cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1369083 - in /cxf/branches/2.5.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_che...
Date Fri, 03 Aug 2012 16:21:16 GMT
Author: coheigea
Date: Fri Aug  3 16:21:16 2012
New Revision: 1369083

URL: http://svn.apache.org/viewvc?rev=1369083&view=rev
Log:
Merged revisions 1369079 via  git cherry-pick from
https://svn.apache.org/repos/asf/cxf/branches/2.6.x-fixes

........
  r1369079 | coheigea | 2012-08-03 17:16:41 +0100 (Fri, 03 Aug 2012) | 10 lines

  Merged revisions 1369075 via  git cherry-pick from
  https://svn.apache.org/repos/asf/cxf/trunk

  ........
    r1369075 | coheigea | 2012-08-03 17:14:34 +0100 (Fri, 03 Aug 2012) | 2 lines

    [CXF-4453] - Add in default signature verification of WS-Addressing ReplyTo and FaultTo
headers

  ........

........

Modified:
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java?rev=1369083&r1=1369082&r2=1369083&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java
Fri Aug  3 16:21:16 2012
@@ -19,14 +19,18 @@
 package org.apache.cxf.ws.security.wss4j;
 
 
+import org.apache.cxf.ws.addressing.Names;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
 import org.apache.ws.security.WSConstants;
 
 /**
  * This utility extends the CryptoCoverageChecker to provide an easy way to check to see
- * if the SOAP (1.1 + 1.2) Body was signed and/or encrypted, and if the Timestamp was signed.
- * The default configuration is that the SOAP Body and Timestamp must be signed.
+ * if the SOAP (1.1 + 1.2) Body was signed and/or encrypted, if the Timestamp was signed,
+ * and if the WS-Addressing ReplyTo and FaultTo headers were signed.
+ * 
+ * The default configuration is that the SOAP Body, Timestamp must be signed, and WS-Addressing
+ * ReplyTo and FaultTo headers must be signed (if they exist in the message payload).
  */
 public class DefaultCryptoCoverageChecker extends CryptoCoverageChecker {
     
@@ -34,14 +38,16 @@ public class DefaultCryptoCoverageChecke
     public static final String SOAP12_NS = WSConstants.URI_SOAP12_ENV;
     public static final String WSU_NS = WSConstants.WSU_NS;
     public static final String WSSE_NS = WSConstants.WSSE_NS;
+    public static final String WSA_NS = Names.WSA_NAMESPACE_NAME;
     
     private boolean signBody;
     private boolean signTimestamp;
     private boolean encryptBody;
+    private boolean signAddressingHeaders;
     
     /**
-     * Creates a new instance. Enforces that the SOAP Body and Timestamp must be signed
-     * (if they exist in the message body).
+     * Creates a new instance. Enforces that the SOAP Body, Timestamp, and WS-Addressing
+     * ReplyTo and FaultTo headers must be signed (if they exist in the message payload).
      */
     public DefaultCryptoCoverageChecker() {
         super(null, null);
@@ -50,12 +56,16 @@ public class DefaultCryptoCoverageChecke
         prefixMap.put("soapenv12", SOAP12_NS);
         prefixMap.put("wsu", WSU_NS);
         prefixMap.put("wsse", WSSE_NS);
+        prefixMap.put("wsa", WSA_NS);
         
         // Sign SOAP Body
         setSignBody(true);
         
         // Sign Timestamp
         setSignTimestamp(true);
+        
+        // Sign Addressing Headers
+        setSignAddressingHeaders(true);
     }
     
     public boolean isSignBody() {
@@ -152,5 +162,62 @@ public class DefaultCryptoCoverageChecke
             }
         }
     }
+
+    public boolean isSignAddressingHeaders() {
+        return signAddressingHeaders;
+    }
+
+    public final void setSignAddressingHeaders(boolean signAddressingHeaders) {
+        this.signAddressingHeaders = signAddressingHeaders;
+        
+        XPathExpression soap11Expression = 
+            new XPathExpression(
+                "/soapenv:Envelope/soapenv:Header/wsa:ReplyTo", 
+                CoverageType.SIGNED
+            );
+        XPathExpression soap11Expression2 = 
+            new XPathExpression(
+                "/soapenv:Envelope/soapenv:Header/wsa:FaultTo", 
+                CoverageType.SIGNED
+            );
+        XPathExpression soap12Expression = 
+            new XPathExpression(
+                "/soapenv12:Envelope/soapenv12:Header/wsa:ReplyTo", 
+                CoverageType.SIGNED
+            );
+        XPathExpression soap12Expression2 = 
+            new XPathExpression(
+                "/soapenv12:Envelope/soapenv12:Header/wsa:FaultTo", 
+                CoverageType.SIGNED
+            );
+
+        if (signAddressingHeaders) {
+            if (!xPaths.contains(soap11Expression)) {
+                xPaths.add(soap11Expression);
+            }
+            if (!xPaths.contains(soap11Expression2)) {
+                xPaths.add(soap11Expression2);
+            }
+            if (!xPaths.contains(soap12Expression)) {
+                xPaths.add(soap12Expression);
+            }
+            if (!xPaths.contains(soap12Expression2)) {
+                xPaths.add(soap12Expression2);
+            }
+        } else {
+            if (xPaths.contains(soap11Expression)) {
+                xPaths.remove(soap11Expression);
+            }
+            if (xPaths.contains(soap11Expression2)) {
+                xPaths.remove(soap11Expression2);
+            }
+            if (xPaths.contains(soap12Expression)) {
+                xPaths.remove(soap12Expression);
+            }
+            if (xPaths.contains(soap12Expression2)) {
+                xPaths.remove(soap12Expression2);
+            }
+        }
+    }
     
