From cohei...@apache.org
Subject svn commit: r1485137 - in /cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security: policy/interceptors/HttpsTokenInterceptorProvider.java wss4j/PolicyBasedWSS4JStaxInInterceptor.java wss4j/PolicyStaxActionInInterceptor.java
Date Wed, 22 May 2013 09:52:23 GMT
Author: coheigea
Date: Wed May 22 09:52:23 2013
New Revision: 1485137

URL: http://svn.apache.org/r1485137
Log:
Get streaming security policy enforcement working for the inbound client side

Modified:
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java?rev=1485137&r1=1485136&r2=1485137&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
Wed May 22 09:52:23 2013
@@ -207,6 +207,7 @@ public class HttpsTokenInterceptorProvid
                     for (AssertionInfo ai : ais) {
                         ai.setAsserted(true);
                     }
+                    
                     NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
                     NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
                     NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
@@ -219,14 +220,7 @@ public class HttpsTokenInterceptorProvid
             Collection<AssertionInfo> ais, 
             Message message
         ) throws XMLSecurityException {
-            @SuppressWarnings("unchecked")
-            List<SecurityEvent> securityEvents = 
-                (List<SecurityEvent>) message.getExchange().get(SecurityEvent.class.getName()
+ ".out");
-            if (securityEvents == null) {
-                securityEvents = new ArrayList<SecurityEvent>();
-                message.getExchange().put(SecurityEvent.class.getName() + ".out", securityEvents);
-            }
-            
+            List<SecurityEvent> securityEvents = getSecurityEventList(message);
             AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
             
             for (AssertionInfo ai : ais) {
@@ -309,6 +303,18 @@ public class HttpsTokenInterceptorProvid
             }
         }
         
+        private List<SecurityEvent> getSecurityEventList(Message message) {
+            @SuppressWarnings("unchecked")
+            List<SecurityEvent> securityEvents = 
+                (List<SecurityEvent>) message.getExchange().get(SecurityEvent.class.getName()
+ ".out");
+            if (securityEvents == null) {
+                securityEvents = new ArrayList<SecurityEvent>();
+                message.getExchange().put(SecurityEvent.class.getName() + ".out", securityEvents);
+            }
+            
+            return securityEvents;
+        }
+        
         private SecurityContext createSecurityContext(final Principal p) {
             return new SecurityContext() {
                 public Principal getUserPrincipal() {

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java?rev=1485137&r1=1485136&r2=1485137&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
Wed May 22 09:52:23 2013
@@ -43,6 +43,7 @@ import org.apache.cxf.common.classloader
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.resource.ResourceManager;
 import org.apache.cxf.service.model.BindingInfo;
@@ -64,6 +65,10 @@ import org.apache.wss4j.policy.stax.Oper
 import org.apache.wss4j.policy.stax.PolicyEnforcer;
 import org.apache.wss4j.policy.stax.PolicyInputProcessor;
 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
+import org.apache.wss4j.stax.impl.securityToken.HttpsSecurityTokenImpl;
+import org.apache.wss4j.stax.securityEvent.HttpsTokenSecurityEvent;
+import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
+import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
 
@@ -199,6 +204,24 @@ public class PolicyBasedWSS4JStaxInInter
             return;
         }
         
+        // Add a HttpsSecurityEvent so the policy verification code knows TLS is in use
+        if (isRequestor(message)) {
+            List<SecurityEvent> securityEvents = getSecurityEventList(message);
+            
+            HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
+            httpsTokenSecurityEvent.setAuthenticationType(
+                HttpsTokenSecurityEvent.AuthenticationType.HttpsNoAuthentication
+            );
+            HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl();
+            try {
+                httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
+            } catch (XMLSecurityException e) {
+                LOG.fine(e.getMessage());
+            }
+            httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
+            securityEvents.add(httpsTokenSecurityEvent);
+        }
+        
         Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
         if (s == null) {
             s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
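Review bot: The HttpsTokenSecurityEvent is queued for every requestor-side inbound message without any check that the response actually arrived over TLS, so a TransportBinding/HttpsToken policy would be reported as satisfied even for a plain-HTTP exchange. If the conduit exposes TLS state on the inbound message (TLSSessionInfo, which the sibling PolicyStaxActionInInterceptor consulted before this commit) or it can be derived from the request's endpoint address, gate the block on that rather than on `isRequestor(message)` alone, e.g. `if (isRequestor(message) && message.get(TLSSessionInfo.class) != null) {`. The `catch (XMLSecurityException e)` also only logs at FINE and still emits the event with a token lacking the MainSignature usage; consider logging at WARNING or skipping the event in that case. The enclosing method starts and ends outside this hunk.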
@@ -230,6 +253,18 @@ public class PolicyBasedWSS4JStaxInInter
         }
     }
     
+    private List<SecurityEvent> getSecurityEventList(Message message) {
+        @SuppressWarnings("unchecked")
+        List<SecurityEvent> securityEvents = 
+            (List<SecurityEvent>) message.getExchange().get(SecurityEvent.class.getName()
+ ".out");
+        if (securityEvents == null) {
+            securityEvents = new ArrayList<SecurityEvent>();
+            message.getExchange().put(SecurityEvent.class.getName() + ".out", securityEvents);
+        }
+        
+        return securityEvents;
+    }
+    
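Review bot: getSecurityEventList duplicates, line for line, the helper added to HttpsTokenInterceptorProvider in this same commit, and both rebuild the exchange key from `SecurityEvent.class.getName() + ".out"`; a drift in either copy would silently split the outbound event list in two and the HTTPS event would never reach the enforcer. Hoist the key into one shared constant, e.g. `public static final String OUT_SECURITY_EVENTS = SecurityEvent.class.getName() + ".out";` on a class both interceptors already reach, and have both helpers read it. A one-line comment noting that this list is shared with the outbound HTTPS token interceptor would also help the next reader.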
     private void checkSymmetricBinding(
         AssertionInfoMap aim, SoapMessage message
     ) throws WSSecurityException {
@@ -382,9 +417,11 @@ public class PolicyBasedWSS4JStaxInInter
             EffectivePolicy policy = 
                 (EffectivePolicy)bindingOperationInfo.getProperty("policy-engine-info-serve-request");
             //PolicyEngineImpl.POLICY_INFO_REQUEST_SERVER);
+            String localName = operationName.getLocalPart();
             if (MessageUtils.isRequestor(msg)) {
                 policy = 
                     (EffectivePolicy)bindingOperationInfo.getProperty("policy-engine-info-client-response");
+                localName = bindingOperationInfo.getOutput().getMessageInfo().getName().getLocalPart();
             }
             SoapOperationInfo soapOperationInfo = bindingOperationInfo.getExtensor(SoapOperationInfo.class);
 
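Review bot: `bindingOperationInfo.getOutput()` can be null for a one-way operation, so the new requestor branch would throw a NullPointerException before any policy is evaluated; the old code used only the operation name and had no such path. Guard it and keep the operation local part as the fallback: `if (bindingOperationInfo.getOutput() != null) { localName = bindingOperationInfo.getOutput().getMessageInfo().getName().getLocalPart(); }`. Whether the client inbound path is ever reached for a one-way exchange I cannot tell from this hunk, so treat this as a defensive check. The enclosing method starts and ends outside the hunk.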
@@ -397,10 +434,10 @@ public class PolicyBasedWSS4JStaxInInter
                 //most probably throw an exception:
                 throw new IllegalArgumentException("BindingInfo is not an instance of SoapBindingInfo");
             }
-
+            
             //todo: I think its a bug that we handover only the localPart of the operation.

             // Needs to be fixed in ws-security-policy-stax
-            OperationPolicy operationPolicy = new OperationPolicy(operationName.getLocalPart());
+            OperationPolicy operationPolicy = new OperationPolicy(localName);
             operationPolicy.setPolicy(policy.getPolicy());
             operationPolicy.setOperationAction(soapOperationInfo.getAction());
             operationPolicy.setSoapMessageVersionNamespace(soapNS);
@@ -410,7 +447,7 @@ public class PolicyBasedWSS4JStaxInInter
         
         final List<SecurityEvent> incomingSecurityEventList = new LinkedList<SecurityEvent>();
         // TODO Soap Action
-        PolicyEnforcer securityEventListener = new PolicyEnforcer(operationPolicies, "")
{
+        PolicyEnforcer securityEventListener = new PolicyEnforcer(operationPolicies, "",
isRequestor(msg)) {
             @Override
             public void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException
{
                 incomingSecurityEventList.add(securityEvent);

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java?rev=1485137&r1=1485136&r2=1485137&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
(original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyStaxActionInInterceptor.java
Wed May 22 09:52:23 2013
@@ -27,7 +27,6 @@ import org.apache.cxf.binding.soap.SoapM
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
-import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.wss4j.policy.SP11Constants;
@@ -39,8 +38,7 @@ import org.apache.wss4j.stax.securityEve
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 
 /**
- * This interceptor handles parsing the StaX WS-Security results (events) + marks the 
- * corresponding CXF AssertionInfos as asserted accordingly. WSS4J 2.0 (StAX) takes care
of all
+ * This interceptor marks the CXF AssertionInfos as asserted. WSS4J 2.0 (StAX) takes care
of all
  * policy validation, so we are just asserting the appropriate AssertionInfo objects in CXF
to 
  * make sure that policy validation passes.
  */
@@ -71,80 +69,62 @@ public class PolicyStaxActionInIntercept
         AssertionInfoMap aim, List<SecurityEvent> incomingSecurityEventList,
         SoapMessage soapMessage
     ) {
-        TLSSessionInfo tlsInfo = soapMessage.get(TLSSessionInfo.class);
-        if (tlsInfo != null) {
-            assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
-            assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
-            assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
-            assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
-            assertAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
-        } else {
-            for (SecurityEvent event : incomingSecurityEventList) {
-                if (WSSecurityEventConstants.SignedPart == event.getSecurityEventType())
{
-                    assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
-                } else if (WSSecurityEventConstants.SignedElement == event.getSecurityEventType())
{
-                    assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
-                } else if (WSSecurityEventConstants.EncryptedPart == event.getSecurityEventType())
{
-                    assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
-                } else if (WSSecurityEventConstants.EncryptedElement == event.getSecurityEventType())
{
-                    assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
-                } else if (WSSecurityEventConstants.ContentEncrypted == event.getSecurityEventType())
{
-                    assertAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
-                }
-            }
-        }
-        
-        for (SecurityEvent event : incomingSecurityEventList) {
-            if (WSSecurityEventConstants.RequiredPart == event.getSecurityEventType()) {
-                assertAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);
-            } else if (WSSecurityEventConstants.RequiredElement == event.getSecurityEventType())
{
-                assertAllAssertionsByLocalname(aim, SPConstants.REQUIRED_ELEMENTS);
-            } 
-        }
+        assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
+        assertAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+        assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
+        assertAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+        assertAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+
+        assertAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);
+        assertAllAssertionsByLocalname(aim, SPConstants.REQUIRED_ELEMENTS);
     }
-    
+
     private void verifyTokens(
         AssertionInfoMap aim, List<SecurityEvent> incomingSecurityEventList
     ) {
+        // UsernameToken
+        assertAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+        assertAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN10);
+        assertAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN11);
+        assertAllAssertionsByLocalname(aim, SPConstants.HASH_PASSWORD);
+        assertAllAssertionsByLocalname(aim, SPConstants.NO_PASSWORD);
+        Collection<AssertionInfo> sp13Ais = aim.get(SP13Constants.NONCE);
+        if (sp13Ais != null) {
+            for (AssertionInfo ai : sp13Ais) {
+                ai.setAsserted(true);
+            }
+        }
+        sp13Ais = aim.get(SP13Constants.CREATED);
+        if (sp13Ais != null) {
+            for (AssertionInfo ai : sp13Ais) {
+                ai.setAsserted(true);
+            }
+        }
+        
+        // X509
+        assertAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
+        assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKCS7_TOKEN10);
+        assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKCS7_TOKEN11);
+        assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10);
+        assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11);
+        assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V1_TOKEN10);
+        assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V1_TOKEN11);
+        assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V3_TOKEN10);
+        assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V3_TOKEN11);
+        
+        // SAML
+        assertAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+        assertAllAssertionsByLocalname(aim, "WssSamlV11Token10");
+        assertAllAssertionsByLocalname(aim, "WssSamlV11Token11");
+        assertAllAssertionsByLocalname(aim, "WssSamlV20Token11");
+        
+        // SCT
+        assertAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
+        assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_EXTERNAL_URI_REFERENCE);
+        
         for (SecurityEvent event : incomingSecurityEventList) {
             if (WSSecurityEventConstants.Timestamp == event.getSecurityEventType()) {
                 assertAllAssertionsByLocalname(aim, "Timestamp");
-            } else if (WSSecurityEventConstants.UsernameToken == event.getSecurityEventType())
{
-                assertAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
-                assertAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN10);
-                assertAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN11);
-                assertAllAssertionsByLocalname(aim, SPConstants.HASH_PASSWORD);
-                assertAllAssertionsByLocalname(aim, SPConstants.NO_PASSWORD);
-                Collection<AssertionInfo> sp13Ais = aim.get(SP13Constants.NONCE);
-                if (sp13Ais != null) {
-                    for (AssertionInfo ai : sp13Ais) {
-                        ai.setAsserted(true);
-                    }
-                }
-                sp13Ais = aim.get(SP13Constants.CREATED);
-                if (sp13Ais != null) {
-                    for (AssertionInfo ai : sp13Ais) {
-                        ai.setAsserted(true);
-                    }
-                }
-            } else if (WSSecurityEventConstants.X509Token == event.getSecurityEventType())
{
-                assertAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
-                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKCS7_TOKEN10);
-                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKCS7_TOKEN11);
-                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10);
-                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11);
-                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V1_TOKEN10);
-                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V1_TOKEN11);
-                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V3_TOKEN10);
-                assertAllAssertionsByLocalname(aim, SPConstants.WSS_X509_V3_TOKEN11);
-            } else if (WSSecurityEventConstants.SamlToken == event.getSecurityEventType())
{
-                assertAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
-                assertAllAssertionsByLocalname(aim, "WssSamlV11Token10");
-                assertAllAssertionsByLocalname(aim, "WssSamlV11Token11");
-                assertAllAssertionsByLocalname(aim, "WssSamlV20Token11");
-            } else if (WSSecurityEventConstants.SecurityContextToken == event.getSecurityEventType())
{
-                assertAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
-                assertAllAssertionsByLocalname(aim, SPConstants.REQUIRE_EXTERNAL_URI_REFERENCE);
             }
         }
         
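Review bot: After this change every SignedParts/EncryptedParts/UsernameToken/X509Token/SamlToken/SecurityContextToken assertion is marked asserted unconditionally, so the CXF policy layer no longer verifies anything itself and is sound only if WSS4J's PolicyEnforcer was actually registered for the message and its failure propagated; if that listener were ever skipped, a policy demanding a signature or token would still pass here. State that invariant explicitly in the class Javadoc, and consider a cheap guard before the blanket assertions, such as not asserting when `incomingSecurityEventList` is null or empty while the policy contains a token or signed/encrypted-part assertion. The `incomingSecurityEventList` parameter of the first method is now unused and should be dropped or documented as intentionally ignored. The first method's signature starts before this hunk and the enclosing class begins outside it.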


