cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1099501 - /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
Date Wed, 04 May 2011 16:06:17 GMT
Author: coheigea
Date: Wed May  4 16:06:17 2011
New Revision: 1099501

URL: http://svn.apache.org/viewvc?rev=1099501&view=rev
Log:
[CXF-3461] - EndorsingSupportingTokens policy reports not satisfied when using TLS with signed
timestamp

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1099501&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
Wed May  4 16:06:17 2011
@@ -0,0 +1,133 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.security.cert.Certificate;
+import java.util.Collection;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.security.transport.TLSSessionInfo;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.ws.security.WSDataRef;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSSecurityEngineResult;
+
+/**
+ * Validate an EndorsingSupportingToken policy. 
+ */
+public class EndorsingTokenPolicyValidator {
+    
+    private List<WSSecurityEngineResult> signedResults;
+    private Message message;
+
+    public EndorsingTokenPolicyValidator(
+        List<WSSecurityEngineResult> signedResults,
+        Message message
+    ) {
+        this.signedResults = signedResults;
+        this.message = message;
+    }
+    
+    public boolean validatePolicy(
+        AssertionInfoMap aim
+    ) {
+        Collection<AssertionInfo> endorsingAis = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
+        if (endorsingAis != null && !endorsingAis.isEmpty()) {
+            for (AssertionInfo ai : endorsingAis) {
+                ai.setAsserted(true);
+                
+                TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+                Certificate[] tlsCerts = null;
+                if (tlsInfo != null) {
+                    tlsCerts = tlsInfo.getPeerCertificates();
+                }
+                if (!checkEndorsed(tlsCerts)) {
+                    ai.setNotAsserted("Message fails endorsing supporting tokens requirements");
+                    return false;
+                }
+            }
+        }
+        
+        return true;
+    }
+    
+    /**
+     * Check the endorsing supporting token policy. If we're using the Transport Binding
then
+     * check that the Timestamp is signed. Otherwise, check that the signature is signed.
+     * @param tlsCerts
+     * @return true if the endorsed supporting token policy is correct
+     */
+    private boolean checkEndorsed(Certificate[] tlsCerts) {
+        if (tlsCerts != null && tlsCerts.length > 0) {
+            return checkTimestampIsSigned();
+        }
+        return checkSignatureIsSigned();
+    }
+    
+    /**
+     * Return true if the Timestamp is signed
+     * @return true if the Timestamp is signed
+     */
+    private boolean checkTimestampIsSigned() {
+        for (WSSecurityEngineResult signedResult : signedResults) {
+            List<WSDataRef> sl =
+                CastUtils.cast((List<?>)signedResult.get(
+                    WSSecurityEngineResult.TAG_DATA_REF_URIS
+                ));
+            if (sl != null) {
+                for (WSDataRef dataRef : sl) {
+                    QName signedQName = dataRef.getName();
+                    if (WSSecurityEngine.TIMESTAMP.equals(signedQName)) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+    
+    /**
+     * Return true if the Signature is itself signed
+     * @return true if the Signature is itself signed
+     */
+    private boolean checkSignatureIsSigned() {
+        for (WSSecurityEngineResult signedResult : signedResults) {
+            List<WSDataRef> sl =
+                CastUtils.cast((List<?>)signedResult.get(
+                    WSSecurityEngineResult.TAG_DATA_REF_URIS
+                ));
+            if (sl != null) {
+                for (WSDataRef dataRef : sl) {
+                    QName signedQName = dataRef.getName();
+                    if (WSSecurityEngine.SIGNATURE.equals(signedQName)) {
+                        return true;
+                    }
+                }
+            }
+        }
+        return false;
+    }
+}



Mime
View raw message