From dk...@apache.org
Subject [2/2] git commit: If the WS-SC client does not send a SOAPAction, degrade to the old DOM based processing.
Date Tue, 12 Aug 2014 20:35:50 GMT
If the WS-SC client does not send a SOAPAction, degrade to the old DOM based processing.

Conflicts:
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
	systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/88e44fd0
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/88e44fd0
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/88e44fd0

Branch: refs/heads/2.7.x-fixes
Commit: 88e44fd0801fc65df50b00ef3c035d5ea699f701
Parents: 7e4353e
Author: Daniel Kulp <dkulp@apache.org>
Authored: Tue Aug 12 16:08:03 2014 -0400
Committer: Daniel Kulp <dkulp@apache.org>
Committed: Tue Aug 12 16:35:24 2014 -0400

----------------------------------------------------------------------
 .../SecureConversationInInterceptor.java        | 187 +++++++++++--------
 .../ws/security/wss4j/WSS4JInInterceptor.java   |   3 +
 .../apache/cxf/systest/ws/wssc/WSSCTest.java    |  41 +++-
 3 files changed, 150 insertions(+), 81 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/88e44fd0/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
index 72ae8bb..8189052 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
@@ -40,6 +40,7 @@ import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.staxutils.W3CDOMStreamWriter;
 import org.apache.cxf.ws.addressing.AddressingProperties;
 import org.apache.cxf.ws.addressing.JAXWSAConstants;
+import org.apache.cxf.ws.addressing.soap.MAPCodec;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.policy.PolicyBuilder;
@@ -58,6 +59,7 @@ import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.cxf.ws.security.trust.STSUtils;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.neethi.All;
 import org.apache.neethi.Assertion;
@@ -92,10 +94,10 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
     }
     
     public void handleMessage(SoapMessage message) throws Fault {
-        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+        final AssertionInfoMap aim = message.get(AssertionInfoMap.class);
         // extract Assertion information
         if (aim != null) {
-            Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
+            final Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
             if (ais == null || ais.isEmpty()) {
                 return;
             }
@@ -115,91 +117,116 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
             if (s == null) {
                 s = SoapActionInInterceptor.getSoapAction(message);
             }
-            String addNs = null;
-            AddressingProperties inProps = (AddressingProperties)message
-                .getContextualProperty(JAXWSAConstants.ADDRESSING_PROPERTIES_INBOUND);
-            if (inProps != null) {
-                addNs = inProps.getNamespaceURI();
-                if (s == null) {
-                    //MS/WCF doesn't put a soap action out for this, must check the headers
-                    s = inProps.getAction().getValue();
-                }
+            
+            if (s != null) {
+                handleMessageForAction(message, s, aim, ais);
+            } else {
+                // could not get an action, we have to delay until after the WS-A headers
are read and
+                // processed
+                AbstractPhaseInterceptor<SoapMessage> post
+                    = new AbstractPhaseInterceptor<SoapMessage>(Phase.PRE_PROTOCOL)
{
+                        public void handleMessage(SoapMessage message) throws Fault {
+                            String s = (String)message.get(SoapBindingConstants.SOAP_ACTION);
+                            if (s == null) {
+                                s = SoapActionInInterceptor.getSoapAction(message);
+                            }
+                            handleMessageForAction(message, s, aim, ais);
+                        }
+                    };
+                post.addAfter(MAPCodec.class.getName());
+                post.addBefore(PolicyBasedWSS4JInInterceptor.class.getName());
+                message.getInterceptorChain().add(post);
+            }
+        }
+    }
+    
+    void handleMessageForAction(SoapMessage message, String s,
+                                AssertionInfoMap aim,
+                                Collection<AssertionInfo> ais) {
+        String addNs = null;
+        AddressingProperties inProps = (AddressingProperties)message
+            .getContextualProperty(JAXWSAConstants.ADDRESSING_PROPERTIES_INBOUND);
+        if (inProps != null) {
+            addNs = inProps.getNamespaceURI();
+            if (s == null) {
+                //MS/WCF doesn't put a soap action out for this, must check the headers
+                s = inProps.getAction().getValue();
             }
+        }
 
-            if (s != null 
-                && s.contains("/RST/SCT")
-                && (s.startsWith(STSUtils.WST_NS_05_02)
-                    || s.startsWith(STSUtils.WST_NS_05_12))) {
+        if (s != null 
+            && s.contains("/RST/SCT")
+            && (s.startsWith(STSUtils.WST_NS_05_02)
+                || s.startsWith(STSUtils.WST_NS_05_12))) {
 
-                SecureConversationToken tok = (SecureConversationToken)ais.iterator()
-                    .next().getAssertion();
-                Policy pol = tok.getBootstrapPolicy();
-                if (s.endsWith("Cancel") || s.endsWith("/Renew")) {
-                    //Cancel and Renew just sign with the token
-                    Policy p = new Policy();
-                    ExactlyOne ea = new ExactlyOne();
-                    p.addPolicyComponent(ea);
-                    All all = new All();
-                    Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
-                    all.addPolicyComponent(ass);
-                    ea.addPolicyComponent(all);
-                    PolicyBuilder pbuilder = message.getExchange().getBus()
-                        .getExtension(PolicyBuilder.class);
-                    SymmetricBinding binding = new SymmetricBinding(SP12Constants.INSTANCE,
pbuilder);
-                    binding.setIncludeTimestamp(true);
-                    ProtectionToken token = new ProtectionToken(SP12Constants.INSTANCE, pbuilder);
-                    
-                    SecureConversationToken scToken = 
-                        new SecureConversationToken(SP12Constants.INSTANCE);
-                    scToken.setInclusion(SP12Constants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT);
-                    token.setToken(scToken);
-                    binding.setProtectionToken(token);
-                    binding.setEntireHeadersAndBodySignatures(true);
-                    
-                    Binding origBinding = getBinding(aim);
-                    binding.setAlgorithmSuite(origBinding.getAlgorithmSuite());
-                    all.addPolicyComponent(binding);
-                    
-                    SignedEncryptedParts parts = new SignedEncryptedParts(true, 
-                                                                          SP12Constants.INSTANCE);
-                    parts.setBody(true);
-                    if (addNs != null) {
-                        parts.addHeader(new Header("To", addNs));
-                        parts.addHeader(new Header("From", addNs));
-                        parts.addHeader(new Header("FaultTo", addNs));
-                        parts.addHeader(new Header("ReplyTO", addNs));
-                        parts.addHeader(new Header("MessageID", addNs));
-                        parts.addHeader(new Header("RelatesTo", addNs));
-                        parts.addHeader(new Header("Action", addNs));
-                    }
-                    all.addPolicyComponent(parts);
-                    pol = p;
-                    message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
-                } else {
-                    Policy p = new Policy();
-                    ExactlyOne ea = new ExactlyOne();
-                    p.addPolicyComponent(ea);
-                    All all = new All();
-                    Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
-                    all.addPolicyComponent(ass);
-                    ea.addPolicyComponent(all);
-                    pol = p.merge(pol);
-                }
+            SecureConversationToken tok = (SecureConversationToken)ais.iterator()
+                .next().getAssertion();
+            Policy pol = tok.getBootstrapPolicy();
+            if (s.endsWith("Cancel") || s.endsWith("/Renew")) {
+                //Cancel and Renew just sign with the token
+                Policy p = new Policy();
+                ExactlyOne ea = new ExactlyOne();
+                p.addPolicyComponent(ea);
+                All all = new All();
+                Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
+                all.addPolicyComponent(ass);
+                ea.addPolicyComponent(all);
+                PolicyBuilder pbuilder = message.getExchange().getBus()
+                    .getExtension(PolicyBuilder.class);
+                SymmetricBinding binding = new SymmetricBinding(SP12Constants.INSTANCE, pbuilder);
+                binding.setIncludeTimestamp(true);
+                ProtectionToken token = new ProtectionToken(SP12Constants.INSTANCE, pbuilder);
                 
-                //setup SCT endpoint and forward to it.
-                unmapSecurityProps(message);
-                String ns = STSUtils.WST_NS_05_12;
-                if (s.startsWith(STSUtils.WST_NS_05_02)) {
-                    ns = STSUtils.WST_NS_05_02;
+                SecureConversationToken scToken = 
+                    new SecureConversationToken(SP12Constants.INSTANCE);
+                scToken.setInclusion(SP12Constants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT);
+                token.setToken(scToken);
+                binding.setProtectionToken(token);
+                binding.setEntireHeadersAndBodySignatures(true);
+                
+                Binding origBinding = getBinding(aim);
+                binding.setAlgorithmSuite(origBinding.getAlgorithmSuite());
+                all.addPolicyComponent(binding);
+                
+                SignedEncryptedParts parts = new SignedEncryptedParts(true, 
+                                                                      SP12Constants.INSTANCE);
+                parts.setBody(true);
+                if (addNs != null) {
+                    parts.addHeader(new Header("To", addNs));
+                    parts.addHeader(new Header("From", addNs));
+                    parts.addHeader(new Header("FaultTo", addNs));
+                    parts.addHeader(new Header("ReplyTO", addNs));
+                    parts.addHeader(new Header("MessageID", addNs));
+                    parts.addHeader(new Header("RelatesTo", addNs));
+                    parts.addHeader(new Header("Action", addNs));
                 }
-                NegotiationUtils.recalcEffectivePolicy(message, ns, pol, 
-                                                       new SecureConversationSTSInvoker(),
-                                                       true);
-                //recalc based on new endpoint
-                SoapActionInInterceptor.getAndSetOperation(message, s);
-            } else {
+                all.addPolicyComponent(parts);
+                pol = p;
                 message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
+            } else {
+                Policy p = new Policy();
+                ExactlyOne ea = new ExactlyOne();
+                p.addPolicyComponent(ea);
+                All all = new All();
+                Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
+                all.addPolicyComponent(ass);
+                ea.addPolicyComponent(all);
+                pol = p.merge(pol);
+            }
+            
+            //setup SCT endpoint and forward to it.
+            unmapSecurityProps(message);
+            String ns = STSUtils.WST_NS_05_12;
+            if (s.startsWith(STSUtils.WST_NS_05_02)) {
+                ns = STSUtils.WST_NS_05_02;
             }
+            NegotiationUtils.recalcEffectivePolicy(message, ns, pol, 
+                                                   new SecureConversationSTSInvoker(),
+                                                   true);
+            //recalc based on new endpoint
+            SoapActionInInterceptor.getAndSetOperation(message, s);
+        } else {
+            message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
         }
     }
 
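Review bot: On the delayed path the anonymous interceptor can pass a null `s` into `handleMessageForAction`, which then calls `inProps.getAction().getValue()` without checking that an Action header was decoded. If `getAction()` can return null for a request that carries other WS-Addressing headers but no `wsa:Action` (not visible here, worth confirming), an unauthenticated request hits a NullPointerException before any security processing. A guard such as `if (s == null && inProps.getAction() != null) { s = inProps.getAction().getValue(); }` would keep that request on the ordinary else branch. Separately, the Cancel/Renew branch lists the signed header as `"ReplyTO"` while the WS-Addressing element is `ReplyTo`; if header matching is case-sensitive, that entry never matches and the reply address is not required to be signed, so `new Header("ReplyTo", addNs)` looks like the intended value. A short Javadoc on `handleMessageForAction` saying that `s` may be null and is client-supplied, not yet verified, would also help.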

http://git-wip-us.apache.org/repos/asf/cxf/blob/88e44fd0/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index fb22431..ed4d7bc 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -45,6 +45,7 @@ import javax.xml.transform.dom.DOMSource;
 
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
+
 import org.apache.cxf.binding.soap.SoapFault;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.binding.soap.SoapVersion;
@@ -66,6 +67,7 @@ import org.apache.cxf.phase.Phase;
 import org.apache.cxf.phase.PhaseInterceptor;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.staxutils.StaxUtils;
+import org.apache.cxf.ws.addressing.soap.MAPCodec;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.interceptors.NegotiationUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -122,6 +124,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
 
         setPhase(Phase.PRE_PROTOCOL);
         getAfter().add(SAAJInInterceptor.class.getName());
+        getAfter().add(MAPCodec.class.getName());
     }
     public WSS4JInInterceptor(boolean ignore) {
         this();
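Review bot: The added `getAfter().add(MAPCodec.class.getName())` sits in what appears to be the no-arg constructor that `this()` below chains to, so it reorders every WSS4JInInterceptor, not only WS-SecureConversation endpoints, and has no comment explaining why. WS-Addressing headers are now decoded before signatures are checked, so anything reading the inbound addressing properties between MAPCodec and this interceptor works on unverified values. I would add a comment such as `// must run after MAPCodec: WS-SC falls back to wsa:Action when no SOAPAction is sent; addressing values are unverified until this interceptor has run`. The constructor begins above the hunk.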

http://git-wip-us.apache.org/repos/asf/cxf/blob/88e44fd0/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
index b6c75e2..9d0e508 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
@@ -24,11 +24,21 @@ import javax.xml.ws.BindingProvider;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
+import org.apache.cxf.binding.soap.SoapBindingConstants;
+import org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor;
+import org.apache.cxf.binding.soap.interceptor.SoapPreProtocolOutInterceptor;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.frontend.ClientProxy;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
 import org.apache.cxf.systest.ws.common.SecurityTestUtil;
 import org.apache.cxf.systest.ws.wssc.server.Server;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.trust.STSClient;
+import org.apache.cxf.ws.security.trust.STSUtils;
 
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -186,8 +196,17 @@ public class WSSCTest extends AbstractBusClientServerTestBase {
     public void testXDESIPingService() throws Exception {
         runTest("_XD-ES_IPingService");
     }
+    
+    
+    @Test
+    public void testACIPingServiceNoAction() throws Exception {
+        runTest(true, "AC_IPingService");
+    }
 
-    private void runTest(String ... argv) throws Exception {
+    void runTest(String ... argv) throws Exception {
+        runTest(false, argv);
+    }
+    void runTest(boolean clearAction, String ... argv) throws Exception {
         for (String portPrefix : argv) {
             final wssec.wssc.IPingService port = 
                 svc.getPort(
@@ -211,6 +230,26 @@ public class WSSCTest extends AbstractBusClientServerTestBase {
                 ((BindingProvider)port).getRequestContext()
                     .put(SecurityConstants.STS_TOKEN_DO_CANCEL, Boolean.TRUE);
             }
+            if (clearAction) {
+                AbstractPhaseInterceptor<Message> clearActionInterceptor
+                    = new AbstractPhaseInterceptor<Message>(Phase.POST_LOGICAL) {
+                        public void handleMessage(Message message) throws Fault {
+                            STSClient client = STSUtils.getClient(message, "sct");
+                            client.getOutInterceptors().add(this);
+                            message.put(SecurityConstants.STS_CLIENT, client);
+                            String s = (String)message.get(SoapBindingConstants.SOAP_ACTION);
+                            if (s == null) {
+                                s = SoapActionInInterceptor.getSoapAction(message);
+                            }
+                            if (s != null && s.contains("RST/SCT")) {
+                                message.put(SoapBindingConstants.SOAP_ACTION, "");
+                            }
+                        }
+                    };
+                clearActionInterceptor.addBefore(SoapPreProtocolOutInterceptor.class.getName());
+                ClientProxy.getClient(port).getOutInterceptors().add(clearActionInterceptor);
+            }
+            
             wssec.wssc.PingRequest params = new wssec.wssc.PingRequest();
             org.xmlsoap.ping.Ping ping = new org.xmlsoap.ping.Ping();
             ping.setOrigin("CXF");
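Review bot: `testACIPingServiceNoAction` only shows that the ping still succeeds; nothing asserts that the SOAPAction was blanked on the RST/SCT request or that the server took the delayed path, so the test would presumably also pass if the `s.contains("RST/SCT")` branch never ran. Setting a flag next to `message.put(SoapBindingConstants.SOAP_ACTION, "")` and asserting it after the call would pin that. Also, `client.getOutInterceptors().add(this)` runs for every message the interceptor handles, so the same instance is appended to the STS client's list repeatedly; guard it with `if (!client.getOutInterceptors().contains(this))`. The enclosing `runTest` loop continues outside the hunk.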

