Author: dvaleri
Date: Fri Jul 30 17:53:49 2010
New Revision: 980898
URL: http://svn.apache.org/viewvc?rev=980898&view=rev
Log:
[CXF-2921] Changed interceptor behavior for case where there is no WS-S header.
Now allows for policy interceptor to process results even when there is no
header.
Added:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/transport_binding_policy.xml
(with props)
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=980898&r1=980897&r2=980898&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Fri Jul 30 17:53:49 2010
@@ -217,27 +217,39 @@ public class WSS4JInInterceptor extends
t2 = System.currentTimeMillis();
}
- if (wsResult == null) { // no security header found
- if (doAction == WSConstants.NO_SECURITY) {
- return;
- } else if
(doc.getSOAPPart().getEnvelope().getBody().hasFault()) {
- LOG.warning("Request does not contain required Security
header, "
+ if (wsResult != null) { // security header found
+ if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
+ checkSignatureConfirmation(reqData, wsResult);
+ }
+
+ checkSignatures(msg, reqData, wsResult);
+ checkTimestamps(msg, reqData, wsResult);
+ checkActions(msg, reqData, wsResult, actions);
+ doResults(msg, actor, doc, wsResult);
+ } else { // no security header found
+ // Create an empty result vector to pass into the required
validation
+ // methods.
+ wsResult = new Vector<Object>();
+
+ if (doc.getSOAPPart().getEnvelope().getBody().hasFault()) {
+ LOG.warning("Request does not contain Security header, "
+ "but it's a fault.");
- return;
+ // We allow lax action matching here for backwards
compatibility
+ // with manually configured WSS4JInInterceptors that
previously
+ // allowed faults to pass through even if their actions
aren't
+ // a strict match against those configured. In the WS-SP
case,
+ // we will want to still call doResults as it handles
asserting
+ // certain assertions that do not require a WS-S header
such as
+ // a sp:TransportBinding assertion. In the case of WS-SP,
+ // the unasserted assertions will provide confirmation that
+ // security was not sufficient.
+ // checkActions(msg, reqData, wsResult, actions);
+ doResults(msg, actor, doc, wsResult);
} else {
- LOG.warning("Request does not contain required Security
header");
- throw new
WSSecurityException(WSSecurityException.INVALID_SECURITY);
+ checkActions(msg, reqData, wsResult, actions);
+ doResults(msg, actor, doc, wsResult);
}
}
- if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
- checkSignatureConfirmation(reqData, wsResult);
- }
-
- checkSignatures(msg, reqData, wsResult);
- checkTimestamps(msg, reqData, wsResult);
- checkActions(msg, reqData, wsResult, actions);
-
- doResults(msg, actor, doc, wsResult);
if (doTimeLog) {
t3 = System.currentTimeMillis();
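Review bot: In the no-header fault branch, action matching is skipped solely because `getBody().hasFault()` is true, which is a property of the incoming message, and the skipped call is left behind as commented-out code (`// checkActions(msg, reqData, wsResult, actions);`). For a manually configured interceptor with no WS-SP assertions behind it, nothing visible in this hunk rejects an unsecured message whose body is a Fault, so the comment should state that explicitly and the dead call should be deleted rather than commented out. If the leniency is only meant for fault responses received by a client, consider narrowing the condition, for example with `MessageUtils.isRequestor(msg)` if that helper fits here. The non-fault branch also replaces the explicit `WSSecurityException.INVALID_SECURITY` throw with `checkActions` on an empty `Vector`, so rejection now depends on code outside this hunk; a test sending a header-less request to an interceptor with configured actions would pin that. The enclosing method starts and ends outside the hunk.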
Modified:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java?rev=980898&r1=980897&r2=980898&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
(original)
+++
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
Fri Jul 30 17:53:49 2010
@@ -19,6 +19,7 @@
package org.apache.cxf.ws.security.wss4j;
+import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
@@ -101,6 +102,27 @@ public class PolicyBasedWss4JInOutTest e
null,
Arrays.asList(CoverageType.SIGNED));
}
+
+ @Test
+ public void testTransportBinding() throws Exception {
+ this.runInInterceptorAndValidate(
+ "wsse-request-clean.xml",
+ "transport_binding_policy.xml",
+ Arrays.asList(SP12Constants.TRANSPORT_BINDING,
+ SP12Constants.TRANSPORT_TOKEN),
+ null,
+ new ArrayList<CoverageType>());
+
+ this.runAndValidate(
+ "wsse-request-clean.xml",
+ "transport_binding_policy.xml",
+ Arrays.asList(SP12Constants.TRANSPORT_BINDING),
+ null,
+ Arrays.asList(SP12Constants.TRANSPORT_BINDING,
+ SP12Constants.TRANSPORT_TOKEN),
+ null,
+ new ArrayList<CoverageType>());
+ }
// TODO this test does not follow the traditional pattern as no
server-side enforcement
// of algorithm suites yet exists. This support is blocked on WSS4J
patches. In the interim
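Review bot: `testTransportBinding` passes `null` where the sibling call later in this file passes `getNotAssertedAssertions()`, so it only pins that `TRANSPORT_BINDING` and `TRANSPORT_TOKEN` are asserted and checks nothing about the `sp:HttpsToken` / `sp:RequireClientCertificate` part of the policy. No TLS transport is visible in this test, so it is worth asserting that the HTTPS token stays unasserted by this interceptor (presumably it is left to the transport layer; confirm), e.g. by passing `Arrays.asList(SP12Constants.HTTPS_TOKEN)` as the not-asserted argument. A one-line comment above the test, such as `// wsse-request-clean.xml carries no wsse:Security header`, would also make the intent clear if that is indeed what the fixture contains.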
@@ -621,6 +643,7 @@ public class PolicyBasedWss4JInOutTest e
t.transform(new DOMSource(inDoc), new StreamResult(System.out));
*/
+
this.runInInterceptorAndValidate(inDoc,
inPolicy, inAssertions.getAssertedAssertions(),
inAssertions.getNotAssertedAssertions(), types);
Added:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/transport_binding_policy.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/transport_binding_policy.xml?rev=980898&view=auto
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/transport_binding_policy.xml
(added)
+++
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/transport_binding_policy.xml
Fri Jul 30 17:53:49 2010
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<wsp:Policy
+ xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
+ xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <wsp:Policy>
+ <sp:TransportBinding>
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken>
+ <wsp:Policy>
+ <sp:RequireClientCertificate/>
+ </wsp:Policy>
+ </sp:HttpsToken>
+ </wsp:Policy>
+ </sp:TransportToken>
+ </wsp:Policy>
+ </sp:TransportBinding>
+ </wsp:Policy>
+ </wsp:All>
+ </wsp:ExactlyOne>
+</wsp:Policy>
Propchange:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/transport_binding_policy.xml
------------------------------------------------------------------------------
svn:eol-style = native