cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1513893 - in /cxf/branches/2.7.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/ systests/ws-...
Date Wed, 14 Aug 2013 14:24:39 GMT
Author: coheigea
Date: Wed Aug 14 14:24:38 2013
New Revision: 1513893

URL: http://svn.apache.org/r1513893
Log:
[CXF-5200] - Support newer signature algorithms in WS-SecurityPolicy (such as RSA-SHA256)


Conflicts:
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
	systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/StaxX509TokenTest.java
	systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml

Modified:
    cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
    cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
    cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
    cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
    cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
    cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
    cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml

Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1513893&r1=1513892&r2=1513893&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Wed Aug 14 14:24:38 2013
@@ -298,6 +298,14 @@ public final class SecurityConstants {
      */
     public static final String SUBJECT_ROLE_CLASSIFIER_TYPE = "ws-security.role.classifier.type";
     
+    /**
+     * This configuration tag allows the user to override the default Asymmetric Signature

+     * algorithm (RSA-SHA1) for use in WS-SecurityPolicy, as the WS-SecurityPolicy specification
+     * does not allow the use of other algorithms at present.
+     */
+    public static final String ASYMMETRIC_SIGNATURE_ALGORITHM = 
+        "ws-security.asymmetric.signature.algorithm";
+    
     //
     // Validator implementations for validating received security tokens
     //
@@ -480,7 +488,8 @@ public final class SecurityConstants {
             STS_TOKEN_DO_CANCEL, CACHE_ISSUED_TOKEN_IN_ENDPOINT,
             DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO,
             STS_TOKEN_PROPERTIES, STS_TOKEN_USERNAME, STS_TOKEN_ACT_AS, STS_TOKEN_ON_BEHALF_OF,
-            TOKEN, TOKEN_ID, SUBJECT_ROLE_CLASSIFIER, SUBJECT_ROLE_CLASSIFIER_TYPE, MUST_UNDERSTAND
+            TOKEN, TOKEN_ID, SUBJECT_ROLE_CLASSIFIER, SUBJECT_ROLE_CLASSIFIER_TYPE, MUST_UNDERSTAND,
+            ASYMMETRIC_SIGNATURE_ALGORITHM
         }));
         ALL_PROPERTIES = Collections.unmodifiableSet(s);
     }

Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java?rev=1513893&r1=1513892&r2=1513893&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
Wed Aug 14 14:24:38 2013
@@ -139,7 +139,7 @@ public final class AlgorithmSuiteTransla
     /**
      * Get all of the WS-SecurityPolicy Bindings that are in operation
      */
-    private List<Binding> getBindings(AssertionInfoMap aim) {
+    public static List<Binding> getBindings(AssertionInfoMap aim) {
         List<Binding> bindings = new ArrayList<Binding>();
         if (aim != null) {
             Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
@@ -167,7 +167,7 @@ public final class AlgorithmSuiteTransla
     /**
      * Get all of the CXF AlgorithmSuites from the bindings
      */
-    private List<org.apache.cxf.ws.security.policy.model.AlgorithmSuite> getAlgorithmSuites(
+    public static List<org.apache.cxf.ws.security.policy.model.AlgorithmSuite> getAlgorithmSuites(
         List<Binding> bindings
     ) {
         List<org.apache.cxf.ws.security.policy.model.AlgorithmSuite> algorithmSuites
= 

Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1513893&r1=1513892&r2=1513893&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Wed Aug 14 14:24:38 2013
@@ -42,7 +42,6 @@ import javax.xml.xpath.XPathFactory;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
-
 import org.apache.cxf.Bus;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
@@ -59,6 +58,7 @@ import org.apache.cxf.ws.policy.Assertio
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.SP11Constants;
 import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
 import org.apache.cxf.ws.security.policy.model.ContentEncryptedElements;
 import org.apache.cxf.ws.security.policy.model.Header;
 import org.apache.cxf.ws.security.policy.model.RequiredElements;
@@ -500,6 +500,14 @@ public class PolicyBasedWSS4JInIntercept
     protected void setAlgorithmSuites(SoapMessage message, RequestData data) throws WSSecurityException
{
         AlgorithmSuiteTranslater translater = new AlgorithmSuiteTranslater();
         translater.translateAlgorithmSuites(message.get(AssertionInfoMap.class), data);
+        
+        // Allow for setting non-standard asymmetric signature algorithms
+        String asymSignatureAlgorithm = 
+            (String)message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
+        if (asymSignatureAlgorithm != null && data.getAlgorithmSuite() != null) {
+            data.getAlgorithmSuite().getSignatureMethods().clear();
+            data.getAlgorithmSuite().getSignatureMethods().add(asymSignatureAlgorithm);
+        }
     }
 
     protected void computeAction(SoapMessage message, RequestData data) throws WSSecurityException
{
@@ -517,6 +525,22 @@ public class PolicyBasedWSS4JInIntercept
             if ("".equals(action) || (ais != null && !ais.isEmpty())) {
                 action = checkDefaultBinding(aim, action, message);
             }
+            
+            // Allow for setting non-standard asymmetric signature algorithms
+            String asymSignatureAlgorithm = 
+                (String)message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
+            if (asymSignatureAlgorithm != null) {
+                List<AlgorithmSuite> algorithmSuites = 
+                    AlgorithmSuiteTranslater.getAlgorithmSuites(
+                        AlgorithmSuiteTranslater.getBindings(aim)
+                    );
+                if (algorithmSuites != null && !algorithmSuites.isEmpty()) {
+                    for (AlgorithmSuite algorithmSuite : algorithmSuites) {
+                        algorithmSuite.setAsymmetricSignature(asymSignatureAlgorithm);
+                    }
+                }
+            }
+            
             checkUsernameToken(aim, message);
             
