cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1079911 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security: policy/interceptors/ wss4j/ wss4j/policyhandlers/
Date Wed, 09 Mar 2011 17:58:40 GMT
Author: coheigea
Date: Wed Mar  9 17:58:40 2011
New Revision: 1079911

URL: http://svn.apache.org/viewvc?rev=1079911&view=rev
Log:
[CXF-2657] - Support for issued tokens using the Asymmetric Binding.

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java?rev=1079911&r1=1079910&r2=1079911&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
Wed Mar  9 17:58:40 2011
@@ -47,6 +47,8 @@ public class WSSecurityPolicyInterceptor
         ASSERTION_TYPES.add(SP12Constants.ENCRYPTION_TOKEN);
         ASSERTION_TYPES.add(SP12Constants.SIGNATURE_TOKEN);
         ASSERTION_TYPES.add(SP12Constants.TRANSPORT_TOKEN);            
+        ASSERTION_TYPES.add(SP12Constants.INITIATOR_TOKEN);
+        ASSERTION_TYPES.add(SP12Constants.RECIPIENT_TOKEN);   
         ASSERTION_TYPES.add(SP12Constants.SIGNED_PARTS);
         ASSERTION_TYPES.add(SP12Constants.REQUIRED_PARTS);
         ASSERTION_TYPES.add(SP12Constants.REQUIRED_ELEMENTS);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1079911&r1=1079910&r2=1079911&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Wed Mar  9 17:58:40 2011
@@ -726,10 +726,14 @@ public class PolicyBasedWSS4JInIntercept
             } else if (prots == Protections.ENCRYPT_SIGN) {
                 ai.setNotAsserted("Not signed before encrypted");                       
            
             }
-            assertPolicy(aim, abinding.getInitiatorToken());
-            assertPolicy(aim, abinding.getRecipientToken());
-            assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
-            assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
+            if (abinding.getInitiatorToken() != null) {
+                assertPolicy(aim, abinding.getInitiatorToken());
+                assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
+            }
+            if (abinding.getRecipientToken() != null) {
+                assertPolicy(aim, abinding.getRecipientToken());
+                assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
+            }
         }
         return true;
     }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1079911&r1=1079910&r2=1079911&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Wed Mar  9 17:58:40 2011
@@ -1280,10 +1280,53 @@ public abstract class AbstractBindingBui
         }
     }
     
-    protected WSSecSignature getSignatureBuilder(TokenWrapper wrapper, Token token, boolean
endorse) {
+    protected WSSecSignature getSignatureBuilder(
+        TokenWrapper wrapper, Token token, boolean endorse
+    ) {
+        return getSignatureBuilder(wrapper, token, false, endorse);
+    }
+    
+    protected WSSecSignature getSignatureBuilder(
+        TokenWrapper wrapper, Token token, boolean attached, boolean endorse
+    ) {
         WSSecSignature sig = new WSSecSignature();
-        checkForX509PkiPath(sig, token);        
-        setKeyIdentifierType(sig, wrapper, token);
+        checkForX509PkiPath(sig, token);
+        if (token instanceof IssuedToken) {
+            policyAsserted(token);
+            policyAsserted(wrapper);
+            SecurityToken securityToken = getSecurityToken();
+            String tokenType = securityToken.getTokenType();
+            
+            int type = attached ? WSConstants.CUSTOM_SYMM_SIGNING 
+                : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
+            if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
+                sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE);
+                sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+            } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)) {
+                sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
+                sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+            } else {
+                sig.setCustomTokenValueType(tokenType);
+                sig.setKeyIdentifierType(type);
+            }
+            
+            String sigTokId;
+            if (attached) {
+                sigTokId = securityToken.getWsuId();
+                if (sigTokId == null) {
+                    sigTokId = securityToken.getId();                    
+                }
+                if (sigTokId.startsWith("#")) {
+                    sigTokId = sigTokId.substring(1);
+                }
+            } else {
+                sigTokId = securityToken.getId();
+            }
+            
+            sig.setCustomTokenId(sigTokId);
+        } else {
+            setKeyIdentifierType(sig, wrapper, token);
+        }
         
         boolean encryptCrypto = false;
         String userNameKey = SecurityConstants.SIGNATURE_USERNAME;

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1079911&r1=1079910&r2=1079911&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Wed Mar  9 17:58:40 2011
@@ -38,11 +38,14 @@ import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
 import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
 import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
+import org.apache.cxf.ws.security.policy.model.IssuedToken;
 import org.apache.cxf.ws.security.policy.model.RecipientToken;
 import org.apache.cxf.ws.security.policy.model.Token;
 import org.apache.cxf.ws.security.policy.model.TokenWrapper;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSEncryptionPart;
 import org.apache.ws.security.WSSecurityEngineResult;
@@ -95,6 +98,33 @@ public class AsymmetricBindingHandler ex
 
     private void doSignBeforeEncrypt() {
         try {
+            TokenWrapper initiatorWrapper = abinding.getInitiatorToken();
+            boolean attached = false;
+            if (initiatorWrapper != null) {
+                Token initiatorToken = initiatorWrapper.getToken();
+                if (initiatorToken instanceof IssuedToken) {
+                    SecurityToken secToken = getSecurityToken();
+                    if (secToken == null) {
+                        policyNotAsserted(initiatorToken, "No intiator token id");
+                        return;
+                    } else {
+                        policyAsserted(initiatorToken);
+                        
+                        IncludeTokenType inclusion = initiatorToken.getInclusion();
+                        if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == inclusion
+                            || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == inclusion
+                            || (isRequestor() 
+                                && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

