Author: coheigea
Date: Fri May 13 16:14:57 2011
New Revision: 1102804
URL: http://svn.apache.org/viewvc?rev=1102804&view=rev
Log:
Made some improvements to how token inclusion types are handled inbound +
outbound.
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Fri May 13 16:14:57 2011
@@ -285,6 +285,7 @@ public class IssuedTokenInterceptorProvi
} else if (assertionWrapper.getSaml2() != null) {
token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
}
+ token.setToken(assertionWrapper.getElement());
return token;
}
}
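Review bot: The added `token.setToken(assertionWrapper.getElement())` stores whatever the wrapper currently holds, and on WSS4J's AssertionWrapper that element is only populated once the assertion has been serialised to DOM (via toDOM, or when the wrapper was built from an Element); if the wrapper here can still be in bean form, the SecurityToken silently ends up with a null element and the binding handlers later clone it. Worth confirming the call order, or guarding with `if (assertionWrapper.getElement() != null)` and failing otherwise. The enclosing method starts outside the hunk.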
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Fri May 13 16:14:57 2011
@@ -1615,11 +1615,7 @@ public abstract class AbstractBindingBui
//Check for whether the token is attached in the message or not
boolean attached = false;
-
- if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS ==
policyToken.getInclusion()
- || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE ==
policyToken.getInclusion()
- || (isRequestor() &&
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
- == policyToken.getInclusion())) {
+ if (includeToken(policyToken.getInclusion())) {
attached = true;
}
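Review bot: With the condition collapsed to a single predicate, the `attached = false;` initialiser plus the `if` that only flips it to true is now three lines where one will do: `boolean attached = includeToken(policyToken.getInclusion());`. The same shape remains in the SymmetricBindingHandler hunk at @@ -569. The enclosing method starts and ends outside the hunk.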
@@ -1939,5 +1935,22 @@ public abstract class AbstractBindingBui
return part;
}
+ protected boolean includeToken(SPConstants.IncludeTokenType inclusion) {
+ if (inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
+ return true;
+ }
+ if (isRequestor()) {
+ if (inclusion ==
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
+ || inclusion ==
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE) {
+ return true;
+ }
+ } else {
+ if (inclusion ==
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR) {
+ return true;
+ }
+ }
+ return false;
+ }
+
}
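Review bot: The new protected includeToken has no Javadoc, yet it does not reproduce the inline condition it replaces: INCLUDE_TOKEN_ONCE is no longer attached when isRequestor() is false, and INCLUDE_TOKEN_ALWAYS_TO_INITIATOR is now attached on the responder, while INCLUDE_TOKEN_NEVER (and any other value) falls through to false. Since every binding handler in this commit now relies on it, state the contract, e.g. `/** Whether a token with this inclusion type is attached to the outbound message for the current role: ALWAYS in either direction, ONCE and ALWAYS_TO_RECIPIENT only from the initiator, ALWAYS_TO_INITIATOR only from the recipient. */`, and mention that it is the outbound mirror of AbstractTokenPolicyValidator.isTokenRequired so the two stay in step.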
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Fri May 13 16:14:57 2011
@@ -38,7 +38,6 @@ import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
import org.apache.cxf.ws.security.policy.model.IssuedToken;
@@ -112,13 +111,7 @@ public class AsymmetricBindingHandler ex
} else {
policyAsserted(initiatorToken);
- IncludeTokenType inclusion =
initiatorToken.getInclusion();
- if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS
== inclusion
- || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE
== inclusion
- || (isRequestor()
- &&
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
- == inclusion)) {
-
+ if (includeToken(initiatorToken.getInclusion())) {
Element el = secToken.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
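Review bot: The four lines from `policyAsserted(initiatorToken);` through `attached = true;` are repeated verbatim in the hunk at @@ -202, and this commit edits both copies in the same way; a small protected helper on the handler that asserts the policy, attaches the cloned token element when includeToken() says so, and returns whether it was attached would leave one place to maintain. Both enclosing methods start and end outside their hunks, so the exact helper shape depends on what follows `attached`.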
@@ -202,13 +195,7 @@ public class AsymmetricBindingHandler ex
} else {
policyAsserted(initiatorToken);
- IncludeTokenType inclusion = initiatorToken.getInclusion();
- if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS ==
inclusion
- || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE ==
inclusion
- || (isRequestor()
- &&
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
- == inclusion)) {
-
+ if (includeToken(initiatorToken.getInclusion())) {
Element el = secToken.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Fri May 13 16:14:57 2011
@@ -178,12 +178,7 @@ public class SymmetricBindingHandler ext
boolean attached = false;
- if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS ==
encryptionToken.getInclusion()
- || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE ==
encryptionToken.getInclusion()
- || (isRequestor()
- &&
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
- == encryptionToken.getInclusion())) {
-
+ if (includeToken(encryptionToken.getInclusion())) {
Element el = tok.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
@@ -298,21 +293,17 @@ public class SymmetricBindingHandler ext
if (sigTok == null) {
//REVISIT - no token?
}
+
boolean tokIncluded = true;
- if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS ==
sigToken.getInclusion()
- || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE ==
sigToken.getInclusion()
- || (isRequestor()
- &&
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
- == sigToken.getInclusion())) {
-
+ if (includeToken(sigToken.getInclusion())) {
Element el = sigTok.getToken();
sigTokElem = cloneElement(el);
- this.addEncryptedKeyElement((Element)sigTokElem);
+ this.addEncryptedKeyElement(sigTokElem);
} else if (isRequestor() && sigToken instanceof X509Token) {
Element el = sigTok.getToken();
sigTokElem =
(Element)secHeader.getSecurityHeader().getOwnerDocument()
.importNode(el, true);
- this.addEncryptedKeyElement((Element)sigTokElem);
+ this.addEncryptedKeyElement(sigTokElem);
} else {
tokIncluded = false;
}
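Review bot: `sigTok.getToken()` in the new `if (includeToken(sigToken.getInclusion()))` branch dereferences sigTok even though the lines just above admit it may be null (`if (sigTok == null) { //REVISIT - no token? }` is still an empty block), so a missing signature token surfaces as a NullPointerException rather than a policy failure. Since the commit reworks this block anyway, resolve the REVISIT by failing the policy there (the policyNotAsserted counterpart of the policyAsserted helper the other handlers call) and bailing out before the branch. The hunk at @@ -351 has the same pattern with `encrTok = tokenStore.getToken(encrTokId)` followed by `encrTok.getToken()`, if the store lookup can return null. The enclosing method starts and ends outside the hunk.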
@@ -351,11 +342,7 @@ public class SymmetricBindingHandler ext
//REVISIT - issued token from trust?
encrTok = tokenStore.getToken(encrTokId);
- if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS ==
encrToken.getInclusion()
- || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE ==
encrToken.getInclusion()
- || (isRequestor()
- &&
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
- == encrToken.getInclusion())) {
+ if (includeToken(encrToken.getInclusion())) {
Element encrTokElem = (Element)encrTok.getToken();
//Add the encrToken element before the sigToken element
@@ -569,11 +556,7 @@ public class SymmetricBindingHandler ext
//Check for whether the token is attached in the message or not
boolean attached = false;
-
- if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS ==
policyToken.getInclusion()
- || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE ==
policyToken.getInclusion()
- || (isRequestor() &&
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
- == policyToken.getInclusion())) {
+ if (includeToken(policyToken.getInclusion())) {
attached = true;
}
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Fri May 13 16:14:57 2011
@@ -35,8 +35,6 @@ import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
import org.apache.cxf.ws.security.policy.model.Header;
import org.apache.cxf.ws.security.policy.model.IssuedToken;
@@ -94,13 +92,7 @@ public class TransportBindingHandler ext
} else if (token instanceof IssuedToken) {
SecurityToken secTok = getSecurityToken();
- SPConstants.IncludeTokenType inclusion = token.getInclusion();
-
- if (inclusion ==
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS
- || ((inclusion ==
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
- || inclusion ==
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE)
- && isRequestor())) {
-
+ if (includeToken(token.getInclusion())) {
//Add the token
addEncryptedKeyElement(cloneElement(secTok.getToken()));
}
@@ -140,13 +132,7 @@ public class TransportBindingHandler ext
} else {
policyAsserted(transportToken);
}
-
- IncludeTokenType inclusion =
transportToken.getInclusion();
- if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS
== inclusion
- || SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE
== inclusion
- ||
(SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
- == inclusion)) {
-
+ if (includeToken(transportToken.getInclusion())) {
Element el = secToken.getToken();
addEncryptedKeyElement(cloneElement(el));
}
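Review bot: The condition replaced by `includeToken(transportToken.getInclusion())` attached the token for INCLUDE_TOKEN_ONCE and INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT regardless of role, whereas includeToken attaches those only when isRequestor() is true; if this block only runs on the client side (the enclosing method starts outside the hunk, so that is not visible here) the two are equivalent, otherwise responder-side transport tokens with those inclusion types stop being attached. A one-line comment stating which role this code runs in would make the equivalence checkable, e.g. `// requestor side only: ONCE/ALWAYS_TO_RECIPIENT are honoured by includeToken()`.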
@@ -339,15 +325,10 @@ public class TransportBindingHandler ext
secTok = getSecurityToken();
}
- SPConstants.IncludeTokenType inclusion = token.getInclusion();
boolean tokenIncluded = false;
List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
- if (inclusion == SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS
- || ((inclusion ==
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT
- || inclusion ==
SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE)
- && isRequestor())) {
-
+ if (includeToken(token.getInclusion())) {
//Add the token
Element el = cloneElement(secTok.getToken());
if (securityTok != null) {
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
Fri May 13 16:14:57 2011
@@ -33,7 +33,7 @@ import org.apache.ws.security.saml.ext.O
/**
* Some abstract functionality for validating SAML Assertions
*/
-public abstract class AbstractSamlPolicyValidator {
+public abstract class AbstractSamlPolicyValidator extends
AbstractTokenPolicyValidator {
/**
* Check the holder-of-key requirements against the received assertion.
The subject
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java?rev=1102804&view=auto
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
(added)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
Fri May 13 16:14:57 2011
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
+import org.apache.cxf.ws.security.policy.model.Token;
+
+/**
+ * Some abstract functionality for validating a Security Token.
+ */
+public abstract class AbstractTokenPolicyValidator {
+
+ /**
+ * Check to see if a token is required or not.
+ * @param token the token
+ * @param message The message
+ * @return true if the token is required
+ */
+ protected boolean isTokenRequired(
+ Token token,
+ Message message
+ ) {
+ IncludeTokenType inclusion = token.getInclusion();
+ if (inclusion == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
+ return false;
+ } else if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
+ return true;
+ } else {
+ boolean initiator = MessageUtils.isRequestor(message);
+ if (initiator && (inclusion ==
IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR)) {
+ return true;
+ } else if (!initiator && (inclusion ==
IncludeTokenType.INCLUDE_TOKEN_ONCE
+ || inclusion ==
IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT)) {
+ return true;
+ }
+ return false;
+ }
+ }
+
+}
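Review bot: The Javadoc on isTokenRequired says only "true if the token is required", while the method encodes the WS-SecurityPolicy role mapping that a reader otherwise has to reconstruct from the nested ifs; spell it out, e.g. `@return true if the policy requires the token in a message flowing in this direction: ALWAYS in either direction, ALWAYS_TO_INITIATOR only when this side is the initiator, ONCE or ALWAYS_TO_RECIPIENT only when this side is the recipient; NEVER and any other value yield false`, and note that `message` is consulted only for MessageUtils.isRequestor. Since IncludeTokenType is a closed enum, a `switch (inclusion)` with the initiator check inside the three role-dependent cases reads more directly than the if/else chain. If `token.getInclusion()` can be null (not visible here), the method returns false and the callers then reject any token that is present, which should be either an explicit precondition in the Javadoc or a checked case.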
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
Fri May 13 16:14:57 2011
@@ -68,6 +68,18 @@ public class IssuedTokenPolicyValidator
IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
ai.setAsserted(true);
+ boolean tokenRequired = isTokenRequired(issuedToken, message);
+ if ((tokenRequired && assertionWrapper == null)
+ || (!tokenRequired && assertionWrapper != null)) {
+ ai.setNotAsserted(
+ "The received token does not match the token inclusion
requirement"
+ );
+ return false;
+ }
+ if (!tokenRequired) {
+ continue;
+ }
+
Element template = issuedToken.getRstTemplate();
if (template != null && !checkIssuedTokenTemplate(template,
assertionWrapper)) {
ai.setNotAsserted("Error in validating the IssuedToken
policy");
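Review bot: The twelve added lines from `boolean tokenRequired = ...` to `continue;` are repeated verbatim in the SamlTokenPolicyValidator hunk at @@ -70, and both validators already inherit from the new AbstractTokenPolicyValidator, so the mismatch check belongs there as a helper that takes the policy token, the received object and the AssertionInfo and sets the not-asserted message once. Either way the compound condition reduces to `if (tokenRequired != (assertionWrapper != null)) {`, which states the intent (presence must agree with the requirement) more plainly than the two disjuncts. The enclosing loop and method start and end outside the hunk.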
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1102804&r1=1102803&r2=1102804&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Fri May 13 16:14:57 2011
@@ -70,6 +70,18 @@ public class SamlTokenPolicyValidator ex
(AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
SamlToken samlToken = (SamlToken)ai.getAssertion();
ai.setAsserted(true);
+
+ boolean tokenRequired = isTokenRequired(samlToken, message);
+ if ((tokenRequired && assertionWrapper == null)
+ || (!tokenRequired && assertionWrapper != null)) {
+ ai.setNotAsserted(
+ "The received token does not match the token inclusion
requirement"
+ );
+ return false;
+ }
+ if (!tokenRequired) {
+ continue;
+ }
if (!checkVersion(samlToken, assertionWrapper)) {
ai.setNotAsserted("Wrong SAML Version");