cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1552638 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security: policy/interceptors/ wss4j/policyhandlers/
Date Fri, 20 Dec 2013 13:13:55 GMT
Author: coheigea
Date: Fri Dec 20 13:13:54 2013
New Revision: 1552638

URL: http://svn.apache.org/r1552638
Log:
Asserting more security policies

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1552638&r1=1552637&r2=1552638&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Fri Dec 20 13:13:54 2013
@@ -27,6 +27,8 @@ import java.util.List;
 import java.util.Map;
 import java.util.Properties;
 
+import javax.xml.namespace.QName;
+
 import org.w3c.dom.Element;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.helpers.CastUtils;
@@ -97,6 +99,30 @@ public class IssuedTokenInterceptorProvi
         this.getInFaultInterceptors().add(PolicyBasedWSS4JStaxInInterceptor.INSTANCE);
     }
     
+    protected static void assertIssuedToken(IssuedToken issuedToken, AssertionInfoMap aim)
{
+        if (issuedToken == null) {
+            return;
+        }
+        // Assert some policies
+        if (issuedToken.isRequireExternalReference()) {
+            assertPolicy(new QName(issuedToken.getName().getNamespaceURI(), 
+                                   SPConstants.REQUIRE_EXTERNAL_REFERENCE), aim);
+        }
+        if (issuedToken.isRequireInternalReference()) {
+            assertPolicy(new QName(issuedToken.getName().getNamespaceURI(), 
+                                   SPConstants.REQUIRE_INTERNAL_REFERENCE), aim);
+        }
+    }
+    
+    protected static void assertPolicy(QName n, AssertionInfoMap aim) {
+        Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
+        if (ais != null && !ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+            }
+        }
+    }
+    
     static class IssuedTokenOutInterceptor extends AbstractPhaseInterceptor<Message>
{
         public IssuedTokenOutInterceptor() {
             super(Phase.PREPARE_SEND);
@@ -124,6 +150,7 @@ public class IssuedTokenInterceptorProvi
                 }
                 if (isRequestor(message)) {
                     IssuedToken itok = (IssuedToken)ais.iterator().next().getAssertion();
+                    assertIssuedToken(itok, aim);
                     
                     SecurityToken tok = retrieveCachedToken(message);
                     if (tok == null) {
@@ -155,10 +182,13 @@ public class IssuedTokenInterceptorProvi
                     //server side should be checked on the way in
                     for (AssertionInfo ai : ais) {
                         ai.setAsserted(true);
-                    }                    
+                    }
+                    IssuedToken itok = (IssuedToken)ais.iterator().next().getAssertion();
+                    assertIssuedToken(itok, aim);
                 }
             }
         }
+        
         private Trust10 getTrust10(AssertionInfoMap aim) {
             Collection<AssertionInfo> ais = 
                 NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
@@ -502,17 +532,19 @@ public class IssuedTokenInterceptorProvi
                 if (ais.isEmpty()) {
                     return;
                 }
+                
+                for (AssertionInfo ai : ais) {
+                    ai.setAsserted(true);
+                }
+                IssuedToken itok = (IssuedToken)ais.iterator().next().getAssertion();
+                assertIssuedToken(itok, aim);
+                
                 if (!isRequestor(message)) {
                     List<WSHandlerResult> results = 
                         CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
                     if (results != null && results.size() > 0) {
                         parseHandlerResults(results.get(0), message, aim);
                     }
-                } else {
-                    //client side should be checked on the way out
-                    for (AssertionInfo ai : ais) {
-                        ai.setAsserted(true);
-                    }                    
                 }
             }
         }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1552638&r1=1552637&r2=1552638&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Fri Dec 20 13:13:54 2013
@@ -112,7 +112,6 @@ import org.apache.wss4j.dom.message.toke
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
-import org.apache.wss4j.policy.SP13Constants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
 import org.apache.wss4j.policy.model.AbstractBinding;
@@ -692,8 +691,6 @@ public abstract class AbstractBindingBui
             if (token.getPasswordType() == UsernameToken.PasswordType.NoPassword) {
                 utBuilder.setUserInfo(userName, null);
                 utBuilder.setPasswordType(null);
-                assertPolicy(
-                     new QName(token.getName().getNamespaceURI(), SPConstants.NO_PASSWORD));
             } else {
                 String password = (String)message.getContextualProperty(SecurityConstants.PASSWORD);
                 if (StringUtils.isEmpty(password)) {
@@ -704,9 +701,6 @@ public abstract class AbstractBindingBui
                     // If the password is available then build the token
                     if (token.getPasswordType() == UsernameToken.PasswordType.HashPassword)
{
                         utBuilder.setPasswordType(WSConstants.PASSWORD_DIGEST);
-                        assertPolicy(
-                            new QName(token.getName().getNamespaceURI(), 
-                                      SPConstants.HASH_PASSWORD));
                     } else {
                         utBuilder.setPasswordType(WSConstants.PASSWORD_TEXT);
                     }
@@ -719,17 +713,11 @@ public abstract class AbstractBindingBui
             
             if (token.isCreated() && token.getPasswordType() != UsernameToken.PasswordType.HashPassword)
{
                 utBuilder.addCreated();
-                assertPolicy(SP13Constants.CREATED);
             }
             if (token.isNonce() && token.getPasswordType() != UsernameToken.PasswordType.HashPassword)
{
                 utBuilder.addNonce();
-                assertPolicy(SP13Constants.NONCE);
             }
             
