cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1189352 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ service...
Date Wed, 26 Oct 2011 18:06:33 GMT
Author: coheigea
Date: Wed Oct 26 18:06:32 2011
New Revision: 1189352

URL: http://svn.apache.org/viewvc?rev=1189352&view=rev
Log:
Added new policy validators for the Symmetric binding + Asymmetric binding
 - Started properly validating a load more policies

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
    cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/DoubleIt.wsdl

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
Wed Oct 26 18:06:32 2011
@@ -68,6 +68,9 @@ public final class SP11Constants extends
 
     public static final QName INCLUDE_TIMESTAMP = new QName(SP_NS,
             SPConstants.INCLUDE_TIMESTAMP, SP11Constants.SP_PREFIX);
+    
+    public static final QName ONLY_SIGN_ENTIRE_HEADERS_AND_BODY = new QName(SP_NS,
+            SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY, SP11Constants.SP_PREFIX);
 
     public static final QName TRANSPORT_TOKEN = new QName(SP_NS,
             SPConstants.TRANSPORT_TOKEN, SP11Constants.SP_PREFIX);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
Wed Oct 26 18:06:32 2011
@@ -130,7 +130,7 @@ public final class WSSecurityPolicyLoade
             SP12Constants.INCLUDE_TIMESTAMP, SP11Constants.INCLUDE_TIMESTAMP,
             SP12Constants.ENCRYPT_SIGNATURE, SP11Constants.ENCRYPT_SIGNATURE,
             SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY, 
-            new QName(SP11Constants.SP_NS, SP11Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY),
+            SP11Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY,
             SP12Constants.WSS_X509_V1_TOKEN_10,
             SP12Constants.WSS_X509_V1_TOKEN_11,
             SP12Constants.WSS_X509_V3_TOKEN_10,

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Wed Oct 26 18:06:32 2011
@@ -66,21 +66,19 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
 import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
 import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Token;
 import org.apache.cxf.ws.security.policy.model.TransportBinding;
 import org.apache.cxf.ws.security.policy.model.TransportToken;
 import org.apache.cxf.ws.security.policy.model.Wss11;
-import org.apache.cxf.ws.security.policy.model.X509Token;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
-import org.apache.neethi.Assertion;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDataRef;
 import org.apache.ws.security.WSSecurityEngineResult;
@@ -204,35 +202,6 @@ public class PolicyBasedWSS4JInIntercept
         }
         return false;
     }
-    private void assertPolicy(AssertionInfoMap aim, Token token, Boolean derived) {
-        if (derived == null) {
-            //no keys were needed for anything
-            return;
-        }
-        if (!derived && token instanceof X509Token && token.isDerivedKeys())
{
-            notAssertPolicy(aim, token, "No derived keys found.");
-        }
-    }
-    private void assertPolicy(AssertionInfoMap aim, Assertion token) {
-        Collection<AssertionInfo> ais = aim.get(token.getName());
-        if (ais != null && !ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                if (ai.getAssertion() == token) {
-                    ai.setAsserted(true);
-                }
-            }    
-        }
-    }
-    private void notAssertPolicy(AssertionInfoMap aim, Assertion token, String msg) {
-        Collection<AssertionInfo> ais = aim.get(token.getName());
-        if (ais != null && !ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                if (ai.getAssertion() == token) {
-                    ai.setNotAsserted(msg);
-                }
-            }    
-        }
-    }
 
     private String checkAsymetricBinding(AssertionInfoMap aim, 
                                  String action, 
@@ -472,37 +441,6 @@ public class PolicyBasedWSS4JInIntercept
         }
     }
     
-    enum Protections {
-        NONE,
-        SIGN,
-        ENCRYPT,
-        SIGN_ENCRYPT,
-        ENCRYPT_SIGN,
-        ENCRYPT_SIGN_PROTECT,
-    };
-    private Protections addSign(Protections prots) {
-        if (prots == Protections.NONE) {
-            return Protections.SIGN;
-        }
-        if (prots == Protections.ENCRYPT) {
-            return Protections.ENCRYPT_SIGN;
-        }
-        return prots;
-    }
-    private Protections addEncrypt(Protections prots) {
-        if (prots == Protections.NONE) {
-            return Protections.ENCRYPT;
-        }
-        if (prots == Protections.SIGN) {
-            return Protections.SIGN_ENCRYPT;
-        }
-        if (prots == Protections.ENCRYPT_SIGN
-            || prots == Protections.SIGN_ENCRYPT) {
-            return Protections.ENCRYPT_SIGN_PROTECT;
-        }
-        return prots;
-    }
-    
     @Override
     protected void doResults(
         SoapMessage msg, 
@@ -517,7 +455,6 @@ public class PolicyBasedWSS4JInIntercept
         Collection<WSDataRef> encrypted = new HashSet<WSDataRef>();
         Boolean hasDerivedKeys = null;
         boolean hasEndorsement = false;
-        Protections prots = Protections.NONE;
         
