Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 545AFDA8F for ; Thu, 23 May 2013 13:18:16 +0000 (UTC) Received: (qmail 48526 invoked by uid 500); 23 May 2013 13:18:14 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 48293 invoked by uid 500); 23 May 2013 13:18:14 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 48117 invoked by uid 99); 23 May 2013 13:18:12 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 23 May 2013 13:18:12 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 23 May 2013 13:18:08 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id CC63E23889FA; Thu, 23 May 2013 13:17:48 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1485693 [4/14] - in /cxf/trunk: ./ distribution/src/main/release/samples/sts/src/main/java/demo/wssec/client/ distribution/src/main/release/samples/sts/src/main/java/demo/wssec/server/ distribution/src/main/release/samples/sts/src/main/jav... Date: Thu, 23 May 2013 13:17:32 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130523131748.CC63E23889FA@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java Thu May 23 13:17:26 2013 @@ -19,10 +19,14 @@ package org.apache.cxf.ws.security.policy.interceptors; +import java.util.ArrayList; import java.util.Collection; import java.util.Date; +import java.util.List; import java.util.logging.Logger; +import javax.xml.namespace.QName; + import org.w3c.dom.Element; import org.apache.cxf.binding.soap.SoapBindingConstants; 
@@ -41,19 +45,10 @@ import org.apache.cxf.ws.addressing.Addr import org.apache.cxf.ws.addressing.JAXWSAConstants; import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; -import org.apache.cxf.ws.policy.PolicyBuilder; import org.apache.cxf.ws.security.SecurityConstants; -import org.apache.cxf.ws.security.policy.SP12Constants; -import org.apache.cxf.ws.security.policy.model.Binding; -import org.apache.cxf.ws.security.policy.model.Header; -import org.apache.cxf.ws.security.policy.model.ProtectionToken; -import org.apache.cxf.ws.security.policy.model.SecureConversationToken; -import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts; -import org.apache.cxf.ws.security.policy.model.SymmetricBinding; -import org.apache.cxf.ws.security.policy.model.Trust10; -import org.apache.cxf.ws.security.policy.model.Trust13; import org.apache.cxf.ws.security.tokenstore.SecurityToken; import org.apache.cxf.ws.security.tokenstore.TokenStore; +import org.apache.cxf.ws.security.trust.DefaultSymmetricBinding; import org.apache.cxf.ws.security.trust.STSClient; import org.apache.cxf.ws.security.trust.STSUtils; import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor; 
@@ -61,8 +56,17 @@ import org.apache.neethi.All; import org.apache.neethi.Assertion; import org.apache.neethi.ExactlyOne; import org.apache.neethi.Policy; -import org.apache.ws.security.message.token.SecurityContextToken; -import org.apache.ws.security.util.Base64; +import org.apache.wss4j.dom.message.token.SecurityContextToken; +import org.apache.wss4j.policy.SPConstants; +import org.apache.wss4j.policy.SPConstants.SPVersion; +import org.apache.wss4j.policy.model.AbstractBinding; +import org.apache.wss4j.policy.model.Header; +import org.apache.wss4j.policy.model.ProtectionToken; +import org.apache.wss4j.policy.model.SecureConversationToken; +import org.apache.wss4j.policy.model.SignedParts; +import org.apache.wss4j.policy.model.Trust10; +import org.apache.wss4j.policy.model.Trust13; +import org.apache.xml.security.utils.Base64; class SecureConversationInInterceptor extends AbstractPhaseInterceptor { static final Logger LOG = LogUtils.getL7dLogger(SecureConversationInInterceptor.class); 
@@ -70,19 +74,21 @@ class SecureConversationInInterceptor ex public SecureConversationInInterceptor() { super(Phase.PRE_PROTOCOL); + getBefore().add(WSS4JInInterceptor.class.getName()); } - private Binding getBinding(AssertionInfoMap aim) { - Collection ais = aim.get(SP12Constants.SYMMETRIC_BINDING); - if (ais != null && !ais.isEmpty()) { - return (Binding)ais.iterator().next().getAssertion(); - } - ais = aim.get(SP12Constants.ASYMMETRIC_BINDING); - if (ais != null && !ais.isEmpty()) { - return (Binding)ais.iterator().next().getAssertion(); - } - ais = aim.get(SP12Constants.TRANSPORT_BINDING); - if (ais != null && !ais.isEmpty()) { - return (Binding)ais.iterator().next().getAssertion(); + private AbstractBinding getBinding(AssertionInfoMap aim) { + Collection ais = + NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING); + if (!ais.isEmpty()) { + return (AbstractBinding)ais.iterator().next().getAssertion(); + } + ais = NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING); + if (!ais.isEmpty()) { + return (AbstractBinding)ais.iterator().next().getAssertion(); + } + ais = NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING); + if (!ais.isEmpty()) { + return (AbstractBinding)ais.iterator().next().getAssertion(); } return null; } 
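Review bot: `getBinding` still returns `null` when the policy carries none of the three binding assertions, and nothing documents that contract even though the new `AbstractBinding` return type invites callers to dereference the result directly. Add a Javadoc such as `/** Returns the first SymmetricBinding, AsymmetricBinding or TransportBinding assertion found in {@code aim}, or {@code null} when the policy declares no binding. */`. If `NegotiationUtils.getAllAssertionsByLocalname` matches both SP 1.1 and SP 1.2 namespaces (the helper's name suggests so — confirm), say that in the comment too, since the old code looked up SP12 only and callers may rely on the difference.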
@@ -91,15 +97,17 @@ class SecureConversationInInterceptor ex AssertionInfoMap aim = message.get(AssertionInfoMap.class); // extract Assertion information if (aim != null) { - Collection ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN); - if (ais == null || ais.isEmpty()) { + Collection ais = + NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN); + if (ais.isEmpty()) { return; } if (isRequestor(message)) { //client side should be checked on the way out for (AssertionInfo ai : ais) { ai.setAsserted(true); - } + } + assertPolicies(aim); Object s = message.getContextualProperty(SecurityConstants.STS_TOKEN_DO_CANCEL); if (s != null && (Boolean.TRUE.equals(s) || "true".equalsIgnoreCase(s.toString()))) { @@ -126,7 +134,7 @@ class SecureConversationInInterceptor ex SecureConversationToken tok = (SecureConversationToken)ais.iterator() .next().getAssertion(); - Policy pol = tok.getBootstrapPolicy(); + Policy pol = tok.getBootstrapPolicy().getPolicy(); if (s.endsWith("Cancel") || s.endsWith("/Renew")) { //Cancel and Renew just sign with the token Policy p = new Policy(); 
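Review bot: `Policy pol = tok.getBootstrapPolicy().getPolicy();` in hunk @@ -126 chains through a value that is null whenever the SecureConversationToken assertion has no nested BootstrapPolicy (the element is optional in WS-SecurityPolicy), so such a policy now fails with a NullPointerException instead of a policy error; presumably the old `getBootstrapPolicy()` returned something the later code tolerated — confirm. Check the bootstrap policy explicitly before the call and report a missing one the way the surrounding code reports other policy problems, rather than letting the NPE surface. The same chain is introduced in SecureConversationTokenInterceptorProvider, hunk @@ -67, and needs the same guard. The enclosing method starts and ends outside this hunk.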
@@ -136,31 +144,52 @@ class SecureConversationInInterceptor ex Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false); all.addPolicyComponent(ass); ea.addPolicyComponent(all); - PolicyBuilder pbuilder = message.getExchange().getBus() - .getExtension(PolicyBuilder.class); - SymmetricBinding binding = new SymmetricBinding(SP12Constants.INSTANCE, pbuilder); + + final SecureConversationToken secureConversationToken = + new SecureConversationToken( + SPConstants.SPVersion.SP12, + SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT, + null, + null, + null, + null + ); + secureConversationToken.setOptional(true); + + class InternalProtectionToken extends ProtectionToken { + public InternalProtectionToken(SPVersion version, Policy nestedPolicy) { + super(version, nestedPolicy); + super.setToken(secureConversationToken); + } + } + + DefaultSymmetricBinding binding = + new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, new Policy()); + binding.setProtectionToken( + new InternalProtectionToken(SPConstants.SPVersion.SP12, new Policy()) + ); binding.setIncludeTimestamp(true); - ProtectionToken token = new ProtectionToken(SP12Constants.INSTANCE, pbuilder); - token.setToken(new SecureConversationToken(SP12Constants.INSTANCE)); - binding.setProtectionToken(token); - binding.setEntireHeadersAndBodySignatures(true); + binding.setOnlySignEntireHeadersAndBody(true); + binding.setProtectTokens(false); - Binding origBinding = getBinding(aim); + AbstractBinding origBinding = getBinding(aim); binding.setAlgorithmSuite(origBinding.getAlgorithmSuite()); all.addPolicyComponent(binding); - SignedEncryptedParts parts = new SignedEncryptedParts(true, - SP12Constants.INSTANCE); - parts.setBody(true); + List
headers = null; if (addNs != null) { - parts.addHeader(new Header("To", addNs)); - parts.addHeader(new Header("From", addNs)); - parts.addHeader(new Header("FaultTo", addNs)); - parts.addHeader(new Header("ReplyTO", addNs)); - parts.addHeader(new Header("MessageID", addNs)); - parts.addHeader(new Header("RelatesTo", addNs)); - parts.addHeader(new Header("Action", addNs)); + headers = new ArrayList
(); + headers.add(new Header("To", addNs)); + headers.add(new Header("From", addNs)); + headers.add(new Header("FaultTo", addNs)); + headers.add(new Header("ReplyTo", addNs)); + headers.add(new Header("Action", addNs)); + headers.add(new Header("MessageID", addNs)); + headers.add(new Header("RelatesTo", addNs)); } + + SignedParts parts = + new SignedParts(SPConstants.SPVersion.SP12, true, null, headers, false); all.addPolicyComponent(parts); pol = p; message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE); @@ -187,8 +216,23 @@ class SecureConversationInInterceptor ex } else { message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE); } + + assertPolicies(aim); } } + + private void assertPolicies(AssertionInfoMap aim) { + NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY); + NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_AMEND); + NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_CANCEL); + NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_RENEW); + QName oldCancelQName = + new QName( + "http://schemas.microsoft.com/ws/2005/07/securitypolicy", + SPConstants.MUST_NOT_SEND_CANCEL + ); + NegotiationUtils.assertPolicy(aim, oldCancelQName); + } private void unmapSecurityProps(Message message) { Exchange ex = message.getExchange(); @@ -311,8 +355,9 @@ class SecureConversationInInterceptor ex AssertionInfoMap aim = message.get(AssertionInfoMap.class); // extract Assertion information if (aim != null) { - Collection ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN); - if (ais == null || ais.isEmpty()) { + Collection ais = + NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN); + if (ais.isEmpty()) { return; } for (AssertionInfo inf : ais) { 
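Review bot: `binding.setAlgorithmSuite(origBinding.getAlgorithmSuite());` dereferences the result of `getBinding(aim)` unconditionally, and that helper (rewritten earlier in this commit) returns `null` when the policy has no symmetric, asymmetric or transport binding, so a policy without one fails here with a NullPointerException rather than a policy error. Check `origBinding` for null and either fall back to the suite `DefaultSymmetricBinding` gives by default (if it has one — not visible here) or fail with an explicit policy error; silently leaving the suite unset on a synthesized binding is the one outcome to avoid. The local class `InternalProtectionToken`, which exists only to call `super.setToken(secureConversationToken)` from its constructor, also deserves a one-line comment saying why `ProtectionToken.setToken` cannot be called directly (presumably restricted access — confirm), otherwise the next maintainer will inline it. The enclosing method starts before this hunk and ends after it.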
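Review bot: `assertPolicies` marks BootstrapPolicy, MustNotSendAmend/Cancel/Renew and the legacy Microsoft-namespace MustNotSendCancel as satisfied unconditionally, and it is called on both the requestor branch (hunk @@ -91) and the server branch, with no visible check that the MustNotSend* constraints were actually honoured. If enforcement lives elsewhere (the cancel/renew handling, say), state that in a Javadoc on the method so the unconditional assertion is understood as "acknowledged", not "verified"; if it does not, these assertions are reported as met merely for being present. The namespace literal also belongs in a named constant, e.g. `private static final String MS_SP_NS = "http://schemas.microsoft.com/ws/2005/07/securitypolicy";`, with a comment noting it is the pre-standard Microsoft namespace kept for interop.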
@@ -341,8 +386,9 @@ class SecureConversationInInterceptor ex if (aim == null) { return; } - Collection ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN); - if (ais == null || ais.isEmpty()) { + Collection ais = + NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN); + if (ais.isEmpty()) { return; } Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java Thu May 23 13:17:26 2013 
@@ -32,14 +32,14 @@ import org.apache.cxf.ws.addressing.Addr import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.cxf.ws.security.SecurityConstants; -import org.apache.cxf.ws.security.policy.SP12Constants; -import org.apache.cxf.ws.security.policy.model.SecureConversationToken; -import org.apache.cxf.ws.security.policy.model.Trust10; -import org.apache.cxf.ws.security.policy.model.Trust13; import org.apache.cxf.ws.security.tokenstore.SecurityToken; import org.apache.cxf.ws.security.trust.STSClient; import org.apache.cxf.ws.security.trust.STSUtils; -import org.apache.ws.security.WSConstants; +import org.apache.wss4j.dom.WSConstants; +import org.apache.wss4j.policy.SPConstants; +import org.apache.wss4j.policy.model.SecureConversationToken; +import org.apache.wss4j.policy.model.Trust10; +import org.apache.wss4j.policy.model.Trust13; class SecureConversationOutInterceptor extends AbstractPhaseInterceptor { public SecureConversationOutInterceptor() { @@ -49,8 +49,9 @@ class SecureConversationOutInterceptor e AssertionInfoMap aim = message.get(AssertionInfoMap.class); // extract Assertion information if (aim != null) { - Collection ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN); - if (ais == null || ais.isEmpty()) { + Collection ais = + NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN); + if (ais.isEmpty()) { return; } if (isRequestor(message)) { 
@@ -79,8 +80,8 @@ class SecureConversationOutInterceptor e message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getId()); message.getExchange().put(SecurityConstants.TOKEN, tok); NegotiationUtils.getTokenStore(message).add(tok); - } + NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY); } else { //server side should be checked on the way in for (AssertionInfo ai : ais) { Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java Thu May 23 13:17:26 2013 
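Review bot: The hunk header reports equal old and new line counts (8/8) while the visible change removes only a closing brace and adds `NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);`, so as printed the new side has one `}` fewer before `} else {`. Most likely the collapsed listing hides a whitespace-only change, but please confirm that `} else {` still pairs with `if (isRequestor(message))` and that the added assertion sits after the inner block rather than inside it. A short comment on the added line would also help, e.g. `// the bootstrap policy was consumed to obtain the SCT; mark it satisfied`. The enclosing method starts and ends outside this hunk.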
@@ -29,18 +29,17 @@ import org.apache.cxf.common.logging.Log import org.apache.cxf.message.Message; import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider; import org.apache.cxf.ws.policy.AssertionInfoMap; -import org.apache.cxf.ws.policy.PolicyBuilder; import org.apache.cxf.ws.security.SecurityConstants; -import org.apache.cxf.ws.security.policy.SP11Constants; -import org.apache.cxf.ws.security.policy.SP12Constants; -import org.apache.cxf.ws.security.policy.SPConstants.SupportTokenType; -import org.apache.cxf.ws.security.policy.model.AlgorithmSuite; -import org.apache.cxf.ws.security.policy.model.SecureConversationToken; -import org.apache.cxf.ws.security.policy.model.SupportingToken; import org.apache.cxf.ws.security.trust.STSClient; import org.apache.neethi.All; import org.apache.neethi.ExactlyOne; import org.apache.neethi.Policy; +import org.apache.wss4j.policy.SP11Constants; +import org.apache.wss4j.policy.SP12Constants; +import org.apache.wss4j.policy.SPConstants; +import org.apache.wss4j.policy.model.AlgorithmSuite; +import org.apache.wss4j.policy.model.SecureConversationToken; +import org.apache.wss4j.policy.model.SupportingTokens; /** * @@ -53,7 +52,9 @@ public class SecureConversationTokenInte public SecureConversationTokenInterceptorProvider() { super(Arrays.asList(SP11Constants.SECURE_CONVERSATION_TOKEN, - SP12Constants.SECURE_CONVERSATION_TOKEN)); + SP12Constants.SECURE_CONVERSATION_TOKEN, + SP12Constants.BOOTSTRAP_POLICY, + SP11Constants.BOOTSTRAP_POLICY)); this.getOutInterceptors().add(new SecureConversationOutInterceptor()); this.getOutFaultInterceptors().add(new SecureConversationOutInterceptor()); this.getInInterceptors().add(new SecureConversationInInterceptor()); 
@@ -67,7 +68,7 @@ public class SecureConversationTokenInte boolean endorse) { client.setTrust(NegotiationUtils.getTrust10(aim)); client.setTrust(NegotiationUtils.getTrust13(aim)); - Policy pol = itok.getBootstrapPolicy(); + Policy pol = itok.getBootstrapPolicy().getPolicy(); Policy p = new Policy(); ExactlyOne ea = new ExactlyOne(); p.addPolicyComponent(ea); @@ -76,10 +77,10 @@ public class SecureConversationTokenInte ea.addPolicyComponent(all); if (endorse) { - SupportingToken st = new SupportingToken(SupportTokenType.SUPPORTING_TOKEN_ENDORSING, - SP12Constants.INSTANCE, - message.getExchange() - .getBus().getExtension(PolicyBuilder.class)); + SupportingTokens st = + new SupportingTokens(SPConstants.SPVersion.SP12, + SP12Constants.SupportingTokenTypes.EndorsingSupportingTokens, + new Policy()); st.addToken(itok); all.addPolicyComponent(st); } @@ -94,7 +95,7 @@ public class SecureConversationTokenInte AlgorithmSuite suite = NegotiationUtils.getAlgorithmSuite(aim); if (suite != null) { client.setAlgorithmSuite(suite); - int x = suite.getMaximumSymmetricKeyLength(); + int x = suite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength(); if (x < 256) { client.setKeySize(x); } Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java Thu May 23 13:17:26 2013 
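Review bot: In hunk @@ -94, `suite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength()` dereferences the suite type without a null check; from these lines it is not visible whether an AlgorithmSuite assertion whose nested policy names no recognised suite yields a null type (I believe it can in this model — confirm), in which case the key-size negotiation with the STS would throw a NullPointerException. Widening the existing guard to `if (suite != null && suite.getAlgorithmSuiteType() != null) {` keeps the current behaviour for every well-formed policy. The same chain is introduced in SpnegoTokenInterceptorProvider, hunk @@ -79.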
@@ -22,8 +22,6 @@ package org.apache.cxf.ws.security.polic import java.util.Collection; import java.util.logging.Logger; -import javax.xml.namespace.QName; - import org.apache.cxf.binding.soap.SoapMessage; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.interceptor.Fault; @@ -33,7 +31,8 @@ import org.apache.cxf.phase.Phase; import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.cxf.ws.policy.PolicyException; -import org.apache.cxf.ws.security.policy.SP12Constants; +import org.apache.wss4j.policy.SP12Constants; +import org.apache.wss4j.policy.SPConstants; /** * Interceptor verifies critical policy security assertions for client side 
@@ -59,37 +58,43 @@ public class SecurityVerificationOutInte if (MessageUtils.isRequestor(message)) { AssertionInfoMap aim = message.get(AssertionInfoMap.class); if (aim != null) { - Collection aisTransport = aim.get(SP12Constants.TRANSPORT_BINDING); - Collection aisAssymetric = aim.get(SP12Constants.ASYMMETRIC_BINDING); - Collection aisSymetric = aim.get(SP12Constants.SYMMETRIC_BINDING); - if (((aisTransport == null) || aisTransport.isEmpty()) - && ((aisAssymetric == null) || aisAssymetric.isEmpty()) - && ((aisSymetric == null) || aisSymetric.isEmpty())) { + Collection aisTransport = + NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING); + Collection aisAssymetric = + NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING); + Collection aisSymetric = + NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING); + + if (aisTransport.isEmpty() && aisAssymetric.isEmpty() && aisSymetric.isEmpty()) { + + Collection aisSignedParts = + NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS); + checkAssertion(aisSignedParts, SPConstants.SIGNED_PARTS); - Collection aisSignedParts = aim.get(SP12Constants.SIGNED_PARTS); - checkAssertion(aisSignedParts, SP12Constants.SIGNED_PARTS); Collection aisSignedElements = aim.get(SP12Constants.SIGNED_ELEMENTS); - checkAssertion(aisSignedElements, SP12Constants.SIGNED_ELEMENTS); + checkAssertion(aisSignedElements, SPConstants.SIGNED_ELEMENTS); Collection aisEncryptedParts = aim.get(SP12Constants.ENCRYPTED_PARTS); - checkAssertion(aisEncryptedParts, SP12Constants.ENCRYPTED_PARTS); + checkAssertion(aisEncryptedParts, SPConstants.ENCRYPTED_PARTS); + Collection aisEncryptedElements = aim.get(SP12Constants.ENCRYPTED_ELEMENTS); - checkAssertion(aisEncryptedElements, SP12Constants.ENCRYPTED_ELEMENTS); + checkAssertion(aisEncryptedElements, SPConstants.ENCRYPTED_ELEMENTS); + Collection aisContentEncryptedElements = 
aim.get(SP12Constants.CONTENT_ENCRYPTED_ELEMENTS); - checkAssertion(aisContentEncryptedElements, SP12Constants.CONTENT_ENCRYPTED_ELEMENTS); + checkAssertion(aisContentEncryptedElements, SPConstants.CONTENT_ENCRYPTED_ELEMENTS); } } } } - private void checkAssertion(Collection ais, QName assertion) { + private void checkAssertion(Collection ais, String assertionName) { if ((ais != null) && (!ais.isEmpty())) { String error = String .format("%s assertion cannot be fulfilled without binding. " + "At least one binding assertion (%s, %s, %s) must be specified in policy.", - assertion.getLocalPart(), SP12Constants.TRANSPORT_BINDING.getLocalPart(), + assertionName, SP12Constants.TRANSPORT_BINDING.getLocalPart(), SP12Constants.ASYMMETRIC_BINDING.getLocalPart(), SP12Constants.SYMMETRIC_BINDING.getLocalPart()); AssertionInfo info = ais.iterator().next(); Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java Thu May 23 13:17:26 2013 @@ -43,7 +43,6 @@ import org.apache.cxf.ws.addressing.JAXW import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.cxf.ws.security.SecurityConstants; -import org.apache.cxf.ws.security.policy.SP12Constants; import org.apache.cxf.ws.security.tokenstore.SecurityToken; import org.apache.cxf.ws.security.tokenstore.TokenStore; import org.apache.cxf.ws.security.trust.STSUtils; 
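Review bot: The hunk switches the binding lookups and the SIGNED_PARTS lookup to `NegotiationUtils.getAllAssertionsByLocalname`, but SIGNED_ELEMENTS, ENCRYPTED_PARTS, ENCRYPTED_ELEMENTS and CONTENT_ENCRYPTED_ELEMENTS are still fetched with `aim.get(SP12Constants.…)`, so a policy that expresses those protection assertions in the SP 1.1 namespace passes this verification with no binding while the same SP 1.2 policy is rejected. Since this interceptor exists to refuse protection assertions that no binding can honour, the four remaining lookups should use the same local-name helper (assuming it is what makes the binding lookups namespace-agnostic — confirm). The enclosing `handleMessage` starts before this hunk.
```java
// … unchanged: binding lookups and the SIGNED_PARTS check …
Collection<AssertionInfo> aisSignedElements =
    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
checkAssertion(aisSignedElements, SPConstants.SIGNED_ELEMENTS);
Collection<AssertionInfo> aisEncryptedParts =
    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
checkAssertion(aisEncryptedParts, SPConstants.ENCRYPTED_PARTS);
Collection<AssertionInfo> aisEncryptedElements =
    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
checkAssertion(aisEncryptedElements, SPConstants.ENCRYPTED_ELEMENTS);
Collection<AssertionInfo> aisContentEncryptedElements =
    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
checkAssertion(aisContentEncryptedElements, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
// … unchanged: checkAssertion …
```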
@@ -52,12 +51,13 @@ import org.apache.neethi.All; import org.apache.neethi.Assertion; import org.apache.neethi.ExactlyOne; import org.apache.neethi.Policy; -import org.apache.ws.security.WSConstants; -import org.apache.ws.security.message.token.BinarySecurity; -import org.apache.ws.security.message.token.SecurityContextToken; -import org.apache.ws.security.spnego.SpnegoTokenContext; -import org.apache.ws.security.util.Base64; -import org.apache.ws.security.util.WSSecurityUtil; +import org.apache.wss4j.common.spnego.SpnegoTokenContext; +import org.apache.wss4j.dom.WSConstants; +import org.apache.wss4j.dom.message.token.BinarySecurity; +import org.apache.wss4j.dom.message.token.SecurityContextToken; +import org.apache.wss4j.dom.util.WSSecurityUtil; +import org.apache.wss4j.policy.SPConstants; +import org.apache.xml.security.utils.Base64; class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor { static final Logger LOG = LogUtils.getL7dLogger(SpnegoContextTokenInInterceptor.class); @@ -70,8 +70,9 @@ class SpnegoContextTokenInInterceptor ex AssertionInfoMap aim = message.get(AssertionInfoMap.class); // extract Assertion information if (aim != null) { - Collection ais = aim.get(SP12Constants.SPNEGO_CONTEXT_TOKEN); - if (ais == null || ais.isEmpty()) { + Collection ais = + NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN); + if (ais.isEmpty()) { return; } if (isRequestor(message)) { 
@@ -348,8 +349,9 @@ class SpnegoContextTokenInInterceptor ex AssertionInfoMap aim = message.get(AssertionInfoMap.class); // extract Assertion information if (aim != null) { - Collection ais = aim.get(SP12Constants.SPNEGO_CONTEXT_TOKEN); - if (ais == null || ais.isEmpty()) { + Collection ais = + NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN); + if (ais.isEmpty()) { return; } for (AssertionInfo inf : ais) { Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java Thu May 23 13:17:26 2013 
@@ -32,16 +32,16 @@ import org.apache.cxf.ws.addressing.Addr import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.cxf.ws.security.SecurityConstants; -import org.apache.cxf.ws.security.policy.SP12Constants; -import org.apache.cxf.ws.security.policy.model.Trust10; -import org.apache.cxf.ws.security.policy.model.Trust13; import org.apache.cxf.ws.security.tokenstore.SecurityToken; import org.apache.cxf.ws.security.trust.STSClient; import org.apache.cxf.ws.security.trust.STSUtils; -import org.apache.ws.security.WSSecurityException; -import org.apache.ws.security.spnego.SpnegoClientAction; -import org.apache.ws.security.spnego.SpnegoTokenContext; -import org.apache.ws.security.util.Base64; +import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.common.spnego.SpnegoClientAction; +import org.apache.wss4j.common.spnego.SpnegoTokenContext; +import org.apache.wss4j.policy.SPConstants; +import org.apache.wss4j.policy.model.Trust10; +import org.apache.wss4j.policy.model.Trust13; +import org.apache.xml.security.utils.Base64; class SpnegoContextTokenOutInterceptor extends AbstractPhaseInterceptor { public SpnegoContextTokenOutInterceptor() { 
@@ -51,8 +51,9 @@ class SpnegoContextTokenOutInterceptor e AssertionInfoMap aim = message.get(AssertionInfoMap.class); // extract Assertion information if (aim != null) { - Collection ais = aim.get(SP12Constants.SPNEGO_CONTEXT_TOKEN); - if (ais == null || ais.isEmpty()) { + Collection ais = + NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN); + if (ais.isEmpty()) { return; } if (isRequestor(message)) { Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java Thu May 23 13:17:26 2013 @@ -30,14 +30,14 @@ import org.apache.cxf.message.Message; import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider; import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.cxf.ws.security.SecurityConstants; -import org.apache.cxf.ws.security.policy.SP11Constants; -import org.apache.cxf.ws.security.policy.SP12Constants; -import org.apache.cxf.ws.security.policy.model.AlgorithmSuite; import org.apache.cxf.ws.security.trust.STSClient; import org.apache.neethi.All; import org.apache.neethi.ExactlyOne; import org.apache.neethi.Policy; -import org.apache.ws.security.WSSConfig; +import org.apache.wss4j.dom.WSSConfig; +import org.apache.wss4j.policy.SP11Constants; +import org.apache.wss4j.policy.SP12Constants; +import org.apache.wss4j.policy.model.AlgorithmSuite; /** * 
@@ -79,7 +79,7 @@ public class SpnegoTokenInterceptorProvi AlgorithmSuite suite = NegotiationUtils.getAlgorithmSuite(aim); if (suite != null) { client.setAlgorithmSuite(suite); - int x = suite.getMaximumSymmetricKeyLength(); + int x = suite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength(); if (x < 256) { client.setKeySize(x); } Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java Thu May 23 13:17:26 2013 @@ -26,8 +26,9 @@ import javax.xml.namespace.QName; import org.apache.cxf.Bus; import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider; -import org.apache.cxf.ws.security.policy.SP12Constants; import org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor; +import org.apache.wss4j.policy.SP11Constants; +import org.apache.wss4j.policy.SP12Constants; /** * 
@@ -39,6 +40,7 @@ public class UsernameTokenInterceptorPro ASSERTION_TYPES = new ArrayList(); ASSERTION_TYPES.add(SP12Constants.USERNAME_TOKEN); + ASSERTION_TYPES.add(SP11Constants.USERNAME_TOKEN); } public UsernameTokenInterceptorProvider() { Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java Thu May 23 13:17:26 2013 @@ -25,9 +25,12 @@ import java.util.Collection; import javax.xml.namespace.QName; import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider; -import org.apache.cxf.ws.security.policy.SP12Constants; import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor; import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor; +import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor; +import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor; +import org.apache.wss4j.policy.SP11Constants; +import org.apache.wss4j.policy.SP12Constants; /** * @@ -41,6 +44,10 @@ public class WSSecurityInterceptorProvid ASSERTION_TYPES.add(SP12Constants.TRANSPORT_BINDING); ASSERTION_TYPES.add(SP12Constants.ASYMMETRIC_BINDING); ASSERTION_TYPES.add(SP12Constants.SYMMETRIC_BINDING); + + ASSERTION_TYPES.add(SP11Constants.TRANSPORT_BINDING); + ASSERTION_TYPES.add(SP11Constants.ASYMMETRIC_BINDING); + ASSERTION_TYPES.add(SP11Constants.SYMMETRIC_BINDING); } public WSSecurityInterceptorProvider() { 
@@ -49,5 +56,10 @@ public class WSSecurityInterceptorProvid
 this.getOutFaultInterceptors().add(PolicyBasedWSS4JOutInterceptor.INSTANCE);
 this.getInInterceptors().add(PolicyBasedWSS4JInInterceptor.INSTANCE);
 this.getInFaultInterceptors().add(PolicyBasedWSS4JInInterceptor.INSTANCE);
+
+ this.getOutInterceptors().add(PolicyBasedWSS4JStaxOutInterceptor.INSTANCE);
+ this.getOutFaultInterceptors().add(PolicyBasedWSS4JStaxOutInterceptor.INSTANCE);
+ this.getInInterceptors().add(PolicyBasedWSS4JStaxInInterceptor.INSTANCE);
+ this.getInFaultInterceptors().add(PolicyBasedWSS4JStaxInInterceptor.INSTANCE);
 }
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -25,8 +25,8 @@ import java.util.Collection;
 import javax.xml.namespace.QName;
 import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 /**
  *
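Review bot: Nothing in this hunk shows how a message ends up handled by only one of the two WS-Security implementations now registered on every chain, since both the DOM PolicyBasedWSS4J* and the StAX PolicyBasedWSS4JStax* singletons are added to the in, out, in-fault and out-fault lists. The sibling AbstractTokenInterceptor change in this commit returns early on SecurityConstants.ENABLE_STREAMING_SECURITY, so presumably each interceptor pair does the same — that is an inference to confirm, because if both ran the Security header would be processed twice and if neither did the policy would go unenforced. Add a comment above the first `this.getOutInterceptors().add(PolicyBasedWSS4JStaxOutInterceptor.INSTANCE);` line: `// DOM and StAX interceptors are both registered; each returns early unless` `// SecurityConstants.ENABLE_STREAMING_SECURITY selects it, so exactly one runs.` The constructor this hunk completes starts before the hunk.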
@@ -39,9 +39,13 @@ public class WSSecurityPolicyInterceptor ASSERTION_TYPES.add(SP12Constants.LAYOUT); ASSERTION_TYPES.add(SP12Constants.INCLUDE_TIMESTAMP); ASSERTION_TYPES.add(SP12Constants.ALGORITHM_SUITE); + ASSERTION_TYPES.add(SP12Constants.ENCRYPT_SIGNATURE); + ASSERTION_TYPES.add(SP12Constants.PROTECT_TOKENS); + ASSERTION_TYPES.add(SP12Constants.ENCRYPT_BEFORE_SIGNING); + ASSERTION_TYPES.add(SP12Constants.SIGN_BEFORE_ENCRYPTING); + ASSERTION_TYPES.add(SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY); ASSERTION_TYPES.add(SP12Constants.WSS10); ASSERTION_TYPES.add(SP12Constants.WSS11); - ASSERTION_TYPES.add(SP11Constants.TRUST_10); ASSERTION_TYPES.add(SP12Constants.TRUST_13); ASSERTION_TYPES.add(SP12Constants.PROTECTION_TOKEN); ASSERTION_TYPES.add(SP12Constants.X509_TOKEN); 
@@ -61,14 +65,48 @@ public class WSSecurityPolicyInterceptor ASSERTION_TYPES.add(SP12Constants.ENCRYPTED_ELEMENTS); ASSERTION_TYPES.add(SP12Constants.SIGNED_ELEMENTS); ASSERTION_TYPES.add(SP12Constants.CONTENT_ENCRYPTED_ELEMENTS); - ASSERTION_TYPES.add(SP12Constants.INSTANCE.getSupportingTokens()); - ASSERTION_TYPES.add(SP12Constants.INSTANCE.getSignedSupportingTokens()); - ASSERTION_TYPES.add(SP12Constants.INSTANCE.getEndorsingSupportingTokens()); - ASSERTION_TYPES.add(SP12Constants.INSTANCE.getSignedEndorsingSupportingTokens()); + ASSERTION_TYPES.add(SP12Constants.SUPPORTING_TOKENS); + ASSERTION_TYPES.add(SP12Constants.SIGNED_SUPPORTING_TOKENS); + ASSERTION_TYPES.add(SP12Constants.ENDORSING_SUPPORTING_TOKENS); ASSERTION_TYPES.add(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS); + ASSERTION_TYPES.add(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS); ASSERTION_TYPES.add(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS); ASSERTION_TYPES.add(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS); ASSERTION_TYPES.add(SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS); + + ASSERTION_TYPES.add(SP11Constants.LAYOUT); + ASSERTION_TYPES.add(SP11Constants.INCLUDE_TIMESTAMP); + ASSERTION_TYPES.add(SP11Constants.ALGORITHM_SUITE); + ASSERTION_TYPES.add(SP11Constants.ENCRYPT_SIGNATURE); + ASSERTION_TYPES.add(SP11Constants.PROTECT_TOKENS); + ASSERTION_TYPES.add(SP11Constants.ENCRYPT_BEFORE_SIGNING); + ASSERTION_TYPES.add(SP11Constants.SIGN_BEFORE_ENCRYPTING); + ASSERTION_TYPES.add(SP11Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY); + ASSERTION_TYPES.add(SP11Constants.WSS10); + ASSERTION_TYPES.add(SP11Constants.WSS11); + ASSERTION_TYPES.add(SP11Constants.TRUST_10); + ASSERTION_TYPES.add(SP11Constants.PROTECTION_TOKEN); + ASSERTION_TYPES.add(SP11Constants.X509_TOKEN); + ASSERTION_TYPES.add(SP11Constants.ENCRYPTION_TOKEN); + ASSERTION_TYPES.add(SP11Constants.SIGNATURE_TOKEN); + ASSERTION_TYPES.add(SP11Constants.TRANSPORT_TOKEN); + 
ASSERTION_TYPES.add(SP11Constants.INITIATOR_TOKEN); + ASSERTION_TYPES.add(SP11Constants.INITIATOR_SIGNATURE_TOKEN); + ASSERTION_TYPES.add(SP11Constants.INITIATOR_ENCRYPTION_TOKEN); + ASSERTION_TYPES.add(SP11Constants.RECIPIENT_TOKEN); + ASSERTION_TYPES.add(SP11Constants.RECIPIENT_SIGNATURE_TOKEN); + ASSERTION_TYPES.add(SP11Constants.RECIPIENT_ENCRYPTION_TOKEN); + ASSERTION_TYPES.add(SP11Constants.SIGNED_PARTS); + ASSERTION_TYPES.add(SP11Constants.REQUIRED_PARTS); + ASSERTION_TYPES.add(SP11Constants.REQUIRED_ELEMENTS); + ASSERTION_TYPES.add(SP11Constants.ENCRYPTED_PARTS); + ASSERTION_TYPES.add(SP11Constants.ENCRYPTED_ELEMENTS); + ASSERTION_TYPES.add(SP11Constants.SIGNED_ELEMENTS); + ASSERTION_TYPES.add(SP11Constants.CONTENT_ENCRYPTED_ELEMENTS); + ASSERTION_TYPES.add(SP11Constants.SUPPORTING_TOKENS); + ASSERTION_TYPES.add(SP11Constants.SIGNED_SUPPORTING_TOKENS); + ASSERTION_TYPES.add(SP11Constants.ENDORSING_SUPPORTING_TOKENS); + ASSERTION_TYPES.add(SP11Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS); } public WSSecurityPolicyInterceptorProvider() { Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java Thu May 23 13:17:26 2013 
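Review bot: The SP 1.1 list added at the end of this hunk is deliberately shorter than the SP 1.2 list above it — it carries TRUST_10 instead of TRUST_13 and none of the *ENCRYPTED_SUPPORTING_TOKENS variants — but nothing says so, and two hand-maintained parallel lists drift silently. A maintainer reading them side by side may either try to "complete" the SP 1.1 block with constants that do not exist in that namespace or forget to mirror a future SP 1.2 addition; if I recall CXF's policy engine correctly an unregistered assertion makes the alternative unsatisfiable rather than unenforced, so drift fails closed but still breaks interoperability without an obvious cause. Add a comment at the head of the SP11 block: `// WS-SecurityPolicy 1.1 assertions. Intentionally shorter than the SP 1.2 list above:` `// SP 1.1 has Trust10 (not Trust13) and no Encrypted*SupportingTokens variants.` The static initializer this hunk belongs to begins before the hunk.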
@@ -37,7 +37,7 @@ import org.apache.cxf.Bus;
 import org.apache.cxf.buslifecycle.BusLifeCycleListener;
 import org.apache.cxf.buslifecycle.BusLifeCycleManager;
 import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.ws.security.cache.EHCacheManagerHolder;
+import org.apache.wss4j.common.cache.EHCacheManagerHolder;
 /**
  * An in-memory EHCache implementation of the TokenStore interface. The default TTL is 60 minutes
@@ -59,7 +59,7 @@ public class EHCacheTokenStore implement
 b.getExtension(BusLifeCycleManager.class).registerLifeCycleListener(this);
 }
- cacheManager = EHCacheManagerHolder.getCacheManager(bus, configFileURL);
+ cacheManager = EHCacheManagerHolder.getCacheManager(configFileURL);
 // Cannot overflow to disk as SecurityToken Elements can't be serialized
 CacheConfiguration cc = EHCacheManagerHolder.getCacheConfiguration(key, cacheManager);
 cc.overflowToDisk(false); //tokens not writable

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java Thu May 23 13:17:26 2013
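Review bot: `EHCacheManagerHolder.getCacheManager(configFileURL)` no longer receives the Bus, so the CacheManager now appears to be resolved from the configuration URL alone; if the wss4j holder keys managers on that URL (its implementation is not visible here), two Bus instances in one JVM that share the default ehcache configuration get the same CacheManager, and a TokenStore created with the same `key` on each would then read each other's SecurityTokens. That is a narrower isolation guarantee than the bus-scoped lookup gave and it is not mentioned anywhere; please say so where the manager is obtained and make the uniqueness requirement on `key` explicit: `// CacheManager is shared per config URL, not per Bus: 'key' must be unique across buses`. The constructor this hunk patches starts before the hunk.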
@@ -33,10 +33,10 @@ import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.cxf.staxutils.W3CDOMStreamWriter;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.message.token.Reference;
-import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.message.token.Reference;
+import org.apache.wss4j.dom.util.XmlSchemaDateFormat;
 /**

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java Thu May 23 13:17:26 2013
@@ -26,7 +26,6 @@ import org.apache.cxf.common.classloader
 import org.apache.cxf.message.Message;
 import org.apache.cxf.resource.ResourceManager;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.cache.ReplayCacheFactory;
 /**
  * An abstract factory to return a TokenStore instance. It returns an EHCacheTokenStoreFactory
@@ -69,7 +68,7 @@ public abstract class TokenStoreFactory
 url = rm.resolveResource((String)o, URL.class);
 try {
 if (url == null) {
- url = ClassLoaderUtils.getResource((String)o, ReplayCacheFactory.class);
+ url = ClassLoaderUtils.getResource((String)o, TokenStoreFactory.class);
 }
 if (url == null) {
 url = new URL((String)o);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java Thu May 23 13:17:26 2013
@@ -25,6 +25,7 @@ import java.io.StringReader;
 import java.net.URL;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -91,16 +92,6 @@ import org.apache.cxf.ws.policy.PolicyCo
 import org.apache.cxf.ws.policy.PolicyEngine;
 import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
-import org.apache.cxf.ws.security.policy.model.Binding;
-import org.apache.cxf.ws.security.policy.model.Header;
-import org.apache.cxf.ws.security.policy.model.ProtectionToken;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Trust10;
-import org.apache.cxf.ws.security.policy.model.Trust13;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.trust.claims.ClaimsCallback;
 import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
@@ -111,27 +102,39 @@ import org.apache.neethi.All; import org.apache.neethi.ExactlyOne; import org.apache.neethi.Policy; import org.apache.neethi.PolicyComponent; -import org.apache.ws.security.WSConstants; -import org.apache.ws.security.WSDocInfo; -import org.apache.ws.security.WSSConfig; -import org.apache.ws.security.WSSecurityEngineResult; -import org.apache.ws.security.WSSecurityException; -import org.apache.ws.security.components.crypto.Crypto; -import org.apache.ws.security.components.crypto.CryptoFactory; -import org.apache.ws.security.components.crypto.CryptoType; -import org.apache.ws.security.conversation.ConversationException; -import org.apache.ws.security.conversation.dkalgo.P_SHA1; -import org.apache.ws.security.handler.RequestData; -import org.apache.ws.security.message.token.BinarySecurity; -import org.apache.ws.security.message.token.Reference; -import org.apache.ws.security.processor.EncryptedKeyProcessor; -import org.apache.ws.security.processor.X509Util; -import org.apache.ws.security.util.Base64; -import org.apache.ws.security.util.WSSecurityUtil; -import org.apache.ws.security.util.XmlSchemaDateFormat; +import org.apache.wss4j.common.crypto.Crypto; +import org.apache.wss4j.common.crypto.CryptoFactory; +import org.apache.wss4j.common.crypto.CryptoType; +import org.apache.wss4j.common.derivedKey.ConversationException; +import org.apache.wss4j.common.derivedKey.P_SHA1; +import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.dom.WSConstants; +import org.apache.wss4j.dom.WSDocInfo; +import org.apache.wss4j.dom.WSSConfig; +import org.apache.wss4j.dom.WSSecurityEngineResult; +import org.apache.wss4j.dom.handler.RequestData; +import org.apache.wss4j.dom.message.token.BinarySecurity; +import org.apache.wss4j.dom.message.token.Reference; +import org.apache.wss4j.dom.processor.EncryptedKeyProcessor; +import org.apache.wss4j.dom.processor.X509Util; +import org.apache.wss4j.dom.util.WSSecurityUtil; +import 
org.apache.wss4j.dom.util.XmlSchemaDateFormat; +import org.apache.wss4j.policy.SPConstants; +import org.apache.wss4j.policy.SPConstants.SPVersion; +import org.apache.wss4j.policy.model.AbstractBinding; +import org.apache.wss4j.policy.model.AlgorithmSuite; +import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType; +import org.apache.wss4j.policy.model.Header; +import org.apache.wss4j.policy.model.ProtectionToken; +import org.apache.wss4j.policy.model.SecureConversationToken; +import org.apache.wss4j.policy.model.SignedParts; +import org.apache.wss4j.policy.model.Trust10; +import org.apache.wss4j.policy.model.Trust13; +import org.apache.xml.security.exceptions.Base64DecodingException; import org.apache.xml.security.keys.content.X509Data; import org.apache.xml.security.keys.content.keyvalues.DSAKeyValue; import org.apache.xml.security.keys.content.keyvalues.RSAKeyValue; +import org.apache.xml.security.utils.Base64; /** * An abstract class with some functionality to invoke on a SecurityTokenService (STS) via the @@ -159,7 +162,7 @@ public abstract class AbstractSTSClient protected AlgorithmSuite algorithmSuite; protected String namespace = STSUtils.WST_NS_05_12; protected String addressingNamespace = "http://www.w3.org/2005/08/addressing"; - protected String wspNamespace = SPConstants.P_NS; + protected String wspNamespace = "http://www.w3.org/ns/ws-policy"; protected Object onBehalfOf; protected boolean enableAppliesTo = true; @@ -440,8 +443,8 @@ public abstract class AbstractSTSClient while (i.hasNext() && algorithmSuite == null) { List p = CastUtils.cast((List)i.next()); for (PolicyComponent p2 : p) { - if (p2 instanceof Binding) { - algorithmSuite = ((Binding)p2).getAlgorithmSuite(); + if (p2 instanceof AbstractBinding) { + algorithmSuite = ((AbstractBinding)p2).getAlgorithmSuite(); } } } 
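Review bot: `wspNamespace` is now initialised from a bare string literal, `"http://www.w3.org/ns/ws-policy"`, replacing the `SPConstants.P_NS` constant; the sibling field `namespace` still takes its URI from `STSUtils.WST_NS_05_12`, and the addressing URI literal on the line above is repeated again inside the cancel-policy hunk further down, so namespace strings in this class are now a mix of constants and copies. A typo in such a literal is not caught by the compiler and only shows up as an STS rejecting the RST; if the old P_NS held the same URI (it appears to, but confirm) this is pure inlining and could instead read `protected String wspNamespace = WSP_NS;` with `private static final String WSP_NS = "http://www.w3.org/ns/ws-policy";` declared once, or reuse CXF's PolicyConstants namespace constant if one is in scope. The field block this hunk patches sits inside a class declared before the hunk.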
@@ -812,8 +815,9 @@ public abstract class AbstractSTSClient if (algorithmSuite == null) { requestorEntropy = WSSecurityUtil.generateNonce(keySize / 8); } else { + AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType(); requestorEntropy = WSSecurityUtil - .generateNonce(algorithmSuite.getMaximumSymmetricKeyLength() / 8); + .generateNonce(algType.getMaximumSymmetricKeyLength() / 8); } writer.writeCharacters(Base64.encode(requestorEntropy)); 
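Review bot: `algorithmSuite.getAlgorithmSuiteType()` is dereferenced on the following line with no null check, while the enclosing `if (algorithmSuite == null)` guards only the suite object; whether the WSS4J model can return a suite whose type is null (for instance a policy naming an algorithm suite it does not recognise) is not visible here, but if it can, entropy generation dies with an NPE instead of a clear failure. Suggest `AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();` `int keyLength = algType != null ? algType.getMaximumSymmetricKeyLength() : keySize;` `requestorEntropy = WSSecurityUtil.generateNonce(keyLength / 8);`, which falls back to the same `keySize` the null-suite branch already uses. The method this hunk patches starts before and ends after the hunk.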
@@ -1050,38 +1054,52 @@ public abstract class AbstractSTSClient All all = new All(); one.addPolicyComponent(all); all.addAssertion(getAddressingAssertion()); + + final SecureConversationToken secureConversationToken = + new SecureConversationToken( + SPConstants.SPVersion.SP12, + SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT, + null, + null, + null, + null + ); + secureConversationToken.setOptional(true); + + class InternalProtectionToken extends ProtectionToken { + public InternalProtectionToken(SPVersion version, Policy nestedPolicy) { + super(version, nestedPolicy); + super.setToken(secureConversationToken); + } + } - PolicyBuilder pbuilder = bus.getExtension(PolicyBuilder.class); - SymmetricBinding binding = new SymmetricBinding(pbuilder); + DefaultSymmetricBinding binding = + new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, new Policy()); all.addAssertion(binding); all.addAssertion(getAddressingAssertion()); - ProtectionToken ptoken = new ProtectionToken(pbuilder); - binding.setProtectionToken(ptoken); + binding.setProtectionToken( + new InternalProtectionToken(SPConstants.SPVersion.SP12, new Policy()) + ); binding.setIncludeTimestamp(true); - binding.setEntireHeadersAndBodySignatures(true); - binding.setTokenProtection(false); - AlgorithmSuite suite = new AlgorithmSuite(); - binding.setAlgorithmSuite(suite); - SecureConversationToken sct = new SecureConversationToken(); - sct.setOptional(true); - ptoken.setToken(sct); - - SignedEncryptedParts parts = new SignedEncryptedParts(true); - parts.setOptional(true); - parts.setBody(true); + binding.setOnlySignEntireHeadersAndBody(true); + binding.setProtectTokens(false); String addrNamespace = addressingNamespace; if (addrNamespace == null) { addrNamespace = "http://www.w3.org/2005/08/addressing"; } - parts.addHeader(new Header("To", addrNamespace)); - parts.addHeader(new Header("From", addrNamespace)); - parts.addHeader(new Header("FaultTo", addrNamespace)); - parts.addHeader(new 
Header("ReplyTo", addrNamespace)); - parts.addHeader(new Header("Action", addrNamespace)); - parts.addHeader(new Header("MessageID", addrNamespace)); - parts.addHeader(new Header("RelatesTo", addrNamespace)); + List
headers = new ArrayList
(); + headers.add(new Header("To", addrNamespace)); + headers.add(new Header("From", addrNamespace)); + headers.add(new Header("FaultTo", addrNamespace)); + headers.add(new Header("ReplyTo", addrNamespace)); + headers.add(new Header("Action", addrNamespace)); + headers.add(new Header("MessageID", addrNamespace)); + headers.add(new Header("RelatesTo", addrNamespace)); + + SignedParts parts = new SignedParts(SPConstants.SPVersion.SP12, true, null, headers, false); + parts.setOptional(true); all.addPolicyComponent(parts); client.getRequestContext().put(PolicyConstants.POLICY_OVERRIDE, cancelPolicy); @@ -1223,7 +1241,7 @@ public abstract class AbstractSTSClient } protected SecurityToken createSecurityToken(Element el, byte[] requestorEntropy) - throws WSSecurityException { + throws WSSecurityException, Base64DecodingException { if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) { el = DOMUtils.getFirstElement(el); @@ -1337,7 +1355,7 @@ public abstract class AbstractSTSClient return token; } - protected byte[] decryptKey(Element child) throws TrustException, WSSecurityException { + protected byte[] decryptKey(Element child) throws TrustException, WSSecurityException, Base64DecodingException { String encryptionAlgorithm = X509Util.getEncAlgo(child); // For the SPNEGO case just return the decoded cipher value and decrypt it later if (encryptionAlgorithm != null && encryptionAlgorithm.endsWith("spnego#GSS_Wrap")) { 
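Review bot: The rebuilt cancel policy no longer sets an AlgorithmSuite on the binding — the removed lines did `binding.setAlgorithmSuite(suite)` explicitly — so the new code depends on `DefaultSymmetricBinding` supplying one, and that class is not visible from this hunk; if it does not, the override policy for the Cancel request carries a symmetric binding with no algorithm suite. Two readability points on the same block: the local class `InternalProtectionToken` exists only to reach the protected `setToken` and deserves a one-line comment saying so (`// ProtectionToken.setToken is not public; subclass locally to attach the SCT`), and the positional booleans in `new SignedParts(SPConstants.SPVersion.SP12, true, null, headers, false)` are opaque at the call site, so annotate them (`// body=true, attachments=null, signAllHeaders=false`). `secureConversationToken.setOptional(true)` and `parts.setOptional(true)` keep the SCT and the signed parts optional exactly as before; that is pre-existing, but presumably it lets a Cancel go out unprotected when no token is at hand, which is worth a sentence in the method's Javadoc. The method this hunk patches starts before and ends after the hunk.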
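Review bot: `decryptKey` (and `createSecurityToken` in the hunk just above) now declares Santuario's checked `Base64DecodingException` next to WSSecurityException, which pushes a third-party encoding exception through a protected CXF API that subclasses override and callers catch. The commit already uses the four-argument `WSSecurityException(ErrorCode, String, Object[], Throwable)` form in STSTokenValidator, so the cleaner shape is to catch the decoding failure where the CipherValue is decoded and rethrow it as a WSSecurityException with ErrorCode.INVALID_SECURITY and a suitable message key, leaving the method signatures unchanged. The decode call itself and the rest of the method body are outside this hunk.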
@@ -1354,7 +1372,7 @@ public abstract class AbstractSTSClient } } if (cipherValue == null) { - throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "noCipher"); + throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noCipher"); } return cipherValue; } else { Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java Thu May 23 13:17:26 2013 
@@ -33,9 +33,9 @@ import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.message.token.UsernameToken;
-import org.apache.ws.security.validate.Credential;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.dom.validate.Credential;
 public class AuthPolicyValidatingInterceptor extends AbstractPhaseInterceptor {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java Thu May 23 13:17:26 2013
@@ -19,11 +19,11 @@
 package org.apache.cxf.ws.security.trust;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.validate.Credential;
-import org.apache.ws.security.validate.SamlAssertionValidator;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.validate.Credential;
+import org.apache.wss4j.dom.validate.SamlAssertionValidator;
 /**
  * This class validates a SAML Assertion by invoking the SamlAssertionValidator in WSS4J. It
@@ -56,7 +56,7 @@ public class STSSamlAssertionValidator e
 */
 @Override
 protected Credential verifySignedAssertion(
- AssertionWrapper assertion,
+ SamlAssertionWrapper assertion,
 RequestData data
 ) throws WSSecurityException {
 try {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java Thu May 23 13:17:26 2013
@@ -31,11 +31,11 @@ import org.apache.cxf.ws.security.Securi
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.tokenstore.TokenStoreFactory;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.validate.Credential;
-import org.apache.ws.security.validate.Validator;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.validate.Credential;
+import org.apache.wss4j.dom.validate.Validator;
 /**
  *
@@ -70,13 +70,13 @@ public class STSTokenValidator implement SecurityToken token = new SecurityToken(); Element tokenElement = null; int hash = 0; - if (credential.getAssertion() != null) { - AssertionWrapper assertion = credential.getAssertion(); + if (credential.getSamlAssertion() != null) { + SamlAssertionWrapper assertion = credential.getSamlAssertion(); byte[] signatureValue = assertion.getSignatureValue(); if (signatureValue != null && signatureValue.length > 0) { hash = Arrays.hashCode(signatureValue); } - tokenElement = credential.getAssertion().getElement(); + tokenElement = credential.getSamlAssertion().getElement(); } else if (credential.getUsernametoken() != null) { tokenElement = credential.getUsernametoken().getElement(); hash = credential.getUsernametoken().hashCode(); @@ -93,7 +93,7 @@ public class STSTokenValidator implement if (tokenStore != null && hash != 0) { SecurityToken transformedToken = getTransformedToken(tokenStore, hash); if (transformedToken != null) { - AssertionWrapper assertion = new AssertionWrapper(transformedToken.getToken()); + SamlAssertionWrapper assertion = new SamlAssertionWrapper(transformedToken.getToken()); credential.setTransformedToken(assertion); return credential; } @@ -106,7 +106,7 @@ public class STSTokenValidator implement List tokens = c.validateSecurityToken(token); SecurityToken returnedToken = tokens.get(0); if (returnedToken != token) { - AssertionWrapper assertion = new AssertionWrapper(returnedToken.getToken()); + SamlAssertionWrapper assertion = new SamlAssertionWrapper(returnedToken.getToken()); credential.setTransformedToken(assertion); if (hash != 0) { tokenStore.add(returnedToken); @@ -119,7 +119,7 @@ public class STSTokenValidator implement } catch (RuntimeException e) { throw e; } catch (Exception e) { - throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e); + throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", null, e); } } 
@@ -147,14 +147,14 @@ public class STSTokenValidator implement protected boolean isValidatedLocally(Credential credential, RequestData data) throws WSSecurityException { - if (!alwaysValidateToSts && credential.getAssertion() != null) { + if (!alwaysValidateToSts && credential.getSamlAssertion() != null) { try { samlValidator.validate(credential, data); return samlValidator.isTrustVerificationSucceeded(); } catch (RuntimeException e) { throw e; } catch (Exception e) { - throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e); + throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", null, e); } } return false; Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java Thu May 23 13:17:26 2013 @@ -19,6 +19,7 @@ package org.apache.cxf.ws.security.trust; +import javax.xml.bind.JAXBException; import javax.xml.namespace.QName; import org.apache.cxf.Bus; @@ -44,9 +45,11 @@ import org.apache.cxf.service.model.Oper import org.apache.cxf.service.model.ServiceInfo; import org.apache.cxf.transport.ConduitInitiator; import org.apache.cxf.transport.ConduitInitiatorManager; +import org.apache.cxf.ws.addressing.EndpointReferenceType; +import org.apache.cxf.ws.addressing.VersionTransformer; import org.apache.cxf.ws.security.SecurityConstants; -import org.apache.cxf.ws.security.policy.model.IssuedToken; import org.apache.neethi.Policy; +import org.apache.wss4j.policy.model.IssuedToken; /** * 
@@ -102,12 +105,18 @@ public final class STSUtils { if (MessageUtils.getContextualBoolean(message, SecurityConstants.STS_CLIENT_SOAP12_BINDING, false)) { client.setSoap12(); } - if ((itok != null) && (itok.getIssuerEpr() != null)) { + if ((itok != null) && (itok.getIssuer() != null)) { + EndpointReferenceType epr = null; + try { + epr = VersionTransformer.parseEndpointReference(itok.getIssuer()); + } catch (JAXBException e) { + throw new IllegalArgumentException(e); + } //configure via mex boolean useEPRWSAAddrAsMEXLocation = !Boolean.valueOf( (String)message.getContextualProperty( SecurityConstants.DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS)); - client.configureViaEPR(itok.getIssuerEpr(), useEPRWSAAddrAsMEXLocation); + client.configureViaEPR(epr, useEPRWSAAddrAsMEXLocation); } } return client; Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java Thu May 23 13:17:26 2013 
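Review bot: The new `catch (JAXBException e) { throw new IllegalArgumentException(e); }` drops all context — the message is whatever JAXB produced — and introduces an exception on a path that previously could not throw, so callers of `getClient(...)` now see an IllegalArgumentException with no hint that the IssuedToken Issuer EPR is what failed. The Issuer element being parsed comes from the IssuedToken policy, which may itself have been fetched from a remote WSDL, and the resulting address is used as the WS-MEX location unless DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS is set, so a malformed or unexpected Issuer deserves a message that names it: `throw new IllegalArgumentException("Unable to parse the IssuedToken Issuer EndpointReference", e);`. The method this hunk patches starts before the hunk.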
@@ -33,13 +33,13 @@ import org.apache.cxf.binding.soap.SoapM
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.UsernameToken;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.UsernameToken;
 /**
  * This CallbackHandler implementation obtains the previously received message from a
@@ -97,8 +97,8 @@ public class ReceivedTokenCallbackHandle Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); if (actInt.intValue() == WSConstants.ST_SIGNED || actInt.intValue() == WSConstants.ST_UNSIGNED) { - AssertionWrapper assertion = - (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); + SamlAssertionWrapper assertion = + (SamlAssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); return assertion.getElement(); } else if (actInt.intValue() == WSConstants.UT || actInt.intValue() == WSConstants.UT_NOPASSWORD) { Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java Thu May 23 13:17:26 2013 
@@ -31,7 +31,7 @@ import org.w3c.dom.Node;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.ws.security.message.token.UsernameToken;
+import org.apache.wss4j.dom.message.token.UsernameToken;
 /**
  * This CallbackHandler implementation obtains a username via the jaxws property

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java Thu May 23 13:17:26 2013
@@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.wss4j
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 import java.util.logging.Logger;
@@ -48,11 +49,13 @@ import org.apache.cxf.ws.policy.Assertio import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.cxf.ws.policy.PolicyException; import org.apache.cxf.ws.security.SecurityConstants; -import org.apache.cxf.ws.security.policy.SP12Constants; -import org.apache.cxf.ws.security.policy.model.Token; import org.apache.cxf.ws.security.tokenstore.TokenStore; -import org.apache.ws.security.WSConstants; -import org.apache.ws.security.WSPasswordCallback; +import org.apache.wss4j.common.ext.WSPasswordCallback; +import org.apache.wss4j.dom.WSConstants; +import org.apache.wss4j.policy.SP11Constants; +import org.apache.wss4j.policy.SP12Constants; +import org.apache.wss4j.policy.SPConstants; +import org.apache.wss4j.policy.model.AbstractToken; /** * An abstract interceptor that can be used to form the basis of an interceptor to add and process @@ -70,6 +73,7 @@ public abstract class AbstractTokenInter super(Phase.PRE_PROTOCOL); addAfter(PolicyBasedWSS4JOutInterceptor.class.getName()); addAfter(PolicyBasedWSS4JInInterceptor.class.getName()); + addAfter(PolicyBasedWSS4JStaxInInterceptor.class.getName()); } public Set getUnderstoodHeaders() { @@ -78,6 +82,12 @@ public abstract class AbstractTokenInter public void handleMessage(SoapMessage message) throws Fault { + boolean enableStax = + MessageUtils.isTrue(message.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY)); + if (enableStax) { + return; + } + boolean isReq = MessageUtils.isRequestor(message); boolean isOut = MessageUtils.isOutbound(message); 
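Review bot: The early return added at the top of handleMessage switches off every token interceptor built on this class without saying why, so a reader hitting it will not know whether the token is dropped or handled elsewhere; a comment such as `// Streaming (StAX) security processes tokens itself; this DOM-based interceptor must stay out of its way (see the PolicyBasedWSS4JStaxInInterceptor ordering in the constructor)` above the `if (enableStax)` block would close that gap. The flag is also read in a different idiom from the rest of this commit: AbstractWSS4JInterceptor uses `MessageUtils.getContextualBoolean(msg, ..., true)`, so `boolean enableStax = MessageUtils.getContextualBoolean(message, SecurityConstants.ENABLE_STREAMING_SECURITY, false);` would be consistent and make the default explicit. handleMessage's body continues past the end of the hunk.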
@@ -106,26 +116,64 @@ public abstract class AbstractTokenInter protected abstract void addToken(SoapMessage message); - protected abstract Token assertTokens(SoapMessage message); + protected abstract AbstractToken assertTokens(SoapMessage message); - protected Token assertTokens(SoapMessage message, QName assertion, boolean signed) { + protected boolean assertPolicy(AssertionInfoMap aim, String localname) { + Collection ais = getAllAssertionsByLocalname(aim, localname); + if (!ais.isEmpty()) { + for (AssertionInfo ai : ais) { + ai.setAsserted(true); + } + return true; + } + return false; + } + + protected boolean assertPolicy(AssertionInfoMap aim, QName name) { + Collection ais = aim.getAssertionInfo(name); + if (ais != null && !ais.isEmpty()) { + for (AssertionInfo ai : ais) { + ai.setAsserted(true); + } + return true; + } + return false; + } + + protected Collection getAllAssertionsByLocalname( + AssertionInfoMap aim, + String localname + ) { + Collection sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname)); + Collection sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname)); + + if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) { + Collection ais = new HashSet(); + if (sp11Ais != null) { + ais.addAll(sp11Ais); + } + if (sp12Ais != null) { + ais.addAll(sp12Ais); + } + return ais; + } + + return Collections.emptySet(); + } + + protected AbstractToken assertTokens(SoapMessage message, String localname, boolean signed) { AssertionInfoMap aim = message.get(AssertionInfoMap.class); - Collection ais = aim.getAssertionInfo(assertion); - Token tok = null; + Collection ais = getAllAssertionsByLocalname(aim, localname); + AbstractToken tok = null; for (AssertionInfo ai : ais) { - tok = (Token)ai.getAssertion(); + tok = (AbstractToken)ai.getAssertion(); ai.setAsserted(true); } - ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS); - for (AssertionInfo ai : ais) { - ai.setAsserted(true); - } + + assertPolicy(aim, 
SPConstants.SUPPORTING_TOKENS); if (signed || isTLSInUse(message)) { - ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS); - for (AssertionInfo ai : ais) { - ai.setAsserted(true); - } + assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS); } return tok; } @@ -190,7 +238,8 @@ public abstract class AbstractTokenInter return sh; } - protected String getPassword(String userName, Token info, int type, SoapMessage message) { + protected String getPassword(String userName, AbstractToken info, + WSPasswordCallback.Usage usage, SoapMessage message) { //Then try to get the password from the given callback handler CallbackHandler handler = getCallback(message); @@ -199,7 +248,7 @@ public abstract class AbstractTokenInter return null; } - WSPasswordCallback[] cb = {new WSPasswordCallback(userName, type)}; + WSPasswordCallback[] cb = {new WSPasswordCallback(userName, usage)}; try { handler.handle(cb); } catch (Exception e) { @@ -210,14 +259,13 @@ public abstract class AbstractTokenInter return cb[0].getPassword(); } - protected void policyNotAsserted(Token assertion, String reason, SoapMessage message) { + protected void policyNotAsserted(AbstractToken assertion, String reason, SoapMessage message) { if (assertion == null) { return; } AssertionInfoMap aim = message.get(AssertionInfoMap.class); - Collection ais; - ais = aim.get(assertion.getName()); + Collection ais = aim.get(assertion.getName()); if (ais != null) { for (AssertionInfo ai : ais) { if (ai.getAssertion() == assertion) { 
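Review bot: In the rewritten `assertTokens(SoapMessage, String, boolean)` the local `tok` is overwritten on every iteration, and because getAllAssertionsByLocalname now merges the SP 1.1 and SP 1.2 matches into a `HashSet`, the token returned when a policy carries both namespaces depends on hash iteration order rather than on anything in the policy. The replaced code iterated a single namespace's `AssertionInfo` collection, so "last one wins" was at least stable. If a single token is intended, either stop at the first match or build the merged collection in an ordered container (a `java.util.LinkedHashSet`, which would need an import) so that SP 1.1 entries are always visited before SP 1.2 ones, and say which one wins in the method's Javadoc. Note that every matching assertion is still marked asserted before any token in the message has been examined; that mirrors the old behaviour, but the new helpers make it worth a comment. This hunk begins on the previous line and the class continues outside it.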
@@ -230,13 +278,12 @@ public abstract class AbstractTokenInter } } - protected void policyNotAsserted(Token assertion, Exception reason, SoapMessage message) { + protected void policyNotAsserted(AbstractToken assertion, Exception reason, SoapMessage message) { if (assertion == null) { return; } AssertionInfoMap aim = message.get(AssertionInfoMap.class); - Collection ais; - ais = aim.get(assertion.getName()); + Collection ais = aim.get(assertion.getName()); if (ais != null) { for (AssertionInfo ai : ais) { if (ai.getAssertion() == assertion) { Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java Thu May 23 13:17:26 2013 @@ -35,11 +35,11 @@ import org.apache.cxf.interceptor.securi import org.apache.cxf.message.Message; import org.apache.cxf.phase.PhaseInterceptorChain; import org.apache.cxf.security.SecurityContext; -import org.apache.ws.security.WSSecurityEngine; -import org.apache.ws.security.WSSecurityException; -import org.apache.ws.security.handler.RequestData; -import org.apache.ws.security.validate.UsernameTokenValidator; -import org.apache.ws.security.validate.Validator; +import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.dom.WSSecurityEngine; +import org.apache.wss4j.dom.handler.RequestData; +import org.apache.wss4j.dom.validate.UsernameTokenValidator; +import org.apache.wss4j.dom.validate.Validator; /** 
@@ -139,13 +139,15 @@ public abstract class AbstractUsernameTo } catch (Exception ex) { String errorMessage = "Failed Authentication : Subject has not been created"; LOG.severe(errorMessage); - throw new WSSecurityException(errorMessage, ex); + throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, + ex); } if (subject == null || subject.getPrincipals().size() == 0 || !subject.getPrincipals().iterator().next().getName().equals(name)) { String errorMessage = "Failed Authentication : Invalid Subject"; LOG.severe(errorMessage); - throw new WSSecurityException(errorMessage); + throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, + new Exception(errorMessage)); } msg.put(Subject.class, subject); } @@ -182,7 +184,7 @@ public abstract class AbstractUsernameTo @Override protected void verifyCustomPassword( - org.apache.ws.security.message.token.UsernameToken usernameToken, + org.apache.wss4j.dom.message.token.UsernameToken usernameToken, RequestData data ) throws WSSecurityException { AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject( @@ -192,7 +194,7 @@ public abstract class AbstractUsernameTo @Override protected void verifyPlaintextPassword( - org.apache.ws.security.message.token.UsernameToken usernameToken, + org.apache.wss4j.dom.message.token.UsernameToken usernameToken, RequestData data ) throws WSSecurityException { AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject( 
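Review bot: The second throw wraps a plain string in `new Exception(errorMessage)` only to carry text into the `WSSecurityException` cause, which manufactures a stack trace with no real origin and is inconsistent with verifyDigestPassword later in this commit, which throws `new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION)` with no cause. The reason for the rejection is already recorded server-side by `LOG.severe(errorMessage)`, which is where it belongs for an authentication failure, so `throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);` is enough here. Whether the wrapped cause's message could otherwise leak into the SOAP fault depends on how WSS4J renders the exception, which is not visible in this hunk. The enclosing method starts before the hunk.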
@@ -202,11 +204,11 @@ public abstract class AbstractUsernameTo @Override protected void verifyDigestPassword( - org.apache.ws.security.message.token.UsernameToken usernameToken, + org.apache.wss4j.dom.message.token.UsernameToken usernameToken, RequestData data ) throws WSSecurityException { if (!supportDigestPasswords) { - throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION); + throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION); } String user = usernameToken.getName(); String password = usernameToken.getPassword(); @@ -220,7 +222,7 @@ public abstract class AbstractUsernameTo @Override protected void verifyUnknownPassword( - org.apache.ws.security.message.token.UsernameToken usernameToken, + org.apache.wss4j.dom.message.token.UsernameToken usernameToken, RequestData data ) throws WSSecurityException { AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject( Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java Thu May 23 13:17:26 2013 
@@ -40,13 +40,13 @@ import org.apache.cxf.message.MessageUti import org.apache.cxf.phase.PhaseInterceptor; import org.apache.cxf.resource.ResourceManager; import org.apache.cxf.ws.security.SecurityConstants; -import org.apache.ws.security.WSConstants; -import org.apache.ws.security.WSSecurityException; -import org.apache.ws.security.components.crypto.Crypto; -import org.apache.ws.security.components.crypto.CryptoFactory; -import org.apache.ws.security.handler.RequestData; -import org.apache.ws.security.handler.WSHandler; -import org.apache.ws.security.handler.WSHandlerConstants; +import org.apache.wss4j.common.crypto.Crypto; +import org.apache.wss4j.common.crypto.CryptoFactory; +import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.dom.WSConstants; +import org.apache.wss4j.dom.handler.RequestData; +import org.apache.wss4j.dom.handler.WSHandler; +import org.apache.wss4j.dom.handler.WSHandlerConstants; public abstract class AbstractWSS4JInterceptor extends WSHandler implements SoapInterceptor, PhaseInterceptor { @@ -190,6 +190,16 @@ public abstract class AbstractWSS4JInter if (certConstraints != null) { msg.setContextualProperty(WSHandlerConstants.SIG_SUBJECT_CERT_CONSTRAINTS, certConstraints); } + + // Now set SAML SenderVouches + Holder Of Key requirements + boolean validateSAMLSubjectConf = + MessageUtils.getContextualBoolean( + msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, true + ); + msg.setContextualProperty( + WSHandlerConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, + Boolean.toString(validateSAMLSubjectConf) + ); } @Override
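Review bot: The new SAML subject-confirmation block should state that its `true` default is a security choice, because a reader who sees a configurable flag may assume both settings are equally safe. Replace `// Now set SAML SenderVouches + Holder Of Key requirements` with a comment along the lines of `// Forward VALIDATE_SAML_SUBJECT_CONFIRMATION to WSS4J. Defaults to true so that sender-vouches and holder-of-key assertions must be backed by the corresponding signature / key proof (per WSS4J's subject-confirmation checks); disabling it should be a deliberate, documented decision.` The value is forwarded through `Boolean.toString`, presumably because WSHandler reads its configuration as strings; worth confirming against the WSS4J API so a `Boolean` is not silently ignored. The enclosing method begins outside the hunk.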