 }

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java?rev=1369083&r1=1369082&r2=1369083&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java
Fri Aug  3 16:21:16 2012
@@ -37,8 +37,8 @@ import org.junit.Test;
 
 /**
  * Test the DefaultCryptoCoverageChecker, which extends the CryptoCoverageChecker to provide
- * an easier way to check to see if the SOAP (1.1 + 1.2) Body was signed and/or encrypted,
and 
- * if the Timestamp was signed.
+ * an easier way to check to see if the SOAP (1.1 + 1.2) Body was signed and/or encrypted,
if 
+ * the Timestamp was signed, and if the WS-Addressing ReplyTo and FaultTo headers were signed.
  */
 public class DefaultCryptoCoverageCheckerTest extends AbstractSecurityTest {
     

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java?rev=1369083&r1=1369082&r2=1369083&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java
Fri Aug  3 16:21:16 2012
@@ -64,7 +64,7 @@ public class DefaultCryptoCoverageChecke
         SecurityTestUtil.cleanup();
         stopAllServers();
     }
-
+    
     @org.junit.Test
     public void testSignedBodyTimestamp() throws Exception {
         if (!unrestrictedPoliciesInstalled) {
@@ -403,6 +403,65 @@ public class DefaultCryptoCoverageChecke
         bus.shutdown(true);
     }
     
+    @org.junit.Test
+    public void testWSAddressing() throws Exception {
+        if (!unrestrictedPoliciesInstalled) {
+            return;
+        }
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = DefaultCryptoCoverageCheckerTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL wsdl = DefaultCryptoCoverageCheckerTest.class.getResource("DoubleItCoverageChecker.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItWSAPort");
+        DoubleItPortType port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        
+        Map<String, Object> outProps = new HashMap<String, Object>();
+        outProps.put("action", "Timestamp Signature");
+        outProps.put("signaturePropFile", 
+                     "org/apache/cxf/systest/ws/wssec10/client/alice.properties");
+        outProps.put("user", "alice");
+        outProps.put("passwordCallbackClass", 
+                     "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback");
+        outProps.put("signatureParts",
+                     "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;"
+                     + "{}{http://docs.oasis-open.org/wss/2004/01/oasis-"
+                     + "200401-wss-wssecurity-utility-1.0.xsd}Timestamp;");
+        
+        WSS4JOutInterceptor wss4jOutInterceptor = new WSS4JOutInterceptor(outProps);
+        bus.getOutInterceptors().add(wss4jOutInterceptor);
+        
+        try {
+            port.doubleIt(25);
+            fail("Failure expected on not signing the WS-Addressing headers");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Now sign the WS-Addressing headers
+        bus.getOutInterceptors().remove(wss4jOutInterceptor);
+        
+        outProps.put("signatureParts",
+                "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;"
+                + "{}{http://docs.oasis-open.org/wss/2004/01/oasis-"
+                + "200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
+                + "{}{http://www.w3.org/2005/08/addressing}ReplyTo;");
+        
+        wss4jOutInterceptor = new WSS4JOutInterceptor(outProps);
+        bus.getOutInterceptors().add(wss4jOutInterceptor);
+        
+        port.doubleIt(25);
+        
+        bus.shutdown(true);
+    }
+    
     private boolean checkUnrestrictedPoliciesInstalled() {
         try {
             byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl?rev=1369083&r1=1369082&r2=1369083&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl
Fri Aug  3 16:21:16 2012
@@ -74,6 +74,9 @@
         <wsdl:port name="DoubleItSignedEncryptedBodyPort" binding="tns:DoubleItSoapBinding">
             <soap:address location="http://localhost:9001/DoubleItSignedEncrypted" />
         </wsdl:port>
+        <wsdl:port name="DoubleItWSAPort" binding="tns:DoubleItSoapBinding">
+            <soap:address location="http://localhost:9001/DoubleItWSA" />
+        </wsdl:port>
     </wsdl:service>
     
 </wsdl:definitions>

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml?rev=1369083&r1=1369082&r2=1369083&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml
Fri Aug  3 16:21:16 2012
@@ -51,4 +51,11 @@
                   createdFromAPI="true">
     </jaxws:client>
     
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItWSAPort" 
+                  createdFromAPI="true">
+         <jaxws:features>
+             <wsa:addressing xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
+         </jaxws:features>
+    </jaxws:client>
+    
 </beans>

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml?rev=1369083&r1=1369082&r2=1369083&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml
Fri Aug  3 16:21:16 2012
@@ -122,5 +122,32 @@
         </bean>
        </jaxws:inInterceptors>
     </jaxws:endpoint> 
+    
+    <jaxws:endpoint 
+       id="WSA"
+       address="http://localhost:${testutil.ports.Server}/DoubleItWSA" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItWSAPort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl">
+        
+       <jaxws:inInterceptors>
+         <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+           <constructor-arg>
+            <map>
+               <entry key="action" value="Signature Timestamp"/>
+               <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+               <entry key="passwordCallbackClass" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+            </map>
+           </constructor-arg>
+        </bean>
+        <bean class="org.apache.cxf.ws.security.wss4j.DefaultCryptoCoverageChecker"/>
+       </jaxws:inInterceptors>
+       <jaxws:features>
+           <wsa:addressing xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
+       </jaxws:features>
+    </jaxws:endpoint> 
    
 </beans>



Mime
View raw message