Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id CC4F2E65A for ; Mon, 11 Mar 2013 12:52:46 +0000 (UTC) Received: (qmail 2793 invoked by uid 500); 11 Mar 2013 12:34:46 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 2707 invoked by uid 500); 11 Mar 2013 12:34:44 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 2642 invoked by uid 99); 11 Mar 2013 12:34:41 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 11 Mar 2013 12:34:41 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 11 Mar 2013 12:34:35 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 0C52D23889E3; Mon, 11 Mar 2013 12:34:15 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1455117 - in /cxf/branches/wss4j2.0-port: rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyva... Date: Mon, 11 Mar 2013 12:34:14 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org
X-Mailer: svnmailer-1.0.8-patched
Message-Id: <20130311123415.0C52D23889E3@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Author: coheigea
Date: Mon Mar 11 12:34:14 2013
New Revision: 1455117
URL: http://svn.apache.org/r1455117
Log: Asserted some more Assertions to get testcases passing
Modified:
cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java?rev=1455117&r1=1455116&r2=1455117&view=diff
==============================================================================
--- 
cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java Mon Mar 11 12:34:14 2013 @@ -176,6 +176,9 @@ public final class WSSecurityPolicyLoade SP12Constants.SIGN_BEFORE_ENCRYPTING, SP12Constants.REQUIRE_KEY_IDENTIFIER_REFERENCE, SP11Constants.REQUIRE_KEY_IDENTIFIER_REFERENCE, + SP12Constants.PROTECT_TOKENS, + SP11Constants.PROTECT_TOKENS, + SP12Constants.RSA_KEY_VALUE, SP11Constants.LAX, SP11Constants.LAXTSFIRST, SP11Constants.LAXTSLAST, SP12Constants.LAX, SP12Constants.LAXTSFIRST, SP12Constants.LAXTSLAST, Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1455117&r1=1455116&r2=1455117&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Mon Mar 11 12:34:14 2013 
@@ -515,6 +515,11 @@ public class PolicyBasedWSS4JInIntercept // stuff we can default to asserted and un-assert if a condition isn't met assertPolicy(aim, SP12Constants.KEY_VALUE_TOKEN); + assertPolicy(aim, SP12Constants.RSA_KEY_VALUE); + assertPolicy(aim, SP12Constants.REQUIRE_ISSUER_SERIAL_REFERENCE); + assertPolicy(aim, SP12Constants.REQUIRE_THUMBPRINT_REFERENCE); + assertPolicy(aim, SP12Constants.REQUIRE_KEY_IDENTIFIER_REFERENCE); + message.put(WSHandlerConstants.ACTION, action.trim()); } Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java?rev=1455117&r1=1455116&r2=1455117&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java Mon Mar 11 12:34:14 2013 
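Review bot: The four new assertPolicy calls mark RsaKeyValue and the three RequireXxxReference assertions as satisfied before any part of the inbound message has been examined, and nothing else in this commit ever un-asserts them; the comment above promises an un-assert path, but no validator in the diff calls notAssertPolicy on REQUIRE_ISSUER_SERIAL_REFERENCE, REQUIRE_THUMBPRINT_REFERENCE or REQUIRE_KEY_IDENTIFIER_REFERENCE. Unless a validator outside this commit does so, a policy that requires a particular security-token-reference form would be reported as met whatever reference form the received signature actually used. I would either point the comment at the code that un-asserts them, `// REQUIRE_* reference assertions are un-asserted by <validator — TODO confirm> when the reference form does not match`, or hold the three REQUIRE_* lines back until that check exists. The enclosing method starts outside the hunk.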
@@ -135,27 +135,37 @@ public abstract class AbstractBindingPol * Validate the layout assertion. It just checks the LaxTsFirst and LaxTsLast properties */ protected boolean validateLayout( + AssertionInfoMap aim, boolean laxTimestampFirst, boolean laxTimestampLast, List results ) { if (laxTimestampFirst) { if (results.isEmpty()) { + notAssertPolicy(aim, SP12Constants.LAXTSFIRST, "Layout does not match the requirements"); return false; } Integer firstAction = (Integer)results.get(0).get(WSSecurityEngineResult.TAG_ACTION); if (firstAction.intValue() != WSConstants.TS) { + notAssertPolicy(aim, SP12Constants.LAXTSFIRST, "Layout does not match the requirements"); return false; } + assertPolicy(aim, SP12Constants.LAXTSFIRST); } else if (laxTimestampLast) { if (results.isEmpty()) { + notAssertPolicy(aim, SP12Constants.LAXTSLAST, "Layout does not match the requirements"); return false; } Integer lastAction = (Integer)results.get(results.size() - 1).get(WSSecurityEngineResult.TAG_ACTION); if (lastAction.intValue() != WSConstants.TS) { + notAssertPolicy(aim, SP12Constants.LAXTSLAST, "Layout does not match the requirements"); return false; } + assertPolicy(aim, SP12Constants.LAXTSLAST); + } else { + assertPolicy(aim, SP12Constants.LAX); + assertPolicy(aim, SP12Constants.STRICT); } return true; @@ -177,6 +187,13 @@ public abstract class AbstractBindingPol if (!algorithmValidator.validatePolicy(ai, binding.getAlgorithmSuite())) { return false; } + assertPolicy(aim, SP12Constants.ALGORITHM_SUITE); + String namespace = binding.getAlgorithmSuite().getVersion().getNamespace(); + String name = binding.getAlgorithmSuite().getAlgorithmSuiteType().getName(); + Collection algSuiteAis = aim.get(new QName(namespace, name)); + for (AssertionInfo algSuiteAi : algSuiteAis) { + algSuiteAi.setAsserted(true); + } // Check the IncludeTimestamp if (!validateTimestamp(binding.isIncludeTimestamp(), false, results, signedResults, message)) { 
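Review bot: In the new `else` branch of validateLayout, SP12Constants.STRICT is asserted although the method only ever inspects the timestamp position for the LaxTsFirst and LaxTsLast cases, so a policy demanding Strict layout is marked satisfied with no ordering check at all; the Javadoc above the signature says the method "just checks the LaxTsFirst and LaxTsLast properties". Asserting LAX there is within the method's scope, but STRICT should either be verified or left to whatever does verify it, e.g. reduce the else body to `assertPolicy(aim, SP12Constants.LAX);`. The hunk also repeats the literal "Layout does not match the requirements" four times; a single local such as `String error = "Layout does not match the requirements";` at the top of the method would keep the message in one place. The rest of the class is outside this hunk.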
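Review bot: `aim.get(new QName(namespace, name))` returns null when the algorithm-suite element is not present in the assertion map, and the for loop on the following line then throws a NullPointerException instead of leaving the assertion unasserted; the assertPolicy helper this same commit adds to AbstractTokenPolicyValidator guards exactly that case, and a helper of the same name is evidently available here since `assertPolicy(aim, SP12Constants.ALGORITHM_SUITE)` is called two lines earlier. Replace the five lines from `Collection algSuiteAis = ...` through the loop's closing brace with `assertPolicy(aim, new QName(namespace, name));`. The same unguarded loop appears in TransportBindingPolicyValidator in the hunk at @@ -75,6 +76,13 and should get the same treatment. Whether getAlgorithmSuiteType() can itself be null is not visible from this diff; if it can, the guard belongs one line earlier as well.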
@@ -192,7 +209,7 @@ public abstract class AbstractBindingPol LayoutType layoutType = layout.getLayoutType(); boolean timestampFirst = layoutType == LayoutType.LaxTsFirst; boolean timestampLast = layoutType == LayoutType.LaxTsLast; - if (!validateLayout(timestampFirst, timestampLast, results)) { + if (!validateLayout(aim, timestampFirst, timestampLast, results)) { String error = "Layout does not match the requirements"; notAssertPolicy(aim, SP12Constants.LAYOUT, error); ai.setNotAsserted(error); @@ -207,12 +224,14 @@ public abstract class AbstractBindingPol ai.setNotAsserted(error); return false; } + assertPolicy(aim, SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY); // Check whether the signatures were encrypted or not if (binding.isProtectTokens() && !isSignatureEncrypted(results)) { ai.setNotAsserted("The signature is not protected"); return false; } + assertPolicy(aim, SP12Constants.PROTECT_TOKENS); return true; } Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java?rev=1455117&r1=1455116&r2=1455117&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java Mon Mar 11 12:34:14 2013 
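Review bot: `assertPolicy(aim, SP12Constants.PROTECT_TOKENS)` in the second hunk is reached only after the existing check `binding.isProtectTokens() && !isSignatureEncrypted(results)`, which tests whether the signature was encrypted rather than whether the signature covered the tokens it was made with; in WS-SecurityPolicy those are the EncryptSignature and ProtectTokens properties respectively, so ProtectTokens ends up asserted on evidence about a different property. If the binding model exposes an isEncryptSignature() accessor (not visible in this diff), the existing condition likely wants that one, and PROTECT_TOKENS needs its own check that each signature's references include the signing token before it is asserted. Until then a comment should record the gap: `// NOTE: PROTECT_TOKENS is asserted without verifying that the tokens are covered by the signature`. The enclosing method begins outside the hunk.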
@@ -19,8 +19,14 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators; +import java.util.Collection; + +import javax.xml.namespace.QName; + import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; +import org.apache.cxf.ws.policy.AssertionInfo; +import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.wss4j.policy.SPConstants.IncludeTokenType; import org.apache.wss4j.policy.model.AbstractToken; @@ -56,4 +62,14 @@ public abstract class AbstractTokenPolic } } + protected boolean assertPolicy(AssertionInfoMap aim, QName q) { + Collection ais = aim.get(q); + if (ais != null && !ais.isEmpty()) { + for (AssertionInfo ai : ais) { + ai.setAsserted(true); + } + return true; + } + return false; + } } Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1455117&r1=1455116&r2=1455117&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java Mon Mar 11 12:34:14 2013 @@ -24,6 +24,8 @@ import java.util.ArrayList; import java.util.Collection; import java.util.List; +import javax.xml.namespace.QName; + import org.w3c.dom.Element; import org.apache.cxf.message.Message; 
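Review bot: The new assertPolicy helper in the second hunk has no Javadoc, and its boolean result is easy to misread because false means "the policy contains no such assertion", which is not a validation failure. Suggest a Javadoc along the lines of: marks every AssertionInfo registered under q in aim as asserted; returns true if at least one such AssertionInfo existed, false if the policy does not contain that assertion; with matching `@param` and `@return` tags in the file's style. The generic type argument on `Collection ais` appears to have been lost in the mail rendering; if the source really used the raw type the enhanced for over AssertionInfo would not compile, so this is presumably a Collection of AssertionInfo and no change is needed there.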
@@ -87,7 +89,7 @@ public class SamlTokenPolicyValidator ex SamlAssertionWrapper assertionWrapper = (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); - if (!checkVersion(samlToken, assertionWrapper)) { + if (!checkVersion(aim, samlToken, assertionWrapper)) { ai.setNotAsserted("Wrong SAML Version"); continue; } @@ -132,7 +134,11 @@ public class SamlTokenPolicyValidator ex /** * Check the policy version against the received assertion */ - private boolean checkVersion(SamlToken samlToken, SamlAssertionWrapper assertionWrapper) { + private boolean checkVersion( + AssertionInfoMap aim, + SamlToken samlToken, + SamlAssertionWrapper assertionWrapper + ) { SamlTokenType samlTokenType = samlToken.getSamlTokenType(); if ((samlTokenType == SamlTokenType.WssSamlV11Token10 || samlTokenType == SamlTokenType.WssSamlV11Token11) @@ -142,6 +148,8 @@ public class SamlTokenPolicyValidator ex && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) { return false; } + + assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), samlTokenType.name())); return true; } Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java?rev=1455117&r1=1455116&r2=1455117&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java Mon Mar 11 12:34:14 2013 
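Review bot: `samlTokenType.name()` on the new line in checkVersion (third hunk) dereferences samlTokenType without a null check, whereas the two conditions above it compare it with `==` and so tolerate a null value, which is what a SamlToken policy with no nested WssSamlVxxTokenyy assertion would presumably yield; such a policy now produces a NullPointerException where the old code returned true. Guard it: `if (samlTokenType != null) { assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), samlTokenType.name())); }`. The QName construction also relies on the enum constant names matching the WS-SecurityPolicy element local names exactly, which holds for the WssSamlV11Token10-style names visible here but deserves a one-line comment. checkVersion's caller and the loop it runs in are outside this hunk.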
@@ -22,6 +22,8 @@ package org.apache.cxf.ws.security.wss4j import java.util.Collection; import java.util.List; +import javax.xml.namespace.QName; + import org.w3c.dom.Element; import org.apache.cxf.message.Message; @@ -52,7 +54,6 @@ public class TransportBindingPolicyValid if (ais == null || ais.isEmpty()) { return true; } - for (AssertionInfo ai : ais) { TransportBinding binding = (TransportBinding)ai.getAssertion(); ai.setAsserted(true); @@ -75,6 +76,13 @@ public class TransportBindingPolicyValid if (!algorithmValidator.validatePolicy(ai, binding.getAlgorithmSuite())) { continue; } + assertPolicy(aim, SP12Constants.ALGORITHM_SUITE); + String namespace = binding.getAlgorithmSuite().getVersion().getNamespace(); + String name = binding.getAlgorithmSuite().getAlgorithmSuiteType().getName(); + Collection algSuiteAis = aim.get(new QName(namespace, name)); + for (AssertionInfo algSuiteAi : algSuiteAis) { + algSuiteAi.setAsserted(true); + } // Check the IncludeTimestamp if (!validateTimestamp(binding.isIncludeTimestamp(), true, results, signedResults, message)) { 
@@ -90,7 +98,7 @@ public class TransportBindingPolicyValid LayoutType layoutType = layout.getLayoutType(); boolean timestampFirst = layoutType == LayoutType.LaxTsFirst; boolean timestampLast = layoutType == LayoutType.LaxTsLast; - if (!validateLayout(timestampFirst, timestampLast, results)) { + if (!validateLayout(aim, timestampFirst, timestampLast, results)) { String error = "Layout does not match the requirements"; notAssertPolicy(aim, SP12Constants.LAYOUT, error); ai.setNotAsserted(error); Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java?rev=1455117&r1=1455116&r2=1455117&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java Mon Mar 11 12:34:14 2013 @@ -23,6 +23,8 @@ import java.util.ArrayList; import java.util.Collection; import java.util.List; +import javax.xml.namespace.QName; + import org.w3c.dom.Element; import org.apache.cxf.message.Message; @@ -33,6 +35,7 @@ import org.apache.wss4j.dom.WSSecurityEn import org.apache.wss4j.dom.message.token.UsernameToken; import org.apache.wss4j.dom.util.WSSecurityUtil; import org.apache.wss4j.policy.SP12Constants; +import org.apache.wss4j.policy.SP13Constants; import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.model.AbstractSecurityAssertion; import org.apache.wss4j.policy.model.SupportingTokens; 
@@ -64,7 +67,6 @@ public class UsernameTokenPolicyValidato org.apache.wss4j.policy.model.UsernameToken usernameTokenPolicy = (org.apache.wss4j.policy.model.UsernameToken)ai.getAssertion(); ai.setAsserted(true); - if (!isTokenRequired(usernameTokenPolicy, message)) { continue; } @@ -80,6 +82,14 @@ public class UsernameTokenPolicyValidato continue; } } + + assertPolicy(aim, new QName(SP13Constants.SP_NS, SP12Constants.CREATED)); + assertPolicy(aim, new QName(SP13Constants.SP_NS, SP12Constants.NONCE)); + assertPolicy(aim, SP12Constants.NO_PASSWORD); + assertPolicy(aim, SP12Constants.HASH_PASSWORD); + assertPolicy(aim, SP12Constants.WSS_USERNAME_TOKEN10); + assertPolicy(aim, SP12Constants.WSS_USERNAME_TOKEN11); + return true; } @@ -101,6 +111,7 @@ public class UsernameTokenPolicyValidato ai.setNotAsserted("Password hashing policy not enforced"); return false; } + if (isNoPassword && (usernameToken.getPassword() != null)) { ai.setNotAsserted("Username Token NoPassword policy not enforced"); return false; 
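Review bot: The six assertPolicy calls added after the token loop in the second hunk run unconditionally, but the loop above them appears to handle a rejected token with `continue` rather than `return false`, so Created, Nonce, NoPassword, HashPassword and both WssUsernameToken profile assertions are marked asserted even when validateUsernameToken has just called `ai.setNotAsserted("Username Token NoPassword policy not enforced")` for the only token present (visible in the hunk at @@ -101,6 +111,7). The nested assertions should be asserted only on the success path, for instance by setting a local `boolean anyFailed` wherever the loop continues on a failure and skipping the block when it is set, or by asserting each nested property inside validateUsernameToken once its own check passes. Asserting WSS_USERNAME_TOKEN10 and WSS_USERNAME_TOKEN11 together also means neither profile is actually distinguished. The enclosing validatePolicy method starts outside the hunk.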
@@ -115,6 +126,7 @@ public class UsernameTokenPolicyValidato ai.setNotAsserted("Username Token Created policy not enforced"); return false; } + if (usernameTokenPolicy.isNonce() && (usernameToken.getNonce() == null || usernameToken.isHashed())) { ai.setNotAsserted("Username Token Nonce policy not enforced"); Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java?rev=1455117&r1=1455116&r2=1455117&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java Mon Mar 11 12:34:14 2013 
@@ -79,6 +79,14 @@ public class X509TokenPolicyValidator ex continue; } } + + assertPolicy(aim, SP12Constants.WSS_X509_PKI_PATH_V1_TOKEN_10); + assertPolicy(aim, SP12Constants.WSS_X509_PKI_PATH_V1_TOKEN_11); + assertPolicy(aim, SP12Constants.WSS_X509_V1_TOKEN_10); + assertPolicy(aim, SP12Constants.WSS_X509_V1_TOKEN_11); + assertPolicy(aim, SP12Constants.WSS_X509_V3_TOKEN_10); + assertPolicy(aim, SP12Constants.WSS_X509_V3_TOKEN_11); + return true; } Modified: cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1455117&r1=1455116&r2=1455117&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml (original) +++ cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Mon Mar 11 12:34:14 2013 @@ -85,7 +85,7 @@ -
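Review bot: All six WssX509...Token assertions are asserted together after the loop regardless of which certificate profile (V1, V3 or PKIPath, token profile 1.0 or 1.1) was actually received, and the `continue; } }` the hunk opens with suggests the loop continues past a rejected token, so the block also runs after a failure. A policy requiring WssX509V3Token11 would thus be reported satisfied by a V1 certificate or a PKIPath token. The assertions should be limited to the profile the received token matches, e.g. derived from the certificate version and reference form of the result being validated, and guarded on the loop's success path, the same shape of fix the UsernameTokenPolicyValidator hunk at @@ -80,6 +82,14 needs. The enclosing method starts outside the hunk.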