+                                    == inclusion)) {
+                            
+                            Element el = secToken.getToken();
+                            this.addEncyptedKeyElement(cloneElement(el));
+                            attached = true;
+                        } 
+                    }
+                }
+            }
+            
             List<WSEncryptionPart> sigs = new ArrayList<WSEncryptionPart>();
             if (isRequestor()) {
                 //Add timestamp
@@ -105,7 +135,7 @@ public class AsymmetricBindingHandler ex
                 }
 
                 addSupportingTokens(sigs);
-                doSignature(sigs);
+                doSignature(sigs, attached);
                 doEndorse();
             } else {
                 //confirm sig
@@ -119,7 +149,7 @@ public class AsymmetricBindingHandler ex
                 }
 
                 addSignatureConfirmation(sigs);
-                doSignature(sigs);
+                doSignature(sigs, attached);
             }
 
             List<WSEncryptionPart> enc = getEncryptedParts();
@@ -157,6 +187,34 @@ public class AsymmetricBindingHandler ex
             wrapper = abinding.getInitiatorToken();
         }
         encryptionToken = wrapper.getToken();
+        
+        TokenWrapper initiatorWrapper = abinding.getInitiatorToken();
+        boolean attached = false;
+        if (initiatorWrapper != null) {
+            Token initiatorToken = initiatorWrapper.getToken();
+            if (initiatorToken instanceof IssuedToken) {
+                SecurityToken secToken = getSecurityToken();
+                if (secToken == null) {
+                    policyNotAsserted(initiatorToken, "No intiator token id");
+                    return;
+                } else {
+                    policyAsserted(initiatorToken);
+                    
+                    IncludeTokenType inclusion = initiatorToken.getInclusion();
+                    if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == inclusion
+                        || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == inclusion
+                        || (isRequestor() 
+                            && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

+                                == inclusion)) {
+                        
+                        Element el = secToken.getToken();
+                        this.addEncyptedKeyElement(cloneElement(el));
+                        attached = true;
+                    } 
+                }
+            }
+        }
+        
         List<WSEncryptionPart> encrParts = null;
         List<WSEncryptionPart> sigParts = null;
         try {
@@ -194,7 +252,7 @@ public class AsymmetricBindingHandler ex
                     && abinding.getInitiatorToken() != null) 
                 || (!isRequestor() && abinding.getRecipientToken() != null)) {
                 try {
-                    doSignature(sigParts);
+                    doSignature(sigParts, attached);
                 } catch (WSSecurityException e) {
                     //REVISIT - exception
                     e.printStackTrace();
@@ -287,11 +345,21 @@ public class AsymmetricBindingHandler ex
                 try {
                     WSSecEncrypt encr = new WSSecEncrypt();
                     
-                    setKeyIdentifierType(encr, recToken, encrToken);
-                    
                     encr.setDocument(saaj.getSOAPPart());
                     Crypto crypto = getEncryptionCrypto(recToken);
-                    setEncryptionUser(encr, recToken, false, crypto);
+                    
+                    SecurityToken securityToken = getSecurityToken();
+                    setKeyIdentifierType(encr, recToken, encrToken);
+                    //
+                    // Using a stored cert is only suitable for the Issued Token case, where
+                    // we're extracting the cert from a SAML Assertion on the provider side
+                    //
+                    if (!isRequestor() && securityToken != null 
+                        && securityToken.getX509Certificate() != null) {
+                        encr.setUseThisCert(securityToken.getX509Certificate());
+                    } else {
+                        setEncryptionUser(encr, recToken, false, crypto);
+                    }
                     encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
                     encr.setKeyEncAlgo(algorithmSuite.getAsymmetricKeyWrap());
                     
@@ -338,7 +406,8 @@ public class AsymmetricBindingHandler ex
         }
     }
     
-    private void doSignature(List<WSEncryptionPart> sigParts) throws WSSecurityException,
SOAPException {
+    private void doSignature(List<WSEncryptionPart> sigParts, boolean attached) 
+        throws WSSecurityException, SOAPException {
         Token sigToken = null;
         TokenWrapper wrapper = null;
         if (isRequestor()) {
@@ -399,7 +468,7 @@ public class AsymmetricBindingHandler ex
                 e.printStackTrace();
             }
         } else {
-            WSSecSignature sig = getSignatureBuilder(wrapper, sigToken, false);
+            WSSecSignature sig = getSignatureBuilder(wrapper, sigToken, attached, false);
                       
             // This action must occur before sig.prependBSTElementToHeader
             if (abinding.isTokenProtection()

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1079911&r1=1079910&r2=1079911&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Wed Mar  9 17:58:40 2011
@@ -606,8 +606,7 @@ public class SymmetricBindingHandler ext
         dkSign.setDerivedKeyLength(sbinding.getAlgorithmSuite().getSignatureDerivedKeyLength()
/ 8);
         if (tok.getSHA1() != null) {
             //Set the value type of the reference
-            dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
-                + WSConstants.ENC_KEY_VALUE_TYPE);
+            dkSign.setCustomValueType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
         } else {
             dkSign.setCustomValueType(tok.getTokenType());
         }



Mime
View raw message