Author: coheigea
Date: Mon Sep 12 12:03:42 2011
New Revision: 1169706
URL: http://svn.apache.org/viewvc?rev=1169706&view=rev
Log:
[CXF-2924] - Added a policy validator for AlgorithmSuites
- Only checks signatures for the moment.
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java?rev=1169706&r1=1169705&r2=1169706&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java
Mon Sep 12 12:03:42 2011
@@ -69,12 +69,21 @@ public class SamlTokenBuilder implements
if (policyChild instanceof Element) {
QName qname =
new QName(policyChild.getNamespaceURI(),
policyChild.getLocalName());
- if
(SPConstants.SAML_11_TOKEN_10.equals(qname.getLocalPart())) {
+ String localname = qname.getLocalPart();
+ if
(SPConstants.SAML_11_TOKEN_10.equals(localname)) {
samlToken.setUseSamlVersion11Profile10(true);
- } else if
(SPConstants.SAML_11_TOKEN_11.equals(qname.getLocalPart())) {
+ } else if
(SPConstants.SAML_11_TOKEN_11.equals(localname)) {
samlToken.setUseSamlVersion11Profile11(true);
- } else if
(SPConstants.SAML_20_TOKEN_11.equals(qname.getLocalPart())) {
+ } else if
(SPConstants.SAML_20_TOKEN_11.equals(localname)) {
samlToken.setUseSamlVersion20Profile11(true);
+ } else if
(SPConstants.REQUIRE_DERIVED_KEYS.equals(localname)) {
+ samlToken.setDerivedKeys(true);
+ } else if
(SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS.equals(localname)) {
+ samlToken.setExplicitDerivedKeys(true);
+ } else if
(SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS.equals(localname)) {
+ samlToken.setImpliedDerivedKeys(true);
+ } else if
(SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE.equals(localname)) {
+
samlToken.setRequireKeyIdentifierReference(true);
}
}
}
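Review bot: The four new `else if` branches for RequireDerivedKeys, RequireExplicitDerivedKeys, RequireImpliedDerivedKeys and RequireKeyIdentifierReference match on `localname` only; `qname` carries the element's namespace URI but it is never compared, so a same-named element from any namespace, including none, sets the flag. The existing SAML-version branches already behave this way, so this may be deliberate leniency, but for a policy parser it is worth either checking `qname.getNamespaceURI()` against the security-policy namespace the builder is configured with before entering the chain, or stating the choice with a comment such as `// nested assertions are matched on local name only; their namespace is not verified`. The setters `setDerivedKeys`, `setExplicitDerivedKeys` and `setImpliedDerivedKeys` are not declared in this commit's `SamlToken` changes, so they presumably come from the `Token` superclass. The enclosing method starts and ends outside this hunk.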
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java?rev=1169706&r1=1169705&r2=1169706&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java
Mon Sep 12 12:03:42 2011
@@ -29,6 +29,7 @@ public class SamlToken extends Token {
private boolean useSamlVersion11Profile10;
private boolean useSamlVersion11Profile11;
private boolean useSamlVersion20Profile11;
+ private boolean requireKeyIdentifierReference;
public SamlToken(SPConstants version) {
super(version);
@@ -58,6 +59,14 @@ public class SamlToken extends Token {
this.useSamlVersion20Profile11 = useSamlVersion20Profile11;
}
+ public boolean isRequireKeyIdentifierReference() {
+ return requireKeyIdentifierReference;
+ }
+
+ public void setRequireKeyIdentifierReference(boolean
requireKeyIdentifierReference) {
+ this.requireKeyIdentifierReference = requireKeyIdentifierReference;
+ }
+
public QName getName() {
return SP12Constants.INSTANCE.getSamlToken();
}
@@ -106,9 +115,25 @@ public class SamlToken extends Token {
// <sp:WssSamlV11Token11 />
writer.writeStartElement(prefix, SPConstants.SAML_11_TOKEN_11,
namespaceURI);
} else {
- // <sp:WssSamlV20Token11 />
+ // <sp:WssSamlV20Token11 />
writer.writeStartElement(prefix, SPConstants.SAML_20_TOKEN_11,
namespaceURI);
}
+
+ if (isDerivedKeys()) {
+ writer.writeStartElement(prefix,
SPConstants.REQUIRE_DERIVED_KEYS, namespaceURI);
+ writer.writeEndElement();
+ } else if (isExplicitDerivedKeys()) {
+ writer.writeStartElement(prefix,
SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS, namespaceURI);
+ writer.writeEndElement();
+ } else if (isImpliedDerivedKeys()) {
+ writer.writeStartElement(prefix,
SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS, namespaceURI);
+ writer.writeEndElement();
+ }
+
+ if (isRequireKeyIdentifierReference()) {
+ writer.writeStartElement(prefix,
SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE, namespaceURI);
+ writer.writeEndElement();
+ }
writer.writeEndElement();
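Review bot: The new `RequireDerivedKeys`/`RequireExplicitDerivedKeys`/`RequireImpliedDerivedKeys` and `RequireKeyIdentifierReference` elements are written between the `WssSamlV*Token*` `writeStartElement` calls of the version chain and the `writer.writeEndElement()` on the last line, so unless that end element closes something else, they are serialized as children of the version element rather than as sibling assertions under `wsp:Policy`; if so, move `writer.writeEndElement();` up to directly follow the closing `}` of the version chain and place the new blocks after it. Separately, `SamlTokenBuilder` sets the three derived-key flags independently while this writer emits only the first one that is true, so a token parsed with two of them set would not round-trip. I cannot see from the diff what the context lines after this hunk close; the method continues outside the hunk.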
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1169706&r1=1169705&r2=1169706&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Mon Sep 12 12:03:42 2011
@@ -73,6 +73,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.model.X509Token;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
+import
org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
@@ -617,9 +618,9 @@ public class PolicyBasedWSS4JInIntercept
assertHeadersExists(aim, msg, soapHeader);
- assertAsymetricBinding(aim, msg, prots, hasDerivedKeys);
- assertSymetricBinding(aim, msg, prots, hasDerivedKeys);
- assertTransportBinding(aim);
+ assertAsymetricBinding(aim, msg, prots, results, hasDerivedKeys);
+ assertSymmetricBinding(aim, msg, prots, results, hasDerivedKeys);
+ assertTransportBinding(aim, results);
X509TokenPolicyValidator x509Validator = new
X509TokenPolicyValidator(msg, results);
x509Validator.validatePolicy(aim);
@@ -689,9 +690,10 @@ public class PolicyBasedWSS4JInIntercept
}
- private boolean assertSymetricBinding(AssertionInfoMap aim,
+ private boolean assertSymmetricBinding(AssertionInfoMap aim,
SoapMessage message,
Protections prots,
+ List<WSSecurityEngineResult>
results,
Boolean derived) {
Collection<AssertionInfo> ais =
aim.get(SP12Constants.SYMMETRIC_BINDING);
if (ais == null) {
@@ -706,12 +708,20 @@ public class PolicyBasedWSS4JInIntercept
if (prots == Protections.ENCRYPT_SIGN
|| prots == Protections.SIGN_ENCRYPT) {
ai.setNotAsserted("Not encrypted before signed and
then protected");
+ return false;
}
} else if (prots == Protections.SIGN_ENCRYPT) {
- ai.setNotAsserted("Not encrypted before signed");
+ ai.setNotAsserted("Not encrypted before signed");
+ return false;
}
} else if (prots == Protections.ENCRYPT_SIGN) {
- ai.setNotAsserted("Not signed before encrypted");
+ ai.setNotAsserted("Not signed before encrypted");
+ return false;
+ }
+
+ AlgorithmSuitePolicyValidator algorithmValidator = new
AlgorithmSuitePolicyValidator(results);
+ if (!algorithmValidator.validatePolicy(ai,
abinding.getAlgorithmSuite())) {
+ return false;
}
if (abinding.getEncryptionToken() != null) {
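Review bot: `abinding.getAlgorithmSuite()` is handed straight to `validatePolicy`, and the validator dereferences it (`algorithmPolicy.getAsymmetricSignature().equals(...)`) for the first signature result, so a SymmetricBinding whose policy omits `sp:AlgorithmSuite` would surface as a NullPointerException rather than a policy failure; whether the policy builder guarantees the suite is present I cannot tell from this diff. If it does not, a guard before the validator call such as `if (abinding.getAlgorithmSuite() == null) { ai.setNotAsserted("No AlgorithmSuite in binding"); return false; }` keeps the failure inside the policy framework. The same applies to the asymmetric and transport binding hunks. The enclosing method starts outside this hunk.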
@@ -732,6 +742,7 @@ public class PolicyBasedWSS4JInIntercept
private boolean assertAsymetricBinding(AssertionInfoMap aim,
SoapMessage message,
Protections prots,
+ List<WSSecurityEngineResult>
results,
Boolean derived) {
Collection<AssertionInfo> ais =
aim.get(SP12Constants.ASYMMETRIC_BINDING);
if (ais == null) {
@@ -745,13 +756,22 @@ public class PolicyBasedWSS4JInIntercept
if (prots == Protections.ENCRYPT_SIGN
|| prots == Protections.SIGN_ENCRYPT) {
ai.setNotAsserted("Not encrypted before signed and
then protected");
+ return false;
}
} else if (prots == Protections.SIGN_ENCRYPT) {
- ai.setNotAsserted("Not encrypted before signed");
+ ai.setNotAsserted("Not encrypted before signed");
+ return false;
}
} else if (prots == Protections.ENCRYPT_SIGN) {
- ai.setNotAsserted("Not signed before encrypted");
+ ai.setNotAsserted("Not signed before encrypted");
+ return false;
+ }
+
+ AlgorithmSuitePolicyValidator algorithmValidator = new
AlgorithmSuitePolicyValidator(results);
+ if (!algorithmValidator.validatePolicy(ai,
abinding.getAlgorithmSuite())) {
+ return false;
}
+
if (abinding.getInitiatorToken() != null) {
assertPolicy(aim, abinding.getInitiatorToken());
assertPolicy(aim, abinding.getInitiatorToken().getToken(),
derived);
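Review bot: The algorithm-suite block added here is identical to the one added to `assertSymmetricBinding`, and a third copy goes into `assertTransportBinding`; each constructs its own `AlgorithmSuitePolicyValidator(results)`, whose constructor rescans `results` for SIGN, ENCR and DKT actions, so the same list is walked three times per message. Consider constructing the validator once in the caller, next to the `X509TokenPolicyValidator`, and passing it to the three `assert*Binding` methods, or extracting a private `checkAlgorithmSuite(AssertionInfo ai, AlgorithmSuite suite, List<WSSecurityEngineResult> results)` helper. The method continues past this hunk.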
@@ -763,7 +783,7 @@ public class PolicyBasedWSS4JInIntercept
}
return true;
}
- private boolean assertTransportBinding(AssertionInfoMap aim) {
+ private boolean assertTransportBinding(AssertionInfoMap aim,
List<WSSecurityEngineResult> results) {
Collection<AssertionInfo> ais =
aim.get(SP12Constants.TRANSPORT_BINDING);
if (ais == null) {
return true;
@@ -776,6 +796,11 @@ public class PolicyBasedWSS4JInIntercept
assertPolicy(aim, binding.getTransportToken());
assertPolicy(aim, binding.getTransportToken().getToken());
}
+
+ AlgorithmSuitePolicyValidator algorithmValidator = new
AlgorithmSuitePolicyValidator(results);
+ if (!algorithmValidator.validatePolicy(ai,
binding.getAlgorithmSuite())) {
+ return false;
+ }
}
assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java?rev=1169706&view=auto
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
(added)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
Mon Sep 12 12:03:42 2011
@@ -0,0 +1,104 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+/**
+ * Validate a WSSecurityEngineResult corresponding to the processing of a
Signature, EncryptedKey,
+ * EncryptedData or DerivedKey structure against an AlgorithmSuite policy.
+ */
+public class AlgorithmSuitePolicyValidator extends
AbstractTokenPolicyValidator {
+
+ private List<WSSecurityEngineResult> algorithmResults;
+
+ public AlgorithmSuitePolicyValidator(
+ List<WSSecurityEngineResult> results
+ ) {
+ algorithmResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN,
algorithmResults);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.ENCR,
algorithmResults);
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.DKT,
algorithmResults);
+ }
+
+ public boolean validatePolicy(
+ AssertionInfo aiBinding, AlgorithmSuite algorithmPolicy
+ ) {
+ for (WSSecurityEngineResult result : algorithmResults) {
+ Integer actInt =
(Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+ if (WSConstants.SIGN == actInt
+ && !checkSignatureAlgorithms(result, algorithmPolicy,
aiBinding)) {
+ return false;
+ }
+ }
+ return true;
+ }
+
+ /**
+ * Check the Signature Algorithms
+ */
+ private boolean checkSignatureAlgorithms(
+ WSSecurityEngineResult result,
+ AlgorithmSuite algorithmPolicy,
+ AssertionInfo ai
+ ) {
+ String signatureMethod =
+ (String)result.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD);
+ if (!algorithmPolicy.getAsymmetricSignature().equals(signatureMethod)
+ &&
!algorithmPolicy.getSymmetricSignature().equals(signatureMethod)) {
+ ai.setNotAsserted(
+ "The signature method does not match the requirement"
+ );
+ return false;
+ }
+ String c14nMethod =
+
(String)result.get(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD);
+ if (!algorithmPolicy.getInclusiveC14n().equals(c14nMethod)) {
+ ai.setNotAsserted(
+ "The c14n method does not match the requirement"
+ );
+ return false;
+ }
+
+ List<WSDataRef> dataRefs =
+
CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ for (WSDataRef dataRef : dataRefs) {
+ String digestMethod = dataRef.getDigestAlgorithm();
+ if (!algorithmPolicy.getDigest().equals(digestMethod)) {
+ ai.setNotAsserted(
+ "The digest method does not match the requirement"
+ );
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+}
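Review bot: `checkSignatureAlgorithms` accepts a SignatureMethod equal to either `getAsymmetricSignature()` or `getSymmetricSignature()` of the suite without knowing which binding is being asserted, so under a SymmetricBinding an RSA-signed message passes and under an AsymmetricBinding an HMAC one does; the binding kind (or the signing token type from the `WSSecurityEngineResult`) needs to be an input so that exactly one expected algorithm is selected. The class Javadoc says the validator covers Signature, EncryptedKey, EncryptedData and DerivedKey structures, and the constructor collects ENCR and DKT results, but `validatePolicy` inspects only SIGN actions; the Javadoc should say `Currently only Signature results are checked; ENCR and DKT results are collected but not yet validated.` The three `setNotAsserted` messages would be far more useful in triage if they named the observed and required values, e.g. `"The signature method " + signatureMethod + " does not match the requirement"`. If a SIGN result ever lacks `TAG_DATA_REF_URIS`, `dataRefs` is null and the for loop throws NullPointerException, so a null guard is cheap; and neither the signature's Reference transforms nor the signing key length that an AlgorithmSuite also constrains are checked yet, which the "only signatures" scope note in the log does not cover.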