Author: ffang
Date: Mon Feb 20 10:10:21 2012
New Revision: 1291176
URL: http://svn.apache.org/viewvc?rev=1291176&view=rev
Log:
Merged revisions 1291166-1291167 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1291166 | ffang | 2012-02-20 17:51:20 +0800 (一, 20 2 2012) | 1 line
[CXF-4119] support certificate revocation checking before encryption when using CXF
WS-SecurityPolicy
........
r1291167 | ffang | 2012-02-20 18:01:32 +0800 (一, 20 2 2012) | 1 line
[CXF-4119]support Certificates revocation check before encrypt when use CXF
WS-SecurityPolicy
........
Added:
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
- copied unchanged from r1291167,
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/revocation.properties
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks
- copied unchanged from r1291167,
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CA.jks
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
- copied unchanged from r1291167,
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40CACRL.pem
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks
- copied unchanged from r1291167,
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/wss40rev.jks
Modified:
cxf/branches/2.5.x-fixes/ (props changed)
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified:
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
---
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
(original)
+++
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
Mon Feb 20 10:10:21 2012
@@ -386,6 +386,8 @@ public abstract class SPConstants {
public static final String MUST_SUPPORT_ISSUED_TOKENS =
"MustSupportIssuedTokens";
+ public static final String ENABLE_REVOCATION = "EnableRevocation";
+
public static final String REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION
= "RequireRequestSecurityTokenCollection";
Modified:
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
---
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
(original)
+++
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS10Builder.java
Mon Feb 20 10:10:21 2012
@@ -65,6 +65,8 @@ public class WSS10Builder implements Ass
parent.setMustSupportRefExternalURI(true);
} else if
(SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN.equals(name)) {
parent.setMustSupportRefEmbeddedToken(true);
+ } else if (SPConstants.ENABLE_REVOCATION.equals(name)) {
+ parent.setEnableRevocation(true);
}
child = DOMUtils.getNextElement(child);
}
Modified:
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
---
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
(original)
+++
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/WSS11Builder.java
Mon Feb 20 10:10:21 2012
@@ -75,6 +75,8 @@ public class WSS11Builder implements Ass
} else if
(SPConstants.REQUIRE_SIGNATURE_CONFIRMATION.equals(name)) {
parent.setRequireSignatureConfirmation(true);
+ } else if (SPConstants.ENABLE_REVOCATION.equals(name)) {
+ parent.setEnableRevocation(true);
}
child = DOMUtils.getNextElement(child);
}
Modified:
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
---
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
(original)
+++
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss10.java
Mon Feb 20 10:10:21 2012
@@ -31,6 +31,7 @@ public class Wss10 extends AbstractSecur
private boolean mustSupportRefIssuerSerial;
private boolean mustSupportRefExternalURI;
private boolean mustSupportRefEmbeddedToken;
+ private boolean enableRevocation;
public Wss10(SPConstants version) {
super(version);
@@ -91,6 +92,20 @@ public class Wss10 extends AbstractSecur
public void setMustSupportRefKeyIdentifier(boolean
mustSupportRefKeyIdentifier) {
this.mustSupportRefKeyIdentifier = mustSupportRefKeyIdentifier;
}
+
+ /**
+ * @return Returns the enableRevocation.
+ */
+ public boolean isEnableRevocation() {
+ return enableRevocation;
+ }
+
+ /**
+ * @param enableRevocation The enableRevocation to set.
+ */
+ public void setEnableRevocation(boolean enableRevocation) {
+ this.enableRevocation = enableRevocation;
+ }
public QName getRealName() {
return constants.getWSS10();
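Review bot: The generated Javadoc on `isEnableRevocation`/`setEnableRevocation` ("Returns the enableRevocation.") says nothing about what the flag actually does or where it is consumed, which matters for a security switch. Suggest replacing it with something like `/** Whether the encryption certificate is checked for revocation (via Crypto.verifyTrust) before it is used for encryption; set from the <sp:EnableRevocation/> child assertion of Wss10/Wss11. */`. It would also help to state explicitly that, as wired up in this commit, the flag only affects the outbound encryption path and not signature verification, since the name suggests a broader scope.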
@@ -150,6 +165,13 @@ public class Wss10 extends AbstractSecur
writer.writeEndElement();
}
+
+ if (isEnableRevocation()) {
+ // <sp:EnableRevocation />
+ writer.writeStartElement(prefix, SPConstants.ENABLE_REVOCATION,
namespaceURI);
+ writer.writeEndElement();
+
+ }
// </wsp:Policy>
writer.writeEndElement();
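Review bot: `<sp:EnableRevocation/>` is serialized into the standard WS-SecurityPolicy namespace (`namespaceURI`), yet as far as I can tell it is a CXF-specific assertion that is not defined by the WS-SecurityPolicy 1.1/1.2 schemas. A policy published in WSDL with this element may be rejected by other stacks that validate the child assertions of `Wss10`, so consider either a CXF-owned namespace for it or at least a comment marking it, e.g. `// CXF extension (CXF-4119): not part of the WS-SecurityPolicy schema, only CXF consumers understand it`. The enclosing serialize method starts outside the hunk.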
Modified:
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
---
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
(original)
+++
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Wss11.java
Mon Feb 20 10:10:21 2012
@@ -151,6 +151,13 @@ public class Wss11 extends Wss10 {
writer.writeStartElement(prefix,
SPConstants.REQUIRE_SIGNATURE_CONFIRMATION, namespaceURI);
writer.writeEndElement();
}
+
+ if (isEnableRevocation()) {
+ // <sp:EnableRevocation />
+ writer.writeStartElement(prefix, SPConstants.ENABLE_REVOCATION,
namespaceURI);
+ writer.writeEndElement();
+
+ }
// </wsp:Policy>
writer.writeEndElement();
Modified:
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
---
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Mon Feb 20 10:10:21 2012
@@ -108,6 +108,7 @@ import org.apache.ws.security.WSSecurity
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.conversation.ConversationConstants;
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.handler.WSHandlerConstants;
@@ -1371,9 +1372,31 @@ public abstract class AbstractBindingBui
public Crypto getEncryptionCrypto(TokenWrapper wrapper) throws
WSSecurityException {
- return getCrypto(wrapper,
- SecurityConstants.ENCRYPT_CRYPTO,
- SecurityConstants.ENCRYPT_PROPERTIES);
+ Crypto crypto = getCrypto(wrapper, SecurityConstants.ENCRYPT_CRYPTO,
+ SecurityConstants.ENCRYPT_PROPERTIES);
+ Wss10 wss10 = getWss10();
+ if (wss10 == null) {
+ return crypto;
+ }
+ boolean enableRevocation = wss10.isEnableRevocation();
+ if (enableRevocation && crypto != null) {
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ String encrUser =
(String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
+ if (crypto != null && encrUser == null) {
+ try {
+ encrUser = crypto.getDefaultX509Identifier();
+ } catch (WSSecurityException e1) {
+ throw new Fault(e1);
+ }
+ }
+ cryptoType.setAlias(encrUser);
+ X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
+ if (certs != null && certs.length > 0) {
+ crypto.verifyTrust(certs, enableRevocation);
+ }
+ }
+ return crypto;
+
}
public Crypto getCrypto(
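Review bot: The `catch (WSSecurityException e1)` around `getDefaultX509Identifier()` wraps the exception in a `Fault`, even though `getEncryptionCrypto` already declares `throws WSSecurityException` and the `getX509Certificates`/`verifyTrust` calls a few lines below propagate it unwrapped; drop the try/catch and use `encrUser = crypto.getDefaultX509Identifier();` so callers see one exception type. The inner `crypto != null` test is redundant given the enclosing `enableRevocation && crypto != null` guard. More importantly, when the alias lookup yields no certificate (`certs == null` or empty) the revocation check is skipped silently and the crypto is returned as if it had passed, so if the encryption certificate can be obtained by a route other than `ENCRYPT_USERNAME`/the default identifier (for example a server response encrypted to the request signer's certificate), that certificate would never be checked here — worth either failing closed with a `WSSecurityException` or documenting the limitation. Finally, `verifyTrust(certs, true)` now runs on every outbound message; if the underlying PKIX validation fetches CRLs or contacts an OCSP responder this adds a network round-trip per request, which deserves a comment or a caching strategy.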
Modified:
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
---
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
(original)
+++
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/KeystorePasswordCallback.java
Mon Feb 20 10:10:21 2012
@@ -39,6 +39,7 @@ public class KeystorePasswordCallback im
public KeystorePasswordCallback() {
passwords.put("alice", "password");
passwords.put("bob", "password");
+ passwords.put("wss40rev", "security");
}
/**
Modified:
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
URL:
http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
---
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
(original)
+++
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
Mon Feb 20 10:10:21 2012
@@ -489,4 +489,42 @@ public class SecurityPolicyTest extends
di.setNumberToDouble(5);
assertEquals(10, pt.doubleIt(di, 1).getDoubledNumber());
}
+
+ @Test
+ public void testCXF4119() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+
+ Bus bus = bf.createBus();
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = SecurityPolicyTest.class.getResource("DoubleIt.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+
+ DoubleItPortTypeHeader pt;
+
+ QName portQName = new QName(NAMESPACE, "DoubleItPortCXF4119");
+ pt = service.getPort(portQName, DoubleItPortTypeHeader.class);
+
+ updateAddressPort(pt, PORT);
+
((BindingProvider)pt).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,
+ new
KeystorePasswordCallback());
+
((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+
getClass().getResource("alice.properties"));
+
((BindingProvider)pt).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES,
+
getClass().getResource("revocation.properties"));
+
+ DoubleIt di = new DoubleIt();
+ di.setNumberToDouble(5);
+ try {
+ pt.doubleIt(di, 1);
+ fail("Failure expected on a revoked certificate");
+ } catch (Exception ex) {
+ String errorMessage = ex.getMessage();
+ // Different errors using different JDKs...
+ assertTrue(errorMessage.contains("Certificate has been revoked")
+ || errorMessage.contains("Certificate revocation")
+ || errorMessage.contains("Error during certificate path
validation"));
+ }
+ }
}
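Review bot: `ex.getMessage()` can be null for some exception types, and the broad `catch (Exception ex)` also catches unrelated failures such as a connection error, in which case `errorMessage.contains(...)` throws a NullPointerException and the test fails with a misleading stack trace instead of the intended assertion; guard it with `assertNotNull(errorMessage);` or compare against `String.valueOf(ex.getMessage())`. Matching three different JDK-specific message fragments is brittle; if the cause chain contains a `java.security.cert.CertPathValidatorException`, checking its reason (`BasicReason.REVOKED` on JDK 7+) would pin the expected failure more precisely. The `bus` created at the top of the test is never shut down; consider `bus.shutdown(true)` in a `finally` block if the other tests in this class do so.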
Modified:
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
URL:
http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl?rev=1291176&r1=1291175&r2=1291176&view=diff
==============================================================================
---
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
(original)
+++
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/security/DoubleIt.wsdl
Mon Feb 20 10:10:21 2012
@@ -205,6 +205,24 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItBindingCXF4119" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#CXF4119" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
+
<wsdl:service name="DoubleItService">
@@ -241,6 +259,9 @@
<wsdl:port name="DoubleItPortCXF3452"
binding="tns:DoubleItBindingCXF3452">
<soap:address location="http://localhost:9010/SecPolTestCXF3452" />
</wsdl:port>
+ <wsdl:port name="DoubleItPortCXF4119"
binding="tns:DoubleItBindingCXF4119">
+ <soap:address location="http://localhost:9010/SecPolTestCXF4119" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItBindingPolicy">
@@ -785,5 +806,63 @@
<sp:Header Namespace="http://cxf.apache.org/policytest/DoubleIt"/>
</sp:SignedParts>
</wsp:Policy>
-
+ <wsp:Policy wsu:Id="CXF4119">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding
+
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token
+
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V1Token11 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token
+
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:WssX509V1Token11 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:TripleDesRsa15 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ <sp:EncryptSignature />
+ <sp:OnlySignEntireHeadersAndBody />
+ <sp:EncryptBeforeSigning />
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ <sp:SignedParts
+
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <sp:Body />
+ </sp:SignedParts>
+ <sp:EncryptedParts
+
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <sp:Body />
+ </sp:EncryptedParts>
+ <sp:Wss10
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
+ <wsp:Policy>
+ <sp:MustSupportRefIssuerSerial />
+ <sp:EnableRevocation/>
+ </wsp:Policy>
+ </sp:Wss10>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
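Review bot: The new `CXF4119` policy selects `<sp:TripleDesRsa15 />`, i.e. RSA PKCS#1 v1.5 key transport, which is exposed to Bleichenbacher-style padding-oracle attacks on the encrypted key. For a test fixture this is tolerable, but policies in this WSDL tend to be copied as templates, so unless RSA-1.5 is specifically needed here prefer an RSA-OAEP suite such as `<sp:TripleDes />` or `<sp:Basic128 />`; the assertion in `testCXF4119` is on the revocation failure before encryption, so the suite choice should not change the test outcome. A short XML comment on the `<sp:EnableRevocation/>` line noting that it is a CXF-specific assertion (`<!-- CXF extension: triggers revocation checking of the encryption certificate -->`) would also help readers of the fixture.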
</wsdl:definitions>