cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1204470 - in /cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j: ./ policyvalidators/
Date Mon, 21 Nov 2011 12:34:57 GMT
Author: coheigea
Date: Mon Nov 21 12:34:57 2011
New Revision: 1204470

URL: http://svn.apache.org/viewvc?rev=1204470&view=rev
Log:
More WS-SecPol refactoring

Added:
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
Modified:
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1204470&r1=1204469&r2=1204470&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Mon Nov 21 12:34:57 2011
@@ -45,7 +45,6 @@ import org.w3c.dom.NodeList;
 import org.apache.cxf.Bus;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
-import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.helpers.DOMUtils;
@@ -57,17 +56,12 @@ import org.apache.cxf.ws.policy.Assertio
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.SP11Constants;
 import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
 import org.apache.cxf.ws.security.policy.model.ContentEncryptedElements;
 import org.apache.cxf.ws.security.policy.model.Header;
 import org.apache.cxf.ws.security.policy.model.RequiredElements;
 import org.apache.cxf.ws.security.policy.model.RequiredParts;
 import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
 import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.TransportBinding;
-import org.apache.cxf.ws.security.policy.model.TransportToken;
 import org.apache.cxf.ws.security.policy.model.Wss11;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
@@ -84,6 +78,7 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDataRef;
@@ -111,8 +106,8 @@ public class PolicyBasedWSS4JInIntercept
     protected static Map<Object, Properties> getPropertiesCache(SoapMessage message)
{
         EndpointInfo info = message.getExchange().get(Endpoint.class).getEndpointInfo();
         synchronized (info) {
-            Map<Object, Properties> o = CastUtils.cast((Map<?, ?>)message
-                                                       .getContextualProperty(PROPERTIES_CACHE));
+            Map<Object, Properties> o = 
+                CastUtils.cast((Map<?, ?>)message.getContextualProperty(PROPERTIES_CACHE));
             if (o == null) {
                 o = new ConcurrentHashMap<Object, Properties>();
                 info.setProperty(PROPERTIES_CACHE, o);
@@ -164,26 +159,17 @@ public class PolicyBasedWSS4JInIntercept
         return properties;
     }
     
-    private boolean containsPolicy(AssertionInfoMap aim, 
-                                     QName n) {
-        Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
-        return ais != null && !ais.isEmpty();
-    }
-    
     private void handleWSS11(AssertionInfoMap aim, SoapMessage message) {
-        if (!isRequestor(message)) {
-            assertPolicy(aim, SP12Constants.WSS11);
-            return;
-        }
-        message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "false");
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
-        if (ais != null) {
-            for (AssertionInfo ai : ais) {
-                Wss11 wss11 = (Wss11)ai.getAssertion();
-                if (wss11.isRequireSignatureConfirmation()) {
-                    message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "true");
-                } else {
-                    ai.setAsserted(true);
+        if (isRequestor(message)) {
+            message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "false");
+            Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
+            if (ais != null) {
+                for (AssertionInfo ai : ais) {
+                    Wss11 wss11 = (Wss11)ai.getAssertion();
+                    if (wss11.isRequireSignatureConfirmation()) {
+                        message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "true");
+                        break;
+                    }
                 }
             }
         }
@@ -210,121 +196,98 @@ public class PolicyBasedWSS4JInIntercept
         return false;
     }
 
