From ff...@apache.org
Subject svn commit: r1291176 - in /cxf/branches/2.5.x-fixes: ./ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/pol...
Date Mon, 20 Feb 2012 10:10:22 GMT
Author: ffang
Date: Mon Feb 20 10:10:21 2012
New Revision: 1291176

URL: http://svn.apache.org/viewvc?rev=1291176&view=rev
Log:
Merged revisions 1291166-1291167 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r1291166 | ffang | 2012-02-20 17:51:20 +0800 (一, 20  2 2012) | 1 line
  
  [CXF-4119]support Certificates revocation check before encrypt when use CXF WS-SecurityPolicy
........
  r1291167 | ffang | 2012-02-20 18:01:32 +0800 (一, 20  2 2012) | 1 line
  
  [CXF-4119]support Certificates revocation check before encrypt when use CXF WS-SecurityPolicy
........

Added:
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
      - copied unchanged from r1291167, cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks
      - copied unchanged from r1291167, cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
      - copied unchanged from r1291167, cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks
      - copied unchanged from r1291167, cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks
Modified:
    cxf/branches/2.5.x-fixes/   (props changed)
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl

Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
Mon Feb 20 10:10:21 2012
@@ -386,6 +386,8 @@ public abstract class SPConstants {
     
     public static final String MUST_SUPPORT_ISSUED_TOKENS = "MustSupportIssuedTokens";
     
+    public static final String ENABLE_REVOCATION = "EnableRevocation";
+    
     public static final String REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION 
         = "RequireRequestSecurityTokenCollection";
     

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
Mon Feb 20 10:10:21 2012
@@ -65,6 +65,8 @@ public class WSS10Builder implements Ass
                     parent.setMustSupportRefExternalURI(true);
                 } else if (SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN.equals(name)) {
                     parent.setMustSupportRefEmbeddedToken(true);
+                } else if (SPConstants.ENABLE_REVOCATION.equals(name)) {
+                    parent.setEnableRevocation(true);
                 }
                 child = DOMUtils.getNextElement(child);
             }

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
Mon Feb 20 10:10:21 2012
@@ -75,6 +75,8 @@ public class WSS11Builder implements Ass
     
                 } else if (SPConstants.REQUIRE_SIGNATURE_CONFIRMATION.equals(name)) {
                     parent.setRequireSignatureConfirmation(true);
+                } else if (SPConstants.ENABLE_REVOCATION.equals(name)) {
+                    parent.setEnableRevocation(true);
                 }
                 child = DOMUtils.getNextElement(child);
             }

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
Mon Feb 20 10:10:21 2012
@@ -31,6 +31,7 @@ public class Wss10 extends AbstractSecur
     private boolean mustSupportRefIssuerSerial;
     private boolean mustSupportRefExternalURI;
     private boolean mustSupportRefEmbeddedToken;
+    private boolean enableRevocation;
 
     public Wss10(SPConstants version) {
         super(version);
@@ -91,6 +92,20 @@ public class Wss10 extends AbstractSecur
     public void setMustSupportRefKeyIdentifier(boolean mustSupportRefKeyIdentifier) {
         this.mustSupportRefKeyIdentifier = mustSupportRefKeyIdentifier;
     }
+    
+    /**
+     * @return Returns the enableRevocation.
+     */
+    public boolean isEnableRevocation() {
+        return enableRevocation;
+    }
+
+    /**
+     * @param enableRevocation The enableRevocation to set.
+     */
+    public void setEnableRevocation(boolean enableRevocation) {
+        this.enableRevocation = enableRevocation;
+    }
 
     public QName getRealName() {
         return constants.getWSS10();
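Review bot: The Javadoc added for isEnableRevocation/setEnableRevocation only restates the field name and leaves out what the flag actually does; AbstractBindingBuilder reads it to run a trust-and-revocation check on the encryption certificate before encrypting, so a reader of the policy model has no way to learn that here. I would replace the getter comment with something like `/** @return whether the encryption certificate must pass a certificate-path and revocation (CRL) check before it is used; corresponds to the {@code <sp:EnableRevocation/>} assertion. */`. It is also worth stating in that comment that, as far as I know, EnableRevocation is a CXF extension rather than an assertion defined by WS-SecurityPolicy, even though the serializer in the following hunk (and the matching one in Wss11) writes it into the sp namespace via `namespaceURI`; the empty line before the closing brace of that `if` block in both serializers is a style nit.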
@@ -150,6 +165,13 @@ public class Wss10 extends AbstractSecur
             writer.writeEndElement();
 
         }
+        
+        if (isEnableRevocation()) {
+            // <sp:EnableRevocation />
+            writer.writeStartElement(prefix, SPConstants.ENABLE_REVOCATION, namespaceURI);
+            writer.writeEndElement();
+
+        }
 
         // </wsp:Policy>
         writer.writeEndElement();

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
Mon Feb 20 10:10:21 2012
@@ -151,6 +151,13 @@ public class Wss11 extends Wss10 {
             writer.writeStartElement(prefix, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION,
namespaceURI);
             writer.writeEndElement();
         }
+        
+        if (isEnableRevocation()) {
+            // <sp:EnableRevocation />
+            writer.writeStartElement(prefix, SPConstants.ENABLE_REVOCATION, namespaceURI);
+            writer.writeEndElement();
+
+        }
 
         // </wsp:Policy>
         writer.writeEndElement();

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Mon Feb 20 10:10:21 2012
@@ -108,6 +108,7 @@ import org.apache.ws.security.WSSecurity
 import org.apache.ws.security.WSUsernameTokenPrincipal;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.components.crypto.CryptoType;
 import org.apache.ws.security.conversation.ConversationConstants;
 import org.apache.ws.security.conversation.ConversationException;
 import org.apache.ws.security.handler.WSHandlerConstants;
@@ -1371,9 +1372,31 @@ public abstract class AbstractBindingBui
 
 
     public Crypto getEncryptionCrypto(TokenWrapper wrapper) throws WSSecurityException {
-        return getCrypto(wrapper, 
-                         SecurityConstants.ENCRYPT_CRYPTO,
-                         SecurityConstants.ENCRYPT_PROPERTIES);
+        Crypto crypto = getCrypto(wrapper, SecurityConstants.ENCRYPT_CRYPTO,
+                                  SecurityConstants.ENCRYPT_PROPERTIES);
+        Wss10 wss10 = getWss10();
+        if (wss10 == null) {
+            return crypto;
+        }
+        boolean enableRevocation = wss10.isEnableRevocation();
+        if (enableRevocation && crypto != null) {
+            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+            String encrUser = (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
+            if (crypto != null && encrUser == null) {
+                try {
+                    encrUser = crypto.getDefaultX509Identifier();
+                } catch (WSSecurityException e1) {
+                    throw new Fault(e1);
+                }
+            }
+            cryptoType.setAlias(encrUser);
+            X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
+            if (certs != null && certs.length > 0) {
+                crypto.verifyTrust(certs, enableRevocation);
+            }
+        }
+        return crypto;
+
     }
     
     public Crypto getCrypto(
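Review bot: The value returned by `crypto.verifyTrust(certs, enableRevocation)` is discarded; in the WSS4J 1.6 line this method returns a boolean, so a Crypto implementation that reports an untrusted or revoked path by returning false rather than throwing would let getEncryptionCrypto hand back the crypto and encryption proceed as if the check had passed. Since the method already declares `throws WSSecurityException`, the call should be `if (!crypto.verifyTrust(certs, true)) { throw new WSSecurityException(WSSecurityException.FAILURE); }` — `true` because `enableRevocation` is known to be true inside that branch. The inner `crypto != null &&` on the encrUser line is redundant with the enclosing guard, and wrapping only the getDefaultX509Identifier failure in a Fault while getX509Certificates and verifyTrust propagate WSSecurityException directly gives callers two different failure types for the same feature; letting that exception propagate too would be consistent. Worth a comment on the method that the check only covers the encryption certificate that the alias resolves to, and is silently skipped when no certificate is found for it.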

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
Mon Feb 20 10:10:21 2012
@@ -39,6 +39,7 @@ public class KeystorePasswordCallback im
     public KeystorePasswordCallback() {
         passwords.put("alice", "password");
         passwords.put("bob", "password");
+        passwords.put("wss40rev", "security");
     }
 
     /**

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
Mon Feb 20 10:10:21 2012
@@ -489,4 +489,42 @@ public class SecurityPolicyTest extends 
         di.setNumberToDouble(5);
         assertEquals(10, pt.doubleIt(di, 1).getDoubledNumber());
     }
+    
+    @Test
+    public void testCXF4119() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+
+        Bus bus = bf.createBus();
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL wsdl = SecurityPolicyTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        
+        DoubleItPortTypeHeader pt;
+
+        QName portQName = new QName(NAMESPACE, "DoubleItPortCXF4119");
+        pt = service.getPort(portQName, DoubleItPortTypeHeader.class);
+        
+        updateAddressPort(pt, PORT);
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,

+                                                      new KeystorePasswordCallback());
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+                                                      getClass().getResource("alice.properties"));
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,

+                                                      getClass().getResource("revocation.properties"));
+        
+        DoubleIt di = new DoubleIt();
+        di.setNumberToDouble(5);
+        try {
+            pt.doubleIt(di, 1);
+            fail("Failure expected on a revoked certificate");
+        } catch (Exception ex) {
+            String errorMessage = ex.getMessage();
+            // Different errors using different JDKs...
+            assertTrue(errorMessage.contains("Certificate has been revoked")
+                       || errorMessage.contains("Certificate revocation")
+                       || errorMessage.contains("Error during certificate path validation"));
+        }
+    }
 }
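Review bot: In testCXF4119 `ex.getMessage()` can be null for a wrapped failure, in which case `errorMessage.contains(...)` throws a NullPointerException inside the catch block and the test fails with an unrelated error instead of the intended assertion; `String errorMessage = String.valueOf(ex.getMessage());` or an `assertNotNull` first keeps the failure readable. The broad `catch (Exception ex)` combined with JDK-specific message matching (acknowledged in the comment) means any unrelated client-side exception whose message happens to contain "Certificate revocation" would also pass, so asserting on the exception type where possible would tighten it. As far as this hunk shows there is no companion test that a non-revoked certificate still succeeds under a policy with EnableRevocation, which is the case that would catch the check being too strict. The bus created at the top of the test is not shut down at the end, unlike what a try/finally with `bus.shutdown(true)` would do.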

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
Mon Feb 20 10:10:21 2012
@@ -205,6 +205,24 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItBindingCXF4119" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#CXF4119" />
+        <soap:binding style="document"
+          transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
+
 
 
     <wsdl:service name="DoubleItService">
@@ -241,6 +259,9 @@
         <wsdl:port name="DoubleItPortCXF3452" binding="tns:DoubleItBindingCXF3452">
             <soap:address location="http://localhost:9010/SecPolTestCXF3452" />
         </wsdl:port>
+        <wsdl:port name="DoubleItPortCXF4119" binding="tns:DoubleItBindingCXF4119">
+            <soap:address location="http://localhost:9010/SecPolTestCXF4119" />
+        </wsdl:port>
     </wsdl:service>
 
     <wsp:Policy wsu:Id="DoubleItBindingPolicy">
@@ -785,5 +806,63 @@
             <sp:Header Namespace="http://cxf.apache.org/policytest/DoubleIt"/>
         </sp:SignedParts>
     </wsp:Policy>
-
+    <wsp:Policy wsu:Id="CXF4119">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:AsymmetricBinding
+                  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+                    <wsp:Policy>
+                        <sp:InitiatorToken>
+                            <wsp:Policy>
+                                <sp:X509Token
+                                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
+                                    <wsp:Policy>
+                                        <sp:WssX509V1Token11 />
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:InitiatorToken>
+                        <sp:RecipientToken>
+                            <wsp:Policy>
+                                <sp:X509Token
+                                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
+                                    <wsp:Policy>
+                                        <sp:WssX509V1Token11 />
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:RecipientToken>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:TripleDesRsa15 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                        <sp:EncryptSignature />
+                        <sp:OnlySignEntireHeadersAndBody />
+                        <sp:EncryptBeforeSigning />
+                    </wsp:Policy>
+                </sp:AsymmetricBinding>
+                <sp:SignedParts
+                  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+                    <sp:Body />
+                </sp:SignedParts>
+                <sp:EncryptedParts
+                  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+                    <sp:Body />
+                </sp:EncryptedParts>
+                <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+                    <wsp:Policy>
+                        <sp:MustSupportRefIssuerSerial />
+                        <sp:EnableRevocation/>
+                    </wsp:Policy>
+                </sp:Wss10>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
 </wsdl:definitions>


