From dk...@apache.org
Subject git commit: If the WS-SC client does not send a SOAPAction, degrade to the old DOM based processing.
Date Tue, 12 Aug 2014 20:08:56 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 67201fdde -> 5b40876ad


If the WS-SC client does not send a SOAPAction, degrade to the old DOM based processing.


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5b40876a
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5b40876a
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5b40876a

Branch: refs/heads/master
Commit: 5b40876ade9ace5c4aba6fbfdc2ddf15a343a31d
Parents: 67201fd
Author: Daniel Kulp <dkulp@apache.org>
Authored: Tue Aug 12 16:08:03 2014 -0400
Committer: Daniel Kulp <dkulp@apache.org>
Committed: Tue Aug 12 16:08:03 2014 -0400

----------------------------------------------------------------------
 .../SecureConversationInInterceptor.java        | 216 +++++++++++--------
 .../ws/security/wss4j/WSS4JInInterceptor.java   |   3 +
 .../apache/cxf/systest/ws/wssc/WSSCTest.java    |  46 +++-
 3 files changed, 171 insertions(+), 94 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/5b40876a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
index fa553d0..d17bdd0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
@@ -28,6 +28,7 @@ import java.util.Properties;
 import javax.xml.namespace.QName;
 
 import org.w3c.dom.Element;
+
 import org.apache.cxf.binding.soap.SoapBindingConstants;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor;
@@ -42,6 +43,7 @@ import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.staxutils.W3CDOMStreamWriter;
 import org.apache.cxf.ws.addressing.AddressingProperties;
 import org.apache.cxf.ws.addressing.JAXWSAConstants;
+import org.apache.cxf.ws.addressing.soap.MAPCodec;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
@@ -52,6 +54,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.trust.DefaultSymmetricBinding;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.cxf.ws.security.trust.STSUtils;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
@@ -97,10 +100,10 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
     }
     
     public void handleMessage(SoapMessage message) throws Fault {
-        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+        final AssertionInfoMap aim = message.get(AssertionInfoMap.class);
         // extract Assertion information
         if (aim != null) {
-            Collection<AssertionInfo> ais = 
+            final Collection<AssertionInfo> ais = 
                 NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
             if (ais.isEmpty()) {
                 return;
@@ -122,105 +125,132 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
             if (s == null) {
                 s = SoapActionInInterceptor.getSoapAction(message);
             }
-            String addNs = null;
-            AddressingProperties inProps = (AddressingProperties)message
-                .getContextualProperty(JAXWSAConstants.ADDRESSING_PROPERTIES_INBOUND);
-            if (inProps != null) {
-                addNs = inProps.getNamespaceURI();
-                if (s == null) {
-                    //MS/WCF doesn't put a soap action out for this, must check the headers
-                    s = inProps.getAction().getValue();
-                }
+            
+            if (s != null) {
+                handleMessageForAction(message, s, aim, ais);
+            } else {
+                // could not get an action, we have to delay until after the WS-A headers are read and
+                // processed
+                AbstractPhaseInterceptor<SoapMessage> post 
+                    = new AbstractPhaseInterceptor<SoapMessage>(Phase.PRE_PROTOCOL) {
+                            public void handleMessage(SoapMessage message) throws Fault {
+                                String s = (String)message.get(SoapBindingConstants.SOAP_ACTION);
+                                if (s == null) {
+                                    s = SoapActionInInterceptor.getSoapAction(message);
+                                }
+                                handleMessageForAction(message, s, aim, ais);
+                            }
+                        };
+                post.addAfter(MAPCodec.class.getName());
+                post.addBefore(PolicyBasedWSS4JInInterceptor.class.getName());
+                //need to drop to DOM version so we can setup the sec/conv stuff in advance
+                message.put(SecurityConstants.ENABLE_STREAMING_SECURITY, Boolean.FALSE);
+                message.getInterceptorChain().add(post);
+            }
+        }
+    }
+    
+    void handleMessageForAction(SoapMessage message, String s, 
+                                AssertionInfoMap aim,
+                                Collection<AssertionInfo> ais) {
+        String addNs = null;
+        AddressingProperties inProps = (AddressingProperties)message
+            .getContextualProperty(JAXWSAConstants.ADDRESSING_PROPERTIES_INBOUND);
+        if (inProps != null) {
+            addNs = inProps.getNamespaceURI();
+            if (s == null) {
+                //MS/WCF doesn't put a soap action out for this, must check the headers
+                s = inProps.getAction().getValue();
             }
+        }
 
-            if (s != null 
-                && s.contains("/RST/SCT")
-                && (s.startsWith(STSUtils.WST_NS_05_02)
-                    || s.startsWith(STSUtils.WST_NS_05_12))) {
+        if (s != null 
+            && s.contains("/RST/SCT")
+            && (s.startsWith(STSUtils.WST_NS_05_02)
+                || s.startsWith(STSUtils.WST_NS_05_12))) {
 
-                SecureConversationToken tok = (SecureConversationToken)ais.iterator()
-                    .next().getAssertion();
-                Policy pol = tok.getBootstrapPolicy().getPolicy();
-                if (s.endsWith("Cancel") || s.endsWith("/Renew")) {
-                    //Cancel and Renew just sign with the token
-                    Policy p = new Policy();
-                    ExactlyOne ea = new ExactlyOne();
-                    p.addPolicyComponent(ea);
-                    All all = new All();
-                    Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
-                    all.addPolicyComponent(ass);
-                    ea.addPolicyComponent(all);
-                    
-                    final SecureConversationToken secureConversationToken = 
-                        new SecureConversationToken(
-                            SPConstants.SPVersion.SP12,
-                            SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER,
-                            null,
-                            null,
-                            null,
-                            new Policy()
-                        );
-                    
-                    Policy sctPolicy = new Policy();
-                    ExactlyOne sctPolicyEa = new ExactlyOne();
-                    sctPolicy.addPolicyComponent(sctPolicyEa);
-                    All sctPolicyAll = new All();
-                    sctPolicyAll.addPolicyComponent(secureConversationToken);
-                    sctPolicyEa.addPolicyComponent(sctPolicyAll);
-                    
-                    Policy bindingPolicy = new Policy();
-                    ExactlyOne bindingPolicyEa = new ExactlyOne();
-                    bindingPolicy.addPolicyComponent(bindingPolicyEa);
-                    All bindingPolicyAll = new All();
-                    
-                    AbstractBinding origBinding = getBinding(aim);
-                    bindingPolicyAll.addPolicyComponent(origBinding.getAlgorithmSuite());
-                    bindingPolicyAll.addPolicyComponent(new ProtectionToken(SPConstants.SPVersion.SP12, sctPolicy));
-                    bindingPolicyAll.addAssertion(
-                        new PrimitiveAssertion(SP12Constants.INCLUDE_TIMESTAMP));
-                    bindingPolicyAll.addAssertion(
-                        new PrimitiveAssertion(SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
-                    bindingPolicyEa.addPolicyComponent(bindingPolicyAll);
-                    
-                    DefaultSymmetricBinding binding = 
-                        new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, bindingPolicy);
-                    binding.setOnlySignEntireHeadersAndBody(true);
-                    binding.setProtectTokens(false);
-                    
-                    all.addPolicyComponent(binding);
-                    
-                    SignedParts signedParts = getSignedParts(aim, addNs);
-                    all.addPolicyComponent(signedParts);
-                    pol = p;
-                    message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
-                } else {
-                    Policy p = new Policy();
-                    ExactlyOne ea = new ExactlyOne();
-                    p.addPolicyComponent(ea);
-                    All all = new All();
-                    Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
-                    all.addPolicyComponent(ass);
-                    ea.addPolicyComponent(all);
-                    pol = p.merge(pol);
-                }
+            SecureConversationToken tok = (SecureConversationToken)ais.iterator()
+                .next().getAssertion();
+            Policy pol = tok.getBootstrapPolicy().getPolicy();
+            if (s.endsWith("Cancel") || s.endsWith("/Renew")) {
+                //Cancel and Renew just sign with the token
+                Policy p = new Policy();
+                ExactlyOne ea = new ExactlyOne();
+                p.addPolicyComponent(ea);
+                All all = new All();
+                Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
+                all.addPolicyComponent(ass);
+                ea.addPolicyComponent(all);
                 
-                //setup SCT endpoint and forward to it.
-                unmapSecurityProps(message);
-                String ns = STSUtils.WST_NS_05_12;
-                if (s.startsWith(STSUtils.WST_NS_05_02)) {
-                    ns = STSUtils.WST_NS_05_02;
-                }
-                NegotiationUtils.recalcEffectivePolicy(message, ns, pol, 
-                                                       new SecureConversationSTSInvoker(),
-                                                       true);
-                //recalc based on new endpoint
-                SoapActionInInterceptor.getAndSetOperation(message, s);
-            } else {
+                final SecureConversationToken secureConversationToken = 
+                    new SecureConversationToken(
+                        SPConstants.SPVersion.SP12,
+                        SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER,
+                        null,
+                        null,
+                        null,
+                        new Policy()
+                    );
+                
+                Policy sctPolicy = new Policy();
+                ExactlyOne sctPolicyEa = new ExactlyOne();
+                sctPolicy.addPolicyComponent(sctPolicyEa);
+                All sctPolicyAll = new All();
+                sctPolicyAll.addPolicyComponent(secureConversationToken);
+                sctPolicyEa.addPolicyComponent(sctPolicyAll);
+                
+                Policy bindingPolicy = new Policy();
+                ExactlyOne bindingPolicyEa = new ExactlyOne();
+                bindingPolicy.addPolicyComponent(bindingPolicyEa);
+                All bindingPolicyAll = new All();
+                
+                AbstractBinding origBinding = getBinding(aim);
+                bindingPolicyAll.addPolicyComponent(origBinding.getAlgorithmSuite());
+                bindingPolicyAll.addPolicyComponent(new ProtectionToken(SPConstants.SPVersion.SP12, sctPolicy));
+                bindingPolicyAll.addAssertion(
+                    new PrimitiveAssertion(SP12Constants.INCLUDE_TIMESTAMP));
+                bindingPolicyAll.addAssertion(
+                    new PrimitiveAssertion(SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
+                bindingPolicyEa.addPolicyComponent(bindingPolicyAll);
+                
+                DefaultSymmetricBinding binding = 
+                    new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, bindingPolicy);
+                binding.setOnlySignEntireHeadersAndBody(true);
+                binding.setProtectTokens(false);
+                
+                all.addPolicyComponent(binding);
+                
+                SignedParts signedParts = getSignedParts(aim, addNs);
+                all.addPolicyComponent(signedParts);
+                pol = p;
                 message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
+            } else {
+                Policy p = new Policy();
+                ExactlyOne ea = new ExactlyOne();
+                p.addPolicyComponent(ea);
+                All all = new All();
+                Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
+                all.addPolicyComponent(ass);
+                ea.addPolicyComponent(all);
+                pol = p.merge(pol);
             }
             
-            assertPolicies(aim);
+            //setup SCT endpoint and forward to it.
+            unmapSecurityProps(message);
+            String ns = STSUtils.WST_NS_05_12;
+            if (s.startsWith(STSUtils.WST_NS_05_02)) {
+                ns = STSUtils.WST_NS_05_02;
+            }
+            NegotiationUtils.recalcEffectivePolicy(message, ns, pol, 
+                                                   new SecureConversationSTSInvoker(),
+                                                   true);
+            //recalc based on new endpoint
+            SoapActionInInterceptor.getAndSetOperation(message, s);
+        } else {
+            message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
         }
+        
+        assertPolicies(aim);
     }
     
     private SignedParts getSignedParts(AssertionInfoMap aim, String addNs) {
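Review bot: In `handleMessageForAction`, `s = inProps.getAction().getValue();` dereferences the WS-Addressing Action without a null check, and the new deferred interceptor calls this method with `s == null` whenever the client sent no SOAPAction, so a request that also omits the wsa:Action header would presumably end in a NullPointerException rather than falling through to the non-SCT branch. I would guard it as `if (s == null && inProps.getAction() != null) {`. The action string is read before `PolicyBasedWSS4JInInterceptor` has verified anything and it selects the effective policy, so a comment such as `// action is sender-supplied and unverified here; it only selects which policy is then enforced` would help the next reader. `ENABLE_STREAMING_SECURITY` is also set to `Boolean.FALSE` for every action-less message reaching that branch, not only RST/SCT requests, so the DOM and StAX paths need to enforce the same policy for the fallback to be safe. `handleMessage` begins above this hunk.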

http://git-wip-us.apache.org/repos/asf/cxf/blob/5b40876a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index f408f35..59ec589 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -45,6 +45,7 @@ import javax.xml.transform.dom.DOMSource;
 
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
+
 import org.apache.cxf.binding.soap.SoapFault;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.binding.soap.SoapVersion;
@@ -66,6 +67,7 @@ import org.apache.cxf.rt.security.saml.SAMLUtils;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.staxutils.StaxUtils;
+import org.apache.cxf.ws.addressing.soap.MAPCodec;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
@@ -122,6 +124,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
 
         setPhase(Phase.PRE_PROTOCOL);
         getAfter().add(SAAJInInterceptor.class.getName());
+        getAfter().add(MAPCodec.class.getName());
     }
     public WSS4JInInterceptor(boolean ignore) {
         this();
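Review bot: The new `getAfter().add(MAPCodec.class.getName());` in the no-arg constructor carries no comment explaining why security processing must now follow WS-Addressing decoding. Judging from the SecureConversationInInterceptor change in the same commit, the reason appears to be that the WS-A Action has to be readable before the security header is processed when no SOAPAction is sent; I would add `// run after MAPCodec: SecureConversationInInterceptor may need the WS-A Action before security processing` above the line. With this ordering the addressing properties are on the message before any signature over them has been checked, so anything placed between MAPCodec and this interceptor should treat them as unverified. The constructor body starts outside the hunk.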

http://git-wip-us.apache.org/repos/asf/cxf/blob/5b40876a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
index d062d19..fdf2346 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
@@ -27,10 +27,21 @@ import javax.xml.ws.BindingProvider;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
+import org.apache.cxf.binding.soap.SoapBindingConstants;
+import org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor;
+import org.apache.cxf.binding.soap.interceptor.SoapPreProtocolOutInterceptor;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
 import org.apache.cxf.systest.ws.common.SecurityTestUtil;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.trust.STSClient;
+import org.apache.cxf.ws.security.trust.STSUtils;
+
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -60,14 +71,23 @@ public class WSSCTest extends AbstractBusClientServerTestBase {
         final String prefix;
         final boolean streaming;
         final String port;
+        final boolean clearAction;
         
         public TestParam(String p, String port, boolean b) {
             prefix = p;
             this.port = port;
             streaming = b;
+            clearAction = false;
+        }
+        public TestParam(String p, String port, boolean b, boolean a) {
+            prefix = p;
+            this.port = port;
+            streaming = b;
+            clearAction = a;
         }
         public String toString() {
-            return prefix + ":" + port + ":" + (streaming ? "streaming" : "dom");
+            return prefix + ":" + port + ":" + (streaming ? "streaming" : "dom") 
+                + (clearAction ? "/no SOAPAction" : "");
         }
     }
     
@@ -204,6 +224,11 @@ public class WSSCTest extends AbstractBusClientServerTestBase {
             // {new TestParam("_XD_IPingService", STAX_PORT, true)},
             // {new TestParam("_XD-SEES_IPingService", STAX_PORT, true)},
             // {new TestParam("_XD-ES_IPingService", STAX_PORT, true)},
+            
+            {new TestParam("AC_IPingService", PORT, false, true)},
+            {new TestParam("AC_IPingService", PORT, true, true)},
+            {new TestParam("AC_IPingService", STAX_PORT, false, true)},
+            {new TestParam("AC_IPingService", STAX_PORT, true, true)},
         });
     }
     
@@ -244,6 +269,25 @@ public class WSSCTest extends AbstractBusClientServerTestBase {
                 SecurityConstants.ENABLE_STREAMING_SECURITY, "true"
             );
         }
+        if (test.clearAction) {
+            AbstractPhaseInterceptor<Message> clearActionInterceptor 
+                = new AbstractPhaseInterceptor<Message>(Phase.POST_LOGICAL) {
+                    public void handleMessage(Message message) throws Fault {
+                        STSClient client = STSUtils.getClient(message, "sct");
+                        client.getOutInterceptors().add(this);
+                        message.put(SecurityConstants.STS_CLIENT, client);
+                        String s = (String)message.get(SoapBindingConstants.SOAP_ACTION);
+                        if (s == null) {
+                            s = SoapActionInInterceptor.getSoapAction(message);
+                        }
+                        if (s != null && s.contains("RST/SCT")) {
+                            message.put(SoapBindingConstants.SOAP_ACTION, "");
+                        }
+                    }
+                };
+            clearActionInterceptor.addBefore(SoapPreProtocolOutInterceptor.class.getName());
+            ((Client)port).getOutInterceptors().add(clearActionInterceptor);
+        }
 
         wssec.wssc.PingRequest params = new wssec.wssc.PingRequest();
         org.xmlsoap.ping.Ping ping = new org.xmlsoap.ping.Ping();
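Review bot: The anonymous `clearActionInterceptor` calls `client.getOutInterceptors().add(this)` on every message it handles, apparently including messages sent through the STS client it has just registered on, so the same instance can be appended to that list repeatedly. Guarding the registration, e.g. `if (!client.getOutInterceptors().contains(this)) { client.getOutInterceptors().add(this); }`, keeps the chain stable across invocations. The added parameters exercise only the successful fallback; a case where neither a SOAPAction nor a WS-A Action is present would pin down how the server rejects such a request. The enclosing test method starts and ends outside the hunk.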