-    private String checkAsymetricBinding(AssertionInfoMap aim, 
-                                 String action, 
-                                 SoapMessage message) {
+    private String checkAsymmetricBinding(
+        AssertionInfoMap aim, String action, SoapMessage message
+    ) {
         Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
-        if (ais != null) {
-            for (AssertionInfo ai : ais) {
-                AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
-                if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning)
{
-                    action = addToAction(action, "Signature", true);
-                    action = addToAction(action, "Encrypt", true);
-                } else {
-                    action = addToAction(action, "Encrypt", true);
-                    action = addToAction(action, "Signature", true);
-                }
-                Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
-                Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
-                if (s != null) {
-                    message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + s.toString());
-                    message.put("RefId-" + s.toString(), getProps(s, message));
-                    if (e == null) {
-                        e = s;
-                    }
-                }
-                if (e != null) {
-                    message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + e.toString());
-                    message.put("RefId-" + e.toString(), getProps(e, message));
-                }
+        if (ais == null || ais.isEmpty()) {
+            return action;
+        }
+        
+        action = addToAction(action, "Signature", true);
+        action = addToAction(action, "Encrypt", true);
+        Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+        Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+        if (s != null) {
+            message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + s.toString());
+            message.put("RefId-" + s.toString(), getProps(s, message));
+            if (e == null) {
+                e = s;
             }
         }
+        if (e != null) {
+            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + e.toString());
+            message.put("RefId-" + e.toString(), getProps(e, message));
+        }
      
         return action;
     }
     
-    private String checkTransportBinding(AssertionInfoMap aim, 
-                                         String action, 
-                                         SoapMessage message) {
-        if (isRequestor(message) && StringUtils.isEmpty(action)) {
-            //for a TransportBinding, these won't come back in the response
-            assertPolicy(aim, SP12Constants.TRANSPORT_BINDING);
-            assertPolicy(aim, SP12Constants.TRANSPORT_TOKEN);
-            assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
+    private String checkTransportBinding(
+        AssertionInfoMap aim, String action, SoapMessage message
+    ) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
+        if (ais == null || ais.isEmpty()) {
+            return action;
         }
         
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
-        if (ais != null) {
-            for (AssertionInfo ai : ais) {
-                TransportBinding binding = (TransportBinding)ai.getAssertion();
-                TransportToken token = binding.getTransportToken();
-                if (token != null) {
-                    action = addToAction(action, "Signature", true);
-                    action = addToAction(action, "Encrypt", true);
-                    Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
-                    Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
-                    if (s != null) {
-                        message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + s.toString());
-                        message.put("RefId-" + s.toString(), getProps(s, message));
-                        if (e == null) {
-                            e = s;
-                        }
-                    }
-                    if (e != null) {
-                        message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + e.toString());
-                        message.put("RefId-" + e.toString(), getProps(e, message));
-                    }
-                }
+        action = addToAction(action, "Signature", true);
+        action = addToAction(action, "Encrypt", true);
+        Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+        Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+        if (s != null) {
+            message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + s.toString());
+            message.put("RefId-" + s.toString(), getProps(s, message));
+            if (e == null) {
+                e = s;
             }
         }
-        
+        if (e != null) {
+            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + e.toString());
+            message.put("RefId-" + e.toString(), getProps(e, message));
+        }
+
         return action;
     }
     
