Author: coheigea
Date: Wed May 4 16:06:49 2011
New Revision: 1099502
URL: http://svn.apache.org/viewvc?rev=1099502&view=rev
Log:
[CXF-3461] - EndorsingSupportingTokens policy reports not satisfied when using
TLS with signed timestamp
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1099502&r1=1099501&r2=1099502&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Wed May 4 16:06:49 2011
@@ -74,6 +74,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.model.X509Token;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
+import
org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
import org.apache.neethi.Assertion;
import org.apache.ws.security.WSConstants;
@@ -540,7 +541,6 @@ public class PolicyBasedWSS4JInIntercept
&& sl.get(0).getName().equals(new
QName(WSConstants.SIG_NS, WSConstants.SIG_LN))) {
//endorsing the signature
hasEndorsement = true;
- break;
}
for (WSDataRef r : sl) {
signed.add(r);
@@ -621,18 +621,24 @@ public class PolicyBasedWSS4JInIntercept
assertSymetricBinding(aim, msg, prots, hasDerivedKeys);
assertTransportBinding(aim);
-
//REVISIT - probably can verify some of these like if UT is encrypted
and/or signed, etc...
assertPolicy(aim, SP12Constants.SIGNED_SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
if (hasEndorsement || isRequestor(msg)) {
- assertPolicy(aim, SP12Constants.ENDORSING_SUPPORTING_TOKENS);
assertPolicy(aim,
SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
assertPolicy(aim,
SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
assertPolicy(aim,
SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
}
+ if (isRequestor(msg)) {
+ assertPolicy(aim, SP12Constants.ENDORSING_SUPPORTING_TOKENS);
+ } else {
+ // TODO need to revisit all of the other endorsed policies
+ EndorsingTokenPolicyValidator endorsingValidator =
+ new EndorsingTokenPolicyValidator(signedResults, msg);
+ endorsingValidator.validatePolicy(aim);
+ }
super.doResults(msg, actor, soapHeader, soapBody, results,
utWithCallbacks);
}
private void assertHeadersExists(AssertionInfoMap aim, SoapMessage msg,
Node header)
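Review bot: The boolean returned by `endorsingValidator.validatePolicy(aim)` on the new line is discarded, so the outcome reaches the policy engine only through the `setNotAsserted` side effect the validator performs; that reliance should be written down next to the call, e.g. `// the validator marks the ENDORSING_SUPPORTING_TOKENS assertion itself; the return value is deliberately not used`. The SIGNED_ENDORSING, ENDORSING_ENCRYPTED and SIGNED_ENDORSING_ENCRYPTED variants are still asserted unconditionally under `hasEndorsement || isRequestor(msg)`, as the TODO acknowledges, so on the server side only the plain endorsing case is actually verified now. Whether `signedResults` is the list populated by the loop changed in the earlier hunk cannot be confirmed from the visible lines. The enclosing doResults method starts outside the hunk.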
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1099502&r1=1099501&r2=1099502&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
Wed May 4 16:06:49 2011
@@ -19,7 +19,6 @@
package org.apache.cxf.ws.security.wss4j.policyvalidators;
-import java.security.cert.Certificate;
import java.util.Collection;
import java.util.List;
@@ -60,11 +59,11 @@ public class EndorsingTokenPolicyValidat
ai.setAsserted(true);
TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
- Certificate[] tlsCerts = null;
+ boolean transport = false;
if (tlsInfo != null) {
- tlsCerts = tlsInfo.getPeerCertificates();
+ transport = true;
}
- if (!checkEndorsed(tlsCerts)) {
+ if (!checkEndorsed(transport)) {
ai.setNotAsserted("Message fails endorsing supporting
tokens requirements");
return false;
}
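Review bot: `transport` is derived from the mere presence of a `TLSSessionInfo` on the message, which only shows the request arrived over TLS, not that the TransportBinding is the policy in force; a message received over TLS under a symmetric or asymmetric binding would be checked only for a signed Timestamp instead of for an endorsed signature. The binding in effect is presumably visible through the `aim` parameter, so the selector should come from the policy, e.g. `boolean transport = aim.get(SP12Constants.TRANSPORT_BINDING) != null;` (with the TLS presence check kept as an additional condition if wanted); the same selector feeds `checkEndorsed(boolean)` in the next hunk. This also relaxes the previous behaviour, which required peer certificates rather than any TLS session; if that relaxation is intended it should be stated where `transport` is computed. The enclosing validatePolicy method starts outside the hunk.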
@@ -77,11 +76,11 @@ public class EndorsingTokenPolicyValidat
/**
* Check the endorsing supporting token policy. If we're using the
Transport Binding then
* check that the Timestamp is signed. Otherwise, check that the signature
is signed.
- * @param tlsCerts
+ * @param transport
* @return true if the endorsed supporting token policy is correct
*/
- private boolean checkEndorsed(Certificate[] tlsCerts) {
- if (tlsCerts != null && tlsCerts.length > 0) {
+ private boolean checkEndorsed(boolean transport) {
+ if (transport) {
return checkTimestampIsSigned();
}
return checkSignatureIsSigned();
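Review bot: The Javadoc `@param transport` on the renamed parameter has no description, so a reader cannot tell what condition selects the Timestamp check without reading the caller. Suggested line: `* @param transport true when the message arrived over TLS (a TLSSessionInfo is present), in which case a signed Timestamp satisfies the endorsing requirement`. The summary sentence could likewise say "signature is endorsed by a second signature" rather than "signature is signed", which is what checkSignatureIsSigned appears to verify, though its body is outside the hunk.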