Author: dkulp
Date: Fri Sep 26 10:52:59 2008
New Revision: 699436
URL: http://svn.apache.org/viewvc?rev=699436&view=rev
Log:
Updates to try and get the security headers in the right order.
Modified:
cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/EndpointImpl.java
cxf/trunk/rt/frontend/simple/src/main/java/org/apache/cxf/service/factory/ReflectionServiceFactoryBean.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Modified:
cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/EndpointImpl.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/EndpointImpl.java?rev=699436&r1=699435&r2=699436&view=diff
==============================================================================
---
cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/EndpointImpl.java
(original)
+++
cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/EndpointImpl.java
Fri Sep 26 10:52:59 2008
@@ -182,6 +182,9 @@
@Override
public Map<String, Object> getProperties() {
+ if (server != null) {
+ return server.getEndpoint();
+ }
return properties;
}
Modified:
cxf/trunk/rt/frontend/simple/src/main/java/org/apache/cxf/service/factory/ReflectionServiceFactoryBean.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/simple/src/main/java/org/apache/cxf/service/factory/ReflectionServiceFactoryBean.java?rev=699436&r1=699435&r2=699436&view=diff
==============================================================================
---
cxf/trunk/rt/frontend/simple/src/main/java/org/apache/cxf/service/factory/ReflectionServiceFactoryBean.java
(original)
+++
cxf/trunk/rt/frontend/simple/src/main/java/org/apache/cxf/service/factory/ReflectionServiceFactoryBean.java
Fri Sep 26 10:52:59 2008
@@ -304,8 +304,8 @@
}
protected void buildServiceFromWSDL(String url) {
- if (LOG.isLoggable(Level.FINE)) {
- LOG.fine("Creating Service " + getServiceQName() + " from WSDL: "
+ url);
+ if (LOG.isLoggable(Level.INFO)) {
+ LOG.info("Creating Service " + getServiceQName() + " from WSDL: "
+ url);
}
populateFromClass = false;
WSDLServiceFactory factory = new WSDLServiceFactory(getBus(), url,
getServiceQName());
@@ -325,8 +325,8 @@
}
protected void buildServiceFromClass() {
- if (LOG.isLoggable(Level.FINE)) {
- LOG.fine("Creating Service " + getServiceQName() + " from class "
+ getServiceClass().getName());
+ if (LOG.isLoggable(Level.INFO)) {
+ LOG.info("Creating Service " + getServiceQName() + " from class "
+ getServiceClass().getName());
}
populateFromClass = true;
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java?rev=699436&r1=699435&r2=699436&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
Fri Sep 26 10:52:59 2008
@@ -41,22 +41,32 @@
ASSERTION_TYPES.add(SP11Constants.WSS10);
ASSERTION_TYPES.add(SP11Constants.WSS11);
ASSERTION_TYPES.add(SP11Constants.TRUST_10);
- ASSERTION_TYPES.add(SP11Constants.SIGNED_SUPPORTING_TOKENS);
ASSERTION_TYPES.add(SP11Constants.USERNAME_TOKEN);
ASSERTION_TYPES.add(SP11Constants.TRANSPORT_TOKEN);
ASSERTION_TYPES.add(SP11Constants.SIGNED_PARTS);
ASSERTION_TYPES.add(SP11Constants.ENCRYPTED_PARTS);
+ ASSERTION_TYPES.add(SP11Constants.INSTANCE.getSupportingTokens());
+
ASSERTION_TYPES.add(SP11Constants.INSTANCE.getSignedSupportingTokens());
+
ASSERTION_TYPES.add(SP11Constants.INSTANCE.getEndorsingSupportingTokens());
+
ASSERTION_TYPES.add(SP11Constants.INSTANCE.getSignedEndorsingSupportingTokens());
ASSERTION_TYPES.add(SP12Constants.LAYOUT);
ASSERTION_TYPES.add(SP12Constants.INCLUDE_TIMESTAMP);
ASSERTION_TYPES.add(SP12Constants.ALGORITHM_SUITE);
ASSERTION_TYPES.add(SP12Constants.WSS10);
ASSERTION_TYPES.add(SP12Constants.WSS11);
- ASSERTION_TYPES.add(SP12Constants.SIGNED_SUPPORTING_TOKENS);
ASSERTION_TYPES.add(SP12Constants.USERNAME_TOKEN);
ASSERTION_TYPES.add(SP12Constants.TRANSPORT_TOKEN);
ASSERTION_TYPES.add(SP12Constants.SIGNED_PARTS);
ASSERTION_TYPES.add(SP12Constants.ENCRYPTED_PARTS);
+ ASSERTION_TYPES.add(SP12Constants.INSTANCE.getSupportingTokens());
+
ASSERTION_TYPES.add(SP12Constants.INSTANCE.getSignedSupportingTokens());
+
ASSERTION_TYPES.add(SP12Constants.INSTANCE.getEndorsingSupportingTokens());
+
ASSERTION_TYPES.add(SP12Constants.INSTANCE.getSignedEndorsingSupportingTokens());
+ ASSERTION_TYPES.add(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
+ ASSERTION_TYPES.add(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+
ASSERTION_TYPES.add(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+
ASSERTION_TYPES.add(SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
}
public WSSecurityPolicyInterceptorProvider() {
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java?rev=699436&r1=699435&r2=699436&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
Fri Sep 26 10:52:59 2008
@@ -51,6 +51,7 @@
import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.cxf.ws.security.policy.model.UsernameToken;
+import org.apache.cxf.ws.security.policy.model.Wss11;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandler;
@@ -287,6 +288,9 @@
}
Object s =
message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
Object e =
message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+ if (abinding.getProtectionToken() != null) {
+ s = e;
+ }
if (isRequestor(message)) {
message.put("SignaturePropRefId", "SigRefId");
message.put("SigRefId", getProps(e, message));
@@ -308,7 +312,39 @@
}
return action;
}
-
+ void assertWSS11(AssertionInfoMap aim, SoapMessage message) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ Wss11 wss11 = (Wss11)ai.getAssertion();
+ if (isRequestor(message)) {
+
message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION,
+ wss11.isRequireSignatureConfirmation() ?
