cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1481050 - in /cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j: PolicyBasedWSS4JInInterceptor.java PolicyBasedWSS4JStaxInInterceptor.java PolicyStaxActionInInterceptor.java WSS4JStaxInInterceptor.java
Date Fri, 10 May 2013 15:16:28 GMT
Author: coheigea
Date: Fri May 10 15:16:28 2013
New Revision: 1481050

URL: http://svn.apache.org/r1481050
Log:
Enabled policy validation via the ws-security-policy-stax layer in WSS4J

Added:
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
Modified:
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1481050&r1=1481049&r2=1481050&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Fri May 10 15:16:28 2013
@@ -269,10 +269,10 @@ public class PolicyBasedWSS4JInIntercept
         }
         
         if (encrCrypto != null) {
-            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
+            message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
             message.put("RefId-" + encrCrypto.hashCode(), (Crypto)encrCrypto);
         } else if (signCrypto != null) {
-            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
+            message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
             message.put("RefId-" + signCrypto.hashCode(), (Crypto)signCrypto);
         }
      
@@ -313,10 +313,10 @@ public class PolicyBasedWSS4JInIntercept
         }
         
         if (encrCrypto != null) {
-            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
+            message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
             message.put("RefId-" + encrCrypto.hashCode(), (Crypto)encrCrypto);
         } else if (signCrypto != null) {
-            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
+            message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
             message.put("RefId-" + signCrypto.hashCode(), (Crypto)signCrypto);
         }
 
@@ -373,7 +373,7 @@ public class PolicyBasedWSS4JInIntercept
                 crypto = signCrypto;
             }
             if (crypto != null) {
-                message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + crypto.hashCode());
+                message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + crypto.hashCode());
                 message.put("RefId-" + crypto.hashCode(), crypto);
             }
             
@@ -391,7 +391,7 @@ public class PolicyBasedWSS4JInIntercept
                 crypto = encrCrypto;
             }
             if (crypto != null) {
-                message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + crypto.hashCode());
+                message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + crypto.hashCode());
                 message.put("RefId-" + crypto.hashCode(), crypto);
             }
             

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java?rev=1481050&r1=1481049&r2=1481050&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
Fri May 10 15:16:28 2013
@@ -22,10 +22,14 @@ package org.apache.cxf.ws.security.wss4j
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
 import java.util.Properties;
 import java.util.logging.Logger;
 
@@ -33,15 +37,20 @@ import javax.xml.namespace.QName;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.binding.soap.model.SoapBindingInfo;
+import org.apache.cxf.binding.soap.model.SoapOperationInfo;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.resource.ResourceManager;
+import org.apache.cxf.service.model.BindingInfo;
+import org.apache.cxf.service.model.BindingOperationInfo;
 import org.apache.cxf.service.model.EndpointInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.policy.EffectivePolicy;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoFactory;
@@ -50,6 +59,13 @@ import org.apache.wss4j.dom.handler.WSHa
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.WSSPolicyException;
+import org.apache.wss4j.policy.stax.OperationPolicy;
+import org.apache.wss4j.policy.stax.PolicyEnforcer;
+import org.apache.wss4j.policy.stax.PolicyInputProcessor;
+import org.apache.wss4j.stax.ext.WSSSecurityProperties;
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
 
 /**
  * 
@@ -69,6 +85,7 @@ public class PolicyBasedWSS4JStaxInInter
             MessageUtils.isTrue(msg.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY));
         if (aim != null && enableStax) {
             super.handleMessage(msg);
+            msg.getInterceptorChain().add(new PolicyStaxActionInInterceptor());
         }
     }
     
@@ -165,10 +182,10 @@ public class PolicyBasedWSS4JStaxInInter
         }
         
         if (encrCrypto != null) {
-            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
+            message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
             message.put("RefId-" + encrCrypto.hashCode(), (Crypto)encrCrypto);
         } else if (signCrypto != null) {
-            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
+            message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
             message.put("RefId-" + signCrypto.hashCode(), (Crypto)signCrypto);
         }
     }
@@ -205,10 +222,10 @@ public class PolicyBasedWSS4JStaxInInter
         }
         
         if (encrCrypto != null) {
-            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
+            message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
             message.put("RefId-" + encrCrypto.hashCode(), (Crypto)encrCrypto);
         } else if (signCrypto != null) {
-            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
+            message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
             message.put("RefId-" + signCrypto.hashCode(), (Crypto)signCrypto);
         }
     }
@@ -245,7 +262,7 @@ public class PolicyBasedWSS4JStaxInInter
                 crypto = signCrypto;
             }
             if (crypto != null) {
-                message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + crypto.hashCode());
+                message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + crypto.hashCode());
                 message.put("RefId-" + crypto.hashCode(), crypto);
             }
             