             // stuff we can default to asserted and un-assert if a condition isn't met

Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java?rev=1513893&r1=1513892&r2=1513893&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
Wed Aug 14 14:24:38 2013
@@ -157,7 +157,14 @@ public class PolicyBasedWSS4JOutIntercep
                     if (config == null) {
                         config = WSSConfig.getNewInstance();
                     }
+
                     translateProperties(message, config);
+                    
+                    String asymSignatureAlgorithm = 
+                        (String)message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
+                    if (asymSignatureAlgorithm != null && transport.getAlgorithmSuite()
!= null) {
+                        transport.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
+                    }
 
                     if (transport instanceof TransportBinding) {
                         new TransportBindingHandler(config, (TransportBinding)transport,
saaj,

Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1513893&r1=1513892&r2=1513893&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
(original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
Wed Aug 14 14:24:38 2013
@@ -237,6 +237,29 @@ public class X509TokenTest extends Abstr
     }
     
     @org.junit.Test
+    public void testAsymmetricSHA256() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricSHA256Port");
+        DoubleItPortType x509Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(x509Port, PORT);
+        
+        x509Port.doubleIt(25);
+        
+        ((java.io.Closeable)x509Port).close();
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
     public void testAsymmetricThumbprint() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();

Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl?rev=1513893&r1=1513892&r2=1513893&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
(original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
Wed Aug 14 14:24:38 2013
@@ -125,6 +125,25 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItAsymmetricSHA256Binding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItAsymmetricSHA256Policy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
     <wsdl:binding name="DoubleItAsymmetricThumbprintBinding" type="tns:DoubleItPortType">
         <wsp:PolicyReference URI="#DoubleItAsymmetricThumbprintPolicy" />
         <soap:binding style="document"
@@ -422,6 +441,10 @@
                    binding="tns:DoubleItAsymmetricIssuerSerialBinding">
             <soap:address location="http://localhost:9001/DoubleItX509Asymmetric" />
         </wsdl:port>
+        <wsdl:port name="DoubleItAsymmetricSHA256Port" 
+                   binding="tns:DoubleItAsymmetricSHA256Binding">
+            <soap:address location="http://localhost:9001/DoubleItX509AsymmetricSHA256"
/>
+        </wsdl:port>
         <wsdl:port name="DoubleItAsymmetricThumbprintPort" 
                    binding="tns:DoubleItAsymmetricThumbprintBinding">
             <soap:address location="http://localhost:9001/DoubleItX509AsymmetricThumbprint"
/>
@@ -653,6 +676,50 @@
       </wsp:ExactlyOne>
     </wsp:Policy>
     
+    <wsp:Policy wsu:Id="DoubleItAsymmetricSHA256Policy">
+      <wsp:ExactlyOne>
+         <wsp:All>
+            <sp:AsymmetricBinding>
+               <wsp:Policy>
+                  <sp:InitiatorToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:InitiatorToken>
+                  <sp:RecipientToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:RecipientToken>
+                  <sp:Layout>
+                     <wsp:Policy>
+                        <sp:Lax/>
+                     </wsp:Policy>
+                  </sp:Layout>
+                  <sp:IncludeTimestamp/>
+                  <sp:OnlySignEntireHeadersAndBody/>
+                  <sp:AlgorithmSuite>
+                     <wsp:Policy>
+                        <sp:Basic128Sha256 />
+                     </wsp:Policy>
+                  </sp:AlgorithmSuite>
+               </wsp:Policy>
+            </sp:AsymmetricBinding>
+         </wsp:All>
+      </wsp:ExactlyOne>
+    </wsp:Policy>
+    
+    
     <wsp:Policy wsu:Id="DoubleItAsymmetricThumbprintPolicy">
       <wsp:ExactlyOne>
          <wsp:All>

Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1513893&r1=1513892&r2=1513893&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
(original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
Wed Aug 14 14:24:38 2013
@@ -98,6 +98,22 @@
        </jaxws:properties>
     </jaxws:client>
     
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricSHA256Port"

+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.encryption.properties"
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.encryption.username" value="bob"/>
+           <entry key="ws-security.signature.properties"
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>

+           <entry key="ws-security.signature.username" value="alice"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.asymmetric.signature.algorithm" 
+                  value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+       </jaxws:properties>
+    </jaxws:client>
+    
     <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricThumbprintPort"

                   createdFromAPI="true">
        <jaxws:properties>

Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1513893&r1=1513892&r2=1513893&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
(original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
Wed Aug 14 14:24:38 2013
@@ -187,6 +187,29 @@
     </jaxws:endpoint> 
     
     <jaxws:endpoint 
+       id="AsymmetricSHA256"
+       address="http://localhost:${testutil.ports.Server}/DoubleItX509AsymmetricSHA256" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItAsymmetricSHA256Port"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+        
+       <jaxws:properties>
+          <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+          <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>

+          <entry key="ws-security.encryption.username" value="alice"/>
+          <entry key="ws-security.asymmetric.signature.algorithm" 
+                 value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
+    <jaxws:endpoint 
        id="AsymmetricThumbprint"
        address="http://localhost:${testutil.ports.Server}/DoubleItX509AsymmetricThumbprint"

        serviceName="s:DoubleItService"



Mime
View raw message