cxf-commits mailing list archives

From ff...@apache.org
Subject svn commit: r1291599 - in /cxf/branches/2.4.x-fixes: ./ rt/ws/security/src/main/java/org/apache/cxf/ws/security/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/ rt...
Date Tue, 21 Feb 2012 05:10:10 GMT
Author: ffang
Date: Tue Feb 21 05:10:10 2012
New Revision: 1291599

URL: http://svn.apache.org/viewvc?rev=1291599&view=rev
Log:
Merged revisions 1291176-1291191,1291193-1291218,1291220-1291591 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/branches/2.5.x-fixes

................
  r1291176 | ffang | 2012-02-20 18:10:21 +0800 (一, 20  2 2012) | 13 lines
  
  Merged revisions 1291166-1291167 via svnmerge from 
  https://svn.apache.org/repos/asf/cxf/trunk
  
  ........
    r1291166 | ffang | 2012-02-20 17:51:20 +0800 (一, 20  2 2012) | 1 line
    
    [CXF-4119]support Certificates revocation check before encrypt when use CXF WS-SecurityPolicy
  ........
    r1291167 | ffang | 2012-02-20 18:01:32 +0800 (一, 20  2 2012) | 1 line
    
    [CXF-4119]support Certificates revocation check before encrypt when use CXF WS-SecurityPolicy
  ........
................
  r1291591 | ffang | 2012-02-21 12:43:56 +0800 (二, 21  2 2012) | 9 lines
  
  Merged revisions 1291583 via svnmerge from 
  https://svn.apache.org/repos/asf/cxf/trunk
  
  ........
    r1291583 | ffang | 2012-02-21 11:54:59 +0800 (二, 21  2 2012) | 1 line
    
    [CXF-4119]use jaxws property to configure enableRevocation
  ........
................

Added:
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
      - copied unchanged from r1291176, cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks
      - copied unchanged from r1291176, cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
      - copied unchanged from r1291176, cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks
      - copied unchanged from r1291176, cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks
Modified:
    cxf/branches/2.4.x-fixes/   (props changed)
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl

Propchange: cxf/branches/2.4.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1291599&r1=1291598&r2=1291599&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Tue Feb 21 05:10:10 2012
@@ -60,6 +60,8 @@ public final class SecurityConstants {
     
     public static final String TIMESTAMP_TTL = "ws-security.timestamp.timeToLive";
     
+    public static final String ENABLE_REVOCATION = "ws-security.enableRevocation";
+    
     //WebLogic and WCF always encrypt UsernameTokens whenever possible
     //See:  http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html
     //Be default, we will encrypt as well for interop reasons.  However, this
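Review bot: the new public constant ENABLE_REVOCATION at line 63 has no doc comment saying what it controls, what value it expects or what the default is, although it is the contextual property users are expected to set (the log message says "use jaxws property to configure enableRevocation"); add a Javadoc line above it stating that a value of "true" makes the encryption Crypto verify the trust chain and revocation status of the recipient certificate before it is used, and that it defaults to off.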

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1291599&r1=1291598&r2=1291599&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
Tue Feb 21 05:10:10 2012
@@ -386,6 +386,7 @@ public abstract class SPConstants {
     
     public static final String MUST_SUPPORT_ISSUED_TOKENS = "MustSupportIssuedTokens";
     
+       
     public static final String REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION 
         = "RequireRequestSecurityTokenCollection";
     
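Review bot: whitespace-only change at line 389 of SPConstants.java, a line consisting of trailing spaces with no functional effect; drop it from the merge so the 2.4.x branch does not pick up whitespace noise that will reappear in every later diff against trunk.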

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java?rev=1291599&r1=1291598&r2=1291599&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
Tue Feb 21 05:10:10 2012
@@ -65,7 +65,7 @@ public class WSS10Builder implements Ass
                     parent.setMustSupportRefExternalURI(true);
                 } else if (SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN.equals(name)) {
                     parent.setMustSupportRefEmbeddedToken(true);
-                }
+                } 
                 child = DOMUtils.getNextElement(child);
             }
         }
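Review bot: the only change in this hunk is trailing whitespace added after the closing brace (`} ` replacing `}`), with no functional effect; revert it, since it will show up as a spurious difference between this branch and 2.5.x/trunk.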

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java?rev=1291599&r1=1291598&r2=1291599&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
Tue Feb 21 05:10:10 2012
@@ -75,7 +75,7 @@ public class WSS11Builder implements Ass
     
                 } else if (SPConstants.REQUIRE_SIGNATURE_CONFIRMATION.equals(name)) {
                     parent.setRequireSignatureConfirmation(true);
-                }
+                } 
                 child = DOMUtils.getNextElement(child);
             }
         }
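Review bot: same whitespace-only change as in WSS10Builder, a trailing space after the closing brace; revert it.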

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java?rev=1291599&r1=1291598&r2=1291599&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
Tue Feb 21 05:10:10 2012
@@ -91,7 +91,8 @@ public class Wss10 extends AbstractSecur
     public void setMustSupportRefKeyIdentifier(boolean mustSupportRefKeyIdentifier) {
         this.mustSupportRefKeyIdentifier = mustSupportRefKeyIdentifier;
     }
-
+    
+        
     public QName getRealName() {
         return constants.getWSS10();
     }
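Review bot: the single blank line between setMustSupportRefKeyIdentifier and getRealName is replaced by two lines of trailing spaces; keep one empty line with no trailing whitespace. The second hunk in this file does the same thing before the `// </wsp:Policy>` comment and should be reverted in the same way.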
@@ -150,7 +151,8 @@ public class Wss10 extends AbstractSecur
             writer.writeEndElement();
 
         }
-
+        
+        
         // </wsp:Policy>
         writer.writeEndElement();
 

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java?rev=1291599&r1=1291598&r2=1291599&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
Tue Feb 21 05:10:10 2012
@@ -151,7 +151,8 @@ public class Wss11 extends Wss10 {
             writer.writeStartElement(prefix, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION,
namespaceURI);
             writer.writeEndElement();
         }
-
+        
+        
         // </wsp:Policy>
         writer.writeEndElement();
 
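Review bot: whitespace-only change in Wss11.writeTo as well, two lines of trailing spaces replacing one empty line; revert so the file stays identical to its pre-merge form.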

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1291599&r1=1291598&r2=1291599&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Tue Feb 21 05:10:10 2012
@@ -109,6 +109,7 @@ import org.apache.ws.security.WSSecurity
 import org.apache.ws.security.WSUsernameTokenPrincipal;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.components.crypto.CryptoType;
 import org.apache.ws.security.conversation.ConversationConstants;
 import org.apache.ws.security.conversation.ConversationException;
 import org.apache.ws.security.handler.WSHandlerConstants;
@@ -1394,9 +1395,28 @@ public abstract class AbstractBindingBui
 
 
     public Crypto getEncryptionCrypto(TokenWrapper wrapper) throws WSSecurityException {
-        return getCrypto(wrapper, 
-                         SecurityConstants.ENCRYPT_CRYPTO,
-                         SecurityConstants.ENCRYPT_PROPERTIES);
+        Crypto crypto = getCrypto(wrapper, SecurityConstants.ENCRYPT_CRYPTO,
+                                  SecurityConstants.ENCRYPT_PROPERTIES);
+        boolean enableRevocation = MessageUtils.isTrue(
+                                       message.getContextualProperty(SecurityConstants.ENABLE_REVOCATION));
+        if (enableRevocation && crypto != null) {
+            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+            String encrUser = (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
+            if (crypto != null && encrUser == null) {
+                try {
+                    encrUser = crypto.getDefaultX509Identifier();
+                } catch (WSSecurityException e1) {
+                    throw new Fault(e1);
+                }
+            }
+            cryptoType.setAlias(encrUser);
+            X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
+            if (certs != null && certs.length > 0) {
+                crypto.verifyTrust(certs, enableRevocation);
+            }
+        }
+        return crypto;
+
     }
     
     public Crypto getCrypto(
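Review bot: when the alias resolves to no certificate (`certs == null || certs.length == 0`), the revocation check is silently skipped and the Crypto is returned as if it had been verified; with ws-security.enableRevocation set to true this should fail closed, so throw a WSSecurityException there instead of falling through to `return crypto`. Two smaller points in the same block: the inner `crypto != null` test on the `encrUser == null` line is redundant because the enclosing `if` already established it, and wrapping the WSSecurityException from `getDefaultX509Identifier()` in a Fault is inconsistent both with the method's own `throws WSSecurityException` and with the calls to `getX509Certificates` and `verifyTrust` two lines later, which are left unwrapped; let all three propagate the same way. Also drop the stray blank line added before the closing brace.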

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java?rev=1291599&r1=1291598&r2=1291599&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
Tue Feb 21 05:10:10 2012
@@ -39,6 +39,7 @@ public class KeystorePasswordCallback im
     public KeystorePasswordCallback() {
         passwords.put("alice", "password");
         passwords.put("bob", "password");
+        passwords.put("wss40rev", "security");
     }
 
     /**

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=1291599&r1=1291598&r2=1291599&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
Tue Feb 21 05:10:10 2012
@@ -489,4 +489,44 @@ public class SecurityPolicyTest extends 
         di.setNumberToDouble(5);
         assertEquals(10, pt.doubleIt(di, 1).getDoubledNumber());
     }
+    
+    @Test
+    public void testCXF4119() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+
+        Bus bus = bf.createBus();
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL wsdl = SecurityPolicyTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        
+        DoubleItPortTypeHeader pt;
+
+        QName portQName = new QName(NAMESPACE, "DoubleItPortCXF4119");
+        pt = service.getPort(portQName, DoubleItPortTypeHeader.class);
+        
+        updateAddressPort(pt, PORT);
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,

+                                                      new KeystorePasswordCallback());
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+                                                      getClass().getResource("alice.properties"));
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,

+                                                      getClass().getResource("revocation.properties"));
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENABLE_REVOCATION,

+                                                      "true");
+        
+        DoubleIt di = new DoubleIt();
+        di.setNumberToDouble(5);
+        try {
+            pt.doubleIt(di, 1);
+            fail("Failure expected on a revoked certificate");
+        } catch (Exception ex) {
+            String errorMessage = ex.getMessage();
+            // Different errors using different JDKs...
+            assertTrue(errorMessage.contains("Certificate has been revoked")
+                       || errorMessage.contains("Certificate revocation")
+                       || errorMessage.contains("Error during certificate path validation"));
+        }
+    }
 }
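Review bot: the assertion on the exception message is tied to JDK-specific PKIX wording (three alternatives already, as the `// Different errors using different JDKs...` comment concedes), so it will break again on the next JDK; assert on the exception type raised by the WS-Security layer, or walk the cause chain for a java.security.cert.CertPathValidatorException, rather than on message text. There is also no companion positive test showing that a non-revoked identity (alice or bob from the same KeystorePasswordCallback) still encrypts successfully with ws-security.enableRevocation set to "true", which is what demonstrates that the new flag does not break the happy path.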

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl?rev=1291599&r1=1291598&r2=1291599&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
Tue Feb 21 05:10:10 2012
@@ -205,6 +205,24 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItBindingCXF4119" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#CXF4119" />
+        <soap:binding style="document"
+          transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
+
 
 
     <wsdl:service name="DoubleItService">
@@ -241,6 +259,9 @@
         <wsdl:port name="DoubleItPortCXF3452" binding="tns:DoubleItBindingCXF3452">
             <soap:address location="http://localhost:9010/SecPolTestCXF3452" />
         </wsdl:port>
+        <wsdl:port name="DoubleItPortCXF4119" binding="tns:DoubleItBindingCXF4119">
+            <soap:address location="http://localhost:9010/SecPolTestCXF4119" />
+        </wsdl:port>
     </wsdl:service>
 
     <wsp:Policy wsu:Id="DoubleItBindingPolicy">
@@ -785,5 +806,62 @@
             <sp:Header Namespace="http://cxf.apache.org/policytest/DoubleIt"/>
         </sp:SignedParts>
     </wsp:Policy>
-
+    <wsp:Policy wsu:Id="CXF4119">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:AsymmetricBinding
+                  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+                    <wsp:Policy>
+                        <sp:InitiatorToken>
+                            <wsp:Policy>
+                                <sp:X509Token
+                                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
+                                    <wsp:Policy>
+                                        <sp:WssX509V1Token11 />
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:InitiatorToken>
+                        <sp:RecipientToken>
+                            <wsp:Policy>
+                                <sp:X509Token
+                                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
+                                    <wsp:Policy>
+                                        <sp:WssX509V1Token11 />
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:RecipientToken>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:TripleDesRsa15 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                        <sp:EncryptSignature />
+                        <sp:OnlySignEntireHeadersAndBody />
+                        <sp:EncryptBeforeSigning />
+                    </wsp:Policy>
+                </sp:AsymmetricBinding>
+                <sp:SignedParts
+                  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+                    <sp:Body />
+                </sp:SignedParts>
+                <sp:EncryptedParts
+                  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+                    <sp:Body />
+                </sp:EncryptedParts>
+                <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+                    <wsp:Policy>
+                        <sp:MustSupportRefIssuerSerial />
+                    </wsp:Policy>
+                </sp:Wss10>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
 </wsdl:definitions>
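Review bot: the new CXF4119 policy selects `sp:TripleDesRsa15` as its algorithm suite, that is 3DES with RSA PKCS#1 v1.5 key transport; since this fixture only needs to exercise revocation checking of the encryption certificate, one of the stronger suites (for example Basic128, which uses RSA-OAEP for key transport) would avoid adding a new test that depends on a weak suite. Otherwise the policy is well-formed and the `#CXF4119` reference from the new binding resolves to it.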


