From cohei...@apache.org
Subject svn commit: r1102804 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security: policy/interceptors/ wss4j/policyhandlers/ wss4j/policyvalidators/
Date Fri, 13 May 2011 16:14:57 GMT
Author: coheigea
Date: Fri May 13 16:14:57 2011
New Revision: 1102804

URL: http://svn.apache.org/viewvc?rev=1102804&view=rev
Log:
Made some improvements to how token inclusion types are handled inbound + outbound.

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Fri May 13 16:14:57 2011
@@ -285,6 +285,7 @@ public class IssuedTokenInterceptorProvi
             } else if (assertionWrapper.getSaml2() != null) {
                 token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
             }
+            token.setToken(assertionWrapper.getElement());
             return token;
         }
     }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Fri May 13 16:14:57 2011
@@ -1615,11 +1615,7 @@ public abstract class AbstractBindingBui
                       
         //Check for whether the token is attached in the message or not
         boolean attached = false;
-        
-        if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == policyToken.getInclusion()
-            || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == policyToken.getInclusion()
-            || (isRequestor() && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

-                    == policyToken.getInclusion())) {
+        if (includeToken(policyToken.getInclusion())) {
             attached = true;
         }
         
@@ -1939,5 +1935,22 @@ public abstract class AbstractBindingBui
         return part;
     }
     
+    protected boolean includeToken(SPConstants.IncludeTokenType inclusion) {
+        if (inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
+            return true;
+        }
+        if (isRequestor()) {
+            if (inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

+                || inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE) {
+                return true;
+            }
+        } else {
+            if (inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR)
{
+                return true;
+            }
+        }
+        return false;
+    }
+    
     
 }
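Review bot: `includeToken` has no Javadoc, and it is not a pure extraction of the conditions it replaces: INCLUDE_TOKEN_ONCE now attaches the token only on the requestor side (previously on both sides), INCLUDE_TOKEN_ALWAYS_TO_INITIATOR now attaches it on the non-requestor side (previously never), and the transport-token site in TransportBindingHandler additionally gains an `isRequestor()` guard for ALWAYS_TO_RECIPIENT that it did not have before; every call site switched to the helper in this commit (AbstractBindingBuilder, AsymmetricBindingHandler, SymmetricBindingHandler, TransportBindingHandler) picks up that change. A Javadoc should state which inclusion types attach the token when this side is the requestor and which when it is the recipient, that a null or INCLUDE_TOKEN_NEVER inclusion returns false, and that the mapping is the outbound mirror of `AbstractTokenPolicyValidator.isTokenRequired`, so the two must be changed together. The log message "Made some improvements" does not record the semantic change; a one-line note in the Javadoc would save the next reader from treating this as a no-op refactor.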

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Fri May 13 16:14:57 2011
@@ -38,7 +38,6 @@ import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
 import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
 import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
 import org.apache.cxf.ws.security.policy.model.IssuedToken;
@@ -112,13 +111,7 @@ public class AsymmetricBindingHandler ex
                     } else {
                         policyAsserted(initiatorToken);
                         
-                        IncludeTokenType inclusion = initiatorToken.getInclusion();
-                        if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == inclusion
-                            || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == inclusion
-                            || (isRequestor() 
-                                && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

-                                    == inclusion)) {
-                            
+                        if (includeToken(initiatorToken.getInclusion())) {
                             Element el = secToken.getToken();
                             this.addEncryptedKeyElement(cloneElement(el));
                             attached = true;
@@ -202,13 +195,7 @@ public class AsymmetricBindingHandler ex
                 } else {
                     policyAsserted(initiatorToken);
                     
-                    IncludeTokenType inclusion = initiatorToken.getInclusion();
-                    if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == inclusion
-                        || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == inclusion
-                        || (isRequestor() 
-                            && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

-                                == inclusion)) {
-                        
+                    if (includeToken(initiatorToken.getInclusion())) {
                         Element el = secToken.getToken();
                         this.addEncryptedKeyElement(cloneElement(el));
                         attached = true;

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Fri May 13 16:14:57 2011
@@ -178,12 +178,7 @@ public class SymmetricBindingHandler ext
     
                 boolean attached = false;
                 
-                if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == encryptionToken.getInclusion()
-                    || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == encryptionToken.getInclusion()
-                    || (isRequestor() 
-                        && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

-                            == encryptionToken.getInclusion())) {
-                    
+                if (includeToken(encryptionToken.getInclusion())) {
                     Element el = tok.getToken();
                     this.addEncryptedKeyElement(cloneElement(el));
                     attached = true;
@@ -298,21 +293,17 @@ public class SymmetricBindingHandler ext
             if (sigTok == null) {
                 //REVISIT - no token?
             }
+            
             boolean tokIncluded = true;
-            if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == sigToken.getInclusion()
-                || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == sigToken.getInclusion()
-                || (isRequestor() 
-                    && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

-                        == sigToken.getInclusion())) {
-                
+            if (includeToken(sigToken.getInclusion())) {
                 Element el = sigTok.getToken();
                 sigTokElem = cloneElement(el);
-                this.addEncryptedKeyElement((Element)sigTokElem);
+                this.addEncryptedKeyElement(sigTokElem);
             } else if (isRequestor() && sigToken instanceof X509Token) {
                 Element el = sigTok.getToken();
                 sigTokElem = (Element)secHeader.getSecurityHeader().getOwnerDocument()
                         .importNode(el, true);
-                this.addEncryptedKeyElement((Element)sigTokElem);
+                this.addEncryptedKeyElement(sigTokElem);
             } else {
                 tokIncluded = false;
             }
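Review bot: The `if (sigTok == null) { //REVISIT - no token? }` block directly above the new `includeToken` branch still falls through to `sigTok.getToken()` whenever the inclusion type says the token is attached, so a missing token surfaces as a NullPointerException instead of a policy failure. That branch should terminate, e.g. `if (sigTok == null) { throw new IllegalStateException("No security token available for the signature token"); }` (or the project's Fault type, which AsymmetricBindingHandler already imports). The `encrTok = tokenStore.getToken(encrTokId)` lookup in the next hunk and `secTok = getSecurityToken()` in TransportBindingHandler dereference their result under the same `includeToken` check without a null check either. The enclosing method starts and ends outside this hunk.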
@@ -351,11 +342,7 @@ public class SymmetricBindingHandler ext
                 //REVISIT - issued token from trust? 
                 encrTok = tokenStore.getToken(encrTokId);
                 
-                if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == encrToken.getInclusion()
-                    || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == encrToken.getInclusion()
-                    || (isRequestor() 
-                            && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

-                            == encrToken.getInclusion())) {
+                if (includeToken(encrToken.getInclusion())) {
                     Element encrTokElem = (Element)encrTok.getToken();
                     
                     //Add the encrToken element before the sigToken element
@@ -569,11 +556,7 @@ public class SymmetricBindingHandler ext
         
         //Check for whether the token is attached in the message or not
         boolean attached = false;
-        
-        if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == policyToken.getInclusion()
-            || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == policyToken.getInclusion()
-            || (isRequestor() && SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

-                    == policyToken.getInclusion())) {
+        if (includeToken(policyToken.getInclusion())) {
             attached = true;
         }
         

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Fri May 13 16:14:57 2011
@@ -35,8 +35,6 @@ import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
 import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
 import org.apache.cxf.ws.security.policy.model.Header;
 import org.apache.cxf.ws.security.policy.model.IssuedToken;
@@ -94,13 +92,7 @@ public class TransportBindingHandler ext
             } else if (token instanceof IssuedToken) {
                 SecurityToken secTok = getSecurityToken();
                 
-                SPConstants.IncludeTokenType inclusion = token.getInclusion();
-                
-                if (inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS
-                    || ((inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

-                        || inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE)

-                        && isRequestor())) {
-                  
+                if (includeToken(token.getInclusion())) {
                     //Add the token
                     addEncryptedKeyElement(cloneElement(secTok.getToken()));
                 }
@@ -140,13 +132,7 @@ public class TransportBindingHandler ext
                         } else {
                             policyAsserted(transportToken);
                         }
-                        
-                        IncludeTokenType inclusion = transportToken.getInclusion();
-                        if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == inclusion
-                            || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == inclusion
-                            || (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

-                                == inclusion)) {
-                            
+                        if (includeToken(transportToken.getInclusion())) {
                             Element el = secToken.getToken();
                             addEncryptedKeyElement(cloneElement(el));
                         } 
@@ -339,15 +325,10 @@ public class TransportBindingHandler ext
             secTok = getSecurityToken();
         }
    
-        SPConstants.IncludeTokenType inclusion = token.getInclusion();
         boolean tokenIncluded = false;
         
         List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
-        if (inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS
-            || ((inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT

-                || inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE) 
-                && isRequestor())) {
-          
+        if (includeToken(token.getInclusion())) {
             //Add the token
             Element el = cloneElement(secTok.getToken());
             if (securityTok != null) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
Fri May 13 16:14:57 2011
@@ -33,7 +33,7 @@ import org.apache.ws.security.saml.ext.O
 /**
  * Some abstract functionality for validating SAML Assertions
  */
-public abstract class AbstractSamlPolicyValidator {
+public abstract class AbstractSamlPolicyValidator extends AbstractTokenPolicyValidator {
     
     /**
      * Check the holder-of-key requirements against the received assertion. The subject

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java?rev=1102804&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
Fri May 13 16:14:57 2011
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
+import org.apache.cxf.ws.security.policy.model.Token;
+
+/**
+ * Some abstract functionality for validating a Security Token.
+ */
+public abstract class AbstractTokenPolicyValidator {
+    
+    /**
+     * Check to see if a token is required or not.
+     * @param token the token
+     * @param message The message
+     * @return true if the token is required
+     */
+    protected boolean isTokenRequired(
+        Token token,
+        Message message
+    ) {
+        IncludeTokenType inclusion = token.getInclusion();
+        if (inclusion == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
+            return false;
+        } else if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
+            return true;
+        } else {
+            boolean initiator = MessageUtils.isRequestor(message);
+            if (initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR))
{
+                return true;
+            } else if (!initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ONCE
+                || inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT)) {
+                return true;
+            }
+            return false;
+        }
+    }
+    
+}
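Review bot: The Javadoc on `isTokenRequired` says only "true if the token is required"; it should spell out the inbound mapping the body implements — on the initiator side (`MessageUtils.isRequestor`) a token is expected only for INCLUDE_TOKEN_ALWAYS and INCLUDE_TOKEN_ALWAYS_TO_INITIATOR, on the recipient side for ALWAYS, ONCE and ALWAYS_TO_RECIPIENT, while NEVER and a null inclusion yield false — and state that it is the inbound mirror of `AbstractBindingBuilder.includeToken`, so the two must be kept in step. The null case is handled only implicitly by the `inclusion == ...` comparisons in the else branch; if that is intended it deserves a comment, since a validator returning "not required" for a malformed policy is a permissive default. As a point of style, an if/else chain over an enum reads more clearly as a switch, which also makes the per-side mapping explicit:
```java
    protected boolean isTokenRequired(Token token, Message message) {
        IncludeTokenType inclusion = token.getInclusion();
        if (inclusion == null) {
            return false;
        }
        switch (inclusion) {
        case INCLUDE_TOKEN_ALWAYS:
            return true;
        case INCLUDE_TOKEN_ALWAYS_TO_INITIATOR:
            return MessageUtils.isRequestor(message);
        case INCLUDE_TOKEN_ONCE:
        case INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT:
            return !MessageUtils.isRequestor(message);
        default:
            // INCLUDE_TOKEN_NEVER
            return false;
        }
    }
```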

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
Fri May 13 16:14:57 2011
@@ -68,6 +68,18 @@ public class IssuedTokenPolicyValidator 
                 IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
                 ai.setAsserted(true);
                 
+                boolean tokenRequired = isTokenRequired(issuedToken, message);
+                if ((tokenRequired && assertionWrapper == null) 
+                    || (!tokenRequired && assertionWrapper != null)) {
+                    ai.setNotAsserted(
+                        "The received token does not match the token inclusion requirement"
+                    );
+                    return false;
+                }
+                if (!tokenRequired) {
+                    continue;
+                }
+                
                 Element template = issuedToken.getRstTemplate();
                 if (template != null && !checkIssuedTokenTemplate(template, assertionWrapper))
{
                     ai.setNotAsserted("Error in validating the IssuedToken policy");
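Review bot: The inclusion check added at the top of the loop body is duplicated verbatim in SamlTokenPolicyValidator (same condition, same "does not match the token inclusion requirement" message string), so the two copies will drift the first time one is touched. Both classes now extend AbstractTokenPolicyValidator, so the mismatch rule and the message belong in one protected helper there — e.g. `protected boolean checkTokenInclusion(boolean required, boolean received, AssertionInfo ai)` that calls `ai.setNotAsserted(...)` and returns false when `required != received` — leaving each call site as `boolean tokenRequired = isTokenRequired(issuedToken, message);` / `if (!checkTokenInclusion(tokenRequired, assertionWrapper != null, ai)) { return false; }` / `if (!tokenRequired) { continue; }`. The enclosing loop and method, and the declaration of `assertionWrapper`, start outside this hunk.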

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Fri May 13 16:14:57 2011
@@ -70,6 +70,18 @@ public class SamlTokenPolicyValidator ex
                     (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                 SamlToken samlToken = (SamlToken)ai.getAssertion();
                 ai.setAsserted(true);
+                
+                boolean tokenRequired = isTokenRequired(samlToken, message);
+                if ((tokenRequired && assertionWrapper == null) 
+                    || (!tokenRequired && assertionWrapper != null)) {
+                    ai.setNotAsserted(
+                        "The received token does not match the token inclusion requirement"
+                    );
+                    return false;
+                }
+                if (!tokenRequired) {
+                    continue;
+                }
 
                 if (!checkVersion(samlToken, assertionWrapper)) {
                     ai.setNotAsserted("Wrong SAML Version");


