Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 864C998C5 for ; Thu, 16 Feb 2012 18:08:29 +0000 (UTC) Received: (qmail 33695 invoked by uid 500); 16 Feb 2012 18:08:29 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 33636 invoked by uid 500); 16 Feb 2012 18:08:29 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 33629 invoked by uid 99); 16 Feb 2012 18:08:29 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 16 Feb 2012 18:08:29 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 16 Feb 2012 18:08:22 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 548C12388865; Thu, 16 Feb 2012 18:08:01 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1245108 - in /cxf/trunk/rt/ws/security: ./ src/main/java/org/apache/cxf/ws/security/policy/interceptors/ src/test/java/org/apache/cxf/ws/security/wss4j/ src/test/resources/org/apache/cxf/ws/security/wss4j/ Date: Thu, 16 Feb 2012 18:08:01 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org
X-Mailer: svnmailer-1.0.8-patched
Message-Id: <20120216180801.548C12388865@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Author: coheigea
Date: Thu Feb 16 18:08:00 2012
New Revision: 1245108
URL: http://svn.apache.org/viewvc?rev=1245108&view=rev
Log: [CXF-4099] - SignedParts, EncryptedParts policy assertions are silently ignored on the client side if specified alone - Patch applied, thanks. - I also added in SignedElements, EncryptedElements and ContentEncryptedElements.
Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityVerificationOutTest.java
cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/encrypted_parts_missing_binding.xml
cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/signed_parts_missing_binding.xml
Modified: cxf/trunk/rt/ws/security/pom.xml
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
Modified: cxf/trunk/rt/ws/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/pom.xml?rev=1245108&r1=1245107&r2=1245108&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/pom.xml (original)
+++ cxf/trunk/rt/ws/security/pom.xml Thu Feb 16 18:08:00 2012
@@ -134,6 +134,11 @@ ${project.version} test
+
+ org.easymock
+ easymock
+ test
+
Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java?rev=1245108&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java Thu Feb 16 18:08:00 2012
@@ -0,0 +1,101 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+ package org.apache.cxf.ws.security.policy.interceptors;
+
+ import java.util.Collection;
+ import java.util.logging.Logger;
+
+ import javax.xml.namespace.QName;
+
+ import org.apache.cxf.binding.soap.SoapMessage;
+ import org.apache.cxf.common.logging.LogUtils;
+ import org.apache.cxf.interceptor.Fault;
+ import org.apache.cxf.message.MessageUtils;
+ import org.apache.cxf.phase.AbstractPhaseInterceptor;
+ import org.apache.cxf.phase.Phase;
+ import org.apache.cxf.ws.policy.AssertionInfo;
+ import org.apache.cxf.ws.policy.AssertionInfoMap;
+ import org.apache.cxf.ws.policy.PolicyException;
+ import org.apache.cxf.ws.security.policy.SP12Constants;
+
+ /**
+ * Interceptor verifies critical policy security assertions for client side
+ */
+ public class SecurityVerificationOutInterceptor extends AbstractPhaseInterceptor {
+ public static final SecurityVerificationOutInterceptor INSTANCE =
+ new SecurityVerificationOutInterceptor();
+
+ private static final Logger LOG = LogUtils.getL7dLogger(SecurityVerificationOutInterceptor.class);
+
+ public SecurityVerificationOutInterceptor() {
+ super(Phase.PRE_LOGICAL);
+ }
+
+ /**
+ * Checks if some security 
assertions are specified without binding assertion and cannot be fulfilled.
+ * Throw PolicyException in this case
+ *
+ * @param message
+ * @throws PolicyException if assertions are specified without binding
+ */
+ public void handleMessage(SoapMessage message) throws Fault {
+ if (MessageUtils.isRequestor(message)) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ if (aim != null) {
+ Collection aisTransport = aim.get(SP12Constants.TRANSPORT_BINDING);
+ Collection aisAssymetric = aim.get(SP12Constants.ASYMMETRIC_BINDING);
+ Collection aisSymetric = aim.get(SP12Constants.SYMMETRIC_BINDING);
+ if (((aisTransport == null) || aisTransport.isEmpty())
+ && ((aisAssymetric == null) || aisAssymetric.isEmpty())
+ && ((aisSymetric == null) || aisSymetric.isEmpty())) {
+
+ Collection aisSignedParts = aim.get(SP12Constants.SIGNED_PARTS);
+ checkAssertion(aisSignedParts, SP12Constants.SIGNED_PARTS);
+ Collection aisSignedElements = aim.get(SP12Constants.SIGNED_ELEMENTS);
+ checkAssertion(aisSignedElements, SP12Constants.SIGNED_ELEMENTS);
+
+ Collection aisEncryptedParts = aim.get(SP12Constants.ENCRYPTED_PARTS);
+ checkAssertion(aisEncryptedParts, SP12Constants.ENCRYPTED_PARTS);
+ Collection aisEncryptedElements =
+ aim.get(SP12Constants.ENCRYPTED_ELEMENTS);
+ checkAssertion(aisEncryptedElements, SP12Constants.ENCRYPTED_ELEMENTS);
+ Collection aisContentEncryptedElements =
+ aim.get(SP12Constants.CONTENT_ENCRYPTED_ELEMENTS);
+ checkAssertion(aisContentEncryptedElements, SP12Constants.CONTENT_ENCRYPTED_ELEMENTS);
+ }
+ }
+ }
+ }
+
+ private void checkAssertion(Collection ais, QName assertion) {
+ if ((ais != null) && (!ais.isEmpty())) {
+ String error = String
+ .format("%s assertion cannot be fulfilled without binding. 
" + + "At least one binding assertion (%s, %s, %s) must be specified in policy.", + assertion.getLocalPart(), SP12Constants.TRANSPORT_BINDING.getLocalPart(), + SP12Constants.ASYMMETRIC_BINDING.getLocalPart(), + SP12Constants.SYMMETRIC_BINDING.getLocalPart()); + AssertionInfo info = ais.iterator().next(); + info.setNotAsserted(error); + LOG.severe(error); + throw new PolicyException(info); + } + } +} Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java?rev=1245108&r1=1245107&r2=1245108&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java Thu Feb 16 18:08:00 2012 @@ -73,5 +73,6 @@ public class WSSecurityPolicyInterceptor public WSSecurityPolicyInterceptorProvider() { super(ASSERTION_TYPES); + getOutInterceptors().add(SecurityVerificationOutInterceptor.INSTANCE); } } Added: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityVerificationOutTest.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityVerificationOutTest.java?rev=1245108&view=auto ============================================================================== --- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityVerificationOutTest.java (added) +++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityVerificationOutTest.java Thu Feb 16 18:08:00 2012 
@@ -0,0 +1,88 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+ package org.apache.cxf.ws.security.wss4j;
+
+ import java.io.IOException;
+
+ import javax.xml.parsers.ParserConfigurationException;
+
+ import org.xml.sax.SAXException;
+
+ import org.apache.cxf.binding.soap.SoapMessage;
+ import org.apache.cxf.message.Message;
+ import org.apache.cxf.ws.policy.AssertionInfoMap;
+ import org.apache.cxf.ws.policy.PolicyException;
+ import org.apache.cxf.ws.security.policy.interceptors.SecurityVerificationOutInterceptor;
+ import org.apache.neethi.Policy;
+ import org.easymock.EasyMock;
+ import org.easymock.IMocksControl;
+ import org.junit.Before;
+ import org.junit.Test;
+
+ public class SecurityVerificationOutTest extends AbstractPolicySecurityTest {
+ private IMocksControl control;
+
+
+ @Before
+ public void setUp() {
+ control = EasyMock.createNiceControl();
+ }
+
+ @Test(expected = PolicyException.class)
+ public void testEncryptedPartsNoBinding() throws Exception {
+ SoapMessage message = coachMessage("encrypted_parts_missing_binding.xml");
+ control.replay();
+ SecurityVerificationOutInterceptor.INSTANCE.handleMessage(message);
+ control.verify();
+ }
+
+ @Test(expected = PolicyException.class)
+ public void 
testSignedPartsNoBinding() throws Exception {
+ SoapMessage message = coachMessage("signed_parts_missing_binding.xml");
+ control.replay();
+ SecurityVerificationOutInterceptor.INSTANCE.handleMessage(message);
+ control.verify();
+ }
+
+ @Test
+ public void testEncryptedPartsOK() throws Exception {
+ SoapMessage message = coachMessage("encrypted_parts_policy_body.xml");
+ control.replay();
+ SecurityVerificationOutInterceptor.INSTANCE.handleMessage(message);
+ control.verify();
+ }
+
+ @Test
+ public void testSignedPartsOK() throws Exception {
+ SoapMessage message = coachMessage("signed_parts_policy_body.xml");
+ control.replay();
+ SecurityVerificationOutInterceptor.INSTANCE.handleMessage(message);
+ control.verify();
+ }
+
+ private SoapMessage coachMessage(String policyName)
+ throws IOException, ParserConfigurationException, SAXException {
+ Policy policy = policyBuilder.getPolicy(this.getResourceAsStream(policyName));
+ AssertionInfoMap aim = new AssertionInfoMap(policy);
+ SoapMessage message = control.createMock(SoapMessage.class);
+ EasyMock.expect(message.get(Message.REQUESTOR_ROLE)).andReturn(Boolean.TRUE);
+ EasyMock.expect(message.get(AssertionInfoMap.class)).andReturn(aim);
+ return message;
+ }
+}
Added: cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/encrypted_parts_missing_binding.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/encrypted_parts_missing_binding.xml?rev=1245108&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/encrypted_parts_missing_binding.xml (added)
+++ cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/encrypted_parts_missing_binding.xml Thu Feb 16 18:08:00 2012
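Review bot: Only the SignedParts and EncryptedParts cases are exercised here, so the SignedElements, EncryptedElements and ContentEncryptedElements checks that the same commit adds to SecurityVerificationOutInterceptor have no coverage and could regress silently; add a binding-less policy resource and an `@Test(expected = PolicyException.class)` case for each. There is also no case where `message.get(Message.REQUESTOR_ROLE)` returns `Boolean.FALSE`, which would pin the intended no-op on the provider side. In the two expected-exception tests `control.verify()` is never reached, which is harmless with a nice control but means those mock expectations are never actually verified.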
@@ -0,0 +1,12 @@ + + + + + + + + + +
Added: cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/signed_parts_missing_binding.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/signed_parts_missing_binding.xml?rev=1245108&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/signed_parts_missing_binding.xml (added)
+++ cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/signed_parts_missing_binding.xml Thu Feb 16 18:08:00 2012
@@ -0,0 +1,12 @@ + + + + + + + + + +