Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 2E3086617 for ; Fri, 8 Jul 2011 17:39:18 +0000 (UTC) Received: (qmail 34757 invoked by uid 500); 8 Jul 2011 17:39:17 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 34655 invoked by uid 500); 8 Jul 2011 17:39:17 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 34648 invoked by uid 99); 8 Jul 2011 17:39:17 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Jul 2011 17:39:17 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 08 Jul 2011 17:39:13 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 1363B238890D for ; Fri, 8 Jul 2011 17:38:52 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1144400 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security: policy/interceptors/ wss4j/policyvalidators/ Date: Fri, 08 Jul 2011 17:38:52 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20110708173852.1363B238890D@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: coheigea Date: Fri Jul 8 17:38:51 2011 New Revision: 1144400 URL: http://svn.apache.org/viewvc?rev=1144400&view=rev Log: [CXF-3624] - BinarySecurityToken validated by STSTokenValidator doesn't satisfy IssuedToken policy Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1144400&r1=1144399&r2=1144400&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java Fri Jul 8 17:38:51 2011 
@@ -54,6 +54,7 @@ import org.apache.ws.security.WSConstant
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.handler.WSHandlerConstants;
 import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.message.token.BinarySecurity;
 import org.apache.ws.security.saml.SAMLKeyInfo;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
 import org.apache.ws.security.util.WSSecurityUtil;
@@ -237,51 +238,69 @@ public class IssuedTokenInterceptorProvi ) { if (results != null) { for (WSHandlerResult rResult : results) { - WSSecurityEngineResult wser = - findSecurityResult(rResult.getResults()); - if (wser != null) { - List signedResults = - new ArrayList(); - WSSecurityUtil.fetchAllActionResults( - rResult.getResults(), WSConstants.SIGN, signedResults - ); - - // - // Validate the Issued Token policy - // - IssuedTokenPolicyValidator issuedValidator = - new IssuedTokenPolicyValidator(signedResults, message); - if (!issuedValidator.validatePolicy(aim, wser)) { - break; - } - - SecurityToken token = createSecurityToken(wser); - message.getExchange().put(SecurityConstants.TOKEN, token); + List signedResults = + new ArrayList(); + WSSecurityUtil.fetchAllActionResults( + rResult.getResults(), WSConstants.SIGN, signedResults + ); + IssuedTokenPolicyValidator issuedValidator = + new IssuedTokenPolicyValidator(signedResults, message); + Collection issuedAis = aim.get(SP12Constants.ISSUED_TOKEN); + + for (AssertionWrapper assertionWrapper + : findSamlTokenResults(rResult.getResults())) { + boolean valid = issuedValidator.validatePolicy(issuedAis, assertionWrapper); + if (valid) { + SecurityToken token = createSecurityToken(assertionWrapper); + message.getExchange().put(SecurityConstants.TOKEN, token); + return; + } + } + for (BinarySecurity binarySecurityToken + : findBinarySecurityTokenResults(rResult.getResults())) { + boolean valid = issuedValidator.validatePolicy(issuedAis, binarySecurityToken); + if (valid) { + SecurityToken token = createSecurityToken(binarySecurityToken); + message.getExchange().put(SecurityConstants.TOKEN, token); + return; + } } } } } - private WSSecurityEngineResult findSecurityResult( + private List findSamlTokenResults( List wsSecEngineResults ) { + List results = new ArrayList(); for (WSSecurityEngineResult wser : wsSecEngineResults) { Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); if (actInt.intValue() == 
WSConstants.ST_SIGNED || actInt.intValue() == WSConstants.ST_UNSIGNED) { - return wser; + results.add((AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION)); + } + } + return results; + } + + private List findBinarySecurityTokenResults( + List wsSecEngineResults + ) { + List results = new ArrayList(); + for (WSSecurityEngineResult wser : wsSecEngineResults) { + Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); + if (actInt.intValue() == WSConstants.BST) { + results.add((BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN)); } } - return null; + return results; } private SecurityToken createSecurityToken( - WSSecurityEngineResult wser + AssertionWrapper assertionWrapper ) { - AssertionWrapper assertionWrapper = - (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); SecurityToken token = new SecurityToken(assertionWrapper.getId()); - + SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo(); if (subjectKeyInfo != null) { token.setSecret(subjectKeyInfo.getSecret()); 
@@ -296,7 +315,19 @@ public class IssuedTokenInterceptorProvi token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE); } token.setToken(assertionWrapper.getElement()); + + return token; + } + + private SecurityToken createSecurityToken(BinarySecurity binarySecurityToken) { + SecurityToken token = new SecurityToken(binarySecurityToken.getID()); + token.setToken(binarySecurityToken.getElement()); + token.setSecret(binarySecurityToken.getToken()); + token.setTokenType(binarySecurityToken.getValueType()); + return token; } + } + } Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1144400&r1=1144399&r2=1144400&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java Fri Jul 8 17:38:51 2011 @@ -29,11 +29,10 @@ import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.message.Message; import org.apache.cxf.security.transport.TLSSessionInfo; import org.apache.cxf.ws.policy.AssertionInfo; -import org.apache.cxf.ws.policy.AssertionInfoMap; -import org.apache.cxf.ws.security.policy.SP12Constants; import org.apache.cxf.ws.security.policy.model.IssuedToken; import org.apache.ws.security.WSConstants; import org.apache.ws.security.WSSecurityEngineResult; +import org.apache.ws.security.message.token.BinarySecurity; import org.apache.ws.security.saml.SAMLKeyInfo; import org.apache.ws.security.saml.ext.AssertionWrapper; 
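Review bot: The new BinarySecurity branch of the result loop accepts the first BST for which `issuedValidator.validatePolicy(issuedAis, binarySecurityToken)` returns true, and nothing in the visible lines ties that BST to `signedResults`, even though the validator is constructed with them; as far as this hunk shows, any BST that WSS4J reported as a `WSConstants.BST` result could satisfy the IssuedToken policy once its ValueType matches the template, so either check membership in the signed results before accepting it or document on `createSecurityToken(BinarySecurity)` that the BST is expected to have already been validated upstream (the commit log mentions STSTokenValidator). `findBinarySecurityTokenResults` also adds `(BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN)` without a null guard, and a null entry is then treated by the validator as "no token received" rather than as a malformed result; `if (bst != null) { results.add(bst); }` would keep the list meaningful. Both helpers cast `TAG_ACTION` to `Integer` and call `intValue()` unguarded, which is the pre-existing pattern but is now repeated twice. The method containing the loop starts before this hunk.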
@@ -57,20 +56,16 @@ public class IssuedTokenPolicyValidator } public boolean validatePolicy( - AssertionInfoMap aim, - WSSecurityEngineResult wser + Collection issuedAis, + AssertionWrapper assertionWrapper ) { - Collection issuedAis = aim.get(SP12Constants.ISSUED_TOKEN); - if (issuedAis != null && !issuedAis.isEmpty()) { + if (issuedAis != null) { for (AssertionInfo ai : issuedAis) { - AssertionWrapper assertionWrapper = - (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); IssuedToken issuedToken = (IssuedToken)ai.getAssertion(); ai.setAsserted(true); boolean tokenRequired = isTokenRequired(issuedToken, message); - if ((tokenRequired && assertionWrapper == null) - || (!tokenRequired && assertionWrapper != null)) { + if (tokenRequired && assertionWrapper == null) { ai.setNotAsserted( "The received token does not match the token inclusion requirement" ); @@ -100,6 +95,36 @@ public class IssuedTokenPolicyValidator return true; } + public boolean validatePolicy( + Collection issuedAis, + BinarySecurity binarySecurityToken + ) { + if (issuedAis != null) { + for (AssertionInfo ai : issuedAis) { + IssuedToken issuedToken = (IssuedToken)ai.getAssertion(); + ai.setAsserted(true); + + boolean tokenRequired = isTokenRequired(issuedToken, message); + if (tokenRequired && binarySecurityToken == null) { + ai.setNotAsserted( + "The received token does not match the token inclusion requirement" + ); + return false; + } + if (!tokenRequired) { + continue; + } + + Element template = issuedToken.getRstTemplate(); + if (template != null && !checkIssuedTokenTemplate(template, binarySecurityToken)) { + ai.setNotAsserted("Error in validating the IssuedToken policy"); + return false; + } + } + } + return true; + } + /** * Check the issued token template against the received assertion */ 
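Review bot: The new `validatePolicy(Collection issuedAis, BinarySecurity binarySecurityToken)` repeats the inclusion-requirement loop of the AssertionWrapper overload almost line for line (`ai.setAsserted(true)`, `isTokenRequired`, the `tokenRequired && token == null` check, the `continue`, then the template check), which is a style candidate for one private helper that takes the token as `Object` plus the template check as a callback. Both overloads set `ai.setAsserted(true)` before any check and rely on `setNotAsserted` to reverse it on failure; a one-line comment such as `// optimistic; setNotAsserted below undoes this on failure` would stop a reader from mistaking it for unconditional acceptance. The replacement of `issuedAis != null && !issuedAis.isEmpty()` by `issuedAis != null` leaves behaviour unchanged (an empty collection skips the loop and returns true), but a Javadoc `@return` on both overloads stating that a null or empty policy set yields true would make that contract explicit.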
@@ -134,5 +159,23 @@ public class IssuedTokenPolicyValidator } return true; } + + /** + * Check the issued token template against the received BinarySecurityToken + */ + private boolean checkIssuedTokenTemplate(Element template, BinarySecurity binarySecurityToken) { + Element child = DOMUtils.getFirstElement(template); + while (child != null) { + if ("TokenType".equals(child.getLocalName())) { + String content = child.getTextContent(); + String valueType = binarySecurityToken.getValueType(); + if (!content.equals(valueType)) { + return false; + } + } + child = DOMUtils.getNextElement(child); + } + return true; + } } Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1144400&r1=1144399&r2=1144400&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java Fri Jul 8 17:38:51 2011 
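Review bot: `checkIssuedTokenTemplate(Element template, BinarySecurity binarySecurityToken)` returns true whenever the template has no `TokenType` child, so a policy whose RST template omits TokenType accepts a BinarySecurityToken of any ValueType; the Javadoc should say so, e.g. `Only the TokenType element of the template is compared against the BST ValueType; a template without TokenType accepts any ValueType.` The comparison `content.equals(valueType)` uses the raw `getTextContent()` of the TokenType element, so a pretty-printed policy whose TokenType text carries leading or trailing whitespace will never match; `if (!content.trim().equals(valueType))` would be more robust while keeping the null-safe operand order. I cannot tell from this hunk whether the existing AssertionWrapper variant of `checkIssuedTokenTemplate` applies the same whitespace handling, so the two should be kept consistent.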
@@ -72,8 +72,7 @@ public class SamlTokenPolicyValidator ex ai.setAsserted(true); boolean tokenRequired = isTokenRequired(samlToken, message); - if ((tokenRequired && assertionWrapper == null) - || (!tokenRequired && assertionWrapper != null)) { + if (tokenRequired && assertionWrapper == null) { ai.setNotAsserted( "The received token does not match the token inclusion requirement" ); Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java?rev=1144400&r1=1144399&r2=1144400&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java Fri Jul 8 17:38:51 2011 @@ -56,8 +56,7 @@ public class UsernameTokenPolicyValidato ai.setAsserted(true); boolean tokenRequired = isTokenRequired(usernameTokenPolicy, message); - if ((tokenRequired && usernameToken == null) - || (!tokenRequired && usernameToken != null)) { + if (tokenRequired && usernameToken == null) { ai.setNotAsserted( "The received token does not match the token inclusion requirement" );