Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 173BB17419 for ; Wed, 7 Oct 2015 10:04:40 +0000 (UTC) Received: (qmail 57663 invoked by uid 500); 7 Oct 2015 10:04:33 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 57604 invoked by uid 500); 7 Oct 2015 10:04:33 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 57595 invoked by uid 99); 7 Oct 2015 10:04:33 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 07 Oct 2015 10:04:33 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 951DFE0061; Wed, 7 Oct 2015 10:04:33 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: coheigea@apache.org To: commits@cxf.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Minor refactor Date: Wed, 7 Oct 2015 10:04:33 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master bdad3fe6b -> 8bd6dd23e Minor refactor Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8bd6dd23 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8bd6dd23 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8bd6dd23 Branch: refs/heads/master Commit: 8bd6dd23e162946fff6596948129a7cfba6aa753 Parents: bdad3fe Author: Colm O hEigeartaigh Authored: Wed Oct 7 11:04:23 2015 +0100 Committer: Colm O hEigeartaigh Committed: Wed Oct 7 11:04:23 2015 +0100 ---------------------------------------------------------------------- .../cxf/ws/security/policy/PolicyUtils.java | 151 ----------------- .../IssuedTokenInterceptorProvider.java | 3 +- .../KerberosTokenInterceptorProvider.java | 3 +- .../wss4j/PolicyBasedWSS4JInInterceptor.java | 3 +- .../wss4j/policyvalidators/ValidatorUtils.java | 162 +++++++++++++++++++ 5 files changed, 168 insertions(+), 154 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/8bd6dd23/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java index 495a1ef..4c34d50 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java 
@@ -20,44 +20,12 @@ package org.apache.cxf.ws.security.policy; import java.util.Collection; import java.util.Collections; -import java.util.HashMap; import java.util.HashSet; -import java.util.Map; import javax.xml.namespace.QName; -import org.apache.cxf.helpers.CastUtils; -import org.apache.cxf.message.Message; import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; -import org.apache.cxf.ws.security.SecurityConstants; -import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope; -import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType; -import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingTokenPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.KerberosTokenPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.LayoutPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.RequiredElementsPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.RequiredPartsPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.SecuredElementsPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.SecuredPartsPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator; -import 
org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEncryptedTokenPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingEncryptedTokenPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator; -import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator; import org.apache.wss4j.policy.SP11Constants; import org.apache.wss4j.policy.SP12Constants; import org.apache.wss4j.policy.SPConstants; 
@@ -68,117 +36,10 @@ import org.apache.wss4j.policy.model.AbstractBinding; */ public final class PolicyUtils { - // The default security policy validators - private static final Map DEFAULT_SECURITY_POLICY_VALIDATORS = - new HashMap<>(); - - static { - configureTokenValidators(); - configureBindingValidators(); - configureSupportingTokenValidators(); - configurePartsValidators(); - } - private PolicyUtils() { // complete } - private static void configureTokenValidators() { - SecurityPolicyValidator validator = new X509TokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.X509_TOKEN, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.X509_TOKEN, validator); - validator = new UsernameTokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.USERNAME_TOKEN, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.USERNAME_TOKEN, validator); - validator = new SamlTokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SAML_TOKEN, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SAML_TOKEN, validator); - validator = new SecurityContextTokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SECURITY_CONTEXT_TOKEN, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SECURITY_CONTEXT_TOKEN, validator); - validator = new WSS11PolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.WSS11, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.WSS11, validator); - validator = new IssuedTokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ISSUED_TOKEN, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ISSUED_TOKEN, validator); - validator = new KerberosTokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.KERBEROS_TOKEN, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.KERBEROS_TOKEN, validator); - } - - private 
static void configureBindingValidators() { - SecurityPolicyValidator validator = new TransportBindingPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.TRANSPORT_BINDING, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.TRANSPORT_BINDING, validator); - validator = new SymmetricBindingPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SYMMETRIC_BINDING, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SYMMETRIC_BINDING, validator); - validator = new AsymmetricBindingPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ASYMMETRIC_BINDING, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ASYMMETRIC_BINDING, validator); - validator = new AlgorithmSuitePolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ALGORITHM_SUITE, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ALGORITHM_SUITE, validator); - validator = new LayoutPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.LAYOUT, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.LAYOUT, validator); - } - - private static void configureSupportingTokenValidators() { - SecurityPolicyValidator validator = new ConcreteSupportingTokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SUPPORTING_TOKENS, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SUPPORTING_TOKENS, validator); - validator = new SignedTokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_SUPPORTING_TOKENS, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SIGNED_SUPPORTING_TOKENS, validator); - validator = new EndorsingTokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENDORSING_SUPPORTING_TOKENS, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ENDORSING_SUPPORTING_TOKENS, validator); - validator = new 
SignedEndorsingTokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS, validator); - validator = new EncryptedTokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS, validator); - validator = new SignedEncryptedTokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS, validator); - validator = new EndorsingEncryptedTokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS, validator); - validator = new SignedEndorsingEncryptedTokenPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS, validator); - } - - private static void configurePartsValidators() { - SecurityPolicyValidator validator = new SecuredPartsPolicyValidator(); - ((SecuredPartsPolicyValidator)validator).setCoverageType(CoverageType.SIGNED); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_PARTS, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SIGNED_PARTS, validator); - validator = new SecuredPartsPolicyValidator(); - ((SecuredPartsPolicyValidator)validator).setCoverageType(CoverageType.ENCRYPTED); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENCRYPTED_PARTS, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ENCRYPTED_PARTS, validator); - validator = new SecuredElementsPolicyValidator(); - ((SecuredElementsPolicyValidator)validator).setCoverageType(CoverageType.SIGNED); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ELEMENTS, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SIGNED_ELEMENTS, validator); - validator = new SecuredElementsPolicyValidator(); - 
((SecuredElementsPolicyValidator)validator).setCoverageType(CoverageType.ENCRYPTED); - ((SecuredElementsPolicyValidator)validator).setCoverageScope(CoverageScope.ELEMENT); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENCRYPTED_ELEMENTS, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ENCRYPTED_ELEMENTS, validator); - validator = new SecuredElementsPolicyValidator(); - ((SecuredElementsPolicyValidator)validator).setCoverageType(CoverageType.ENCRYPTED); - ((SecuredElementsPolicyValidator)validator).setCoverageScope(CoverageScope.CONTENT); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.CONTENT_ENCRYPTED_ELEMENTS, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.CONTENT_ENCRYPTED_ELEMENTS, validator); - validator = new RequiredPartsPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.REQUIRED_PARTS, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.REQUIRED_PARTS, validator); - validator = new RequiredElementsPolicyValidator(); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.REQUIRED_ELEMENTS, validator); - DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.REQUIRED_ELEMENTS, validator); - } - public static Collection getAllAssertionsByLocalname( AssertionInfoMap aim, String localname ) { 
@@ -269,16 +130,4 @@ public final class PolicyUtils { return null; } - public static Map getSecurityPolicyValidators(Message message) { - Map mapToReturn = new HashMap<>(DEFAULT_SECURITY_POLICY_VALIDATORS); - Map policyMap = - CastUtils.cast((Map)message.getContextualProperty(SecurityConstants.POLICY_VALIDATOR_MAP)); - - // Allow overriding the default policies - if (policyMap != null && !policyMap.isEmpty()) { - mapToReturn.putAll(policyMap); - } - - return mapToReturn; - } } http://git-wip-us.apache.org/repos/asf/cxf/blob/8bd6dd23/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java index f8a4475..73095f9 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java @@ -47,6 +47,7 @@ import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor; import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor; import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters; import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator; +import org.apache.cxf.ws.security.wss4j.policyvalidators.ValidatorUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSSecurityEngineResult; import org.apache.wss4j.dom.handler.WSHandlerConstants; 
@@ -207,7 +208,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro QName qName = issuedAis.iterator().next().getAssertion().getName(); Map validators = - PolicyUtils.getSecurityPolicyValidators(message); + ValidatorUtils.getSecurityPolicyValidators(message); if (validators.containsKey(qName)) { validators.get(qName).validatePolicies(parameters, issuedAis); } http://git-wip-us.apache.org/repos/asf/cxf/blob/8bd6dd23/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java index 7d93cb3..823c4be 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java @@ -53,6 +53,7 @@ import org.apache.cxf.ws.security.wss4j.StaxSecurityContextInInterceptor; import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor; import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters; import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator; +import org.apache.cxf.ws.security.wss4j.policyvalidators.ValidatorUtils; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.handler.WSHandlerConstants; 
@@ -201,7 +202,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP QName qName = ais.iterator().next().getAssertion().getName(); Map validators = - PolicyUtils.getSecurityPolicyValidators(message); + ValidatorUtils.getSecurityPolicyValidators(message); if (validators.containsKey(qName)) { validators.get(qName).validatePolicies(parameters, ais); } http://git-wip-us.apache.org/repos/asf/cxf/blob/8bd6dd23/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java index 5cc1886..b18857f 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java @@ -41,6 +41,7 @@ import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.policy.PolicyUtils; import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters; import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator; +import org.apache.cxf.ws.security.wss4j.policyvalidators.ValidatorUtils; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.crypto.PasswordEncryptor; import org.apache.wss4j.common.ext.WSSecurityException; 
@@ -571,7 +572,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor { parameters.setTimestampElement(timestamp); // Validate security policies - Map validators = PolicyUtils.getSecurityPolicyValidators(msg); + Map validators = ValidatorUtils.getSecurityPolicyValidators(msg); for (Map.Entry> entry : aim.entrySet()) { // Check to see if we have a security policy + if we can validate it if (validators.containsKey(entry.getKey())) { http://git-wip-us.apache.org/repos/asf/cxf/blob/8bd6dd23/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ValidatorUtils.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ValidatorUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ValidatorUtils.java new file mode 100644 index 0000000..f7dc679 --- /dev/null +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ValidatorUtils.java 
@@ -0,0 +1,162 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.ws.security.wss4j.policyvalidators; + +import java.util.HashMap; +import java.util.Map; + +import javax.xml.namespace.QName; + +import org.apache.cxf.helpers.CastUtils; +import org.apache.cxf.message.Message; +import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope; +import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType; +import org.apache.wss4j.policy.SP11Constants; +import org.apache.wss4j.policy.SP12Constants; + +/** + * Configure the Validators + */ +public final class ValidatorUtils { + + // The default security policy validators + private static final Map DEFAULT_SECURITY_POLICY_VALIDATORS = + new HashMap<>(); + + static { + configureTokenValidators(); + configureBindingValidators(); + configureSupportingTokenValidators(); + configurePartsValidators(); + } + + private ValidatorUtils() { + // complete + } + + private static void configureTokenValidators() { + SecurityPolicyValidator validator = new X509TokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.X509_TOKEN, validator); + 
DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.X509_TOKEN, validator); + validator = new UsernameTokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.USERNAME_TOKEN, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.USERNAME_TOKEN, validator); + validator = new SamlTokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SAML_TOKEN, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SAML_TOKEN, validator); + validator = new SecurityContextTokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SECURITY_CONTEXT_TOKEN, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SECURITY_CONTEXT_TOKEN, validator); + validator = new WSS11PolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.WSS11, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.WSS11, validator); + validator = new IssuedTokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ISSUED_TOKEN, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ISSUED_TOKEN, validator); + validator = new KerberosTokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.KERBEROS_TOKEN, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.KERBEROS_TOKEN, validator); + } + + private static void configureBindingValidators() { + SecurityPolicyValidator validator = new TransportBindingPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.TRANSPORT_BINDING, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.TRANSPORT_BINDING, validator); + validator = new SymmetricBindingPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SYMMETRIC_BINDING, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SYMMETRIC_BINDING, validator); + validator = new AsymmetricBindingPolicyValidator(); + 
DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ASYMMETRIC_BINDING, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ASYMMETRIC_BINDING, validator); + validator = new AlgorithmSuitePolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ALGORITHM_SUITE, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ALGORITHM_SUITE, validator); + validator = new LayoutPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.LAYOUT, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.LAYOUT, validator); + } + + private static void configureSupportingTokenValidators() { + SecurityPolicyValidator validator = new ConcreteSupportingTokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SUPPORTING_TOKENS, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SUPPORTING_TOKENS, validator); + validator = new SignedTokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_SUPPORTING_TOKENS, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SIGNED_SUPPORTING_TOKENS, validator); + validator = new EndorsingTokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENDORSING_SUPPORTING_TOKENS, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ENDORSING_SUPPORTING_TOKENS, validator); + validator = new SignedEndorsingTokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS, validator); + validator = new EncryptedTokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS, validator); + validator = new SignedEncryptedTokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS, validator); + validator = new 
EndorsingEncryptedTokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS, validator); + validator = new SignedEndorsingEncryptedTokenPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS, validator); + } + + private static void configurePartsValidators() { + SecurityPolicyValidator validator = new SecuredPartsPolicyValidator(); + ((SecuredPartsPolicyValidator)validator).setCoverageType(CoverageType.SIGNED); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_PARTS, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SIGNED_PARTS, validator); + validator = new SecuredPartsPolicyValidator(); + ((SecuredPartsPolicyValidator)validator).setCoverageType(CoverageType.ENCRYPTED); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENCRYPTED_PARTS, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ENCRYPTED_PARTS, validator); + validator = new SecuredElementsPolicyValidator(); + ((SecuredElementsPolicyValidator)validator).setCoverageType(CoverageType.SIGNED); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ELEMENTS, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SIGNED_ELEMENTS, validator); + validator = new SecuredElementsPolicyValidator(); + ((SecuredElementsPolicyValidator)validator).setCoverageType(CoverageType.ENCRYPTED); + ((SecuredElementsPolicyValidator)validator).setCoverageScope(CoverageScope.ELEMENT); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENCRYPTED_ELEMENTS, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ENCRYPTED_ELEMENTS, validator); + validator = new SecuredElementsPolicyValidator(); + ((SecuredElementsPolicyValidator)validator).setCoverageType(CoverageType.ENCRYPTED); + ((SecuredElementsPolicyValidator)validator).setCoverageScope(CoverageScope.CONTENT); + 
DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.CONTENT_ENCRYPTED_ELEMENTS, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.CONTENT_ENCRYPTED_ELEMENTS, validator); + validator = new RequiredPartsPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.REQUIRED_PARTS, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.REQUIRED_PARTS, validator); + validator = new RequiredElementsPolicyValidator(); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.REQUIRED_ELEMENTS, validator); + DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.REQUIRED_ELEMENTS, validator); + } + + public static Map getSecurityPolicyValidators(Message message) { + Map mapToReturn = new HashMap<>(DEFAULT_SECURITY_POLICY_VALIDATORS); + Map policyMap = + CastUtils.cast((Map)message.getContextualProperty(SecurityConstants.POLICY_VALIDATOR_MAP)); + + // Allow overriding the default policies + if (policyMap != null && !policyMap.isEmpty()) { + mapToReturn.putAll(policyMap); + } + + return mapToReturn; + } +}
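Review bot: `getSecurityPolicyValidators` copies whatever sits under `SecurityConstants.POLICY_VALIDATOR_MAP` straight over the defaults with `putAll`, so a null key or null value in that contextual map is accepted here and only surfaces later as an NPE in the callers' `validators.get(qName).validatePolicies(...)` dispatch (visible in the IssuedToken/Kerberos hunks), with nothing pointing at the override map as the cause. Because this map can replace or effectively disable the validator for any security-policy assertion, malformed entries should be rejected eagerly with a message naming the property, as sketched below. Separately, the validators held in `DEFAULT_SECURITY_POLICY_VALIDATORS` are singletons shared by every message (the per-call `new HashMap<>(...)` copies the entries, not the instances), and the ones set up via `setCoverageType`/`setCoverageScope` are evidently mutable, so wrapping the defaults in `Collections.unmodifiableMap` would guard the map but not the instances; a field comment such as `// Validator instances are shared across all messages; never mutate them after static init` would make that contract explicit. The public method also has no Javadoc; one stating that entries in the override map take precedence over the defaults per assertion QName would help.

```java
    public static Map<QName, SecurityPolicyValidator> getSecurityPolicyValidators(Message message) {
        Map<QName, SecurityPolicyValidator> mapToReturn = new HashMap<>(DEFAULT_SECURITY_POLICY_VALIDATORS);
        Map<QName, SecurityPolicyValidator> policyMap =
            CastUtils.cast((Map<?, ?>)message.getContextualProperty(SecurityConstants.POLICY_VALIDATOR_MAP));

        // Allow overriding the default policies, but reject malformed entries here
        // rather than with a bare NPE inside the callers' validatePolicies(...) dispatch
        if (policyMap != null && !policyMap.isEmpty()) {
            for (Map.Entry<QName, SecurityPolicyValidator> entry : policyMap.entrySet()) {
                if (entry.getKey() == null || entry.getValue() == null) {
                    throw new IllegalArgumentException("Null entry in "
                        + SecurityConstants.POLICY_VALIDATOR_MAP + ": " + entry);
                }
                mapToReturn.put(entry.getKey(), entry.getValue());
            }
        }

        return mapToReturn;
    }
```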