From cohei...@apache.org
Subject svn commit: r1188120 - in /cxf/trunk/rt/ws/security/src: main/java/org/apache/cxf/ws/security/wss4j/ main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ test/java/org/apache/cxf/ws/security/wss4j/
Date Mon, 24 Oct 2011 12:39:53 GMT
Author: coheigea
Date: Mon Oct 24 12:39:53 2011
New Revision: 1188120

URL: http://svn.apache.org/viewvc?rev=1188120&view=rev
Log:
Added a policy validator for the Transport binding.

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1188120&r1=1188119&r2=1188120&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Mon Oct 24 12:39:53 2011
@@ -77,6 +77,7 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
 import org.apache.neethi.Assertion;
@@ -580,6 +581,7 @@ public class PolicyBasedWSS4JInIntercept
                     new SamlTokenPolicyValidator(soapBody, signedResults, msg);
                 validator.validatePolicy(aim, wser);
                 break;
+            // TODO remove
             case WSConstants.TS:
                 assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
                 break;
@@ -621,11 +623,14 @@ public class PolicyBasedWSS4JInIntercept
         
         assertAsymetricBinding(aim, msg, prots, results, hasDerivedKeys);
         assertSymmetricBinding(aim, msg, prots, results, hasDerivedKeys);
-        assertTransportBinding(aim, results);
         
         X509TokenPolicyValidator x509Validator = new X509TokenPolicyValidator(msg, results);
         x509Validator.validatePolicy(aim);
         
+        TransportBindingPolicyValidator transportValidator = 
+            new TransportBindingPolicyValidator(msg, results, signedResults);
+        transportValidator.validatePolicy(aim);
+        
         SecurityContextTokenPolicyValidator sctValidator = 
             new SecurityContextTokenPolicyValidator(msg, results);
         sctValidator.validatePolicy(aim);
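Review bot: The boolean returned by `transportValidator.validatePolicy(aim)` is discarded, as it is for the X509 and SCT validators around it, so a failed validation only has effect if the validator also marks some AssertionInfo not-asserted. The new validator sets the TRANSPORT_BINDING assertion asserted at the top of its loop and, on a Timestamp or Layout mismatch, only calls `notAssertPolicy` on the nested INCLUDE_TIMESTAMP / LAYOUT QNames; if those have no entry in the map (e.g. a policy without IncludeTimestamp that nonetheless receives a Timestamp — I cannot see how the map is populated from here), the failure is silently dropped and the binding stays asserted. Either consume the result here, `if (!transportValidator.validatePolicy(aim)) { /* mark TRANSPORT_BINDING not asserted */ }`, or have the validator call `ai.setNotAsserted(error)` on the binding assertion itself before returning false.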
@@ -788,30 +793,6 @@ public class PolicyBasedWSS4JInIntercept
         }
         return true;
     }
-    private boolean assertTransportBinding(AssertionInfoMap aim, List<WSSecurityEngineResult>
results) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
-        if (ais == null) {                       
-            return true;
-        }
-        
-        for (AssertionInfo ai : ais) {
-            TransportBinding binding = (TransportBinding)ai.getAssertion();
-            ai.setAsserted(true);
-            if (binding.getTransportToken() != null) {
-                assertPolicy(aim, binding.getTransportToken());
-                assertPolicy(aim, binding.getTransportToken().getToken());
-            }
-            
-            AlgorithmSuitePolicyValidator algorithmValidator = new AlgorithmSuitePolicyValidator(results);
-            if (!algorithmValidator.validatePolicy(ai, binding.getAlgorithmSuite())) {
-                return false;
-            }
-        }
-        
-        assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
-        assertPolicy(aim, SP12Constants.SIGNED_PARTS);
-        return true;
-    }
     
     private boolean isTransportBinding(AssertionInfoMap aim) {
         Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java?rev=1188120&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
Mon Oct 24 12:39:53 2011
@@ -0,0 +1,179 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.neethi.Assertion;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.message.token.Timestamp;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+/**
+ * Some abstract functionality for validating a security binding.
+ */
+public abstract class AbstractBindingPolicyValidator {
+    
+    /**
+     * Validate a Timestamp
+     * @param includeTimestamp whether a Timestamp must be included or not
+     * @param transportBinding whether the Transport binding is in use or not
+     * @param results the results list
+     * @param signedResults the signed results list
+     * @param message the Message object
+     * @return whether the Timestamp policy is valid or not
+     */
+    protected boolean validateTimestamp(
+        boolean includeTimestamp,
+        boolean transportBinding,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults,
+        Message message
+    ) {
+        List<WSSecurityEngineResult> timestampResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.TS, timestampResults);
+        
+        // Check whether we received a timestamp and compare it to the policy
+        if (includeTimestamp && timestampResults.isEmpty()) {
+            return false;
+        } else if (!includeTimestamp && !timestampResults.isEmpty()) {
+            return false;
+        } else if (!includeTimestamp) {
+            return true;
+        }
+        
+        // At this point we received a (required) Timestamp. Now check that it is integrity
protected.
+        if (transportBinding) {
+            return true;
+        } else if (!signedResults.isEmpty()) {
+            Timestamp timestamp = 
+                (Timestamp)timestampResults.get(0).get(WSSecurityEngineResult.TAG_TIMESTAMP);
+            for (WSSecurityEngineResult signedResult : signedResults) {
+                List<WSDataRef> dataRefs = 
+                    CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+                for (WSDataRef dataRef : dataRefs) {
+                    if (timestamp == dataRef.getProtectedElement()) {
+                        return true;
+                    }
+                }
+            }
+        }
+        
+        return false;
+    }
+    
+    /**
+     * Validate the entire header and body signature property.
+     */
+    protected boolean validateEntireHeaderAndBodySignatures(
+        List<WSSecurityEngineResult> signedResults
+    ) {
+        if (signedResults.isEmpty()) {
+            return false;
+        }
+        for (WSSecurityEngineResult signedResult : signedResults) {
+            List<WSDataRef> dataRefs = 
+                    CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+            for (WSDataRef dataRef : dataRefs) {
+                String xpath = dataRef.getXpath();
+                String[] nodes = xpath.split("/");
+                // envelope/Body || envelope/Header/header
+                if (nodes.length == 2 || nodes.length == 3) {
+                    return true;
+                // envelope/Header/wsse:Security/header
+                } else if (nodes.length == 4 && nodes[2].contains("Security")) {
+                    return true;
+                }
+            }
+        }
+        return true;
+    }
+    
+    /**
+     * Validate the layout assertion. It just checks the LaxTsFirst and LaxTsLast properties
+     */
+    protected boolean validateLayout(
+        List<WSSecurityEngineResult> results,
+        boolean laxTimestampFirst,
+        boolean laxTimestampLast
+    ) {
+        if (laxTimestampFirst) {
+            if (results.isEmpty()) {
+                return false;
+            }
+            Integer firstAction = (Integer)results.get(0).get(WSSecurityEngineResult.TAG_ACTION);
+            if (firstAction.intValue() != WSConstants.TS) {
+                return false;
+            }
+        } else if (laxTimestampLast) {
+            if (results.isEmpty()) {
+                return false;
+            }
+            Integer lastAction = 
+                (Integer)results.get(results.size() - 1).get(WSSecurityEngineResult.TAG_ACTION);
+            if (lastAction.intValue() != WSConstants.TS) {
+                return false;
+            }
+        }
+        return true;
+        
+    }
+    
+    protected void assertPolicy(AssertionInfoMap aim, Assertion token) {
+        Collection<AssertionInfo> ais = aim.get(token.getName());
+        if (ais != null && !ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                if (ai.getAssertion() == token) {
+                    ai.setAsserted(true);
+                }
+            }    
+        }
+    }
+    
+    protected boolean assertPolicy(AssertionInfoMap aim, QName q) {
+        Collection<AssertionInfo> ais = aim.get(q);
+        if (ais != null && !ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+            }    
+            return true;
+        }
+        return false;
+    }
+    
+    protected void notAssertPolicy(AssertionInfoMap aim, QName q, String msg) {
+        Collection<AssertionInfo> ais = aim.get(q);
+        if (ais != null && !ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                ai.setNotAsserted(msg);
+            }    
+        }
+    }
+}
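Review bot: `validateEntireHeaderAndBodySignatures` cannot report a failure for a signed message: every branch inside the loop returns true and the fall-through after the loop also returns true, so only an empty `signedResults` yields false; the trailing line should presumably be `return false;` so that a signature covering neither the Body nor a header is rejected, and `dataRef.getXpath()` should be null-checked before `split`. Separately, `validateTimestamp` compares the WSS4J `Timestamp` token object with `dataRef.getProtectedElement()` by reference; if, as in WSS4J, that getter returns a DOM `Element`, the test can never succeed and an integrity-protected Timestamp would be rejected for the non-transport bindings — `timestamp.getElement() == dataRef.getProtectedElement()` looks like the intended comparison. Neither path is reachable from the Transport validator added in this commit (it passes `transportBinding=true` and never calls the signature check), so both are latent until the other bindings are ported to this base class.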

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java?rev=1188120&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
Mon Oct 24 12:39:53 2011
@@ -0,0 +1,112 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.security.transport.TLSSessionInfo;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.Layout;
+import org.apache.cxf.ws.security.policy.model.TransportBinding;
+import org.apache.ws.security.WSSecurityEngineResult;
+
+/**
+ * Validate a TransportBinding policy.
+ */
+public class TransportBindingPolicyValidator extends AbstractBindingPolicyValidator {
+    
+    private List<WSSecurityEngineResult> results;
+    private List<WSSecurityEngineResult> signedResults;
+    private Message message;
+
+    public TransportBindingPolicyValidator(
+        Message message,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
+        this.message = message;
+        this.results = results;
+        this.signedResults = signedResults;
+    }
+    
+    public boolean validatePolicy(
+        AssertionInfoMap aim
+    ) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
+        if (ais == null || ais.isEmpty()) {                       
+            return true;
+        }
+        
+        for (AssertionInfo ai : ais) {
+            TransportBinding binding = (TransportBinding)ai.getAssertion();
+            ai.setAsserted(true);
+            
+            // Check that TLS is in use if we are not the requestor
+            boolean initiator = MessageUtils.isRequestor(message);
+            TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+            if (!initiator && tlsInfo == null) {
+                ai.setNotAsserted("TLS is not enabled");
+                return false;
+            }
+            
+            // HttpsToken is validated by the HttpsTokenInterceptorProvider
+            if (binding.getTransportToken() != null) {
+                assertPolicy(aim, binding.getTransportToken());
+                assertPolicy(aim, binding.getTransportToken().getToken());
+            }
+            
+            // Check the AlgorithmSuite
+            AlgorithmSuitePolicyValidator algorithmValidator = new AlgorithmSuitePolicyValidator(results);
+            if (!algorithmValidator.validatePolicy(ai, binding.getAlgorithmSuite())) {
+                return false;
+            }
+            
+            // Check the IncludeTimestamp
+            if (!validateTimestamp(binding.isIncludeTimestamp(), true, results, signedResults,
message)) {
+                String error = "Received Timestamp does not match the requirements";
+                notAssertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP, error);
+                return false;
+            }
+            
+            // Check the Layout
+            Layout layout = binding.getLayout();
+            boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTimestampFirst;
+            boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTimestampLast;
+            if (!validateLayout(results, timestampFirst, timestampLast)) {
+                String error = "Layout does not match the requirements";
+                notAssertPolicy(aim, SP12Constants.LAYOUT, error);
+                return false;
+            }
+        }
+        
+        // We don't need to check these policies for the Transport binding
+        assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
+        assertPolicy(aim, SP12Constants.SIGNED_PARTS);
+        
+        return true;
+    }
+    
+}
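Review bot: `binding.getLayout()` is dereferenced unconditionally in the Layout check (`layout.getValue()`), whereas the TransportToken just above is null-guarded; if a TransportBinding policy may omit the optional Layout assertion and `getLayout()` then returns null, every inbound message under such a policy fails with a NullPointerException instead of a policy decision. Guard it, `Layout layout = binding.getLayout(); if (layout != null) { ...existing checks... }`, treating an absent Layout as imposing no ordering constraint. Note also that the TLS presence check is skipped whenever `MessageUtils.isRequestor(message)` is true, so a client receiving a response over plain HTTP is not rejected by this validator; a comment such as `// Initiator side: transport security is enforced by HttpsTokenInterceptorProvider, not here` would make that delegation explicit.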

Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java?rev=1188120&r1=1188119&r2=1188120&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
(original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
Mon Oct 24 12:39:53 2011
@@ -18,7 +18,6 @@
  */
 package org.apache.cxf.ws.security.wss4j;
 
-import java.util.ArrayList;
 import java.util.Arrays;
 
 import javax.xml.namespace.QName;
@@ -59,29 +58,6 @@ public class PolicyBasedWss4JInOutTest e
     }
     
     @Test
-    public void testTransportBinding() throws Exception {
-        this.runInInterceptorAndValidate(
-                "wsse-request-clean.xml",
-                "transport_binding_policy.xml",
-                Arrays.asList(SP12Constants.TRANSPORT_BINDING,
-                              SP12Constants.TRANSPORT_TOKEN),
-                null,
-                new ArrayList<CoverageType>());
-        
-        // Note that outbound does not asset TRANSPORT_TOKEN as another handler
-        // would assert that.
-        this.runAndValidate(
-                "wsse-request-clean.xml",
-                "transport_binding_policy.xml",
-                Arrays.asList(SP12Constants.TRANSPORT_BINDING),
-                null,
-                Arrays.asList(SP12Constants.TRANSPORT_BINDING,
-                              SP12Constants.TRANSPORT_TOKEN),
-                null,
-                new ArrayList<CoverageType>());
-    }
-
-    @Test
     public void testAsymmetricBindingAlgorithmSuitePolicy() throws Exception {
         this.runAndValidate(
                 "wsse-request-clean.xml",


