Return-Path: X-Original-To: apmail-ws-commits-archive@minotaur.apache.org Delivered-To: apmail-ws-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 78F21D0EE for ; Thu, 6 Sep 2012 16:23:29 +0000 (UTC) Received: (qmail 99373 invoked by uid 500); 6 Sep 2012 16:23:29 -0000 Delivered-To: apmail-ws-commits-archive@ws.apache.org Received: (qmail 99339 invoked by uid 500); 6 Sep 2012 16:23:29 -0000 Mailing-List: contact commits-help@ws.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ws.apache.org Delivered-To: mailing list commits@ws.apache.org Received: (qmail 99331 invoked by uid 99); 6 Sep 2012 16:23:29 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 06 Sep 2012 16:23:29 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 06 Sep 2012 16:23:25 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id D325D23889E3; Thu, 6 Sep 2012 16:22:41 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1381663 - in /webservices/wss4j/trunk: ws-security-dom/src/main/java/org/apache/ws/security/dom/str/STRParserUtil.java ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java Date: Thu, 06 Sep 2012 16:22:41 -0000 To: commits@ws.apache.org 
From: coheigea@apache.org
X-Mailer: svnmailer-1.0.8-patched
Message-Id: <20120906162241.D325D23889E3@eris.apache.org>
Author: coheigea
Date: Thu Sep 6 16:22:41 2012
New Revision: 1381663
URL: http://svn.apache.org/viewvc?rev=1381663&view=rev
Log: [WSS-360] - Finished remaining Stax BSP rules
Modified:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/str/STRParserUtil.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/str/STRParserUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/str/STRParserUtil.java?rev=1381663&r1=1381662&r2=1381663&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/str/STRParserUtil.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/str/STRParserUtil.java Thu Sep 6 16:22:41 2012
@@ -127,13 +127,10 @@ public final class STRParserUtil { if (secRef.containsReference()) { // Check the ValueType attributes String valueType = secRef.getReference().getValueType();
- if ((valueType == null || "".equals(valueType)) && (token instanceof KerberosSecurity)) {
- bspEnforcer.handleBSPRule(BSPRule.R3059);
- }
-
if (((token instanceof X509Security) && !X509Security.X509_V3_TYPE.equals(valueType)) || ((token instanceof PKIPathSecurity) && !PKIPathSecurity.PKI_TYPE.equals(valueType)) || ((token instanceof KerberosSecurity)
+ && !(valueType == null || "".equals(valueType)) && !WSConstants.WSS_GSS_KRB_V5_AP_REQ.equals(valueType))) { bspEnforcer.handleBSPRule(BSPRule.R3058); }
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java?rev=1381663&r1=1381662&r2=1381663&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/securityToken/SecurityTokenFactoryImpl.java Thu Sep 6 16:22:41 2012
@@ -34,6 +34,7 @@ import org.apache.xml.security.stax.impl import org.apache.xml.security.stax.impl.securityToken.ECKeyValueSecurityToken; import org.apache.xml.security.stax.impl.securityToken.RsaKeyValueSecurityToken; import org.apache.xml.security.stax.impl.securityToken.SecurityTokenFactory;
+import org.opensaml.common.SAMLVersion;
import javax.security.auth.callback.CallbackHandler; import java.util.Deque;
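Review bot: A Kerberos token referenced with no ValueType at all is no longer reported after this hunk: the removed R3059 branch fired for a null or empty valueType, and the new `&& !(valueType == null || "".equals(valueType))` term now exempts exactly that case from R3058, so such a reference passes with no BSP rule raised. If that relaxation is intended (the stax side of this commit lists R3059 among the rules it does not check), it deserves a comment where the deleted lines were, e.g. `// A missing/empty ValueType on a Kerberos reference (R3059) is deliberately not enforced; R3058 only fires for a wrong one`. Once the null test has been made, `valueType.isEmpty()` also reads more directly than `"".equals(valueType)`. The enclosing method starts and ends outside the hunk.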
@@ -94,7 +95,7 @@ public class SecurityTokenFactoryImpl ex if (securityTokenReferenceType.getAny().size() > 1) { ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R3061); }
-
+
//todo BSP.R3027 KeyName? not supported ATM //todo BSP.R3060,BSP.R3025,BSP.R3056 only one Embedded element? Not supported ATM final X509DataType x509DataType
@@ -104,6 +105,11 @@ public class SecurityTokenFactoryImpl ex x509DataType, securityTokenReferenceType.getId(), WSSConstants.WSSKeyIdentifierType.ISSUER_SERIAL); }
+
+ String tokenType =
+ XMLSecurityUtils.getQNameAttribute(
+ securityTokenReferenceType.getOtherAttributes(),
+ WSSConstants.ATT_wsse11_TokenType); final KeyIdentifierType keyIdentifierType = XMLSecurityUtils.getQNameType(securityTokenReferenceType.getAny(), WSSConstants.TAG_wsse_KeyIdentifier);
@@ -123,6 +129,9 @@ public class SecurityTokenFactoryImpl ex } else { ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R3071); }
+ } else if (encodingType != null
+ && (WSSConstants.NS_SAML10_TYPE.equals(valueType) || WSSConstants.NS_SAML20_TYPE.equals(valueType))) {
+ ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R6604); } if (WSSConstants.NS_X509_V3_TYPE.equals(valueType)) {
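Review bot: `tokenType` is the one non-final local in this stretch (`keyIdentifierType` directly below and `x509DataType` above are `final`), and none of the later hunks reassign it, so `final String tokenType =` would match the surrounding style and make clear it is read once here for the KeyIdentifier and Reference checks further down. Because its first use is some forty lines away, a comment such as `// wsse11:TokenType of the STR; compared with the token-profile URIs by the R5215/R6611/R6617 checks below` would help the next reader. Those later checks use `!...equals(tokenType)`, which treats null as a violation; that is right only if `getQNameAttribute` returns null for an absent attribute, which I presume but cannot see here.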
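Review bot: The new R6604 branch treats any non-null `encodingType` as a violation, whereas the SAML checks added later in this commit treat an empty ValueType as absent (`valueType != null && !"".equals(valueType)`), so an STR with `EncodingType=""` is flagged here while `ValueType=""` is tolerated there. If the two attributes are meant to be handled alike, the condition becomes `encodingType != null && !"".equals(encodingType)`; if an empty EncodingType is deliberately rejected, a one-line comment saying so would stop someone from "fixing" it later. The `if` this `else if` attaches to begins outside the hunk, so I cannot see which value types its first branch already consumes.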
@@ -138,6 +147,11 @@ public class SecurityTokenFactoryImpl ex (WSSecurityContext) securityContext, crypto, callbackHandler, binaryContent, securityTokenReferenceType.getId(), WSSConstants.WSSKeyIdentifierType.THUMBPRINT_IDENTIFIER); } else if (WSSConstants.NS_SAML10_TYPE.equals(valueType) || WSSConstants.NS_SAML20_TYPE.equals(valueType)) {
+ if (WSSConstants.NS_SAML20_TYPE.equals(valueType) && !WSSConstants.NS_SAML20_TOKEN_PROFILE_TYPE.equals(tokenType)) {
+ ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R6617);
+ } else if (WSSConstants.NS_SAML10_TYPE.equals(valueType) && !WSSConstants.NS_SAML11_TOKEN_PROFILE_TYPE.equals(tokenType)) {
+ ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R6611);
+ } SecurityTokenProvider securityTokenProvider = securityContext.getSecurityTokenProvider(keyIdentifierType.getValue()); if (securityTokenProvider == null) { throw new WSSecurityException(
@@ -153,7 +167,7 @@ public class SecurityTokenFactoryImpl ex final org.apache.ws.security.binding.wss10.ReferenceType referenceType = XMLSecurityUtils.getQNameType(securityTokenReferenceType.getAny(), WSSConstants.TAG_wsse_Reference); if (referenceType != null) {
- //We do not check for BSP.R3023, BSP.R3022, BSP.R3066, BSP.R3067, BSP.R3024, BSP.R3064, BSP.R3211, BSP.R3058, BSP.R3059
+ //We do not check for BSP.R3023, BSP.R3022, BSP.R3066, BSP.R3067, BSP.R3024, BSP.R3064, BSP.R3211, BSP.R3059 String uri = referenceType.getURI(); if (uri == null) {
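Review bot: The `NS_SAML10_TYPE` / `NS_SAML11_TOKEN_PROFILE_TYPE` pairing on the new `else if` line looks like a typo at first glance — the ValueType constant says 1.0 and the TokenType constant says 1.1 — and the same pairing recurs in the Reference branch added later in this commit, so a comment on this line, e.g. `// the SAML 1.x assertion-ID ValueType pairs with the SAML 1.1 token-profile TokenType (R6611)`, would record that it is intentional. The R6617/R6611 pair is also duplicated between this hunk and that Reference branch; a small private helper, given the "is this SAML 2.0" decision and `tokenType`, would keep both sites in step, and the Reference branch can pass its SAMLVersion test instead of the ValueType test. The enclosing method continues outside the hunk.
```java
// R6617 / R6611: the wsse11:TokenType of an STR that points at a SAML assertion
// must name the matching token-profile type (2.0 → SAML20, 1.x → SAML11).
private static void checkSamlTokenType(WSSecurityContext ctx, boolean saml20, String tokenType) {
    if (saml20 && !WSSConstants.NS_SAML20_TOKEN_PROFILE_TYPE.equals(tokenType)) {
        ctx.handleBSPRule(BSPRule.R6617);
    } else if (!saml20 && !WSSConstants.NS_SAML11_TOKEN_PROFILE_TYPE.equals(tokenType)) {
        ctx.handleBSPRule(BSPRule.R6611);
    }
}

// … unchanged: thumbprint branch …
} else if (WSSConstants.NS_SAML10_TYPE.equals(valueType) || WSSConstants.NS_SAML20_TYPE.equals(valueType)) {
    checkSamlTokenType((WSSecurityContext) securityContext,
        WSSConstants.NS_SAML20_TYPE.equals(valueType), tokenType);
    // … unchanged: securityTokenProvider lookup …
```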
@@ -186,7 +200,41 @@ public class SecurityTokenFactoryImpl ex } if (securityTokenProvider.getSecurityToken() instanceof SecurityTokenReference) { ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R3057);
- }
+ } else if (securityTokenProvider.getSecurityToken() instanceof X509PKIPathv1SecurityToken) {
+ String valueType = referenceType.getValueType();
+ if (!WSSConstants.NS_X509PKIPathv1.equals(valueType)) {
+ ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R3058);
+ }
+ if (!WSSConstants.NS_X509PKIPathv1.equals(tokenType)) {
+ ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R5215);
+ }
+ } else if (securityTokenProvider.getSecurityToken() instanceof X509SecurityToken) {
+ String valueType = referenceType.getValueType();
+ if (!WSSConstants.NS_X509_V3_TYPE.equals(valueType)) {
+ ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R3058);
+ }
+ } else if (securityTokenProvider.getSecurityToken() instanceof UsernameSecurityToken) {
+ String valueType = referenceType.getValueType();
+ if (!WSSConstants.NS_USERNAMETOKEN_PROFILE_UsernameToken.equals(valueType)) {
+ ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R4214);
+ }
+ } else if (securityTokenProvider.getSecurityToken() instanceof SAMLSecurityToken) {
+ SAMLVersion samlVersion =
+ ((SAMLSecurityToken)securityTokenProvider.getSecurityToken()).getSamlVersion();
+ if (samlVersion == SAMLVersion.VERSION_20) {
+ String valueType = referenceType.getValueType();
+ if (valueType != null && !"".equals(valueType)) {
+ ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R6614);
+ }
+ if (!WSSConstants.NS_SAML20_TOKEN_PROFILE_TYPE.equals(tokenType)) {
+ ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R6617);
+ }
+ } else if (samlVersion == SAMLVersion.VERSION_10 && !WSSConstants.NS_SAML11_TOKEN_PROFILE_TYPE.equals(tokenType)) {
+ ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R6611);
+ }
+ }
+
+ return
securityTokenProvider.getSecurityToken(); } throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noKeyinfo");
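Review bot: The SAML branch checks the TokenType only for `SAMLVersion.VERSION_20` and `SAMLVersion.VERSION_10`; SAMLVersion also defines VERSION_11, so a SAML 1.1 assertion — the version the SAML 1.1 token-profile TokenType on that same line is named after — reaches this code with no R6611 check at all, unless SAMLSecurityToken can never report that value. Testing `samlVersion != SAMLVersion.VERSION_20` in the `else if` (or listing both 1.x values) closes the gap; the KeyIdentifier branch earlier in this commit keys on the ValueType rather than the version and is not affected. Separately, `securityTokenProvider.getSecurityToken()` is evaluated six times in the chain and `String valueType = referenceType.getValueType()` is declared in four branches; hoisting both into locals above the chain also guarantees that the instance which passed `instanceof` is the one cast and returned, which matters if the provider does not hand back the same object on every call. The branch order is load-bearing if X509PKIPathv1SecurityToken extends X509SecurityToken, which the hunk does not show, and deserves a comment either way. The enclosing method starts outside the hunk.
```java
// … unchanged: securityTokenProvider lookup / null check …
final SecurityToken token = securityTokenProvider.getSecurityToken(); // type: whatever getSecurityToken() declares
final String valueType = referenceType.getValueType();                 // plain getter assumed
if (token instanceof SecurityTokenReference) {
    ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R3057);
} else if (token instanceof X509PKIPathv1SecurityToken) {   // must precede X509SecurityToken if it is a subtype
    // … unchanged: R3058 / R5215 checks, now against the hoisted valueType …
} else if (token instanceof X509SecurityToken) {
    // … unchanged: R3058 check …
} else if (token instanceof UsernameSecurityToken) {
    // … unchanged: R4214 check …
} else if (token instanceof SAMLSecurityToken) {
    SAMLVersion samlVersion = ((SAMLSecurityToken) token).getSamlVersion();
    if (samlVersion == SAMLVersion.VERSION_20) {
        // … unchanged: R6614 / R6617 checks …
    } else if (!WSSConstants.NS_SAML11_TOKEN_PROFILE_TYPE.equals(tokenType)) {
        // any non-2.0 assertion (1.0 or 1.1) must carry the SAML 1.1 token-profile TokenType (R6611)
        ((WSSecurityContext) securityContext).handleBSPRule(BSPRule.R6611);
    }
}

return token;
```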