From cohei...@apache.org
Subject svn commit: r1144404 - in /cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security: policy/interceptors/ wss4j/policyvalidators/
Date Fri, 08 Jul 2011 18:00:40 GMT
Author: coheigea
Date: Fri Jul  8 18:00:40 2011
New Revision: 1144404

URL: http://svn.apache.org/viewvc?rev=1144404&view=rev
Log:
[CXF-3624] - BinarySecurityToken validated by STSTokenValidator doesn't satisfy IssuedToken
policy

Modified:
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1144404&r1=1144403&r2=1144404&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Fri Jul  8 18:00:40 2011
@@ -54,6 +54,7 @@ import org.apache.ws.security.WSConstant
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.handler.WSHandlerConstants;
 import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.message.token.BinarySecurity;
 import org.apache.ws.security.saml.SAMLKeyInfo;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
 import org.apache.ws.security.util.WSSecurityUtil;
@@ -237,51 +238,69 @@ public class IssuedTokenInterceptorProvi
         ) {
             if (results != null) {
                 for (WSHandlerResult rResult : results) {
-                    WSSecurityEngineResult wser = 
-                        findSecurityResult(rResult.getResults());
-                    if (wser != null) {
-                        List<WSSecurityEngineResult> signedResults = 
-                            new ArrayList<WSSecurityEngineResult>();
-                        WSSecurityUtil.fetchAllActionResults(
-                            rResult.getResults(), WSConstants.SIGN, signedResults
-                        );
-                        
-                        //
-                        // Validate the Issued Token policy
-                        //
-                        IssuedTokenPolicyValidator issuedValidator = 
-                            new IssuedTokenPolicyValidator(signedResults, message);
-                        if (!issuedValidator.validatePolicy(aim, wser)) {
-                            break;
-                        }
-                        
-                        SecurityToken token = createSecurityToken(wser);
-                        message.getExchange().put(SecurityConstants.TOKEN, token);
+                    List<WSSecurityEngineResult> signedResults = 
+                        new ArrayList<WSSecurityEngineResult>();
+                    WSSecurityUtil.fetchAllActionResults(
+                        rResult.getResults(), WSConstants.SIGN, signedResults
+                    );
+                    IssuedTokenPolicyValidator issuedValidator = 
+                        new IssuedTokenPolicyValidator(signedResults, message);
+                    Collection<AssertionInfo> issuedAis = aim.get(SP12Constants.ISSUED_TOKEN);
+                    
+                    for (AssertionWrapper assertionWrapper 
+                        : findSamlTokenResults(rResult.getResults())) {
+                        boolean valid = issuedValidator.validatePolicy(issuedAis, assertionWrapper);
+                        if (valid) {
+                            SecurityToken token = createSecurityToken(assertionWrapper);
+                            message.getExchange().put(SecurityConstants.TOKEN, token);
+                            return;
+                        }
+                    }
+                    for (BinarySecurity binarySecurityToken 
+                        : findBinarySecurityTokenResults(rResult.getResults())) {
+                        boolean valid = issuedValidator.validatePolicy(issuedAis, binarySecurityToken);
+                        if (valid) {
+                            SecurityToken token = createSecurityToken(binarySecurityToken);
+                            message.getExchange().put(SecurityConstants.TOKEN, token);
+                            return;
+                        }
                     }
                 }
             }
         }
         
-        private WSSecurityEngineResult findSecurityResult(
+        private List<AssertionWrapper> findSamlTokenResults(
             List<WSSecurityEngineResult> wsSecEngineResults
         ) {
+            List<AssertionWrapper> results = new ArrayList<AssertionWrapper>();
             for (WSSecurityEngineResult wser : wsSecEngineResults) {
                 Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
                 if (actInt.intValue() == WSConstants.ST_SIGNED
                     || actInt.intValue() == WSConstants.ST_UNSIGNED) {
-                    return wser;
+                    results.add((AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION));
+                }
+            }
+            return results;
+        }
+        
+        private List<BinarySecurity> findBinarySecurityTokenResults(
+            List<WSSecurityEngineResult> wsSecEngineResults
+        ) {
+            List<BinarySecurity> results = new ArrayList<BinarySecurity>();
+            for (WSSecurityEngineResult wser : wsSecEngineResults) {
+                Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+                if (actInt.intValue() == WSConstants.BST) {
+                    results.add((BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN));
                 }
             }
-            return null;
+            return results;
         }
         
         private SecurityToken createSecurityToken(
-            WSSecurityEngineResult wser
+            AssertionWrapper assertionWrapper
         ) {
-            AssertionWrapper assertionWrapper = 
-                (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
             SecurityToken token = new SecurityToken(assertionWrapper.getId());
-            
+
             SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
             if (subjectKeyInfo != null) {
                 token.setSecret(subjectKeyInfo.getSecret());
@@ -296,7 +315,19 @@ public class IssuedTokenInterceptorProvi
                 token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
             }
             token.setToken(assertionWrapper.getElement());
+
+            return token;
+        }
+    
+        private SecurityToken createSecurityToken(BinarySecurity binarySecurityToken) {
+            SecurityToken token = new SecurityToken(binarySecurityToken.getID());
+            token.setToken(binarySecurityToken.getElement());
+            token.setSecret(binarySecurityToken.getToken());
+            token.setTokenType(binarySecurityToken.getValueType());
+    
             return token;
         }
+        
     }
+        
 }
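Review bot: `createSecurityToken(BinarySecurity)` stores the BST's token value as the SecurityToken secret via `token.setSecret(binarySecurityToken.getToken())`, but nothing documents that the BST content is being treated as key material, and `getID()`/`getValueType()` are passed through without a null check. A comment such as `// the BST content is the key material issued by the STS and is used as the token secret` (confirm this matches what STSTokenValidator produces) would make the intent explicit for the next maintainer. The hunk also adds whitespace-only lines with trailing spaces (the `+` lines before and after the new method), which checkstyle will reject.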

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1144404&r1=1144403&r2=1144404&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
Fri Jul  8 18:00:40 2011
@@ -29,11 +29,10 @@ import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.model.IssuedToken;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.message.token.BinarySecurity;
 import org.apache.ws.security.saml.SAMLKeyInfo;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
 
@@ -57,20 +56,16 @@ public class IssuedTokenPolicyValidator 
     }
     
     public boolean validatePolicy(
-        AssertionInfoMap aim,
-        WSSecurityEngineResult wser
+        Collection<AssertionInfo> issuedAis,
+        AssertionWrapper assertionWrapper
     ) {
-        Collection<AssertionInfo> issuedAis = aim.get(SP12Constants.ISSUED_TOKEN);
-        if (issuedAis != null && !issuedAis.isEmpty()) {
+        if (issuedAis != null) {
             for (AssertionInfo ai : issuedAis) {
-                AssertionWrapper assertionWrapper = 
-                    (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                 IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
                 ai.setAsserted(true);
                 
                 boolean tokenRequired = isTokenRequired(issuedToken, message);
-                if ((tokenRequired && assertionWrapper == null) 
-                    || (!tokenRequired && assertionWrapper != null)) {
+                if (tokenRequired && assertionWrapper == null) {
                     ai.setNotAsserted(
                         "The received token does not match the token inclusion requirement"
                     );
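Review bot: The relaxed inclusion check `if (tokenRequired && assertionWrapper == null)` now tolerates a token that the policy says is not required, and because `ai.setAsserted(true)` runs before the check, invoking this overload once per received token (as IssuedTokenInterceptorProvider now does) means the last call decides the AssertionInfo state. A short Javadoc on `validatePolicy` stating that a token present when not required is accepted, and that repeated calls overwrite the asserted state, would document the new contract. The same relaxed condition is applied in SamlTokenPolicyValidator and UsernameTokenPolicyValidator in this commit. The method body continues past the end of the hunk.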
@@ -100,6 +95,36 @@ public class IssuedTokenPolicyValidator 
         return true;
     }
     
+    public boolean validatePolicy(
+        Collection<AssertionInfo> issuedAis,
+        BinarySecurity binarySecurityToken
+    ) {
+        if (issuedAis != null) {
+            for (AssertionInfo ai : issuedAis) {
+                IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
+                ai.setAsserted(true);
+
+                boolean tokenRequired = isTokenRequired(issuedToken, message);
+                if (tokenRequired && binarySecurityToken == null) {
+                    ai.setNotAsserted(
+                        "The received token does not match the token inclusion requirement"
+                    );
+                    return false;
+                }
+                if (!tokenRequired) {
+                    continue;
+                }
+
+                Element template = issuedToken.getRstTemplate();
+                if (template != null && !checkIssuedTokenTemplate(template, binarySecurityToken))
{
+                    ai.setNotAsserted("Error in validating the IssuedToken policy");
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+    
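Review bot: The new `validatePolicy(Collection<AssertionInfo>, BinarySecurity)` never consults the signed results handed to the constructor and only checks the RST template's TokenType via `checkIssuedTokenTemplate`; if the SAML overload enforces anything further down (outside this hunk, for instance against the signed results or the subject key info), the BST overload lacks the equivalent, and a BST that merely carries the expected ValueType satisfies the policy. If that is intended, say so in a Javadoc: `/** Validates a received BinarySecurityToken against the IssuedToken policy; only the RST template's TokenType is compared. */`. The loop duplicates the SAML overload line for line except for the final template call, so the shared part could be extracted into a private helper.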
     /**
      * Check the issued token template against the received assertion
      */
@@ -134,5 +159,23 @@ public class IssuedTokenPolicyValidator 
         }
         return true;
     }
+    
+    /**
+     * Check the issued token template against the received BinarySecurityToken
+     */
+    private boolean checkIssuedTokenTemplate(Element template, BinarySecurity binarySecurityToken)
{
+        Element child = DOMUtils.getFirstElement(template);
+        while (child != null) {
+            if ("TokenType".equals(child.getLocalName())) {
+                String content = child.getTextContent();
+                String valueType = binarySecurityToken.getValueType();
+                if (!content.equals(valueType)) {
+                    return false;
+                }
+            }
+            child = DOMUtils.getNextElement(child);
+        }
+        return true;
+    }
    
 }
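Review bot: `checkIssuedTokenTemplate(Element, BinarySecurity)` compares `child.getTextContent()` with the ValueType verbatim, so a pretty-printed RST template whose TokenType element carries surrounding whitespace would never match (depends on how the policy is loaded, so worth confirming); `if (!content.trim().equals(valueType))` would be more tolerant. The Javadoc should also say that only the TokenType child is inspected and any other template element is ignored, e.g. `Check the issued token template against the received BinarySecurityToken; only the TokenType element is compared`.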

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1144404&r1=1144403&r2=1144404&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Fri Jul  8 18:00:40 2011
@@ -72,8 +72,7 @@ public class SamlTokenPolicyValidator ex
                 ai.setAsserted(true);
                 
                 boolean tokenRequired = isTokenRequired(samlToken, message);
-                if ((tokenRequired && assertionWrapper == null) 
-                    || (!tokenRequired && assertionWrapper != null)) {
+                if (tokenRequired && assertionWrapper == null) {
                     ai.setNotAsserted(
                         "The received token does not match the token inclusion requirement"
                     );

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java?rev=1144404&r1=1144403&r2=1144404&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
Fri Jul  8 18:00:40 2011
@@ -56,8 +56,7 @@ public class UsernameTokenPolicyValidato
                 ai.setAsserted(true);
                 
                 boolean tokenRequired = isTokenRequired(usernameTokenPolicy, message);
-                if ((tokenRequired && usernameToken == null) 
-                    || (!tokenRequired && usernameToken != null)) {
+                if (tokenRequired && usernameToken == null) {
                     ai.setNotAsserted(
                         "The received token does not match the token inclusion requirement"
                     );


