From cohei...@apache.org
Subject git commit: Improving some policy asserting
Date Mon, 07 Jul 2014 10:51:38 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 58f2f57e7 -> 1feb5a781


Improving some policy asserting


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1feb5a78
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1feb5a78
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1feb5a78

Branch: refs/heads/master
Commit: 1feb5a7811be010c92ae73477d35f1830212cff7
Parents: 58f2f57
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Jul 7 11:51:13 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jul 7 11:51:33 2014 +0100

----------------------------------------------------------------------
 .../wss4j/PolicyBasedWSS4JInInterceptor.java    | 62 +++++++++++++-------
 .../IssuedTokenPolicyValidator.java             | 14 ++++-
 .../KerberosTokenPolicyValidator.java           |  2 +
 .../SamlTokenPolicyValidator.java               |  2 +
 .../policyvalidators/WSS11PolicyValidator.java  |  6 ++
 .../X509TokenPolicyValidator.java               |  5 ++
 6 files changed, 68 insertions(+), 23 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/1feb5a78/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 5bd22a8..39d84ba 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -690,33 +690,53 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor
{
             // stuff we can default to asserted and un-assert if a condition isn't met
             assertPolicy(aim, SPConstants.KEY_VALUE_TOKEN);
             assertPolicy(aim, SPConstants.RSA_KEY_VALUE);
-            assertPolicy(aim, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE);
-            assertPolicy(aim, SPConstants.REQUIRE_THUMBPRINT_REFERENCE);
-            assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
-            assertPolicy(aim, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE);
-            assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
             
             // WSS10
-            assertPolicy(aim, SPConstants.WSS10);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
+            ais = getAllAssertionsByLocalname(aim, SPConstants.WSS10);
+            if (!ais.isEmpty()) {
+                for (AssertionInfo ai : ais) {
+                    ai.setAsserted(true);
+                }
+                assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
+                assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
+                assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
+                assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
+            }
             
             // Trust 1.0
-            assertPolicy(aim, SPConstants.TRUST_10);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE);
-            assertPolicy(aim, SPConstants.REQUIRE_CLIENT_ENTROPY);
-            assertPolicy(aim, SPConstants.REQUIRE_SERVER_ENTROPY);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_ISSUED_TOKENS);
+            ais = getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
+            boolean trust10Asserted = false;
+            if (!ais.isEmpty()) {
+                for (AssertionInfo ai : ais) {
+                    ai.setAsserted(true);
+                }
+                assertPolicy(aim, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE);
+                assertPolicy(aim, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE);
+                assertPolicy(aim, SPConstants.REQUIRE_CLIENT_ENTROPY);
+                assertPolicy(aim, SPConstants.REQUIRE_SERVER_ENTROPY);
+                assertPolicy(aim, SPConstants.MUST_SUPPORT_ISSUED_TOKENS);
+                trust10Asserted = true;
+            }
             
             // Trust 1.3
-            assertPolicy(aim, SPConstants.TRUST_13);
-            assertPolicy(aim, SP12Constants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION);
-            assertPolicy(aim, SP12Constants.REQUIRE_APPLIES_TO);
-            assertPolicy(aim, SP13Constants.SCOPE_POLICY_15);
-            assertPolicy(aim, SP13Constants.MUST_SUPPORT_INTERACTIVE_CHALLENGE);
+            ais = getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
+            if (!ais.isEmpty()) {
+                for (AssertionInfo ai : ais) {
+                    ai.setAsserted(true);
+                }
+                assertPolicy(aim, SP12Constants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION);
+                assertPolicy(aim, SP12Constants.REQUIRE_APPLIES_TO);
+                assertPolicy(aim, SP13Constants.SCOPE_POLICY_15);
+                assertPolicy(aim, SP13Constants.MUST_SUPPORT_INTERACTIVE_CHALLENGE);
+                
+                if (!trust10Asserted) {
+                    assertPolicy(aim, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE);
+                    assertPolicy(aim, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE);
+                    assertPolicy(aim, SPConstants.REQUIRE_CLIENT_ENTROPY);
+                    assertPolicy(aim, SPConstants.REQUIRE_SERVER_ENTROPY);
+                    assertPolicy(aim, SPConstants.MUST_SUPPORT_ISSUED_TOKENS);
+                }
+            }
             
             message.put(WSHandlerConstants.ACTION, action.trim());
         }
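Review bot: The assertions under the Trust 1.0 and Trust 1.3 branches — RequireClientEntropy, RequireServerEntropy, MustSupportIssuedTokens, MustSupportClientChallenge and the rest — are still marked asserted without any check against the received message, and nothing in this hunk un-asserts them, so the comment at the top of the hunk, "default to asserted and un-assert if a condition isn't met", no longer describes what these branches do. If they are asserted because they constrain the token request to the STS rather than this inbound message, say so above the Trust 1.0 block, e.g. `// Trust 1.x assertions constrain the STS exchange, not this message: asserted as understood, not verified here`. The `trust10Asserted` flag exists only to avoid asserting the same five assertions twice, which `assertPolicy` presumably tolerates (it performs the same setAsserted(true) the hand-written loops do), so the two branches can be flattened as below, which also restores `assertPolicy(aim, SPConstants.TRUST_10)` in place of the explicit loop for consistency with the rest of the method. `ais` is declared before the hunk and the enclosing method continues past it.
```java
// Trust 1.0 / Trust 1.3
// NOTE(review): presumably these constrain the STS exchange rather than this
// inbound message; they are asserted as understood, not verified here — confirm.
boolean trust10 = !getAllAssertionsByLocalname(aim, SPConstants.TRUST_10).isEmpty();
boolean trust13 = !getAllAssertionsByLocalname(aim, SPConstants.TRUST_13).isEmpty();
if (trust10) {
    assertPolicy(aim, SPConstants.TRUST_10);
}
if (trust13) {
    assertPolicy(aim, SPConstants.TRUST_13);
    assertPolicy(aim, SP12Constants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION);
    assertPolicy(aim, SP12Constants.REQUIRE_APPLIES_TO);
    assertPolicy(aim, SP13Constants.SCOPE_POLICY_15);
    assertPolicy(aim, SP13Constants.MUST_SUPPORT_INTERACTIVE_CHALLENGE);
}
if (trust10 || trust13) {
    // shared by both Trust versions, so asserted once whichever is present
    assertPolicy(aim, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE);
    assertPolicy(aim, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE);
    assertPolicy(aim, SPConstants.REQUIRE_CLIENT_ENTROPY);
    assertPolicy(aim, SPConstants.REQUIRE_SERVER_ENTROPY);
    assertPolicy(aim, SPConstants.MUST_SUPPORT_ISSUED_TOKENS);
}
// … unchanged: message.put(WSHandlerConstants.ACTION, action.trim()) …
```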

http://git-wip-us.apache.org/repos/asf/cxf/blob/1feb5a78/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
index 650d0d1..d88ffd9 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
@@ -24,18 +24,18 @@ import java.util.Collection;
 import java.util.List;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.IssuedToken;
-
 import org.opensaml.common.SAMLVersion;
 
 /**
@@ -105,6 +105,11 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator
{
                 continue;
             }
         }
+        
+        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+        assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
+        assertPolicy(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
+        
         return true;
     }
     
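Review bot: The two reference assertions added before `return true` — RequireInternalReference and RequireExternalReference — are asserted on every successful validation regardless of how the issued token was actually referenced in the message, so a policy that requires one reference form is also satisfied by a message that used the other. If the intent is only to declare that both forms are supported, a comment saying so would stop the next reader from treating this as a check, e.g. `// Both reference forms are supported; asserted without inspecting the STR actually used`. `message.get(AssertionInfoMap.class)` can be null when no policy is attached to the message; `assertPolicy` presumably tolerates that, but it is worth confirming since the lookup is new here. The enclosing method starts before this hunk.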
@@ -136,6 +141,11 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator
{
                 return false;
             }
         }
+        
+        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+        assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
+        assertPolicy(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
+        
         return true;
     }
     
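Review bot: This block is a byte-for-byte copy of the one added to the previous method in this file — the `AssertionInfoMap` lookup followed by the same two `assertPolicy` calls — and both sit on the success path just before `return true`. Extracting it into a private helper and calling `assertReferencePolicies(message);` from both places keeps the two in step if the set of reference assertions ever changes. The enclosing method starts before this hunk.
```java
/** Marks the IssuedToken reference-form assertions asserted; does not inspect the STR actually used. */
private void assertReferencePolicies(Message message) {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
    assertPolicy(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
}
```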

http://git-wip-us.apache.org/repos/asf/cxf/blob/1feb5a78/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
index cdf8970..6624e9c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
@@ -52,6 +52,8 @@ public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator
{
         Collection<AssertionInfo> krbAis = getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
         if (!krbAis.isEmpty()) {
             parsePolicies(aim, krbAis, kerberosToken);
+            
+            assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
         }
         
         return true;
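Review bot: RequireKeyIdentifierReference is asserted unconditionally once a KerberosToken assertion is present, after `parsePolicies` and independent of whatever it concluded, so the assertion is satisfied even if the Kerberos token in the message was referenced some other way. If that is deliberate — the reference form is declared supported here rather than checked — a one-line comment above the call would make it explicit, e.g. `// KeyIdentifier is the reference form for Kerberos tokens; asserted without inspecting the STR used`. The enclosing method starts before this hunk and `return true` is reached on every path shown, so nothing here can fail a policy.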

http://git-wip-us.apache.org/repos/asf/cxf/blob/1feb5a78/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
index 6b66731..4762bb0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
@@ -63,6 +63,8 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator
implem
         Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
         if (!ais.isEmpty()) {
             parsePolicies(aim, ais, message, results, signedResults);
+            
+            assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
         }
         
         return true;
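Review bot: RequireKeyIdentifierReference is asserted whenever a SamlToken assertion exists, with no check of how the SAML assertion was actually referenced, even though this validator — unlike the Kerberos one — already receives `signedResults` from which the reference form used by the signature could presumably be read. If verification is not intended, document that above the call, e.g. `// Declares KeyIdentifier references as supported; the STR form in the message is not checked here`; if it is intended, the check belongs next to `parsePolicies` where those results are in scope. The enclosing method starts before this hunk.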

http://git-wip-us.apache.org/repos/asf/cxf/blob/1feb5a78/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
index 9a29fc1..bbaebf9 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
@@ -54,6 +54,12 @@ public class WSS11PolicyValidator
             assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_THUMBPRINT);
             assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY);
             assertPolicy(aim, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION);
+            
+            // WSS 1.0
+            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
+            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
+            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
+            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
         }
         
         return true;
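Review bot: The four WSS 1.0 MustSupportRef* assertions are now asserted inside the Wss11 branch under the bare comment `// WSS 1.0`, which does not say why Wss10 assertions belong in a Wss11 validator; presumably because a policy may carry Wss11 without Wss10 and Wss11 subsumes the Wss10 reference options, but the reader has to guess. Replace the comment with the reason, e.g. `// Wss11 builds on Wss10, so a Wss11-only policy also gets the Wss10 reference assertions asserted here`. The same four calls appear in the Wss10 branch of PolicyBasedWSS4JInInterceptor in this commit; a shared helper would keep the two lists aligned. The enclosing method starts before this hunk.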

http://git-wip-us.apache.org/repos/asf/cxf/blob/1feb5a78/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
index 47bc249..ff1730a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
@@ -67,6 +67,11 @@ public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator
imple
             assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN11);
             assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN10);
             assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN11);
+            
+            assertPolicy(aim, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE);
+            assertPolicy(aim, SPConstants.REQUIRE_THUMBPRINT_REFERENCE);
+            assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
+            assertPolicy(aim, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE);
         }
         
         return true;
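Review bot: All four X509 reference-form assertions (IssuerSerial, Thumbprint, KeyIdentifier, EmbeddedToken) are asserted together with no look at which SecurityTokenReference form the signing certificate was actually presented with, so a policy requiring, say, RequireThumbprintReference is satisfied by a message that used an issuer/serial reference. If that is the intended contract — declaring support rather than verifying the message — say so in a comment above the block, e.g. `// Reference-form assertions are declared supported here, not checked against the STR in the message`; if verification is intended, the reference type would have to come from the signature results, which are not visible in this hunk. The enclosing method starts before this hunk.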

