
From cohei...@apache.org
Subject svn commit: r1519638 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/ systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/
Date Tue, 03 Sep 2013 10:35:08 GMT
Author: coheigea
Date: Tue Sep  3 10:35:08 2013
New Revision: 1519638

URL: http://svn.apache.org/r1519638
Log:
[CXF-5248] - Signed SAML assertion validation error w/ SupportingTokens only policy
 - Added tests + some other bits and pieces

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java?rev=1519638&r1=1519637&r2=1519638&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
Tue Sep  3 10:35:08 2013
@@ -200,17 +200,16 @@ public class PolicyBasedWSS4JStaxInInter
     
     private void checkTransportBinding(
         AssertionInfoMap aim, SoapMessage message
-    ) throws WSSecurityException {
-        Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
-        if (ais.isEmpty()) {
+    ) throws XMLSecurityException {
+        boolean transportPolicyInEffect = 
+            !getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING).isEmpty();
+        if (!transportPolicyInEffect && !(getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING).isEmpty()
+            && getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING).isEmpty()))
{
             return;
         }
         
         // Add a HttpsSecurityEvent so the policy verification code knows TLS is in use
         if (isRequestor(message)) {
-            List<SecurityEvent> securityEvents = getSecurityEventList(message);
-            
             HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
             httpsTokenSecurityEvent.setAuthenticationType(
                 HttpsTokenSecurityEvent.AuthenticationType.HttpsNoAuthentication
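Review bot: The new early-return condition right after `transportPolicyInEffect` is a double negation (`!transportPolicyInEffect && !(a.isEmpty() && b.isEmpty())`) that a reader has to invert by hand before seeing that the method now also runs when no binding at all is in effect. Naming the second operand makes the intent explicit: `boolean otherBindingInEffect = !getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING).isEmpty() || !getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING).isEmpty();` followed by `if (!transportPolicyInEffect && otherBindingInEffect) {`. Since the no-binding case is exactly what CXF-5248 is about, the branch also deserves a comment stating why a policy with only SupportingTokens is handled like a TransportBinding here, in particular that the requestor-side HttpsTokenSecurityEvent below is then emitted for such a policy as well. checkTransportBinding continues past the end of the hunk.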
@@ -222,6 +221,8 @@ public class PolicyBasedWSS4JStaxInInter
                 LOG.fine(e.getMessage());
             }
             httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
+
+            List<SecurityEvent> securityEvents = getSecurityEventList(message);
             securityEvents.add(httpsTokenSecurityEvent);
         }
         
@@ -233,7 +234,7 @@ public class PolicyBasedWSS4JStaxInInter
         if (e == null) {
             e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
         }
-        
+
         Crypto encrCrypto = getEncryptionCrypto(e, message);
         Crypto signCrypto = null;
         if (e != null && e.equals(s)) {
@@ -241,12 +242,12 @@ public class PolicyBasedWSS4JStaxInInter
         } else {
             signCrypto = getSignatureCrypto(s, message);
         }
-        
+
         if (signCrypto != null) {
             message.put(WSHandlerConstants.DEC_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
             message.put("RefId-" + signCrypto.hashCode(), signCrypto);
         }
-        
+
         if (encrCrypto != null) {
             message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
             message.put("RefId-" + encrCrypto.hashCode(), (Crypto)encrCrypto);
@@ -255,7 +256,7 @@ public class PolicyBasedWSS4JStaxInInter
             message.put("RefId-" + signCrypto.hashCode(), (Crypto)signCrypto);
         }
     }
-    
+
     private List<SecurityEvent> getSecurityEventList(Message message) {
         @SuppressWarnings("unchecked")
         List<SecurityEvent> securityEvents = 
@@ -384,7 +385,7 @@ public class PolicyBasedWSS4JStaxInInter
     }
     
     @Override
-    protected void configureProperties(SoapMessage msg) throws WSSecurityException {
+    protected void configureProperties(SoapMessage msg) throws XMLSecurityException {
         AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
         checkAsymmetricBinding(aim, msg);
         checkSymmetricBinding(aim, msg);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java?rev=1519638&r1=1519637&r2=1519638&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
Tue Sep  3 10:35:08 2013
@@ -23,6 +23,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
 import java.security.Principal;
+import java.security.cert.Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -32,7 +33,6 @@ import javax.security.auth.callback.Call
 import javax.xml.namespace.QName;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.Bus;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
@@ -45,6 +45,7 @@ import org.apache.cxf.interceptor.securi
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.resource.ResourceManager;
 import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
@@ -64,6 +65,7 @@ import org.apache.wss4j.dom.handler.Requ
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.processor.SAMLTokenProcessor;
+import org.apache.wss4j.dom.saml.DOMSAMLUtil;
 import org.apache.wss4j.dom.validate.Validator;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
@@ -126,6 +128,20 @@ public class SamlTokenInterceptor extend
                                 if (!checkVersion(aim, samlToken, assertionWrapper)) {
                                     ai.setNotAsserted("Wrong SAML Version");
                                 }
+                                
+                                TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+                                Certificate[] tlsCerts = null;
+                                if (tlsInfo != null) {
+                                    tlsCerts = tlsInfo.getPeerCertificates();
+                                }
+                                if (!DOMSAMLUtil.checkHolderOfKey(assertionWrapper, null,
tlsCerts)) {
+                                    ai.setNotAsserted("Assertion fails holder-of-key requirements");
+                                    continue;
+                                }
+                                if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts,
null, null)) {
+                                    ai.setNotAsserted("Assertion fails sender-vouches requirements");
+                                    continue;
+                                }
                             }
                         }
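Review bot: Both new confirmation checks pass `null` where DOMSAMLUtil takes the message's signed results (`checkHolderOfKey(assertionWrapper, null, tlsCerts)` and `checkSenderVouches(assertionWrapper, tlsCerts, null, null)`), so, if I read those signatures correctly, a holder-of-key or sender-vouches assertion can only be confirmed through the TLS peer certificates and is rejected when the proof is a message-level signature instead. If that is the intended contract of this interceptor, a comment above the `TLSSessionInfo` lookup should say so, e.g. `// No signed results are available here: HOK / SV confirmation can only be satisfied via the TLS client certificate`. Note also that a failing `checkVersion` sets the assertion not-asserted but falls through into these checks, whereas the two new failures `continue`; harmless, but worth aligning. The enclosing loop and method begin and end outside the hunk.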
                         
@@ -184,6 +200,9 @@ public class SamlTokenInterceptor extend
         };
         data.setWssConfig(WSSConfig.getNewInstance());
         
+        data.setSigVerCrypto(getCrypto(null, SecurityConstants.SIGNATURE_CRYPTO,
+                                     SecurityConstants.SIGNATURE_PROPERTIES, message));
+        
         SAMLTokenProcessor p = new SAMLTokenProcessor();
         List<WSSecurityEngineResult> results = 
             p.handleToken(tokenElement, data, wsDocInfo);
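Review bot: The signature-verification Crypto is resolved on every inbound token and the result is never inspected; if `getCrypto` yields null when neither `SIGNATURE_CRYPTO` nor `SIGNATURE_PROPERTIES` is configured (its body is not visible here), a signed assertion then fails inside SAMLTokenProcessor with a generic error rather than one naming the missing configuration. A guard such as `if (data.getSigVerCrypto() == null) { LOG.fine("No signature Crypto configured; signed SAML assertions cannot be verified"); }` (assuming the class has a logger) makes that failure mode diagnosable. The method continues outside the hunk.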

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java?rev=1519638&r1=1519637&r2=1519638&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
Tue Sep  3 10:35:08 2013
@@ -58,6 +58,7 @@ import org.apache.wss4j.stax.ext.Inbound
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
 import org.apache.wss4j.stax.validate.Validator;
+import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
 
@@ -156,6 +157,8 @@ public class WSS4JStaxInInterceptor exte
             // processing in the WS-Stack.
         } catch (WSSecurityException e) {
             throw createSoapFault(soapMessage.getVersion(), e);
+        } catch (XMLSecurityException e) {
+            throw new SoapFault(new Message("STAX_EX", LOG), e, soapMessage.getVersion().getSender());
         } catch (WSSPolicyException e) {
             throw new SoapFault(e.getMessage(), e, soapMessage.getVersion().getSender());
         } catch (XMLStreamException e) {
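Review bot: The new catch turns an XMLSecurityException into a fault that carries only the fixed `STAX_EX` message, so the underlying reason is not sent to the client; unlike the `WSSPolicyException` branch right below, which echoes `e.getMessage()`, that is the safer default for a security failure. Nothing in the hunk records the cause server-side, though, so a verification failure in streaming mode leaves no trace unless the fault's cause is logged further up. Adding `LOG.fine(e.getMessage());` before the throw keeps it diagnosable without widening what the client sees. The order of the two catches is correct, WSSecurityException being the more specific type.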
@@ -179,7 +182,7 @@ public class WSS4JStaxInInterceptor exte
         return Collections.singletonList(securityEventListener);
     }
     
-    protected void configureProperties(SoapMessage msg) throws WSSecurityException {
+    protected void configureProperties(SoapMessage msg) throws XMLSecurityException {
         WSSSecurityProperties securityProperties = getSecurityProperties();
         Map<String, Object> config = getProperties();
         

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1519638&r1=1519637&r2=1519638&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
Tue Sep  3 10:35:08 2013
@@ -32,6 +32,7 @@ import org.apache.cxf.systest.ws.saml.cl
 import org.apache.cxf.systest.ws.saml.client.SamlElementCallbackHandler;
 import org.apache.cxf.systest.ws.saml.client.SamlRoleCallbackHandler;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.wss4j.common.saml.builder.SAML2Constants;
 import org.example.contract.doubleit.DoubleItPortType;
@@ -221,6 +222,54 @@ public class SamlTokenTest extends Abstr
         bus.shutdown(true);
     }
     
+    // Self-signing (see CXF-5248)
+    @org.junit.Test
+    public void testSaml1SupportingSelfSigned() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSaml1SupportingPort");
+        DoubleItPortType saml1Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(saml1Port, PORT2);
+        
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", new SamlCallbackHandler(false)
+        );
+        
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            SecurityConstants.SELF_SIGN_SAML_ASSERTION, true
+        );
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            SecurityConstants.SIGNATURE_USERNAME, "alice"
+        );
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            SecurityConstants.SIGNATURE_PROPERTIES, "alice.properties"
+        );
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            SecurityConstants.CALLBACK_HANDLER, 
+            "org.apache.cxf.systest.ws.common.KeystorePasswordCallback"
+        );
+        
+        // DOM
+        int result = saml1Port.doubleIt(25);
+        assertTrue(result == 50);
+        
+        // Streaming
+        SecurityTestUtil.enableStreaming(saml1Port);
+        saml1Port.doubleIt(25);
+        
+        ((java.io.Closeable)saml1Port).close();
+        bus.shutdown(true);
+    }
+    
     @org.junit.Test
     public void testSaml1ElementOverTransport() throws Exception {
 
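Review bot: The streaming half of the new test, `saml1Port.doubleIt(25);` after `SecurityTestUtil.enableStreaming`, discards the result, so only the DOM path is actually asserted; it should read `assertEquals(50, saml1Port.doubleIt(25));`, and the DOM assertion `assertTrue(result == 50)` is clearer as `assertEquals(50, result)`, which also reports the actual value on failure (add the static import if it is not already present). The same applies to the matching test added to StaxSamlTokenTest. Since `SecurityConstants` is now imported, the string key `"ws-security.saml-callback-handler"` could use the `SecurityConstants.SAML_CALLBACK_HANDLER` constant for consistency with the other four properties.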

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java?rev=1519638&r1=1519637&r2=1519638&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSamlTokenTest.java
Tue Sep  3 10:35:08 2013
@@ -32,6 +32,7 @@ import org.apache.cxf.systest.ws.saml.cl
 import org.apache.cxf.systest.ws.saml.client.SamlElementCallbackHandler;
 import org.apache.cxf.systest.ws.saml.client.SamlRoleCallbackHandler;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.wss4j.common.saml.builder.SAML1Constants;
 import org.apache.wss4j.common.saml.builder.SAML2Constants;
@@ -224,6 +225,56 @@ public class StaxSamlTokenTest extends A
         bus.shutdown(true);
     }
     
+    // Self-signing (see CXF-5248)
+    @org.junit.Test
+    public void testSaml1SupportingSelfSigned() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = StaxSamlTokenTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSaml1SupportingPort");
+        DoubleItPortType saml1Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(saml1Port, PORT2);
+        
+        SamlCallbackHandler callbackHandler = new SamlCallbackHandler(false);
+        callbackHandler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", callbackHandler
+        );
+        
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            SecurityConstants.SELF_SIGN_SAML_ASSERTION, true
+        );
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            SecurityConstants.SIGNATURE_USERNAME, "alice"
+        );
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            SecurityConstants.SIGNATURE_PROPERTIES, "alice.properties"
+        );
+        ((BindingProvider)saml1Port).getRequestContext().put(
+            SecurityConstants.CALLBACK_HANDLER, 
+            "org.apache.cxf.systest.ws.common.KeystorePasswordCallback"
+        );
+        
+        // DOM
+        int result = saml1Port.doubleIt(25);
+        assertTrue(result == 50);
+        
+        // Streaming
+        SecurityTestUtil.enableStreaming(saml1Port);
+        saml1Port.doubleIt(25);
+        
+        ((java.io.Closeable)saml1Port).close();
+        bus.shutdown(true);
+    }
+  
     @org.junit.Test
     public void testSaml1ElementOverTransport() throws Exception {
 
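Review bot: The two new tests are not quite mirrors: this one forces `SAML1Constants.CONF_BEARER` on the callback handler, whereas the SamlTokenTest version relies on the handler's default confirmation method, so the DOM and StAX stacks are exercised with potentially different assertions for the same CXF-5248 scenario; either both should set the confirmation method or a comment should explain the difference. Also, the WSDL is looked up via `SamlTokenTest.class.getResource("DoubleItSaml.wsdl")` while the bus file uses `StaxSamlTokenTest.class`; using `StaxSamlTokenTest.class` for both avoids depending on the sibling test class for resource resolution.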
@@ -1105,5 +1156,4 @@ public class StaxSamlTokenTest extends A
         ((java.io.Closeable)saml2Port).close();
         bus.shutdown(true);
     }
-    
 }

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml?rev=1519638&r1=1519637&r2=1519638&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
Tue Sep  3 10:35:08 2013
@@ -116,6 +116,10 @@
        depends-on="tls-settings">
         
        <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+           <entry key="ws-security.signature.properties" value="bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
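Review bot: The new `ws-security.subject.cert.constraints` value `.*O=apache.org.*` is an unescaped, unanchored regex: the `.` in `apache.org` matches any character and `O=` also matches at the end of other attribute names (a constructed DN containing `FOO=apache-org` would pass), so the constraint is looser than it reads. For a test fixture that is harmless, but this snippet is the kind that gets copied into production configs, so `.*O=apache\.org.*` (or a fully anchored DN pattern) is the safer form. The same value is added in stax-server.xml.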

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml?rev=1519638&r1=1519637&r2=1519638&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
Tue Sep  3 10:35:08 2013
@@ -118,6 +118,10 @@
        depends-on="tls-settings">
         
        <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+           <entry key="ws-security.signature.properties" value="bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
            <entry key="ws-security.enable.streaming" value="true"/>
        </jaxws:properties> 
      


