Author: coheigea Date: Mon Jul 9 10:57:26 2012 New Revision: 1359055 URL: http://svn.apache.org/viewvc?rev=1359055&view=rev Log: Merged revisions 1359043 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/branches/2.6.x-fixes
........ r1359043 | coheigea | 2012-07-09 11:45:42 +0100 (Mon, 09 Jul 2012) | 10 lines Merged revisions 1359033 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/trunk ........ r1359033 | coheigea | 2012-07-09 11:27:52 +0100 (Mon, 09 Jul 2012) | 2 lines [CXF-4410] - sp:EncryptSignature policy validation should only check to see if the primary signature is encrypted ........ ........ Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/DoubleIt.wsdl cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-client.xml cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-service.xml Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java?rev=1359055&r1=1359054&r2=1359055&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java Mon Jul 9 10:57:26 2012 
@@ -313,13 +313,20 @@ public abstract class AbstractBindingPol
     }
 
     /**
-     * Check whether all Signature (and SignatureConfirmation) elements were encrypted
+     * Check whether the primary Signature (and all SignatureConfirmation) elements were encrypted
      */
     protected boolean isSignatureEncrypted(List<WSSecurityEngineResult> results) {
-        for (WSSecurityEngineResult result : results) {
+        boolean foundPrimarySignature = false;
+        for (int i = results.size() - 1; i >= 0; i--) {
+            WSSecurityEngineResult result = results.get(i);
             Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.SIGN
-                || actInt.intValue() == WSConstants.SC) {
+            if (actInt.intValue() == WSConstants.SIGN && !foundPrimarySignature) {
+                foundPrimarySignature = true;
+                String sigId = (String)result.get(WSSecurityEngineResult.TAG_ID);
+                if (sigId == null || !isIdEncrypted(sigId, results)) {
+                    return false;
+                }
+            } else if (actInt.intValue() == WSConstants.SC) {
                 String sigId = (String)result.get(WSSecurityEngineResult.TAG_ID);
                 if (sigId == null || !isIdEncrypted(sigId, results)) {
                     return false;
Modified: cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java?rev=1359055&r1=1359054&r2=1359055&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java (original)
+++ cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/x509_symmetric/X509SymmetricBindingTest.java Mon Jul 9 10:57:26 2012
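Review bot: The reverse loop `for (int i = results.size() - 1; i >= 0; i--)` encodes an ordering assumption — that the SIGN result met first when walking backwards is the message's primary signature — and nothing in the hunk records it, so a later change to the iteration order would silently weaken the EncryptSignature check. I would add above the loop: `// Iterate backwards: the first SIGN result found this way is taken to be the primary signature (TODO confirm this matches the WSS4J result ordering in use); later (endorsing) signatures are not subject to EncryptSignature.` The SIGN and SC branches now carry byte-identical bodies; folding the condition into one test, `if ((actInt.intValue() == WSConstants.SIGN && !foundPrimarySignature) || actInt.intValue() == WSConstants.SC) {` with `foundPrimarySignature = true;` set when the action is SIGN, would remove the duplication. The unboxing `actInt.intValue()` still throws a bare NullPointerException if `TAG_ACTION` is absent from a result; that predates this change but is worth a null check while the method is being touched. The tail of `isSignatureEncrypted` is outside the hunk.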
@@ -129,6 +129,31 @@ public class X509SymmetricBindingTest ex bus.shutdown(true); } + + @org.junit.Test + public void testX509SAML2Endorsing() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = X509SymmetricBindingTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = X509SymmetricBindingTest.class.getResource("DoubleIt.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItSymmetricSAML2EndorsingPort"); + DoubleItPortType symmetricSaml2Port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(symmetricSaml2Port, PORT); + if (standalone) { + TokenTestUtils.updateSTSPort((BindingProvider)symmetricSaml2Port, STSPORT2); + } + + doubleIt(symmetricSaml2Port, 30); + + bus.shutdown(true); + } private static void doubleIt(DoubleItPortType port, int numToDouble) { int resp = port.doubleIt(numToDouble); Modified: cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/DoubleIt.wsdl URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/DoubleIt.wsdl?rev=1359055&r1=1359054&r2=1359055&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/DoubleIt.wsdl (original) +++ cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/DoubleIt.wsdl Mon Jul 9 10:57:26 2012 
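Review bot: `bus.shutdown(true)` at the end of `testX509SAML2Endorsing` only runs when `doubleIt` succeeds; because the method first installs the bus through `SpringBusFactory.setDefaultBus` and `setThreadDefaultBus`, a failing assertion leaves that bus as the default for whatever test runs next, which can turn one failure into several unrelated ones. Wrapping the body from `Bus bus = bf.createBus(busFile.toString());` onward in `try { ... } finally { bus.shutdown(true); }` makes the cleanup unconditional; the existing tests in this file appear to share the same shape (their bodies are outside the hunk), so it may be worth doing for all of them in one pass. `busFile` and `wsdl` from `getResource` are dereferenced without a null check, so a missing classpath resource surfaces as a bare NullPointerException rather than a message naming the file; `Objects.requireNonNull(wsdl, "DoubleIt.wsdl not found on classpath")` would do.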
@@ -60,6 +60,22 @@ </wsdl:output> </wsdl:operation> </wsdl:binding> + <wsdl:binding name="DoubleItSymmetricSAML2EndorsingBinding" type="tns:DoubleItPortType"> + <wsp:PolicyReference URI="#DoubleItSymmetricBindingSAML2EndorsingPolicy" /> + <soap:binding style="document" + transport="http://schemas.xmlsoap.org/soap/http" /> + <wsdl:operation name="DoubleIt"> + <soap:operation soapAction="" /> + <wsdl:input> + <soap:body use="literal" /> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy" /> + </wsdl:input> + <wsdl:output> + <soap:body use="literal" /> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy" /> + </wsdl:output> + </wsdl:operation> + </wsdl:binding> <wsdl:service name="DoubleItService"> <wsdl:port name="DoubleItSymmetricSAML1Port" binding="tns:DoubleItSymmetricSAML1Binding"> @@ -70,6 +86,11 @@ <soap:address location="http://localhost:8082/doubleit/services/doubleitsymmetricsaml2" /> </wsdl:port> + <wsdl:port name="DoubleItSymmetricSAML2EndorsingPort" + binding="tns:DoubleItSymmetricSAML2EndorsingBinding"> + <soap:address + location="http://localhost:8082/doubleit/services/doubleitsymmetricsaml2endorsing" /> + </wsdl:port> </wsdl:service> <wsp:Policy wsu:Id="DoubleItSymmetricBindingSAML1Policy"> 
@@ -209,6 +230,87 @@ </wsp:ExactlyOne> </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItSymmetricBindingSAML2EndorsingPolicy"> + <wsp:ExactlyOne> + <wsp:All> + <wsam:Addressing wsp:Optional="false"> + <wsp:Policy /> + </wsam:Addressing> + <sp:SymmetricBinding> + <wsp:Policy> + <sp:ProtectionToken> + <wsp:Policy> + <sp:X509Token + sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"> + <wsp:Policy> + <sp:RequireThumbprintReference/> + <sp:WssX509V3Token10/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:ProtectionToken> + <sp:Layout> + <wsp:Policy> + <sp:Lax /> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp /> + <sp:OnlySignEntireHeadersAndBody /> + <sp:EncryptSignature /> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic128 /> + </wsp:Policy> + </sp:AlgorithmSuite> + </wsp:Policy> + </sp:SymmetricBinding> + <sp:EndorsingSupportingTokens> + <wsp:Policy> + <sp:IssuedToken + sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> + <sp:RequestSecurityTokenTemplate> + <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType> + <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType> + <t:KeySize>128</t:KeySize> + </sp:RequestSecurityTokenTemplate> + <wsp:Policy> + <sp:RequireInternalReference /> + </wsp:Policy> + <sp:Issuer> + <wsaw:Address>http://localhost:8080/SecurityTokenService/UT + </wsaw:Address> + <wsaw:Metadata> + <wsx:Metadata> + <wsx:MetadataSection> + <wsx:MetadataReference> + <wsaw:Address>http://localhost:8080/SecurityTokenService/UT/mex + </wsaw:Address> + </wsx:MetadataReference> + </wsx:MetadataSection> + </wsx:Metadata> + </wsaw:Metadata> + </sp:Issuer> + </sp:IssuedToken> + </wsp:Policy> + </sp:EndorsingSupportingTokens> + <sp:Wss11> + <wsp:Policy> + <sp:MustSupportRefIssuerSerial /> + <sp:MustSupportRefThumbprint /> + <sp:MustSupportRefEncryptedKey /> + </wsp:Policy> + 
</sp:Wss11> + <sp:Trust13> + <wsp:Policy> + <sp:MustSupportIssuedTokens /> + <sp:RequireClientEntropy /> + <sp:RequireServerEntropy /> + </wsp:Policy> + </sp:Trust13> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy"> <wsp:ExactlyOne> <wsp:All> Modified: cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-client.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-client.xml?rev=1359055&r1=1359054&r2=1359055&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-client.xml (original) +++ cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-client.xml Mon Jul 9 10:57:26 2012 
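Review bot: The `sp:Issuer` address in `DoubleItSymmetricBindingSAML2EndorsingPolicy` (`http://localhost:8080/SecurityTokenService/UT`, plus the `/mex` metadata reference) names the UT endpoint of the STS, whereas the client configuration added to cxf-client.xml for this same port wires an explicit STSClient at `http://localhost:8080/SecurityTokenService/X509?wsdl`. If the explicit STSClient takes precedence at runtime, as seems to be the intent, the Issuer element is effectively inert for this test and a short XML comment saying so (or pointing it at the X509 port) would save the next reader from trying to reconcile the two. The policy keeps `<sp:EncryptSignature />` on the symmetric binding while adding an `sp:EndorsingSupportingTokens` issued token, which is precisely the case the validator change in this commit targets; a one-line comment on the policy element tying it to CXF-4410 would make the test's purpose discoverable from the WSDL itself.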
@@ -89,5 +89,34 @@ http://cxf.apache.org/configuration/secu </jaxws:properties> </jaxws:client> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricSAML2EndorsingPort" + createdFromAPI="true"> + <jaxws:properties> + <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/> + <entry key="ws-security.encryption.username" value="myservicekey"/> + <entry key="ws-security.sts.client"> + <bean class="org.apache.cxf.ws.security.trust.STSClient"> + <constructor-arg ref="cxf"/> + <property name="wsdlLocation" + value="http://localhost:8080/SecurityTokenService/X509?wsdl"/> + <property name="serviceName" + value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/> + <property name="endpointName" + value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}X509_Port"/> + <property name="properties"> + <map> + <entry key="ws-security.signature.username" value="myclientkey"/> + <entry key="ws-security.callback-handler" + value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/> + <entry key="ws-security.signature.properties" value="clientKeystore.properties"/> + <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/> + <entry key="ws-security.encryption.username" value="mystskey"/> + </map> + </property> + </bean> + </entry> + </jaxws:properties> + </jaxws:client> + </beans> Modified: cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-service.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-service.xml?rev=1359055&r1=1359054&r2=1359055&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-service.xml (original) +++ 
cxf/branches/2.5.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/x509_symmetric/cxf-service.xml Mon Jul 9 10:57:26 2012 @@ -77,5 +77,21 @@ </jaxws:properties> </jaxws:endpoint> + <jaxws:endpoint id="doubleitsymmetricsaml2endorsing" + implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" + endpointName="s:DoubleItSymmetricSAML2EndorsingPort" + serviceName="s:DoubleItService" + address="http://localhost:${testutil.ports.Server}/doubleit/services/doubleitsymmetricsaml2endorsing" + wsdlLocation="org/apache/cxf/systest/sts/x509_symmetric/DoubleIt.wsdl" + xmlns:s="http://www.example.org/contract/DoubleIt"> + + <jaxws:properties> + <entry key="ws-security.callback-handler" + value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/> + <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/> + <entry key="ws-security.is-bsp-compliant" value="false"/> + </jaxws:properties> + </jaxws:endpoint> + </beans>
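Review bot: `<entry key="ws-security.is-bsp-compliant" value="false"/>` on the new `doubleitsymmetricsaml2endorsing` endpoint relaxes validation of the inbound security header without any comment saying why this endpoint needs it; the reason should be recorded next to the setting, e.g. `<!-- BSP compliance disabled for this endpoint because [REASON — fill in] -->`, so that nobody copies the line into a non-test configuration by habit. The endpoint declares only `ws-security.signature.properties` and no `ws-security.encryption.properties`; if CXF falls back to the signature crypto for decryption that is fine, but a comment confirming the fallback is relied upon would make the configuration self-explanatory.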