-    private String checkSymetricBinding(AssertionInfoMap aim, 
-                                String action, 
-                                SoapMessage message) {
+    private String checkSymmetricBinding(
+        AssertionInfoMap aim, String action, SoapMessage message
+    ) {
         Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
-        if (ais != null) {
-            for (AssertionInfo ai : ais) {
-                SymmetricBinding abinding = (SymmetricBinding)ai.getAssertion();
-                if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning)
{
-                    action = addToAction(action, "Signature", true);
-                    action = addToAction(action, "Encrypt", true);
-                } else {
-                    action = addToAction(action, "Encrypt", true);
-                    action = addToAction(action, "Signature", true);
-                }
-                Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
-                Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
-                if (abinding.getProtectionToken() != null) {
-                    if (e != null && s == null) {
-                        s = e;
-                    } else if (s != null && e == null) {
-                        e = s;
-                    }
-                }
-                if (isRequestor(message)) {
-                    if (e != null) {
-                        message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + e.toString());
-                        message.put("RefId-" + e.toString(), getProps(e, message));
-                    }
-                    if (s != null) {
-                        message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + s.toString());
-                        message.put("RefId-" + s.toString(), getProps(s, message));
-                    }
-                } else {
-                    if (s != null) {
-                        message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + s.toString());
-                        message.put("RefId-" + s.toString(), getProps(s, message));
-                    }
-                    if (e != null) {
-                        message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + e.toString());
-                        message.put("RefId-" + e.toString(), getProps(e, message));
-                    }
-                }
+        if (ais == null || ais.isEmpty()) {
+            return action;
+        }
+        
+        action = addToAction(action, "Signature", true);
+        action = addToAction(action, "Encrypt", true);
+        Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+        Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+        if (e != null && s == null) {
+            s = e;
+        } else if (s != null && e == null) {
+            e = s;
+        }
+        
+        if (isRequestor(message)) {
+            if (e != null) {
+                message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + e.toString());
+                message.put("RefId-" + e.toString(), getProps(e, message));
+            }
+            if (s != null) {
+                message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + s.toString());
+                message.put("RefId-" + s.toString(), getProps(s, message));
+            }
+        } else {
+            if (s != null) {
+                message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + s.toString());
+                message.put("RefId-" + s.toString(), getProps(s, message));
+            }
+            if (e != null) {
+                message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + e.toString());
+                message.put("RefId-" + e.toString(), getProps(e, message));
             }
         }
+        
         return action;
     }
     
@@ -410,40 +373,19 @@ public class PolicyBasedWSS4JInIntercept
     }
     
     protected void computeAction(SoapMessage message, RequestData data) {
-        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        // extract Assertion information
         String action = getString(WSHandlerConstants.ACTION, message);
         if (action == null) {
             action = "";
         }
+        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
         if (aim != null) {
-            if (containsPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP)) {
-                action = addToAction(action, WSHandlerConstants.TIMESTAMP, true);
-            }
-            if (containsPolicy(aim, SP12Constants.USERNAME_TOKEN)) {
-                if (isRequestor(message)) {
-                    assertPolicy(aim, SP12Constants.USERNAME_TOKEN);
-                } else {
-                    action = addToAction(action, WSHandlerConstants.USERNAME_TOKEN, true);
-                }
-            }
-            if (containsPolicy(aim, SP12Constants.SAML_TOKEN) && isRequestor(message))
{
-                assertPolicy(aim, SP12Constants.SAML_TOKEN);
-            }
-            
-            //relatively irrelevant stuff from a verification standpoint
-            assertPolicy(aim, SP12Constants.LAYOUT);
-            assertPolicy(aim, SP12Constants.WSS10);
-            assertPolicy(aim, SP12Constants.TRUST_13);
-            assertPolicy(aim, SP11Constants.TRUST_10);
-            
             //things that DO impact setup
             handleWSS11(aim, message);
-            action = checkAsymetricBinding(aim, action, message);
-            action = checkSymetricBinding(aim, action, message);
+            action = checkAsymmetricBinding(aim, action, message);
+            action = checkSymmetricBinding(aim, action, message);
             action = checkTransportBinding(aim, action, message);
             
-            //stuff we can default to asserted and un-assert if a condition isn't met
+            // stuff we can default to asserted and un-assert if a condition isn't met
             assertPolicy(aim, SP12Constants.KEYVALUE_TOKEN);
 
             message.put(WSHandlerConstants.ACTION, action.trim());
@@ -464,61 +406,75 @@ public class PolicyBasedWSS4JInIntercept
         Collection<WSDataRef> encrypted = new HashSet<WSDataRef>();
         