"true" : "false");
+ }
+ }
+ }
+ }
+
+ protected PolicyAssertion findAndAssertPolicy(AssertionInfoMap aim, QName
n) {
+ Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
+ if (ais != null && !ais.isEmpty()) {
+ AssertionInfo ai = ais.iterator().next();
+ ai.setAsserted(true);
+ return ai.getAssertion();
+ }
+ return null;
+ }
+ protected String assertSupportingTokens(AssertionInfoMap aim,
+ SoapMessage message,
+ String action,
+ QName n) {
+ SupportingToken sp = (SupportingToken)findAndAssertPolicy(aim, n);
+ if (sp != null) {
+ action = doTokens(sp.getTokens(), action, aim, message);
+ }
+ return action;
+ }
protected void checkPolicies(SoapMessage message, RequestData data) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
@@ -324,16 +360,26 @@
assertPolicy(aim, SP12Constants.TRANSPORT_BINDING);
action = assertAsymetricBinding(aim, action, message);
action = assertSymetricBinding(aim, action, message);
- Collection<AssertionInfo> ais =
aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
- if (ais != null) {
- for (AssertionInfo ai : ais) {
- SupportingToken sp = (SupportingToken)ai.getAssertion();
- action = doTokens(sp.getTokens(), action, aim, message);
- ai.setAsserted(true);
- }
- }
+
+ action = assertSupportingTokens(aim, message,
+ action,
SP12Constants.SIGNED_SUPPORTING_TOKENS);
+ action = assertSupportingTokens(aim, message,
+ action,
SP12Constants.ENDORSING_SUPPORTING_TOKENS);
+ action = assertSupportingTokens(aim, message,
+ action,
SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+ action = assertSupportingTokens(aim, message,
+ action,
SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+ action = assertSupportingTokens(aim, message,
+ action,
SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ action = assertSupportingTokens(aim, message,
+ action,
+
SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ action = assertSupportingTokens(aim, message,
+ action,
SP12Constants.SUPPORTING_TOKENS);
+ action = assertSupportingTokens(aim, message,
+ action,
SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
+ assertWSS11(aim, message);
assertPolicy(aim, SP12Constants.WSS10);
- assertPolicy(aim, SP12Constants.WSS11);
assertPolicy(aim, SP12Constants.TRUST_13);
assertPolicy(aim, SP11Constants.TRUST_10);
message.put(WSHandlerConstants.ACTION, action.trim());
@@ -358,6 +404,15 @@
}
}
}
+ } else {
+ Collection<AssertionInfo> ais2 = aim.get(token.getName());
+ if (ais2 != null && !ais2.isEmpty()) {
+ for (AssertionInfo ai2 : ais2) {
+ if (ai2.getAssertion() == token) {
+ ai2.setAsserted(true);
+ }
+ }
+ }
}
}
return action;
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java?rev=699436&r1=699435&r2=699436&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
Fri Sep 26 10:52:59 2008
@@ -22,8 +22,11 @@
import java.util.Collections;
import java.util.Set;
+import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
+import org.w3c.dom.Element;
+
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
import org.apache.cxf.interceptor.Fault;
@@ -81,8 +84,14 @@
String actor = null;
WSSecHeader secHeader = new WSSecHeader(actor, mustUnderstand);
- secHeader.insertSecurityHeader(saaj.getSOAPPart());
-
+ Element el = secHeader.insertSecurityHeader(saaj.getSOAPPart());
+ try {
+ //move to end
+ saaj.getSOAPHeader().removeChild(el);
+ saaj.getSOAPHeader().appendChild(el);
+ } catch (SOAPException e) {
+ //ignore
+ }
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=699436&r1=699435&r2=699436&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Fri Sep 26 10:52:59 2008
@@ -74,13 +74,13 @@
