cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1535031 - /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
Date Wed, 23 Oct 2013 13:50:48 GMT
Author: coheigea
Date: Wed Oct 23 13:50:47 2013
New Revision: 1535031

URL: http://svn.apache.org/r1535031
Log:
Asserting more security policies on the outbound side

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Wed Oct 23 13:50:47 2013
@@ -417,6 +417,7 @@ public abstract class AbstractBindingBui
                     || token instanceof SecureConversationToken
                     || token instanceof SecurityContextToken
                     || token instanceof KerberosToken)) {
+                assertToken(token);
                 //ws-trust/ws-sc stuff.......
                 SecurityToken secToken = getSecurityToken();
                 if (secToken == null) {
@@ -482,6 +483,7 @@ public abstract class AbstractBindingBui
             } else if (token instanceof X509Token) {
                 //We have to use a cert
                 //Prepare X509 signature
+                assertToken(token);
                 WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
                 Element bstElem = sig.getBinarySecurityTokenElement();
                 if (bstElem != null) {
@@ -493,6 +495,7 @@ public abstract class AbstractBindingBui
                 }
                 ret.put(token, sig);
             } else if (token instanceof KeyValueToken) {
+                assertToken(token);
                 WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
                 if (suppTokens.isEncryptedToken()) {
                     WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
@@ -693,16 +696,9 @@ public abstract class AbstractBindingBui
     }
 
     protected WSSecUsernameToken addUsernameToken(UsernameToken token) {
-        AssertionInfo info = null;
-        Collection<AssertionInfo> ais = aim.getAssertionInfo(token.getName());
-        for (AssertionInfo ai : ais) {
-            if (ai.getAssertion() == token) {
-                info = ai;
-                if (!isRequestor()) {
-                    info.setAsserted(true);
-                    return null;
-                }
-            }
+        assertToken(token);
+        if (!isRequestor()) {
+            return null;
         }
         
         String userName = (String)message.getContextualProperty(SecurityConstants.USERNAME);
@@ -746,7 +742,6 @@ public abstract class AbstractBindingBui
                 assertPolicy(SP13Constants.NONCE);
             }
             
-            info.setAsserted(true);
             assertPolicy(
                 new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN10));
             assertPolicy(
@@ -759,16 +754,9 @@ public abstract class AbstractBindingBui
     }
     
     protected WSSecUsernameToken addDKUsernameToken(UsernameToken token, boolean useMac)
{
-        AssertionInfo info = null;
-        Collection<AssertionInfo> ais = aim.getAssertionInfo(token.getName());
-        for (AssertionInfo ai : ais) {
-            if (ai.getAssertion() == token) {
-                info = ai;
-                if (!isRequestor()) {
-                    info.setAsserted(true);
-                    return null;
-                }
-            }
+        assertToken(token);
+        if (!isRequestor()) {
+            return null;
         }
         
         String userName = (String)message.getContextualProperty(SecurityConstants.USERNAME);
@@ -790,7 +778,6 @@ public abstract class AbstractBindingBui
                 return null;
             }
             
-            info.setAsserted(true);
             assertPolicy(
                 new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN10));
             assertPolicy(
@@ -803,16 +790,9 @@ public abstract class AbstractBindingBui
     }
     
     protected SamlAssertionWrapper addSamlToken(SamlToken token) throws WSSecurityException
{
-        AssertionInfo info = null;
-        Collection<AssertionInfo> ais = aim.getAssertionInfo(token.getName());
-        for (AssertionInfo ai : ais) {
-            if (ai.getAssertion() == token) {
-                info = ai;
-                if (!isRequestor()) {
-                    info.setAsserted(true);
-                    return null;
-                }
-            }
+        assertToken(token);
+        if (!isRequestor()) {
+            return null;
         }
         
         //
@@ -851,8 +831,6 @@ public abstract class AbstractBindingBui
             return null;
         }
         
-        info.setAsserted(true);
-        
         SAMLCallback samlCallback = new SAMLCallback();
         SamlTokenType tokenType = token.getSamlTokenType();
         if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11)
{

