Author: dkulp
Date: Wed Mar 17 02:55:57 2010
New Revision: 924117
URL: http://svn.apache.org/viewvc?rev=924117&view=rev
Log:
Optimize the UsernameToken-only case, where there isn't any type of
policy defining a Binding.
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java
- copied, changed from r923895,
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client.xml
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server.xml
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10.wsdl
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy.wsdl
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy_restricted.wsdl
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_restricted.wsdl
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
Wed Mar 17 02:55:57 2010
@@ -19,6 +19,11 @@
package org.apache.cxf.ws.security.policy;
+import java.util.Arrays;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
import org.apache.cxf.Bus;
import org.apache.cxf.common.injection.NoJSR250Annotations;
import org.apache.cxf.ws.policy.AssertionBuilderLoader;
@@ -26,6 +31,7 @@ import org.apache.cxf.ws.policy.Assertio
import org.apache.cxf.ws.policy.PolicyBuilder;
import org.apache.cxf.ws.policy.PolicyInterceptorProviderLoader;
import org.apache.cxf.ws.policy.PolicyInterceptorProviderRegistry;
+import org.apache.cxf.ws.policy.builder.xml.XMLPrimitiveAssertionBuilder;
import org.apache.cxf.ws.security.policy.builders.AlgorithmSuiteBuilder;
import org.apache.cxf.ws.security.policy.builders.AsymmetricBindingBuilder;
import
org.apache.cxf.ws.security.policy.builders.ContentEncryptedElementsBuilder;
@@ -58,6 +64,7 @@ import org.apache.cxf.ws.security.policy
import
org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider;
import
org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider;
import
org.apache.cxf.ws.security.policy.interceptors.SecureConversationTokenInterceptorProvider;
+import
org.apache.cxf.ws.security.policy.interceptors.UsernameTokenInterceptorProvider;
import
org.apache.cxf.ws.security.policy.interceptors.WSSecurityInterceptorProvider;
import
org.apache.cxf.ws.security.policy.interceptors.WSSecurityPolicyInterceptorProvider;
@@ -112,6 +119,33 @@ public final class WSSecurityPolicyLoade
reg.register(new WSS10Builder());
reg.register(new WSS11Builder());
reg.register(new X509TokenBuilder(pbuild));
+
+ //add generic assertions for these known things to prevent warnings
+ List<QName> others = Arrays.asList(new QName[] {
+ SP12Constants.INCLUDE_TIMESTAMP, SP11Constants.INCLUDE_TIMESTAMP,
+ SP12Constants.ENCRYPT_SIGNATURE, SP11Constants.ENCRYPT_SIGNATURE,
+ SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY,
+ new QName(SP11Constants.SP_NS,
SP11Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY),
+ SP12Constants.WSS_X509_V1_TOKEN_10,
+ SP12Constants.WSS_X509_V1_TOKEN_11,
+ SP12Constants.WSS_X509_V3_TOKEN_10,
+ SP12Constants.WSS_X509_V3_TOKEN_11,
+ SP11Constants.WSS_X509_V1_TOKEN_10,
+ SP11Constants.WSS_X509_V1_TOKEN_11,
+ SP11Constants.WSS_X509_V3_TOKEN_10,
+ SP11Constants.WSS_X509_V3_TOKEN_11,
+ SP12Constants.WSS_X509_PKCS7_TOKEN_11,
+ SP12Constants.WSS_X509_PKI_PATH_V1_TOKEN_11,
+ SP11Constants.WSS_X509_PKCS7_TOKEN_11,
+ SP11Constants.WSS_X509_PKI_PATH_V1_TOKEN_11,
+ SP12Constants.REQUIRE_THUMBPRINT_REFERENCE,
+ SP11Constants.REQUIRE_THUMBPRINT_REFERENCE,
+ SP12Constants.REQUIRE_DERIVED_KEYS,
+ SP11Constants.REQUIRE_DERIVED_KEYS,
+ new QName(SP12Constants.SP_NS,
SP12Constants.ENCRYPT_BEFORE_SIGNING),
+ new QName(SP11Constants.SP_NS,
SP11Constants.ENCRYPT_BEFORE_SIGNING),
+ });
+ reg.register(new XMLPrimitiveAssertionBuilder(others));
}
public void registerProviders() {
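Review bot: The comment at L75 says these assertions are registered "to prevent warnings" but not what that means for enforcement: once XMLPrimitiveAssertionBuilder parses them they are accepted as ordinary primitive assertions, so a reader has to look elsewhere to learn which interceptor actually honours e.g. REQUIRE_DERIVED_KEYS or ENCRYPT_BEFORE_SIGNING. A fuller comment such as `// register known SP1.1/SP1.2 primitives as generic assertions so the policy engine parses them without warnings; whether each one is enforced is up to the WSS4J policy interceptors, not this builder` would make that explicit. The two ENCRYPT_BEFORE_SIGNING entries (L98-101) and the SP11 ONLY_SIGN_ENTIRE_HEADERS_AND_BODY entry (L80-81) are built with `new QName(...)` while their neighbours are QName constants, which suggests those names are Strings in the SPxxConstants classes — worth confirming that is intentional rather than a missed constant. The enclosing method starts outside the hunk.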
@@ -124,6 +158,7 @@ public final class WSSecurityPolicyLoade
reg.register(new WSSecurityInterceptorProvider());
reg.register(new HttpsTokenInterceptorProvider());
reg.register(new IssuedTokenInterceptorProvider());
+ reg.register(new UsernameTokenInterceptorProvider());
reg.register(new SecureConversationTokenInterceptorProvider());
}
Copied:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java
(from r923895,
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java)
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java?p2=cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java&p1=cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java&r1=923895&r2=924117&rev=924117&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java
Wed Mar 17 02:55:57 2010
@@ -26,29 +26,23 @@ import javax.xml.namespace.QName;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
-import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
+import org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor;
/**
*
*/
-public class WSSecurityInterceptorProvider extends
AbstractPolicyInterceptorProvider {
+public class UsernameTokenInterceptorProvider extends
AbstractPolicyInterceptorProvider {
private static final Collection<QName> ASSERTION_TYPES;
static {
ASSERTION_TYPES = new ArrayList<QName>();
- ASSERTION_TYPES.add(SP12Constants.TRANSPORT_BINDING);
- ASSERTION_TYPES.add(SP12Constants.ASYMMETRIC_BINDING);
- ASSERTION_TYPES.add(SP12Constants.SYMMETRIC_BINDING);
-
ASSERTION_TYPES.add(SP12Constants.USERNAME_TOKEN);
}
- public WSSecurityInterceptorProvider() {
+ public UsernameTokenInterceptorProvider() {
super(ASSERTION_TYPES);
- this.getOutInterceptors().add(new PolicyBasedWSS4JOutInterceptor());
- this.getOutFaultInterceptors().add(new
PolicyBasedWSS4JOutInterceptor());
- this.getInInterceptors().add(new PolicyBasedWSS4JInInterceptor());
- this.getInFaultInterceptors().add(new PolicyBasedWSS4JInInterceptor());
+ this.getOutInterceptors().add(new UsernameTokenInterceptor());
+ this.getInInterceptors().add(new UsernameTokenInterceptor());
+ //not needed on fault chains
}
}
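Review bot: The class-level Javadoc at L132-134 is empty, and for a provider copied from WSSecurityInterceptorProvider the difference is exactly what a reader needs: this one claims only SP12Constants.USERNAME_TOKEN and wires UsernameTokenInterceptor on the in and out chains, with the L158 comment saying fault chains are skipped. Suggest `/** Policy interceptor provider for the UsernameToken-only case (no Transport/Asymmetric/Symmetric binding); installs UsernameTokenInterceptor on the in and out chains only. */`. Extending the L158 comment with why fault chains need no assertion (presumably because no UsernameToken is expected or added on faults) would keep a later maintainer from re-adding them.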
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
Wed Mar 17 02:55:57 2010
@@ -40,8 +40,6 @@ public class WSSecurityInterceptorProvid
ASSERTION_TYPES.add(SP12Constants.TRANSPORT_BINDING);
ASSERTION_TYPES.add(SP12Constants.ASYMMETRIC_BINDING);
ASSERTION_TYPES.add(SP12Constants.SYMMETRIC_BINDING);
-
- ASSERTION_TYPES.add(SP12Constants.USERNAME_TOKEN);
}
public WSSecurityInterceptorProvider() {
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
Wed Mar 17 02:55:57 2010
@@ -46,6 +46,8 @@ import org.apache.cxf.ws.security.wss4j.
import org.apache.ws.security.message.WSSecHeader;
public class PolicyBasedWSS4JOutInterceptor extends
AbstractPhaseInterceptor<SoapMessage> {
+ public static final String SECURITY_PROCESSED =
PolicyBasedWSS4JOutInterceptor.class.getName() + ".DONE";
+
private PolicyBasedWSS4JOutInterceptorInternal ending;
private SAAJOutInterceptor saajOut = new SAAJOutInterceptor();
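Review bot: SECURITY_PROCESSED becomes a public constant at L195-196 (and WSS4JInInterceptor's at L602-603 goes from private to public) without Javadoc, yet it is now a cross-class contract: UsernameTokenInterceptor calls `message.containsKey(...)` on it to decide whether to add or process a token itself. Suggest `/** Message property set to Boolean.TRUE once this interceptor has handled security for the message; other interceptors (e.g. UsernameTokenInterceptor) check it to avoid processing the same message twice. */` on both constants. Note the value is put at L204 only on the handleMessage path, so a message that enters via handleFault will not carry it — presumably intended, since UsernameTokenInterceptorProvider does not install on fault chains, but worth stating in the Javadoc.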
@@ -60,6 +62,7 @@ public class PolicyBasedWSS4JOutIntercep
if (mc.getContent(SOAPMessage.class) == null) {
saajOut.handleMessage(mc);
}
+ mc.put(SECURITY_PROCESSED, Boolean.TRUE);
mc.getInterceptorChain().add(ending);
}
public void handleFault(SoapMessage message) {
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java?rev=924117&view=auto
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
(added)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
Wed Mar 17 02:55:57 2010
@@ -0,0 +1,341 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j;
+
+import java.security.Principal;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.Vector;
+import java.util.logging.Logger;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.binding.soap.SoapHeader;
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.common.i18n.Message;
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.headers.Header;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.policy.PolicyException;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.UsernameToken;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.WSUsernameTokenPrincipal;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.ws.security.processor.UsernameTokenProcessor;
+
+/**
+ *
+ */
+public class UsernameTokenInterceptor extends AbstractSoapInterceptor {
+ private static final Logger LOG =
LogUtils.getL7dLogger(UsernameTokenInterceptor.class);
+ private static final Set<QName> HEADERS = new HashSet<QName>();
+ static {
+ HEADERS.add(new QName(WSConstants.WSSE_NS, "Security"));
+ HEADERS.add(new QName(WSConstants.WSSE11_NS, "Security"));
+ }
+
+
+ /**
+ * @param p
+ */
+ public UsernameTokenInterceptor() {
+ super(Phase.PRE_PROTOCOL);
+ addAfter(PolicyBasedWSS4JInInterceptor.class.getName());
+ addAfter(PolicyBasedWSS4JOutInterceptor.class.getName());
+ }
+ public Set<QName> getUnderstoodHeaders() {
+ return HEADERS;
+ }
+
+
+ public void handleMessage(SoapMessage message) throws Fault {
+
+ boolean isReq = MessageUtils.isRequestor(message);
+ boolean isOut = MessageUtils.isOutbound(message);
+ if (isReq != isOut) {
+ //outbound on server side and inbound on client side doesn't need
+ //any username token stuff, assert policies and return
+ assertUsernameTokens(message, null);
+ return;
+ }
+ if (isReq) {
+ if
(message.containsKey(PolicyBasedWSS4JOutInterceptor.SECURITY_PROCESSED)) {
+ //The full policy interceptors handled this
+ return;
+ }
+ addUsernameToken(message);
+ } else {
+ if (message.containsKey(WSS4JInInterceptor.SECURITY_PROCESSED)) {
+ //The full policy interceptors handled this
+ return;
+ }
+ processUsernameToken(message);
+ }
+ }
+
+
+ private void processUsernameToken(SoapMessage message) {
+ Header h = findSecurityHeader(message, false);
+ if (h == null) {
+ return;
+ }
+ Element el = (Element)h.getObject();
+ Element child = DOMUtils.getFirstElement(el);
+ while (child != null) {
+ if (SPConstants.USERNAME_TOKEN.equals(child.getLocalName())) {
+ UsernameTokenProcessor p = new UsernameTokenProcessor();
+
+ try {
+ final WSUsernameTokenPrincipal princ =
p.handleUsernameToken(child,
+
getCallback(message));
+ if (princ != null) {
+ Vector<WSSecurityEngineResult>v = new
Vector<WSSecurityEngineResult>();
+ v.add(0, new WSSecurityEngineResult(WSConstants.UT,
princ, null, null, null));
+ List<Object> results = CastUtils.cast((List)message
+
.get(WSHandlerConstants.RECV_RESULTS));
+ if (results == null) {
+ results = new Vector<Object>();
+ message.put(WSHandlerConstants.RECV_RESULTS,
results);
+ }
+ WSHandlerResult rResult = new WSHandlerResult(null, v);
+ results.add(0, rResult);
+
+ assertUsernameTokens(message, princ);
+ message.put(WSS4JInInterceptor.PRINCIPAL_RESULT,
princ);
+ SecurityContext sc =
message.get(SecurityContext.class);
+ if (sc == null || sc.getUserPrincipal() == null) {
+ SecurityContext c = new SecurityContext() {
+ public Principal getUserPrincipal() {
+ return princ;
+ }
+ public boolean isUserInRole(String role) {
+ return false;
+ }
+ };
+ message.put(SecurityContext.class, c);
+ }
+
+ }
+ } catch (WSSecurityException ex) {
+ throw new Fault(ex);
+ }
+ }
+ child = DOMUtils.getNextElement(child);
+ }
+ }
+
+ private UsernameToken assertUsernameTokens(SoapMessage message,
WSUsernameTokenPrincipal princ) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ Collection<AssertionInfo> ais =
aim.getAssertionInfo(SP12Constants.USERNAME_TOKEN);
+ UsernameToken tok = null;
+ for (AssertionInfo ai : ais) {
+ tok = (UsernameToken)ai.getAssertion();
+ if (princ != null && tok.isHashPassword() !=
princ.isPasswordDigest()) {
+ ai.setNotAsserted("Password hashing policy not enforced");
+ } else {
+ ai.setAsserted(true);
+ }
+ }
+ ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
+ for (AssertionInfo ai : ais) {
+ ai.setAsserted(true);
+ }
+ return tok;
+ }
+
+ private void addUsernameToken(SoapMessage message) {
+ UsernameToken tok = assertUsernameTokens(message, null);
+
+ Header h = findSecurityHeader(message, true);
+ WSSecUsernameToken utBuilder =
+ addUsernameToken(message, tok);
+ if (utBuilder == null) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ Collection<AssertionInfo> ais =
aim.getAssertionInfo(SP12Constants.USERNAME_TOKEN);
+ for (AssertionInfo ai : ais) {
+ if (ai.isAsserted()) {
+ ai.setAsserted(false);
+ }
+ }
+ return;
+ }
+ Element el = (Element)h.getObject();
+ utBuilder.prepare(el.getOwnerDocument());
+ el.appendChild(utBuilder.getUsernameTokenElement());
+ }
+
+
+ private Header findSecurityHeader(SoapMessage message, boolean create) {
+ for (Header h : message.getHeaders()) {
+ QName n = h.getName();
+ if (n.getLocalPart().equals("Security")
+ && (n.getNamespaceURI().equals(WSConstants.WSSE_NS)
+ || n.getNamespaceURI().equals(WSConstants.WSSE11_NS))) {
+ return h;
+ }
+ }
+ if (!create) {
+ return null;
+ }
+ Document doc = DOMUtils.createDocument();
+ Element el = doc.createElementNS(WSConstants.WSSE_NS, "wsse:Security");
+ el.setAttributeNS(WSConstants.XMLNS_NS, "xmlns:wsse",
WSConstants.WSSE_NS);
+ SoapHeader sh = new SoapHeader(new QName(WSConstants.WSSE_NS,
"Security"), el);
+ sh.setMustUnderstand(true);
+ message.getHeaders().add(sh);
+ return sh;
+ }
+ protected WSSecUsernameToken addUsernameToken(SoapMessage message,
UsernameToken token) {
+ String userName =
(String)message.getContextualProperty(SecurityConstants.USERNAME);
+
+ if (!StringUtils.isEmpty(userName)) {
+ // If NoPassword property is set we don't need to set the password
+ if (token.isNoPassword()) {
+ WSSecUsernameToken utBuilder = new WSSecUsernameToken();
+ utBuilder.setUserInfo(userName, null);
+ utBuilder.setPasswordType(null);
+ return utBuilder;
+ }
+
+ String password =
(String)message.getContextualProperty(SecurityConstants.PASSWORD);
+ if (StringUtils.isEmpty(password)) {
+ password = getPassword(userName, token,
WSPasswordCallback.USERNAME_TOKEN, message);
+ }
+
+ if (!StringUtils.isEmpty(password)) {
+ //If the password is available then build the token
+ WSSecUsernameToken utBuilder = new WSSecUsernameToken();
+ if (token.isHashPassword()) {
+ utBuilder.setPasswordType(WSConstants.PASSWORD_DIGEST);
+ } else {
+ utBuilder.setPasswordType(WSConstants.PASSWORD_TEXT);
+ }
+
+ utBuilder.setUserInfo(userName, password);
+ return utBuilder;
+ } else {
+ policyNotAsserted(token, "No username available", message);
+ }
+ } else {
+ policyNotAsserted(token, "No username available", message);
+ }
+ return null;
+ }
+ private CallbackHandler getCallback(SoapMessage message) {
+ //Then try to get the password from the given callback handler
+ Object o =
message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER);
+
+ CallbackHandler handler = null;
+ if (o instanceof CallbackHandler) {
+ handler = (CallbackHandler)o;
+ } else if (o instanceof String) {
+ try {
+ handler = (CallbackHandler)ClassLoaderUtils
+ .loadClass((String)o, this.getClass()).newInstance();
+ } catch (Exception e) {
+ handler = null;
+ }
+ }
+ return handler;
+ }
+ public String getPassword(String userName, UsernameToken info, int type,
SoapMessage message) {
+ //Then try to get the password from the given callback handler
+
+ CallbackHandler handler = getCallback(message);
+ if (handler == null) {
+ policyNotAsserted(info, "No callback handler and no password
available", message);
+ return null;
+ }
+
+ WSPasswordCallback[] cb = {new WSPasswordCallback(userName,
+ type)};
+ try {
+ handler.handle(cb);
+ } catch (Exception e) {
+ policyNotAsserted(info, e, message);
+ }
+
+ //get the password
+ return cb[0].getPassword();
+ }
+ protected void policyNotAsserted(UsernameToken assertion, String reason,
SoapMessage message) {
+ if (assertion == null) {
+ return;
+ }
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+
+ Collection<AssertionInfo> ais;
+ ais = aim.get(assertion.getName());
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ if (ai.getAssertion() == assertion) {
+ ai.setNotAsserted(reason);
+ }
+ }
+ }
+ if (!assertion.isOptional()) {
+ throw new PolicyException(new Message(reason, LOG));
+ }
+ }
+ protected void policyNotAsserted(UsernameToken assertion, Exception
reason, SoapMessage message) {
+ if (assertion == null) {
+ return;
+ }
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ Collection<AssertionInfo> ais;
+ ais = aim.get(assertion.getName());
+ if (ais != null) {
+ for (AssertionInfo ai : ais) {
+ if (ai.getAssertion() == assertion) {
+ ai.setNotAsserted(reason.getMessage());
+ }
+ }
+ }
+ throw new PolicyException(reason);
+ }
+}
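Review bot: getCallback (L508-525) swallows every exception from loading a configured callback-handler class name and returns null, so a typo in the ws-security.callback-handler value is indistinguishable from having configured none; on the inbound side that null is then passed straight into `p.handleUsernameToken(child, getCallback(message))` at L351-354, and whether a plaintext password is verified at all with a null callback is left to WSS4J's UsernameTokenProcessor — worth confirming, and if it is not, the server path should fail when no handler is available rather than continue. At minimum the catch should record the cause, e.g. `} catch (Exception e) { LOG.log(java.util.logging.Level.WARNING, "Could not load callback handler " + o, e); handler = null; }`, and processUsernameToken could treat a null handler the way getPassword already does at L531-535. The class Javadoc at L286-288 is empty and the constructor's `@param p` at L300 refers to a parameter that does not exist; a one-line class summary stating that this interceptor handles the UsernameToken-only case (no binding) whenever the PolicyBased WSS4J interceptors have not already marked the message via SECURITY_PROCESSED would replace both. Note also that the SecurityContext created at L377-384 answers isUserInRole with false unconditionally, which anyone relying on role checks downstream should know from a comment.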
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Wed Mar 17 02:55:57 2010
@@ -82,7 +82,7 @@ public class WSS4JInInterceptor extends
public static final String PRINCIPAL_RESULT = "wss4j.principal.result";
public static final String PROCESSOR_MAP = "wss4j.processor.map";
- private static final String SECURITY_PROCESSED =
WSS4JInInterceptor.class.getName() + ".DONE";
+ public static final String SECURITY_PROCESSED =
WSS4JInInterceptor.class.getName() + ".DONE";
private static final Logger LOG =
LogUtils.getL7dLogger(WSS4JInInterceptor.class);
private static final Logger TIME_LOG =
LogUtils.getL7dLogger(WSS4JInInterceptor.class,
Modified:
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
---
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
(original)
+++
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/WSSecurity10Test.java
Wed Mar 17 02:55:57 2010
@@ -65,6 +65,7 @@ public class WSSecurity10Test extends Ab
public void testClientServer() {
String[] argv = new String[] {
+ "UserName",
"UserNameOverTransport",
"MutualCertificate10SignEncrypt",
"MutualCertificate10SignEncryptRsa15TripleDes"
@@ -102,6 +103,8 @@ public class WSSecurity10Test extends Ab
try {
if ("UserNameOverTransport".equals(portPrefix)) {
return new URL("https://localhost:9001/" + portPrefix +
"?wsdl");
+ } else if ("UserName".equals(portPrefix)) {
+ return new URL("http://localhost:9003/" + portPrefix +
"?wsdl");
} else if ("MutualCertificate10SignEncrypt".equals(portPrefix)) {
return new URL("http://localhost:9002/" + portPrefix +
"?wsdl");
} else if
("MutualCertificate10SignEncryptRsa15TripleDes".equals(portPrefix)) {
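Review bot: The UserName WSDL location returned at L632 uses `http://localhost:9003/`, but the same scenario is published as `https://localhost:9003/UserName` in server_restricted.xml (L741) and the port address added to WsSecurity10.wsdl at L776 is also https, while server.xml (L710) uses http. If the restricted variant of this test reaches the endpoint through this method, the UserName case cannot connect; if the client ignores the WSDL address and only the jaxws:client config matters, the entry at L776 is merely misleading. Either way the four places should agree on the scheme for port 9003, presumably http, since the point of the new scenario is a UsernameToken with no transport binding. The enclosing method starts and ends outside the hunk.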
Modified:
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client.xml?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
---
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client.xml
(original)
+++
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client.xml
Wed Mar 17 02:55:57 2010
@@ -49,6 +49,12 @@
<entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://WSSec/wssec10}UserName_IPingService"
createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="Alice"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:client>
<http:conduit name="https://.*/UserNameOverTransport.*">
<http:tlsClientParameters disableCNCheck="true">
<sec:keyManagers keyPassword="password">
Modified:
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
---
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml
(original)
+++
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/client/client_restricted.xml
Wed Mar 17 02:55:57 2010
@@ -49,6 +49,12 @@
<entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://WSSec/wssec10}UserName_IPingService"
createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="Alice"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:client>
<http:conduit name="https://.*/UserNameOverTransport.*">
<http:tlsClientParameters disableCNCheck="true">
<sec:keyManagers keyPassword="password">
Modified:
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server.xml?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
---
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server.xml
(original)
+++
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server.xml
Wed Mar 17 02:55:57 2010
@@ -90,7 +90,19 @@
</jaxws:properties>
</jaxws:endpoint>
-
+ <jaxws:endpoint
+ id="UserName"
+ address="http://localhost:9003/UserName"
+ serviceName="interop:PingService"
+ endpointName="interop:UserName_IPingService"
+
implementor="org.apache.cxf.systest.ws.wssec10.server.UserNameOverTransport">
+
+ <jaxws:properties>
+ <entry key="ws-security.username" value="Alice"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.wssec10.server.UTPasswordCallback"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
<!-- -->
<!-- Scenario 3.3 -->
Modified:
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
---
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
(original)
+++
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
Wed Mar 17 02:55:57 2010
@@ -90,6 +90,20 @@
</jaxws:properties>
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="UserName"
+ address="https://localhost:9003/UserName"
+ serviceName="interop:PingService"
+ endpointName="interop:UserName_IPingService"
+
implementor="org.apache.cxf.systest.ws.wssec10.server.UserNameOverTransportRestricted"
+ depends-on="tls-settings">
+
+ <jaxws:properties>
+ <entry key="ws-security.username" value="Alice"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.wssec10.server.UTPasswordCallback"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
<!-- -->
Modified:
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10.wsdl
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10.wsdl?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
---
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10.wsdl
(original)
+++
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10.wsdl
Wed Mar 17 02:55:57 2010
@@ -74,6 +74,9 @@
<wsdl:port name="UserNameOverTransport_IPingService"
binding="wssec10test:UserNameOverTransport_IPingService">
<soap:address
location="https://localhost:9001/Security_WsSecurity_Service_Indigo/WsSecurity10.svc/UserNameOverTransport"/>
</wsdl:port>
+ <wsdl:port name="UserName_IPingService"
binding="wssec10test:UserName_IPingService">
+ <soap:address
location="https://localhost:9003/Security_WsSecurity_Service_Indigo/WsSecurity10.svc/UserName"/>
+ </wsdl:port>
<wsdl:port name="MutualCertificate10SignEncrypt_IPingService"
binding="wssec10test:MutualCertificate10SignEncrypt_IPingService">
<soap:address
location="http://localhost:9002/Security_WsSecurity_Service_Indigo/WsSecurity10.svc/MutualCertificate10SignEncrypt"/>
</wsdl:port>
Modified:
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy.wsdl
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy.wsdl?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
---
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy.wsdl
(original)
+++
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy.wsdl
Wed Mar 17 02:55:57 2010
@@ -34,6 +34,21 @@
xmlns:wsa10="http://www.w3.org/2005/08/addressing"
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
targetNamespace="http://apache.cxf.org/">
+ <wsp:Policy wsu:Id="UserName_IPingService_policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:UsernameToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssUsernameToken10/>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:SupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
<wsp:Policy wsu:Id="UserNameOverTransport_IPingService_policy">
<wsp:ExactlyOne>
<wsp:All>
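Review bot: The added `UserName_IPingService_policy` asserts only a `sp:UsernameToken` under `sp:SupportingTokens` with `sp:WssUsernameToken10`, and no binding assertion at all, which matches the commit's intent but leaves the policy itself silent on confidentiality of the password the token carries. Since nothing in the policy requires transport or message protection, protection depends entirely on the address scheme of the port that references this policy; an XML comment on the `wsp:Policy` element such as `<!-- UsernameToken without a binding: no transport/message protection is asserted here; the port address decides it -->` would make that contract explicit. The identical policy added to WsSecurity10_policy_restricted.wsdl (the hunk starting at its `@@ -34,6 +34,21 @@` header) warrants the same comment.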
@@ -271,6 +286,21 @@
<wsdl:import location="WsSecurity10.wsdl"
namespace="http://WSSec/wssec10"/>
<wsdl:types/>
+ <wsdl:binding name="UserName_IPingService" type="wssec10test:IPingService">
+ <wsp:PolicyReference URI="#UserName_IPingService_policy"/>
+ <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
+
+ <wsdl:operation name="echo">
+ <soap:operation soapAction="http://WSSec/wssec10/echo"
style="document"/>
+ <wsdl:input>
+ <soap:body use="literal"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal"/>
+ </wsdl:output>
+ </wsdl:operation>
+
+ </wsdl:binding>
<wsdl:binding name="UserNameOverTransport_IPingService"
type="wssec10test:IPingService">
<wsp:PolicyReference
URI="#UserNameOverTransport_IPingService_policy"/>
<soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
Modified:
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy_restricted.wsdl
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy_restricted.wsdl?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
---
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy_restricted.wsdl
(original)
+++
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_policy_restricted.wsdl
Wed Mar 17 02:55:57 2010
@@ -34,6 +34,21 @@
xmlns:wsa10="http://www.w3.org/2005/08/addressing"
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
targetNamespace="http://apache.cxf.org/">
+ <wsp:Policy wsu:Id="UserName_IPingService_policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:UsernameToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssUsernameToken10/>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:SupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
<wsp:Policy wsu:Id="UserNameOverTransport_IPingService_policy">
<wsp:ExactlyOne>
<wsp:All>
@@ -285,6 +300,21 @@
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="UserName_IPingService" type="wssec10test:IPingService">
+ <wsp:PolicyReference URI="#UserName_IPingService_policy"/>
+ <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
+
+ <wsdl:operation name="echo">
+ <soap:operation soapAction="http://WSSec/wssec10/echo"
style="document"/>
+ <wsdl:input>
+ <soap:body use="literal"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal"/>
+ </wsdl:output>
+ </wsdl:operation>
+
+ </wsdl:binding>
<wsdl:binding name="MutualCertificate10SignEncrypt_IPingService"
type="wssec10test:IPingService">
<wsp:PolicyReference
URI="#MutualCertificate10SignEncrypt_IPingService_policy"/>
<soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
Modified:
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_restricted.wsdl
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_restricted.wsdl?rev=924117&r1=924116&r2=924117&view=diff
==============================================================================
---
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_restricted.wsdl
(original)
+++
cxf/trunk/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/wssec10/WsSecurity10_restricted.wsdl
Wed Mar 17 02:55:57 2010
@@ -74,6 +74,9 @@
<wsdl:port name="UserNameOverTransport_IPingService"
binding="wssec10test:UserNameOverTransport_IPingService">
<soap:address
location="https://localhost:9001/Security_WsSecurity_Service_Indigo/WsSecurity10.svc/UserNameOverTransport"/>
</wsdl:port>
+ <wsdl:port name="UserName_IPingService"
binding="wssec10test:UserName_IPingService">
+ <soap:address
location="http://localhost:9003/Security_WsSecurity_Service_Indigo/WsSecurity10.svc/UserName"/>
+ </wsdl:port>
<wsdl:port name="MutualCertificate10SignEncrypt_IPingService"
binding="wssec10test:MutualCertificate10SignEncrypt_IPingService">
<soap:address
location="http://localhost:9002/Security_WsSecurity_Service_Indigo/WsSecurity10.svc/MutualCertificate10SignEncrypt"/>
</wsdl:port>