public void handleBinding() {
WSSecTimestamp timestamp = createTimestamp();
+ handleLayout(timestamp);
if (abinding.getProtectionOrder() ==
SPConstants.ProtectionOrder.EncryptBeforeSigning) {
doEncryptBeforeSign();
} else {
doSignBeforeEncrypt();
}
- handleLayout(timestamp);
}
@@ -96,10 +96,13 @@
}
addSupportingTokens(sigs);
- doSignature(sigs, null);
+ doSignature(sigs);
doEndorse();
} else {
//confirm sig
+ assertSupportingTokens(sigs);
+
+
//Add timestamp
if (timestampEl != null) {
Element el = timestampEl.getElement();
@@ -107,7 +110,7 @@
}
addSignatureConfirmation(sigs);
- doSignature(sigs, null);
+ doSignature(sigs);
}
Vector<WSEncryptionPart> enc = getEncryptedParts();
@@ -181,13 +184,7 @@
&& abinding.getInitiatorToken() != null)
|| (!isRequestor() && abinding.getRecipientToken() != null)) {
try {
- Element appendEl = null;
- if (encryptionToken.isDerivedKeys()) {
- appendEl = ((WSSecDKEncrypt)encrBase).getdktElement();
- } else {
- appendEl =
((WSSecEncrypt)encrBase).getEncryptedKeyElement();
- }
- doSignature(sigParts, appendEl);
+ doSignature(sigParts);
} catch (WSSecurityException e) {
//REVISIT - exception
e.printStackTrace();
@@ -224,10 +221,11 @@
} else {
try {
// Encrypt, get hold of the ref list and add it
- Element secondRefList
- =
((WSSecEncrypt)encrBase).encryptForExternalRef(null, secondEncrParts);
- insertAfter(secondRefList,
secHeader.getSecurityHeader(),
-
((WSSecEncrypt)encrBase).getEncryptedKeyElement());
+ Element secondRefList = saaj.getSOAPPart()
+ .createElementNS(WSConstants.ENC_NS,
+ WSConstants.ENC_PREFIX +
":ReferenceList");
+ this.insertBeforeBottomUp(secondRefList);
+
((WSSecEncrypt)encrBase).encryptForExternalRef(secondRefList, secondEncrParts);
} catch (WSSecurityException e) {
//REVISIT - exception
@@ -300,9 +298,9 @@
dkEncr.setDerivedKeyLength(algorithmSuite.getEncryptionDerivedKeyLength() / 8);
dkEncr.prepare(saaj.getSOAPPart());
- dkEncr.prependDKElementToHeader(secHeader);
+ addDerivedKeyElement(dkEncr.getdktElement());
Element refList = dkEncr.encryptForExternalRef(null,
encrParts);
- dkEncr.addExternalRefElement(refList, secHeader);
+ insertBeforeBottomUp(refList);
return dkEncr;
} catch (Exception e) {
policyNotAsserted(recToken, e);
@@ -322,7 +320,7 @@
getEncryptionCrypto(recToken));
if (encr.getBSTTokenId() != null) {
- encr.appendBSTElementToHeader(secHeader);
+ encr.prependBSTElementToHeader(secHeader);
}
@@ -331,14 +329,14 @@
//Encrypt, get hold of the ref list and add it
if (externalRef) {
Element refList = encr.encryptForExternalRef(null,
encrParts);
- secHeader.getSecurityHeader().appendChild(refList);
+ insertBeforeBottomUp(refList);
} else {
Element refList = encr.encryptForInternalRef(null,
encrParts);
// Add internal refs
encryptedKeyElement.appendChild(refList);
}
- encr.prependToHeader(secHeader);
+ this.addEncyptedKeyElement(encryptedKeyElement);
return encr;
} catch (WSSecurityException e) {
policyNotAsserted(recToken, e.getMessage());
@@ -362,8 +360,7 @@
}
}
}
- private void doSignature(Vector<WSEncryptionPart> sigParts,
- Element appendAfter) throws WSSecurityException {
+ private void doSignature(Vector<WSEncryptionPart> sigParts) throws
WSSecurityException {
Token sigToken = null;
TokenWrapper wrapper = null;
if (isRequestor()) {
@@ -404,9 +401,8 @@
dkSign.computeSignature();
// Add elements to header
- dkSign.appendDKElementToHeader(secHeader);
- dkSign.appendSigToHeader(secHeader);
-
+ addDerivedKeyElement(dkSign.getdktElement());
+ insertBeforeBottomUp(dkSign.getSignatureElement());
mainSigId = addWsuIdToElement(dkSign.getSignatureElement());
} catch (Exception e) {
