Author: coheigea
Date: Fri Apr 8 07:52:34 2011
New Revision: 1090152
URL: http://svn.apache.org/viewvc?rev=1090152&view=rev
Log:
[CXF-3432] - Support WS-SecurityPolicy SamlToken expressions (Part V)
- Added support for validating IssuedToken policies against received
Assertions.
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1090152&r1=1090151&r2=1090152&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Fri Apr 8 07:52:34 2011
@@ -48,6 +48,7 @@ import org.apache.cxf.ws.security.trust.
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
+import
org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
@@ -203,21 +204,22 @@ public class IssuedTokenInterceptorProvi
return;
}
if (!isRequestor(message)) {
- boolean found = false;
List<WSHandlerResult> results =
CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
if (results != null) {
for (WSHandlerResult rResult : results) {
- SecurityToken token =
findIssuedToken(rResult.getResults());
- if (token != null) {
- found = true;
+ WSSecurityEngineResult wser =
+ findSecurityResult(rResult.getResults());
+ if (wser != null) {
+ IssuedTokenPolicyValidator issuedValidator =
+ new IssuedTokenPolicyValidator();
+ issuedValidator.validatePolicy(aim, wser);
+
+ SecurityToken token =
createSecurityToken(wser);
message.getExchange().put(SecurityConstants.TOKEN, token);
}
}
}
- for (AssertionInfo inf : ais) {
- inf.setAsserted(found);
- }
} else {
//client side should be checked on the way out
for (AssertionInfo ai : ais) {
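Review bot: The boolean returned by `issuedValidator.validatePolicy(aim, wser);` is discarded, so a SAML assertion that fails the IssuedToken template check is still turned into a SecurityToken and stored under SecurityConstants.TOKEN in the exchange. The validator marks the assertion not-asserted, so policy enforcement presumably fails later, but the token of a rejected assertion should not be published to the rest of the chain in the meantime; gate the token creation on the result: `if (issuedValidator.validatePolicy(aim, wser)) {` … `SecurityToken token = createSecurityToken(wser);` `message.getExchange().put(SecurityConstants.TOKEN, token);` `}`. The loop also keeps iterating over all WSHandlerResults, so a later matching result silently overwrites the token stored by an earlier one; if only the first is meant to count, a `break` after the put would make that explicit. The enclosing method starts and ends outside the hunk.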
@@ -227,7 +229,7 @@ public class IssuedTokenInterceptorProvi
}
}
- private SecurityToken findIssuedToken(
+ private WSSecurityEngineResult findSecurityResult(
List<WSSecurityEngineResult> wsSecEngineResults
) {
for (WSSecurityEngineResult wser : wsSecEngineResults) {
@@ -235,24 +237,33 @@ public class IssuedTokenInterceptorProvi
if (actInt.intValue() == WSConstants.ST_SIGNED) {
AssertionWrapper assertionWrapper =
(AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- SAMLKeyInfo subjectKeyInfo =
assertionWrapper.getSubjectKeyInfo();
- if (subjectKeyInfo != null) {
- SecurityToken token = new
SecurityToken(assertionWrapper.getId());
- token.setSecret(subjectKeyInfo.getSecret());
- X509Certificate[] certs = subjectKeyInfo.getCerts();
- if (certs != null && certs.length > 0) {
- token.setX509Certificate(certs[0], null);
- }
- if (assertionWrapper.getSaml1() != null) {
-
token.setTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
- } else if (assertionWrapper.getSaml2() != null) {
-
token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
- }
- return token;
+ if (assertionWrapper.getSubjectKeyInfo() != null) {
+ return wser;
}
}
}
return null;
}
+
+ private SecurityToken createSecurityToken(
+ WSSecurityEngineResult wser
+ ) {
+ AssertionWrapper assertionWrapper =
+
(AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
+
+ SecurityToken token = new SecurityToken(assertionWrapper.getId());
+ token.setSecret(subjectKeyInfo.getSecret());
+ X509Certificate[] certs = subjectKeyInfo.getCerts();
+ if (certs != null && certs.length > 0) {
+ token.setX509Certificate(certs[0], null);
+ }
+ if (assertionWrapper.getSaml1() != null) {
+ token.setTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
+ } else if (assertionWrapper.getSaml2() != null) {
+ token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+ }
+ return token;
+ }
}
}
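Review bot: `createSecurityToken` calls `subjectKeyInfo.getSecret()` and `subjectKeyInfo.getCerts()` without a null check, relying on `findSecurityResult` only returning results whose `getSubjectKeyInfo()` is non-null; that precondition is invisible at the call site and should be stated in a Javadoc on the new method, e.g. `Build a SecurityToken from a signed-SAML result; wser must hold an AssertionWrapper whose subject key info is non-null (see findSecurityResult).` A matching one-line Javadoc on `findSecurityResult`, saying it returns the first ST_SIGNED result whose assertion carries subject key info, or null, would make the pairing explicit. Note that when the assertion is proven with a public key rather than a secret, `token.setSecret(subjectKeyInfo.getSecret())` stores a null secret on the token, which downstream consumers of SecurityConstants.TOKEN presumably have to tolerate; a comment saying that is intended would help the next reader.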
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1090152&view=auto
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
(added)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
Fri Apr 8 07:52:34 2011
@@ -0,0 +1,101 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.Collection;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.IssuedToken;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+import org.opensaml.common.SAMLVersion;
+
+/**
+ * Validate a WSSecurityEngineResult corresponding to the processing of a SAML
Assertion
+ * against an IssuedToken policy.
+ */
+public class IssuedTokenPolicyValidator {
+
+ public boolean validatePolicy(
+ AssertionInfoMap aim,
+ WSSecurityEngineResult wser
+ ) {
+ Collection<AssertionInfo> issuedAis =
aim.get(SP12Constants.ISSUED_TOKEN);
+ if (issuedAis != null && !issuedAis.isEmpty()) {
+ for (AssertionInfo ai : issuedAis) {
+ AssertionWrapper assertionWrapper =
+
(AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
+ Element template = issuedToken.getRstTemplate();
+ if (template != null && !checkIssuedTokenTemplate(template,
assertionWrapper)) {
+ ai.setNotAsserted("Error in validating the IssuedToken
policy");
+ return false;
+ }
+
+ ai.setAsserted(true);
+ }
+ }
+ return true;
+ }
+
+ /**
+ * Check the issued token template against the received assertion
+ */
+ private boolean checkIssuedTokenTemplate(Element template,
AssertionWrapper assertionWrapper) {
+ Element child = DOMUtils.getFirstElement(template);
+ while (child != null) {
+ if ("TokenType".equals(child.getLocalName())) {
+ String content = child.getTextContent();
+ if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(content)
+ && assertionWrapper.getSamlVersion() !=
SAMLVersion.VERSION_11) {
+ return false;
+ } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(content)
+ && assertionWrapper.getSamlVersion() !=
SAMLVersion.VERSION_20) {
+ return false;
+ }
+ } else if ("KeyType".equals(child.getLocalName())) {
+ String content = child.getTextContent();
+ if (content.endsWith("SymmetricKey")) {
+ SAMLKeyInfo subjectKeyInfo =
assertionWrapper.getSubjectKeyInfo();
+ if (subjectKeyInfo == null || subjectKeyInfo.getSecret()
== null) {
+ return false;
+ }
+ } else if (content.endsWith("PublicKey")) {
+ SAMLKeyInfo subjectKeyInfo =
assertionWrapper.getSubjectKeyInfo();
+ if (subjectKeyInfo == null ||
(subjectKeyInfo.getPublicKey() == null
+ && subjectKeyInfo.getCerts() == null)) {
+ return false;
+ }
+ }
+ }
+ child = DOMUtils.getNextElement(child);
+ }
+ return true;
+ }
+
+}
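Review bot: In `validatePolicy` the `AssertionWrapper` cast is repeated for every AssertionInfo, and a result with no TAG_SAML_ASSERTION yields a null `assertionWrapper` that `checkIssuedTokenTemplate` dereferences at `assertionWrapper.getSamlVersion()`, so a non-SAML or malformed result produces an NPE instead of a not-asserted policy. Hoist the cast out of the loop and fail closed when it is null, as below. `validatePolicy` has no Javadoc; it should state that it marks each IssuedToken assertion asserted or not-asserted, returns false on the first failure, and, since this is the permissive path, asserts the policy without any checks when the IssuedToken carries no RequestSecurityTokenTemplate. In `checkIssuedTokenTemplate` the two `String content = child.getTextContent();` lines compare the raw text content, so a template whose TokenType or KeyType URI is surrounded by whitespace matches neither branch and the corresponding check is silently skipped; `String content = child.getTextContent().trim();` avoids that.
```java
    public boolean validatePolicy(
        AssertionInfoMap aim,
        WSSecurityEngineResult wser
    ) {
        Collection<AssertionInfo> issuedAis = aim.get(SP12Constants.ISSUED_TOKEN);
        if (issuedAis == null || issuedAis.isEmpty()) {
            return true;
        }
        // Same result for every assertion; a null wrapper must fail the template check, not NPE
        AssertionWrapper assertionWrapper =
            (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
        for (AssertionInfo ai : issuedAis) {
            IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
            Element template = issuedToken.getRstTemplate();
            if (template != null
                && (assertionWrapper == null
                    || !checkIssuedTokenTemplate(template, assertionWrapper))) {
                ai.setNotAsserted("Error in validating the IssuedToken policy");
                return false;
            }
            ai.setAsserted(true);
        }
        return true;
    }
    // … unchanged: checkIssuedTokenTemplate …
```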
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1090152&r1=1090151&r2=1090152&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Fri Apr 8 07:52:34 2011
@@ -36,7 +36,7 @@ import org.opensaml.common.SAMLVersion;
*/
public class SamlTokenPolicyValidator {
- public void validatePolicy(
+ public boolean validatePolicy(
AssertionInfoMap aim,
WSSecurityEngineResult wser
) {
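Review bot: The change to `public boolean validatePolicy(` is not reflected in the Javadoc that closes at `*/` just above it, so the meaning of the new return value is undocumented; add `@return false if a SamlToken assertion failed validation and was marked not-asserted, true otherwise`. The method body continues outside the hunk, so the remaining exit paths cannot be checked here; whichever interceptor calls this method should now act on the result rather than drop it.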
@@ -50,7 +50,7 @@ public class SamlTokenPolicyValidator {
if (!checkVersion(samlToken, assertionWrapper)) {
ai.setNotAsserted("Wrong SAML Version");
- return;
+ return false;
}
/*
if (!checkIssuerName(samlToken, assertionWrapper)) {
@@ -59,6 +59,7 @@ public class SamlTokenPolicyValidator {
*/
}
}
+ return true;
}
/**