cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1099502 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j: PolicyBasedWSS4JInInterceptor.java policyvalidators/EndorsingTokenPolicyValidator.java
Date Wed, 04 May 2011 16:06:49 GMT
Author: coheigea
Date: Wed May  4 16:06:49 2011
New Revision: 1099502

URL: http://svn.apache.org/viewvc?rev=1099502&view=rev
Log:
[CXF-3461] - EndorsingSupportingTokens policy reports not satisfied when using TLS with signed
timestamp

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1099502&r1=1099501&r2=1099502&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Wed May  4 16:06:49 2011
@@ -74,6 +74,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.model.X509Token;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
 import org.apache.neethi.Assertion;
 import org.apache.ws.security.WSConstants;
@@ -540,7 +541,6 @@ public class PolicyBasedWSS4JInIntercept
                         && sl.get(0).getName().equals(new QName(WSConstants.SIG_NS,
WSConstants.SIG_LN))) {
                         //endorsing the signature
                         hasEndorsement = true;
-                        break;
                     }
                     for (WSDataRef r : sl) {
                         signed.add(r);
@@ -621,18 +621,24 @@ public class PolicyBasedWSS4JInIntercept
         assertSymetricBinding(aim, msg, prots, hasDerivedKeys);
         assertTransportBinding(aim);
         
-        
         //REVISIT - probably can verify some of these like if UT is encrypted and/or signed,
etc...
         assertPolicy(aim, SP12Constants.SIGNED_SUPPORTING_TOKENS);
         assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
         assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
         assertPolicy(aim, SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
         if (hasEndorsement || isRequestor(msg)) {
-            assertPolicy(aim, SP12Constants.ENDORSING_SUPPORTING_TOKENS);
             assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
             assertPolicy(aim, SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
             assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         }
+        if (isRequestor(msg)) {
+            assertPolicy(aim, SP12Constants.ENDORSING_SUPPORTING_TOKENS);
+        } else {
+            // TODO need to revisit all of the other endorsed policies
+            EndorsingTokenPolicyValidator endorsingValidator = 
+                new EndorsingTokenPolicyValidator(signedResults, msg);
+            endorsingValidator.validatePolicy(aim);
+        }
         super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);
     }
     private void assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, Node header)


Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1099502&r1=1099501&r2=1099502&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
Wed May  4 16:06:49 2011
@@ -19,7 +19,6 @@
 
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
-import java.security.cert.Certificate;
 import java.util.Collection;
 import java.util.List;
 
@@ -60,11 +59,11 @@ public class EndorsingTokenPolicyValidat
                 ai.setAsserted(true);
                 
                 TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
-                Certificate[] tlsCerts = null;
+                boolean transport = false;
                 if (tlsInfo != null) {
-                    tlsCerts = tlsInfo.getPeerCertificates();
+                    transport = true;
                 }
-                if (!checkEndorsed(tlsCerts)) {
+                if (!checkEndorsed(transport)) {
                     ai.setNotAsserted("Message fails endorsing supporting tokens requirements");
                     return false;
                 }
@@ -77,11 +76,11 @@ public class EndorsingTokenPolicyValidat
     /**
      * Check the endorsing supporting token policy. If we're using the Transport Binding
then
      * check that the Timestamp is signed. Otherwise, check that the signature is signed.
-     * @param tlsCerts
+     * @param transport
      * @return true if the endorsed supporting token policy is correct
      */
-    private boolean checkEndorsed(Certificate[] tlsCerts) {
-        if (tlsCerts != null && tlsCerts.length > 0) {
+    private boolean checkEndorsed(boolean transport) {
+        if (transport) {
             return checkTimestampIsSigned();
         }
         return checkSignatureIsSigned();



Mime
View raw message