Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 786507F13 for ; Mon, 21 Nov 2011 12:31:30 +0000 (UTC) Received: (qmail 36192 invoked by uid 500); 21 Nov 2011 12:31:30 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 36135 invoked by uid 500); 21 Nov 2011 12:31:29 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 36128 invoked by uid 99); 21 Nov 2011 12:31:29 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 Nov 2011 12:31:29 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 21 Nov 2011 12:31:22 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 841C523889DE for ; Mon, 21 Nov 2011 12:31:02 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1204467 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j: ./ policyvalidators/ Date: Mon, 21 Nov 2011 12:31:02 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20111121123102.841C523889DE@eris.apache.org> Author: coheigea Date: Mon Nov 21 12:31:01 2011 New Revision: 1204467 URL: http://svn.apache.org/viewvc?rev=1204467&view=rev Log: More WS-SecPol refactoring Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1204467&r1=1204466&r2=1204467&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Mon Nov 21 12:31:01 2011 @@ -45,7 +45,6 @@ import org.w3c.dom.NodeList; import org.apache.cxf.Bus; import org.apache.cxf.binding.soap.SoapMessage; import org.apache.cxf.common.classloader.ClassLoaderUtils; -import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.endpoint.Endpoint; import org.apache.cxf.helpers.CastUtils; import org.apache.cxf.helpers.DOMUtils; 
@@ -57,17 +56,12 @@ import org.apache.cxf.ws.policy.Assertio import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.policy.SP11Constants; import org.apache.cxf.ws.security.policy.SP12Constants; -import org.apache.cxf.ws.security.policy.SPConstants; -import org.apache.cxf.ws.security.policy.model.AsymmetricBinding; import org.apache.cxf.ws.security.policy.model.ContentEncryptedElements; import org.apache.cxf.ws.security.policy.model.Header; import org.apache.cxf.ws.security.policy.model.RequiredElements; import org.apache.cxf.ws.security.policy.model.RequiredParts; import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements; import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts; -import org.apache.cxf.ws.security.policy.model.SymmetricBinding; -import org.apache.cxf.ws.security.policy.model.TransportBinding; -import org.apache.cxf.ws.security.policy.model.TransportToken; import org.apache.cxf.ws.security.policy.model.Wss11; import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope; import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType; @@ -84,6 +78,7 @@ import org.apache.cxf.ws.security.wss4j. import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator; +import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator; import org.apache.ws.security.WSConstants; import org.apache.ws.security.WSDataRef; 
@@ -111,8 +106,8 @@ public class PolicyBasedWSS4JInIntercept protected static Map getPropertiesCache(SoapMessage message) { EndpointInfo info = message.getExchange().get(Endpoint.class).getEndpointInfo(); synchronized (info) { - Map o = CastUtils.cast((Map)message - .getContextualProperty(PROPERTIES_CACHE)); + Map o = + CastUtils.cast((Map)message.getContextualProperty(PROPERTIES_CACHE)); if (o == null) { o = new ConcurrentHashMap(); info.setProperty(PROPERTIES_CACHE, o); @@ -164,26 +159,17 @@ public class PolicyBasedWSS4JInIntercept return properties; } - private boolean containsPolicy(AssertionInfoMap aim, - QName n) { - Collection ais = aim.getAssertionInfo(n); - return ais != null && !ais.isEmpty(); - } - private void handleWSS11(AssertionInfoMap aim, SoapMessage message) { - if (!isRequestor(message)) { - assertPolicy(aim, SP12Constants.WSS11); - return; - } - message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "false"); - Collection ais = aim.get(SP12Constants.WSS11); - if (ais != null) { - for (AssertionInfo ai : ais) { - Wss11 wss11 = (Wss11)ai.getAssertion(); - if (wss11.isRequireSignatureConfirmation()) { - message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "true"); - } else { - ai.setAsserted(true); + if (isRequestor(message)) { + message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "false"); + Collection ais = aim.get(SP12Constants.WSS11); + if (ais != null) { + for (AssertionInfo ai : ais) { + Wss11 wss11 = (Wss11)ai.getAssertion(); + if (wss11.isRequireSignatureConfirmation()) { + message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "true"); + break; + } } } } 
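Review bot: handleWSS11 no longer asserts the Wss11 assertion on either side (the `assertPolicy(aim, SP12Constants.WSS11)` and `ai.setAsserted(true)` lines are removed), so the method now only configures WSS4J's signature-confirmation processing for the requestor, and a reader will look here for the assertion. A comment stating where it moved would help, e.g. `// Only sets up signature-confirmation processing; the Wss11 assertion itself is evaluated by WSS11PolicyValidator from doResults()`. That relies on WSS11PolicyValidator being reached through checkTokenCoverage, which the rest of this commit shows. handleWSS11's closing brace lies outside the hunk.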
@@ -210,121 +196,98 @@ public class PolicyBasedWSS4JInIntercept return false; } - private String checkAsymetricBinding(AssertionInfoMap aim, - String action, - SoapMessage message) { + private String checkAsymmetricBinding( + AssertionInfoMap aim, String action, SoapMessage message + ) { Collection ais = aim.get(SP12Constants.ASYMMETRIC_BINDING); - if (ais != null) { - for (AssertionInfo ai : ais) { - AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion(); - if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) { - action = addToAction(action, "Signature", true); - action = addToAction(action, "Encrypt", true); - } else { - action = addToAction(action, "Encrypt", true); - action = addToAction(action, "Signature", true); - } - Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES); - Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES); - if (s != null) { - message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + s.toString()); - message.put("RefId-" + s.toString(), getProps(s, message)); - if (e == null) { - e = s; - } - } - if (e != null) { - message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + e.toString()); - message.put("RefId-" + e.toString(), getProps(e, message)); - } + if (ais == null || ais.isEmpty()) { + return action; + } + + action = addToAction(action, "Signature", true); + action = addToAction(action, "Encrypt", true); + Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES); + Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES); + if (s != null) { + message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + s.toString()); + message.put("RefId-" + s.toString(), getProps(s, message)); + if (e == null) { + e = s; } } + if (e != null) { + message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + e.toString()); + message.put("RefId-" + e.toString(), getProps(e, message)); + } return action; } - 
private String checkTransportBinding(AssertionInfoMap aim, - String action, - SoapMessage message) { - if (isRequestor(message) && StringUtils.isEmpty(action)) { - //for a TransportBinding, these won't come back in the response - assertPolicy(aim, SP12Constants.TRANSPORT_BINDING); - assertPolicy(aim, SP12Constants.TRANSPORT_TOKEN); - assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS); + private String checkTransportBinding( + AssertionInfoMap aim, String action, SoapMessage message + ) { + Collection ais = aim.get(SP12Constants.TRANSPORT_BINDING); + if (ais == null || ais.isEmpty()) { + return action; } - Collection ais = aim.get(SP12Constants.TRANSPORT_BINDING); - if (ais != null) { - for (AssertionInfo ai : ais) { - TransportBinding binding = (TransportBinding)ai.getAssertion(); - TransportToken token = binding.getTransportToken(); - if (token != null) { - action = addToAction(action, "Signature", true); - action = addToAction(action, "Encrypt", true); - Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES); - Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES); - if (s != null) { - message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + s.toString()); - message.put("RefId-" + s.toString(), getProps(s, message)); - if (e == null) { - e = s; - } - } - if (e != null) { - message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + e.toString()); - message.put("RefId-" + e.toString(), getProps(e, message)); - } - } + action = addToAction(action, "Signature", true); + action = addToAction(action, "Encrypt", true); + Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES); + Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES); + if (s != null) { + message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + s.toString()); + message.put("RefId-" + s.toString(), getProps(s, message)); + if (e == null) { + e = s; } } - + if (e != null) { + 
message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + e.toString()); + message.put("RefId-" + e.toString(), getProps(e, message)); + } + return action; } - private String checkSymetricBinding(AssertionInfoMap aim, - String action, - SoapMessage message) { + private String checkSymmetricBinding( + AssertionInfoMap aim, String action, SoapMessage message + ) { Collection ais = aim.get(SP12Constants.SYMMETRIC_BINDING); - if (ais != null) { - for (AssertionInfo ai : ais) { - SymmetricBinding abinding = (SymmetricBinding)ai.getAssertion(); - if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) { - action = addToAction(action, "Signature", true); - action = addToAction(action, "Encrypt", true); - } else { - action = addToAction(action, "Encrypt", true); - action = addToAction(action, "Signature", true); - } - Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES); - Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES); - if (abinding.getProtectionToken() != null) { - if (e != null && s == null) { - s = e; - } else if (s != null && e == null) { - e = s; - } - } - if (isRequestor(message)) { - if (e != null) { - message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + e.toString()); - message.put("RefId-" + e.toString(), getProps(e, message)); - } - if (s != null) { - message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + s.toString()); - message.put("RefId-" + s.toString(), getProps(s, message)); - } - } else { - if (s != null) { - message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + s.toString()); - message.put("RefId-" + s.toString(), getProps(s, message)); - } - if (e != null) { - message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + e.toString()); - message.put("RefId-" + e.toString(), getProps(e, message)); - } - } + if (ais == null || ais.isEmpty()) { + return action; + } + + action = addToAction(action, "Signature", true); + action = addToAction(action, 
"Encrypt", true); + Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES); + Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES); + if (e != null && s == null) { + s = e; + } else if (s != null && e == null) { + e = s; + } + + if (isRequestor(message)) { + if (e != null) { + message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + e.toString()); + message.put("RefId-" + e.toString(), getProps(e, message)); + } + if (s != null) { + message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + s.toString()); + message.put("RefId-" + s.toString(), getProps(s, message)); + } + } else { + if (s != null) { + message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + s.toString()); + message.put("RefId-" + s.toString(), getProps(s, message)); + } + if (e != null) { + message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + e.toString()); + message.put("RefId-" + e.toString(), getProps(e, message)); } } + return action; } 
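Review bot: In checkSymmetricBinding the fallback between the two crypto property sets (`if (e != null && s == null) { s = e; } else if (s != null && e == null) { e = s; }`) now runs unconditionally, whereas the removed code only applied it when the binding carried a ProtectionToken; with distinct signature and encryption tokens a missing SIGNATURE_PROPERTIES or ENCRYPT_PROPERTIES is now silently filled from the other instead of staying unset. If that is intended, say so, e.g. `// With only one of SIGNATURE_PROPERTIES/ENCRYPT_PROPERTIES configured, reuse it for both roles`; otherwise the ProtectionToken guard should come back. The same hunk also drops the ProtectionOrder-dependent ordering of the Signature/Encrypt actions in checkAsymmetricBinding and checkSymmetricBinding, and checkTransportBinding no longer asserts TRANSPORT_BINDING, TRANSPORT_TOKEN and SUPPORTING_TOKENS for an empty requestor action; presumably TransportBindingPolicyValidator, run from checkBindingCoverage, covers that now, which a one-line comment at the top of checkTransportBinding could record.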
@@ -410,40 +373,19 @@ public class PolicyBasedWSS4JInIntercept } protected void computeAction(SoapMessage message, RequestData data) { - AssertionInfoMap aim = message.get(AssertionInfoMap.class); - // extract Assertion information String action = getString(WSHandlerConstants.ACTION, message); if (action == null) { action = ""; } + AssertionInfoMap aim = message.get(AssertionInfoMap.class); if (aim != null) { - if (containsPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP)) { - action = addToAction(action, WSHandlerConstants.TIMESTAMP, true); - } - if (containsPolicy(aim, SP12Constants.USERNAME_TOKEN)) { - if (isRequestor(message)) { - assertPolicy(aim, SP12Constants.USERNAME_TOKEN); - } else { - action = addToAction(action, WSHandlerConstants.USERNAME_TOKEN, true); - } - } - if (containsPolicy(aim, SP12Constants.SAML_TOKEN) && isRequestor(message)) { - assertPolicy(aim, SP12Constants.SAML_TOKEN); - } - - //relatively irrelevant stuff from a verification standpoint - assertPolicy(aim, SP12Constants.LAYOUT); - assertPolicy(aim, SP12Constants.WSS10); - assertPolicy(aim, SP12Constants.TRUST_13); - assertPolicy(aim, SP11Constants.TRUST_10); - //things that DO impact setup handleWSS11(aim, message); - action = checkAsymetricBinding(aim, action, message); - action = checkSymetricBinding(aim, action, message); + action = checkAsymmetricBinding(aim, action, message); + action = checkSymmetricBinding(aim, action, message); action = checkTransportBinding(aim, action, message); - //stuff we can default to asserted and un-assert if a condition isn't met + // stuff we can default to asserted and un-assert if a condition isn't met assertPolicy(aim, SP12Constants.KEYVALUE_TOKEN); message.put(WSHandlerConstants.ACTION, action.trim()); 
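Review bot: computeAction no longer adds the TIMESTAMP and USERNAME_TOKEN actions for an IncludeTimestamp or UsernameToken policy and no longer asserts USERNAME_TOKEN/SAML_TOKEN for the requestor, so the WSS4J action string is now derived from the bindings alone; whether the inbound action list still has to name every expected action cannot be seen from this hunk. If it is now only used for crypto and property setup, a comment before `handleWSS11(aim, message);` such as `// The action string only drives WSS4J crypto/property setup; token presence is verified by the policy validators in doResults()` would record that decision. Removing the `containsPolicy` helper in the earlier hunk is consistent with that reading. computeAction's closing brace lies outside the hunk.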
@@ -464,61 +406,75 @@ public class PolicyBasedWSS4JInIntercept Collection encrypted = new HashSet(); // - // Prefetch all signature results + // Pre-fetch various results // List signedResults = new ArrayList(); WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN, signedResults); - - for (WSSecurityEngineResult wser : results) { - Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); - switch (actInt.intValue()) { - case WSConstants.SIGN: - List sl = CastUtils.cast((List)wser - .get(WSSecurityEngineResult.TAG_DATA_REF_URIS)); - if (sl != null) { - for (WSDataRef r : sl) { - signed.add(r); - } + for (WSSecurityEngineResult result : signedResults) { + List sl = + CastUtils.cast((List)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS)); + if (sl != null) { + for (WSDataRef r : sl) { + signed.add(r); } - break; - case WSConstants.ENCR: - List el = CastUtils.cast((List)wser - .get(WSSecurityEngineResult.TAG_DATA_REF_URIS)); - if (el != null) { - for (WSDataRef r : el) { - encrypted.add(r); - } - } - break; - case WSConstants.UT: - case WSConstants.UT_NOPASSWORD: - if (utWithCallbacks) { - UsernameTokenPolicyValidator utValidator = - new UsernameTokenPolicyValidator(msg); - utValidator.validatePolicy(aim, wser); - } else { - Collection ais = aim.get(SP12Constants.USERNAME_TOKEN); - if (ais != null) { - for (AssertionInfo ai : ais) { - ai.setAsserted(true); - } - } + } + } + + List encryptResults = new ArrayList(); + WSSecurityUtil.fetchAllActionResults(results, WSConstants.ENCR, encryptResults); + for (WSSecurityEngineResult result : encryptResults) { + List sl = + CastUtils.cast((List)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS)); + if (sl != null) { + for (WSDataRef r : sl) { + encrypted.add(r); } - break; - case WSConstants.ST_SIGNED: - case WSConstants.ST_UNSIGNED: - SamlTokenPolicyValidator validator = - new SamlTokenPolicyValidator(soapBody, signedResults, msg); - validator.validatePolicy(aim, wser); - break; - case 
WSConstants.SC: - assertPolicy(aim, SP12Constants.WSS11); - break; - default: - //System.out.println(actInt); - } + } + } + + /* + WSSecurityEngineResult tsResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS); + Element timestamp = null; + if (tsResult != null) { + Timestamp ts = (Timestamp)tsResult.get(WSSecurityEngineResult.TAG_TIMESTAMP); + timestamp = ts.getElement(); } + */ + // + // Check policies + // + checkSignedEncryptedCoverage(aim, msg, soapHeader, soapBody, signed, encrypted); + + checkTokenCoverage(aim, msg, soapBody, results, signedResults, utWithCallbacks); + + checkBindingCoverage(aim, msg, results, signedResults); + + checkSupportingTokenCoverage(aim, msg, results, signedResults, utWithCallbacks); + + // The supporting tokens are already validated + assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS); + + // relatively irrelevant stuff from a verification standpoint + assertPolicy(aim, SP12Constants.LAYOUT); + assertPolicy(aim, SP12Constants.WSS10); + assertPolicy(aim, SP12Constants.TRUST_13); + assertPolicy(aim, SP11Constants.TRUST_10); + + super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks); + } + + /** + * Check SignedParts, EncryptedParts, SignedElements, EncryptedElements, RequiredParts, etc. + */ + private void checkSignedEncryptedCoverage( + AssertionInfoMap aim, + SoapMessage msg, + Element soapHeader, + Element soapBody, + Collection signed, + Collection encrypted + ) throws SOAPException { CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encrypted); // 
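Review bot: The commented-out timestamp block (`/* WSSecurityEngineResult tsResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS); ... */`) left in the new doResults body is dead code; either drop it or replace it with a short `// TODO: timestamp results are not checked here yet` so the intent is not lost. The two loops that copy TAG_DATA_REF_URIS from signedResults into `signed` and from encryptResults into `encrypted` differ only in the target collection; a small private helper taking `(List results, Collection target)` would remove the duplication. doResults begins before this hunk, and checkSignedEncryptedCoverage continues past it.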
@@ -542,62 +498,118 @@ public class PolicyBasedWSS4JInIntercept CoverageType.ENCRYPTED, CoverageScope.CONTENT); assertHeadersExists(aim, msg, soapHeader); + } + + /** + * Check the token coverage + */ + private void checkTokenCoverage( + AssertionInfoMap aim, + SoapMessage msg, + Element soapBody, + List results, + List signedResults, + boolean utWithCallbacks + ) { + List utResults = new ArrayList(); + WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, utResults); + WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, utResults); + + List samlResults = new ArrayList(); + WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults); + WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults); X509TokenPolicyValidator x509Validator = new X509TokenPolicyValidator(msg, results); x509Validator.validatePolicy(aim); + if (utWithCallbacks) { + UsernameTokenPolicyValidator utValidator = + new UsernameTokenPolicyValidator(msg, results); + utValidator.validatePolicy(aim); + } else { + Collection ais = aim.get(SP12Constants.USERNAME_TOKEN); + if (ais != null) { + for (AssertionInfo ai : ais) { + ai.setAsserted(true); + } + } + } + + SamlTokenPolicyValidator samlValidator = + new SamlTokenPolicyValidator(soapBody, signedResults, msg, results); + samlValidator.validatePolicy(aim); + + SecurityContextTokenPolicyValidator sctValidator = + new SecurityContextTokenPolicyValidator(msg, results); + sctValidator.validatePolicy(aim); + + WSS11PolicyValidator wss11Validator = new WSS11PolicyValidator(msg, results); + wss11Validator.validatePolicy(aim); + } + + /** + * Check the binding coverage + */ + private void checkBindingCoverage( + AssertionInfoMap aim, + SoapMessage msg, + List results, + List signedResults + ) { TransportBindingPolicyValidator transportValidator = new TransportBindingPolicyValidator(msg, results, signedResults); transportValidator.validatePolicy(aim); - + 
SymmetricBindingPolicyValidator symmetricValidator = new SymmetricBindingPolicyValidator(msg, results, signedResults); symmetricValidator.validatePolicy(aim); - + AsymmetricBindingPolicyValidator asymmetricValidator = new AsymmetricBindingPolicyValidator(msg, results, signedResults); asymmetricValidator.validatePolicy(aim); - - SecurityContextTokenPolicyValidator sctValidator = - new SecurityContextTokenPolicyValidator(msg, results); - sctValidator.validatePolicy(aim); - + } + + /** + * Check the supporting token coverage + */ + private void checkSupportingTokenCoverage( + AssertionInfoMap aim, + SoapMessage msg, + List results, + List signedResults, + boolean utWithCallbacks + ) { SignedTokenPolicyValidator suppValidator = new SignedTokenPolicyValidator(msg, results, signedResults); suppValidator.setValidateUsernameToken(utWithCallbacks); suppValidator.validatePolicy(aim); - + EndorsingTokenPolicyValidator endorsingValidator = new EndorsingTokenPolicyValidator(msg, results, signedResults); endorsingValidator.validatePolicy(aim); - + SignedEndorsingTokenPolicyValidator signedEdorsingValidator = new SignedEndorsingTokenPolicyValidator(msg, results, signedResults); signedEdorsingValidator.validatePolicy(aim); - + SignedEncryptedTokenPolicyValidator signedEncryptedValidator = new SignedEncryptedTokenPolicyValidator(msg, results, signedResults); signedEncryptedValidator.setValidateUsernameToken(utWithCallbacks); signedEncryptedValidator.validatePolicy(aim); - + EncryptedTokenPolicyValidator encryptedValidator = new EncryptedTokenPolicyValidator(msg, results, signedResults); encryptedValidator.setValidateUsernameToken(utWithCallbacks); encryptedValidator.validatePolicy(aim); - + EndorsingEncryptedTokenPolicyValidator endorsingEncryptedValidator = new EndorsingEncryptedTokenPolicyValidator(msg, results, signedResults); endorsingEncryptedValidator.setValidateUsernameToken(utWithCallbacks); endorsingEncryptedValidator.validatePolicy(aim); - + 
SignedEndorsingEncryptedTokenPolicyValidator signedEndorsingEncryptedValidator = new SignedEndorsingEncryptedTokenPolicyValidator(msg, results, signedResults); signedEndorsingEncryptedValidator.validatePolicy(aim); - - // The supporting tokens are already validated - assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS); - - super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks); } private void assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, Node header) Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1204467&r1=1204466&r2=1204467&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java Mon Nov 21 12:31:01 2011 @@ -20,6 +20,7 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators; import java.security.cert.Certificate; +import java.util.ArrayList; import java.util.Collection; import java.util.List; @@ -32,10 +33,12 @@ import org.apache.cxf.ws.policy.Assertio import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.cxf.ws.security.policy.SP12Constants; import org.apache.cxf.ws.security.policy.model.SamlToken; +import org.apache.ws.security.WSConstants; import org.apache.ws.security.WSDataRef; import org.apache.ws.security.WSSecurityEngineResult; import org.apache.ws.security.saml.ext.AssertionWrapper; import org.apache.ws.security.saml.ext.OpenSAMLUtil; +import org.apache.ws.security.util.WSSecurityUtil; import org.opensaml.common.SAMLVersion; 
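Review bot: In checkTokenCoverage the `utResults` and `samlResults` lists are filled with fetchAllActionResults but never read, since UsernameTokenPolicyValidator and SamlTokenPolicyValidator now collect their own results from `results`. More importantly, the `else` branch that asserts every USERNAME_TOKEN assertion when `utWithCallbacks` is false now runs whether or not a UsernameToken was received, whereas the removed `switch` only reached that code for a UT or UT_NOPASSWORD result. Unless asserting without a token is intended for the no-callbacks path, guard it with the otherwise-unused list, `} else if (!utResults.isEmpty()) {`, and delete `samlResults`. The one-line Javadoc on checkTokenCoverage could also list the validators it runs, since that is the only place the order is visible.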
@@ -48,40 +51,49 @@ public class SamlTokenPolicyValidator ex private List signedResults; private Element soapBody; private Message message; + private List samlResults; public SamlTokenPolicyValidator( Element soapBody, List signedResults, - Message message + Message message, + List results ) { this.soapBody = soapBody; this.signedResults = signedResults; this.message = message; + samlResults = new ArrayList(); + WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults); + WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults); } public boolean validatePolicy( - AssertionInfoMap aim, - WSSecurityEngineResult wser + AssertionInfoMap aim ) { Collection samlAis = aim.get(SP12Constants.SAML_TOKEN); - if (samlAis != null && !samlAis.isEmpty()) { - for (AssertionInfo ai : samlAis) { + if (samlAis == null || samlAis.isEmpty()) { + return true; + } + + for (AssertionInfo ai : samlAis) { + SamlToken samlToken = (SamlToken)ai.getAssertion(); + ai.setAsserted(true); + + boolean tokenRequired = isTokenRequired(samlToken, message); + if (tokenRequired && samlResults.isEmpty()) { + ai.setNotAsserted( + "The received token does not match the token inclusion requirement" + ); + return false; + } + if (!tokenRequired) { + continue; + } + + for (WSSecurityEngineResult result : samlResults) { AssertionWrapper assertionWrapper = - (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); - SamlToken samlToken = (SamlToken)ai.getAssertion(); - ai.setAsserted(true); + (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); - boolean tokenRequired = isTokenRequired(samlToken, message); - if (tokenRequired && assertionWrapper == null) { - ai.setNotAsserted( - "The received token does not match the token inclusion requirement" - ); - return false; - } - if (!tokenRequired) { - continue; - } - if (!checkVersion(samlToken, assertionWrapper)) { ai.setNotAsserted("Wrong SAML Version"); return false; 
@@ -100,12 +112,13 @@ public class SamlTokenPolicyValidator ex return false; } /* - if (!checkIssuerName(samlToken, assertionWrapper)) { - ai.setNotAsserted("Wrong IssuerName"); - } - */ + if (!checkIssuerName(samlToken, assertionWrapper)) { + ai.setNotAsserted("Wrong IssuerName"); + } + */ } } + return true; } Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java?rev=1204467&r1=1204466&r2=1204467&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java Mon Nov 21 12:31:01 2011 @@ -19,14 +19,18 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators; +import java.util.ArrayList; import java.util.Collection; +import java.util.List; import org.apache.cxf.message.Message; import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.cxf.ws.security.policy.SP12Constants; +import org.apache.ws.security.WSConstants; import org.apache.ws.security.WSSecurityEngineResult; import org.apache.ws.security.message.token.UsernameToken; +import org.apache.ws.security.util.WSSecurityUtil; /** * Validate a WSSecurityEngineResult corresponding to the processing of a UsernameToken 
@@ -35,56 +39,71 @@ import org.apache.ws.security.message.to public class UsernameTokenPolicyValidator extends AbstractTokenPolicyValidator { private Message message; + private List utResults; public UsernameTokenPolicyValidator( - Message message + Message message, + List results ) { this.message = message; + utResults = new ArrayList(); + WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, utResults); + WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, utResults); } public boolean validatePolicy( - AssertionInfoMap aim, - WSSecurityEngineResult wser + AssertionInfoMap aim ) { Collection utAis = aim.get(SP12Constants.USERNAME_TOKEN); - if (utAis != null && !utAis.isEmpty()) { - for (AssertionInfo ai : utAis) { - UsernameToken usernameToken = - (UsernameToken)wser.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN); - org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy = - (org.apache.cxf.ws.security.policy.model.UsernameToken)ai.getAssertion(); - ai.setAsserted(true); - - boolean tokenRequired = isTokenRequired(usernameTokenPolicy, message); - if (tokenRequired && usernameToken == null) { - ai.setNotAsserted( - "The received token does not match the token inclusion requirement" - ); - return false; - } - if (!tokenRequired) { - continue; - } - - if (usernameTokenPolicy.isHashPassword() != usernameToken.isHashed()) { - ai.setNotAsserted("Password hashing policy not enforced"); - return false; - } - if (usernameTokenPolicy.isNoPassword() && usernameToken.getPassword() != null) { - ai.setNotAsserted("Username Token NoPassword policy not enforced"); - return false; - } - if (usernameTokenPolicy.isRequireCreated() - && (usernameToken.getCreated() == null || usernameToken.isHashed())) { - ai.setNotAsserted("Username Token Created policy not enforced"); - return false; - } - if (usernameTokenPolicy.isRequireNonce() - && (usernameToken.getNonce() == null || usernameToken.isHashed())) { - ai.setNotAsserted("Username Token 
Nonce policy not enforced"); - return false; - } + if (utAis == null || utAis.isEmpty()) { + return true; + } + + for (AssertionInfo ai : utAis) { + org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy = + (org.apache.cxf.ws.security.policy.model.UsernameToken)ai.getAssertion(); + ai.setAsserted(true); + + boolean tokenRequired = isTokenRequired(usernameTokenPolicy, message); + if (tokenRequired && utResults.isEmpty()) { + ai.setNotAsserted( + "The received token does not match the token inclusion requirement" + ); + return false; + } + + if (tokenRequired && !checkTokens(usernameTokenPolicy, ai)) { + return false; + } + } + return true; + } + + public boolean checkTokens( + org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy, + AssertionInfo ai + ) { + for (WSSecurityEngineResult result : utResults) { + UsernameToken usernameToken = + (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN); + if (usernameTokenPolicy.isHashPassword() != usernameToken.isHashed()) { + ai.setNotAsserted("Password hashing policy not enforced"); + return false; + } + if (usernameTokenPolicy.isNoPassword() && usernameToken.getPassword() != null) { + ai.setNotAsserted("Username Token NoPassword policy not enforced"); + return false; + } + if (usernameTokenPolicy.isRequireCreated() + && (usernameToken.getCreated() == null || usernameToken.isHashed())) { + ai.setNotAsserted("Username Token Created policy not enforced"); + return false; + } + if (usernameTokenPolicy.isRequireNonce() + && (usernameToken.getNonce() == null || usernameToken.isHashed())) { + ai.setNotAsserted("Username Token Nonce policy not enforced"); + return false; } } return true; Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java?rev=1204467&view=auto 
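Review bot: `checkTokens` is declared `public` but is only an implementation detail of validatePolicy, and it takes the policy-model UsernameToken plus an AssertionInfo, which widens the class's API for no external caller; declare it `private boolean checkTokens(...)`. Its contract also differs from the old single-result check and deserves a Javadoc line: every UsernameToken result collected in the constructor (UT and UT_NOPASSWORD) must satisfy the assertion, and the first violation marks it not asserted and returns false. checkTokens's closing brace and the rest of the class lie outside the hunk.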
============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java (added) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java Mon Nov 21 12:31:01 2011 
@@ -0,0 +1,79 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.Wss11;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+/**
+ * Validate a WSS11 policy.
+ */
+public class WSS11PolicyValidator {
+
+ private List scResults;
+ private Message message;
+
+ public WSS11PolicyValidator(
+ Message message,
+ List results
+ ) {
+ this.message = message;
+ scResults = new ArrayList();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.SC, scResults);
+ }
+
+ public boolean validatePolicy(
+ AssertionInfoMap aim
+ ) {
+ Collection ais = aim.get(SP12Constants.WSS11);
+ if (ais == null || ais.isEmpty()) {
+ return true;
+ }
+
+ for (AssertionInfo ai : ais) {
+ Wss11 wss11 = (Wss11)ai.getAssertion();
+ ai.setAsserted(true);
+
+ if (!MessageUtils.isRequestor(message)) {
+ continue;
+ }
+
+ if (wss11.isRequireSignatureConfirmation() && scResults.isEmpty()) {
+ ai.setNotAsserted(
+ "Signature Confirmation policy validation failed"
+ );
+ return false;
+ }
+ }
+ return true;
+ }
+
+}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java?rev=1204467&r1=1204466&r2=1204467&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java Mon Nov 21 12:31:01 2011
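Review bot: validatePolicy in WSS11PolicyValidator only tests that some SignatureConfirmation result was collected (`scResults.isEmpty()`), not that the confirmation values correspond to the signatures this side actually sent; if that matching is done earlier by the WSS4J SignatureConfirmation processor it should be stated here, otherwise a reader will take the presence check for the whole verification. The `isRequestor` guard also deserves a why-comment, e.g. `// SignatureConfirmation is produced by the responder and verified by the initiator, so only the requestor side checks it`. The constructor hands `results` straight to fetchAllActionResults without a null guard, and `scResults` and `message` are assigned once and could be `private final`. The class Javadoc could also say what validatePolicy returns and that it marks each AssertionInfo asserted or not-asserted as a side effect.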
@@ -59,26 +59,28 @@ public class X509TokenPolicyValidator ex
 AssertionInfoMap aim
 ) {
 Collection x509Ais = aim.get(SP12Constants.X509_TOKEN);
- if (x509Ais != null && !x509Ais.isEmpty()) {
- for (AssertionInfo ai : x509Ais) {
- X509Token x509TokenPolicy = (X509Token)ai.getAssertion();
- ai.setAsserted(true);
-
- if (!isTokenRequired(x509TokenPolicy, message)) {
- continue;
- }
-
- if (bstResults.isEmpty()) {
- ai.setNotAsserted(
- "The received token does not match the token inclusion requirement"
- );
- return false;
- }
-
- if (!checkTokenType(x509TokenPolicy.getTokenVersionAndType())) {
- ai.setNotAsserted("An incorrect X.509 Token Type is detected");
- return false;
- }
+ if (x509Ais == null || x509Ais.isEmpty()) {
+ return true;
+ }
+
+ for (AssertionInfo ai : x509Ais) {
+ X509Token x509TokenPolicy = (X509Token)ai.getAssertion();
+ ai.setAsserted(true);
+
+ if (!isTokenRequired(x509TokenPolicy, message)) {
+ continue;
+ }
+
+ if (bstResults.isEmpty()) {
+ ai.setNotAsserted(
+ "The received token does not match the token inclusion requirement"
+ );
+ return false;
+ }
+
+ if (!checkTokenType(x509TokenPolicy.getTokenVersionAndType())) {
+ ai.setNotAsserted("An incorrect X.509 Token Type is detected");
+ return false;
 }
 }
 return true;