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
Wed Oct 23 13:50:47 2013
@@ -44,15 +44,28 @@ import org.apache.wss4j.common.ext.WSSec
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SP13Constants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
 import org.apache.wss4j.policy.model.AbstractBinding;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractTokenWrapper;
 import org.apache.wss4j.policy.model.AlgorithmSuite;
 import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
+import org.apache.wss4j.policy.model.HttpsToken;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SpnegoContextToken;
 import org.apache.wss4j.policy.model.Trust10;
 import org.apache.wss4j.policy.model.Trust13;
+import org.apache.wss4j.policy.model.UsernameToken;
 import org.apache.wss4j.policy.model.Wss10;
 import org.apache.wss4j.policy.model.Wss11;
+import org.apache.wss4j.policy.model.X509Token;
 import org.apache.xml.security.utils.Base64;
 
 /**
@@ -108,6 +121,168 @@ public abstract class AbstractCommonBind
         }
     }
     
+    protected void assertTokenWrapper(AbstractTokenWrapper tokenWrapper) {
+        if (tokenWrapper == null) {
+            return;
+        }
+        assertPolicy(tokenWrapper.getName());
+    }
+    
+    protected void assertToken(AbstractToken token) {
+        if (token == null) {
+            return;
+        }
+        assertPolicy(token.getName());
+        
+        String namespace = token.getName().getNamespaceURI();
+        if (token instanceof X509Token) {
+            X509Token x509Token = (X509Token)token;
+            assertX509Token(x509Token);
+        } else if (token instanceof HttpsToken) {
+            HttpsToken httpsToken = (HttpsToken)token;
+            if (httpsToken.getAuthenticationType() != null) {
+                assertPolicy(new QName(namespace, httpsToken.getAuthenticationType().name()));
+            }
+        } else if (token instanceof KeyValueToken) {
+            KeyValueToken keyValueToken = (KeyValueToken)token;
+            if (keyValueToken.isRsaKeyValue()) {
+                assertPolicy(new QName(namespace, SPConstants.RSA_KEY_VALUE));
+            }
+        } else if (token instanceof UsernameToken) {
+            UsernameToken usernameToken = (UsernameToken)token;
+            assertUsernameToken(usernameToken);
+        } else if (token instanceof SecureConversationToken) {
+            SecureConversationToken scToken = (SecureConversationToken)token;
+            assertSecureConversationToken(scToken);
+        } else if (token instanceof SecurityContextToken) {
+            SecurityContextToken scToken = (SecurityContextToken)token;
+            assertSecurityContextToken(scToken);
+        } else if (token instanceof SpnegoContextToken) {
+            SpnegoContextToken scToken = (SpnegoContextToken)token;
+            assertSpnegoContextToken(scToken);
+        } else if (token instanceof IssuedToken) {
+            IssuedToken issuedToken = (IssuedToken)token;
+            assertIssuedToken(issuedToken);
+        } else if (token instanceof KerberosToken) {
+            KerberosToken kerberosToken = (KerberosToken)token;
+            assertKerberosToken(kerberosToken);
+        } else if (token instanceof SamlToken) {
+            SamlToken samlToken = (SamlToken)token;
+            assertSamlToken(samlToken);
+        } 
+    }
+    
+    private void assertX509Token(X509Token token) {
+        String namespace = token.getName().getNamespaceURI();
+        
+        if (token.isRequireEmbeddedTokenReference()) {
+            assertPolicy(new QName(namespace, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE));
+        }
+        if (token.isRequireIssuerSerialReference()) {
+            assertPolicy(new QName(namespace, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE));
+        }
+        if (token.isRequireKeyIdentifierReference()) {
+            assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+        }
+        if (token.isRequireThumbprintReference()) {