//REVISIT
@@ -424,14 +420,7 @@
sig.addReferencesToSign(sigParts, secHeader);
sig.computeSignature();
- if (appendAfter != null) {
- insertAfter(sig.getSignatureElement(),
- secHeader.getSecurityHeader(),
- appendAfter);
- } else {
- sig.prependToHeader(secHeader);
- }
-
+ insertBeforeBottomUp(sig.getSignatureElement());
mainSigId = addWsuIdToElement(sig.getSignatureElement());
}
}
@@ -529,7 +518,7 @@
}
// Add the EncryptedKey
- encrKey.prependToHeader(secHeader);
+ this.addEncyptedKeyElement(encrKey.getEncryptedKeyElement());
encryptedKeyValue = encrKey.getEphemeralKey();
encryptedKeyId = encrKey.getId();
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java?rev=699436&r1=699435&r2=699436&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/BindingBuilder.java
Fri Sep 26 10:52:59 2008
@@ -122,6 +122,11 @@
protected Vector<byte[]> signatures = new Vector<byte[]>();
+ Element lastSupportingTokenElement;
+ Element lastEncryptedKeyElement;
+ Element lastDerivedKeyElement;
+ Element bottomUpElement;
+ Element topDownElement;
public BindingBuilder(Binding binding,
SOAPMessage saaj,
@@ -135,14 +140,87 @@
this.message = message;
message.getExchange().put(WSHandlerConstants.SEND_SIGV, signatures);
}
-
+
+ private void insertAfter(Element child, Element sib) {
+ if (sib.getNextSibling() == null) {
+ secHeader.getSecurityHeader().appendChild(child);
+ } else {
+ secHeader.getSecurityHeader().insertBefore(child,
sib.getNextSibling());
+ }
+ }
+ protected void addDerivedKeyElement(Element el) {
+ if (lastDerivedKeyElement != null) {
+ insertAfter(el, lastDerivedKeyElement);
+ } else if (lastEncryptedKeyElement != null) {
+ insertAfter(el, lastEncryptedKeyElement);
+ } else if (topDownElement != null) {
+ insertAfter(el, topDownElement);
+ } else if (secHeader.getSecurityHeader().getFirstChild() != null) {
+ secHeader.getSecurityHeader().insertBefore(el,
secHeader.getSecurityHeader().getFirstChild());
+ } else {
+ secHeader.getSecurityHeader().appendChild(el);
+ }
+ lastEncryptedKeyElement = el;
+ }
+ protected void addEncyptedKeyElement(Element el) {
+ if (lastEncryptedKeyElement != null) {
+ insertAfter(el, lastEncryptedKeyElement);
+ } else if (lastDerivedKeyElement != null) {
+ secHeader.getSecurityHeader().insertBefore(el,
lastDerivedKeyElement);
+ } else if (topDownElement != null) {
+ insertAfter(el, topDownElement);
+ } else if (secHeader.getSecurityHeader().getFirstChild() != null) {
+ secHeader.getSecurityHeader().insertBefore(el,
secHeader.getSecurityHeader().getFirstChild());
+ } else {
+ secHeader.getSecurityHeader().appendChild(el);
+ }
+ lastEncryptedKeyElement = el;
+ }
+ protected void addSupportingElement(Element el) {
+ if (lastSupportingTokenElement != null) {
+ insertAfter(el, lastSupportingTokenElement);
+ } else if (lastDerivedKeyElement != null) {
+ insertAfter(el, lastDerivedKeyElement);
+ } else if (lastEncryptedKeyElement != null) {
+ insertAfter(el, lastEncryptedKeyElement);
+ } else if (topDownElement != null) {
+ insertAfter(el, topDownElement);
+ } else if (bottomUpElement != null) {
+ secHeader.getSecurityHeader().insertBefore(el, bottomUpElement);
+ } else {
+ secHeader.getSecurityHeader().appendChild(el);
+ }
+ lastSupportingTokenElement = el;
+ }
+ protected void insertBeforeBottomUp(Element el) {
+ if (bottomUpElement == null) {
+ secHeader.getSecurityHeader().appendChild(el);
+ } else {
+ secHeader.getSecurityHeader().insertBefore(el, bottomUpElement);
+ }
+ bottomUpElement = el;
+ }
+ protected void addTopDownElement(Element el) {
+ if (topDownElement == null) {
