Author: coheigea
Date: Fri Sep 23 14:11:29 2011
New Revision: 1174790
URL: http://svn.apache.org/viewvc?rev=1174790&view=rev
Log:
Add support for the SecurityContextToken policy
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1174790&r1=1174789&r2=1174790&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Fri Sep 23 14:11:29 2011
@@ -76,6 +76,7 @@ import org.apache.cxf.ws.security.wss4j.
import
org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
+import
org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
import org.apache.neethi.Assertion;
@@ -625,6 +626,10 @@ public class PolicyBasedWSS4JInIntercept
X509TokenPolicyValidator x509Validator = new
X509TokenPolicyValidator(msg, results);
x509Validator.validatePolicy(aim);
+ SecurityContextTokenPolicyValidator sctValidator =
+ new SecurityContextTokenPolicyValidator(msg, results);
+ sctValidator.validatePolicy(aim);
+
//REVISIT - probably can verify some of these like if UT is encrypted
and/or signed, etc...
assertPolicy(aim, SP12Constants.SIGNED_SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1174790&r1=1174789&r2=1174790&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Fri Sep 23 14:11:29 2011
@@ -84,6 +84,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.model.Layout;
import org.apache.cxf.ws.security.policy.model.SamlToken;
import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
import org.apache.cxf.ws.security.policy.model.SupportingToken;
@@ -487,6 +488,7 @@ public abstract class AbstractBindingBui
} else if (isRequestor()
&& (token instanceof IssuedToken
|| token instanceof SecureConversationToken
+ || token instanceof SecurityContextToken
|| token instanceof KerberosToken)) {
//ws-trust/ws-sc stuff.......
SecurityToken secToken = getSecurityToken();
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1174790&r1=1174789&r2=1174790&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Fri Sep 23 14:11:29 2011
@@ -42,6 +42,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.model.IssuedToken;
import org.apache.cxf.ws.security.policy.model.KerberosToken;
import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.cxf.ws.security.policy.model.TokenWrapper;
@@ -156,7 +157,8 @@ public class SymmetricBindingHandler ext
SecurityToken tok = null;
if (encryptionToken instanceof IssuedToken || encryptionToken
instanceof KerberosToken) {
tok = getSecurityToken();
- } else if (encryptionToken instanceof SecureConversationToken)
{
+ } else if (encryptionToken instanceof SecureConversationToken
+ || encryptionToken instanceof SecurityContextToken) {
tok = getSecurityToken();
} else if (encryptionToken instanceof X509Token) {
if (isRequestor()) {
@@ -268,7 +270,8 @@ public class SymmetricBindingHandler ext
try {
SecurityToken sigTok = null;
if (sigToken != null) {
- if (sigToken instanceof SecureConversationToken) {
+ if (sigToken instanceof SecureConversationToken
+ || sigToken instanceof SecurityContextToken) {
sigTok = getSecurityToken();
} else if (sigToken instanceof IssuedToken || sigToken
instanceof KerberosToken) {
sigTok = getSecurityToken();
@@ -411,7 +414,9 @@ public class SymmetricBindingHandler ext
} else {
if (attached) {
String id = encrTok.getWsuId();
- if (id == null && encrToken instanceof
SecureConversationToken) {
+ if (id == null
+ && (encrToken instanceof SecureConversationToken
+ || encrToken instanceof SecurityContextToken)) {
dkEncr.setTokenIdDirectId(true);
id = encrTok.getId();
} else if (id == null) {
@@ -488,7 +493,9 @@ public class SymmetricBindingHandler ext
String encrTokId = encrTok.getId();
if (attached) {
encrTokId = encrTok.getWsuId();
- if (encrTokId == null && encrToken instanceof
SecureConversationToken) {
+ if (encrTokId == null
+ && (encrToken instanceof SecureConversationToken
+ || encrToken instanceof SecurityContextToken))
{
encr.setEncKeyIdDirectId(true);
encrTokId = encrTok.getId();
} else if (encrTokId == null) {
@@ -614,7 +621,8 @@ public class SymmetricBindingHandler ext
}
dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
} else {
- if (!attached || policyToken instanceof SecureConversationToken) {
+ if (!attached || policyToken instanceof SecureConversationToken
+ || policyToken instanceof SecurityContextToken) {
dkSign.setTokenIdDirectId(true);
}
dkSign.setExternalKey(tok.getSecret(), tok.getId());
@@ -745,7 +753,8 @@ public class SymmetricBindingHandler ext
if (included) {
sigTokId = tok.getWsuId();
if (sigTokId == null) {
- if (policyToken instanceof SecureConversationToken) {
+ if (policyToken instanceof SecureConversationToken
+ || policyToken instanceof SecurityContextToken) {
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
}
sigTokId = tok.getId();
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1174790&r1=1174789&r2=1174790&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Fri Sep 23 14:11:29 2011
@@ -42,6 +42,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.model.KeyValueToken;
import org.apache.cxf.ws.security.policy.model.SamlToken;
import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
import org.apache.cxf.ws.security.policy.model.SupportingToken;
import org.apache.cxf.ws.security.policy.model.Token;
@@ -166,6 +167,7 @@ public class TransportBindingHandler ext
for (Token token : sgndSuppTokens.getTokens()) {
if (token instanceof IssuedToken
|| token instanceof SecureConversationToken
+ || token instanceof SecurityContextToken
|| token instanceof KeyValueToken
|| token instanceof KerberosToken) {
addSig(signatureValues,
doIssuedTokenSignature(token, signdParts,
@@ -203,6 +205,7 @@ public class TransportBindingHandler ext
for (Token token : endSuppTokens.getTokens()) {
if (token instanceof IssuedToken
|| token instanceof SecureConversationToken
+ || token instanceof SecurityContextToken
|| token instanceof KerberosToken) {
addSig(signatureValues,
doIssuedTokenSignature(token,
endSuppTokens
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java?rev=1174790&view=auto
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
(added)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
Fri Sep 23 14:11:29 2011
@@ -0,0 +1,74 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+/**
+ * Validate a WSSecurityEngineResult corresponding to the processing of a
SecurityContextToken
+ * against the appropriate policy.
+ */
+public class SecurityContextTokenPolicyValidator extends
AbstractTokenPolicyValidator {
+
+ private List<WSSecurityEngineResult> sctResults;
+ private Message message;
+
+ public SecurityContextTokenPolicyValidator(Message message,
List<WSSecurityEngineResult> results) {
+ this.message = message;
+ sctResults = new ArrayList<WSSecurityEngineResult>();
+ WSSecurityUtil.fetchAllActionResults(results, WSConstants.SCT,
sctResults);
+ }
+
+ public boolean validatePolicy(AssertionInfoMap aim) {
+ Collection<AssertionInfo> sctAis =
aim.get(SP12Constants.SECURITY_CONTEXT_TOKEN);
+ if (sctAis != null && !sctAis.isEmpty()) {
+ for (AssertionInfo ai : sctAis) {
+ SecurityContextToken sctPolicy =
(SecurityContextToken)ai.getAssertion();
+ ai.setAsserted(true);
+
+ boolean tokenRequired = isTokenRequired(sctPolicy, message);
+
+ if (!tokenRequired) {
+ continue;
+ }
+
+ if (sctResults.isEmpty()) {
+ ai.setNotAsserted(
+ "The received token does not match the token inclusion
requirement"
+ );
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
+}