+            assertPolicy(new QName(namespace, SPConstants.REQUIRE_THUMBPRINT_REFERENCE));
+        }
+        if (token.getTokenType() != null) {
+            assertPolicy(new QName(namespace, token.getTokenType().name()));
+        }
+    }
+    
+    private void assertUsernameToken(UsernameToken token) {
+        String namespace = token.getName().getNamespaceURI();
+        
+        if (token.getPasswordType() != null) {
+            assertPolicy(new QName(namespace, token.getPasswordType().name()));
+        }
+        if (token.getUsernameTokenType() != null) {
+            assertPolicy(new QName(namespace, token.getUsernameTokenType().name()));
+        }
+        if (token.isCreated()) {
+            assertPolicy(SP13Constants.CREATED);
+        }
+        if (token.isNonce()) {
+            assertPolicy(SP13Constants.NONCE);
+        }
+    }
+    
+    private void assertSecurityContextToken(SecurityContextToken token) {
+        String namespace = token.getName().getNamespaceURI();
+        if (token.isRequireExternalUriReference()) {
+            assertPolicy(new QName(namespace, SPConstants.REQUIRE_EXTERNAL_URI_REFERENCE));
+        }
+        if (token.isSc10SecurityContextToken()) {
+            assertPolicy(new QName(namespace, SPConstants.SC10_SECURITY_CONTEXT_TOKEN));
+        }
+        if (token.isSc13SecurityContextToken()) {
+            assertPolicy(new QName(namespace, SPConstants.SC13_SECURITY_CONTEXT_TOKEN));
+        }
+    }
+    
+    private void assertSecureConversationToken(SecureConversationToken token) {
+        assertSecurityContextToken(token);
+        
+        String namespace = token.getName().getNamespaceURI();
+        if (token.isMustNotSendAmend()) {
+            assertPolicy(new QName(namespace, SPConstants.MUST_NOT_SEND_AMEND));
+        }
+        if (token.isMustNotSendCancel()) {
+            assertPolicy(new QName(namespace, SPConstants.MUST_NOT_SEND_CANCEL));
+        }
+        if (token.isMustNotSendRenew()) {
+            assertPolicy(new QName(namespace, SPConstants.MUST_NOT_SEND_RENEW));
+        }
+    }
+    
+    private void assertSpnegoContextToken(SpnegoContextToken token) {
+        String namespace = token.getName().getNamespaceURI();
+        if (token.isMustNotSendAmend()) {
+            assertPolicy(new QName(namespace, SPConstants.MUST_NOT_SEND_AMEND));
+        }
+        if (token.isMustNotSendCancel()) {
+            assertPolicy(new QName(namespace, SPConstants.MUST_NOT_SEND_CANCEL));
+        }
+        if (token.isMustNotSendRenew()) {
+            assertPolicy(new QName(namespace, SPConstants.MUST_NOT_SEND_RENEW));
+        }
+    }
+    
+    private void assertIssuedToken(IssuedToken token) {
+        String namespace = token.getName().getNamespaceURI();
+        
+        if (token.isRequireExternalReference()) {
+            assertPolicy(new QName(namespace, SPConstants.REQUIRE_EXTERNAL_REFERENCE));
+        }
+        if (token.isRequireInternalReference()) {
+            assertPolicy(new QName(namespace, SPConstants.REQUIRE_INTERNAL_REFERENCE));
+        }
+    }
+    
+    private void assertKerberosToken(KerberosToken token) {
+        String namespace = token.getName().getNamespaceURI();
+        
+        if (token.isRequireKeyIdentifierReference()) {
+            assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+        }
+        if (token.getApReqTokenType() != null) {
+            assertPolicy(new QName(namespace, token.getApReqTokenType().name()));
+        }
+    }
+    
+    private void assertSamlToken(SamlToken token) {
+        String namespace = token.getName().getNamespaceURI();
+        
+        if (token.isRequireKeyIdentifierReference()) {
+            assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+        }
+        if (token.getSamlTokenType() != null) {
+            assertPolicy(new QName(namespace, token.getSamlTokenType().name()));
+        }
+    }
+    
     protected void assertAlgorithmSuite(AlgorithmSuite algorithmSuite) {
         if (algorithmSuite == null) {
             return;