@@ -263,7 +280,7 @@ public class PolicyBasedWSS4JStaxInInter
                 crypto = encrCrypto;
             }
             if (crypto != null) {
-                message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + crypto.hashCode());
+                message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + crypto.hashCode());
                 message.put("RefId-" + crypto.hashCode(), crypto);
             }
             
@@ -326,52 +343,80 @@ public class PolicyBasedWSS4JStaxInInter
     
     @Override
     protected void configureProperties(SoapMessage msg) throws WSSecurityException {
-        super.configureProperties(msg);
-        
         AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
         checkAsymmetricBinding(aim, msg);
         checkSymmetricBinding(aim, msg);
         checkTransportBinding(aim, msg);
+        
+        super.configureProperties(msg);
     }
     
-/*
-    protected void computeAction(SoapMessage message, RequestData data) throws WSSecurityException
{
-        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        if (aim != null) {
-            // stuff we can default to asserted and un-assert if a condition isn't met
-            assertPolicy(aim, SPConstants.KEY_VALUE_TOKEN);
-            assertPolicy(aim, SPConstants.RSA_KEY_VALUE);
-            assertPolicy(aim, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE);
-            assertPolicy(aim, SPConstants.REQUIRE_THUMBPRINT_REFERENCE);
-            assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
-            assertPolicy(aim, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE);
-            assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
-            
-            // WSS10
-            assertPolicy(aim, SPConstants.WSS10);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
-            
-            // Trust 1.0
-            assertPolicy(aim, SPConstants.TRUST_10);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE);
-            assertPolicy(aim, SPConstants.REQUIRE_CLIENT_ENTROPY);
-            assertPolicy(aim, SPConstants.REQUIRE_SERVER_ENTROPY);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_ISSUED_TOKENS);
-            
-            // Trust 1.3
-            assertPolicy(aim, SPConstants.TRUST_13);
-            assertPolicy(aim, SP12Constants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION);
-            assertPolicy(aim, SP12Constants.REQUIRE_APPLIES_TO);
-            assertPolicy(aim, SP13Constants.SCOPE_POLICY_15);
-            assertPolicy(aim, SP13Constants.MUST_SUPPORT_INTERACTIVE_CHALLENGE);
+    @Override
+    protected SecurityEventListener configureSecurityEventListener(
+        SoapMessage msg, WSSSecurityProperties securityProperties
+    ) throws WSSPolicyException {
+        Endpoint endoint = msg.getExchange().get(Endpoint.class);
+        
+        PolicyEnforcer policyEnforcer = createPolicyEnforcer(endoint.getEndpointInfo(), msg);
+        securityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, securityProperties));
+
+        return policyEnforcer;
+    }
+    
+    private PolicyEnforcer createPolicyEnforcer(
+        EndpointInfo endpointInfo, SoapMessage msg
+    ) throws WSSPolicyException {
+
+        List<OperationPolicy> operationPolicies = new ArrayList<OperationPolicy>();
+        Collection<BindingOperationInfo> bindingOperationInfos = endpointInfo.getBinding().getOperations();
+        for (Iterator<BindingOperationInfo> bindingOperationInfoIterator =
+                     bindingOperationInfos.iterator(); bindingOperationInfoIterator.hasNext();)
{
+            BindingOperationInfo bindingOperationInfo = bindingOperationInfoIterator.next();
+            QName operationName = bindingOperationInfo.getName();
+
+            // todo: I'm not sure what the effectivePolicy exactly contains,
+            // a) only the operation policy,
+            // or b) all policies for the service,
+            // or c) all policies which applies for the current operation.
+            // c) is that what we need for stax.
+            EffectivePolicy policy = 
+                (EffectivePolicy)bindingOperationInfo.getProperty("policy-engine-info-serve-request");
+            //PolicyEngineImpl.POLICY_INFO_REQUEST_SERVER);
+            SoapOperationInfo soapOperationInfo = bindingOperationInfo.getExtensor(SoapOperationInfo.class);
+
+            String soapNS;
+            BindingInfo bindingInfo = bindingOperationInfo.getBinding();
+            if (bindingInfo instanceof SoapBindingInfo) {
+                soapNS = ((SoapBindingInfo)bindingInfo).getSoapVersion().getNamespace();
+            } else {
+                //no idea what todo here...
+                //most probably throw an exception:
+                throw new IllegalArgumentException("BindingInfo is not an instance of SoapBindingInfo");
+            }
+
+            //todo: I think its a bug that we handover only the localPart of the operation.

