From cohei...@apache.org
Subject svn commit: r1174790 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j: ./ policyhandlers/ policyvalidators/
Date Fri, 23 Sep 2011 14:11:29 GMT
Author: coheigea
Date: Fri Sep 23 14:11:29 2011
New Revision: 1174790

URL: http://svn.apache.org/viewvc?rev=1174790&view=rev
Log:
Add support for the SecurityContextToken policy

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1174790&r1=1174789&r2=1174790&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Fri Sep 23 14:11:29 2011
@@ -76,6 +76,7 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
 import org.apache.neethi.Assertion;
@@ -625,6 +626,10 @@ public class PolicyBasedWSS4JInIntercept
         X509TokenPolicyValidator x509Validator = new X509TokenPolicyValidator(msg, results);
         x509Validator.validatePolicy(aim);
         
+        SecurityContextTokenPolicyValidator sctValidator = 
+            new SecurityContextTokenPolicyValidator(msg, results);
+        sctValidator.validatePolicy(aim);
+        
         //REVISIT - probably can verify some of these like if UT is encrypted and/or signed,
etc...
         assertPolicy(aim, SP12Constants.SIGNED_SUPPORTING_TOKENS);
         assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
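Review bot: The boolean returned by `sctValidator.validatePolicy(aim)` is discarded, so the caller relies entirely on the `setNotAsserted(...)` side effect on the AssertionInfo to fail the message later; this mirrors how `x509Validator.validatePolicy(aim)` is called just above, so it is presumably intentional, but a one-line comment such as `// result ignored: a failed check is recorded via AssertionInfo.setNotAsserted and surfaces when the AIM is checked` would make the contract explicit for the next reader. The enclosing method begins and continues outside this hunk.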

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1174790&r1=1174789&r2=1174790&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Fri Sep 23 14:11:29 2011
@@ -84,6 +84,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.model.Layout;
 import org.apache.cxf.ws.security.policy.model.SamlToken;
 import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
 import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
 import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
 import org.apache.cxf.ws.security.policy.model.SupportingToken;
@@ -487,6 +488,7 @@ public abstract class AbstractBindingBui
             } else if (isRequestor() 
                 && (token instanceof IssuedToken
                     || token instanceof SecureConversationToken
+                    || token instanceof SecurityContextToken
                     || token instanceof KerberosToken)) {
                 //ws-trust/ws-sc stuff.......
                 SecurityToken secToken = getSecurityToken();

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1174790&r1=1174789&r2=1174790&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Fri Sep 23 14:11:29 2011
@@ -42,6 +42,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.model.IssuedToken;
 import org.apache.cxf.ws.security.policy.model.KerberosToken;
 import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
 import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
 import org.apache.cxf.ws.security.policy.model.Token;
 import org.apache.cxf.ws.security.policy.model.TokenWrapper;
@@ -156,7 +157,8 @@ public class SymmetricBindingHandler ext
                 SecurityToken tok = null;
                 if (encryptionToken instanceof IssuedToken || encryptionToken instanceof
KerberosToken) {
                     tok = getSecurityToken();
-                } else if (encryptionToken instanceof SecureConversationToken) {
+                } else if (encryptionToken instanceof SecureConversationToken
+                    || encryptionToken instanceof SecurityContextToken) {
                     tok = getSecurityToken();
                 } else if (encryptionToken instanceof X509Token) {
                     if (isRequestor()) {
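Review bot: The new `|| encryptionToken instanceof SecurityContextToken` branch and the `IssuedToken || KerberosToken` branch directly above both resolve to `tok = getSecurityToken();`, so the extended condition duplicates an identical branch; merging them into one `if (encryptionToken instanceof IssuedToken || encryptionToken instanceof KerberosToken || encryptionToken instanceof SecureConversationToken || encryptionToken instanceof SecurityContextToken)` would make the token-class handling visibly uniform. The same pattern appears in the next hunk, where the `SecureConversationToken || SecurityContextToken` and `IssuedToken || KerberosToken` branches both assign `sigTok = getSecurityToken();`. The enclosing method starts and ends outside this hunk.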
@@ -268,7 +270,8 @@ public class SymmetricBindingHandler ext
         try {
             SecurityToken sigTok = null;
             if (sigToken != null) {
-                if (sigToken instanceof SecureConversationToken) {
+                if (sigToken instanceof SecureConversationToken
+                    || sigToken instanceof SecurityContextToken) {
                     sigTok = getSecurityToken();
                 } else if (sigToken instanceof IssuedToken || sigToken instanceof KerberosToken)
{
                     sigTok = getSecurityToken();
@@ -411,7 +414,9 @@ public class SymmetricBindingHandler ext
             } else {
                 if (attached) {
                     String id = encrTok.getWsuId();
-                    if (id == null && encrToken instanceof SecureConversationToken)
{
+                    if (id == null 
+                        && (encrToken instanceof SecureConversationToken 
+                            || encrToken instanceof SecurityContextToken)) {
                         dkEncr.setTokenIdDirectId(true);
                         id = encrTok.getId();
                     } else if (id == null) {
@@ -488,7 +493,9 @@ public class SymmetricBindingHandler ext
                     String encrTokId = encrTok.getId();
                     if (attached) {
                         encrTokId = encrTok.getWsuId();
-                        if (encrTokId == null && encrToken instanceof SecureConversationToken)
{
+                        if (encrTokId == null 
+                            && (encrToken instanceof SecureConversationToken
+                                || encrToken instanceof SecurityContextToken)) {
                             encr.setEncKeyIdDirectId(true);
                             encrTokId = encrTok.getId();
                         } else if (encrTokId == null) {
@@ -614,7 +621,8 @@ public class SymmetricBindingHandler ext
             }
             dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
         } else {
-            if (!attached || policyToken instanceof SecureConversationToken) {
+            if (!attached || policyToken instanceof SecureConversationToken 
+                || policyToken instanceof SecurityContextToken) {
                 dkSign.setTokenIdDirectId(true);
             }
             dkSign.setExternalKey(tok.getSecret(), tok.getId());
@@ -745,7 +753,8 @@ public class SymmetricBindingHandler ext
             if (included) {
                 sigTokId = tok.getWsuId();
                 if (sigTokId == null) {
-                    if (policyToken instanceof SecureConversationToken) {
+                    if (policyToken instanceof SecureConversationToken
+                        || policyToken instanceof SecurityContextToken) {
                         sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
                     }
                     sigTokId = tok.getId();                    

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1174790&r1=1174789&r2=1174790&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Fri Sep 23 14:11:29 2011
@@ -42,6 +42,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.model.KeyValueToken;
 import org.apache.cxf.ws.security.policy.model.SamlToken;
 import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
 import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
 import org.apache.cxf.ws.security.policy.model.SupportingToken;
 import org.apache.cxf.ws.security.policy.model.Token;
@@ -166,6 +167,7 @@ public class TransportBindingHandler ext
                         for (Token token : sgndSuppTokens.getTokens()) {
                             if (token instanceof IssuedToken
                                 || token instanceof SecureConversationToken
+                                || token instanceof SecurityContextToken
                                 || token instanceof KeyValueToken
                                 || token instanceof KerberosToken) {
                                 addSig(signatureValues, doIssuedTokenSignature(token, signdParts,
@@ -203,6 +205,7 @@ public class TransportBindingHandler ext
                         for (Token token : endSuppTokens.getTokens()) {
                             if (token instanceof IssuedToken
                                 || token instanceof SecureConversationToken
+                                || token instanceof SecurityContextToken
                                 || token instanceof KerberosToken) {
                                 addSig(signatureValues, doIssuedTokenSignature(token, 
                                                                                endSuppTokens

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java?rev=1174790&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
Fri Sep 23 14:11:29 2011
@@ -0,0 +1,74 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+/**
+ * Validate a WSSecurityEngineResult corresponding to the processing of a SecurityContextToken
+ * against the appropriate policy.
+ */
+public class SecurityContextTokenPolicyValidator extends AbstractTokenPolicyValidator {
+    
+    private List<WSSecurityEngineResult> sctResults;
+    private Message message;
+
+    public SecurityContextTokenPolicyValidator(Message message, List<WSSecurityEngineResult>
results) {
+        this.message = message;
+        sctResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.SCT, sctResults);
+    }
+    
+    public boolean validatePolicy(AssertionInfoMap aim) {
+        Collection<AssertionInfo> sctAis = aim.get(SP12Constants.SECURITY_CONTEXT_TOKEN);
+        if (sctAis != null && !sctAis.isEmpty()) {
+            for (AssertionInfo ai : sctAis) {
+                SecurityContextToken sctPolicy = (SecurityContextToken)ai.getAssertion();
+                ai.setAsserted(true);
+                    
+                boolean tokenRequired = isTokenRequired(sctPolicy, message);
+                
+                if (!tokenRequired) {
+                    continue;
+                }
+                
+                if (sctResults.isEmpty()) {
+                    ai.setNotAsserted(
+                        "The received token does not match the token inclusion requirement"
+                    );
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+    
+}
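Review bot: `validatePolicy` asserts the SecurityContextToken assertion whenever at least one SCT result was produced (`sctResults.isEmpty()` is the only check), without tying that result to the token the binding actually signed or encrypted with; if that correlation is handled elsewhere, the class Javadoc should say so, e.g. `Asserts the policy if a SecurityContextToken was processed; binding-level use of the token is checked by the binding validators.` — hedged here since the other validators are not in this hunk. `validatePolicy` itself has no Javadoc; a `@param aim the assertions to validate against` and `@return false if a SecurityContextToken is required by the policy but none was processed` would document the only failure path. The two fields are only assigned in the constructor and should be `private final List<WSSecurityEngineResult> sctResults;` and `private final Message message;`. Note the constructor signature line is wrapped by the mail archive (`List<WSSecurityEngineResult>` / `results) {`), not by the patch.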


