallbackHandler {
         public void handle(Callback[] callbacks) throws IOException,
@@ -88,7 +91,8 @@ public class SecurityPolicyTest extends 
         }
     }
     
-    
+    private DoubleItService service = new DoubleItService();
+
     
     @BeforeClass 
     public static void init() throws Exception {
@@ -159,11 +163,30 @@ public class SecurityPolicyTest extends 
                        SecurityPolicyTest.class.getResource("bob.properties").toString());
         ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES, 
                        SecurityPolicyTest.class.getResource("alice.properties").toString());
+        
+        
+        ep = (EndpointImpl)Endpoint.publish(POLICY_CXF3041_ADDRESS,
+                                            new DoubleItImplCXF3041());
+        ei = ep.getServer().getEndpoint().getEndpointInfo(); 
+        ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
+        ei.setProperty(SecurityConstants.SIGNATURE_PROPERTIES, 
+                       SecurityPolicyTest.class.getResource("bob.properties").toString());
+        ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES, 
+                       SecurityPolicyTest.class.getResource("alice.properties").toString());
+        
+        ep = (EndpointImpl)Endpoint.publish(POLICY_CXF3042_ADDRESS,
+                                            new DoubleItImplCXF3042());
+        ei = ep.getServer().getEndpoint().getEndpointInfo(); 
+        ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
+        ei.setProperty(SecurityConstants.SIGNATURE_PROPERTIES, 
+                       SecurityPolicyTest.class.getResource("alice.properties").toString());
+        ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES, 
+                       SecurityPolicyTest.class.getResource("alice.properties").toString());
+        
     }
     
     @Test
     public void testPolicy() throws Exception {
-        DoubleItService service = new DoubleItService();
         DoubleItPortType pt;
 
         pt = service.getDoubleItPortXPath();
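Review bot: The three endpoint set-up blocks in `init()` are identical apart from the implementor and the two property files, and nothing says which keystore plays which role, so the reason the CXF-3042 endpoint uses `alice.properties` for both properties while CXF-3041 uses `bob`/`alice` is not visible. A one-line comment above each block, e.g. `// CXF-3041: asymmetric binding, server signs with bob and encrypts for alice` and `// CXF-3042: symmetric binding, alice's key pair on both sides`, would tie them to the client-side settings in testCXF3041/testCXF3042; the symmetric reading is inferred from the WSDL policy in this commit, so confirm it. `init()` starts before this hunk, and the hunk runs on into `testPolicy`.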
@@ -246,7 +269,6 @@ public class SecurityPolicyTest extends 
     @Test
     public void testSignedOnlyWithUnsignedMessage() throws Exception {
         //CXF-2244
-        DoubleItService service = new DoubleItService();
         DoubleItPortType pt;
 
         pt = service.getDoubleItPortSignedOnly();
@@ -277,7 +299,6 @@ public class SecurityPolicyTest extends 
     
     @Test
     public void testDispatchClient() throws Exception {
-        DoubleItService service = new DoubleItService();
         Dispatch<Source> disp = service.createDispatch(DoubleItService.DoubleItPortEncryptThenSign,

                                                        Source.class,
                                                        Mode.PAYLOAD);
@@ -418,4 +439,58 @@ public class SecurityPolicyTest extends 
         }
         
     }
+    
+    
+    
+    @WebService(targetNamespace = "http://cxf.apache.org/policytest/DoubleIt", 
+                portName = "DoubleItPortCXF3041",
+                serviceName = "DoubleItService", 
+                endpointInterface = "org.apache.cxf.policytest.doubleit.DoubleItPortType",
+                wsdlLocation = "classpath:/wsdl_systest_wsspec/DoubleIt.wsdl")
+    public static class DoubleItImplCXF3041 implements DoubleItPortType {
+        /** {@inheritDoc}*/
+        public BigInteger doubleIt(BigInteger numberToDouble) {
+            return numberToDouble.multiply(new BigInteger("2"));
+        }
+    }
+    @WebService(targetNamespace = "http://cxf.apache.org/policytest/DoubleIt", 
+                portName = "DoubleItPortCXF3042",
+                serviceName = "DoubleItService", 
+                endpointInterface = "org.apache.cxf.policytest.doubleit.DoubleItPortType",
+                wsdlLocation = "classpath:/wsdl_systest_wsspec/DoubleIt.wsdl")
+    public static class DoubleItImplCXF3042 implements DoubleItPortType {
+        /** {@inheritDoc}*/
+        public BigInteger doubleIt(BigInteger numberToDouble) {
+            return numberToDouble.multiply(new BigInteger("2"));
+        }
+    }
+    
+    @Test
+    public void testCXF3041() throws Exception {
+        DoubleItPortType pt;
+
+        pt = service.getDoubleItPortCXF3041();
+        updateAddressPort(pt, PORT);
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,

+                                                      new KeystorePasswordCallback());
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+                                                      getClass().getResource("alice.properties"));
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,

+                                                      getClass().getResource("bob.properties"));
+        assertEquals(BigInteger.valueOf(10), pt.doubleIt(BigInteger.valueOf(5)));
+    }
+
+    @Test
+    public void testCXF3042() throws Exception {
+        DoubleItPortType pt;
+        pt = service.getDoubleItPortCXF3042();
+        updateAddressPort(pt, PORT);
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,

+                                                      new KeystorePasswordCallback());
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+                                                      getClass().getResource("alice.properties"));
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,

+                                                      getClass().getResource("alice.properties"));
+        assertEquals(BigInteger.valueOf(10), pt.doubleIt(BigInteger.valueOf(5)));
+    }
 }
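Review bot: `testCXF3041` and `testCXF3042` assert only the doubled value, so they would also pass if neither side applied any protection — a regression that silently drops the response signature (CXF-3041) or the request body encryption (CXF-3042) is not caught. Capturing the exchanged messages (for example with a logging interceptor) and asserting a `ds:Signature` inside the response `wsse:Security` header and an `xenc:EncryptedData` request body would pin the behaviour the issues are about; a negative case in the style of `testSignedOnlyWithUnsignedMessage`, where the client omits the protection the policy requires, is equally worth adding. Minor: the two `DoubleItImpl*` classes are identical, and `new BigInteger("2")` can be `BigInteger.valueOf(2)`.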

Modified: cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl?rev=1035302&r1=1035301&r2=1035302&view=diff
==============================================================================
--- cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl (original)
+++ cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl Mon Nov
15 15:26:52 2010
@@ -149,6 +149,39 @@
 			</wsdl:output>
 		</wsdl:operation>
 	</wsdl:binding>
+
+    <wsdl:binding name="DoubleItBindingCXF3041" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#CXF3041"/>
+        <soap:binding style="document"
+			transport="http://schemas.xmlsoap.org/soap/http" />
+		<wsdl:operation name="DoubleIt">
+			<soap:operation soapAction="" />
+			<wsdl:input>
+				<soap:body use="literal" />
+			</wsdl:input>
+			<wsdl:output>
+                <wsp:PolicyReference URI="#SignBody"/>
+				<soap:body use="literal" />
+			</wsdl:output>
+		</wsdl:operation>
+	</wsdl:binding>
+    <wsdl:binding name="DoubleItBindingCXF3042" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#CXF3042"/>
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <wsp:PolicyReference URI="#EncrBody"/>
+                <soap:body use="literal" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+            </wsdl:output>
+        </wsdl:operation>
+    </wsdl:binding>
+
+
 	<wsdl:service name="DoubleItService">
 		<wsdl:port name="DoubleItPortHttps" binding="tns:DoubleItBinding">
 			<soap:address location="https://localhost:9009/SecPolTest" />
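Review bot: The `DoubleItBindingCXF3041` binding mixes tab and space indentation (`soap:binding` through `</wsdl:binding>` are tab-indented while the opening lines and `wsp:PolicyReference` use spaces), whereas `DoubleItBindingCXF3042` directly below is all spaces; pick one for the new bindings. A short comment on each binding stating which direction is protected, e.g. `<!-- CXF-3041: response signed only -->` and `<!-- CXF-3042: request encrypted only -->`, would spare readers a trip to the policy definitions further down the file.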
@@ -174,6 +207,12 @@
 		<wsdl:port name="DoubleItPortTimestampOnly" binding="tns:DoubleItBindingTimestampOnly">
 			<soap:address location="http://localhost:9010/SecPolTestTimestampOnly" />
 		</wsdl:port>
+        <wsdl:port name="DoubleItPortCXF3041" binding="tns:DoubleItBindingCXF3041">
+            <soap:address location="http://localhost:9010/SecPolTestCXF3041" />
+        </wsdl:port>
+        <wsdl:port name="DoubleItPortCXF3042" binding="tns:DoubleItBindingCXF3042">
+            <soap:address location="http://localhost:9010/SecPolTestCXF3042" />
+        </wsdl:port>
 	</wsdl:service>
 
 	<wsp:Policy wsu:Id="DoubleItBindingPolicy">
@@ -542,5 +581,133 @@
 		</wsp:ExactlyOne>
 	</wsp:Policy>
   
+
+
+  <!-- Policy for asymmetric binding with the certificate included in the message from
+   client to server but only a thumbprint on messages from the server to the client. -->
+  <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu=
+      "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+      xmlns:wsp="http://www.w3.org/ns/ws-policy"
+      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+    <sp:AsymmetricBinding>
+      <wsp:Policy>
+        <sp:InitiatorToken>
+          <wsp:Policy>
+            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+              <wsp:Policy>
+                <sp:RequireThumbprintReference/>
+              </wsp:Policy>
+            </sp:X509Token>
+          </wsp:Policy>
+        </sp:InitiatorToken>
+        <sp:RecipientToken>
+          <wsp:Policy>
+            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+              <wsp:Policy>
+                <sp:RequireThumbprintReference/>
+              </wsp:Policy>
+            </sp:X509Token>
+          </wsp:Policy>
+        </sp:RecipientToken>
+        <sp:AlgorithmSuite>
+          <wsp:Policy>
+            <sp:Basic128Rsa15/>
+          </wsp:Policy>
+        </sp:AlgorithmSuite>
+      </wsp:Policy>
+    </sp:AsymmetricBinding>
+  </wsp:Policy>
   
+  <!-- Policy for signing the message body. -->
+  <wsp:Policy wsu:Id="SignBody" xmlns:wsu=
+      "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+      xmlns:wsp="http://www.w3.org/ns/ws-policy"
+      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+    <sp:SignedParts>
+      <sp:Body/>
+    </sp:SignedParts>
+  </wsp:Policy>
+  <!-- Policy for encrypting the message body. -->
+  <wsp:Policy wsu:Id="EncrBody" xmlns:wsu=
+      "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+      xmlns:wsp="http://www.w3.org/ns/ws-policy"
+      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+    <sp:EncryptedParts>
+      <sp:Body/>
+    </sp:EncryptedParts>
+  </wsp:Policy>
+
+  <!-- Policy for asymmetric binding with the certificate included in the message from
+   client to server but only a thumbprint on messages from the server to the client. -->
+  <wsp:Policy wsu:Id="CXF3041" xmlns:wsu=
+      "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+      xmlns:wsp="http://www.w3.org/ns/ws-policy"
+      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+    <sp:AsymmetricBinding>
+      <wsp:Policy>
+        <sp:InitiatorToken>
+          <wsp:Policy>
+            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+              <wsp:Policy>
+                <sp:RequireThumbprintReference/>
+              </wsp:Policy>
+            </sp:X509Token>
+          </wsp:Policy>
+        </sp:InitiatorToken>
+        <sp:RecipientToken>
+          <wsp:Policy>
+            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+              <wsp:Policy>
+                <sp:RequireThumbprintReference/>
+              </wsp:Policy>
+            </sp:X509Token>
+          </wsp:Policy>
+        </sp:RecipientToken>
+        <sp:AlgorithmSuite>
+          <wsp:Policy>
+            <sp:Basic128Rsa15/>
+          </wsp:Policy>
+        </sp:AlgorithmSuite>
+      </wsp:Policy>
+    </sp:AsymmetricBinding>
+  </wsp:Policy>
+
+
+
+    <!-- Policy for symmetric binding, using an ephemeral key generated by the client
and
+   sent to the server as part of the request, using asymmetric encryption with the server
+   public key to secure the symmetric key. -->
+  <wsp:Policy wsu:Id="CXF3042"
+      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+      xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
+      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+    <sp:SymmetricBinding>
+      <wsp:Policy>
+        <sp:ProtectionToken>
+          <wsp:Policy>
+            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+              <wsp:Policy>
+                <sp:RequireDerivedKeys/>
+                <sp:RequireThumbprintReference/>
+                <sp:WssX509V3Token10/>
+              </wsp:Policy>
+            </sp:X509Token>
+          </wsp:Policy>
+        </sp:ProtectionToken>
+        <sp:AlgorithmSuite>
+          <wsp:Policy>
+            <sp:Basic128Rsa15/>
+          </wsp:Policy>
+        </sp:AlgorithmSuite>
+        <sp:OnlySignEntireHeadersAndBody/>
+      </wsp:Policy>
+    </sp:SymmetricBinding>
+    <sp:Wss11>
+      <wsp:Policy>
+        <sp:MustSupportRefKeyIdentifier/>
+        <sp:MustSupportRefThumbprint/>
+        <sp:MustSupportRefEncryptedKey/>
+      </wsp:Policy>
+    </sp:Wss11>
+  </wsp:Policy>
 </wsdl:definitions>
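Review bot: The `CXF3041` policy is a byte-for-byte copy of the `AsymmBinding` policy added just above it, comment included; the binding could reference `#AsymmBinding` directly, or one of the two can be dropped (nothing in this diff references `AsymmBinding`). The `CXF3042` policy declares `xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"` while every other new policy here uses `http://www.w3.org/ns/ws-policy`; if the older namespace is not deliberate for this test, aligning it avoids exercising two policy dialects in one document. Both new bindings select `sp:Basic128Rsa15`, i.e. RSA-1.5 key transport; that is acceptable for a systest that pins existing behaviour, but a comment noting that the OAEP-based suites (`sp:Basic128`) are the recommended choice outside tests would keep these policies from being copied as-is.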