+ if (secHeader.getSecurityHeader().getFirstChild() == null) {
+ secHeader.getSecurityHeader().appendChild(el);
+ } else {
+ secHeader.getSecurityHeader().insertBefore(el, secHeader
+
.getSecurityHeader()
+
.getFirstChild());
+ }
+ } else {
+ insertAfter(el, topDownElement);
+ }
+ topDownElement = el;
+ }
protected boolean isRequestor() {
return Boolean.TRUE.equals(message.containsKey(
org.apache.cxf.message.Message.REQUESTOR_ROLE));
}
protected void policyNotAsserted(PolicyAssertion assertion, Exception
reason) {
- LOG.log(Level.INFO, "Not asserting " + assertion.getName(), reason);
+ LOG.log(Level.INFO, "Not asserting " + assertion.getName() + ": " +
reason);
Collection<AssertionInfo> ais;
ais = aim.get(assertion.getName());
if (ais != null) {
@@ -154,7 +232,7 @@
}
}
protected void policyNotAsserted(PolicyAssertion assertion, String reason)
{
- LOG.log(Level.INFO, "Not asserting " + assertion.getName(), reason);
+ LOG.log(Level.INFO, "Not asserting " + assertion.getName() + ": " +
reason);
Collection<AssertionInfo> ais;
ais = aim.get(assertion.getName());
if (ais != null) {
@@ -193,15 +271,16 @@
}
return null;
}
-
- protected void insertAfter(Element child, Element parent, Element sib) {
- if (sib.getNextSibling() == null) {
- parent.appendChild(child);
- } else {
- parent.insertBefore(child, sib.getNextSibling());
+ protected PolicyAssertion findAndAssertPolicy(QName n) {
+ Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
+ if (ais != null && !ais.isEmpty()) {
+ AssertionInfo ai = ais.iterator().next();
+ ai.setAsserted(true);
+ return ai.getAssertion();
}
- }
-
+ return null;
+ }
+
protected WSSecTimestamp createTimestamp() {
Collection<AssertionInfo> ais;
ais = aim.get(SP12Constants.INCLUDE_TIMESTAMP);
@@ -212,7 +291,6 @@
ai.setAsserted(true);
}
}
- timestampEl.prependToHeader(secHeader);
return timestampEl;
}
@@ -229,24 +307,33 @@
} else {
ai.setAsserted(true);
Element el = timestamp.getElement();
- secHeader.getSecurityHeader().removeChild(el);
secHeader.getSecurityHeader().appendChild(el);
+ if (bottomUpElement == null) {
+ bottomUpElement = el;
+ }
}
} else if (SPConstants.Layout.LaxTimestampFirst ==
layout.getValue()) {
if (timestamp == null) {
ai.setNotAsserted(SPConstants.Layout.LaxTimestampLast
+ " requires a timestamp");
} else {
- Element el = timestamp.getElement();
- secHeader.getSecurityHeader().removeChild(el);
- secHeader.getSecurityHeader().insertBefore(el,
-
secHeader.getSecurityHeader()
-
.getFirstChild());
+ addTopDownElement(timestampEl.getElement());
}
+ } else if (timestampEl != null) {
+ addTopDownElement(timestampEl.getElement());
}
}
+ } else if (timestampEl != null) {
+ addTopDownElement(timestampEl.getElement());
}
return timestamp;
}
+ protected void assertSupportingTokens(PolicyAssertion suppTokens) {
+ if (suppTokens instanceof SupportingToken) {
+ for (Token token : ((SupportingToken)suppTokens).getTokens()) {
+ this.policyAsserted(token);
+ }
+ }
+ }
protected Map<Token, WSSecBase> handleSupportingTokens(SupportingToken
suppTokens) {
Map<Token, WSSecBase> ret = new HashMap<Token, WSSecBase>();
@@ -258,22 +345,23 @@
WSSecUsernameToken utBuilder =
addUsernameToken((UsernameToken)token);
if (utBuilder != null) {
utBuilder.prepare(saaj.getSOAPPart());
- utBuilder.appendToHeader(secHeader);
+ addSupportingElement(utBuilder.getUsernameTokenElement());
ret.put(token, utBuilder);
- encryptedTokensIdList.add(utBuilder.getId());
+ if (suppTokens.isEncryptedToken()) {
+ encryptedTokensIdList.add(utBuilder.getId());
+ }
}
} else if (token instanceof IssuedToken && isRequestor()) {
//ws-trust stuff.......