         //
-        // Prefetch all signature results
+        // Pre-fetch various results
         //
         List<WSSecurityEngineResult> signedResults = new ArrayList<WSSecurityEngineResult>();
         WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN, signedResults);
-
-        for (WSSecurityEngineResult wser : results) {
-            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-            switch (actInt.intValue()) {   
-            case WSConstants.SIGN:
-                List<WSDataRef> sl = CastUtils.cast((List<?>)wser
-                                                       .get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
-                if (sl != null) {
-                    for (WSDataRef r : sl) {
-                        signed.add(r);
-                    }
+        for (WSSecurityEngineResult result : signedResults) {
+            List<WSDataRef> sl = 
+                CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+            if (sl != null) {
+                for (WSDataRef r : sl) {
+                    signed.add(r);
                 }
-                break;
-            case WSConstants.ENCR:
-                List<WSDataRef> el = CastUtils.cast((List<?>)wser
-                                                       .get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
-                if (el != null) {
-                    for (WSDataRef r : el) {
-                        encrypted.add(r);
-                    }
-                }
-                break;
-            case WSConstants.UT:
-            case WSConstants.UT_NOPASSWORD:
-                if (utWithCallbacks) {
-                    UsernameTokenPolicyValidator utValidator = 
-                        new UsernameTokenPolicyValidator(msg);
-                    utValidator.validatePolicy(aim, wser);
-                } else {
-                    Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
-                    if (ais != null) {
-                        for (AssertionInfo ai : ais) {
-                            ai.setAsserted(true);
-                        }
-                    }
+            }
+        }
+        
+        List<WSSecurityEngineResult> encryptResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ENCR, encryptResults);
+        for (WSSecurityEngineResult result : encryptResults) {
+            List<WSDataRef> sl = 
+                CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+            if (sl != null) {
+                for (WSDataRef r : sl) {
+                    encrypted.add(r);
                 }
-                break;
-            case WSConstants.ST_SIGNED:
-            case WSConstants.ST_UNSIGNED:
-                SamlTokenPolicyValidator validator = 
-                    new SamlTokenPolicyValidator(soapBody, signedResults, msg);
-                validator.validatePolicy(aim, wser);
-                break;
-            case WSConstants.SC:
-                assertPolicy(aim, SP12Constants.WSS11);
-                break;
-            default:
-                //System.out.println(actInt);
-            }                        
+            }
+        }
+        
+        /*
+        WSSecurityEngineResult tsResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
+        Element timestamp = null;
+        if (tsResult != null) {
+            Timestamp ts = (Timestamp)tsResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
+            timestamp = ts.getElement();
         }
+        */
         
+        //
+        // Check policies
+        //
+        checkSignedEncryptedCoverage(aim, msg, soapHeader, soapBody, signed, encrypted);
+        
+        checkTokenCoverage(aim, msg, soapBody, results, signedResults, utWithCallbacks);
+        
+        checkBindingCoverage(aim, msg, results, signedResults);
+
+        checkSupportingTokenCoverage(aim, msg, results, signedResults, utWithCallbacks);
+        
+        // The supporting tokens are already validated
+        assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
+        
+        // relatively irrelevant stuff from a verification standpoint
+        assertPolicy(aim, SP12Constants.LAYOUT);
+        assertPolicy(aim, SP12Constants.WSS10);
+        assertPolicy(aim, SP12Constants.TRUST_13);
+        assertPolicy(aim, SP11Constants.TRUST_10);
+        
+        super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);
+    }
+    
+    /**
+     * Check SignedParts, EncryptedParts, SignedElements, EncryptedElements, RequiredParts,
etc.
+     */
+    private void checkSignedEncryptedCoverage(
+        AssertionInfoMap aim,
+        SoapMessage msg,
+        Element soapHeader,
+        Element soapBody,
+        Collection<WSDataRef> signed, 
+        Collection<WSDataRef> encrypted
+    ) throws SOAPException {
         CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encrypted);
         
         //
@@ -542,62 +498,118 @@ public class PolicyBasedWSS4JInIntercept
                 CoverageType.ENCRYPTED, CoverageScope.CONTENT);
         
         assertHeadersExists(aim, msg, soapHeader);
+    }
+    
+    /**
+     * Check the token coverage
+     */
+    private void checkTokenCoverage(
+        AssertionInfoMap aim,
+        SoapMessage msg,
+        Element soapBody,
+        List<WSSecurityEngineResult> results, 
+        List<WSSecurityEngineResult> signedResults, 
+        boolean utWithCallbacks
+    ) {
+        List<WSSecurityEngineResult> utResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, utResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, utResults);
+        
+        List<WSSecurityEngineResult> samlResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
         