         //
         // Prefetch all signature results
@@ -544,7 +481,6 @@ public class PolicyBasedWSS4JInIntercept
                     for (WSDataRef r : sl) {
                         signed.add(r);
                     }
-                    prots = addSign(prots);
                 }
                 break;
             case WSConstants.ENCR:
@@ -557,7 +493,6 @@ public class PolicyBasedWSS4JInIntercept
                     for (WSDataRef r : el) {
                         encrypted.add(r);
                     }
-                    prots = addEncrypt(prots);
                 }
                 break;
             case WSConstants.UT:
@@ -581,13 +516,6 @@ public class PolicyBasedWSS4JInIntercept
                     new SamlTokenPolicyValidator(soapBody, signedResults, msg);
                 validator.validatePolicy(aim, wser);
                 break;
-            // TODO remove
-            case WSConstants.TS:
-                assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
-                break;
-            case WSConstants.DKT:
-                hasDerivedKeys = Boolean.TRUE;
-                break;
             case WSConstants.SC:
                 assertPolicy(aim, SP12Constants.WSS11);
                 break;
@@ -621,9 +549,6 @@ public class PolicyBasedWSS4JInIntercept
         
         assertHeadersExists(aim, msg, soapHeader);
         
-        assertAsymetricBinding(aim, msg, prots, results, hasDerivedKeys);
-        assertSymmetricBinding(aim, msg, prots, results, hasDerivedKeys);
-        
         X509TokenPolicyValidator x509Validator = new X509TokenPolicyValidator(msg, results);
         x509Validator.validatePolicy(aim);
         
@@ -631,6 +556,14 @@ public class PolicyBasedWSS4JInIntercept
             new TransportBindingPolicyValidator(msg, results, signedResults);
         transportValidator.validatePolicy(aim);
         
+        SymmetricBindingPolicyValidator symmetricValidator = 
+            new SymmetricBindingPolicyValidator(msg, results, signedResults);
+        symmetricValidator.validatePolicy(aim);
+        
+        AsymmetricBindingPolicyValidator asymmetricValidator = 
+            new AsymmetricBindingPolicyValidator(msg, results, signedResults);
+        asymmetricValidator.validatePolicy(aim);
+        
         SecurityContextTokenPolicyValidator sctValidator = 
             new SecurityContextTokenPolicyValidator(msg, results);
         sctValidator.validatePolicy(aim);
@@ -700,100 +633,6 @@ public class PolicyBasedWSS4JInIntercept
         