+            // Needs to be fixed in ws-security-policy-stax
+            OperationPolicy operationPolicy = new OperationPolicy(operationName.getLocalPart());
+            operationPolicy.setPolicy(policy.getPolicy());
+            operationPolicy.setOperationAction(soapOperationInfo.getAction());
+            operationPolicy.setSoapMessageVersionNamespace(soapNS);
             
-            message.put(WSHandlerConstants.ACTION, action.trim());
+            operationPolicies.add(operationPolicy);
         }
+        
+        final List<SecurityEvent> incomingSecurityEventList = new LinkedList<SecurityEvent>();
+        // TODO Soap Action
+        PolicyEnforcer securityEventListener = new PolicyEnforcer(operationPolicies, "")
{
+            @Override
+            public void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException
{
+                incomingSecurityEventList.add(securityEvent);
+            }
+        };
+        
+        msg.getExchange().put(SecurityEvent.class.getName() + ".in", incomingSecurityEventList);
+        msg.put(SecurityEvent.class.getName() + ".in", incomingSecurityEventList);
+        
+        return securityEventListener;
     }
-    */
-
+    
 }

Added: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java?rev=1481050&view=auto
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
(added)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
Fri May 10 15:16:28 2013
@@ -0,0 +1,199 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.wss4j;
+
+import java.util.Collection;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
+
+/**
+ * This interceptor handles parsing the StaX WS-Security results (events) + marks the 
+ * corresponding CXF AssertionInfos as asserted accordingly. WSS4J 2.0 (StAX) takes care
of all
+ * policy validation, so we are just asserting the appropriate AssertionInfo objects in CXF
to 
+ * make sure that policy validation passes.
+ */
+public class PolicyStaxActionInInterceptor extends AbstractPhaseInterceptor<SoapMessage>
{
+    
+    public PolicyStaxActionInInterceptor() {
+        super(Phase.PRE_PROTOCOL);
+        this.getBefore().add(StaxSecurityContextInInterceptor.class.getName());
+    }
+
+    @Override
+    public void handleMessage(SoapMessage soapMessage) throws Fault {
+        
+        AssertionInfoMap aim = soapMessage.get(AssertionInfoMap.class);
+        @SuppressWarnings("unchecked")
+        final List<SecurityEvent> incomingSecurityEventList = 
+            (List<SecurityEvent>)soapMessage.get(SecurityEvent.class.getName() + ".in");
+        if (aim == null || incomingSecurityEventList == null) {
+            return;
+        }
+        
+        verifyTokens(aim, incomingSecurityEventList);
+        verifyPartsAndElements(aim, incomingSecurityEventList);
+        verifyBindings(aim);
+    }
+    
+    private void verifyPartsAndElements(
+        AssertionInfoMap aim, List<SecurityEvent> incomingSecurityEventList
+    ) {
+        for (SecurityEvent event : incomingSecurityEventList) {
+            if (WSSecurityEventConstants.SignedPart == event.getSecurityEventType()) {
+                assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
+            } else if (WSSecurityEventConstants.SignedElement == event.getSecurityEventType())
{
+                assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+            } else if (WSSecurityEventConstants.EncryptedPart == event.getSecurityEventType())
{
+                assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
+            } else if (WSSecurityEventConstants.EncryptedElement == event.getSecurityEventType())
{
+                assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+            } else if (WSSecurityEventConstants.ContentEncrypted == event.getSecurityEventType())
{
+                assertAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+            } else if (WSSecurityEventConstants.RequiredPart == event.getSecurityEventType())
{
+                assertAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);
+            } else if (WSSecurityEventConstants.RequiredElement == event.getSecurityEventType())
{
+                assertAllAssertionsByLocalname(aim, SPConstants.REQUIRED_ELEMENTS);
+            } 
+        }
+    }
+    
+    private void verifyTokens(
+        AssertionInfoMap aim, List<SecurityEvent> incomingSecurityEventList
+    ) {
+        for (SecurityEvent event : incomingSecurityEventList) {
+            if (WSSecurityEventConstants.Timestamp == event.getSecurityEventType()) {
+                assertAllAssertionsByLocalname(aim, "Timestamp");
+            } else if (WSSecurityEventConstants.UsernameToken == event.getSecurityEventType())
{
+                assertAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+                assertAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN10);
+                assertAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN11);
+                assertAllAssertionsByLocalname(aim, SPConstants.HASH_PASSWORD);
+                assertAllAssertionsByLocalname(aim, SPConstants.NO_PASSWORD);
+                assertAllAssertionsByLocalname(aim, SPConstants.NONCE);
+                assertAllAssertionsByLocalname(aim, SPConstants.CREATED);
+            } else if (WSSecurityEventConstants.X509Token == event.getSecurityEventType())
{
+                assertAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
+                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKCS7_TOKEN10);