         X509TokenPolicyValidator x509Validator = new X509TokenPolicyValidator(msg, results);
         x509Validator.validatePolicy(aim);
         
+        if (utWithCallbacks) {
+            UsernameTokenPolicyValidator utValidator = 
+                new UsernameTokenPolicyValidator(msg, results);
+            utValidator.validatePolicy(aim);
+        } else {
+            Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
+            if (ais != null) {
+                for (AssertionInfo ai : ais) {
+                    ai.setAsserted(true);
+                }
+            }
+        }
+        
+        SamlTokenPolicyValidator samlValidator = 
+            new SamlTokenPolicyValidator(soapBody, signedResults, msg, results);
+        samlValidator.validatePolicy(aim);
+        
+        SecurityContextTokenPolicyValidator sctValidator = 
+            new SecurityContextTokenPolicyValidator(msg, results);
+        sctValidator.validatePolicy(aim);
+        
+        WSS11PolicyValidator wss11Validator = new WSS11PolicyValidator(msg, results);
+        wss11Validator.validatePolicy(aim);
+    }
+    
+    /**
+     * Check the binding coverage
+     */
+    private void checkBindingCoverage(
+        AssertionInfoMap aim, 
+        SoapMessage msg,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
         TransportBindingPolicyValidator transportValidator = 
             new TransportBindingPolicyValidator(msg, results, signedResults);
         transportValidator.validatePolicy(aim);
-        
+            
         SymmetricBindingPolicyValidator symmetricValidator = 
             new SymmetricBindingPolicyValidator(msg, results, signedResults);
         symmetricValidator.validatePolicy(aim);
-        
+
         AsymmetricBindingPolicyValidator asymmetricValidator = 
             new AsymmetricBindingPolicyValidator(msg, results, signedResults);
         asymmetricValidator.validatePolicy(aim);
-        
-        SecurityContextTokenPolicyValidator sctValidator = 
-            new SecurityContextTokenPolicyValidator(msg, results);
-        sctValidator.validatePolicy(aim);
-        
+    }
+    
+    /**
+     * Check the supporting token coverage
+     */
+    private void checkSupportingTokenCoverage(
+        AssertionInfoMap aim,
+        SoapMessage msg,
+        List<WSSecurityEngineResult> results, 
+        List<WSSecurityEngineResult> signedResults, 
+        boolean utWithCallbacks
+    ) {
         SignedTokenPolicyValidator suppValidator = 
             new SignedTokenPolicyValidator(msg, results, signedResults);
         suppValidator.setValidateUsernameToken(utWithCallbacks);
         suppValidator.validatePolicy(aim);
-        
+
         EndorsingTokenPolicyValidator endorsingValidator = 
             new EndorsingTokenPolicyValidator(msg, results, signedResults);
         endorsingValidator.validatePolicy(aim);
-        
+
         SignedEndorsingTokenPolicyValidator signedEdorsingValidator = 
             new SignedEndorsingTokenPolicyValidator(msg, results, signedResults);
         signedEdorsingValidator.validatePolicy(aim);
-        
+
         SignedEncryptedTokenPolicyValidator signedEncryptedValidator = 
             new SignedEncryptedTokenPolicyValidator(msg, results, signedResults);
         signedEncryptedValidator.setValidateUsernameToken(utWithCallbacks);
         signedEncryptedValidator.validatePolicy(aim);
-        
+
         EncryptedTokenPolicyValidator encryptedValidator = 
             new EncryptedTokenPolicyValidator(msg, results, signedResults);
         encryptedValidator.setValidateUsernameToken(utWithCallbacks);
         encryptedValidator.validatePolicy(aim);
-        
+
         EndorsingEncryptedTokenPolicyValidator endorsingEncryptedValidator = 
             new EndorsingEncryptedTokenPolicyValidator(msg, results, signedResults);
         endorsingEncryptedValidator.setValidateUsernameToken(utWithCallbacks);
         endorsingEncryptedValidator.validatePolicy(aim);
-        
+
         SignedEndorsingEncryptedTokenPolicyValidator signedEndorsingEncryptedValidator =