-            assertPolicy(
-                new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN10));
-            assertPolicy(
-                new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN11));
             return utBuilder;
         } else {
             policyNotAsserted(token, "No username available");
@@ -762,10 +750,6 @@ public abstract class AbstractBindingBui
                 return null;
             }
             
-            assertPolicy(
-                new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN10));
-            assertPolicy(
-                new QName(token.getName().getNamespaceURI(), SPConstants.USERNAME_TOKEN11));
             return utBuilder;
         } else {
             policyNotAsserted(token, "No username available");
@@ -819,14 +803,8 @@ public abstract class AbstractBindingBui
         SamlTokenType tokenType = token.getSamlTokenType();
         if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11)
{
             samlCallback.setSamlVersion(SAMLVersion.VERSION_11);
-            assertPolicy(
-                new QName(token.getName().getNamespaceURI(), "WssSamlV11Token10"));
-            assertPolicy(
-                new QName(token.getName().getNamespaceURI(), "WssSamlV11Token11"));
         } else if (tokenType == SamlTokenType.WssSamlV20Token11) {
             samlCallback.setSamlVersion(SAMLVersion.VERSION_20);
-            assertPolicy(
-                new QName(token.getName().getNamespaceURI(), "WssSamlV20Token11"));
         }
         SAMLUtil.doSAMLCallback(handler, samlCallback);
         SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java?rev=1552638&r1=1552637&r2=1552638&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
Fri Dec 20 13:13:54 2013
@@ -134,6 +134,10 @@ public abstract class AbstractCommonBind
         assertPolicy(token.getName());
         
         String namespace = token.getName().getNamespaceURI();
+        if (token.getDerivedKeys() != null) {
+            assertPolicy(new QName(namespace, token.getDerivedKeys().name()));
+        }
+        
         if (token instanceof X509Token) {
             X509Token x509Token = (X509Token)token;
             assertX509Token(x509Token);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java?rev=1552638&r1=1552637&r2=1552638&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
Fri Dec 20 13:13:54 2013
@@ -118,9 +118,25 @@ public class StaxTransportBindingHandler
                 throw new Fault(e);
             }
         } else {
-            if (tbinding != null && tbinding.getTransportToken() != null) {
-                assertTokenWrapper(tbinding.getTransportToken());
-                assertToken(tbinding.getTransportToken().getToken());
+            try {
+                handleNonEndorsingSupportingTokens(aim);
+            } catch (Exception e) {
+                LOG.log(Level.FINE, e.getMessage(), e);
+                throw new Fault(e);
+            }
+            if (tbinding != null) {
+                assertPolicy(tbinding.getName());
+                if (tbinding.getTransportToken() != null) {
+                    assertTokenWrapper(tbinding.getTransportToken());
+                    assertToken(tbinding.getTransportToken().getToken());
+                    
+                    try {
+                        handleEndorsingSupportingTokens(aim);
+                    } catch (Exception e) {
+                        LOG.log(Level.FINE, e.getMessage(), e);
+                        throw new Fault(e);
+                    }
+                }
             }
             addSignatureConfirmation(null);
         }
@@ -192,6 +208,11 @@ public class StaxTransportBindingHandler
     private void addSignedSupportingTokens(SupportingTokens sgndSuppTokens) 
         throws Exception {
         for (AbstractToken token : sgndSuppTokens.getTokens()) {
+            assertToken(token);
+            if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
+                continue;
+            }
+            
             if (token instanceof UsernameToken) {
                 addUsernameToken((UsernameToken)token);
             } else if (token instanceof IssuedToken) {
@@ -273,6 +294,11 @@ public class StaxTransportBindingHandler
     private void handleEndorsingToken(
         AbstractToken token, SupportingTokens wrapper
     ) throws Exception {
+        assertToken(token);
+        if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
+            return;
+        }
+        
         if (token instanceof IssuedToken) {
             SecurityToken securityToken = getSecurityToken();
             addIssuedToken(token, securityToken, false, true);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1552638&r1=1552637&r2=1552638&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Fri Dec 20 13:13:54 2013
@@ -97,6 +97,11 @@ public class TransportBindingHandler ext
     private void addSignedSupportingTokens(SupportingTokens sgndSuppTokens) 
         throws Exception {
         for (AbstractToken token : sgndSuppTokens.getTokens()) {
+            assertToken(token);
+            if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
+                continue;
+            }
+            
             if (token instanceof UsernameToken) {
                 WSSecUsernameToken utBuilder = addUsernameToken((UsernameToken)token);
                 if (utBuilder != null) {
@@ -159,9 +164,11 @@ public class TransportBindingHandler ext
                     handleEndorsingSupportingTokens();
                 }
             } else {
+                handleNonEndorsingSupportingTokens();
                 if (tbinding != null && tbinding.getTransportToken() != null) {
                     assertTokenWrapper(tbinding.getTransportToken());
                     assertToken(tbinding.getTransportToken().getToken());
+                    handleEndorsingSupportingTokens();
                 }
                 addSignatureConfirmation(null);
             }
@@ -301,6 +308,11 @@ public class TransportBindingHandler ext
     private void handleEndorsingToken(
         AbstractToken token, SupportingTokens wrapper
     ) throws Exception {
+        assertToken(token);
+        if (token != null && !isTokenRequired(token.getIncludeTokenType())) {
+            return;
+        }
+        
         if (token instanceof IssuedToken
             || token instanceof SecureConversationToken
             || token instanceof SecurityContextToken



Mime
View raw message