//REVISIT
policyNotAsserted(token, "Issued token not yet supported");
} else if (token instanceof X509Token) {
-
//We have to use a cert
//Prepare X509 signature
WSSecSignature sig = getSignatureBuider(suppTokens, token);
Element bstElem = sig.getBinarySecurityTokenElement();
if (bstElem != null) {
- sig.appendBSTElementToHeader(secHeader);
+ sig.prependBSTElementToHeader(secHeader);
}
if (suppTokens.isEncryptedToken()) {
encryptedTokensIdList.add(sig.getBSTTokenId());
@@ -286,7 +374,7 @@
}
protected void addSignatureParts(Map<Token, WSSecBase> tokenMap,
-
List<WSEncryptionPart> sigParts) {
+ List<WSEncryptionPart> sigParts) {
for (Map.Entry<Token, WSSecBase> entry : tokenMap.entrySet()) {
@@ -298,8 +386,11 @@
if (tempSig.getBSTTokenId() != null) {
part = new WSEncryptionPart(tempSig.getBSTTokenId());
}
+ } else if (tempTok instanceof WSSecUsernameToken) {
+ WSSecUsernameToken unt = (WSSecUsernameToken)tempTok;
+ part = new WSEncryptionPart(unt.getId());
} else {
- policyNotAsserted(entry.getKey(),
"UnsupportedTokenInSupportingToken");
+ policyNotAsserted(entry.getKey(),
"UnsupportedTokenInSupportingToken: " + tempTok);
}
if (part != null) {
sigParts.add(part);
@@ -836,13 +927,21 @@
}
protected WSSecSignature getSignatureBuider(TokenWrapper wrapper, Token
token) {
WSSecSignature sig = new WSSecSignature();
- checkForX509PkiPath(sig, token);
-
+ checkForX509PkiPath(sig, token);
setKeyIdentifierType(sig, wrapper, token);
- String user =
(String)message.getContextualProperty(SecurityConstants.USERNAME);
+ boolean encryptCrypto = false;
+ String userNameKey = SecurityConstants.USERNAME;
+ String type = "signature";
+ if (binding instanceof SymmetricBinding) {
+ encryptCrypto = ((SymmetricBinding)binding).getProtectionToken()
!= null;
+ userNameKey = SecurityConstants.ENCRYPT_USERNAME;
+ }
+
+
+ String user = (String)message.getContextualProperty(userNameKey);
if (StringUtils.isEmpty(user)) {
- policyNotAsserted(token, "No signature username found.");
+ policyNotAsserted(token, "No " + type + " username found.");
}
String password = getPassword(user, token,
WSPasswordCallback.SIGNATURE);
@@ -856,7 +955,7 @@
try {
sig.prepare(saaj.getSOAPPart(),
- getSignatureCrypto(wrapper),
+ encryptCrypto ? getEncryptionCrypto(wrapper) :
getSignatureCrypto(wrapper),
secHeader);
} catch (WSSecurityException e) {
policyNotAsserted(token, e);
@@ -892,44 +991,55 @@
}
}
}
-
+ protected void assertSupportingTokens(Vector<WSEncryptionPart> sigs) {
+
assertSupportingTokens(findAndAssertPolicy(SP12Constants.SIGNED_SUPPORTING_TOKENS));
+
assertSupportingTokens(findAndAssertPolicy(SP12Constants.ENDORSING_SUPPORTING_TOKENS));
+
assertSupportingTokens(findAndAssertPolicy(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS));
+
assertSupportingTokens(findAndAssertPolicy(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS));
+
assertSupportingTokens(findAndAssertPolicy(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS));
+ assertSupportingTokens(findAndAssertPolicy(SP12Constants
+
.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS));
+
assertSupportingTokens(findAndAssertPolicy(SP12Constants.SUPPORTING_TOKENS));
+
assertSupportingTokens(findAndAssertPolicy(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS));
+ }
protected void addSupportingTokens(Vector<WSEncryptionPart> sigs) {
SupportingToken sgndSuppTokens =
-
(SupportingToken)findPolicy(SP12Constants.SIGNED_SUPPORTING_TOKENS);
+
(SupportingToken)findAndAssertPolicy(SP12Constants.SIGNED_SUPPORTING_TOKENS);
Map<Token, WSSecBase> sigSuppTokMap =
this.handleSupportingTokens(sgndSuppTokens);
SupportingToken endSuppTokens =
-
(SupportingToken)findPolicy(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
+
(SupportingToken)findAndAssertPolicy(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
endSuppTokMap = this.handleSupportingTokens(endSuppTokens);
SupportingToken sgndEndSuppTokens
- =
(SupportingToken)findPolicy(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+ =
