Author: dkulp Date: Mon Nov 15 16:05:26 2010 New Revision: 1035331 URL: http://svn.apache.org/viewvc?rev=1035331&view=rev Log: Merged revisions 1035309 via svnmerge from https://svn.apache.org/repos/asf/cxf/branches/2.3.x-fixes
................ r1035309 | dkulp | 2010-11-15 10:32:12 -0500 (Mon, 15 Nov 2010) | 10 lines Merged revisions 1035302 via svnmerge from https://svn.apache.org/repos/asf/cxf/trunk ........ r1035302 | dkulp | 2010-11-15 10:26:52 -0500 (Mon, 15 Nov 2010) | 2 lines [CXF-3041, CXF-3042] Cleanup to checks for various request only or response only security cases ........ ................ Modified: cxf/branches/2.2.x-fixes/ (props changed) cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl Propchange: cxf/branches/2.2.x-fixes/ ------------------------------------------------------------------------------ Binary property 'svnmerge-integrated' - no diff available. Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1035331&r1=1035330&r2=1035331&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original) +++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Mon Nov 15 16:05:26 2010 
@@ -192,7 +192,11 @@ public class PolicyBasedWSS4JInIntercept } return false; } - private void assertPolicy(AssertionInfoMap aim, Token token, boolean derived) { + private void assertPolicy(AssertionInfoMap aim, Token token, Boolean derived) { + if (derived == null) { + //no keys were needed for anything + return; + } if (!derived && token instanceof X509Token && token.isDerivedKeys()) { notAssertPolicy(aim, token, "No derived keys found."); } @@ -461,7 +465,7 @@ public class PolicyBasedWSS4JInIntercept AssertionInfoMap aim = msg.get(AssertionInfoMap.class); Collection<WSDataRef> signed = new HashSet<WSDataRef>(); Collection<WSDataRef> encrypted = new HashSet<WSDataRef>(); - boolean hasDerivedKeys = false; + Boolean hasDerivedKeys = null; boolean hasEndorsement = false; Protections prots = Protections.NONE; @@ -471,6 +475,9 @@ public class PolicyBasedWSS4JInIntercept Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); switch (actInt.intValue()) { case WSConstants.SIGN: + if (hasDerivedKeys == null) { + hasDerivedKeys = Boolean.FALSE; + } List<WSDataRef> sl = CastUtils.cast((List<?>)wser .get(WSSecurityEngineResult.TAG_DATA_REF_URIS)); if (sl != null) { @@ -487,6 +494,9 @@ public class PolicyBasedWSS4JInIntercept } break; case WSConstants.ENCR: + if (hasDerivedKeys == null) { + hasDerivedKeys = Boolean.FALSE; + } List<WSDataRef> el = CastUtils.cast((List<?>)wser .get(WSSecurityEngineResult.TAG_DATA_REF_URIS)); if (el != null) { @@ -516,7 +526,7 @@ public class PolicyBasedWSS4JInIntercept assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP); break; case WSConstants.DKT: - hasDerivedKeys = true; + hasDerivedKeys = Boolean.TRUE; break; case WSConstants.SC: assertPolicy(aim, SP12Constants.WSS11); 
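Review bot: The three states of `Boolean derived` in assertPolicy (null: no SIGN, ENCR or DKT result was seen; FALSE: keys were used but none was derived; TRUE: a DerivedKeyToken was processed) are recorded only by the `//no keys were needed for anything` comment on the early return, and the `Boolean derived` parameters added in the -608 and -649 hunks of this file give no hint that null is a legal value. A Javadoc `@param derived` on assertPolicy and on both binding-check methods naming those states, plus a comment at `Boolean hasDerivedKeys = null;` such as `// null until a SIGN, ENCR or DKT result is seen; FALSE = keys used without derivation; TRUE = DerivedKeyToken present`, would make the tri-state explicit. The early return also means an X509Token that requires derived keys is no longer reported when a message carries neither signature nor encryption; that looks intentional for the request-only/response-only cases named in the log, but it relies on the signed/encrypted-parts checks elsewhere in the results loop (outside these hunks) rejecting a message that should have been protected, which is worth confirming. Result order does not matter for the new logic: the FALSE assignments are guarded by the null check, so a DKT result before or after SIGN/ENCR ends with TRUE either way.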
@@ -608,7 +618,7 @@ public class PolicyBasedWSS4JInIntercept
                                        SoapMessage message,
                                        SOAPMessage doc,
                                        Protections prots,
-                                       boolean derived) {
+                                       Boolean derived) {
         Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
         if (ais == null) {
             return true;
@@ -649,7 +659,7 @@ public class PolicyBasedWSS4JInIntercept
                                        SoapMessage message,
                                        SOAPMessage doc,
                                        Protections prots,
-                                       boolean derived) {
+                                       Boolean derived) {
         Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
         if (ais == null) {
             return true;
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1035331&r1=1035330&r2=1035331&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Mon Nov 15 16:05:26 2010
@@ -348,7 +348,10 @@ public class AsymmetricBindingHandler ex
             assertUnusedTokens(abinding.getInitiatorToken());
         }
         sigToken = wrapper.getToken();
-
+        sigParts.addAll(this.getSignedParts());
+        if (sigParts.isEmpty()) {
+            return;
+        }
         if (sigToken.isDerivedKeys()) {
             // Set up the encrypted key to use
             setupEncryptedKey(wrapper, sigToken);
@@ -388,6 +391,7 @@ public class AsymmetricBindingHandler ex
                 e.printStackTrace();
             }
         } else {
+            WSSecSignature sig = getSignatureBuider(wrapper, sigToken, false);
             // This action must occur before sig.prependBSTElementToHeader
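Review bot: The new `return` when `sigParts` is empty leaves the enclosing method (which starts and ends outside this hunk) before the derived-key branch and before whatever follows the signature step further down; if that later code keeps the signature for signature confirmation or for an encrypt-after-sign pass, a direction with no SignedParts now skips it, which is presumably the point of CXF-3041 but should be checked against the rest of the method. Moving `sigParts.addAll(this.getSignedParts())` above `if (sigToken.isDerivedKeys())` also hands the signed parts to the derived-key branch, which the old placement did not; if that branch adds parts itself they would now be listed twice. A comment at the new guard would record the intent: `// No SignedParts for this direction (CXF-3041): nothing to sign, so skip signature set-up`. The -388 hunk below is cut off in this view, so the new `WSSecSignature sig` local cannot be checked against the lines that use it.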
@@ -398,7 +402,6 @@ public class AsymmetricBindingHandler ex sig.prependBSTElementToHeader(secHeader); insertBeforeBottomUp(sig.getSignatureElement()); - sigParts.addAll(this.getSignedParts()); sig.addReferencesToSign(sigParts, secHeader); sig.computeSignature(); Modified: cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=1035331&r1=1035330&r2=1035331&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java (original) +++ cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java Mon Nov 15 16:05:26 2010 @@ -74,6 +74,9 @@ public class SecurityPolicyTest extends public static final String POLICY_XPATH_ADDRESS = "http://localhost:" + PORT + "/SecPolTestXPath"; public static final String POLICY_SIGNONLY_ADDRESS = "http://localhost:" + PORT + "/SecPolTestSignedOnly"; + public static final String POLICY_CXF3041_ADDRESS = "http://localhost:" + PORT + "/SecPolTestCXF3041"; + public static final String POLICY_CXF3042_ADDRESS = "http://localhost:" + PORT + "/SecPolTestCXF3042"; + public static class ServerPasswordCallback implements CallbackHandler { public void handle(Callback[] callbacks) throws IOException, @@ -88,7 +91,8 @@ public class SecurityPolicyTest extends } } - + private DoubleItService service = new DoubleItService(); + @BeforeClass public static void init() throws Exception { 
@@ -159,11 +163,30 @@ public class SecurityPolicyTest extends SecurityPolicyTest.class.getResource("bob.properties").toString()); ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES, SecurityPolicyTest.class.getResource("alice.properties").toString()); + + + ep = (EndpointImpl)Endpoint.publish(POLICY_CXF3041_ADDRESS, + new DoubleItImplCXF3041()); + ei = ep.getServer().getEndpoint().getEndpointInfo(); + ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback()); + ei.setProperty(SecurityConstants.SIGNATURE_PROPERTIES, + SecurityPolicyTest.class.getResource("bob.properties").toString()); + ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES, + SecurityPolicyTest.class.getResource("alice.properties").toString()); + + ep = (EndpointImpl)Endpoint.publish(POLICY_CXF3042_ADDRESS, + new DoubleItImplCXF3042()); + ei = ep.getServer().getEndpoint().getEndpointInfo(); + ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback()); + ei.setProperty(SecurityConstants.SIGNATURE_PROPERTIES, + SecurityPolicyTest.class.getResource("alice.properties").toString()); + ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES, + SecurityPolicyTest.class.getResource("alice.properties").toString()); + } @Test public void testPolicy() throws Exception { - DoubleItService service = new DoubleItService(); DoubleItPortType pt; pt = service.getDoubleItPortXPath(); @@ -246,7 +269,6 @@ public class SecurityPolicyTest extends @Test public void testSignedOnlyWithUnsignedMessage() throws Exception { //CXF-2244 - DoubleItService service = new DoubleItService(); DoubleItPortType pt; pt = service.getDoubleItPortSignedOnly(); @@ -277,7 +299,6 @@ public class SecurityPolicyTest extends @Test public void testDispatchClient() throws Exception { - DoubleItService service = new DoubleItService(); Dispatch<Source> disp = service.createDispatch(DoubleItService.DoubleItPortEncryptThenSign, Source.class, Mode.PAYLOAD); 
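Review bot: init() now holds a fourth copy of the publish-then-set-three-properties block (the two new ones differ only in address, implementor and which of alice/bob supplies the signature properties), which is the kind of duplication where a later fix to one copy is forgotten in the others. A small static helper taking the address, the implementor and the two property-file names would replace all of them; `ep` and `ei` are declared above the hunk, so the helper can use locals instead. DoubleItImplCXF3042 is published with alice.properties for both signature and encryption, which fits the symmetric-binding policy, whereas CXF3041 signs as bob and encrypts for alice; a one-line comment on each call saying why would save the next reader a trip to the WSDL.
```java
    /** Publishes impl at address and wires the keystore callback plus the given property files. */
    private static void publishSecured(String address, Object impl, String sigProps, String encProps) {
        EndpointImpl ep = (EndpointImpl)Endpoint.publish(address, impl);
        EndpointInfo ei = ep.getServer().getEndpoint().getEndpointInfo();
        ei.setProperty(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
        ei.setProperty(SecurityConstants.SIGNATURE_PROPERTIES,
                       SecurityPolicyTest.class.getResource(sigProps).toString());
        ei.setProperty(SecurityConstants.ENCRYPT_PROPERTIES,
                       SecurityPolicyTest.class.getResource(encProps).toString());
    }
    // … in init(), replacing the two new blocks:
    // server signs as bob, encrypts for alice (asymmetric binding, CXF-3041)
    publishSecured(POLICY_CXF3041_ADDRESS, new DoubleItImplCXF3041(), "bob.properties", "alice.properties");
    // symmetric binding: alice's keystore serves both roles (CXF-3042)
    publishSecured(POLICY_CXF3042_ADDRESS, new DoubleItImplCXF3042(), "alice.properties", "alice.properties");
```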
@@ -418,4 +439,58 @@ public class SecurityPolicyTest extends } } + + + + @WebService(targetNamespace = "http://cxf.apache.org/policytest/DoubleIt", + portName = "DoubleItPortCXF3041", + serviceName = "DoubleItService", + endpointInterface = "org.apache.cxf.policytest.doubleit.DoubleItPortType", + wsdlLocation = "classpath:/wsdl_systest_wsspec/DoubleIt.wsdl") + public static class DoubleItImplCXF3041 implements DoubleItPortType { + /** {...@inheritdoc}*/ + public BigInteger doubleIt(BigInteger numberToDouble) { + return numberToDouble.multiply(new BigInteger("2")); + } + } + @WebService(targetNamespace = "http://cxf.apache.org/policytest/DoubleIt", + portName = "DoubleItPortCXF3042", + serviceName = "DoubleItService", + endpointInterface = "org.apache.cxf.policytest.doubleit.DoubleItPortType", + wsdlLocation = "classpath:/wsdl_systest_wsspec/DoubleIt.wsdl") + public static class DoubleItImplCXF3042 implements DoubleItPortType { + /** {...@inheritdoc}*/ + public BigInteger doubleIt(BigInteger numberToDouble) { + return numberToDouble.multiply(new BigInteger("2")); + } + } + + @Test + public void testCXF3041() throws Exception { + DoubleItPortType pt; + + pt = service.getDoubleItPortCXF3041(); + updateAddressPort(pt, PORT); + ((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, + new KeystorePasswordCallback()); + ((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES, + getClass().getResource("alice.properties")); + ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES, + getClass().getResource("bob.properties")); + assertEquals(BigInteger.valueOf(10), pt.doubleIt(BigInteger.valueOf(5))); + } + + @Test + public void testCXF3042() throws Exception { + DoubleItPortType pt; + pt = service.getDoubleItPortCXF3042(); + updateAddressPort(pt, PORT); + ((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, + new KeystorePasswordCallback()); + 
((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES, + getClass().getResource("alice.properties")); + ((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES, + getClass().getResource("alice.properties")); + assertEquals(BigInteger.valueOf(10), pt.doubleIt(BigInteger.valueOf(5))); + } } Modified: cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl?rev=1035331&r1=1035330&r2=1035331&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl (original) +++ cxf/branches/2.2.x-fixes/systests/ws-specs/src/test/resources/wsdl_systest_wsspec/DoubleIt.wsdl Mon Nov 15 16:05:26 2010 
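Review bot: `/** {...@inheritdoc}*/` on both doubleIt implementations is not a valid Javadoc tag (the literal `...` and the lower-case `d`); write `/** {@inheritDoc} */` or drop the comment, since the body is a single line. `new BigInteger("2")` can be `BigInteger.valueOf(2)`, and the two impl classes and the two test methods are copies differing only in the port and the property files, so a helper such as `callDoubleIt(DoubleItPortType pt, String sigProps, String encProps)` doing the three request-context puts and the assertion would halve the test code. The client side stores `URL` values (`getClass().getResource("alice.properties")`) in the request context while init() stores `.toString()` of the same resources; CXF presumably accepts either form, but using one throughout is easier to read. The enclosing class continues above this hunk.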
@@ -149,6 +149,39 @@ </wsdl:output> </wsdl:operation> </wsdl:binding> + + <wsdl:binding name="DoubleItBindingCXF3041" type="tns:DoubleItPortType"> + <wsp:PolicyReference URI="#CXF3041"/> + <soap:binding style="document" + transport="http://schemas.xmlsoap.org/soap/http" /> + <wsdl:operation name="DoubleIt"> + <soap:operation soapAction="" /> + <wsdl:input> + <soap:body use="literal" /> + </wsdl:input> + <wsdl:output> + <wsp:PolicyReference URI="#SignBody"/> + <soap:body use="literal" /> + </wsdl:output> + </wsdl:operation> + </wsdl:binding> + <wsdl:binding name="DoubleItBindingCXF3042" type="tns:DoubleItPortType"> + <wsp:PolicyReference URI="#CXF3042"/> + <soap:binding style="document" + transport="http://schemas.xmlsoap.org/soap/http" /> + <wsdl:operation name="DoubleIt"> + <soap:operation soapAction="" /> + <wsdl:input> + <wsp:PolicyReference URI="#EncrBody"/> + <soap:body use="literal" /> + </wsdl:input> + <wsdl:output> + <soap:body use="literal" /> + </wsdl:output> + </wsdl:operation> + </wsdl:binding> + + <wsdl:service name="DoubleItService"> <wsdl:port name="DoubleItPortHttps" binding="tns:DoubleItBinding"> <soap:address location="https://localhost:9009/SecPolTest" /> @@ -174,6 +207,12 @@ <wsdl:port name="DoubleItPortTimestampOnly" binding="tns:DoubleItBindingTimestampOnly"> <soap:address location="http://localhost:9010/SecPolTestTimestampOnly" /> </wsdl:port> + <wsdl:port name="DoubleItPortCXF3041" binding="tns:DoubleItBindingCXF3041"> + <soap:address location="http://localhost:9010/SecPolTestCXF3041" /> + </wsdl:port> + <wsdl:port name="DoubleItPortCXF3042" binding="tns:DoubleItBindingCXF3042"> + <soap:address location="http://localhost:9010/SecPolTestCXF3042" /> + </wsdl:port> </wsdl:service> <wsp:Policy wsu:Id="DoubleItBindingPolicy"> 
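Review bot: DoubleItBindingCXF3041 protects only the response (`#SignBody` on wsdl:output, nothing on wsdl:input) and DoubleItBindingCXF3042 only the request (`#EncrBody` on wsdl:input), which is exactly the request-only/response-only case the log describes, but nothing in the WSDL says so and a reader may take the bindings as examples. A comment above the pair, `<!-- Bindings for CXF-3041/CXF-3042: each deliberately protects only ONE message direction (response signed / request encrypted); regression fixtures, not a template -->`, records that the unprotected direction is intentional. The new ports reuse host and port 9010 of the existing ports; the tests appear to override the address with updateAddressPort, so the literal locations seem to matter only as distinct paths, which a short comment could also state.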
@@ -542,5 +581,133 @@ </wsp:ExactlyOne> </wsp:Policy> + + + <!-- Policy for asymmetric binding with the certificate included in the message from + client to server but only a thumbprint on messages from the server to the client. --> + <wsp:Policy wsu:Id="AsymmBinding" xmlns:wsu= + "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsp="http://www.w3.org/ns/ws-policy" + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <sp:AsymmetricBinding> + <wsp:Policy> + <sp:InitiatorToken> + <wsp:Policy> + <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> + <wsp:Policy> + <sp:RequireThumbprintReference/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:InitiatorToken> + <sp:RecipientToken> + <wsp:Policy> + <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"> + <wsp:Policy> + <sp:RequireThumbprintReference/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:RecipientToken> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic128Rsa15/> + </wsp:Policy> + </sp:AlgorithmSuite> + </wsp:Policy> + </sp:AsymmetricBinding> + </wsp:Policy> + <!-- Policy for signing the message body. --> + <wsp:Policy wsu:Id="SignBody" xmlns:wsu= + "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsp="http://www.w3.org/ns/ws-policy" + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <sp:SignedParts> + <sp:Body/> + </sp:SignedParts> + </wsp:Policy> + <!-- Policy for encrypting the message body. 
--> + <wsp:Policy wsu:Id="EncrBody" xmlns:wsu= + "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsp="http://www.w3.org/ns/ws-policy" + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <sp:EncryptedParts> + <sp:Body/> + </sp:EncryptedParts> + </wsp:Policy> + + <!-- Policy for asymmetric binding with the certificate included in the message from + client to server but only a thumbprint on messages from the server to the client. --> + <wsp:Policy wsu:Id="CXF3041" xmlns:wsu= + "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsp="http://www.w3.org/ns/ws-policy" + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <sp:AsymmetricBinding> + <wsp:Policy> + <sp:InitiatorToken> + <wsp:Policy> + <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> + <wsp:Policy> + <sp:RequireThumbprintReference/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:InitiatorToken> + <sp:RecipientToken> + <wsp:Policy> + <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"> + <wsp:Policy> + <sp:RequireThumbprintReference/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:RecipientToken> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic128Rsa15/> + </wsp:Policy> + </sp:AlgorithmSuite> + </wsp:Policy> + </sp:AsymmetricBinding> + </wsp:Policy> + + + + <!-- Policy for symmetric binding, using an ephemeral key generated by the client and + sent to the server as part of the request, using asymmetric encryption with the server + public key to secure the symmetric key. 
--> + <wsp:Policy wsu:Id="CXF3042" + xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" + xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <sp:SymmetricBinding> + <wsp:Policy> + <sp:ProtectionToken> + <wsp:Policy> + <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"> + <wsp:Policy> + <sp:RequireDerivedKeys/> + <sp:RequireThumbprintReference/> + <sp:WssX509V3Token10/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:ProtectionToken> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic128Rsa15/> + </wsp:Policy> + </sp:AlgorithmSuite> + <sp:OnlySignEntireHeadersAndBody/> + </wsp:Policy> + </sp:SymmetricBinding> + <sp:Wss11> + <wsp:Policy> + <sp:MustSupportRefKeyIdentifier/> + <sp:MustSupportRefThumbprint/> + <sp:MustSupportRefEncryptedKey/> + </wsp:Policy> + </sp:Wss11> + </wsp:Policy> </wsdl:definitions>
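Review bot: The `AsymmBinding` and `CXF3041` policies in this hunk are byte-for-byte identical, comment included, and `AsymmBinding` is not referenced anywhere in this diff, so one of them is redundant; either drop `AsymmBinding` or have the bindings reference the shared one. `CXF3042` declares `xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"` while the four policies above it use `http://www.w3.org/ns/ws-policy`; CXF appears to accept both namespaces, but mixing them in one file looks accidental, and the unused `xmlns:wsaw` declaration can go. The comment on `CXF3041` is copied from `AsymmBinding` and does not say what the case actually exercises; something like `<!-- CXF-3041: asymmetric binding whose request carries no SignedParts/EncryptedParts; only the response body is signed (see DoubleItBindingCXF3041) -->` would be more useful. The three binding policies use `Basic128Rsa15`, i.e. RSA-1.5 key transport, which is consistent with the existing fixtures but should not be copied into a production policy, where the Basic128 suite (RSA-OAEP) is the preferred choice.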