             new SignedEndorsingEncryptedTokenPolicyValidator(msg, results, signedResults);
         signedEndorsingEncryptedValidator.validatePolicy(aim);
-        
-        // The supporting tokens are already validated
-        assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
-        
-        super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);
     }
     
     private void assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, Node header)


Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1204470&r1=1204469&r2=1204470&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Mon Nov 21 12:34:57 2011
@@ -20,6 +20,7 @@
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
 import java.security.cert.Certificate;
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
@@ -32,10 +33,12 @@ import org.apache.cxf.ws.policy.Assertio
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.model.SamlToken;
+import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDataRef;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
 import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.apache.ws.security.util.WSSecurityUtil;
 
 import org.opensaml.common.SAMLVersion;
 
@@ -48,40 +51,49 @@ public class SamlTokenPolicyValidator ex
     private List<WSSecurityEngineResult> signedResults;
     private Element soapBody;
     private Message message;
+    private List<WSSecurityEngineResult> samlResults;
 
     public SamlTokenPolicyValidator(
         Element soapBody,
         List<WSSecurityEngineResult> signedResults,
-        Message message
+        Message message,
+        List<WSSecurityEngineResult> results
     ) {
         this.soapBody = soapBody;
         this.signedResults = signedResults;
         this.message = message;
+        samlResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
     }
     
     public boolean validatePolicy(
-        AssertionInfoMap aim,
-        WSSecurityEngineResult wser
+        AssertionInfoMap aim
     ) {
         Collection<AssertionInfo> samlAis = aim.get(SP12Constants.SAML_TOKEN);
-        if (samlAis != null && !samlAis.isEmpty()) {
-            for (AssertionInfo ai : samlAis) {
+        if (samlAis == null || samlAis.isEmpty()) {
+            return true;
+        }
+        
+        for (AssertionInfo ai : samlAis) {
+            SamlToken samlToken = (SamlToken)ai.getAssertion();
+            ai.setAsserted(true);
+
+            boolean tokenRequired = isTokenRequired(samlToken, message);
+            if (tokenRequired && samlResults.isEmpty()) {
+                ai.setNotAsserted(
+                    "The received token does not match the token inclusion requirement"
+                );
+                return false;
+            }
+            if (!tokenRequired) {
+                continue;
+            }
+
+            for (WSSecurityEngineResult result : samlResults) {
                 AssertionWrapper assertionWrapper = 
-                    (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-                SamlToken samlToken = (SamlToken)ai.getAssertion();
-                ai.setAsserted(true);
+                    (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                 
-                boolean tokenRequired = isTokenRequired(samlToken, message);
-                if (tokenRequired && assertionWrapper == null) {
-                    ai.setNotAsserted(
-                        "The received token does not match the token inclusion requirement"
-                    );
-                    return false;
-                }
-                if (!tokenRequired) {
-                    continue;
-                }
-
                 if (!checkVersion(samlToken, assertionWrapper)) {
                     ai.setNotAsserted("Wrong SAML Version");
                     return false;
@@ -100,12 +112,13 @@ public class SamlTokenPolicyValidator ex
                     return false;
                 }
                 /*
-                if (!checkIssuerName(samlToken, assertionWrapper)) {
-                    ai.setNotAsserted("Wrong IssuerName");
-                }
-                */
+                    if (!checkIssuerName(samlToken, assertionWrapper)) {
+                        ai.setNotAsserted("Wrong IssuerName");
+                    }
+                 */
             }
         }
+        
         return true;
     }
     