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
Wed Oct 23 13:50:47 2013
@@ -130,6 +130,7 @@ public abstract class AbstractStaxBindin
     }
 
     protected SecurePart addUsernameToken(UsernameToken usernameToken) {
+        assertToken(usernameToken);
         IncludeTokenType includeToken = usernameToken.getIncludeTokenType();
         if (!isTokenRequired(includeToken)) {
             return null;
@@ -206,6 +207,7 @@ public abstract class AbstractStaxBindin
     protected SecurePart addKerberosToken(
         KerberosToken token, boolean signed, boolean endorsing, boolean encrypting
     ) throws WSSecurityException {
+        assertToken(token);
         IncludeTokenType includeToken = token.getIncludeTokenType();
         if (!isTokenRequired(includeToken)) {
             return null;
@@ -285,6 +287,7 @@ public abstract class AbstractStaxBindin
         boolean signed,
         boolean endorsing
     ) throws WSSecurityException {
+        assertToken(token);
         IncludeTokenType includeToken = token.getIncludeTokenType();
         if (!isTokenRequired(includeToken)) {
             return null;
@@ -338,6 +341,7 @@ public abstract class AbstractStaxBindin
     
     protected SecurePart addIssuedToken(IssuedToken token, SecurityToken secToken, 
                                   boolean signed, boolean endorsing) {
+        assertToken(token);
         if (isTokenRequired(token.getIncludeTokenType())) {
             final Element el = secToken.getToken();
             
@@ -500,6 +504,9 @@ public abstract class AbstractStaxBindin
             }
             ai.setAsserted(true);
         }
+        if (layout != null && layout.getLayoutType() != null) {
+            assertPolicy(new QName(layout.getName().getNamespaceURI(), layout.getLayoutType().name()));
+        }
         
         if (!timestampAdded) {
             return;
@@ -519,8 +526,7 @@ public abstract class AbstractStaxBindin
                        action + " " + ConfigurationConstants.TIMESTAMP);
             }
         } else {
-            config.put(ConfigurationConstants.ACTION, 
-                       ConfigurationConstants.TIMESTAMP);
+            config.put(ConfigurationConstants.ACTION, ConfigurationConstants.TIMESTAMP);
         }
     }
 
@@ -739,6 +745,7 @@ public abstract class AbstractStaxBindin
                     }
                 }
             } else if (token instanceof X509Token || token instanceof KeyValueToken) {
+                assertToken(token);
                 configureSignature(suppTokens, token, false);
                 if (suppTokens.isEncryptedToken()) {
                     SecurePart part = 

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Wed Oct 23 13:50:47 2013
@@ -97,6 +97,7 @@ public class AsymmetricBindingHandler ex
     public void handleBinding() {
         WSSecTimestamp timestamp = createTimestamp();
         handleLayout(timestamp);
+        assertPolicy(abinding.getName());
         
         if (abinding.getProtectionOrder() 
             == AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
@@ -122,6 +123,7 @@ public class AsymmetricBindingHandler ex
             if (initiatorWrapper == null) {
                 initiatorWrapper = abinding.getInitiatorToken();
             }
+            assertTokenWrapper(initiatorWrapper);
             boolean attached = false;
             if (initiatorWrapper != null) {
                 AbstractToken initiatorToken = initiatorWrapper.getToken();
@@ -155,6 +157,7 @@ public class AsymmetricBindingHandler ex
                         return;
                     }
                 }
+                assertToken(initiatorToken);
             }
             
             // Add timestamp
@@ -178,6 +181,8 @@ public class AsymmetricBindingHandler ex
                     recipientSignatureToken = abinding.getRecipientToken();
                 }
                 if (recipientSignatureToken != null) {
+                    assertTokenWrapper(recipientSignatureToken);
+                    assertToken(recipientSignatureToken.getToken());
                     doSignature(recipientSignatureToken, sigs, attached);
                 }
             }
@@ -213,6 +218,10 @@ public class AsymmetricBindingHandler ex
                 }
             }            
             doEncryption(encToken, enc, false);
+            if (encToken != null) {
+                assertTokenWrapper(encToken);
+                assertToken(encToken.getToken());
+            }
             
         } catch (Exception e) {
             String reason = e.getMessage();
@@ -222,9 +231,8 @@ public class AsymmetricBindingHandler ex
         }
     }
 
