From cohei...@apache.org
Subject [2/2] git commit: [CXF-5609] - Won't pass verification of explicit WSS Policy AsymmetricBinding -> Layout -> Policy -> Lax
Date Thu, 13 Mar 2014 16:47:48 GMT
[CXF-5609] - Won't pass verification of explicit WSS Policy AsymmetricBinding -> Layout
-> Policy -> Lax

Conflicts:
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
	systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/594ca433
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/594ca433
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/594ca433

Branch: refs/heads/2.7.x-fixes
Commit: 594ca4338a8b4605434368c74dcea5e72c6b9743
Parents: d7d452b
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Mar 13 14:52:10 2014 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Mar 13 16:43:02 2014 +0000

----------------------------------------------------------------------
 .../wss4j/PolicyBasedWSS4JInInterceptor.java    |  5 ++
 .../AbstractBindingPolicyValidator.java         | 12 ----
 .../policyvalidators/LayoutPolicyValidator.java | 69 +++++++++++++++-----
 .../TransportBindingPolicyValidator.java        | 12 ----
 .../cxf/systest/ws/x509/DoubleItX509.wsdl       | 10 +--
 5 files changed, 62 insertions(+), 46 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/594ca433/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index ae40012..a9b1245 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -75,6 +75,7 @@ import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingToken
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.LayoutPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEncryptedTokenPolicyValidator;
@@ -776,6 +777,10 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor
{
                 aim, msg, soapBody, results, signedResults, encryptedResults
             );
         
+        // Check Layout that might not be tied to a binding
+        LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator();
+        check &= layoutValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
+        
         return check;
     }
     
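Review bot: The comment on the added call, `// Check Layout that might not be tied to a binding`, undersells what this line now does: with the Layout checks removed from AbstractBindingPolicyValidator and TransportBindingPolicyValidator in this same commit, this is the only place a Layout assertion is validated at all, nested or not, and a reader of the interceptor should know that. Suggest `// Validate every Layout assertion; the binding validators no longer check Layout themselves`. Since the new LayoutPolicyValidator carries no state, the per-message `new LayoutPolicyValidator()` could also become a `private static final` instance, as a matter of style. The enclosing method begins before this hunk.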

http://git-wip-us.apache.org/repos/asf/cxf/blob/594ca433/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index d54956a..5cf16ae 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
@@ -36,7 +36,6 @@ import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.SPConstants;
 import org.apache.cxf.ws.security.policy.model.EncryptionToken;
-import org.apache.cxf.ws.security.policy.model.Layout;
 import org.apache.cxf.ws.security.policy.model.ProtectionToken;
 import org.apache.cxf.ws.security.policy.model.SignatureToken;
 import org.apache.cxf.ws.security.policy.model.SymmetricAsymmetricBindingBase;
@@ -172,17 +171,6 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
         }
         assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
         
-        // Check the Layout
-        Layout layout = binding.getLayout();
-        LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator(results, signedResults);
-        if (!layoutValidator.validatePolicy(layout)) {
-            String error = "Layout does not match the requirements";
-            notAssertPolicy(aim, layout, error);
-            ai.setNotAsserted(error);
-            return false;
-        }
-        assertPolicy(aim, layout);
-        
         // Check the EntireHeaderAndBodySignatures property
         if (binding.isEntireHeadersAndBodySignatures()
             && !validateEntireHeaderAndBodySignatures(signedResults)) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/594ca433/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
index 997dd47..3762921 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
@@ -21,14 +21,18 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
+import java.util.Collection;
 import java.util.List;
 
 import javax.xml.namespace.QName;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.SPConstants;
 import org.apache.cxf.ws.security.policy.model.Layout;
 import org.apache.ws.security.WSConstants;
@@ -46,17 +50,44 @@ import org.apache.ws.security.saml.ext.AssertionWrapper;
  */
 public class LayoutPolicyValidator {
     
-    private List<WSSecurityEngineResult> results;
-    private List<WSSecurityEngineResult> signedResults;
+    public boolean validatePolicy(
+        AssertionInfoMap aim,
+        Message message,
+        Element soapBody,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.LAYOUT);
+        if (ais != null && !ais.isEmpty()) {
+            parsePolicies(aim, ais, message, results, signedResults);
+        }
 
-    public LayoutPolicyValidator(
-        List<WSSecurityEngineResult> results, List<WSSecurityEngineResult> signedResults
+        return true;
+    }
+            
+    private void parsePolicies(
+        AssertionInfoMap aim,
+        Collection<AssertionInfo> ais, 
+        Message message,  
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
     ) {
-        this.results = results;
-        this.signedResults = signedResults;
+        for (AssertionInfo ai : ais) {
+            Layout layout = (Layout)ai.getAssertion();
+            ai.setAsserted(true);
+
+            if (!validatePolicy(layout, results, signedResults)) {
+                String error = "Layout does not match the requirements";
+                ai.setNotAsserted(error);
+            }
+        }
     }
-    
-    public boolean validatePolicy(Layout layout) {
+
+    public boolean validatePolicy(
+        Layout layout,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
         boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTsFirst;
         boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTsLast;
         boolean strict = layout.getValue() == SPConstants.Layout.Strict;
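Review bot: The new public `validatePolicy(AssertionInfoMap, Message, Element, List, List)` returns `true` unconditionally, so a failed Layout check is recorded only through `ai.setNotAsserted(error)` and the caller's `check &= layoutValidator.validatePolicy(...)` in PolicyBasedWSS4JInInterceptor can never turn `check` false; the binding-level code this commit removes did return `false` on a mismatch. If the intent is that failures surface only via the AssertionInfo, say so in a Javadoc on the method and drop the `&=` at the caller; otherwise have `parsePolicies` report whether every Layout assertion validated and return that, as sketched below. The `aim` and `message` parameters of `parsePolicies` and `soapBody` of the public method are unused in this hunk; the private helper can shed them (the public signature should stay for the caller). The second `validatePolicy(Layout, ...)` continues past the end of the hunk.
```java
    public boolean validatePolicy(
        AssertionInfoMap aim,
        Message message,
        Element soapBody,
        List<WSSecurityEngineResult> results,
        List<WSSecurityEngineResult> signedResults
    ) {
        Collection<AssertionInfo> ais = aim.get(SP12Constants.LAYOUT);
        if (ais == null || ais.isEmpty()) {
            return true;
        }
        return parsePolicies(ais, results, signedResults);
    }

    // Returns false if any Layout assertion fails; each failure is also recorded on its AssertionInfo.
    private boolean parsePolicies(
        Collection<AssertionInfo> ais,
        List<WSSecurityEngineResult> results,
        List<WSSecurityEngineResult> signedResults
    ) {
        boolean allValid = true;
        for (AssertionInfo ai : ais) {
            Layout layout = (Layout)ai.getAssertion();
            ai.setAsserted(true);
            if (!validatePolicy(layout, results, signedResults)) {
                ai.setNotAsserted("Layout does not match the requirements");
                allValid = false;
            }
        }
        return allValid;
    }
    // … unchanged: validatePolicy(Layout, results, signedResults) …
```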
@@ -78,16 +109,19 @@ public class LayoutPolicyValidator {
             if (lastAction.intValue() != WSConstants.TS) {
                 return false;
             }
-        } else if (strict && (!validateStrictSignaturePlacement() 
-            || !validateStrictSignatureTokenPlacement()
-            || !checkSignatureIsSignedPlacement())) {
+        } else if (strict && (!validateStrictSignaturePlacement(results, signedResults)

+            || !validateStrictSignatureTokenPlacement(results)
+            || !checkSignatureIsSignedPlacement(signedResults))) {
             return false;
         }
         
         return true;
     }
     
-    private boolean validateStrictSignaturePlacement() {
+    private boolean validateStrictSignaturePlacement(
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
         // Go through each Signature and check any security header token is before the Signature
         for (WSSecurityEngineResult signedResult : signedResults) {
             List<WSDataRef> sl = 
@@ -125,13 +159,13 @@ public class LayoutPolicyValidator {
         return true;
     }
     
-    private boolean validateStrictSignatureTokenPlacement() {
+    private boolean validateStrictSignatureTokenPlacement(List<WSSecurityEngineResult>
results) {
         // Go through each Signature and check that the Signing Token appears before the
Signature
         for (int i = 0; i < results.size(); i++) {
             WSSecurityEngineResult result = results.get(i);
             Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt == WSConstants.SIGN) {
-                int correspondingIndex = findCorrespondingTokenIndex(result);
+                int correspondingIndex = findCorrespondingTokenIndex(result, results);
                 if (correspondingIndex > 0 && correspondingIndex < i) {
                     return false;
                 }
@@ -141,7 +175,7 @@ public class LayoutPolicyValidator {
         return true;
     }
     
-    private boolean checkSignatureIsSignedPlacement() {
+    private boolean checkSignatureIsSignedPlacement(List<WSSecurityEngineResult> signedResults)
{
         for (int i = 0; i < signedResults.size(); i++) {
             WSSecurityEngineResult signedResult = signedResults.get(i);
             List<WSDataRef> sl =
@@ -181,7 +215,8 @@ public class LayoutPolicyValidator {
      * to sign the "signatureResult" argument.
      */
     private int findCorrespondingTokenIndex(
-        WSSecurityEngineResult signatureResult
+        WSSecurityEngineResult signatureResult,
+        List<WSSecurityEngineResult> results
     ) {
         // See what was used to sign this result
         X509Certificate cert = 
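Review bot: The Javadoc of `findCorrespondingTokenIndex` (it starts before this hunk) is not updated for the new `results` parameter, which the method presumably searches for the token that signed `signatureResult`. Suggest adding `@param results the full list of security results to search for the signing token` and `@return the index of the signing token in {@code results}`, stating what is returned when no token is found, since `validateStrictSignatureTokenPlacement` compares the result against `0`. The method body continues outside the hunk.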

http://git-wip-us.apache.org/repos/asf/cxf/blob/594ca433/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
index c28d739..359a7fe 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
@@ -30,7 +30,6 @@ import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Layout;
 import org.apache.cxf.ws.security.policy.model.TransportBinding;
 import org.apache.ws.security.WSSecurityEngineResult;
 
@@ -83,17 +82,6 @@ public class TransportBindingPolicyValidator extends AbstractBindingPolicyValida
                 continue;
             }
             assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
-            
-            // Check the Layout
-            Layout layout = binding.getLayout();
-            LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator(results, signedResults);
-            if (!layoutValidator.validatePolicy(layout)) {
-                String error = "Layout does not match the requirements";
-                notAssertPolicy(aim, layout, error);
-                ai.setNotAsserted(error);
-                continue;
-            }
-            assertPolicy(aim, layout);
         }
         
         // We don't need to check these policies for the Transport binding

http://git-wip-us.apache.org/repos/asf/cxf/blob/594ca433/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
index 5cb3652..3d4134c 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
@@ -856,11 +856,6 @@
                         </sp:X509Token>
                      </wsp:Policy>
                   </sp:RecipientToken>
-                  <sp:Layout>
-                     <wsp:Policy>
-                        <sp:Lax/>
-                     </wsp:Policy>
-                  </sp:Layout>
                   <sp:IncludeTimestamp/>
                   <sp:OnlySignEntireHeadersAndBody/>
                   <sp:AlgorithmSuite>
@@ -870,6 +865,11 @@
                   </sp:AlgorithmSuite>
                </wsp:Policy>
             </sp:AsymmetricBinding>
+            <sp:Layout>
+               <wsp:Policy>
+                  <sp:Lax/>
+               </wsp:Policy>
+            </sp:Layout>
          </wsp:All>
       </wsp:ExactlyOne>
     </wsp:Policy>
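Review bot: Moving `sp:Layout` out of the `sp:AsymmetricBinding` means this test resource no longer exercises the nested form named in the commit title (AsymmetricBinding -> Layout -> Policy -> Lax), which is the case the validator change is meant to fix. Unless another resource in the systests still declares a Layout inside a binding, consider keeping one policy here in the nested form, so a regression in how nested Layout assertions reach the AssertionInfoMap is caught. It is also worth a one-line XML comment above the moved element, e.g. `<!-- Layout declared outside the binding; validated standalone by LayoutPolicyValidator -->`, so the placement reads as intentional.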