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java?rev=1204470&r1=1204469&r2=1204470&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
Mon Nov 21 12:34:57 2011
@@ -19,14 +19,18 @@
 
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
+import java.util.ArrayList;
 import java.util.Collection;
+import java.util.List;
 
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.message.token.UsernameToken;
+import org.apache.ws.security.util.WSSecurityUtil;
 
 /**
  * Validate a WSSecurityEngineResult corresponding to the processing of a UsernameToken
@@ -35,56 +39,71 @@ import org.apache.ws.security.message.to
 public class UsernameTokenPolicyValidator extends AbstractTokenPolicyValidator {
     
     private Message message;
+    private List<WSSecurityEngineResult> utResults;
 
     public UsernameTokenPolicyValidator(
-        Message message
+        Message message,
+        List<WSSecurityEngineResult> results
     ) {
         this.message = message;
+        utResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, utResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, utResults);
     }
     
     public boolean validatePolicy(
-        AssertionInfoMap aim,
-        WSSecurityEngineResult wser
+        AssertionInfoMap aim
     ) {
         Collection<AssertionInfo> utAis = aim.get(SP12Constants.USERNAME_TOKEN);
-        if (utAis != null && !utAis.isEmpty()) {
-            for (AssertionInfo ai : utAis) {
-                UsernameToken usernameToken = 
-                    (UsernameToken)wser.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
-                org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy
= 
-                    (org.apache.cxf.ws.security.policy.model.UsernameToken)ai.getAssertion();
-                ai.setAsserted(true);
-                
-                boolean tokenRequired = isTokenRequired(usernameTokenPolicy, message);
-                if (tokenRequired && usernameToken == null) {
-                    ai.setNotAsserted(
-                        "The received token does not match the token inclusion requirement"
-                    );
-                    return false;
-                }
-                if (!tokenRequired) {
-                    continue;
-                }
-                
-                if (usernameTokenPolicy.isHashPassword() != usernameToken.isHashed()) {
-                    ai.setNotAsserted("Password hashing policy not enforced");
-                    return false;
-                }
-                if (usernameTokenPolicy.isNoPassword() && usernameToken.getPassword()
!= null) {
-                    ai.setNotAsserted("Username Token NoPassword policy not enforced");
-                    return false;
-                }
-                if (usernameTokenPolicy.isRequireCreated() 
-                    && (usernameToken.getCreated() == null || usernameToken.isHashed()))
{
-                    ai.setNotAsserted("Username Token Created policy not enforced");
-                    return false;
-                }
-                if (usernameTokenPolicy.isRequireNonce() 
-                    && (usernameToken.getNonce() == null || usernameToken.isHashed()))
{
-                    ai.setNotAsserted("Username Token Nonce policy not enforced");
-                    return false;
-                }
+        if (utAis == null || utAis.isEmpty()) {
+            return true;
+        }
+        
+        for (AssertionInfo ai : utAis) {
+            org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy = 
+                (org.apache.cxf.ws.security.policy.model.UsernameToken)ai.getAssertion();
+            ai.setAsserted(true);
+
+            boolean tokenRequired = isTokenRequired(usernameTokenPolicy, message);
+            if (tokenRequired && utResults.isEmpty()) {
+                ai.setNotAsserted(
+                    "The received token does not match the token inclusion requirement"
+                );
+                return false;
+            }
+            
+            if (tokenRequired && !checkTokens(usernameTokenPolicy, ai)) {
+                return false;
+            }
 