     }
 
-    private boolean assertSymmetricBinding(AssertionInfoMap aim, 
-                                           SoapMessage message,
-                                           Protections prots,
-                                           List<WSSecurityEngineResult> results,
-                                           Boolean derived) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
-        if (ais == null) {
-            return true;
-        }
-        
-        for (AssertionInfo ai : ais) {
-            SymmetricBinding abinding = (SymmetricBinding)ai.getAssertion();
-            ai.setAsserted(true);
-            if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning)
{
-                if (abinding.isSignatureProtection()) {
-                    if (prots == Protections.ENCRYPT_SIGN
-                        || prots == Protections.SIGN_ENCRYPT) {
-                        ai.setNotAsserted("Not encrypted before signed and then protected");
-                        return false;
-                    }
-                } else if (prots == Protections.SIGN_ENCRYPT) {
-                    ai.setNotAsserted("Not encrypted before signed");
-                    return false;
-                }
-            } else if (prots == Protections.ENCRYPT_SIGN) {
-                ai.setNotAsserted("Not signed before encrypted");
-                return false;
-            }
-            
-            AlgorithmSuitePolicyValidator algorithmValidator = new AlgorithmSuitePolicyValidator(results);
-            if (!algorithmValidator.validatePolicy(ai, abinding.getAlgorithmSuite())) {
-                return false;
-            }
-            
-            if (abinding.getEncryptionToken() != null) {
-                assertPolicy(aim, abinding.getEncryptionToken());
-                assertPolicy(aim, abinding.getEncryptionToken().getToken(), derived);
-            }
-            if (abinding.getSignatureToken() != null) {
-                assertPolicy(aim, abinding.getSignatureToken());
-                assertPolicy(aim, abinding.getSignatureToken().getToken(), derived);
-            }
-            if (abinding.getProtectionToken() != null) {
-                assertPolicy(aim, abinding.getProtectionToken());
-                assertPolicy(aim, abinding.getProtectionToken().getToken(), derived);
-            }
-        }
-        return true;
-    }
-    private boolean assertAsymetricBinding(AssertionInfoMap aim, 
-                                           SoapMessage message,
-                                           Protections prots,
-                                           List<WSSecurityEngineResult> results,
-                                           Boolean derived) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
-        if (ais == null) {                       
-            return true;
-        }
-        for (AssertionInfo ai : ais) {
-            AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
-            ai.setAsserted(true);
-            if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning)
{
-                if (abinding.isSignatureProtection()) {
-                    if (prots == Protections.ENCRYPT_SIGN
-                        || prots == Protections.SIGN_ENCRYPT) {
-                        ai.setNotAsserted("Not encrypted before signed and then protected");
-                        return false;
-                    }
-                } else if (prots == Protections.SIGN_ENCRYPT) {
-                    ai.setNotAsserted("Not encrypted before signed");
-                    return false;
-                }
-            } else if (prots == Protections.ENCRYPT_SIGN) {
-                ai.setNotAsserted("Not signed before encrypted");
-                return false;
-            }
-            
-            AlgorithmSuitePolicyValidator algorithmValidator = new AlgorithmSuitePolicyValidator(results);
-            if (!algorithmValidator.validatePolicy(ai, abinding.getAlgorithmSuite())) {
-                return false;
-            }
-            
-            if (abinding.getInitiatorToken() != null) {
-                assertPolicy(aim, abinding.getInitiatorToken());
-                assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
-            }
-            if (abinding.getRecipientToken() != null) {
-                assertPolicy(aim, abinding.getRecipientToken());
-                assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
-            }
-        }
-        return true;
-    }
-    
     private boolean isTransportBinding(AssertionInfoMap aim) {
         Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
         if (ais != null && ais.size() > 0) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
Wed Oct 26 18:06:32 2011
@@ -25,10 +25,22 @@ import java.util.List;
 
 import javax.xml.namespace.QName;
 
+import org.w3c.dom.Element;
+
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.EncryptionToken;
+import org.apache.cxf.ws.security.policy.model.Layout;
+import org.apache.cxf.ws.security.policy.model.ProtectionToken;
+import org.apache.cxf.ws.security.policy.model.SignatureToken;
+import org.apache.cxf.ws.security.policy.model.SymmetricAsymmetricBindingBase;
+import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.cxf.ws.security.policy.model.TokenWrapper;
+import org.apache.cxf.ws.security.policy.model.X509Token;
 import org.apache.neethi.Assertion;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDataRef;
@@ -41,11 +53,14 @@ import org.apache.ws.security.util.WSSec
  */
 public abstract class AbstractBindingPolicyValidator {
     