-    private void doEncryptBeforeSign() {
+    private AbstractTokenWrapper getEncryptBeforeSignWrapper() {
         AbstractTokenWrapper wrapper;
-        AbstractToken encryptionToken = null;
         if (isRequestor()) {
             wrapper = abinding.getRecipientEncryptionToken();
             if (wrapper == null) {
@@ -236,12 +244,21 @@ public class AsymmetricBindingHandler ex
                 wrapper = abinding.getInitiatorToken();
             }
         }
-        encryptionToken = wrapper.getToken();
+        assertTokenWrapper(wrapper);
+        
+        return wrapper;
+    }
+    
+    private void doEncryptBeforeSign() {
+        AbstractTokenWrapper wrapper = getEncryptBeforeSignWrapper();
+        AbstractToken encryptionToken = wrapper.getToken();
+        assertToken(encryptionToken);
         
         AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
         if (initiatorWrapper == null) {
             initiatorWrapper = abinding.getInitiatorToken();
         }
+        assertTokenWrapper(initiatorWrapper);
         boolean attached = false;
         
         if (initiatorWrapper != null) {
@@ -283,6 +300,7 @@ public class AsymmetricBindingHandler ex
                     return;
                 }
             }
+            assertToken(initiatorToken);
         }
         
         List<WSEncryptionPart> encrParts = null;
@@ -297,10 +315,6 @@ public class AsymmetricBindingHandler ex
             throw new Fault(ex);
         }
         
-        //if (encryptionToken == null && encrParts.size() > 0) {
-            //REVISIT - no token to encrypt with  
-        //}
-        
         WSSecBase encrBase = null;
         if (encryptionToken != null && encrParts.size() > 0) {
             encrBase = doEncryption(wrapper, encrParts, true);
@@ -335,6 +349,8 @@ public class AsymmetricBindingHandler ex
                         recipientSignatureToken = abinding.getRecipientToken(); 
                     }
                     if (recipientSignatureToken != null) {
+                        assertTokenWrapper(recipientSignatureToken);
+                        assertToken(recipientSignatureToken.getToken());
                         doSignature(recipientSignatureToken, sigParts, attached);
                     }
                 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
Wed Oct 23 13:50:47 2013
@@ -81,6 +81,7 @@ public class StaxAsymmetricBindingHandle
         AssertionInfoMap aim = getMessage().get(AssertionInfoMap.class);
         configureTimestamp(aim);
         abinding = (AsymmetricBinding)getBinding(aim);
+        assertPolicy(abinding.getName());
         
         String asymSignatureAlgorithm = 
             (String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
@@ -105,6 +106,10 @@ public class StaxAsymmetricBindingHandle
         assertTrustProperties(abinding.getName().getNamespaceURI());
         assertPolicy(
             new QName(abinding.getName().getNamespaceURI(), SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
+        if (abinding.isProtectTokens()) {
+            assertPolicy(
+                new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
+        }
     }
 
     private void doSignBeforeEncrypt() {
@@ -114,6 +119,7 @@ public class StaxAsymmetricBindingHandle
                 initiatorWrapper = abinding.getInitiatorToken();
             }
             if (initiatorWrapper != null) {
+                assertTokenWrapper(initiatorWrapper);
                 AbstractToken initiatorToken = initiatorWrapper.getToken();
                 if (initiatorToken instanceof IssuedToken) {
                     SecurityToken sigTok = getSecurityToken();
@@ -134,6 +140,7 @@ public class StaxAsymmetricBindingHandle
                 } else if (initiatorToken instanceof SamlToken) {
                     addSamlToken((SamlToken)initiatorToken, false, true);
                 }
+                assertToken(initiatorToken);
             }
             
             // Add timestamp
@@ -156,6 +163,10 @@ public class StaxAsymmetricBindingHandle
                 if (recipientSignatureToken == null) {
                     recipientSignatureToken = abinding.getRecipientToken();
                 }
+                if (recipientSignatureToken != null) {
+                    assertTokenWrapper(recipientSignatureToken);
+                    assertToken(recipientSignatureToken.getToken());
+                }
                 if (recipientSignatureToken != null && sigs.size() > 0) {
                     doSignature(recipientSignatureToken, sigs);
                 }
@@ -202,7 +213,11 @@ public class StaxAsymmetricBindingHandle
                 if (encToken == null) {
                     encToken = abinding.getInitiatorToken();
                 }
-            }            
+            }           
+            if (encToken != null) {
+                assertTokenWrapper(encToken);
+                assertToken(encToken.getToken());
+            }
             doEncryption(encToken, enc, false);
             
