cxf-commits mailing list archives

From cohei...@apache.org
Subject svn commit: r1245113 - in /cxf/branches/2.5.x-fixes/rt/ws/security: ./ src/main/java/org/apache/cxf/ws/security/policy/interceptors/ src/test/java/org/apache/cxf/ws/security/wss4j/ src/test/resources/org/apache/cxf/ws/security/wss4j/
Date Thu, 16 Feb 2012 18:21:22 GMT
Author: coheigea
Date: Thu Feb 16 18:21:21 2012
New Revision: 1245113

URL: http://svn.apache.org/viewvc?rev=1245113&view=rev
Log:
[CXF-4099] - SignedParts, EncryptedParts policy assertions are silently ignored on the client
side if specified alone
 - Patch applied, thanks.
 - I also added in SignedElements, EncryptedElements and ContentEncryptedElements.


Conflicts:

	rt/ws/security/pom.xml

Added:
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityVerificationOutTest.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/encrypted_parts_missing_binding.xml
    cxf/branches/2.5.x-fixes/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/signed_parts_missing_binding.xml
Modified:
    cxf/branches/2.5.x-fixes/rt/ws/security/pom.xml
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/pom.xml?rev=1245113&r1=1245112&r2=1245113&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/pom.xml (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/pom.xml Thu Feb 16 18:21:21 2012
@@ -137,7 +137,11 @@
             <version>${project.version}</version>
             <scope>test</scope>
         </dependency>
-
+        <dependency>
+            <groupId>org.easymock</groupId>
+            <artifactId>easymock</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

Added: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java?rev=1245113&view=auto
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
(added)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
Thu Feb 16 18:21:21 2012
@@ -0,0 +1,101 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.policy.interceptors;
+
+import java.util.Collection;
+import java.util.logging.Logger;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.policy.PolicyException;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+
+/**
+ * Interceptor verifies critical policy security assertions for client side
+ */
+public class SecurityVerificationOutInterceptor extends AbstractPhaseInterceptor<SoapMessage>
{
+    public static final SecurityVerificationOutInterceptor INSTANCE = 
+        new SecurityVerificationOutInterceptor();
+
+    private static final Logger LOG = LogUtils.getL7dLogger(SecurityVerificationOutInterceptor.class);
+
+    public SecurityVerificationOutInterceptor() {
+        super(Phase.PRE_LOGICAL);
+    }
+
+    /**
+     * Checks if some security assertions are specified without binding assertion and cannot
be fulfilled.
+     * Throw PolicyException in this case
+     * 
+     * @param message
+     * @throws PolicyException if assertions are specified without binding
+     */
+    public void handleMessage(SoapMessage message) throws Fault {
+        if (MessageUtils.isRequestor(message)) {
+            AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+            if (aim != null) {
+                Collection<AssertionInfo> aisTransport = aim.get(SP12Constants.TRANSPORT_BINDING);
+                Collection<AssertionInfo> aisAssymetric = aim.get(SP12Constants.ASYMMETRIC_BINDING);
+                Collection<AssertionInfo> aisSymetric = aim.get(SP12Constants.SYMMETRIC_BINDING);
+                if (((aisTransport == null) || aisTransport.isEmpty()) 
+                    && ((aisAssymetric == null) || aisAssymetric.isEmpty()) 
+                    && ((aisSymetric == null) || aisSymetric.isEmpty())) {
+                    
+                    Collection<AssertionInfo> aisSignedParts = aim.get(SP12Constants.SIGNED_PARTS);
+                    checkAssertion(aisSignedParts, SP12Constants.SIGNED_PARTS);
+                    Collection<AssertionInfo> aisSignedElements = aim.get(SP12Constants.SIGNED_ELEMENTS);
+                    checkAssertion(aisSignedElements, SP12Constants.SIGNED_ELEMENTS);
+                    
+                    Collection<AssertionInfo> aisEncryptedParts = aim.get(SP12Constants.ENCRYPTED_PARTS);
+                    checkAssertion(aisEncryptedParts, SP12Constants.ENCRYPTED_PARTS);
+                    Collection<AssertionInfo> aisEncryptedElements = 
+                        aim.get(SP12Constants.ENCRYPTED_ELEMENTS);
+                    checkAssertion(aisEncryptedElements, SP12Constants.ENCRYPTED_ELEMENTS);
+                    Collection<AssertionInfo> aisContentEncryptedElements = 
+                        aim.get(SP12Constants.CONTENT_ENCRYPTED_ELEMENTS);
+                    checkAssertion(aisContentEncryptedElements, SP12Constants.CONTENT_ENCRYPTED_ELEMENTS);
+                }
+            }
+        }
+    }
+
+    private void checkAssertion(Collection<AssertionInfo> ais, QName assertion) {
+        if ((ais != null) && (!ais.isEmpty())) {
+            String error = String
+                .format("%s assertion cannot be fulfilled without binding. "
+                        + "At least one binding assertion (%s, %s, %s) must be specified
in policy.",
+                        assertion.getLocalPart(), SP12Constants.TRANSPORT_BINDING.getLocalPart(),
+                        SP12Constants.ASYMMETRIC_BINDING.getLocalPart(),
+                        SP12Constants.SYMMETRIC_BINDING.getLocalPart());
+            AssertionInfo info = ais.iterator().next();
+            info.setNotAsserted(error);
+            LOG.severe(error);
+            throw new PolicyException(info);
+        }
+    }
+}
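Review bot: The `MessageUtils.isRequestor(message)` guard at the top of handleMessage limits this fail-closed check to client requests, so a provider-side outbound message whose policy carries SignedParts or EncryptedParts without a binding is not covered by it. Whether the response path can hit the same silent no-op is not visible in this hunk. If another component handles it, record that next to the guard, e.g. `// Requestor only: provider-side responses are verified by <component, to be named>`; otherwise consider dropping the guard. Separately, the Javadoc advertises `@throws PolicyException` while the signature declares `throws Fault`, `@param message` has no description, and handleMessage would benefit from `@Override`.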

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java?rev=1245113&r1=1245112&r2=1245113&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
Thu Feb 16 18:21:21 2012
@@ -72,5 +72,6 @@ public class WSSecurityPolicyInterceptor
 
     public WSSecurityPolicyInterceptorProvider() {
         super(ASSERTION_TYPES);
+        getOutInterceptors().add(SecurityVerificationOutInterceptor.INSTANCE);
     }
 }

Added: cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityVerificationOutTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityVerificationOutTest.java?rev=1245113&view=auto
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityVerificationOutTest.java
(added)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityVerificationOutTest.java
Thu Feb 16 18:21:21 2012
@@ -0,0 +1,88 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.wss4j;
+
+import java.io.IOException;
+
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.xml.sax.SAXException;
+
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.policy.PolicyException;
+import org.apache.cxf.ws.security.policy.interceptors.SecurityVerificationOutInterceptor;
+import org.apache.neethi.Policy;
+import org.easymock.EasyMock;
+import org.easymock.IMocksControl;
+import org.junit.Before;
+import org.junit.Test;
+
+public class SecurityVerificationOutTest extends AbstractPolicySecurityTest {
+    private IMocksControl control;
+    
+
+    @Before
+    public void setUp() {
+        control = EasyMock.createNiceControl();
+    } 
+    
+    @Test(expected = PolicyException.class)
+    public void testEncryptedPartsNoBinding() throws Exception {
+        SoapMessage message = coachMessage("encrypted_parts_missing_binding.xml");
+        control.replay();
+        SecurityVerificationOutInterceptor.INSTANCE.handleMessage(message);
+        control.verify();    
+    }
+
+    @Test(expected = PolicyException.class)
+    public void testSignedPartsNoBinding() throws Exception {
+        SoapMessage message = coachMessage("signed_parts_missing_binding.xml");
+        control.replay();
+        SecurityVerificationOutInterceptor.INSTANCE.handleMessage(message);
+        control.verify();    
+    }
+
+    @Test
+    public void testEncryptedPartsOK() throws Exception {
+        SoapMessage message = coachMessage("encrypted_parts_policy_body.xml");
+        control.replay();
+        SecurityVerificationOutInterceptor.INSTANCE.handleMessage(message);
+        control.verify();    
+    }
+
+    @Test
+    public void testSignedPartsOK() throws Exception {
+        SoapMessage message = coachMessage("signed_parts_policy_body.xml");
+        control.replay();
+        SecurityVerificationOutInterceptor.INSTANCE.handleMessage(message);
+        control.verify();    
+    }
+
+    private SoapMessage coachMessage(String policyName) 
+        throws IOException, ParserConfigurationException, SAXException {
+        Policy policy = policyBuilder.getPolicy(this.getResourceAsStream(policyName)); 
+        AssertionInfoMap aim = new AssertionInfoMap(policy);
+        SoapMessage message = control.createMock(SoapMessage.class);        
+        EasyMock.expect(message.get(Message.REQUESTOR_ROLE)).andReturn(Boolean.TRUE);
+        EasyMock.expect(message.get(AssertionInfoMap.class)).andReturn(aim);
+        return message;
+    }
+}
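Review bot: The two negative tests only expect some PolicyException, not which assertion was rejected, and the SignedElements, EncryptedElements and ContentEncryptedElements checks added in this commit have no test at all. Removing one of the `checkAssertion` calls in the interceptor, or pointing a test at the wrong fixture, would leave this suite green. Add one missing-binding fixture and test per assertion type (for example `testSignedElementsNoBinding`), and check that the failed AssertionInfo is the expected one rather than relying on the exception type alone. `control.verify();` after handleMessage is unreachable in the `expected = PolicyException.class` tests and can be dropped there.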

Added: cxf/branches/2.5.x-fixes/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/encrypted_parts_missing_binding.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/encrypted_parts_missing_binding.xml?rev=1245113&view=auto
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/encrypted_parts_missing_binding.xml
(added)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/encrypted_parts_missing_binding.xml
Thu Feb 16 18:21:21 2012
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<wsp:Policy 
+    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
+    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+  <wsp:ExactlyOne>
+    <wsp:All>
+      <sp:SignedParts>
+        <sp:Body/>
+      </sp:SignedParts>  
+    </wsp:All>
+  </wsp:ExactlyOne>
+</wsp:Policy>
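Review bot: The fixture contents look swapped with their file names: this file, encrypted_parts_missing_binding.xml, declares `<sp:SignedParts>`, while signed_parts_missing_binding.xml in the next hunk declares `<sp:EncryptedParts>`. Both tests still pass because either assertion without a binding raises PolicyException, so testEncryptedPartsNoBinding actually exercises the SignedParts branch and testSignedPartsNoBinding the EncryptedParts branch. Exchanging the two bodies, so that this file holds `<sp:EncryptedParts><sp:Body/></sp:EncryptedParts>`, makes each test cover the check its name claims.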

Added: cxf/branches/2.5.x-fixes/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/signed_parts_missing_binding.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/signed_parts_missing_binding.xml?rev=1245113&view=auto
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/signed_parts_missing_binding.xml
(added)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/signed_parts_missing_binding.xml
Thu Feb 16 18:21:21 2012
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<wsp:Policy 
+    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
+    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+  <wsp:ExactlyOne>
+    <wsp:All>
+      <sp:EncryptedParts>
+        <sp:Body/>
+      </sp:EncryptedParts>  
+    </wsp:All>
+  </wsp:ExactlyOne>
+</wsp:Policy>


