From cohei...@apache.org
Subject svn commit: r1090152 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security: policy/interceptors/ wss4j/policyvalidators/
Date Fri, 08 Apr 2011 07:52:34 GMT
Author: coheigea
Date: Fri Apr  8 07:52:34 2011
New Revision: 1090152

URL: http://svn.apache.org/viewvc?rev=1090152&view=rev
Log:
[CXF-3432] - Support WS-SecurityPolicy SamlToken expressions (Part V)
 - Added support for validating IssuedToken policies against received Assertions.

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1090152&r1=1090151&r2=1090152&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Fri Apr  8 07:52:34 2011
@@ -48,6 +48,7 @@ import org.apache.cxf.ws.security.trust.
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.handler.WSHandlerConstants;
@@ -203,21 +204,22 @@ public class IssuedTokenInterceptorProvi
                     return;
                 }
                 if (!isRequestor(message)) {
-                    boolean found = false;
                     List<WSHandlerResult> results = 
                         CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
                     if (results != null) {
                         for (WSHandlerResult rResult : results) {
-                            SecurityToken token = findIssuedToken(rResult.getResults());
-                            if (token != null) {
-                                found = true;
+                            WSSecurityEngineResult wser = 
+                                findSecurityResult(rResult.getResults());
+                            if (wser != null) {
+                                IssuedTokenPolicyValidator issuedValidator = 
+                                    new IssuedTokenPolicyValidator();
+                                issuedValidator.validatePolicy(aim, wser);
+                                
+                                SecurityToken token = createSecurityToken(wser);
                                 message.getExchange().put(SecurityConstants.TOKEN, token);
                             }
                         }
                     }
-                    for (AssertionInfo inf : ais) {
-                        inf.setAsserted(found);
-                    }
                 } else {
                     //client side should be checked on the way out
                     for (AssertionInfo ai : ais) {
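Review bot: The result of `issuedValidator.validatePolicy(aim, wser)` is discarded on the line after the validator is constructed, so when the IssuedToken template check fails the code still builds a SecurityToken and stores it under SecurityConstants.TOKEN in the exchange. Gating the token on the validator keeps a rejected assertion out of the exchange: wrap the `createSecurityToken` call and the `put` in `if (issuedValidator.validatePolicy(aim, wser)) {`. The removed `inf.setAsserted(found)` loop was also the only place the IssuedToken assertions were marked when no signed SAML result is found; with it gone they are left untouched in that case, which presumably the policy verification interceptor reports as unasserted, but that is worth confirming rather than relying on. The enclosing method starts before and ends after this hunk.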
@@ -227,7 +229,7 @@ public class IssuedTokenInterceptorProvi
             }
         }
         
-        private SecurityToken findIssuedToken(
+        private WSSecurityEngineResult findSecurityResult(
             List<WSSecurityEngineResult> wsSecEngineResults
         ) {
             for (WSSecurityEngineResult wser : wsSecEngineResults) {
@@ -235,24 +237,33 @@ public class IssuedTokenInterceptorProvi
                 if (actInt.intValue() == WSConstants.ST_SIGNED) {
                     AssertionWrapper assertionWrapper = 
                         (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-                    SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
-                    if (subjectKeyInfo != null) {
-                        SecurityToken token = new SecurityToken(assertionWrapper.getId());
-                        token.setSecret(subjectKeyInfo.getSecret());
-                        X509Certificate[] certs = subjectKeyInfo.getCerts();
-                        if (certs != null && certs.length > 0) {
-                            token.setX509Certificate(certs[0], null);
-                        }
-                        if (assertionWrapper.getSaml1() != null) {
-                            token.setTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
-                        } else if (assertionWrapper.getSaml2() != null) {
-                            token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
-                        }
-                        return token;
+                    if (assertionWrapper.getSubjectKeyInfo() != null) {
+                        return wser;
                     }
                 }
             }
             return null;
         }
+        
+        private SecurityToken createSecurityToken(
+            WSSecurityEngineResult wser
+        ) {
+            AssertionWrapper assertionWrapper = 
+                (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+            SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
+            
+            SecurityToken token = new SecurityToken(assertionWrapper.getId());
+            token.setSecret(subjectKeyInfo.getSecret());
+            X509Certificate[] certs = subjectKeyInfo.getCerts();
+            if (certs != null && certs.length > 0) {
+                token.setX509Certificate(certs[0], null);
+            }
+            if (assertionWrapper.getSaml1() != null) {
+                token.setTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
+            } else if (assertionWrapper.getSaml2() != null) {
+                token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+            }
+            return token;
+        }
     }
 }
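Review bot: `createSecurityToken` dereferences `subjectKeyInfo` on the `token.setSecret(...)` line without a null check, so it is only safe because `findSecurityResult` now returns a result solely when `getSubjectKeyInfo()` is non-null; that precondition is stated nowhere and a second caller would trip it. A Javadoc on the new method along the lines of `Build a SecurityToken from a signed-SAML WSSecurityEngineResult; the result must hold an AssertionWrapper whose getSubjectKeyInfo() is non-null, as findSecurityResult guarantees` would make the contract explicit, or an `if (subjectKeyInfo == null) { throw new IllegalStateException("No subject KeyInfo in SAML result"); }` guard would enforce it. `findSecurityResult`'s signature is in the previous hunk and its body begins outside this one.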

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1090152&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
Fri Apr  8 07:52:34 2011
@@ -0,0 +1,101 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.Collection;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.IssuedToken;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+import org.opensaml.common.SAMLVersion;
+
+/**
+ * Validate a WSSecurityEngineResult corresponding to the processing of a SAML Assertion
+ * against an IssuedToken policy.
+ */
+public class IssuedTokenPolicyValidator {
+    
+    public boolean validatePolicy(
+        AssertionInfoMap aim,
+        WSSecurityEngineResult wser
+    ) {
+        Collection<AssertionInfo> issuedAis = aim.get(SP12Constants.ISSUED_TOKEN);
+        if (issuedAis != null && !issuedAis.isEmpty()) {
+            for (AssertionInfo ai : issuedAis) {
+                AssertionWrapper assertionWrapper = 
+                    (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
+                Element template = issuedToken.getRstTemplate();
+                if (template != null && !checkIssuedTokenTemplate(template, assertionWrapper))
{
+                    ai.setNotAsserted("Error in validating the IssuedToken policy");
+                    return false;
+                }
+
+                ai.setAsserted(true);
+            }
+        }
+        return true;
+    }
+    
+    /**
+     * Check the issued token template against the received assertion
+     */
+    private boolean checkIssuedTokenTemplate(Element template, AssertionWrapper assertionWrapper)
{
+        Element child = DOMUtils.getFirstElement(template);
+        while (child != null) {
+            if ("TokenType".equals(child.getLocalName())) {
+                String content = child.getTextContent();
+                if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(content) 
+                    && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11)
{
+                    return false;
+                } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(content) 
+                    && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20)
{
+                    return false;
+                }
+            } else if ("KeyType".equals(child.getLocalName())) {
+                String content = child.getTextContent();
+                if (content.endsWith("SymmetricKey")) {
+                    SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
+                    if (subjectKeyInfo == null || subjectKeyInfo.getSecret() == null) {
+                        return false;
+                    }
+                } else if (content.endsWith("PublicKey")) {
+                    SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
+                    if (subjectKeyInfo == null || (subjectKeyInfo.getPublicKey() == null
+                        && subjectKeyInfo.getCerts() == null)) {
+                        return false;
+                    }
+                }
+            }
+            child = DOMUtils.getNextElement(child);
+        }
+        return true;
+    }
+   
+}
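Review bot: In `checkIssuedTokenTemplate` the `PublicKey` branch accepts an assertion whose `getCerts()` returns an empty array, since only `subjectKeyInfo.getCerts() == null` is tested, whereas `IssuedTokenInterceptorProvider.createSecurityToken` in the same commit treats an empty array like null (`certs != null && certs.length > 0`); the two should agree, e.g. `&& (subjectKeyInfo.getCerts() == null || subjectKeyInfo.getCerts().length == 0)`. A `TokenType` value matching neither SAML constant also falls through the `if`/`else if` chain without rejecting, so a template asking for some other token type is silently satisfied by a SAML assertion; a closing `else { return false; }` on that chain keeps the check fail-closed, assuming no non-SAML TokenType is expected to reach this validator. `validatePolicy` has no Javadoc and casts `wser.get(TAG_SAML_ASSERTION)` inside the loop without a null check, relying on the caller having already selected a SAML result; a method comment stating that precondition, and hoisting the loop-invariant cast above the `for`, would make the method easier to use safely.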

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1090152&r1=1090151&r2=1090152&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Fri Apr  8 07:52:34 2011
@@ -36,7 +36,7 @@ import org.opensaml.common.SAMLVersion;
  */
 public class SamlTokenPolicyValidator {
     
-    public void validatePolicy(
+    public boolean validatePolicy(
         AssertionInfoMap aim,
         WSSecurityEngineResult wser
     ) {
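Review bot: The new `boolean` return on `validatePolicy` is undocumented: the Javadoc that closes on the first context line of this hunk is not extended to say what true and false mean, and the `return true` added at the end of the method appears to be reached even when the map holds no SamlToken assertion, so callers cannot tell "checked and passed" from "nothing to check". A `@return` tag such as `@return true if every SamlToken assertion in the map is satisfied by the received assertion (or none is present), false on the first mismatch` would pin that down. The method body continues outside this hunk.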
@@ -50,7 +50,7 @@ public class SamlTokenPolicyValidator {
 
                 if (!checkVersion(samlToken, assertionWrapper)) {
                     ai.setNotAsserted("Wrong SAML Version");
-                    return;
+                    return false;
                 }
                 /*
                 if (!checkIssuerName(samlToken, assertionWrapper)) {
@@ -59,6 +59,7 @@ public class SamlTokenPolicyValidator {
                 */
             }
         }
+        return true;
     }
     
     /**


