Author: coheigea
Date: Fri Jul 8 17:38:51 2011
New Revision: 1144400
URL: http://svn.apache.org/viewvc?rev=1144400&view=rev
Log:
[CXF-3624] - BinarySecurityToken validated by STSTokenValidator doesn't satisfy
IssuedToken policy
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1144400&r1=1144399&r2=1144400&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Fri Jul 8 17:38:51 2011
@@ -54,6 +54,7 @@ import org.apache.ws.security.WSConstant
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.util.WSSecurityUtil;
@@ -237,51 +238,69 @@ public class IssuedTokenInterceptorProvi
) {
if (results != null) {
for (WSHandlerResult rResult : results) {
- WSSecurityEngineResult wser =
- findSecurityResult(rResult.getResults());
- if (wser != null) {
- List<WSSecurityEngineResult> signedResults =
- new ArrayList<WSSecurityEngineResult>();
- WSSecurityUtil.fetchAllActionResults(
- rResult.getResults(), WSConstants.SIGN,
signedResults
- );
-
- //
- // Validate the Issued Token policy
- //
- IssuedTokenPolicyValidator issuedValidator =
- new IssuedTokenPolicyValidator(signedResults,
message);
- if (!issuedValidator.validatePolicy(aim, wser)) {
- break;
- }
-
- SecurityToken token = createSecurityToken(wser);
- message.getExchange().put(SecurityConstants.TOKEN,
token);
+ List<WSSecurityEngineResult> signedResults =
+ new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(
+ rResult.getResults(), WSConstants.SIGN, signedResults
+ );
+ IssuedTokenPolicyValidator issuedValidator =
+ new IssuedTokenPolicyValidator(signedResults, message);
+ Collection<AssertionInfo> issuedAis =
aim.get(SP12Constants.ISSUED_TOKEN);
+
+ for (AssertionWrapper assertionWrapper
+ : findSamlTokenResults(rResult.getResults())) {
+ boolean valid =
issuedValidator.validatePolicy(issuedAis, assertionWrapper);
+ if (valid) {
+ SecurityToken token =
createSecurityToken(assertionWrapper);
+ message.getExchange().put(SecurityConstants.TOKEN,
token);
+ return;
+ }
+ }
+ for (BinarySecurity binarySecurityToken
+ :
findBinarySecurityTokenResults(rResult.getResults())) {
+ boolean valid =
issuedValidator.validatePolicy(issuedAis, binarySecurityToken);
+ if (valid) {
+ SecurityToken token =
createSecurityToken(binarySecurityToken);
+ message.getExchange().put(SecurityConstants.TOKEN,
token);
+ return;
+ }
}
}
}
}
- private WSSecurityEngineResult findSecurityResult(
+ private List<AssertionWrapper> findSamlTokenResults(
List<WSSecurityEngineResult> wsSecEngineResults
) {
+ List<AssertionWrapper> results = new ArrayList<AssertionWrapper>();
for (WSSecurityEngineResult wser : wsSecEngineResults) {
Integer actInt =
(Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
if (actInt.intValue() == WSConstants.ST_SIGNED
|| actInt.intValue() == WSConstants.ST_UNSIGNED) {
- return wser;
+
results.add((AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION));
+ }
+ }
+ return results;
+ }
+
+ private List<BinarySecurity> findBinarySecurityTokenResults(
+ List<WSSecurityEngineResult> wsSecEngineResults
+ ) {
+ List<BinarySecurity> results = new ArrayList<BinarySecurity>();
+ for (WSSecurityEngineResult wser : wsSecEngineResults) {
+ Integer actInt =
(Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == WSConstants.BST) {
+
results.add((BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN));
}
}
- return null;
+ return results;
}
private SecurityToken createSecurityToken(
- WSSecurityEngineResult wser
+ AssertionWrapper assertionWrapper
) {
- AssertionWrapper assertionWrapper =
-
(AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
SecurityToken token = new SecurityToken(assertionWrapper.getId());
-
+
SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
if (subjectKeyInfo != null) {
token.setSecret(subjectKeyInfo.getSecret());
@@ -296,7 +315,19 @@ public class IssuedTokenInterceptorProvi
token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
}
token.setToken(assertionWrapper.getElement());
+
+ return token;
+ }
+
+ private SecurityToken createSecurityToken(BinarySecurity
binarySecurityToken) {
+ SecurityToken token = new
SecurityToken(binarySecurityToken.getID());
+ token.setToken(binarySecurityToken.getElement());
+ token.setSecret(binarySecurityToken.getToken());
+ token.setTokenType(binarySecurityToken.getValueType());
+
return token;
}
+
}
+
}
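Review bot: The new createSecurityToken(BinarySecurity) overload has no Javadoc, and it makes two choices a maintainer cannot infer from the name: the token id is taken from `binarySecurityToken.getID()`, which is presumably null when the received BST carries no wsu:Id (verify against the WSS4J implementation), and the raw BST content from `getToken()` is stored as the SecurityToken secret. A short Javadoc stating that the BST bytes become the token secret and that the id may be absent, mirroring the SAML overload's contract, would document that. If a missing id is not acceptable downstream, a guard such as `Objects.requireNonNull(binarySecurityToken.getID(), "BinarySecurityToken has no Id")` would fail fast rather than producing a SecurityToken with a null id.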
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1144400&r1=1144399&r2=1144400&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
Fri Jul 8 17:38:51 2011
@@ -29,11 +29,10 @@ import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.IssuedToken;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
@@ -57,20 +56,16 @@ public class IssuedTokenPolicyValidator
}
public boolean validatePolicy(
- AssertionInfoMap aim,
- WSSecurityEngineResult wser
+ Collection<AssertionInfo> issuedAis,
+ AssertionWrapper assertionWrapper
) {
- Collection<AssertionInfo> issuedAis =
aim.get(SP12Constants.ISSUED_TOKEN);
- if (issuedAis != null && !issuedAis.isEmpty()) {
+ if (issuedAis != null) {
for (AssertionInfo ai : issuedAis) {
- AssertionWrapper assertionWrapper =
-
(AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
ai.setAsserted(true);
boolean tokenRequired = isTokenRequired(issuedToken, message);
- if ((tokenRequired && assertionWrapper == null)
- || (!tokenRequired && assertionWrapper != null)) {
+ if (tokenRequired && assertionWrapper == null) {
ai.setNotAsserted(
"The received token does not match the token inclusion
requirement"
);
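Review bot: The condition change at `if (tokenRequired && assertionWrapper == null) {` drops the branch that previously rejected a token that is present when the inclusion policy says it is not required, and neither the hunk nor the log message says why; the same relaxation is made in the SamlTokenPolicyValidator and UsernameTokenPolicyValidator hunks below. Since this widens what the policy accepts, a comment at the condition in each of the three validators, e.g. `// A token that is present but not required by the inclusion policy is tolerated; only a missing required token fails the assertion`, would record the intent. The removed `!issuedAis.isEmpty()` check is behavior-neutral because the loop does nothing for an empty collection. The rest of validatePolicy continues outside the hunk.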
@@ -100,6 +95,36 @@ public class IssuedTokenPolicyValidator
return true;
}
+ public boolean validatePolicy(
+ Collection<AssertionInfo> issuedAis,
+ BinarySecurity binarySecurityToken
+ ) {
+ if (issuedAis != null) {
+ for (AssertionInfo ai : issuedAis) {
+ IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
+ ai.setAsserted(true);
+
+ boolean tokenRequired = isTokenRequired(issuedToken, message);
+ if (tokenRequired && binarySecurityToken == null) {
+ ai.setNotAsserted(
+ "The received token does not match the token inclusion
requirement"
+ );
+ return false;
+ }
+ if (!tokenRequired) {
+ continue;
+ }
+
+ Element template = issuedToken.getRstTemplate();
+ if (template != null && !checkIssuedTokenTemplate(template,
binarySecurityToken)) {
+ ai.setNotAsserted("Error in validating the IssuedToken
policy");
+ return false;
+ }
+ }
+ }
+ return true;
+ }
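Review bot: The BinarySecurity overload of validatePolicy establishes only that a token is present and, via checkIssuedTokenTemplate, that its ValueType matches the template's TokenType; the `signedResults` this validator is constructed with (see the interceptor provider hunk) are not consulted on this path, so as far as the hunk shows nothing ties the BST to the message signature. Any BinarySecurityToken in the security header with the expected ValueType would therefore satisfy the IssuedToken assertion, whereas the SAML overload presumably goes on to check signature coverage outside this hunk. Either add the same signed-token check for the BST before returning true, or document in a Javadoc on this overload that it validates presence and type only and relies on the caller to enforce signature coverage. The loop body also duplicates the SAML overload's structure almost line for line; a shared private helper taking the received token's nullness and a template-check callback would keep the two paths from drifting apart.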
+
/**
* Check the issued token template against the received assertion
*/
@@ -134,5 +159,23 @@ public class IssuedTokenPolicyValidator
}
return true;
}
+
+ /**
+ * Check the issued token template against the received BinarySecurityToken
+ */
+ private boolean checkIssuedTokenTemplate(Element template, BinarySecurity
binarySecurityToken) {
+ Element child = DOMUtils.getFirstElement(template);
+ while (child != null) {
+ if ("TokenType".equals(child.getLocalName())) {
+ String content = child.getTextContent();
+ String valueType = binarySecurityToken.getValueType();
+ if (!content.equals(valueType)) {
+ return false;
+ }
+ }
+ child = DOMUtils.getNextElement(child);
+ }
+ return true;
+ }
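Review bot: checkIssuedTokenTemplate compares the template's TokenType text to the ValueType with `if (!content.equals(valueType)) {` on the raw result of `getTextContent()`, so a policy file that pretty-prints the element with a line break or surrounding spaces would never match; `String content = child.getTextContent().trim();` would make the comparison robust to formatting. The Javadoc should also state that only the TokenType child of the template is checked for a BinarySecurityToken and that every other template element is ignored, since a reader of the SAML variant above will expect more. A null `valueType` is handled implicitly because `equals(null)` is false, which is worth a one-line comment.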
}
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1144400&r1=1144399&r2=1144400&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Fri Jul 8 17:38:51 2011
@@ -72,8 +72,7 @@ public class SamlTokenPolicyValidator ex
ai.setAsserted(true);
boolean tokenRequired = isTokenRequired(samlToken, message);
- if ((tokenRequired && assertionWrapper == null)
- || (!tokenRequired && assertionWrapper != null)) {
+ if (tokenRequired && assertionWrapper == null) {
ai.setNotAsserted(
"The received token does not match the token inclusion
requirement"
);
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java?rev=1144400&r1=1144399&r2=1144400&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
Fri Jul 8 17:38:51 2011
@@ -56,8 +56,7 @@ public class UsernameTokenPolicyValidato
ai.setAsserted(true);
boolean tokenRequired = isTokenRequired(usernameTokenPolicy,
message);
- if ((tokenRequired && usernameToken == null)
- || (!tokenRequired && usernameToken != null)) {
+ if (tokenRequired && usernameToken == null) {
ai.setNotAsserted(
"The received token does not match the token inclusion
requirement"
);