Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id C72E8DD1D for ; Fri, 3 Aug 2012 16:22:02 +0000 (UTC) Received: (qmail 63816 invoked by uid 500); 3 Aug 2012 16:22:02 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 63765 invoked by uid 500); 3 Aug 2012 16:22:02 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 63752 invoked by uid 99); 3 Aug 2012 16:22:02 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 03 Aug 2012 16:22:02 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 03 Aug 2012 16:22:00 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 39FF823888CD; Fri, 3 Aug 2012 16:21:17 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1369083 - in /cxf/branches/2.5.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_che... Date: Fri, 03 Aug 2012 16:21:16 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120803162117.39FF823888CD@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: coheigea Date: Fri Aug 3 16:21:16 2012 New Revision: 1369083 URL: http://svn.apache.org/viewvc?rev=1369083&view=rev Log: Merged revisions 1369079 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/branches/2.6.x-fixes ........ r1369079 | coheigea | 2012-08-03 17:16:41 +0100 (Fri, 03 Aug 2012) | 10 lines Merged revisions 1369075 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/trunk ........ r1369075 | coheigea | 2012-08-03 17:14:34 +0100 (Fri, 03 Aug 2012) | 2 lines [CXF-4453] - Add in default signature verification of WS-Addressing ReplyTo and FaultTo headers ........ ........ Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java?rev=1369083&r1=1369082&r2=1369083&view=diff ============================================================================== --- 
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java Fri Aug 3 16:21:16 2012
@@ -19,14 +19,18 @@
package org.apache.cxf.ws.security.wss4j;
+import org.apache.cxf.ws.addressing.Names;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
import org.apache.ws.security.WSConstants;
/**
 * This utility extends the CryptoCoverageChecker to provide an easy way to check to see
- * if the SOAP (1.1 + 1.2) Body was signed and/or encrypted, and if the Timestamp was signed.
- * The default configuration is that the SOAP Body and Timestamp must be signed.
+ * if the SOAP (1.1 + 1.2) Body was signed and/or encrypted, if the Timestamp was signed,
+ * and if the WS-Addressing ReplyTo and FaultTo headers were signed.
+ *
+ * The default configuration is that the SOAP Body, Timestamp must be signed, and WS-Addressing
+ * ReplyTo and FaultTo headers must be signed (if they exist in the message payload).
 */
public class DefaultCryptoCoverageChecker extends CryptoCoverageChecker {
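Review bot: The class Javadoc in this hunk documents the new default but not that it is a behaviour change for existing deployments: a client that signs Body and Timestamp but leaves the WS-Addressing headers unsigned is now rejected by a default-constructed checker, which is exactly what the new systest asserts with `fail("Failure expected on not signing the WS-Addressing headers")`. On a fixes branch that deserves a sentence such as `Note: a default-constructed checker now also rejects messages carrying an unsigned wsa:ReplyTo or wsa:FaultTo; call setSignAddressingHeaders(false) to restore the previous behaviour.` The sentence "the SOAP Body, Timestamp must be signed, and WS-Addressing ReplyTo and FaultTo headers must be signed" also reads awkwardly; `The default configuration requires the SOAP Body and Timestamp to be signed, and the WS-Addressing ReplyTo and FaultTo headers to be signed if they are present.` says the same thing more clearly.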
@@ -34,14 +38,16 @@ public class DefaultCryptoCoverageChecke
public static final String SOAP12_NS = WSConstants.URI_SOAP12_ENV;
public static final String WSU_NS = WSConstants.WSU_NS;
public static final String WSSE_NS = WSConstants.WSSE_NS;
+ public static final String WSA_NS = Names.WSA_NAMESPACE_NAME;
private boolean signBody;
private boolean signTimestamp;
private boolean encryptBody;
+ private boolean signAddressingHeaders;
/**
- * Creates a new instance. Enforces that the SOAP Body and Timestamp must be signed
- * (if they exist in the message body).
+ * Creates a new instance. Enforces that the SOAP Body, Timestamp, and WS-Addressing
+ * ReplyTo and FaultTo headers must be signed (if they exist in the message payload).
 */
public DefaultCryptoCoverageChecker() {
super(null, null);
@@ -50,12 +56,16 @@ public class DefaultCryptoCoverageChecke
prefixMap.put("soapenv12", SOAP12_NS);
prefixMap.put("wsu", WSU_NS);
prefixMap.put("wsse", WSSE_NS);
+ prefixMap.put("wsa", WSA_NS);
// Sign SOAP Body
setSignBody(true);
// Sign Timestamp
setSignTimestamp(true);
+
+ // Sign Addressing Headers
+ setSignAddressingHeaders(true);
}
public boolean isSignBody() {
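Review bot: `prefixMap.put("wsa", WSA_NS)` binds the `wsa` prefix to exactly one namespace, `Names.WSA_NAMESPACE_NAME`, which the new systest's signatureParts show to be `http://www.w3.org/2005/08/addressing`. If an endpoint also accepts the older 2004/08 WS-Addressing namespace, a `ReplyTo` or `FaultTo` carried in that namespace would match none of the new XPaths and would pass the coverage check unsigned, which is the attack CXF-4453 is meant to close; I cannot confirm from this diff whether the 2.5.x addressing interceptors translate legacy headers before this checker runs. Either bind a second prefix for the legacy namespace and add the matching expressions, or state in the Javadoc that only the 2005/08 namespace is enforced so deployments know to disable legacy addressing. The constructor's opening lines are in the preceding hunk; only its tail is visible here.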
@@ -152,5 +162,62 @@ public class DefaultCryptoCoverageChecke
}
}
}
+
+ public boolean isSignAddressingHeaders() {
+ return signAddressingHeaders;
+ }
+
+ public final void setSignAddressingHeaders(boolean signAddressingHeaders) {
+ this.signAddressingHeaders = signAddressingHeaders;
+
+ XPathExpression soap11Expression =
+ new XPathExpression(
+ "/soapenv:Envelope/soapenv:Header/wsa:ReplyTo",
+ CoverageType.SIGNED
+ );
+ XPathExpression soap11Expression2 =
+ new XPathExpression(
+ "/soapenv:Envelope/soapenv:Header/wsa:FaultTo",
+ CoverageType.SIGNED
+ );
+ XPathExpression soap12Expression =
+ new XPathExpression(
+ "/soapenv12:Envelope/soapenv12:Header/wsa:ReplyTo",
+ CoverageType.SIGNED
+ );
+ XPathExpression soap12Expression2 =
+ new XPathExpression(
+ "/soapenv12:Envelope/soapenv12:Header/wsa:FaultTo",
+ CoverageType.SIGNED
+ );
+
+ if (signAddressingHeaders) {
+ if (!xPaths.contains(soap11Expression)) {
+ xPaths.add(soap11Expression);
+ }
+ if (!xPaths.contains(soap11Expression2)) {
+ xPaths.add(soap11Expression2);
+ }
+ if (!xPaths.contains(soap12Expression)) {
+ xPaths.add(soap12Expression);
+ }
+ if (!xPaths.contains(soap12Expression2)) {
+ xPaths.add(soap12Expression2);
+ }
+ } else {
+ if (xPaths.contains(soap11Expression)) {
+ xPaths.remove(soap11Expression);
+ }
+ if (xPaths.contains(soap11Expression2)) {
+ xPaths.remove(soap11Expression2);
+ }
+ if (xPaths.contains(soap12Expression)) {
+ xPaths.remove(soap12Expression);
+ }
+ if (xPaths.contains(soap12Expression2)) {
+ xPaths.remove(soap12Expression2);
+ }
+ }
+ }
}
Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java?rev=1369083&r1=1369082&r2=1369083&view=diff
==============================================================================
---
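Review bot: setSignAddressingHeaders builds four near-identical XPathExpression objects and then repeats the same contains/add and contains/remove logic four times, which is exactly where a fifth header or a second addressing namespace would be forgotten later. Holding the four expressions in an array and looping over them preserves the behaviour and halves the method; the `contains` guard before `remove` is also redundant if `xPaths` is a java.util.List, since `remove(Object)` is a no-op when the element is absent, though keeping it is harmless if the sibling setters use the same pattern. The equality-based `contains` check depends on XPathExpression implementing equals/hashCode, which this hunk does not show but the existing setSignBody/setSignTimestamp presumably rely on in the same way.
```java
    public final void setSignAddressingHeaders(boolean signAddressingHeaders) {
        this.signAddressingHeaders = signAddressingHeaders;

        // One SIGNED requirement per (SOAP version, addressing header) pair.
        XPathExpression[] addressingExpressions = {
            new XPathExpression("/soapenv:Envelope/soapenv:Header/wsa:ReplyTo", CoverageType.SIGNED),
            new XPathExpression("/soapenv:Envelope/soapenv:Header/wsa:FaultTo", CoverageType.SIGNED),
            new XPathExpression("/soapenv12:Envelope/soapenv12:Header/wsa:ReplyTo", CoverageType.SIGNED),
            new XPathExpression("/soapenv12:Envelope/soapenv12:Header/wsa:FaultTo", CoverageType.SIGNED)
        };

        for (XPathExpression expression : addressingExpressions) {
            if (signAddressingHeaders) {
                if (!xPaths.contains(expression)) {
                    xPaths.add(expression);
                }
            } else {
                xPaths.remove(expression);
            }
        }
    }
```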
cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageCheckerTest.java Fri Aug 3 16:21:16 2012 @@ -37,8 +37,8 @@ import org.junit.Test; /** * Test the DefaultCryptoCoverageChecker, which extends the CryptoCoverageChecker to provide - * an easier way to check to see if the SOAP (1.1 + 1.2) Body was signed and/or encrypted, and - * if the Timestamp was signed. + * an easier way to check to see if the SOAP (1.1 + 1.2) Body was signed and/or encrypted, if + * the Timestamp was signed, and if the WS-Addressing ReplyTo and FaultTo headers were signed. */ public class DefaultCryptoCoverageCheckerTest extends AbstractSecurityTest { Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java?rev=1369083&r1=1369082&r2=1369083&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java Fri Aug 3 16:21:16 2012 @@ -64,7 +64,7 @@ public class DefaultCryptoCoverageChecke SecurityTestUtil.cleanup(); stopAllServers(); } - + @org.junit.Test public void testSignedBodyTimestamp() throws Exception { if (!unrestrictedPoliciesInstalled) { 
@@ -403,6 +403,65 @@ public class DefaultCryptoCoverageChecke bus.shutdown(true); } + @org.junit.Test + public void testWSAddressing() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = DefaultCryptoCoverageCheckerTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = DefaultCryptoCoverageCheckerTest.class.getResource("DoubleItCoverageChecker.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItWSAPort"); + DoubleItPortType port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(port, PORT); + + Map outProps = new HashMap(); + outProps.put("action", "Timestamp Signature"); + outProps.put("signaturePropFile", + "org/apache/cxf/systest/ws/wssec10/client/alice.properties"); + outProps.put("user", "alice"); + outProps.put("passwordCallbackClass", + "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"); + outProps.put("signatureParts", + "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" + + "{}{http://docs.oasis-open.org/wss/2004/01/oasis-" + + "200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"); + + WSS4JOutInterceptor wss4jOutInterceptor = new WSS4JOutInterceptor(outProps); + bus.getOutInterceptors().add(wss4jOutInterceptor); + + try { + port.doubleIt(25); + fail("Failure expected on not signing the WS-Addressing headers"); + } catch (Exception ex) { + // expected + } + + // Now sign the WS-Addressing headers + bus.getOutInterceptors().remove(wss4jOutInterceptor); + + outProps.put("signatureParts", + "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" + + "{}{http://docs.oasis-open.org/wss/2004/01/oasis-" + + "200401-wss-wssecurity-utility-1.0.xsd}Timestamp;" + + "{}{http://www.w3.org/2005/08/addressing}ReplyTo;"); + + wss4jOutInterceptor = 
new WSS4JOutInterceptor(outProps); + bus.getOutInterceptors().add(wss4jOutInterceptor); + + port.doubleIt(25); + + bus.shutdown(true); + } + private boolean checkUnrestrictedPoliciesInstalled() { try { byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07}; Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl?rev=1369083&r1=1369082&r2=1369083&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl Fri Aug 3 16:21:16 2012 @@ -74,6 +74,9 @@ + + + Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml?rev=1369083&r1=1369082&r2=1369083&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml Fri Aug 3 16:21:16 2012 
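Review bot: The negative half of testWSAddressing treats any exception as the expected coverage failure (`} catch (Exception ex) { // expected }`), so a mis-wired client.xml, a missing alice keystore or a wrong port name would make the test pass for the wrong reason. Asserting on the fault, for example `assertTrue(ex.getMessage(), ex.getMessage().contains(...))` with whatever text CryptoCoverageChecker raises (not visible in this diff), would pin the behaviour the test exists to cover. `bus.shutdown(true)` is also skipped when the second `port.doubleIt(25)` throws, so a try/finally around the body would avoid leaking the bus into later tests. The raw `Map outProps = new HashMap();` can become `Map<String, Object> outProps = new HashMap<String, Object>();` with no other change. testWSAddressing starts in the previous line of the diff and this hunk's trailing context belongs to checkUnrestrictedPoliciesInstalled, which continues outside the hunk.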
@@ -51,4 +51,11 @@ createdFromAPI="true"> + + + + + + Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml?rev=1369083&r1=1369082&r2=1369083&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml Fri Aug 3 16:21:16 2012 @@ -122,5 +122,32 @@ + + + + + + + + + + + + + + + + + + +