         } catch (Exception e) {
@@ -227,7 +242,9 @@ public class StaxAsymmetricBindingHandle
                     wrapper = abinding.getInitiatorToken();
                 }
             }
+            assertTokenWrapper(wrapper);
             encryptionToken = wrapper.getToken();
+            assertToken(encryptionToken);
             
             AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
             if (initiatorWrapper == null) {
@@ -235,6 +252,7 @@ public class StaxAsymmetricBindingHandle
             }
             
             if (initiatorWrapper != null) {
+                assertTokenWrapper(initiatorWrapper);
                 AbstractToken initiatorToken = initiatorWrapper.getToken();
                 if (initiatorToken instanceof IssuedToken) {
                     SecurityToken sigTok = getSecurityToken();
@@ -308,6 +326,8 @@ public class StaxAsymmetricBindingHandle
                         recipientSignatureToken = abinding.getRecipientToken(); 
                     }
                     if (recipientSignatureToken != null) {
+                        assertTokenWrapper(recipientSignatureToken);
+                        assertToken(recipientSignatureToken.getToken());
                         doSignature(recipientSignatureToken, sigParts);
                     }
                 }
@@ -438,11 +458,6 @@ public class StaxAsymmetricBindingHandle
             config.put(ConfigurationConstants.INCLUDE_SIGNATURE_TOKEN, "false");
         }
         
-        if (abinding.isProtectTokens()) {
-            assertPolicy(
-                new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
-        }
-        
         config.put(ConfigurationConstants.SIGNATURE_PARTS, parts);
         config.put(ConfigurationConstants.OPTIONAL_SIGNATURE_PARTS, optionalParts);
         

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
Wed Oct 23 13:50:47 2013
@@ -105,6 +105,7 @@ public class StaxSymmetricBindingHandler
         AssertionInfoMap aim = getMessage().get(AssertionInfoMap.class);
         configureTimestamp(aim);
         sbinding = (SymmetricBinding)getBinding(aim);
+        assertPolicy(sbinding.getName());
         
         String asymSignatureAlgorithm = 
             (String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
@@ -142,11 +143,16 @@ public class StaxSymmetricBindingHandler
         assertTrustProperties(sbinding.getName().getNamespaceURI());
         assertPolicy(
             new QName(sbinding.getName().getNamespaceURI(), SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
+        if (sbinding.isProtectTokens()) {
+            assertPolicy(
+                new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
+        }
     }
     
     private void doEncryptBeforeSign() {
         try {
             AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
+            assertTokenWrapper(encryptionWrapper);
             AbstractToken encryptionToken = encryptionWrapper.getToken();
 
             //The encryption token can be an IssuedToken or a 
@@ -196,6 +202,7 @@ public class StaxSymmetricBindingHandler
                 policyNotAsserted(sbinding, "UsernameTokens not supported with Symmetric
binding");
                 return;
             }
+            assertToken(encryptionToken);
             if (tok == null) {
                 if (tokenId != null && tokenId.startsWith("#")) {
                     tokenId = tokenId.substring(1);
@@ -270,6 +277,7 @@ public class StaxSymmetricBindingHandler
     
     private void doSignBeforeEncrypt() {
         AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
+        assertTokenWrapper(sigAbstractTokenWrapper);
         AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
         String sigTokId = null;
         
@@ -319,6 +327,7 @@ public class StaxSymmetricBindingHandler
                     policyNotAsserted(sbinding, "UsernameTokens not supported with Symmetric
binding");
                     return;
                 }
+                assertToken(sigToken);
             } else {
                 policyNotAsserted(sbinding, "No signature token");
                 return;
@@ -546,12 +555,8 @@ public class StaxSymmetricBindingHandler
         }
         
