Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4881517353 for ; Fri, 20 Mar 2015 16:55:17 +0000 (UTC) Received: (qmail 90169 invoked by uid 500); 20 Mar 2015 16:48:37 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 90008 invoked by uid 500); 20 Mar 2015 16:48:37 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 89949 invoked by uid 99); 20 Mar 2015 16:48:37 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 20 Mar 2015 16:48:37 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 6CEAAE1820; Fri, 20 Mar 2015 16:48:37 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: coheigea@apache.org To: commits@cxf.apache.org Date: Fri, 20 Mar 2015 16:48:39 -0000 Message-Id: In-Reply-To: <81bd51aab6be4d1c8b3d7f2634d2b815@git.apache.org> References: <81bd51aab6be4d1c8b3d7f2634d2b815@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [3/3] cxf git commit: Refactor of policy validators Refactor of policy validators Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9de88cce Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9de88cce Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9de88cce Branch: refs/heads/master Commit: 9de88cce894ca9ea746abf27943635467e23c153 Parents: 3f975fa Author: Colm O hEigeartaigh Authored: Fri Mar 20 16:47:34 2015 +0000 Committer: Colm O hEigeartaigh Committed: Fri Mar 20 16:48:07 2015 +0000 ---------------------------------------------------------------------- .../IssuedTokenInterceptorProvider.java | 104 ++----- .../KerberosTokenInterceptorProvider.java | 64 +--- .../wss4j/PolicyBasedWSS4JInInterceptor.java | 216 ++++++-------- .../AbstractBindingPolicyValidator.java | 2 +- .../AbstractSamlPolicyValidator.java | 2 +- .../AbstractSecurityPolicyValidator.java | 59 ++++ .../AbstractSupportingTokenPolicyValidator.java | 298 +++++++++---------- .../AbstractTokenPolicyValidator.java | 59 ---- .../AlgorithmSuitePolicyValidator.java | 50 ++-- .../AsymmetricBindingPolicyValidator.java | 53 ++-- .../BindingPolicyValidator.java | 46 --- .../ConcreteSupportingTokenPolicyValidator.java | 70 ++--- .../EncryptedTokenPolicyValidator.java | 68 ++--- .../EndorsingEncryptedTokenPolicyValidator.java | 77 ++--- .../EndorsingTokenPolicyValidator.java | 75 ++--- .../IssuedTokenPolicyValidator.java | 159 +++++++--- .../KerberosTokenPolicyValidator.java | 137 ++++++--- .../policyvalidators/LayoutPolicyValidator.java | 49 ++- .../PolicyValidatorParameters.java | 125 ++++++++ .../SamlTokenPolicyValidator.java | 76 ++--- 
.../SecurityContextTokenPolicyValidator.java | 46 ++- .../SecurityPolicyValidator.java | 41 +++ .../SignedEncryptedTokenPolicyValidator.java | 68 ++--- ...dEndorsingEncryptedTokenPolicyValidator.java | 77 ++--- .../SignedEndorsingTokenPolicyValidator.java | 75 ++--- .../SignedTokenPolicyValidator.java | 71 ++--- .../SupportingTokenPolicyValidator.java | 60 ---- .../SymmetricBindingPolicyValidator.java | 53 ++-- .../policyvalidators/TokenPolicyValidator.java | 45 --- .../TransportBindingPolicyValidator.java | 65 ++-- .../UsernameTokenPolicyValidator.java | 58 ++-- .../policyvalidators/WSS11PolicyValidator.java | 46 ++- .../X509TokenPolicyValidator.java | 50 ++-- .../cxf/sts/token/renewer/SAMLTokenRenewer.java | 8 +- 34 files changed, 1257 insertions(+), 1295 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java index 5761f78..867bcae 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java @@ -19,7 +19,6 @@ package org.apache.cxf.ws.security.policy.interceptors; -import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; 
@@ -44,13 +43,12 @@ import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor;
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator;
-import org.apache.wss4j.common.saml.SAMLKeyInfo;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.message.token.BinarySecurity;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
@@ -186,88 +184,26 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
 Message message,
 Collection issuedAis
 ) {
+ PolicyValidatorParameters parameters = new PolicyValidatorParameters();
+ parameters.setAssertionInfoMap(message.get(AssertionInfoMap.class));
+ parameters.setMessage(message);
+ parameters.setResults(rResult.getResults());
+
+ final List actions = new ArrayList<>(1);
+ actions.add(WSConstants.SIGN);
 List signedResults =
- WSSecurityUtil.fetchAllActionResults(rResult.getResults(), WSConstants.SIGN);
+ WSSecurityUtil.fetchAllActionResults(rResult.getResults(), actions);
+ parameters.setSignedResults(signedResults);
- IssuedTokenPolicyValidator issuedValidator =
- new IssuedTokenPolicyValidator(signedResults, message);
-
- for (SamlAssertionWrapper assertionWrapper : findSamlTokenResults(rResult.getResults())) {
- boolean valid = issuedValidator.validatePolicy(issuedAis, assertionWrapper);
- if (valid) {
- SecurityToken token = createSecurityToken(assertionWrapper);
- message.getExchange().put(SecurityConstants.TOKEN, token);
- return;
- }
- }
- for (BinarySecurity binarySecurityToken : findBinarySecurityTokenResults(rResult.getResults())) {
- boolean valid = issuedValidator.validatePolicy(issuedAis, binarySecurityToken);
- if (valid) {
- SecurityToken token = createSecurityToken(binarySecurityToken);
- message.getExchange().put(SecurityConstants.TOKEN, token);
- return;
- }
- }
- }
-
- private List findSamlTokenResults(
- List wsSecEngineResults
- ) {
- List results = new ArrayList();
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.ST_SIGNED
- || actInt.intValue() == WSConstants.ST_UNSIGNED) {
- results.add((SamlAssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION));
- }
- }
- return results;
- }
-
- private List findBinarySecurityTokenResults(
- List wsSecEngineResults
- ) {
- List
results = new ArrayList();
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.BST
- && Boolean.TRUE.equals(wser.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN))) {
- results.add((BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN));
- }
- }
- return results;
- }
-
- private SecurityToken createSecurityToken(
- SamlAssertionWrapper assertionWrapper
- ) {
- SecurityToken token = new SecurityToken(assertionWrapper.getId());
-
- SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
- if (subjectKeyInfo != null) {
- token.setSecret(subjectKeyInfo.getSecret());
- X509Certificate[] certs = subjectKeyInfo.getCerts();
- if (certs != null && certs.length > 0) {
- token.setX509Certificate(certs[0], null);
- }
- }
- if (assertionWrapper.getSaml1() != null) {
- token.setTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
- } else if (assertionWrapper.getSaml2() != null) {
- token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
- }
- token.setToken(assertionWrapper.getElement());
-
- return token;
- }
-
- private SecurityToken createSecurityToken(BinarySecurity binarySecurityToken) {
- SecurityToken token = new SecurityToken(binarySecurityToken.getID());
- token.setToken(binarySecurityToken.getElement());
- token.setSecret(binarySecurityToken.getToken());
- token.setTokenType(binarySecurityToken.getValueType());
-
- return token;
+ final List samlActions = new ArrayList<>(2);
+ samlActions.add(WSConstants.ST_SIGNED);
+ samlActions.add(WSConstants.ST_UNSIGNED);
+ List samlResults =
+ WSSecurityUtil.fetchAllActionResults(rResult.getResults(), samlActions);
+ parameters.setSamlResults(samlResults);
+
+ SecurityPolicyValidator issuedValidator = new IssuedTokenPolicyValidator();
+ issuedValidator.validatePolicies(parameters, issuedAis);
 }
 }
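Review bot: The validated-token filter that the removed findBinarySecurityTokenResults applied (`Boolean.TRUE.equals(wser.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN))`) has no counterpart in the new body, which hands every engine result to the validator through `parameters.setResults(rResult.getResults())` and only pre-filters the SAML results; unless IssuedTokenPolicyValidator, outside this view, re-applies that check, a BinarySecurity token the engine did not validate could now satisfy the IssuedToken assertion. The boolean from `issuedValidator.validatePolicies(parameters, issuedAis)` is also dropped, so the SecurityConstants.TOKEN exchange property that the removed code set must now be populated inside the validator; once that is confirmed, a comment here such as `// the validator records the outcome on the AssertionInfos and stores the SecurityToken on the exchange` would make the contract explicit. The enclosing parseHandlerResults signature begins outside the hunk.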
http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
index 2c14dd3..7c03bb2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
@@ -20,7 +20,6 @@ package org.apache.cxf.ws.security.policy.interceptors;
 import java.security.Key;
-import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
@@ -53,13 +52,11 @@ import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
 import org.apache.cxf.ws.security.wss4j.StaxSecurityContextInInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.KerberosTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
 import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.dom.WSConstants;
-import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.message.token.BinarySecurity;
-import org.apache.wss4j.dom.message.token.KerberosSecurity;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
@@ -175,7 +172,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
 List results = CastUtils.cast((List)message.get(WSHandlerConstants.RECV_RESULTS));
 if (results != null && results.size() > 0) {
- parseHandlerResults(results.get(0), message, aim);
+ parseHandlerResults(results.get(0), message, aim, ais);
 }
 } else {
 //client side should be checked on the way out
@@ -192,41 +189,19 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
 private void parseHandlerResults(
 WSHandlerResult rResult,
 Message message,
- AssertionInfoMap aim
+ AssertionInfoMap aim,
+ Collection ais
 ) {
- List kerberosResults = findKerberosResults(rResult.getResults());
- for (WSSecurityEngineResult wser : kerberosResults) {
- KerberosSecurity kerberosToken =
- (KerberosSecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- KerberosTokenPolicyValidator kerberosValidator =
- new KerberosTokenPolicyValidator(message);
- boolean valid = kerberosValidator.validatePolicy(aim, kerberosToken);
- if (valid) {
- SecurityToken token = createSecurityToken(kerberosToken);
- token.setSecret((byte[])wser.get(WSSecurityEngineResult.TAG_SECRET));
- SecurityUtils.getTokenStore(message).add(token);
- message.getExchange().put(SecurityConstants.TOKEN_ID, token.getId());
- return;
- }
- }
+
+ PolicyValidatorParameters parameters = new PolicyValidatorParameters();
+ parameters.setAssertionInfoMap(message.get(AssertionInfoMap.class));
+ parameters.setMessage(message);
+ parameters.setResults(rResult.getResults());
+
+ SecurityPolicyValidator kerberosValidator = new KerberosTokenPolicyValidator();
+ kerberosValidator.validatePolicies(parameters, ais);
 }
- private List findKerberosResults(
- List wsSecEngineResults
- ) {
- List results = new ArrayList();
- for (WSSecurityEngineResult wser : wsSecEngineResults) {
- Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt.intValue() == WSConstants.BST) {
- BinarySecurity binarySecurity =
- (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- if (binarySecurity instanceof KerberosSecurity) {
- results.add(wser);
- }
- }
- }
- return results;
- }
 }
 static class KerberosTokenStaxInInterceptor extends AbstractPhaseInterceptor {
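Review bot: `aim` remains a parameter of the new parseHandlerResults signature but the body never reads it and instead re-fetches the map with `parameters.setAssertionInfoMap(message.get(AssertionInfoMap.class));`; the caller in the earlier hunk passes the same map, so either use `parameters.setAssertionInfoMap(aim);` or drop the parameter. The boolean from `kerberosValidator.validatePolicies(parameters, ais)` is discarded, and the token-store insertion and `SecurityConstants.TOKEN_ID` exchange property that the removed loop set are presumably now owned by KerberosTokenPolicyValidator, which is outside this view; a one-line comment stating that responsibility would spare the next reader a search. The whole method body is within the hunk.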
@@ -334,17 +309,4 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
 }
 }
- private static SecurityToken createSecurityToken(KerberosSecurity binarySecurityToken) {
- SecurityToken token = new SecurityToken(binarySecurityToken.getID());
- token.setToken(binarySecurityToken.getElement());
- token.setTokenType(binarySecurityToken.getValueType());
- byte[] tokenBytes = binarySecurityToken.getToken();
- try {
- token.setSHA1(Base64.encode(WSSecurityUtil.generateDigest(tokenBytes)));
- } catch (WSSecurityException e) {
- // Just consume this for now as it isn't critical...
- }
- return token;
- }
-
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index d96ecba..8dd7243 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -54,21 +54,20 @@ import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope; import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType; import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.BindingPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingTokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.LayoutPolicyValidator; +import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters; import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator; +import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEncryptedTokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingEncryptedTokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.SupportingTokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.TokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator; import 
org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator; 
@@ -641,16 +640,47 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
 LOG.fine("Incoming request failed signed-encrypted policy validation");
 }
- if (!checkTokenCoverage(aim, msg, soapBody, results, signedResults)) {
+ PolicyValidatorParameters parameters = new PolicyValidatorParameters();
+ parameters.setAssertionInfoMap(aim);
+ parameters.setMessage(msg);
+ parameters.setSoapBody(soapBody);
+ parameters.setResults(results);
+ parameters.setSignedResults(signedResults);
+ parameters.setEncryptedResults(encryptResults);
+ parameters.setUtWithCallbacks(utWithCallbacks);
+
+ final List utActions = new ArrayList<>(2);
+ utActions.add(WSConstants.UT);
+ utActions.add(WSConstants.UT_NOPASSWORD);
+ List utResults =
+ WSSecurityUtil.fetchAllActionResults(results, utActions);
+ parameters.setUsernameTokenResults(utResults);
+
+ final List samlActions = new ArrayList<>(2);
+ samlActions.add(WSConstants.ST_SIGNED);
+ samlActions.add(WSConstants.ST_UNSIGNED);
+ List samlResults =
+ WSSecurityUtil.fetchAllActionResults(results, samlActions);
+ parameters.setSamlResults(samlResults);
+
+ // Store the timestamp element
+ WSSecurityEngineResult tsResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
+ Element timestamp = null;
+ if (tsResult != null) {
+ Timestamp ts = (Timestamp)tsResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
+ timestamp = ts.getElement();
+ }
+ parameters.setTimestampElement(timestamp);
+
+ if (!checkTokenCoverage(parameters)) {
 LOG.fine("Incoming request failed token policy validation");
 }
- if (!checkBindingCoverage(aim, msg, soapBody, results, signedResults, encryptResults)) {
+ if (!checkBindingCoverage(parameters)) {
 LOG.fine("Incoming request failed binding policy validation");
 }
- if (!checkSupportingTokenCoverage(aim, msg, results, signedResults,
- encryptResults, utWithCallbacks)) {
+ if (!checkSupportingTokenCoverage(parameters)) {
 LOG.fine("Incoming request failed supporting token policy validation");
 }
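Review bot: `timestamp = ts.getElement();` dereferences the result of the `(Timestamp)tsResult.get(WSSecurityEngineResult.TAG_TIMESTAMP)` cast without a null check, so a TS engine result that carries no TAG_TIMESTAMP would throw a NullPointerException out of the interceptor instead of leaving `timestamp` null; the code is moved verbatim from the removed checkSupportingTokenCoverage, but it now runs on the main handling path ahead of all three coverage checks. `if (ts != null) { timestamp = ts.getElement(); }` keeps the `parameters.setTimestampElement(timestamp)` contract unchanged. Whether the WSS4J engine can produce such a result is not visible here, so this is cheap hardening rather than a known failure. The enclosing method begins and ends outside the hunk.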
@@ -704,28 +734,31 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
 /**
 * Check the token coverage
 */
- private boolean checkTokenCoverage(
- AssertionInfoMap aim,
- SoapMessage msg,
- Element soapBody,
- List results,
- List signedResults
- ) {
+ private boolean checkTokenCoverage(PolicyValidatorParameters parameters) {
+ boolean check = true;
- TokenPolicyValidator x509Validator = new X509TokenPolicyValidator();
- check &= x509Validator.validatePolicy(aim, msg, soapBody, results, signedResults);
+ AssertionInfoMap aim = parameters.getAssertionInfoMap();
- TokenPolicyValidator utValidator = new UsernameTokenPolicyValidator();
- check &= utValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
+ Collection ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
+ SecurityPolicyValidator x509Validator = new X509TokenPolicyValidator();
+ check &= x509Validator.validatePolicies(parameters, ais);
- TokenPolicyValidator samlValidator = new SamlTokenPolicyValidator();
- check &= samlValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+ SecurityPolicyValidator utValidator = new UsernameTokenPolicyValidator();
+ check &= utValidator.validatePolicies(parameters, ais);
- TokenPolicyValidator sctValidator = new SecurityContextTokenPolicyValidator();
- check &= sctValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+ SecurityPolicyValidator samlValidator = new SamlTokenPolicyValidator();
+ check &= samlValidator.validatePolicies(parameters, ais);
- TokenPolicyValidator wss11Validator = new WSS11PolicyValidator();
- check &= wss11Validator.validatePolicy(aim, msg, soapBody, results, signedResults);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
+ SecurityPolicyValidator
sctValidator = new SecurityContextTokenPolicyValidator();
+ check &= sctValidator.validatePolicies(parameters, ais);
+
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+ SecurityPolicyValidator wss11Validator = new WSS11PolicyValidator();
+ check &= wss11Validator.validatePolicies(parameters, ais);
 return check;
 }
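Review bot: checkTokenCoverage now repeats the same lookup-and-validate sequence five times, and the checkBindingCoverage and checkSupportingTokenCoverage hunks below repeat it a further five and eight times, the last one reassigning `validator` between iterations; a small private helper taking the validator and the SPConstants local name would reduce each method to a list of calls and make it harder to add a validator with the wrong local name. Keep the non-short-circuit `&=` so every validator still runs and records its outcome on its own AssertionInfos, as the current code does. In the binding hunk `LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator();` is the only validator declared by its concrete type while its siblings use the `SecurityPolicyValidator` interface. The Javadoc `Check the token coverage` could also say what `parameters` carries, e.g. `@param parameters the message, engine results and AssertionInfoMap shared by every validator`. Sketch for this method, assuming the SPConstants local names are Strings as the ByLocalname lookup suggests:
```java
private boolean checkTokenCoverage(PolicyValidatorParameters parameters) {
    boolean check = true;
    check &= validate(new X509TokenPolicyValidator(), SPConstants.X509_TOKEN, parameters);
    check &= validate(new UsernameTokenPolicyValidator(), SPConstants.USERNAME_TOKEN, parameters);
    check &= validate(new SamlTokenPolicyValidator(), SPConstants.SAML_TOKEN, parameters);
    check &= validate(new SecurityContextTokenPolicyValidator(), SPConstants.SECURITY_CONTEXT_TOKEN, parameters);
    check &= validate(new WSS11PolicyValidator(), SPConstants.WSS11, parameters);
    return check;
}

// Runs one validator against every assertion in the map that has the given local name.
private static boolean validate(SecurityPolicyValidator validator, String localname,
                                PolicyValidatorParameters parameters) {
    return validator.validatePolicies(
        parameters,
        PolicyUtils.getAllAssertionsByLocalname(parameters.getAssertionInfoMap(), localname));
}
```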
@@ -733,41 +766,31 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
 /**
 * Check the binding coverage
 */
- private boolean checkBindingCoverage(
- AssertionInfoMap aim,
- SoapMessage msg,
- Element soapBody,
- List results,
- List signedResults,
- List encryptedResults
- ) {
+ private boolean checkBindingCoverage(PolicyValidatorParameters parameters) {
 boolean check = true;
+ AssertionInfoMap aim = parameters.getAssertionInfoMap();
- BindingPolicyValidator transportValidator = new TransportBindingPolicyValidator();
- check &=
- transportValidator.validatePolicy(
- aim, msg, soapBody, results, signedResults, encryptedResults
- );
+ Collection ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+ SecurityPolicyValidator transportValidator = new TransportBindingPolicyValidator();
+ check &= transportValidator.validatePolicies(parameters, ais);
- BindingPolicyValidator symmetricValidator = new SymmetricBindingPolicyValidator();
- check &=
- symmetricValidator.validatePolicy(
- aim, msg, soapBody, results, signedResults, encryptedResults
- );
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+ SecurityPolicyValidator symmetricValidator = new SymmetricBindingPolicyValidator();
+ check &= symmetricValidator.validatePolicies(parameters, ais);
- BindingPolicyValidator asymmetricValidator = new AsymmetricBindingPolicyValidator();
- check &=
- asymmetricValidator.validatePolicy(
- aim, msg, soapBody, results, signedResults, encryptedResults
- );
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+ SecurityPolicyValidator asymmetricValidator = new AsymmetricBindingPolicyValidator();
+ check &= asymmetricValidator.validatePolicies(parameters, ais);
 // Check AlgorithmSuite + Layout that might not be tied to a binding
- AlgorithmSuitePolicyValidator algorithmSuiteValidator = new AlgorithmSuitePolicyValidator();
- check &=
-
algorithmSuiteValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
+ SecurityPolicyValidator algorithmSuiteValidator = new AlgorithmSuitePolicyValidator();
+ check &= algorithmSuiteValidator.validatePolicies(parameters, ais);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
 LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator();
- check &= layoutValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
+ check &= layoutValidator.validatePolicies(parameters, ais);
 return check;
 }
@@ -775,83 +798,42 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
 /**
 * Check the supporting token coverage
 */
- private boolean checkSupportingTokenCoverage(
- AssertionInfoMap aim,
- SoapMessage msg,
- List results,
- List signedResults,
- List encryptedResults,
- boolean utWithCallbacks
- ) {
- final List utActions = new ArrayList<>(2);
- utActions.add(WSConstants.UT);
- utActions.add(WSConstants.UT_NOPASSWORD);
- List utResults =
- WSSecurityUtil.fetchAllActionResults(results, utActions);
-
- final List samlActions = new ArrayList<>(2);
- samlActions.add(WSConstants.ST_SIGNED);
- samlActions.add(WSConstants.ST_UNSIGNED);
- List samlResults =
- WSSecurityUtil.fetchAllActionResults(results, samlActions);
-
- // Store the timestamp element
- WSSecurityEngineResult tsResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
- Element timestamp = null;
- if (tsResult != null) {
- Timestamp ts = (Timestamp)tsResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
- timestamp = ts.getElement();
- }
-
+ private boolean checkSupportingTokenCoverage(PolicyValidatorParameters parameters) {
 boolean check = true;
+ AssertionInfoMap aim = parameters.getAssertionInfoMap();
- SupportingTokenPolicyValidator validator = new ConcreteSupportingTokenPolicyValidator();
- validator.setUsernameTokenResults(utResults, utWithCallbacks);
- validator.setSAMLTokenResults(samlResults);
- validator.setTimestampElement(timestamp);
- check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
+ Collection ais =
+ PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
+ SecurityPolicyValidator validator = new ConcreteSupportingTokenPolicyValidator();
+ check &= validator.validatePolicies(parameters, ais);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
 validator = new SignedTokenPolicyValidator();
- validator.setUsernameTokenResults(utResults, utWithCallbacks);
-
validator.setSAMLTokenResults(samlResults);
- validator.setTimestampElement(timestamp);
- check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
-
+ check &= validator.validatePolicies(parameters, ais);
+
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
 validator = new EndorsingTokenPolicyValidator();
- validator.setUsernameTokenResults(utResults, utWithCallbacks);
- validator.setSAMLTokenResults(samlResults);
- validator.setTimestampElement(timestamp);
- check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
-
+ check &= validator.validatePolicies(parameters, ais);
+
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
 validator = new SignedEndorsingTokenPolicyValidator();
- validator.setUsernameTokenResults(utResults, utWithCallbacks);
- validator.setSAMLTokenResults(samlResults);
- validator.setTimestampElement(timestamp);
- check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
-
+ check &= validator.validatePolicies(parameters, ais);
+
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
 validator = new SignedEncryptedTokenPolicyValidator();
- validator.setUsernameTokenResults(utResults, utWithCallbacks);
- validator.setSAMLTokenResults(samlResults);
- validator.setTimestampElement(timestamp);
- check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
-
+ check &= validator.validatePolicies(parameters, ais);
+
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
 validator = new EncryptedTokenPolicyValidator();
- validator.setUsernameTokenResults(utResults, utWithCallbacks);
- validator.setSAMLTokenResults(samlResults);
- validator.setTimestampElement(timestamp);
- check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
-
+
check &= validator.validatePolicies(parameters, ais);
+
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
 validator = new EndorsingEncryptedTokenPolicyValidator();
- validator.setUsernameTokenResults(utResults, utWithCallbacks);
- validator.setSAMLTokenResults(samlResults);
- validator.setTimestampElement(timestamp);
- check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
+ check &= validator.validatePolicies(parameters, ais);
+ ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
 validator = new SignedEndorsingEncryptedTokenPolicyValidator();
- validator.setUsernameTokenResults(utResults, utWithCallbacks);
- validator.setSAMLTokenResults(samlResults);
- validator.setTimestampElement(timestamp);
- check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
+ check &= validator.validatePolicies(parameters, ais);
 return check;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index 5eb7eea..b35a49b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
@@ -58,7 +58,7 @@ import org.apache.wss4j.policy.model.X509Token; /** * Some abstract functionality for validating a security binding. */ -public abstract class AbstractBindingPolicyValidator implements BindingPolicyValidator { +public abstract class AbstractBindingPolicyValidator implements SecurityPolicyValidator { private static final QName SIG_QNAME = new QName(WSConstants.SIG_NS, WSConstants.SIG_LN); http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java index a0a8e9f..993f8e6 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java @@ -30,7 +30,7 @@ import org.apache.wss4j.dom.saml.DOMSAMLUtil; /** * Some abstract functionality for validating SAML Assertions */ -public abstract class AbstractSamlPolicyValidator extends AbstractTokenPolicyValidator { +public abstract class AbstractSamlPolicyValidator extends AbstractSecurityPolicyValidator { /** * Check the holder-of-key requirements against the received assertion. The subject http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSecurityPolicyValidator.java ---------------------------------------------------------------------- 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSecurityPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSecurityPolicyValidator.java
new file mode 100644
index 0000000..2b7d73b
--- /dev/null
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSecurityPolicyValidator.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
+import org.apache.wss4j.policy.model.AbstractToken;
+
+/**
+ * Some abstract functionality for validating policies
+ */
+public abstract class AbstractSecurityPolicyValidator implements SecurityPolicyValidator {
+
+ /**
+ * Check to see if a token is required or not.
+ * @param token the token
+ * @param message The message
+ * @return true if the token is required
+ */
+ protected boolean isTokenRequired(
+ AbstractToken token,
+ Message message
+ ) {
+ IncludeTokenType inclusion = token.getIncludeTokenType();
+ if (inclusion == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
+ return false;
+ } else if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
+ return true;
+ } else {
+ boolean initiator = MessageUtils.isRequestor(message);
+ if (initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR)) {
+ return true;
+ } else if (!initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ONCE
+ || inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT)) {
+ return true;
+ }
+ return false;
+ }
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index e9023eb..93d60c2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
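Review bot: isTokenRequired's trailing `else` branch returns false for every IncludeTokenType value other than the four it names, so a policy whose include type is unrecognised (or null, if getIncludeTokenType can return that — not visible here) is treated as not requiring the token, and that fail-open default is worth stating in the Javadoc, e.g. `@return true if the token is required; any IncludeToken value not matched above (including null) yields false`. The body is the method carried over unchanged from the deleted AbstractTokenPolicyValidator, so no behaviour change is implied by this commit. As a point of style, the `else` after two returning branches could be dropped so the requestor/recipient conditions sit one level shallower.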
@@ -70,100 +70,35 @@ import org.apache.wss4j.policy.model.SupportingTokens; /** * A base class to use to validate various SupportingToken policies. */ -public abstract class AbstractSupportingTokenPolicyValidator - extends AbstractTokenPolicyValidator implements SupportingTokenPolicyValidator { +public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSecurityPolicyValidator { private static final Logger LOG = LogUtils.getL7dLogger(AbstractSupportingTokenPolicyValidator.class); - private Message message; - private List results; - private List signedResults; - private List encryptedResults; - private List utResults; - private List samlResults; - private boolean validateUsernameToken = true; - private Element timestamp; - private boolean signed; - private boolean encrypted; - private boolean derived; - private boolean endorsed; private SignedElements signedElements; private EncryptedElements encryptedElements; private SignedParts signedParts; private EncryptedParts encryptedParts; - - /** - * Set the list of UsernameToken results - */ - public void setUsernameTokenResults( - List utResultsList, - boolean valUsernameToken - ) { - utResults = utResultsList; - validateUsernameToken = valUsernameToken; - } - - /** - * Set the list of SAMLToken results - */ - public void setSAMLTokenResults(List samlResultsList) { - samlResults = samlResultsList; - } - - /** - * Set the Timestamp element - */ - public void setTimestampElement(Element timestampElement) { - timestamp = timestampElement; - } - - public void setMessage(Message msg) { - message = msg; - } - - public void setResults(List results) { - this.results = results; - } - - public void setSignedResults(List signedResults) { - this.signedResults = signedResults; - } - - public void setEncryptedResults(List encryptedResults) { - this.encryptedResults = encryptedResults; - } - - public void setSigned(boolean signed) { - this.signed = signed; - } - - public void setEncrypted(boolean encrypted) { - 
this.encrypted = encrypted; - } - - public void setDerived(boolean derived) { - this.derived = derived; - } - - public void setEndorsed(boolean endorsed) { - this.endorsed = endorsed; - } + protected abstract boolean isSigned(); + protected abstract boolean isEncrypted(); + protected abstract boolean isEndorsing(); + /** * Process UsernameTokens. */ - protected boolean processUsernameTokens() { - if (!validateUsernameToken) { + protected boolean processUsernameTokens(PolicyValidatorParameters parameters, boolean derived) { + if (!parameters.isUtWithCallbacks()) { return true; } List tokenResults = new ArrayList<>(); - tokenResults.addAll(utResults); + tokenResults.addAll(parameters.getUsernameTokenResults()); List dktResults = new ArrayList<>(); - for (WSSecurityEngineResult wser : utResults) { + for (WSSecurityEngineResult wser : parameters.getUsernameTokenResults()) { if (derived) { byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET); - WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret); + WSSecurityEngineResult dktResult = + getMatchingDerivedKey(secret, parameters.getResults()); if (dktResult != null) { dktResults.add(dktResult); } 
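Review bot: The three new abstract hooks `isSigned()`, `isEncrypted()` and `isEndorsing()` carry no Javadoc, and the retained comment `Process UsernameTokens.` on processUsernameTokens no longer describes its two new parameters. A one-line Javadoc on each hook along the lines of `/** @return true if this SupportingToken policy requires the tokens to be signed */` plus `@param parameters the results and message context` and `@param derived whether a DerivedKeyToken result matching each token's secret must also be collected` would make the contract readable from the base class. The early `return true` when `parameters.isUtWithCallbacks()` is false also deserves a sentence, since it reports the policy as satisfied without running the signed/encrypted/endorsing checks; whether that is the intended contract for non-callback UsernameToken processing is not visible in this hunk. processUsernameTokens continues in the next hunk.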
@@ -174,14 +109,22 @@ public abstract class AbstractSupportingTokenPolicyValidator return false; } - if (signed && !areTokensSigned(tokenResults)) { + if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(), + parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } - if (encrypted && !areTokensEncrypted(tokenResults)) { + if (isEncrypted() && !areTokensEncrypted(tokenResults, parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } tokenResults.addAll(dktResults); - if ((endorsed && !checkEndorsed(tokenResults)) || !validateSignedEncryptedPolicies(tokenResults)) { + if ((isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(), + parameters.getMessage(), + parameters.getTimestampElement())) + || !validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(), + parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } 
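Review bot: The four-argument call `areTokensSigned(tokenResults, parameters.getSignedResults(), parameters.getEncryptedResults(), parameters.getMessage())` and its areTokensEncrypted, checkEndorsed and validateSignedEncryptedPolicies siblings are now repeated verbatim in processUsernameTokens here and again in the processSAMLTokens, processKerberosTokens, processX509Tokens, processKeyValueTokens and processSCTokens hunks that follow. Since every value the private helpers take is read from `parameters`, giving them the parameters object instead — e.g. `private boolean areTokensSigned(List tokens, PolicyValidatorParameters parameters)` — would remove the duplication and keep future additions to PolicyValidatorParameters from touching six call sites. The enclosing processUsernameTokens starts in the previous hunk and its final return is outside this one.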
@@ -192,22 +135,30 @@ public abstract class AbstractSupportingTokenPolicyValidator /** * Process SAML Tokens. Only signed results are supported. */ - protected boolean processSAMLTokens() { - if (samlResults.isEmpty()) { + protected boolean processSAMLTokens(PolicyValidatorParameters parameters) { + if (parameters.getSamlResults().isEmpty()) { return false; } - if (signed && !areTokensSigned(samlResults)) { + if (isSigned() && !areTokensSigned(parameters.getSamlResults(), parameters.getSignedResults(), + parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } - if (encrypted && !areTokensEncrypted(samlResults)) { + if (isEncrypted() && !areTokensEncrypted(parameters.getSamlResults(), + parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } - if (endorsed && !checkEndorsed(samlResults)) { + if (isEndorsing() && !checkEndorsed(parameters.getSamlResults(), parameters.getSignedResults(), + parameters.getMessage(), + parameters.getTimestampElement())) { return false; } - if (!validateSignedEncryptedPolicies(samlResults)) { + if (!validateSignedEncryptedPolicies(parameters.getSamlResults(), parameters.getSignedResults(), + parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } @@ -218,10 +169,10 @@ public abstract class AbstractSupportingTokenPolicyValidator /** * Process Kerberos Tokens. */ - protected boolean processKerberosTokens() { + protected boolean processKerberosTokens(PolicyValidatorParameters parameters, boolean derived) { List tokenResults = new ArrayList<>(); List dktResults = new ArrayList<>(); - for (WSSecurityEngineResult wser : results) { + for (WSSecurityEngineResult wser : parameters.getResults()) { Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); if (actInt.intValue() == WSConstants.BST) { BinarySecurity binarySecurity = 
@@ -229,7 +180,8 @@ public abstract class AbstractSupportingTokenPolicyValidator if (binarySecurity instanceof KerberosSecurity) { if (derived) { byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET); - WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret); + WSSecurityEngineResult dktResult = + getMatchingDerivedKey(secret, parameters.getResults()); if (dktResult != null) { dktResults.add(dktResult); } @@ -243,18 +195,25 @@ public abstract class AbstractSupportingTokenPolicyValidator return false; } - if (signed && !areTokensSigned(tokenResults)) { + if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(), + parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } - if (encrypted && !areTokensEncrypted(tokenResults)) { + if (isEncrypted() && !areTokensEncrypted(tokenResults, parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } tokenResults.addAll(dktResults); - if (endorsed && !checkEndorsed(tokenResults)) { + if (isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(), + parameters.getMessage(), + parameters.getTimestampElement())) { return false; } - if (!validateSignedEncryptedPolicies(tokenResults)) { + if (!validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(), + parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } @@ -265,10 +224,10 @@ public abstract class AbstractSupportingTokenPolicyValidator /** * Process X509 Tokens. */ - protected boolean processX509Tokens() { + protected boolean processX509Tokens(PolicyValidatorParameters parameters, boolean derived) { List tokenResults = new ArrayList<>(); List dktResults = new ArrayList<>(); - for (WSSecurityEngineResult wser : results) { + for (WSSecurityEngineResult wser : parameters.getResults()) { Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); if (actInt.intValue() == WSConstants.BST) { BinarySecurity binarySecurity = 
@@ -276,7 +235,8 @@ public abstract class AbstractSupportingTokenPolicyValidator if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) { if (derived) { - WSSecurityEngineResult resultToStore = processX509DerivedTokenResult(wser); + WSSecurityEngineResult resultToStore = + processX509DerivedTokenResult(wser, parameters.getResults()); if (resultToStore != null) { dktResults.add(resultToStore); } @@ -290,18 +250,25 @@ public abstract class AbstractSupportingTokenPolicyValidator return false; } - if (signed && !areTokensSigned(tokenResults)) { + if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(), + parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } - if (encrypted && !areTokensEncrypted(tokenResults)) { + if (isEncrypted() && !areTokensEncrypted(tokenResults, parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } tokenResults.addAll(dktResults); - if (endorsed && !checkEndorsed(tokenResults)) { + if (isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(), + parameters.getMessage(), + parameters.getTimestampElement())) { return false; } - if (!validateSignedEncryptedPolicies(tokenResults)) { + if (!validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(), + parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } @@ -311,9 +278,9 @@ public abstract class AbstractSupportingTokenPolicyValidator /** * Process KeyValue Tokens. */ - protected boolean processKeyValueTokens() { + protected boolean processKeyValueTokens(PolicyValidatorParameters parameters) { List tokenResults = new ArrayList<>(); - for (WSSecurityEngineResult wser : signedResults) { + for (WSSecurityEngineResult wser : parameters.getSignedResults()) { PublicKey publicKey = (PublicKey)wser.get(WSSecurityEngineResult.TAG_PUBLIC_KEY); if (publicKey != null) { 
@@ -325,17 +292,24 @@ public abstract class AbstractSupportingTokenPolicyValidator return false; } - if (signed && !areTokensSigned(tokenResults)) { + if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(), + parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } - if (encrypted && !areTokensEncrypted(tokenResults)) { + if (isEncrypted() && !areTokensEncrypted(tokenResults, parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } - if (endorsed && !checkEndorsed(tokenResults)) { + if (isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(), + parameters.getMessage(), + parameters.getTimestampElement())) { return false; } - if (!validateSignedEncryptedPolicies(tokenResults)) { + if (!validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(), + parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } 
@@ -346,20 +320,24 @@ public abstract class AbstractSupportingTokenPolicyValidator * Validate (SignedParts|SignedElements|EncryptedParts|EncryptedElements) policies of this * SupportingToken. */ - private boolean validateSignedEncryptedPolicies(List tokenResults) { - if (!validateSignedEncryptedParts(signedParts, false, signedResults, tokenResults)) { + private boolean validateSignedEncryptedPolicies(List tokenResults, + List signedResults, + List encryptedResults, + Message message) { + if (!validateSignedEncryptedParts(signedParts, false, signedResults, tokenResults, message)) { return false; } - if (!validateSignedEncryptedParts(encryptedParts, true, encryptedResults, tokenResults)) { + if (!validateSignedEncryptedParts(encryptedParts, true, encryptedResults, tokenResults, message)) { return false; } - if (!validateSignedEncryptedElements(signedElements, false, signedResults, tokenResults)) { + if (!validateSignedEncryptedElements(signedElements, false, signedResults, tokenResults, message)) { return false; } - if (!validateSignedEncryptedElements(encryptedElements, false, encryptedResults, tokenResults)) { + if (!validateSignedEncryptedElements(encryptedElements, false, encryptedResults, tokenResults, + message)) { return false; } 
@@ -370,15 +348,15 @@ public abstract class AbstractSupportingTokenPolicyValidator /** * Process Security Context Tokens. */ - protected boolean processSCTokens() { + protected boolean processSCTokens(PolicyValidatorParameters parameters, boolean derived) { List tokenResults = new ArrayList<>(); List dktResults = new ArrayList<>(); - for (WSSecurityEngineResult wser : results) { + for (WSSecurityEngineResult wser : parameters.getResults()) { Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); if (actInt.intValue() == WSConstants.SCT) { if (derived) { byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET); - WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret); + WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret, parameters.getResults()); if (dktResult != null) { dktResults.add(dktResult); } @@ -391,18 +369,25 @@ public abstract class AbstractSupportingTokenPolicyValidator return false; } - if (signed && !areTokensSigned(tokenResults)) { + if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(), + parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } - if (encrypted && !areTokensEncrypted(tokenResults)) { + if (isEncrypted() && !areTokensEncrypted(tokenResults, parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } tokenResults.addAll(dktResults); - if (endorsed && !checkEndorsed(tokenResults)) { + if (isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(), + parameters.getMessage(), + parameters.getTimestampElement())) { return false; } - if (!validateSignedEncryptedPolicies(tokenResults)) { + if (!validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(), + parameters.getEncryptedResults(), + parameters.getMessage())) { return false; } 
@@ -413,13 +398,14 @@ public abstract class AbstractSupportingTokenPolicyValidator * Find an EncryptedKey element that has a cert that matches the cert of the signature, then * find a DerivedKey element that matches that EncryptedKey element. */ - private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result) { + private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result, + List results) { X509Certificate cert = (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE); - WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert); + WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert, results); if (encrResult != null) { byte[] secret = (byte[])encrResult.get(WSSecurityEngineResult.TAG_SECRET); - WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret); + WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret, results); if (dktResult != null) { return dktResult; } @@ -431,7 +417,8 @@ public abstract class AbstractSupportingTokenPolicyValidator * Get a security result representing a Derived Key that has a secret key that * matches the parameter. */ - private WSSecurityEngineResult getMatchingDerivedKey(byte[] secret) { + private WSSecurityEngineResult getMatchingDerivedKey(byte[] secret, + List results) { for (WSSecurityEngineResult wser : results) { Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); if (actInt.intValue() == WSConstants.DKT) { 
@@ -447,7 +434,8 @@ public abstract class AbstractSupportingTokenPolicyValidator /** * Get a security result representing an EncryptedKey that matches the parameter. */ - private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate cert) { + private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate cert, + List results) { for (WSSecurityEngineResult wser : results) { Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); if (actInt.intValue() == WSConstants.ENCR) { @@ -461,7 +449,7 @@ public abstract class AbstractSupportingTokenPolicyValidator return null; } - private boolean isTLSInUse() { + private boolean isTLSInUse(Message message) { // See whether TLS is in use or not TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class); if (tlsInfo != null) { @@ -475,13 +463,16 @@ public abstract class AbstractSupportingTokenPolicyValidator * check that the Timestamp is signed. Otherwise, check that the signature is signed. * @return true if the endorsed supporting token policy is correct */ - private boolean checkEndorsed(List tokenResults) { + private boolean checkEndorsed(List tokenResults, + List signedResults, + Message message, + Element timestamp) { boolean endorsingSatisfied = false; - if (isTLSInUse()) { - endorsingSatisfied = checkTimestampIsSigned(tokenResults); + if (isTLSInUse(message)) { + endorsingSatisfied = checkTimestampIsSigned(tokenResults, signedResults, timestamp); } if (!endorsingSatisfied) { - endorsingSatisfied = checkSignatureIsSigned(tokenResults); + endorsingSatisfied = checkSignatureIsSigned(tokenResults, signedResults); } return endorsingSatisfied; } 
@@ -490,11 +481,15 @@ public abstract class AbstractSupportingTokenPolicyValidator /** * Return true if a list of tokens were signed, false otherwise. */ - private boolean areTokensSigned(List tokens) { - if (!isTLSInUse()) { + private boolean areTokensSigned(List tokens, + List signedResults, + List encryptedResults, + Message message) { + if (!isTLSInUse(message)) { for (WSSecurityEngineResult wser : tokens) { Element tokenElement = (Element)wser.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT); - if (tokenElement == null || !isTokenSigned(tokenElement)) { + if (tokenElement == null + || !isTokenSigned(tokenElement, signedResults, encryptedResults)) { return false; } } @@ -505,11 +500,13 @@ public abstract class AbstractSupportingTokenPolicyValidator /** * Return true if a list of tokens were encrypted, false otherwise. */ - private boolean areTokensEncrypted(List tokens) { - if (!isTLSInUse()) { + private boolean areTokensEncrypted(List tokens, + List encryptedResults, + Message message) { + if (!isTLSInUse(message)) { for (WSSecurityEngineResult wser : tokens) { Element tokenElement = (Element)wser.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT); - if (tokenElement == null || !isTokenEncrypted(tokenElement)) { + if (tokenElement == null || !isTokenEncrypted(tokenElement, encryptedResults)) { return false; } } @@ -522,7 +519,9 @@ public abstract class AbstractSupportingTokenPolicyValidator * @param tokenResults A list of WSSecurityEngineResults corresponding to tokens * @return true if the Timestamp is signed */ - private boolean checkTimestampIsSigned(List tokenResults) { + private boolean checkTimestampIsSigned(List tokenResults, + List signedResults, + Element timestamp) { for (WSSecurityEngineResult signedResult : signedResults) { List sl = CastUtils.cast((List)signedResult.get( 
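Review bot: areTokensSigned and areTokensEncrypted skip their per-token checks entirely when `isTLSInUse(message)` reports a TLS session, so with transport protection a SupportingToken's Signed or Encrypted requirement is satisfied without any message-level signature or encryption covering the token; that equivalence is the security-relevant decision in these methods and the Javadoc `Return true if a list of tokens were signed, false otherwise.` should state it, e.g. `Return true if every token in the list was signed at the message level, or unconditionally if TLS is in use (transport protection is accepted in place of message-level protection).` The same wording applies to the areTokensEncrypted hunk immediately below. Both methods' closing return is outside the hunk, so the TLS-path result is inferred from the `if (!isTLSInUse(message))` guard rather than visible here.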
@@ -545,7 +544,8 @@ public abstract class AbstractSupportingTokenPolicyValidator * @param tokenResults A list of WSSecurityEngineResults corresponding to tokens * @return true if the Signature is itself signed */ - private boolean checkSignatureIsSigned(List tokenResults) { + private boolean checkSignatureIsSigned(List tokenResults, + List signedResults) { for (WSSecurityEngineResult signedResult : signedResults) { List sl = CastUtils.cast((List)signedResult.get( @@ -636,7 +636,8 @@ public abstract class AbstractSupportingTokenPolicyValidator SignedParts parts, boolean content, List protResults, - List tokenResults + List tokenResults, + Message message ) { if (parts == null) { return true; @@ -716,7 +717,8 @@ public abstract class AbstractSupportingTokenPolicyValidator RequiredElements elements, boolean content, List protResults, - List tokenResults + List tokenResults, + Message message ) { if (elements == null) { return true; @@ -797,13 +799,14 @@ public abstract class AbstractSupportingTokenPolicyValidator /** * Return true if a token was signed, false otherwise. */ - private boolean isTokenSigned(Element token) { + private boolean isTokenSigned(Element token, List signedResults, + List encryptedResults) { for (WSSecurityEngineResult signedResult : signedResults) { List dataRefs = CastUtils.cast((List)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS)); for (WSDataRef dataRef : dataRefs) { if (token == dataRef.getProtectedElement() - || isEncryptedTokenSigned(token, dataRef)) { + || isEncryptedTokenSigned(token, dataRef, encryptedResults)) { return true; } } 
@@ -811,7 +814,8 @@ public abstract class AbstractSupportingTokenPolicyValidator return false; } - private boolean isEncryptedTokenSigned(Element token, WSDataRef signedRef) { + private boolean isEncryptedTokenSigned(Element token, WSDataRef signedRef, + List encryptedResults) { if (signedRef.getProtectedElement() != null && "EncryptedData".equals(signedRef.getProtectedElement().getLocalName()) && WSConstants.ENC_NS.equals(signedRef.getProtectedElement().getNamespaceURI())) { @@ -837,7 +841,7 @@ public abstract class AbstractSupportingTokenPolicyValidator /** * Return true if a token was encrypted, false otherwise. */ - private boolean isTokenEncrypted(Element token) { + private boolean isTokenEncrypted(Element token, List encryptedResults) { for (WSSecurityEngineResult result : encryptedResults) { List dataRefs = CastUtils.cast((List)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS)); @@ -853,18 +857,6 @@ public abstract class AbstractSupportingTokenPolicyValidator return false; } - public void setUtResults(List utResults) { - this.utResults = utResults; - } - - public void setValidateUsernameToken(boolean validateUsernameToken) { - this.validateUsernameToken = validateUsernameToken; - } - - public void setTimestamp(Element timestamp) { - this.timestamp = timestamp; - } - public void setSignedElements(SignedElements signedElements) { this.signedElements = signedElements; } http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java deleted file mode 100644 index ba046d6..0000000 
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
+++ /dev/null
@@ -1,59 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.ws.security.wss4j.policyvalidators;
-
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
-import org.apache.wss4j.policy.model.AbstractToken;
-
-/**
- * Some abstract functionality for validating a Security Token.
- */
-public abstract class AbstractTokenPolicyValidator {
-
- /**
- * Check to see if a token is required or not.
- * @param token the token
- * @param message The message
- * @return true if the token is required
- */
- protected boolean isTokenRequired(
- AbstractToken token,
- Message message
- ) {
- IncludeTokenType inclusion = token.getIncludeTokenType();
- if (inclusion == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
- return false;
- } else if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
- return true;
- } else {
- boolean initiator = MessageUtils.isRequestor(message);
- if (initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR)) {
- return true;
- } else if (!initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ONCE
- || inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT)) {
- return true;
- }
- return false;
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index 8f9ce14..08b1c5a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -29,18 +29,15 @@ import java.util.List; import javax.xml.namespace.QName; -import org.w3c.dom.Element; import org.apache.cxf.helpers.CastUtils; -import org.apache.cxf.message.Message; import org.apache.cxf.ws.policy.AssertionInfo; -import org.apache.cxf.ws.policy.AssertionInfoMap; -import org.apache.cxf.ws.security.policy.PolicyUtils; import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSDataRef; import org.apache.wss4j.dom.WSSecurityEngineResult; import org.apache.wss4j.dom.transform.STRTransform; -import org.apache.wss4j.policy.SPConstants; +import org.apache.wss4j.policy.SP11Constants; +import org.apache.wss4j.policy.SP12Constants; import org.apache.wss4j.policy.model.AlgorithmSuite; import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType; 
@@ -48,39 +45,36 @@ import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
 * Validate results corresponding to the processing of a Signature, EncryptedKey or
 * EncryptedData structure against an AlgorithmSuite policy.
 */
-public class AlgorithmSuitePolicyValidator extends AbstractTokenPolicyValidator {
+public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidator {
- public boolean validatePolicy(
- AssertionInfoMap aim,
- Message message,
- Element soapBody,
- List results,
- List signedResults
- ) {
- Collection ais =
- PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
- if (!ais.isEmpty()) {
- parsePolicies(aim, ais, message, results);
+ /**
+ * Return true if this SecurityPolicyValidator implementation is capable of validating a
+ * policy defined by the AssertionInfo parameter
+ */
+ public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+ if (assertionInfo.getAssertion() != null
+ && (SP12Constants.ALGORITHM_SUITE.equals(assertionInfo.getAssertion().getName())
+ || SP11Constants.ALGORITHM_SUITE.equals(assertionInfo.getAssertion().getName()))) {
+ return true;
 }
-
- return true;
+
+ return false;
 }
- private void parsePolicies(
- AssertionInfoMap aim,
- Collection ais,
- Message message,
- List results
- ) {
+ /**
+ * Validate policies. Return true if all of the policies are valid.
+ */
+ public boolean validatePolicies(PolicyValidatorParameters parameters, Collection ais) {
 for (AssertionInfo ai : ais) {
 AlgorithmSuite algorithmSuite = (AlgorithmSuite)ai.getAssertion();
 ai.setAsserted(true);
- boolean valid = validatePolicy(ai, algorithmSuite, results);
+ boolean valid = validatePolicy(ai, algorithmSuite, parameters.getResults());
 if (valid) {
 String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
 String name = algorithmSuite.getAlgorithmSuiteType().getName();
- Collection algSuiteAis = aim.get(new QName(namespace, name));
+ Collection algSuiteAis =
+ parameters.getAssertionInfoMap().get(new QName(namespace, name));
 if (algSuiteAis != null) {
 for (AssertionInfo algSuiteAi : algSuiteAis) {
 algSuiteAi.setAsserted(true);
@@ -90,6 +84,8 @@ public class AlgorithmSuitePolicyValidator extends AbstractTokenPolicyValidator
 ai.setNotAsserted("Error in validating AlgorithmSuite policy");
 }
 }
+
+ return true;
 }
 public boolean validatePolicy(
http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
index 45e008a..26cd466 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
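Review bot: `validatePolicies` ends with an unconditional `return true;` (hunk @@ -90,6 +84,8 @@) even though its new Javadoc in the preceding hunk says `Return true if all of the policies are valid` and the loop records failures with `ai.setNotAsserted(...)`. Either the comment or the return value should change; the cheapest fix is to track the outcome with `boolean allValid = true;` before the loop, `allValid = false;` beside the `setNotAsserted` call, and `return allValid;` at the end. Any caller that consults the boolean rather than the AssertionInfo state would otherwise treat a rejected AlgorithmSuite as accepted, which quietly weakens the algorithm-suite check; the callers are outside this chunk, so whether one does is inferred. The same unconditional `return true;` is added to AsymmetricBindingPolicyValidator.validatePolicies in hunk @@ -84,20 +75,24 @@. The body of validatePolicies is split across the two hunks and its middle is not shown.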
@@ -25,14 +25,13 @@ import java.util.List;
 import javax.xml.namespace.QName;
-import org.w3c.dom.Element;
-import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
 import org.apache.wss4j.policy.model.AbstractTokenWrapper;
@@ -44,34 +43,26 @@ import org.apache.wss4j.policy.model.X509Token;
 */
 public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValidator {
- public boolean validatePolicy(
- AssertionInfoMap aim,
- Message message,
- Element soapBody,
- List results,
- List signedResults,
- List encryptedResults
- ) {
- Collection ais =
- PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
- if (!ais.isEmpty()) {
- parsePolicies(aim, ais, message, soapBody, results, signedResults, encryptedResults);
+ /**
+ * Return true if this SecurityPolicyValidator implementation is capable of validating a
+ * policy defined by the AssertionInfo parameter
+ */
+ public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+ if (assertionInfo.getAssertion() != null
+ && (SP12Constants.ASYMMETRIC_BINDING.equals(assertionInfo.getAssertion().getName())
+ || SP11Constants.ASYMMETRIC_BINDING.equals(assertionInfo.getAssertion().getName()))) {
+ return true;
 }
- return true;
+ return false;
 }
- private void parsePolicies(
- AssertionInfoMap aim,
- Collection ais,
- Message message,
- Element soapBody,
- List results,
- List signedResults,
- List encryptedResults
- ) {
+ /**
+ * Validate policies. Return true if all of the policies are valid.
+ */
+ public boolean validatePolicies(PolicyValidatorParameters parameters, Collection ais) {
 boolean hasDerivedKeys = false;
- for (WSSecurityEngineResult result : results) {
+ for (WSSecurityEngineResult result : parameters.getResults()) {
 Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
 if (actInt.intValue() == WSConstants.DKT) {
 hasDerivedKeys = true;
@@ -84,20 +75,24 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid
 ai.setAsserted(true);
 // Check the protection order
- if (!checkProtectionOrder(binding, aim, ai, results)) {
+ if (!checkProtectionOrder(binding, parameters.getAssertionInfoMap(), ai, parameters.getResults())) {
 continue;
 }
 // Check various properties of the binding
- if (!checkProperties(binding, ai, aim, results, signedResults, message)) {
+ if (!checkProperties(binding, ai, parameters.getAssertionInfoMap(), parameters.getResults(),
+ parameters.getSignedResults(), parameters.getMessage())) {
 continue;
 }
 // Check various tokens of the binding
- if (!checkTokens(binding, ai, aim, hasDerivedKeys, signedResults, encryptedResults)) {
+ if (!checkTokens(binding, ai, parameters.getAssertionInfoMap(), hasDerivedKeys,
+ parameters.getSignedResults(), parameters.getEncryptedResults())) {
 continue;
 }
 }
+
+ return true;
 }
 /**
http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java
deleted file mode 100644
index a45a27e..0000000
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java
+++ /dev/null
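Review bot: `canValidatePolicy` in hunk @@ -44,34 +43,26 @@ wraps a plain boolean expression in `if (...) { return true; } return false;` and evaluates `assertionInfo.getAssertion()` three times; after caching it in a local `assertion`, `return assertion != null && (SP12Constants.ASYMMETRIC_BINDING.equals(assertion.getName()) || SP11Constants.ASYMMETRIC_BINDING.equals(assertion.getName()));` says the same thing in one statement. The identical shape is added to AlgorithmSuitePolicyValidator.canValidatePolicy, so a shared helper taking the SP11 and SP12 QNames would be the natural home, presumably on the new AbstractSecurityPolicyValidator, which is not in this chunk so I cannot confirm it has one. In hunk @@ -84,20 +75,24 @@ each of the three check calls re-fetches `parameters.getAssertionInfoMap()` and `parameters.getResults()`; one local per value above the loop would remove the line wrapping. The body of validatePolicies is split across the two hunks and the loop header lies between them, outside both.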
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.ws.security.wss4j.policyvalidators;
-
-import java.util.List;
-
-import org.w3c.dom.Element;
-
-import org.apache.cxf.message.Message;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.wss4j.dom.WSSecurityEngineResult;
-
-/**
- * Validate a WS-SecurityPolicy corresponding to a binding.
- */
-public interface BindingPolicyValidator {
-
- /**
- * Validate a particular policy from the AssertionInfoMap argument. Return true if the policy is valid.
- */
- boolean validatePolicy(
- AssertionInfoMap aim,
- Message message,
- Element soapBody,
- List results,
- List signedResults,
- List encryptedResults
- );
-}