+    private static final QName SIG_QNAME = new QName(WSConstants.SIG_NS, WSConstants.SIG_LN);
+    
+    protected List<WSSecurityEngineResult> results;
+    
     /**
      * Validate a Timestamp
      * @param includeTimestamp whether a Timestamp must be included or not
      * @param transportBinding whether the Transport binding is in use or not
-     * @param results the results list
      * @param signedResults the signed results list
      * @param message the Message object
      * @return whether the Timestamp policy is valid or not
@@ -53,7 +68,6 @@ public abstract class AbstractBindingPol
     protected boolean validateTimestamp(
         boolean includeTimestamp,
         boolean transportBinding,
-        List<WSSecurityEngineResult> results,
         List<WSSecurityEngineResult> signedResults,
         Message message
     ) {
@@ -79,7 +93,7 @@ public abstract class AbstractBindingPol
                 List<WSDataRef> dataRefs = 
                     CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
                 for (WSDataRef dataRef : dataRefs) {
-                    if (timestamp == dataRef.getProtectedElement()) {
+                    if (timestamp.getElement() == dataRef.getProtectedElement()) {
                         return true;
                     }
                 }
@@ -95,21 +109,17 @@ public abstract class AbstractBindingPol
     protected boolean validateEntireHeaderAndBodySignatures(
         List<WSSecurityEngineResult> signedResults
     ) {
-        if (signedResults.isEmpty()) {
-            return false;
-        }
         for (WSSecurityEngineResult signedResult : signedResults) {
             List<WSDataRef> dataRefs = 
                     CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
             for (WSDataRef dataRef : dataRefs) {
                 String xpath = dataRef.getXpath();
                 String[] nodes = xpath.split("/");
-                // envelope/Body || envelope/Header/header
-                if (nodes.length == 2 || nodes.length == 3) {
-                    return true;
-                // envelope/Header/wsse:Security/header
-                } else if (nodes.length == 4 && nodes[2].contains("Security")) {
-                    return true;
+                // envelope/Body || envelope/Header/header || envelope/Header/wsse:Security/header
+                if (nodes.length == 5 && nodes[3].contains("Security")) {
+                    continue;
+                } else if (nodes.length < 3 || nodes.length > 4) {
+                    return false;
                 }
             }
         }
@@ -120,7 +130,6 @@ public abstract class AbstractBindingPol
      * Validate the layout assertion. It just checks the LaxTsFirst and LaxTsLast properties
      */
     protected boolean validateLayout(
-        List<WSSecurityEngineResult> results,
         boolean laxTimestampFirst,
         boolean laxTimestampLast
     ) {
@@ -146,6 +155,198 @@ public abstract class AbstractBindingPol
         