         AbstractToken sigToken = wrapper.getToken();
-        if (sbinding.isProtectTokens()) {
-            if ((sigToken instanceof X509Token) && isRequestor()) {
-                parts += "{Element}{" + WSSConstants.NS_XMLENC + "}EncryptedKey;";
-            }
-            assertPolicy(
-                new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
+        if (sbinding.isProtectTokens() && sigToken instanceof X509Token &&
isRequestor()) {
+            parts += "{Element}{" + WSSConstants.NS_XMLENC + "}EncryptedKey;";
         }
         
         config.put(ConfigurationConstants.SIGNATURE_PARTS, parts);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
Wed Oct 23 13:50:47 2013
@@ -81,6 +81,7 @@ public class StaxTransportBindingHandler
         if (this.isRequestor()) {
             tbinding = (TransportBinding)getBinding(aim);
             if (tbinding != null) {
+                assertPolicy(tbinding.getName());
                 String asymSignatureAlgorithm = 
                     (String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
                 if (asymSignatureAlgorithm != null && tbinding.getAlgorithmSuite()
!= null) {
@@ -96,6 +97,8 @@ public class StaxTransportBindingHandler
                     }
                     addIssuedToken((IssuedToken)token.getToken(), secToken, false, false);
                 }
+                assertToken(token.getToken());
+                assertTokenWrapper(token);
             }
             
             try {
@@ -106,6 +109,10 @@ public class StaxTransportBindingHandler
                 throw new Fault(e);
             }
         } else {
+            if (tbinding != null && tbinding.getTransportToken() != null) {
+                assertTokenWrapper(tbinding.getTransportToken());
+                assertToken(tbinding.getTransportToken().getToken());
+            }
             addSignatureConfirmation(null);
         }
         

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Wed Oct 23 13:50:47 2013
@@ -113,6 +113,7 @@ public class SymmetricBindingHandler ext
     public void handleBinding() {
         WSSecTimestamp timestamp = createTimestamp();
         handleLayout(timestamp);
+        assertPolicy(sbinding.getName());
         
         if (isRequestor()) {
             //Setup required tokens
@@ -156,6 +157,7 @@ public class SymmetricBindingHandler ext
     private void doEncryptBeforeSign() {
         try {
             AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
+            assertTokenWrapper(encryptionWrapper);
             AbstractToken encryptionToken = encryptionWrapper.getToken();
             List<WSEncryptionPart> encrParts = getEncryptedParts();
             List<WSEncryptionPart> sigParts = getSignedParts();
@@ -188,6 +190,7 @@ public class SymmetricBindingHandler ext
                         tokenId = getUTDerivedKey();
                     }
                 }
+                assertToken(encryptionToken);
                 if (tok == null) {
                     //if (tokenId == null || tokenId.length() == 0) {
                         //REVISIT - no tokenId?   Exception?
@@ -290,6 +293,7 @@ public class SymmetricBindingHandler ext
     
     private void doSignBeforeEncrypt() {
         AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
+        assertTokenWrapper(sigAbstractTokenWrapper);
         AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
         String sigTokId = null;
         Element sigTokElem = null;
@@ -316,6 +320,7 @@ public class SymmetricBindingHandler ext
                         sigTokId = getUTDerivedKey();
                     }
                 }
+                assertToken(sigToken);
             } else {
                 policyNotAsserted(sbinding, "No signature token");
                 return;

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1535031&r1=1535030&r2=1535031&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Wed Oct 23 13:50:47 2013
@@ -147,6 +147,8 @@ public class TransportBindingHandler ext
                             addEncryptedKeyElement(cloneElement(el));
                         } 
                     }
+                    assertToken(transportToken);
+                    assertTokenWrapper(transportTokenWrapper);
                 }
                     
                 handleNonEndorsingSupportingTokens();
@@ -154,6 +156,10 @@ public class TransportBindingHandler ext
                     handleEndorsingSupportingTokens();
                 }
             } else {
+                if (tbinding != null && tbinding.getTransportToken() != null) {
+                    assertTokenWrapper(tbinding.getTransportToken());
+                    assertToken(tbinding.getTransportToken().getToken());
+                }
                 addSignatureConfirmation(null);
             }
         } catch (Exception e) {
@@ -162,6 +168,7 @@ public class TransportBindingHandler ext
         }
         
         if (tbinding != null) {
+            assertPolicy(tbinding.getName());
             assertAlgorithmSuite(tbinding.getAlgorithmSuite());
             assertWSSProperties(tbinding.getName().getNamespaceURI());
             assertTrustProperties(tbinding.getName().getNamespaceURI());



Mime
View raw message