+        }
+        return true;
+    }
+    
+    public boolean checkTokens(
+        org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy,
+        AssertionInfo ai
+    ) {
+        for (WSSecurityEngineResult result : utResults) {
+            UsernameToken usernameToken = 
+                (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
+            if (usernameTokenPolicy.isHashPassword() != usernameToken.isHashed()) {
+                ai.setNotAsserted("Password hashing policy not enforced");
+                return false;
+            }
+            if (usernameTokenPolicy.isNoPassword() && usernameToken.getPassword()
!= null) {
+                ai.setNotAsserted("Username Token NoPassword policy not enforced");
+                return false;
+            }
+            if (usernameTokenPolicy.isRequireCreated() 
+                    && (usernameToken.getCreated() == null || usernameToken.isHashed()))
{
+                ai.setNotAsserted("Username Token Created policy not enforced");
+                return false;
+            }
+            if (usernameTokenPolicy.isRequireNonce() 
+                && (usernameToken.getNonce() == null || usernameToken.isHashed()))
{
+                ai.setNotAsserted("Username Token Nonce policy not enforced");
+                return false;
             }
         }
         return true;

Added: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java?rev=1204470&view=auto
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
(added)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
Mon Nov 21 12:34:57 2011
@@ -0,0 +1,79 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.Wss11;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+/**
+ * Validate a WSS11 policy.
+ */
+public class WSS11PolicyValidator {
+    
+    private List<WSSecurityEngineResult> scResults;
+    private Message message;
+
+    public WSS11PolicyValidator(
+        Message message,
+        List<WSSecurityEngineResult> results
+    ) {
+        this.message = message;
+        scResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.SC, scResults);
+    }
+    
+    public boolean validatePolicy(
+        AssertionInfoMap aim
+    ) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
+        if (ais == null || ais.isEmpty()) {
+            return true;
+        }
+        
+        for (AssertionInfo ai : ais) {
+            Wss11 wss11 = (Wss11)ai.getAssertion();
+            ai.setAsserted(true);
+
+            if (!MessageUtils.isRequestor(message)) {
+                continue;
+            }
+            
+            if (wss11.isRequireSignatureConfirmation() && scResults.isEmpty()) {
+                ai.setNotAsserted(
+                    "Signature Confirmation policy validation failed"
+                );
+                return false;
+            }
+        }
+        return true;
+    }
+    
+}

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java?rev=1204470&r1=1204469&r2=1204470&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
Mon Nov 21 12:34:57 2011
@@ -59,26 +59,28 @@ public class X509TokenPolicyValidator ex
         AssertionInfoMap aim
     ) {
         Collection<AssertionInfo> x509Ais = aim.get(SP12Constants.X509_TOKEN);
-        if (x509Ais != null && !x509Ais.isEmpty()) {
-            for (AssertionInfo ai : x509Ais) {
-                X509Token x509TokenPolicy = (X509Token)ai.getAssertion();
-                ai.setAsserted(true);
-                
-                if (!isTokenRequired(x509TokenPolicy, message)) {
-                    continue;
-                }
-                
-                if (bstResults.isEmpty()) {
-                    ai.setNotAsserted(
-                        "The received token does not match the token inclusion requirement"
-                    );
-                    return false;
-                }
-                
-                if (!checkTokenType(x509TokenPolicy.getTokenVersionAndType())) {
-                    ai.setNotAsserted("An incorrect X.509 Token Type is detected");
-                    return false;
-                }
+        if (x509Ais == null || x509Ais.isEmpty()) {
+            return true;
+        }
+        
+        for (AssertionInfo ai : x509Ais) {
+            X509Token x509TokenPolicy = (X509Token)ai.getAssertion();
+            ai.setAsserted(true);
+
+            if (!isTokenRequired(x509TokenPolicy, message)) {
+                continue;
+            }
+
+            if (bstResults.isEmpty()) {
+                ai.setNotAsserted(
+                    "The received token does not match the token inclusion requirement"
+                );
+                return false;
+            }
+
+            if (!checkTokenType(x509TokenPolicy.getTokenVersionAndType())) {
+                ai.setNotAsserted("An incorrect X.509 Token Type is detected");
+                return false;
             }
         }
         return true;



Mime
View raw message