cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1359055 - in /cxf/branches/2.5.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/ services/sts/systests/basic/src/te...
Date Mon, 09 Jul 2012 10:57:26 GMT
Author: coheigea
Date: Mon Jul  9 10:57:26 2012
New Revision: 1359055

URL: http://svn.apache.org/viewvc?rev=1359055&view=rev
Log:
Merged revisions 1359043 via  git cherry-pick from
https://svn.apache.org/repos/asf/cxf/branches/2.6.x-fixes

........
  r1359043 | coheigea | 2012-07-09 11:45:42 +0100 (Mon, 09 Jul 2012) | 10 lines

  Merged revisions 1359033 via  git cherry-pick from
  https://svn.apache.org/repos/asf/cxf/trunk

  ........
    r1359033 | coheigea | 2012-07-09 11:27:52 +0100 (Mon, 09 Jul 2012) | 2 lines

    [CXF-4410] - sp:EncryptSignature policy validation should only check to see if the primary
signature is encrypted

  ........

........

Modified:
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
    cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
    cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/DoubleIt.wsdl
    cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-client.xml
    cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-service.xml

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java?rev=1359055&r1=1359054&r2=1359055&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
Mon Jul  9 10:57:26 2012
@@ -313,13 +313,20 @@ public abstract class AbstractBindingPol
     }
     
     /**
-     * Check whether all Signature (and SignatureConfirmation) elements were encrypted
+     * Check whether the primary Signature (and all SignatureConfirmation) elements were
encrypted
      */
     protected boolean isSignatureEncrypted(List<WSSecurityEngineResult> results) {
-        for (WSSecurityEngineResult result : results) {
+        boolean foundPrimarySignature = false;
+        for (int i = results.size() - 1; i >= 0; i--) {
+            WSSecurityEngineResult result = results.get(i);
             Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.SIGN
-                || actInt.intValue() == WSConstants.SC) {
+            if (actInt.intValue() == WSConstants.SIGN && !foundPrimarySignature)
{
+                foundPrimarySignature = true;
+                String sigId = (String)result.get(WSSecurityEngineResult.TAG_ID);
+                if (sigId == null || !isIdEncrypted(sigId, results)) {
+                    return false;
+                }
+            } else if (actInt.intValue() == WSConstants.SC) {
                 String sigId = (String)result.get(WSSecurityEngineResult.TAG_ID);
                 if (sigId == null || !isIdEncrypted(sigId, results)) {
                     return false;

Modified: cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java?rev=1359055&r1=1359054&r2=1359055&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
(original)
+++ cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
Mon Jul  9 10:57:26 2012
@@ -129,6 +129,31 @@ public class X509SymmetricBindingTest ex
         
         bus.shutdown(true);
     }
+    
+    @org.junit.Test
+    public void testX509SAML2Endorsing() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = X509SymmetricBindingTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = X509SymmetricBindingTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSymmetricSAML2EndorsingPort");
+        DoubleItPortType symmetricSaml2Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(symmetricSaml2Port, PORT);
+        if (standalone) {
+            TokenTestUtils.updateSTSPort((BindingProvider)symmetricSaml2Port, STSPORT2);
+        }
+        
+        doubleIt(symmetricSaml2Port, 30);
+
+        bus.shutdown(true);
+    }
 
     private static void doubleIt(DoubleItPortType port, int numToDouble) {
         int resp = port.doubleIt(numToDouble);

Modified: cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/DoubleIt.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/DoubleIt.wsdl?rev=1359055&r1=1359054&r2=1359055&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/DoubleIt.wsdl
(original)
+++ cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/DoubleIt.wsdl
Mon Jul  9 10:57:26 2012
@@ -60,6 +60,22 @@
 			</wsdl:output>
 		</wsdl:operation>
 	</wsdl:binding>
+	<wsdl:binding name="DoubleItSymmetricSAML2EndorsingBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItSymmetricBindingSAML2EndorsingPolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy" />
+            </wsdl:output>
+        </wsdl:operation>
+    </wsdl:binding>
 
 	<wsdl:service name="DoubleItService">
 		<wsdl:port name="DoubleItSymmetricSAML1Port" binding="tns:DoubleItSymmetricSAML1Binding">
@@ -70,6 +86,11 @@
 			<soap:address
 				location="http://localhost:8082/doubleit/services/doubleitsymmetricsaml2" />
 		</wsdl:port>
+		<wsdl:port name="DoubleItSymmetricSAML2EndorsingPort" 
+		           binding="tns:DoubleItSymmetricSAML2EndorsingBinding">
+            <soap:address
+                location="http://localhost:8082/doubleit/services/doubleitsymmetricsaml2endorsing"
/>
+        </wsdl:port>
 	</wsdl:service>
 	
 	<wsp:Policy wsu:Id="DoubleItSymmetricBindingSAML1Policy">
@@ -209,6 +230,87 @@
 		</wsp:ExactlyOne>
 	</wsp:Policy>
 	
