From cohei...@apache.org
Subject svn commit: r1482412 - in /cxf/branches/wss4j2.0-port/rt/ws/security/src: main/java/org/apache/cxf/ws/security/policy/interceptors/ main/java/org/apache/cxf/ws/security/wss4j/ test/java/org/apache/cxf/ws/security/wss4j/
Date Tue, 14 May 2013 15:59:20 GMT
Author: coheigea
Date: Tue May 14 15:59:20 2013
New Revision: 1482412

URL: http://svn.apache.org/r1482412
Log:
Got a lot of the inbound StaX security tests working

Added:
    cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java
Modified:
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java?rev=1482412&r1=1482411&r2=1482412&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
Tue May 14 15:59:20 2013
@@ -21,12 +21,16 @@ package org.apache.cxf.ws.security.polic
 
 import java.security.Principal;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.TreeMap;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.configuration.security.AuthorizationPolicy;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.Message;
@@ -46,12 +50,19 @@ import org.apache.wss4j.policy.SP11Const
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.HttpsToken;
+import org.apache.wss4j.stax.impl.securityToken.HttpsSecurityTokenImpl;
+import org.apache.wss4j.stax.securityEvent.HttpsTokenSecurityEvent;
+import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 
 /**
  * 
  */
 public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProvider {
     
+    private static final Logger LOG = LogUtils.getL7dLogger(HttpsTokenInterceptorProvider.class);
+    
     private static final long serialVersionUID = -13951002554477036L;
 
     public HttpsTokenInterceptorProvider() {
@@ -171,7 +182,11 @@ public class HttpsTokenInterceptorProvid
                     return;
                 }
                 if (!isRequestor(message)) {
-                    assertHttps(aim, ais, message);
+                    try {
+                        assertHttps(aim, ais, message);
+                    } catch (XMLSecurityException e) {
+                        LOG.fine(e.getMessage());
+                    }
                     // Store the TLS principal on the message context
                     SecurityContext sc = message.get(SecurityContext.class);
                     if (sc == null || sc.getUserPrincipal() == null) {
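Review bot: The new catch logs only `e.getMessage()` at FINE, which drops the stack trace and cause of the `XMLSecurityException`, so when something inside `assertHttps` throws partway through its loop (the remaining `AssertionInfo`s are then never reached by `ai.setAsserted`, which is fail-closed) the only trace of why the HttpsToken policy went unmet is a one-line debug message; log the throwable instead, `LOG.log(Level.FINE, "HttpsToken assertion failed: " + e.getMessage(), e);`, adding `java.util.logging.Level` to the imports. Because execution then falls through to storing the TLS principal, a comment on the catch would make clear this is deliberate rather than a swallowed error, e.g. `// assertions not reached stay unasserted; policy verification reports the failure`. The enclosing method starts and ends outside the hunk.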
@@ -199,11 +214,27 @@ public class HttpsTokenInterceptorProvid
             }
         }
         
-        private void assertHttps(AssertionInfoMap aim, Collection<AssertionInfo> ais,
Message message) {
+        private void assertHttps(
+            AssertionInfoMap aim, 
+            Collection<AssertionInfo> ais, 
+            Message message
+        ) throws XMLSecurityException {
+            @SuppressWarnings("unchecked")
+            List<SecurityEvent> securityEvents = 
+                (List<SecurityEvent>) message.getExchange().get(SecurityEvent.class.getName()
+ ".out");
+            if (securityEvents == null) {
+                securityEvents = new ArrayList<SecurityEvent>();
+                message.getExchange().put(SecurityEvent.class.getName() + ".out", securityEvents);
+            }
+            
+            AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
+            
             for (AssertionInfo ai : ais) {
                 boolean asserted = true;
                 HttpsToken token = (HttpsToken)ai.getAssertion();
                 
+                HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
+                
                 Map<String, List<String>> headers = getSetProtocolHeaders(message);
               
                 if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpBasicAuthentication)
{
                     List<String> auth = headers.get("Authorization");
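Review bot: `AuthorizationPolicy policy = message.get(AuthorizationPolicy.class)` may be null — nothing here guarantees the transport attached one — and the Basic/Digest branches further down call `policy.getUserName()` on it, so a request carrying an `Authorization: Basic ...` header but no parsed policy would fail with a NullPointerException instead of leaving the assertion unasserted; guard it once here, `if (policy == null) { LOG.fine("No AuthorizationPolicy on message; HttpBasic/HttpDigest HttpsToken assertions cannot be met"); }`, and have those branches set `asserted = false` when it is null. The event list on this inbound (`!isRequestor`) path is stored under `SecurityEvent.class.getName() + ".out"`; whether the consumer (presumably the StaX in-interceptors, not visible here) reads the same key is worth confirming, because a mismatch would silently drop the HttpsToken event. `assertHttps` continues past the hunk.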
@@ -211,6 +242,13 @@ public class HttpsTokenInterceptorProvid
                         || !auth.get(0).startsWith("Basic")) {
                         asserted = false;
                     } else {
+                        httpsTokenSecurityEvent.setAuthenticationType(
+                            HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication
+                        );
+                        HttpsSecurityTokenImpl httpsSecurityToken = 
+                            new HttpsSecurityTokenImpl(true, policy.getUserName());
+                        httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
+                        httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
                         NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
                     }
                 }
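Review bot: The `HttpsSecurityTokenImpl` built here carries `policy.getUserName()` and is tagged `TokenUsage_MainSignature`, yet the only condition for reaching this branch is the pre-existing `auth.get(0).startsWith("Basic")` check, so the identity placed in the security token is whatever username the transport parsed from the header; whether those credentials have been authenticated by the time this interceptor runs is not visible here and should not be assumed by consumers of the event. A comment at the `new HttpsSecurityTokenImpl(true, policy.getUserName())` line would prevent that misreading, e.g. `// username is taken from the Authorization header as parsed by the transport; credential verification is not performed here`. The enclosing loop continues past the hunk.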
@@ -220,6 +258,13 @@ public class HttpsTokenInterceptorProvid
                         || !auth.get(0).startsWith("Digest")) {
                         asserted = false;
                     } else {
+                        httpsTokenSecurityEvent.setAuthenticationType(
+                            HttpsTokenSecurityEvent.AuthenticationType.HttpDigestAuthentication
+                        );
+                        HttpsSecurityTokenImpl httpsSecurityToken = 
+                            new HttpsSecurityTokenImpl(false, policy.getUserName());
+                        httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
+                        httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
                         NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
                     }
                 }
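Review bot: The Digest branch repeats the same four-line token-setup sequence as the Basic branch above and the client-certificate branch below, differing only in the authentication type and the token constructor, and the bare `false` passed to `new HttpsSecurityTokenImpl(false, policy.getUserName())` (versus `true` for Basic) is unexplained at the call site. Pulling the shared sequence into a small helper next to `assertHttps` keeps the three branches in step and gives the boolean a place to be commented; the helper is sketched below. `assertHttps` continues past the hunk.

```java
// … unchanged: Digest-authentication header check …
} else {
    setHttpsToken(httpsTokenSecurityEvent,
        HttpsTokenSecurityEvent.AuthenticationType.HttpDigestAuthentication,
        // TODO confirm: first ctor arg presumably distinguishes Basic (true) from Digest (false)
        new HttpsSecurityTokenImpl(false, policy.getUserName()));
    NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
}
// … helper placed alongside assertHttps …
private static void setHttpsToken(HttpsTokenSecurityEvent event,
                                  HttpsTokenSecurityEvent.AuthenticationType type,
                                  HttpsSecurityTokenImpl token) {
    event.setAuthenticationType(type);
    token.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
    event.setSecurityToken(token);
}
```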
@@ -232,6 +277,13 @@ public class HttpsTokenInterceptorProvid
                             || tlsInfo.getPeerCertificates().length == 0)) {
                         asserted = false;
                     } else {
+                        httpsTokenSecurityEvent.setAuthenticationType(
+                            HttpsTokenSecurityEvent.AuthenticationType.HttpsClientCertificateAuthentication
+                        );
+                        HttpsSecurityTokenImpl httpsSecurityToken = 
+                            new HttpsSecurityTokenImpl((X509Certificate)tlsInfo.getPeerCertificates()[0]);
+                        httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
+                        httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
                         NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
                     }
                 } else {
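Review bot: `(X509Certificate)tlsInfo.getPeerCertificates()[0]` is an unchecked cast; the guard above only rejects an empty array, so a peer certificate that is not an `X509Certificate` would throw a ClassCastException out of `assertHttps`, and since the caller catches only `XMLSecurityException` that exception escapes the interceptor rather than leaving the assertion unasserted. Check the type first: `if (!(tlsInfo.getPeerCertificates()[0] instanceof X509Certificate)) { asserted = false; }` before building the token. It is also worth a comment that index 0 is taken to be the peer's own (leaf) certificate and that no chain validation happens here — the TLS layer is trusted to have done it, e.g. `// leaf certificate as validated by the TLS handshake; no further checks are made here`. The loop continues past the hunk.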
@@ -239,6 +291,10 @@ public class HttpsTokenInterceptorProvid
                 }                
                 
                 ai.setAsserted(asserted);
+                
+                if (asserted) {
+                    securityEvents.add(httpsTokenSecurityEvent);
+                }
             }
         }
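Review bot: `securityEvents.add(httpsTokenSecurityEvent)` publishes the event only when `asserted` held, but `httpsTokenSecurityEvent` is created before the authentication-type dispatch and only the Basic/Digest/client-certificate branches set a type and token on it; if the `else` branch above (its body is outside this hunk) can leave `asserted` true, an event with no authentication type and no security token is added to the list. Either set `asserted = false` there or document the expectation with a comment on the `if (asserted)` line, e.g. `// publish only for assertions that held; the event must carry a type and token by now`. The enclosing method starts outside the hunk.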
         

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java?rev=1482412&r1=1482411&r2=1482412&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
Tue May 14 15:59:20 2013
@@ -410,6 +410,7 @@ public class PolicyBasedWSS4JStaxInInter
             @Override
             public void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException
{
                 incomingSecurityEventList.add(securityEvent);
+                super.registerSecurityEvent(securityEvent);
             }
         };
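Review bot: `incomingSecurityEventList.add(securityEvent)` runs before the new `super.registerSecurityEvent(securityEvent)`, so if the superclass listener (which declares `WSSecurityException`, presumably delegating to WSS4J's policy enforcement) rejects the event, it has already been recorded in the list that PolicyStaxActionInInterceptor later uses to assert SignedParts/EncryptedParts and friends. Whether the list is still consulted after such a rejection depends on fault handling outside this hunk, but swapping the two lines, `super.registerSecurityEvent(securityEvent); incomingSecurityEventList.add(securityEvent);`, guarantees a rejected event never counts. The anonymous class starts outside the hunk.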
         

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java?rev=1482412&r1=1482411&r2=1482412&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
Tue May 14 15:59:20 2013
@@ -27,6 +27,7 @@ import org.apache.cxf.binding.soap.SoapM
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.wss4j.policy.SP11Constants;
@@ -61,25 +62,39 @@ public class PolicyStaxActionInIntercept
         }
         
         verifyTokens(aim, incomingSecurityEventList);
-        verifyPartsAndElements(aim, incomingSecurityEventList);
+        verifyPartsAndElements(aim, incomingSecurityEventList, soapMessage);
         verifyBindings(aim);
     }
     
     private void verifyPartsAndElements(
-        AssertionInfoMap aim, List<SecurityEvent> incomingSecurityEventList
+        AssertionInfoMap aim, List<SecurityEvent> incomingSecurityEventList,
+        SoapMessage soapMessage
     ) {
+        TLSSessionInfo tlsInfo = soapMessage.get(TLSSessionInfo.class);
+        if (tlsInfo != null) {
+            assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
+            assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+            assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
+            assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+            assertAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+        } else {
+            for (SecurityEvent event : incomingSecurityEventList) {
+                if (WSSecurityEventConstants.SignedPart == event.getSecurityEventType())
{
+                    assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
+                } else if (WSSecurityEventConstants.SignedElement == event.getSecurityEventType())
{
+                    assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+                } else if (WSSecurityEventConstants.EncryptedPart == event.getSecurityEventType())
{
+                    assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
+                } else if (WSSecurityEventConstants.EncryptedElement == event.getSecurityEventType())
{
+                    assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+                } else if (WSSecurityEventConstants.ContentEncrypted == event.getSecurityEventType())
{
+                    assertAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+                }
+            }
+        }
+        
         for (SecurityEvent event : incomingSecurityEventList) {
-            if (WSSecurityEventConstants.SignedPart == event.getSecurityEventType()) {
-                assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
-            } else if (WSSecurityEventConstants.SignedElement == event.getSecurityEventType())
{
-                assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
-            } else if (WSSecurityEventConstants.EncryptedPart == event.getSecurityEventType())
{
-                assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
-            } else if (WSSecurityEventConstants.EncryptedElement == event.getSecurityEventType())
{
-                assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
-            } else if (WSSecurityEventConstants.ContentEncrypted == event.getSecurityEventType())
{
-                assertAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
-            } else if (WSSecurityEventConstants.RequiredPart == event.getSecurityEventType())
{
+            if (WSSecurityEventConstants.RequiredPart == event.getSecurityEventType()) {
                 assertAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);
             } else if (WSSecurityEventConstants.RequiredElement == event.getSecurityEventType())
{
                 assertAllAssertionsByLocalname(aim, SPConstants.REQUIRED_ELEMENTS);
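Review bot: The `tlsInfo != null` branch asserts every SignedParts/SignedElements/EncryptedParts/EncryptedElements/ContentEncryptedElements assertion purely because the request arrived over TLS, and the new `else` means the signed/encrypted security events are then not consulted at all; that is right for a TransportBinding, but under an Asymmetric or Symmetric binding those assertions refer to message-level signature and encryption that TLS does not provide, so an unsigned message sent over HTTPS would have its SignedParts marked asserted here. Unless enforcement is guaranteed elsewhere (the WSS4J StaX policy enforcer that `super.registerSecurityEvent` now feeds, not visible here), condition the shortcut on the binding in effect, `boolean transportBinding = aim.get(SP12Constants.TRANSPORT_BINDING) != null || aim.get(SP11Constants.TRANSPORT_BINDING) != null;` and `if (tlsInfo != null && transportBinding) {`, or run the event loop in both cases. Either way a comment on the branch should state the assumption, e.g. `// under a TransportBinding, TLS satisfies the parts/elements assertions`. The method continues past the hunk.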
@@ -179,6 +194,12 @@ public class PolicyStaxActionInIntercept
 
         assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_THUMBPRINT);
         assertAllAssertionsByLocalname(aim, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY);
+        
+        assertAllAssertionsByLocalname(aim, SPConstants.KEY_VALUE_TOKEN);
+        assertAllAssertionsByLocalname(aim, SPConstants.RSA_KEY_VALUE);
+        
+        assertAllAssertionsByLocalname(aim, SPConstants.WSS10);
+        assertAllAssertionsByLocalname(aim, SPConstants.WSS11);
     }
     
     private void assertAllAssertionsByLocalname(AssertionInfoMap aim, String localname) {
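Review bot: `KEY_VALUE_TOKEN` and `RSA_KEY_VALUE` are token assertions rather than capability flags like the `MUST_SUPPORT_REF_*` lines above them, yet they are asserted unconditionally without any look at whether a KeyValue was actually used in the message, so a policy requiring a KeyValueToken is satisfied here by any request at all. If the intent is that WSS4J's StaX policy enforcer performs the real check and these lines only satisfy CXF's policy engine, say so where the new lines are, e.g. `// asserted unconditionally; the WSS4J StaX PolicyEnforcer performs the actual KeyValue/WSS1x checks`; if it is not, the KeyValue assertions should be driven by the corresponding security events as the signed/encrypted ones are. The enclosing method starts outside the hunk.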

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java?rev=1482412&r1=1482411&r2=1482412&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
Tue May 14 15:59:20 2013
@@ -39,7 +39,6 @@ import org.apache.cxf.interceptor.StaxIn
 import org.apache.cxf.interceptor.URIMappingInterceptor;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.Phase;
-import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.ConfigurationConstants;
 import org.apache.wss4j.common.cache.ReplayCache;
@@ -126,11 +125,6 @@ public class WSS4JStaxInInterceptor exte
             SecurityEventListener securityEventListener = 
                 configureSecurityEventListener(soapMessage, secProps);
             
-            TLSSessionInfo tlsInfo = soapMessage.get(TLSSessionInfo.class);
-            if (tlsInfo != null) {
-                // TODO HttpsSecurityTokenEvent
-            }
-            
             inboundWSSec = WSSec.getInboundWSSec(secProps);
             
             newXmlStreamReader = 

Added: cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java?rev=1482412&view=auto
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java
(added)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java
Tue May 14 15:59:20 2013
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.wss4j;
+
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.neethi.Policy;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.model.AsymmetricBinding;
+import org.junit.Test;
+
+public class CustomPolicyAlgorithmsTest extends AbstractPolicySecurityTest {
+
+    @Test
+    public void testSHA256AsymSigAlgorithm() throws Exception {
+
+        final String rsaSha2SigMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
+        String policyName = "signed_elements_policy.xml";
+        Policy policy = policyBuilder.getPolicy(this.getResourceAsStream(policyName)); 
+        AssertionInfoMap aim = new AssertionInfoMap(policy);
+
+        AssertionInfo assertInfo = aim.get(SP12Constants.ASYMMETRIC_BINDING).iterator().next();
+
+        AsymmetricBinding binding = (AsymmetricBinding) assertInfo.getAssertion();
+
+        // set Signature Algorithm to RSA SHA-256
+        binding.getAlgorithmSuite().setAsymmetricSignature(rsaSha2SigMethod);
+
+        String sigMethod = binding.getAlgorithmSuite().getAsymmetricSignature();
+
+        assertNotNull(sigMethod);
+        assertEquals(rsaSha2SigMethod, sigMethod);
+    }
+    
+}
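Review bot: `testSHA256AsymSigAlgorithm` only checks that `setAsymmetricSignature` round-trips through `getAsymmetricSignature` on the policy model; it never signs or verifies a message, so it would pass even if the inbound StaX path ignored the configured algorithm or accepted an rsa-sha1 signature against a SHA-256 policy. Either rename it to reflect that it is a model smoke test, or extend it to run `signed_elements_policy.xml` with the modified binding through the inbound interceptor and assert that an rsa-sha256 signature is accepted and an rsa-sha1 one rejected. `assertNotNull` and `assertEquals` are not imported, so they are presumably inherited from AbstractPolicySecurityTest; a static import of `org.junit.Assert.assertEquals`/`assertNotNull` would make the test self-contained.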