     }
     
+    /**
+     * Check various properties set in the policy of the binding
+     */
+    protected boolean checkProperties(
+        SymmetricAsymmetricBindingBase binding, 
+        AssertionInfo ai,
+        AssertionInfoMap aim,
+        List<WSSecurityEngineResult> signedResults,
+        Message message
+    ) {
+        // Check the AlgorithmSuite
+        AlgorithmSuitePolicyValidator algorithmValidator = new AlgorithmSuitePolicyValidator(results);
+        if (!algorithmValidator.validatePolicy(ai, binding.getAlgorithmSuite())) {
+            return false;
+        }
+        
+        // Check the IncludeTimestamp
+        if (!validateTimestamp(binding.isIncludeTimestamp(), false, signedResults, message))
{
+            String error = "Received Timestamp does not match the requirements";
+            notAssertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP, error);
+            ai.setNotAsserted(error);
+            return false;
+        }
+        assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
+        
+        // Check the Layout
+        Layout layout = binding.getLayout();
+        boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTimestampFirst;
+        boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTimestampLast;
+        if (!validateLayout(timestampFirst, timestampLast)) {
+            String error = "Layout does not match the requirements";
+            notAssertPolicy(aim, SP12Constants.LAYOUT, error);
+            ai.setNotAsserted(error);
+            return false;
+        }
+        assertPolicy(aim, SP12Constants.LAYOUT);
+        
+        // Check the EntireHeaderAndBodySignatures property
+        if (binding.isEntireHeadersAndBodySignatures()
+            && !validateEntireHeaderAndBodySignatures(signedResults)) {
+            String error = "OnlySignEntireHeadersAndBody does not match the requirements";
+            ai.setNotAsserted(error);
+            return false;
+        }
+        
+        // Check whether the signatures were encrypted or not
+        if (binding.isSignatureProtection() && !isSignatureEncrypted()) {
+            ai.setNotAsserted("The signature is not protected");
+            return false;
+        }
+        
+        return true;
+    }
+    
+    /**
+     * Check the Protection Order of the binding
+     */
+    protected boolean checkProtectionOrder(SymmetricAsymmetricBindingBase binding, AssertionInfo
ai) {
+        if (binding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning)
{
+            if (!binding.isSignatureProtection() && isSignedBeforeEncrypted()) {
+                ai.setNotAsserted("Not encrypted before signed");
+                return false;
+            }
+        } else if (isEncryptedBeforeSigned()) {
+            ai.setNotAsserted("Not signed before encrypted");
+            return false;
+        }
+        return true;
+    }
+    
+    /**
+     * Check to see if a signature was applied before encryption.
+     * Note that results are stored in the reverse order.
+     */
+    private boolean isSignedBeforeEncrypted() {
+        boolean signed = false;
+        for (WSSecurityEngineResult result : results) {
+            Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+            List<WSDataRef> el = 
+                CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+            
+            // Don't count an endorsing signature
+            if (actInt.intValue() == WSConstants.SIGN && el != null
+                && !(el.size() == 1 && el.get(0).getName().equals(SIG_QNAME)))
{
+                signed = true;
+            }
+            if (actInt.intValue() == WSConstants.ENCR && el != null) {
+                if (signed) {
+                    return true;
+                }
+                return false;
+            }
+        }
+        return false;
+    }
+    
+    /**
+     * Check to see if encryption was applied before signature.
+     * Note that results are stored in the reverse order.
+     */
+    private boolean isEncryptedBeforeSigned() {
+        boolean encrypted = false;
+        for (WSSecurityEngineResult result : results) {
+            Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+            List<WSDataRef> el = 
+                CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+            
+            if (actInt.intValue() == WSConstants.ENCR && el != null) {
+                encrypted = true;
+            }
+            // Don't count an endorsing signature
+            if (actInt.intValue() == WSConstants.SIGN && el != null
+                && !(el.size() == 1 && el.get(0).getName().equals(SIG_QNAME)))
{
+                if (encrypted) {
+                    return true;
+                }
+                return false;
+            }
+        }
+        return false;
+    }
+    
+    /**
+     * Check the derived key requirement.
+     */
+    protected boolean checkDerivedKeys(
+        TokenWrapper tokenWrapper, 
+        boolean hasDerivedKeys,
+        List<WSSecurityEngineResult> signedResults,
+        List<WSSecurityEngineResult> encryptedResults
+    ) {
+        Token token = tokenWrapper.getToken();
+        // If derived keys are not required then just return
+        if (!(token instanceof X509Token && token.isDerivedKeys())) {
+            return true;
+        }
+        if (tokenWrapper instanceof EncryptionToken 
+            && !hasDerivedKeys && !encryptedResults.isEmpty()) {
+            return false;
+        } else if (tokenWrapper instanceof SignatureToken
+            && !hasDerivedKeys && !signedResults.isEmpty()) {
+            return false;
+        } else if (tokenWrapper instanceof ProtectionToken
+            && !hasDerivedKeys && !(signedResults.isEmpty() || encryptedResults.isEmpty()))
{
+            return false;
+        }
+        return true;
+    }
+    
+    /**
+     * Check whether all Signature (and SignatureConfirmation) elements were encrypted
+     */
+    protected boolean isSignatureEncrypted() {
+        for (WSSecurityEngineResult result : results) {
+            Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+            if (actInt.intValue() == WSConstants.SIGN) {
+                // TODO || actInt.intValue() == WSConstants.SC) {
+                String sigId = (String)result.get(WSSecurityEngineResult.TAG_ID);
+                if (sigId == null || !isIdEncrypted(sigId)) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+    
+    /**
+     * Return true if the given id was encrypted
+     */
+    private boolean isIdEncrypted(String sigId) {
+        for (WSSecurityEngineResult wser : results) {
+            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+            if (actInt.intValue() == WSConstants.ENCR) {
+                List<WSDataRef> el = 
+                    CastUtils.cast((List<?>)wser.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+                if (el != null) {
+                    for (WSDataRef r : el) {
+                        Element protectedElement = r.getProtectedElement();
+                        if (protectedElement != null) {
+                            String id = protectedElement.getAttribute("Id");
+                            String wsuId = protectedElement.getAttributeNS(WSConstants.WSU_NS,
"Id");
+                            if (sigId.equals(id) || sigId.equals(wsuId)) {
+                                return true;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return false;
+    }
+    
     protected void assertPolicy(AssertionInfoMap aim, Assertion token) {
         Collection<AssertionInfo> ais = aim.get(token.getName());
         if (ais != null && !ais.isEmpty()) {