+	<wsp:Policy wsu:Id="DoubleItSymmetricBindingSAML2EndorsingPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <wsam:Addressing wsp:Optional="false">
+                    <wsp:Policy />
+                </wsam:Addressing>
+                <sp:SymmetricBinding>
+                    <wsp:Policy>
+                        <sp:ProtectionToken>
+                            <wsp:Policy>
+                                <sp:X509Token
+                                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                                    <wsp:Policy>
+                                        <sp:RequireThumbprintReference/>
+                                        <sp:WssX509V3Token10/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:ProtectionToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                        <sp:OnlySignEntireHeadersAndBody />
+                        <sp:EncryptSignature />
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:SymmetricBinding>
+                <sp:EndorsingSupportingTokens>
+                    <wsp:Policy>
+                        <sp:IssuedToken
+                                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                    <sp:RequestSecurityTokenTemplate>
+                                        <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
+                                        <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
+                                        <t:KeySize>128</t:KeySize>
+                                    </sp:RequestSecurityTokenTemplate>
+                                    <wsp:Policy>
+                                        <sp:RequireInternalReference />
+                                    </wsp:Policy>
+                                    <sp:Issuer>
+                                        <wsaw:Address>http://localhost:8080/SecurityTokenService/UT
+                                        </wsaw:Address>
+                                        <wsaw:Metadata>
+                                            <wsx:Metadata>
+                                                <wsx:MetadataSection>
+                                                    <wsx:MetadataReference>
+                                                        <wsaw:Address>http://localhost:8080/SecurityTokenService/UT/mex
+                                                        </wsaw:Address>
+                                                    </wsx:MetadataReference>
+                                                </wsx:MetadataSection>
+                                            </wsx:Metadata>
+                                        </wsaw:Metadata>
+                                    </sp:Issuer>
+                                </sp:IssuedToken>
+                    </wsp:Policy>
+                </sp:EndorsingSupportingTokens>
+                <sp:Wss11>
+                    <wsp:Policy>
+                        <sp:MustSupportRefIssuerSerial />
+                        <sp:MustSupportRefThumbprint />
+                        <sp:MustSupportRefEncryptedKey />
+                    </wsp:Policy>
+                </sp:Wss11>
+                <sp:Trust13>
+                    <wsp:Policy>
+                        <sp:MustSupportIssuedTokens />
+                        <sp:RequireClientEntropy />
+                        <sp:RequireServerEntropy />
+                    </wsp:Policy>
+                </sp:Trust13>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
+    
 	<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
 		<wsp:ExactlyOne>
 			<wsp:All>

Modified: cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-client.xml?rev=1359055&r1=1359054&r2=1359055&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-client.xml
(original)
+++ cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-client.xml
Mon Jul  9 10:57:26 2012
@@ -89,5 +89,34 @@ http://cxf.apache.org/configuration/secu
        </jaxws:properties>
    </jaxws:client>
    
+   <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricSAML2EndorsingPort"

+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>

+           <entry key="ws-security.encryption.username" value="myservicekey"/>
+           <entry key="ws-security.sts.client">
+               <bean class="org.apache.cxf.ws.security.trust.STSClient">
+                   <constructor-arg ref="cxf"/>
+                   <property name="wsdlLocation" 
+                             value="http://localhost:8080/SecurityTokenService/X509?wsdl"/>
+                   <property name="serviceName" 
+                             value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
+                   <property name="endpointName" 
+                             value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}X509_Port"/>
+                   <property name="properties">
+                       <map>
+                           <entry key="ws-security.signature.username" value="myclientkey"/>
+                           <entry key="ws-security.callback-handler" 
+                                  value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+                           <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>

+                           <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>

+                           <entry key="ws-security.encryption.username" value="mystskey"/>
+                       </map>
+                   </property>
+               </bean>            
+           </entry> 
+       </jaxws:properties>
+   </jaxws:client>
+   
 </beans>
 

Modified: cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-service.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-service.xml?rev=1359055&r1=1359054&r2=1359055&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-service.xml
(original)
+++ cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-service.xml
Mon Jul  9 10:57:26 2012
@@ -77,5 +77,21 @@
       </jaxws:properties> 
    </jaxws:endpoint>
    
+   <jaxws:endpoint id="doubleitsymmetricsaml2endorsing"
+      implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl"
+      endpointName="s:DoubleItSymmetricSAML2EndorsingPort"
+      serviceName="s:DoubleItService"
+      address="http://localhost:${testutil.ports.Server}/doubleit/services/doubleitsymmetricsaml2endorsing"
+      wsdlLocation="org/apache/cxf/systest/sts/x509_symmetric/DoubleIt.wsdl"
+      xmlns:s="http://www.example.org/contract/DoubleIt">
+        
+      <jaxws:properties>
+         <entry key="ws-security.callback-handler" 
+                value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+         <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/>
+         <entry key="ws-security.is-bsp-compliant" value="false"/>
+      </jaxws:properties> 
+   </jaxws:endpoint>
+   
 </beans>
 



Mime
View raw message