Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id C2042EFF1 for ; Tue, 12 Mar 2013 17:34:38 +0000 (UTC) Received: (qmail 31009 invoked by uid 500); 12 Mar 2013 17:26:59 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 20489 invoked by uid 500); 12 Mar 2013 17:20:39 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 69467 invoked by uid 99); 12 Mar 2013 14:45:00 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 12 Mar 2013 14:45:00 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 12 Mar 2013 14:44:56 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 629942388ADA; Tue, 12 Mar 2013 14:44:35 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1455556 [3/3] - in /cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security: policy/ policy/builders/ policy/interceptors/ policy/model/ wss4j/ wss4j/policyhandlers/ wss4j/policyvalidators/ Date: Tue, 12 Mar 2013 14:44:33 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130312144435.629942388ADA@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java?rev=1455556&r1=1455555&r2=1455556&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java Tue Mar 12 14:44:31 2013 @@ -29,8 +29,7 @@ import org.apache.cxf.ws.policy.Assertio import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSSecurityEngineResult; -import org.apache.wss4j.policy.SP11Constants; -import org.apache.wss4j.policy.SP12Constants; +import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.model.SymmetricBinding; /** @@ -46,13 +45,8 @@ public class SymmetricBindingPolicyValid List signedResults, List encryptedResults ) { - Collection ais = aim.get(SP12Constants.SYMMETRIC_BINDING); - if (ais != null && !ais.isEmpty()) { - parsePolicies(aim, ais, message, soapBody, results, signedResults, encryptedResults); - } - - ais = aim.get(SP11Constants.SYMMETRIC_BINDING); - if (ais != null && !ais.isEmpty()) { + Collection ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING); + if (!ais.isEmpty()) { parsePolicies(aim, ais, message, soapBody, results, signedResults, encryptedResults); } 
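Review bot: The new guard `if (!ais.isEmpty())` drops the `ais != null` test that the removed code had, so validatePolicy now depends on `getAllAssertionsByLocalname` never returning null. That helper is not part of this mail, so either state the non-null contract in its Javadoc or keep the guard as `if (ais != null && !ais.isEmpty())`. The same pattern is introduced in the TransportBinding, UsernameToken, WSS11 and X509Token validator hunks further down. The lookup is also keyed on a local name instead of the SP11/SP12 QNames, which presumably matches an assertion in any namespace; if so, a short comment naming the namespaces that are meant to match would help. The body of validatePolicy continues outside the hunk.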
@@ -117,6 +111,9 @@ public class SymmetricBindingPolicyValid ai.setNotAsserted("Message fails the DerivedKeys requirement"); return false; } + assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS); + assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS); + assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS); } if (binding.getSignatureToken() != null) { @@ -127,6 +124,9 @@ public class SymmetricBindingPolicyValid ai.setNotAsserted("Message fails the DerivedKeys requirement"); return false; } + assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS); + assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS); + assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS); } if (binding.getProtectionToken() != null) { @@ -137,6 +137,9 @@ public class SymmetricBindingPolicyValid ai.setNotAsserted("Message fails the DerivedKeys requirement"); return false; } + assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS); + assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS); + assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS); } return true; Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java?rev=1455556&r1=1455555&r2=1455556&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java Tue Mar 12 14:44:31 2013 
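Review bot: All three derived-key variants are marked asserted after a single check in each of the hunks at -117, -127 and -137, so a policy that demands `SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS` is recorded as satisfied by whatever the generic check accepted. The check itself lies outside the hunks and its only visible outcome is the message "Message fails the DerivedKeys requirement", so it may not distinguish implied from explicit derivation. If it does not, a comment above the calls such as `// implied vs. explicit derivation is not verified here; all variants are asserted once the derived-key check passes` would record that limit. The three lines are also repeated verbatim in all three branches and could move into one private helper (for example a hypothetical `assertDerivedKeyPolicies(aim)`).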
@@ -34,6 +34,7 @@ import org.apache.cxf.ws.policy.Assertio
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.Layout;
 import org.apache.wss4j.policy.model.Layout.LayoutType;
 import org.apache.wss4j.policy.model.TransportBinding;
@@ -51,21 +52,11 @@ public class TransportBindingPolicyValid List signedResults, List encryptedResults ) { - Collection ais = aim.get(SP12Constants.TRANSPORT_BINDING); - boolean policyFound = false; - if (ais != null && !ais.isEmpty()) { + Collection ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING); + if (!ais.isEmpty()) { parsePolicies(aim, ais, message, results, signedResults); - policyFound = true; - } - - ais = aim.get(SP11Constants.TRANSPORT_BINDING); - if (ais != null && !ais.isEmpty()) { - parsePolicies(aim, ais, message, results, signedResults); - policyFound = true; - } - - // We don't need to check these policies for the Transport binding - if (policyFound) { + + // We don't need to check these policies for the Transport binding assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS); assertPolicy(aim, SP11Constants.ENCRYPTED_PARTS); assertPolicy(aim, SP12Constants.SIGNED_PARTS); Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java?rev=1455556&r1=1455555&r2=1455556&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java Tue Mar 12 14:44:31 2013 
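Review bot: The relocated comment `// We don't need to check these policies for the Transport binding` says that ENCRYPTED_PARTS and SIGNED_PARTS are waived but not why, and the calls below it mark them asserted without inspecting the message. A reader auditing the validator needs the reason and the precondition, e.g. `// Protection is provided by the transport itself, so these are asserted without message-level checks; parsePolicies must have verified the transport first`. Whether parsePolicies actually verifies the transport is not visible in this hunk and is worth confirming, since the asserts run regardless of its outcome. The list of assertPolicy calls continues outside the hunk and still uses SP12Constants/SP11Constants pairs although the SPConstants import was added for this file.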
@@ -34,7 +34,6 @@ import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.message.token.UsernameToken;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
-import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SP13Constants;
 import org.apache.wss4j.policy.SPConstants;
@@ -55,23 +54,18 @@ public class UsernameTokenPolicyValidato List results, List signedResults ) { - Collection ais = aim.get(SP12Constants.USERNAME_TOKEN); - if (ais != null && !ais.isEmpty()) { - parsePolicies(ais, message, results); - } - - ais = aim.get(SP11Constants.USERNAME_TOKEN); - if (ais != null && !ais.isEmpty()) { + Collection ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN); + if (!ais.isEmpty()) { parsePolicies(ais, message, results); + + assertPolicy(aim, new QName(SP13Constants.SP_NS, SP12Constants.CREATED)); + assertPolicy(aim, new QName(SP13Constants.SP_NS, SP12Constants.NONCE)); + assertPolicy(aim, SPConstants.NO_PASSWORD); + assertPolicy(aim, SPConstants.HASH_PASSWORD); + assertPolicy(aim, SP12Constants.WSS_USERNAME_TOKEN10); + assertPolicy(aim, SP12Constants.WSS_USERNAME_TOKEN11); } - assertPolicy(aim, new QName(SP13Constants.SP_NS, SP12Constants.CREATED)); - assertPolicy(aim, new QName(SP13Constants.SP_NS, SP12Constants.NONCE)); - assertPolicy(aim, SP12Constants.NO_PASSWORD); - assertPolicy(aim, SP12Constants.HASH_PASSWORD); - assertPolicy(aim, SP12Constants.WSS_USERNAME_TOKEN10); - assertPolicy(aim, SP12Constants.WSS_USERNAME_TOKEN11); - return true; } Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java?rev=1455556&r1=1455555&r2=1455556&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java Tue Mar 12 14:44:31 2013 
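Review bot: The six `assertPolicy` calls run directly after `parsePolicies(ais, message, results)` without consulting any outcome, so Created, Nonce, NO_PASSWORD and HASH_PASSWORD are marked asserted even for a message the UsernameToken check rejected. parsePolicies is outside the hunk, so this is harmless only if it marks the parent assertion as not asserted on failure; a one-line comment stating that dependency would make it auditable. The WSS11 hunk (REQUIRE_SIGNATURE_CONFIRMATION and the two MUST_SUPPORT_REF_* calls) and the X509Token hunk have the same shape. Separately, `SP12Constants.WSS_USERNAME_TOKEN10` and `SP12Constants.WSS_USERNAME_TOKEN11` keep the SP12-only QName while NO_PASSWORD and HASH_PASSWORD moved to SPConstants; if SP11-namespace policies are meant to be covered, those two lines should use the same lookup.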
@@ -32,14 +32,14 @@ import org.apache.cxf.ws.policy.Assertio import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSSecurityEngineResult; import org.apache.wss4j.dom.util.WSSecurityUtil; -import org.apache.wss4j.policy.SP11Constants; -import org.apache.wss4j.policy.SP12Constants; +import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.model.Wss11; /** * Validate a WSS11 policy. */ -public class WSS11PolicyValidator implements TokenPolicyValidator { +public class WSS11PolicyValidator + extends AbstractTokenPolicyValidator implements TokenPolicyValidator { public boolean validatePolicy( AssertionInfoMap aim, 
@@ -48,14 +48,13 @@ public class WSS11PolicyValidator implem List results, List signedResults ) { - Collection ais = aim.get(SP12Constants.WSS11); - if (ais != null && !ais.isEmpty()) { - parsePolicies(ais, message, results); - } - - ais = aim.get(SP11Constants.WSS11); - if (ais != null && !ais.isEmpty()) { + Collection ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11); + if (!ais.isEmpty()) { parsePolicies(ais, message, results); + + assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_THUMBPRINT); + assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY); + assertPolicy(aim, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION); } return true; Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java?rev=1455556&r1=1455555&r2=1455556&view=diff ============================================================================== --- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java (original) +++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java Tue Mar 12 14:44:31 2013 @@ -32,8 +32,7 @@ import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSSecurityEngineResult; import org.apache.wss4j.dom.message.token.BinarySecurity; import org.apache.wss4j.dom.util.WSSecurityUtil; -import org.apache.wss4j.policy.SP11Constants; -import org.apache.wss4j.policy.SP12Constants; +import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.model.X509Token; import org.apache.wss4j.policy.model.X509Token.TokenType; 
@@ -52,29 +51,18 @@ public class X509TokenPolicyValidator ex List results, List signedResults ) { - Collection ais = aim.get(SP12Constants.X509_TOKEN); - if (ais != null && !ais.isEmpty()) { + Collection ais = getAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN); + if (!ais.isEmpty()) { parsePolicies(ais, message, results); + + assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10); + assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11); + assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN10); + assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN11); + assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN10); + assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN11); } - ais = aim.get(SP11Constants.X509_TOKEN); - if (ais != null && !ais.isEmpty()) { - parsePolicies(ais, message, results); - } - - assertPolicy(aim, SP12Constants.WSS_X509_PKI_PATH_V1_TOKEN_10); - assertPolicy(aim, SP11Constants.WSS_X509_PKI_PATH_V1_TOKEN_10); - assertPolicy(aim, SP12Constants.WSS_X509_PKI_PATH_V1_TOKEN_11); - assertPolicy(aim, SP11Constants.WSS_X509_PKI_PATH_V1_TOKEN_11); - assertPolicy(aim, SP12Constants.WSS_X509_V1_TOKEN_10); - assertPolicy(aim, SP11Constants.WSS_X509_V1_TOKEN_10); - assertPolicy(aim, SP12Constants.WSS_X509_V1_TOKEN_11); - assertPolicy(aim, SP11Constants.WSS_X509_V1_TOKEN_11); - assertPolicy(aim, SP12Constants.WSS_X509_V3_TOKEN_10); - assertPolicy(aim, SP11Constants.WSS_X509_V3_TOKEN_10); - assertPolicy(aim, SP12Constants.WSS_X509_V3_TOKEN_11); - assertPolicy(aim, SP11Constants.WSS_X509_V3_TOKEN_11); - return true; }