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java?rev=1189352&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
Wed Oct 26 18:06:32 2011
@@ -0,0 +1,126 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+
+/**
+ * Validate an AsymmetricBinding policy.
+ */
+public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValidator {
+    
+    private List<WSSecurityEngineResult> signedResults;
+    private List<WSSecurityEngineResult> encryptedResults;
+    private Message message;
+    private boolean hasDerivedKeys;
+
+    public AsymmetricBindingPolicyValidator(
+        Message message,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
+        this.message = message;
+        this.results = results;
+        this.signedResults = signedResults;
+        
+        // Store the encryption results and whether we have any derived key results
+        encryptedResults = new ArrayList<WSSecurityEngineResult>();
+        for (WSSecurityEngineResult result : results) {
+            Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+            if (actInt.intValue() == WSConstants.DKT) {
+                hasDerivedKeys = true;
+            } else if (actInt.intValue() == WSConstants.ENCR) {
+                encryptedResults.add(result);
+            }
+        }
+    }
+    
+    public boolean validatePolicy(
+        AssertionInfoMap aim
+    ) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
+        if (ais == null || ais.isEmpty()) {                       
+            return true;
+        }
+        
+        for (AssertionInfo ai : ais) {
+            AsymmetricBinding binding = (AsymmetricBinding)ai.getAssertion();
+            ai.setAsserted(true);
+
+            // Check the protection order
+            if (!checkProtectionOrder(binding, ai)) {
+                return false;
+            }
+            
+            // Check various properties of the binding
+            if (!checkProperties(binding, ai, aim, signedResults, message)) {
+                return false;
+            }
+            
+            // Check various tokens of the binding
+            if (!checkTokens(binding, ai, aim)) {
+                return false;
+            }
+        }
+        
+        return true;
+    }
+    
+    /**
+     * Check various tokens of the binding
+     */
+    private boolean checkTokens(
+        AsymmetricBinding binding, 
+        AssertionInfo ai,
+        AssertionInfoMap aim
+    ) {
+        if (binding.getInitiatorToken() != null) {
+            assertPolicy(aim, binding.getInitiatorToken());
+            if (!checkDerivedKeys(
+                binding.getInitiatorToken(), hasDerivedKeys, signedResults, encryptedResults
+            )) {
+                ai.setNotAsserted("Message fails the DerivedKeys requirement");
+                return false;
+            }
+        }
+        if (binding.getRecipientToken() != null) {
+            assertPolicy(aim, binding.getRecipientToken());
+            if (!checkDerivedKeys(
+                binding.getRecipientToken(), hasDerivedKeys, signedResults, encryptedResults
+            )) {
+                ai.setNotAsserted("Message fails the DerivedKeys requirement");
+                return false;
+            }
+        }
+        
+        return true;
+    }
+    
+}

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java?rev=1189352&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
Wed Oct 26 18:06:32 2011
@@ -0,0 +1,137 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+
+/**
+ * Validate a SymmetricBinding policy.
+ */
+public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValidator {
+    
+    private List<WSSecurityEngineResult> signedResults;
+    private List<WSSecurityEngineResult> encryptedResults;
+    private Message message;
+    private boolean hasDerivedKeys;
+
+    public SymmetricBindingPolicyValidator(
+        Message message,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
+        this.message = message;
+        this.results = results;
+        this.signedResults = signedResults;
+        
+        // Store the encryption results and whether we have any derived key results
+        encryptedResults = new ArrayList<WSSecurityEngineResult>();
+        for (WSSecurityEngineResult result : results) {
+            Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+            if (actInt.intValue() == WSConstants.DKT) {
+                hasDerivedKeys = true;
+            } else if (actInt.intValue() == WSConstants.ENCR) {
+                encryptedResults.add(result);
+            }
+        }
+    }
+    
+    public boolean validatePolicy(
+        AssertionInfoMap aim
+    ) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
+        if (ais == null || ais.isEmpty()) {                       
+            return true;
+        }
+        
+        for (AssertionInfo ai : ais) {
+            SymmetricBinding binding = (SymmetricBinding)ai.getAssertion();
+            ai.setAsserted(true);
+
+            // Check the protection order
+            if (!checkProtectionOrder(binding, ai)) {
+                return false;
+            }
+            
+            // Check various properties of the binding
+            if (!checkProperties(binding, ai, aim, signedResults, message)) {
+                return false;
+            }
+            
+            // Check various tokens of the binding
+            if (!checkTokens(binding, ai, aim)) {
+                return false;
+            }
+        }
+        
+        return true;
+    }
+    
+    /**
+     * Check various tokens of the binding
+     */
+    private boolean checkTokens(
+        SymmetricBinding binding, 
+        AssertionInfo ai,
+        AssertionInfoMap aim
+    ) {
+        if (binding.getEncryptionToken() != null) {
+            assertPolicy(aim, binding.getEncryptionToken());
+            if (!checkDerivedKeys(
+                binding.getEncryptionToken(), hasDerivedKeys, signedResults, encryptedResults
+            )) {
+                ai.setNotAsserted("Message fails the DerivedKeys requirement");
+                return false;
+            }
+        }
+        
+        if (binding.getSignatureToken() != null) {
+            assertPolicy(aim, binding.getSignatureToken());
+            if (!checkDerivedKeys(
+                binding.getSignatureToken(), hasDerivedKeys, signedResults, encryptedResults
+            )) {
+                ai.setNotAsserted("Message fails the DerivedKeys requirement");
+                return false;
+            }
+        }
+        
+        if (binding.getProtectionToken() != null) {
+            assertPolicy(aim, binding.getProtectionToken());
+            if (!checkDerivedKeys(
+                binding.getProtectionToken(), hasDerivedKeys, signedResults, encryptedResults
+            )) {
+                ai.setNotAsserted("Message fails the DerivedKeys requirement");
+                return false;
+            }
+        }
+        
+        return true;
+    }
+    
+}

