cxf-commits mailing list archives

From cohei...@apache.org
Subject git commit: Assert SignedParts/EncryptedParts when we are using TLS with no bindings
Date Thu, 01 May 2014 14:20:02 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 0edab8ddf -> a989069e5


Assert SignedParts/EncryptedParts when we are using TLS with no bindings


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a989069e
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a989069e
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a989069e

Branch: refs/heads/master
Commit: a989069e57c1af85ca523097881543e3b91d58da
Parents: 0edab8d
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu May 1 15:19:11 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu May 1 15:19:41 2014 +0100

----------------------------------------------------------------------
 .../wss4j/PolicyBasedWSS4JInInterceptor.java    | 37 ++++++++++++++------
 1 file changed, 26 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/a989069e/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index bd37481..5bd22a8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -55,6 +55,7 @@ import org.apache.cxf.helpers.MapNamespaceContext;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.resource.ResourceManager;
+import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.service.model.EndpointInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
@@ -803,7 +804,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor
{
         // SIGNED_PARTS and ENCRYPTED_PARTS only apply to non-Transport bindings
         //
         boolean check = true;
-        if (!isTransportBinding(aim)) {
+        if (!isTransportBinding(aim, msg)) {
             check &= assertTokens(
                 aim, SPConstants.SIGNED_PARTS, signed, msg, soapHeader, soapBody, CoverageType.SIGNED
             );
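Review bot: The comment above this check, `// SIGNED_PARTS and ENCRYPTED_PARTS only apply to non-Transport bindings`, no longer describes the full condition. With this commit `isTransportBinding(aim, msg)` also returns true when the policy has no binding assertion and the message carries a `TLSSessionInfo`, so the parts checks are skipped in that case too. I would update the comment to something like `// SIGNED_PARTS and ENCRYPTED_PARTS are not checked for a Transport binding, nor when no binding is present and the message arrived over TLS`. The enclosing method starts and ends outside this hunk.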
@@ -1039,20 +1040,34 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor
{
         return true;
     }
 
-    private boolean isTransportBinding(AssertionInfoMap aim) {
+    private boolean isTransportBinding(AssertionInfoMap aim, SoapMessage message) {
         Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+            getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
         if (ais.size() > 0) {
-            ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
-            if (ais.size() > 0) {
-                return false;
-            }
-            ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
-            if (ais.size() > 0) {
-                return false;
-            }
+            return false;
+        }
+        
+        ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+        if (ais.size() > 0) {
+            return false;
+        }
+        
+        ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+        if (ais.size() > 0) {
+            return true;
+        }
+        
+        // No bindings, check if we are using TLS
+        TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+        if (tlsInfo != null) {
+            // We don't need to check these policies for TLS
+            assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
+            assertPolicy(aim, SP11Constants.ENCRYPTED_PARTS);
+            assertPolicy(aim, SP12Constants.SIGNED_PARTS);
+            assertPolicy(aim, SP11Constants.SIGNED_PARTS);
             return true;
         }
+        
         return false;
     }
     
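Review bot: In the final branch of `isTransportBinding`, a non-null `TLSSessionInfo` alone marks both SignedParts and EncryptedParts as asserted. A policy that names message-level parts but declares no binding is therefore satisfied by TLS on the inbound hop, with no further inspection of the session (for example, whether a peer certificate was presented). That may well be the intended equivalence with a declared TransportBinding, but the reasoning should be spelled out where `// We don't need to check these policies for TLS` is now, e.g. `// No binding in the policy: treat TLS on the inbound hop as covering SignedParts/EncryptedParts, as a TransportBinding would`. Separately, the method reads as a pure predicate but now calls `assertPolicy` four times; a Javadoc line stating that side effect, or moving the calls to the caller beside the `assertTokens` block, would keep it from surprising the next reader. The visible `TRANSPORT_BINDING` branch returns true without these `assertPolicy` calls, so it is worth confirming the two paths leave the assertion map in the same state.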

