Return-Path: Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: (qmail 9748 invoked from network); 6 Apr 2009 20:27:44 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 6 Apr 2009 20:27:44 -0000 Received: (qmail 40063 invoked by uid 500); 6 Apr 2009 20:27:44 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 39976 invoked by uid 500); 6 Apr 2009 20:27:44 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 39967 invoked by uid 99); 6 Apr 2009 20:27:44 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 06 Apr 2009 20:27:44 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 06 Apr 2009 20:27:42 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 1C6F52388B05; Mon, 6 Apr 2009 20:27:21 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r762495 - in /cxf/trunk/rt: transports/http/src/main/java/org/apache/cxf/transport/https/ ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ Date: Mon, 06 Apr 2009 20:27:20 -0000 To: commits@cxf.apache.org 
From: dkulp@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20090406202721.1C6F52388B05@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: dkulp Date: Mon Apr 6 20:27:20 2009 New Revision: 762495 URL: http://svn.apache.org/viewvc?rev=762495&view=rev Log: [CXF-2158] Fix problem of referencing a token via ID instead of wsu:Id Fix validation of trandport binding things that usually won't have sigs If username/tokens are required, but not provided a username, throw exception. Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java?rev=762495&r1=762494&r2=762495&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java (original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java Mon Apr 6 20:27:20 2009
@@ -35,6 +35,7 @@
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.configuration.jsse.TLSClientParameters;
@@ -147,8 +148,6 @@
 throw new IIOException("Error while initializing secure socket", ex);
 }
 }
- } else {
- assert false;
 }
 return connection;
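Review bot: Removing the `else { assert false; }` branch leaves the non-matching case of the enclosing condition (which begins before this hunk) falling straight through to `return connection;` with no signal at all; since assertions are off by default, that path was already silent in production, so nothing changes at runtime. If a connection that is not an `HttpsURLConnection` can legitimately reach this point (presumably a plain-HTTP connection), a short comment on the closing brace would record that, e.g. `// non-TLS connection: nothing to configure`; if it cannot, a log line or `IllegalStateException` would tell an operator more than the assert ever did. The method's start is outside the hunk.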
@@ -187,9 +186,27 @@
 ? SSLContext.getInstance(protocol)
 : SSLContext.getInstance(protocol, provider);
+
+
+ TrustManager[] trustAllCerts = tlsClientParameters.getTrustManagers();
+ /*
+ TrustManager[] trustAllCerts = new TrustManager[] {
+ new javax.net.ssl.X509TrustManager() {
+ public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+ return null;
+ }
+ public void checkClientTrusted(
+ java.security.cert.X509Certificate[] certs, String authType) {
+ }
+ public void checkServerTrusted(
+ java.security.cert.X509Certificate[] certs, String authType) {
+ }
+ }
+ };
+ */
 ctx.init(
- tlsClientParameters.getKeyManagers(),
- tlsClientParameters.getTrustManagers(),
+ tlsClientParameters.getKeyManagers(),
+ trustAllCerts,
 tlsClientParameters.getSecureRandom());
 // The "false" argument means opposite of exclude.
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=762495&r1=762494&r2=762495&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Mon Apr 6 20:27:20 2009
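Review bot: The new local is named `trustAllCerts` but actually holds `tlsClientParameters.getTrustManagers()`, and a commented-out `X509TrustManager` whose `checkServerTrusted` accepts everything is left sitting directly above the `ctx.init` call in the TLS setup path. Behaviour is unchanged by this hunk, but that dead block is one uncomment away from disabling server certificate validation for every client this factory builds, and the misleading name invites exactly that. Delete the `/* ... */` block and the two added blank lines, and rename the local so the code says what it does: `TrustManager[] trustManagers = tlsClientParameters.getTrustManagers();` with `trustManagers,` as the second argument to `ctx.init`.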
@@ -531,6 +531,7 @@
 private boolean assertTransportBinding(AssertionInfoMap aim) {
 assertPolicy(aim, SP12Constants.TRANSPORT_TOKEN);
 assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
+ assertPolicy(aim, SP12Constants.SIGNED_PARTS);
 return !assertPolicy(aim, SP12Constants.TRANSPORT_BINDING);
 }
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=762495&r1=762494&r2=762495&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Mon Apr 6 20:27:20 2009
@@ -594,10 +594,10 @@
 info.setAsserted(true);
 return utBuilder;
 } else {
- info.setNotAsserted("No password available");
+ policyNotAsserted(token, "No username available");
 }
 } else {
- info.setNotAsserted("No username available");
+ policyNotAsserted(token, "No username available");
 }
 return null;
 }
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=762495&r1=762494&r2=762495&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Mon Apr 6 20:27:20 2009
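Review bot: The added `assertPolicy(aim, SP12Constants.SIGNED_PARTS)` marks every SignedParts assertion satisfied under a transport binding without any message-level signature having been checked, and nothing in this hunk ties that to the request actually having arrived over TLS. If the interceptor verifies the secure transport elsewhere this is the right call (integrity comes from the channel), but the reasoning is not recorded and a later reader may "fix" it. A comment above the added line would settle that, e.g. `// Transport binding: integrity comes from TLS, so SignedParts is satisfied without a message-level signature.`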
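Review bot: In the AbstractBindingBuilder hunk the inner `else` branch, reached when a username was found but no password, now reports `"No username available"`, identical to the outer branch; the text it replaced was `"No password available"`, so this reads as a copy-paste slip rather than an intended change. If `policyNotAsserted` now ends in an exception, as the log message suggests, that string is all the caller sees and it will point at the wrong missing credential. Restore the distinction: `policyNotAsserted(token, "No password available");`. The enclosing method starts before this hunk.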
@@ -385,12 +385,21 @@
 return dkSign.getSignatureValue();
 } else {
 WSSecSignature sig = new WSSecSignature();
- sig.setCustomTokenId(secTok.getId());
 if (secTok.getTokenType() == null) {
+ sig.setCustomTokenId(secTok.getId());
 sig.setCustomTokenValueType(WSConstants.WSS_SAML_NS + WSConstants.SAML_ASSERTION_ID);
 sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
 } else {
+ String id = secTok.getWsuId();
+ if (id == null) {
+ sig.setCustomTokenId(secTok.getId());
+ sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
+ } else {
+ sig.setCustomTokenId(secTok.getWsuId());
+ sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+ }
+ sig.setCustomTokenValueType(secTok.getTokenType());
 sig.setCustomTokenValueType(secTok.getTokenType());
 sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
 }
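Review bot: The key identifier type chosen in the new inner `if`/`else` is overwritten two lines later by the surviving context line `sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);`, so the `CUSTOM_SYMM_SIGNING_DIRECT` case for a token without a wsu:Id never takes effect, and `sig.setCustomTokenValueType(secTok.getTokenType())` is now called twice in a row. Delete those two old lines after the added block so the branch decision stands, and use the value already fetched in the else branch: `sig.setCustomTokenId(id);`. The enclosing method continues past the end of the hunk.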