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
Wed Oct 26 18:06:32 2011
@@ -38,7 +38,6 @@ import org.apache.ws.security.WSSecurity
  */
 public class TransportBindingPolicyValidator extends AbstractBindingPolicyValidator {
     
-    private List<WSSecurityEngineResult> results;
     private List<WSSecurityEngineResult> signedResults;
     private Message message;
 
@@ -85,21 +84,25 @@ public class TransportBindingPolicyValid
             }
             
             // Check the IncludeTimestamp
-            if (!validateTimestamp(binding.isIncludeTimestamp(), true, results, signedResults,
message)) {
+            if (!validateTimestamp(binding.isIncludeTimestamp(), true, signedResults, message))
{
                 String error = "Received Timestamp does not match the requirements";
                 notAssertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP, error);
+                ai.setNotAsserted(error);
                 return false;
             }
+            assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
             
             // Check the Layout
             Layout layout = binding.getLayout();
             boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTimestampFirst;
             boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTimestampLast;
-            if (!validateLayout(results, timestampFirst, timestampLast)) {
+            if (!validateLayout(timestampFirst, timestampLast)) {
                 String error = "Layout does not match the requirements";
                 notAssertPolicy(aim, SP12Constants.LAYOUT, error);
+                ai.setNotAsserted(error);
                 return false;
             }
+            assertPolicy(aim, SP12Constants.LAYOUT);
         }
         
         // We don't need to check these policies for the Transport binding

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
Wed Oct 26 18:06:32 2011
@@ -61,7 +61,7 @@ public class SAMLTokenProvider implement
     
     private List<AttributeStatementProvider> attributeStatementProviders;
     private List<AuthenticationStatementProvider> authenticationStatementProviders;
-    private List<AuthDecisionStatementProvider> authenticationDecisionStatementProviders;
+    private List<AuthDecisionStatementProvider> authDecisionStatementProviders;
     private SubjectProvider subjectProvider = new DefaultSubjectProvider();
     private ConditionsProvider conditionsProvider = new DefaultConditionsProvider();
     private boolean signToken = true;
@@ -355,11 +355,11 @@ public class SAMLTokenProvider implement
         
         // Parse the AuthDecisionStatements
         List<AuthDecisionStatementBean> authDecisionBeanList = null;
-        if (authenticationDecisionStatementProviders != null 
-            && authenticationDecisionStatementProviders.size() > 0) {
+        if (authDecisionStatementProviders != null 
+            && authDecisionStatementProviders.size() > 0) {
             authDecisionBeanList = new ArrayList<AuthDecisionStatementBean>();
             for (AuthDecisionStatementProvider statementProvider 
-                : authenticationDecisionStatementProviders) {
+                : authDecisionStatementProviders) {
                 AuthDecisionStatementBean statementBean = 
                     statementProvider.getStatement(tokenParameters);
                 if (statementBean != null) {

Modified: cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/DoubleIt.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/DoubleIt.wsdl?rev=1189352&r1=1189351&r2=1189352&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/DoubleIt.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/DoubleIt.wsdl Wed
Oct 26 18:06:32 2011
@@ -538,7 +538,6 @@
                             </wsp:Policy>
                         </sp:Layout>
                         <sp:IncludeTimestamp />
-                        <sp:OnlySignEntireHeadersAndBody />
                     </wsp:Policy>
                 </sp:SymmetricBinding>
                 <sp:EncryptedElements



Mime
View raw message