+                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKCS7_TOKEN11);
+                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10);
+                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11);
+                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V1_TOKEN10);
+                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V1_TOKEN11);
+                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V3_TOKEN10);
+                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V3_TOKEN11);
+            } else if (WSSecurityEventConstants.SamlToken == event.getSecurityEventType())
{
+                assertAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+                assertAllAssertionsByLocalname(aim, "WssSamlV11Token10");
+                assertAllAssertionsByLocalname(aim, "WssSamlV11Token11");
+                assertAllAssertionsByLocalname(aim, "WssSamlV20Token11");
+            } else if (WSSecurityEventConstants.SecurityContextToken == event.getSecurityEventType())
{
+                assertAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
+                assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_EXTERNAL_URI_REFERENCE);
+            }
+        }
+        
+        assertAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
+        assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+        assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
+        assertAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
+        assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+        assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+        assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+        assertAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+        assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+    }
+    
+    private void verifyBindings(AssertionInfoMap aim) {
+        assertAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+        assertAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+        assertAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+        assertAllAssertionsByLocalname(aim, SPConstants.PROTECTION_TOKEN);
+        assertAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_TOKEN);
+        assertAllAssertionsByLocalname(aim, SPConstants.INITIATOR_ENCRYPTION_TOKEN);
+        assertAllAssertionsByLocalname(aim, SPConstants.INITIATOR_SIGNATURE_TOKEN);
+        assertAllAssertionsByLocalname(aim, SPConstants.INITIATOR_TOKEN);
+        assertAllAssertionsByLocalname(aim, SPConstants.RECIPIENT_ENCRYPTION_TOKEN);
+        assertAllAssertionsByLocalname(aim, SPConstants.RECIPIENT_SIGNATURE_TOKEN);
+        assertAllAssertionsByLocalname(aim, SPConstants.RECIPIENT_TOKEN);
+        
+        assertAllAssertionsByLocalname(aim, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
+        assertAllAssertionsByLocalname(aim, SPConstants.PROTECT_TOKENS);
+        assertAllAssertionsByLocalname(aim, SPConstants.INCLUDE_TIMESTAMP);
+        assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPT_SIGNATURE);
+        assertAllAssertionsByLocalname(aim, SPConstants.SIGN_BEFORE_ENCRYPTING);
+        assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPT_BEFORE_SIGNING);
+        assertAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
+        assertAllAssertionsByLocalname(aim, SPConstants.LAYOUT_LAX);
+        assertAllAssertionsByLocalname(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
+        assertAllAssertionsByLocalname(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
+        assertAllAssertionsByLocalname(aim, SPConstants.LAYOUT_STRICT);
+        assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+        assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION);
+        
+        assertAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
+        for (String s : AlgorithmSuite.getSupportedAlgorithmSuiteNames()) {
+            assertAllAssertionsByLocalname(aim, s);
+        }
+        
+        assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
+        assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
+        assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_THUMBPRINT_REFERENCE);
+        assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE);
+        assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE);
+        assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
+        
+        assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
+        assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
+        assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
+        assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
+
+        assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_THUMBPRINT);
+        assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY);
+    }
+    
+    private void assertAllAssertionsByLocalname(AssertionInfoMap aim, String localname) {
+        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS,
localname));
+        if (sp11Ais != null) {
+            for (AssertionInfo ai : sp11Ais) {
+                ai.setAsserted(true);
+            }
+        }
+        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS,
localname));
+        if (sp12Ais != null) {
+            for (AssertionInfo ai : sp12Ais) {
+                ai.setAsserted(true);
+            }
+        }
+    }
+
+}