(SupportingToken)findAndAssertPolicy(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
sgndEndSuppTokMap = this.handleSupportingTokens(sgndEndSuppTokens);
SupportingToken sgndEncryptedSuppTokens
- =
(SupportingToken)findPolicy(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+ =
(SupportingToken)findAndAssertPolicy(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
Map<Token, WSSecBase> sgndEncSuppTokMap
= this.handleSupportingTokens(sgndEncryptedSuppTokens);
SupportingToken endorsingEncryptedSuppTokens
- =
(SupportingToken)findPolicy(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ =
(SupportingToken)findAndAssertPolicy(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
endEncSuppTokMap
= this.handleSupportingTokens(endorsingEncryptedSuppTokens);
SupportingToken sgndEndEncSuppTokens
- =
(SupportingToken)findPolicy(SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+ = (SupportingToken)findAndAssertPolicy(SP12Constants
+
.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
sgndEndEncSuppTokMap
= this.handleSupportingTokens(sgndEndEncSuppTokens);
SupportingToken supportingToks
- = (SupportingToken)findPolicy(SP12Constants.SUPPORTING_TOKENS);
+ =
(SupportingToken)findAndAssertPolicy(SP12Constants.SUPPORTING_TOKENS);
this.handleSupportingTokens(supportingToks);
SupportingToken encryptedSupportingToks
- =
(SupportingToken)findPolicy(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
+ =
(SupportingToken)findAndAssertPolicy(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
this.handleSupportingTokens(encryptedSupportingToks);
//Setup signature parts
@@ -995,7 +1105,7 @@
byte[] sigVal = (byte[])
wsr.get(WSSecurityEngineResult.TAG_SIGNATURE_VALUE);
wsc.setSignatureValue(sigVal);
wsc.prepare(saaj.getSOAPPart());
- wsc.prependToHeader(secHeader);
+ addSupportingElement(wsc.getSignatureConfirmationElement());
if (sigParts != null) {
sigParts.add(new WSEncryptionPart(wsc.getId()));
}
@@ -1003,7 +1113,7 @@
} else {
//No Sig value
wsc.prepare(saaj.getSOAPPart());
- wsc.prependToHeader(secHeader);
+ addSupportingElement(wsc.getSignatureConfirmationElement());
if (sigParts != null) {
sigParts.add(new WSEncryptionPart(wsc.getId()));
}
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=699436&r1=699435&r2=699436&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Fri Sep 26 10:52:59 2008
@@ -29,7 +29,6 @@
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-import org.w3c.dom.Node;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.util.StringUtils;
@@ -103,6 +102,7 @@
public void handleBinding() {
WSSecTimestamp timestamp = createTimestamp();
+ handleLayout(timestamp);
if (isRequestor()) {
//Setup required tokens
@@ -116,7 +116,6 @@
doSignBeforeEncrypt();
}
- handleLayout(timestamp);
}
@@ -178,9 +177,16 @@
|| (isRequestor()
&&
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
== sigToken.getInclusion())) {
- sigTokElem = appendChildToSecHeader(sigTok.getToken());
+
+ Element el = sigTok.getToken();
+ sigTokElem =
(Element)secHeader.getSecurityHeader().getOwnerDocument()
+ .importNode(el, true);
+ this.addEncyptedKeyElement((Element)sigTokElem);
} else if (isRequestor() && sigToken instanceof X509Token) {
- sigTokElem = appendChildToSecHeader(sigTok.getToken());
+ Element el = sigTok.getToken();
+ sigTokElem =
(Element)secHeader.getSecurityHeader().getOwnerDocument()
+ .importNode(el, true);
+ this.addEncyptedKeyElement((Element)sigTokElem);
}
@@ -193,12 +199,13 @@
if (isRequestor()) {
addSupportingTokens(sigs);
- signatures.add(doSignature(sigs, sigTokenWrapper, sigToken,
sigTok, sigTokElem));
+ signatures.add(doSignature(sigs, sigTokenWrapper, sigToken,
sigTok));
doEndorse();
} else {
//confirm sig
+ assertSupportingTokens(sigs);
addSignatureConfirmation(sigs);
- doSignature(sigs, sigTokenWrapper, sigToken, sigTok, null);
+ doSignature(sigs, sigTokenWrapper, sigToken, sigTok);
}
//REVIST - what to do with these policies?