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java?rev=1481050&r1=1481049&r2=1481050&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
Fri May 10 15:16:28 2013
@@ -39,11 +39,13 @@ import org.apache.cxf.interceptor.StaxIn
 import org.apache.cxf.interceptor.URIMappingInterceptor;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.ConfigurationConstants;
 import org.apache.wss4j.common.cache.ReplayCache;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.policy.WSSPolicyException;
 import org.apache.wss4j.stax.ConfigurationConverter;
 import org.apache.wss4j.stax.WSSec;
 import org.apache.wss4j.stax.ext.InboundWSSec;
@@ -106,7 +108,7 @@ public class WSS4JStaxInInterceptor exte
         
         try {
             @SuppressWarnings("unchecked")
-            final List<SecurityEvent> requestSecurityEvents = 
+            List<SecurityEvent> requestSecurityEvents = 
                 (List<SecurityEvent>) soapMessage.getExchange().get(SecurityEvent.class.getName()
+ ".out");
             
             translateProperties(soapMessage);
@@ -114,16 +116,22 @@ public class WSS4JStaxInInterceptor exte
             configureCallbackHandler(soapMessage);
             
             InboundWSSec inboundWSSec = null;
+            WSSSecurityProperties secProps = null;
             if (getSecurityProperties() != null) {
-                inboundWSSec = WSSec.getInboundWSSec(getSecurityProperties());
+                secProps = getSecurityProperties();
             } else {
-                WSSSecurityProperties convertedProperties = 
-                    ConfigurationConverter.convert(getProperties());
-                inboundWSSec = WSSec.getInboundWSSec(convertedProperties);
+                secProps = ConfigurationConverter.convert(getProperties());
             }
             
             SecurityEventListener securityEventListener = 
-                configureSecurityEventListener(soapMessage, inboundWSSec);
+                configureSecurityEventListener(soapMessage, secProps);
+            
+            TLSSessionInfo tlsInfo = soapMessage.get(TLSSessionInfo.class);
+            if (tlsInfo != null) {
+                // TODO HttpsSecurityTokenEvent
+            }
+            
+            inboundWSSec = WSSec.getInboundWSSec(secProps);
             
             newXmlStreamReader = 
                 inboundWSSec.processInMessage(originalXmlStreamReader, requestSecurityEvents,
securityEventListener);
@@ -137,12 +145,16 @@ public class WSS4JStaxInInterceptor exte
             // processing in the WS-Stack.
         } catch (WSSecurityException e) {
             throw createSoapFault(soapMessage.getVersion(), e);
+        } catch (WSSPolicyException e) {
+            throw new SoapFault(e.getMessage(), e, soapMessage.getVersion().getSender());
         } catch (XMLStreamException e) {
             throw new SoapFault(new Message("STAX_EX", LOG), e, soapMessage.getVersion().getSender());
         }
     }
     
-    protected SecurityEventListener configureSecurityEventListener(SoapMessage msg, InboundWSSec
inboundWSSec) {
+    protected SecurityEventListener configureSecurityEventListener(
+        SoapMessage msg, WSSSecurityProperties securityProperties
+    ) throws WSSPolicyException {
         final List<SecurityEvent> incomingSecurityEventList = new LinkedList<SecurityEvent>();
         SecurityEventListener securityEventListener = new SecurityEventListener() {
             @Override



Mime
View raw message