@@ -276,7 +283,7 @@
dkEncr.setExternalKey(encrTok.getSecret(),
(Element)saaj.getSOAPPart()
.importNode((Element)
encrTok.getUnattachedReference(),
true));
- } else if (!isRequestor() && encrToken.isDerivedKeys()) {
+ } else if (!isRequestor()) {
// If the Encrypted key used to create the derived key
is not
// attached use key identifier as defined in WSS1.1
section
// 7.7 Encrypted Key reference
@@ -300,16 +307,9 @@
dkEncr.prepare(saaj.getSOAPPart());
Element encrDKTokenElem = null;
encrDKTokenElem = dkEncr.getdktElement();
- if (encrElem != null) {
- insertAfter(encrDKTokenElem,
secHeader.getSecurityHeader(), encrElem);
- } else if (timestampEl != null) {
- insertAfter(encrDKTokenElem,
secHeader.getSecurityHeader(), timestampEl.getElement());
- } else {
- dkEncr.prependDKElementToHeader(secHeader);
- }
-
+ addDerivedKeyElement(encrDKTokenElem);
Element refList = dkEncr.encryptForExternalRef(null,
encrParts);
- insertAfter(refList, secHeader.getSecurityHeader(),
encrDKTokenElem);
+ this.addDerivedKeyElement(refList);
return dkEncr;
} catch (Exception e) {
policyNotAsserted(recToken, e);
@@ -340,12 +340,12 @@
getEncryptionCrypto(recToken));
if (encr.getBSTTokenId() != null) {
- encr.appendBSTElementToHeader(secHeader);
+ encr.prependBSTElementToHeader(secHeader);
}
Element refList = encr.encryptForExternalRef(null,
encrParts);
- insertAfter(refList, secHeader.getSecurityHeader(),
encrElem);
+ this.addDerivedKeyElement(refList);
return encr;
} catch (WSSecurityException e) {
@@ -359,8 +359,7 @@
private byte[] doSignatureDK(Vector<WSEncryptionPart> sigs,
TokenWrapper policyTokenWrapper,
Token policyToken,
- SecurityToken tok,
- Element appendAfter) throws WSSecurityException
{
+ SecurityToken tok) throws WSSecurityException {
Document doc = saaj.getSOAPPart();
WSSecDKSign dkSign = new WSSecDKSign();
@@ -429,16 +428,8 @@
//Add elements to header
Element el = dkSign.getdktElement();
- if (appendAfter != null) {
- insertAfter(el,
- secHeader.getSecurityHeader(),
- appendAfter);
- } else {
- dkSign.prependSigToHeader(secHeader);
- }
- insertAfter(dkSign.getSignatureElement(),
- secHeader.getSecurityHeader(),
- el);
+ addDerivedKeyElement(el);
+ insertBeforeBottomUp(dkSign.getSignatureElement());
this.mainSigId = addWsuIdToElement(dkSign.getSignatureElement());
return dkSign.getSignatureValue();
@@ -446,10 +437,9 @@
private byte[] doSignature(Vector<WSEncryptionPart> sigs,
TokenWrapper policyTokenWrapper,
Token policyToken,
- SecurityToken tok,
- Element appendAfter) throws WSSecurityException {
+ SecurityToken tok) throws WSSecurityException {
if (policyToken.isDerivedKeys()) {
- return doSignatureDK(sigs, policyTokenWrapper, policyToken, tok,
appendAfter);
+ return doSignatureDK(sigs, policyTokenWrapper, policyToken, tok);
} else {
WSSecSignature sig = new WSSecSignature();
// If a EncryptedKeyToken is used, set the correct value type to
@@ -495,8 +485,13 @@
sig.setSecretKey(tok.getSecret());
sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getAsymmetricSignature());
sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
- sig.prepare(saaj.getSOAPPart(),
getSignatureCrypto(policyTokenWrapper),
+ if (sbinding.getProtectionToken() != null) {
+ sig.prepare(saaj.getSOAPPart(),
getEncryptionCrypto(sbinding.getProtectionToken()),
secHeader);
+ } else {
+ sig.prepare(saaj.getSOAPPart(),
getSignatureCrypto(policyTokenWrapper),
+ secHeader);
+ }
sig.setParts(sigs);
sig.addReferencesToSign(sigs, secHeader);
@@ -504,15 +499,9 @@
//Do signature
sig.computeSignature();
- if (appendAfter != null) {
- insertAfter(sig.getSignatureElement(),
- secHeader.getSecurityHeader(),
- appendAfter);
- } else {
- sig.appendToHeader(secHeader);
- }
-
- this.mainSigId = addWsuIdToElement(sig.getSignatureElement());
+ Element mainSigElement = sig.getSignatureElement();
+ insertBeforeBottomUp(mainSigElement);
+ mainSigId = addWsuIdToElement(mainSigElement);
return sig.getSignatureValue();
}
}
@@ -544,7 +533,7 @@
//If direct ref is used to refer to the cert
//then add the cert to the sec header now
if (bstTokenId != null && bstTokenId.length() > 0) {
- encrKey.appendBSTElementToHeader(secHeader);
+ encrKey.prependBSTElementToHeader(secHeader);
}
return id;
}
@@ -599,11 +588,5 @@
}
return null;
}
- public Element appendChildToSecHeader(Element elem) {
- Element secHeaderElem = secHeader.getSecurityHeader();
- Node node = secHeaderElem.getOwnerDocument()
- .importNode(elem, true);
- return (Element)secHeaderElem.appendChild(node);
- }
}
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=699436&r1=699435&r2=699436&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Fri Sep 26 10:52:59 2008
@@ -50,6 +50,7 @@
public void handleBinding() {
Collection<AssertionInfo> ais;
WSSecTimestamp timestamp = createTimestamp();
+ handleLayout(timestamp);
ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
if (ais != null) {
@@ -63,8 +64,6 @@
handleSupportingTokens(sgndSuppTokens);
}
}
-
- handleLayout(timestamp);
}
}