Author: coheigea Date: Thu Aug 2 15:24:07 2012 New Revision: 1368529 URL: http://svn.apache.org/viewvc?rev=1368529&view=rev Log: Merged revisions 1368499 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/branches/2.5.x-fixes
........ r1368499 | coheigea | 2012-08-02 15:54:30 +0100 (Thu, 02 Aug 2012) | 18 lines Merged revisions 1368492 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/branches/2.6.x-fixes ........ r1368492 | coheigea | 2012-08-02 15:41:04 +0100 (Thu, 02 Aug 2012) | 10 lines Merged revisions 1368484 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/trunk ........ r1368484 | coheigea | 2012-08-02 15:25:12 +0100 (Thu, 02 Aug 2012) | 2 lines [CXF-4453] - Make the CryptoCoverageChecker easier to use for common signature verification use-cases ........ ........ ........ Added: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SignatureCoverageChecker.java cxf/branches/2.4.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SignatureCheckerTest.java cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/SignatureCoverageCheckerTest.java cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/server/ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/server/Server.java cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/ 
cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java?rev=1368529&r1=1368528&r2=1368529&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java Thu Aug 2 15:24:07 2012
@@ -216,6 +216,18 @@ public class CryptoCoverageChecker exten
 this.xPaths.addAll(xpaths);
 }
 }
+
+ /**
+ * Adds the XPath expressions to check for, adding to any previously
+ * set expressions.
+ *
+ * @param xPaths the XPath expressions to check for
+ */
+ public final void addXPaths(List<XPathExpression> xpaths) {
+ if (xpaths != null) {
+ this.xPaths.addAll(xpaths);
+ }
+ }
 /**
 * Sets the mapping of namespace prefixes to namespace URIs, clearing all previously
@@ -229,6 +241,18 @@ public class CryptoCoverageChecker exten
 this.prefixMap.putAll(prefixes);
 }
 }
+
+ /**
+ * Adds the mapping of namespace prefixes to namespace URIs, adding to any previously
+ * set mappings.
+ *
+ * @param prefixes the mapping of namespace prefixes to namespace URIs
+ */
+ public final void addPrefixes(Map<String, String> prefixes) {
+ if (prefixes != null) {
+ this.prefixMap.putAll(prefixes);
+ }
+ }
 /**
 * A simple wrapper for an XPath expression and coverage type / scope
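Review bot: The Javadoc on the new addXPaths method documents `@param xPaths` while the parameter is declared `xpaths`, so the tag names a parameter that does not exist and javadoc/checkstyle will report it; change it to `@param xpaths the XPath expressions to check for (a null argument adds nothing)`. The trailing clause also records the null-is-a-no-op behaviour that the `if (xpaths != null)` guard gives and that the new SignatureCheckerTest relies on when it passes null. The enclosing CryptoCoverageChecker class begins outside the hunk.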
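Review bot: addPrefixes uses `putAll`, so a prefix that is already bound (for example by a subclass that registered its own expressions, as the new SignatureCoverageChecker does for `soapenv`, `soapenv12`, `wsu` and `wsse`) is silently rebound to the new URI; if, as the field names suggest, the prefix map is consulted when the expressions are evaluated rather than when they are added, that changes what every previously added expression matches. This deserves a sentence in the Javadoc, e.g. `Mappings for prefixes that are already present replace the existing ones, which also affects XPath expressions added earlier.` If rebinding is never intended, a check that refuses or logs a conflicting prefix would be the safer contract, but that is a behaviour change and should be a separate decision.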
@@ -254,6 +278,23 @@ public class CryptoCoverageChecker exten
 /**
 * Create a new expression indicating a cryptographic coverage
+ * requirement with {@code scope} {@link CoverageScope#ELEMENT}.
+ *
+ * @param xPath
+ * the XPath expression
+ * @param type
+ * the type of coverage that the expression is meant to
+ * enforce
+ *
+ * @throws NullPointerException
+ * if {@code xPath} or {@code type} is {@code null}
+ */
+ public XPathExpression(String xPath, CoverageType type) {
+ this(xPath, type, CoverageScope.ELEMENT);
+ }
+
+ /**
+ * Create a new expression indicating a cryptographic coverage
 * requirement. If {@code type} is {@link CoverageType#SIGNED}, the
 * {@code scope} {@link CoverageScope#CONTENT} does not represent a
 * configuration supported in WS-Security.
Added: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SignatureCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SignatureCoverageChecker.java?rev=1368529&view=auto
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SignatureCoverageChecker.java (added)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SignatureCoverageChecker.java Thu Aug 2 15:24:07 2012
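Review bot: The new two-argument XPathExpression constructor documents `@throws NullPointerException if xPath or type is null`, but its whole body is `this(xPath, type, CoverageScope.ELEMENT)`, so whether that exception is actually thrown depends on the three-argument constructor, which lies outside this hunk. If that constructor does not validate its arguments the tag is misleading; either confirm it does, or make the claim true in place with `this(Objects.requireNonNull(xPath, "xPath"), Objects.requireNonNull(type, "type"), CoverageScope.ELEMENT);`, which is allowed because the checks are expressions inside the delegating call. The enclosing XPathExpression class starts and ends outside the hunk.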
@@ -0,0 +1,74 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.wss4j;
+
+ import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
+import org.apache.ws.security.WSConstants;
+
+/**
+ * This utility extends the CryptoCoverageChecker to provide an easy way to check to see
+ * if the SOAP (1.1 + 1.2) Body and Timestamp were signed.
+ */
+public class SignatureCoverageChecker extends CryptoCoverageChecker {
+
+ public static final String SOAP_NS = WSConstants.URI_SOAP11_ENV;
+ public static final String SOAP12_NS = WSConstants.URI_SOAP12_ENV;
+ public static final String WSU_NS = WSConstants.WSU_NS;
+ public static final String WSSE_NS = WSConstants.WSSE_NS;
+
+ /**
+ * Creates a new instance. Enforces that the SOAP Body and Timestamp must be signed
+ * (if they exist in the message body).
+ */
+ public SignatureCoverageChecker(
+ boolean signBody, boolean signTimestamp
+ ) {
+ super(null, null);
+
+ if (signBody) {
+ XPathExpression bodyExpression =
+ new XPathExpression("/soapenv:Envelope/soapenv:Body", CoverageType.SIGNED);
+ xPaths.add(bodyExpression);
+ bodyExpression =
+ new XPathExpression("/soapenv12:Envelope/soapenv12:Body", CoverageType.SIGNED);
+ xPaths.add(bodyExpression);
+ }
+ if (signTimestamp) {
+ XPathExpression timestampExpression =
+ new XPathExpression(
+ "/soapenv:Envelope/soapenv:Header/wsse:Security/wsu:Timestamp",
+ CoverageType.SIGNED
+ );
+ xPaths.add(timestampExpression);
+ timestampExpression =
+ new XPathExpression(
+ "/soapenv12:Envelope/soapenv12:Header/wsse:Security/wsu:Timestamp",
+ CoverageType.SIGNED
+ );
+ xPaths.add(timestampExpression);
+ }
+
+ prefixMap.put("soapenv", SOAP_NS);
+ prefixMap.put("soapenv12", SOAP12_NS);
+ prefixMap.put("wsu", WSU_NS);
+ prefixMap.put("wsse", WSSE_NS);
+ }
+
+}
Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1368529&r1=1368528&r2=1368529&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Thu Aug 2 15:24:07 2012
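Review bot: The constructor Javadoc says the Body and Timestamp must be signed "(if they exist in the message body)", which means a message that carries no wsu:Timestamp at all satisfies the `signTimestamp` requirement — the checker enforces coverage of elements that are present, not their presence — and that limitation should be stated explicitly together with the missing `@param` tags, e.g. `@param signTimestamp require the wsu:Timestamp, when present, to be signed; its presence must be enforced separately (WSS4J action list or WS-SecurityPolicy)`. After `super(null, null)` the constructor writes to the inherited `xPaths` and `prefixMap` fields directly; calling the `addXPaths`/`addPrefixes` methods this commit adds to CryptoCoverageChecker would keep the subclass on the public contract and make the prefix-rebinding effect of `putAll` visible at the call site. The four `public static final` namespace constants merely alias `WSConstants` values and could be private unless they are intended as API.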
@@ -348,13 +348,26 @@ public class WSS4JInInterceptor extends List<WSSecurityEngineResult> wsResult, List<Integer> actions ) throws WSSecurityException { - /* - * now check the security actions: do they match, in any order? - */ - if (!ignoreActions && !checkReceiverResultsAnyOrder(wsResult, actions)) { + if (ignoreActions) { + // Not applicable for the WS-SecurityPolicy case + return; + } + + // now check the security actions: do they match, in any order? + if (!checkReceiverResultsAnyOrder(wsResult, actions)) { LOG.warning("Security processing failed (actions mismatch)"); throw new WSSecurityException(WSSecurityException.INVALID_SECURITY); } + + // Now check to see if SIGNATURE_PARTS are specified + String signatureParts = + (String)getProperty(msg, WSHandlerConstants.SIGNATURE_PARTS); + if (signatureParts != null) { + String warning = "To enforce that particular elements were signed you must either " + + "use WS-SecurityPolicy, or else use the CryptoCoverageChecker or " + + "SignatureCoverageChecker"; + LOG.warning(warning); + } } private void storeSignature( Added: cxf/branches/2.4.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SignatureCheckerTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SignatureCheckerTest.java?rev=1368529&view=auto ============================================================================== --- cxf/branches/2.4.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SignatureCheckerTest.java (added) +++ cxf/branches/2.4.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SignatureCheckerTest.java Thu Aug 2 15:24:07 2012 
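Review bot: The SIGNATURE_PARTS warning is emitted each time this method runs, and since it takes the per-message `wsResult` it appears to execute for every inbound message (the enclosing method's signature begins outside the hunk), so one misconfiguration floods the log with an identical line. Reading the property once when the interceptor is configured, or remembering that the warning has already been logged, would keep the signal without the noise. The message is worth keeping at WARNING because an inbound `signatureParts` setting that is silently ignored gives a false sense that element coverage is being enforced; it would help to say so explicitly, e.g. appending `" - the signatureParts setting has no effect on inbound messages"`.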
@@ -0,0 +1,137 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.ws.security.wss4j; + + +import java.util.Arrays; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import org.w3c.dom.Document; + +import org.apache.cxf.binding.soap.SoapMessage; +import org.apache.cxf.interceptor.Fault; +import org.apache.cxf.phase.PhaseInterceptor; +import org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker.XPathExpression; +import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope; +import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType; +import org.apache.ws.security.handler.WSHandlerConstants; +import org.junit.Test; + +/** + * Test the SignatureCoverageChecker, which extends the CryptoCoverageChecker to provide + * an easier way to check to see if the SOAP Body and Timestamp were signed. 
+ */ +public class SignatureCheckerTest extends AbstractSecurityTest { + + @Test + public void testSignedWithIncompleteCoverage() throws Exception { + this.runInterceptorAndValidate( + "signed_x509_issuer_serial_missing_signed_header.xml", + this.getPrefixes(), + Arrays.asList(new XPathExpression( + "//ser:Header", CoverageType.SIGNED, CoverageScope.ELEMENT)), + false); + + // This is mostly testing that things work with no prefixes. + this.runInterceptorAndValidate( + "signed_x509_issuer_serial_missing_signed_header.xml", + null, + Arrays.asList(new XPathExpression( + "//*", CoverageType.SIGNED, CoverageScope.ELEMENT)), + false); + + // This fails as the SOAP Body is not signed + this.runInterceptorAndValidate( + "signed_x509_issuer_serial_missing_signed_header.xml", + null, + null, + false); + } + + @Test + public void testSignedWithCompleteCoverage() throws Exception { + this.runInterceptorAndValidate( + "signed_x509_issuer_serial.xml", + null, + null, + true); + + this.runInterceptorAndValidate( + "signed_x509_issuer_serial.xml", + this.getPrefixes(), + Arrays.asList(new XPathExpression( + "//ser:Header", CoverageType.SIGNED, CoverageScope.ELEMENT)), + true); + } + + private Map<String, String> getPrefixes() { + final Map<String, String> prefixes = new HashMap<String, String>(); + prefixes.put("ser", "http://www.sdj.pl"); + + return prefixes; + } + + private void runInterceptorAndValidate( + String document, + Map<String, String> prefixes, + List<XPathExpression> xpaths, + boolean pass) throws Exception { + + final Document doc = this.readDocument(document); + final SoapMessage msg = this.getSoapMessageForDom(doc); + final SignatureCoverageChecker checker = + new SignatureCoverageChecker(true, true); + checker.addPrefixes(prefixes); + checker.addXPaths(xpaths); + final PhaseInterceptor<SoapMessage> wss4jInInterceptor = this.getWss4jInInterceptor(); + + wss4jInInterceptor.handleMessage(msg); + + try { + checker.handleMessage(msg); + if (!pass) { + fail("Passed 
interceptor erroneously."); + } + } catch (Fault e) { + if (pass) { + fail("Failed interceptor erroneously."); + } + + assertTrue(e.getMessage().contains("element found matching XPath")); + } + } + + private PhaseInterceptor<SoapMessage> getWss4jInInterceptor() { + final WSS4JInInterceptor inHandler = new WSS4JInInterceptor(true); + final String action = WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT; + + inHandler.setProperty(WSHandlerConstants.ACTION, action); + inHandler.setProperty(WSHandlerConstants.SIG_PROP_FILE, + "insecurity.properties"); + inHandler.setProperty(WSHandlerConstants.DEC_PROP_FILE, + "insecurity.properties"); + inHandler.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, + TestPwdCallback.class.getName()); + inHandler.setProperty(WSHandlerConstants.IS_BSP_COMPLIANT, "false"); + + return inHandler; + } +} Added: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/SignatureCoverageCheckerTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/SignatureCoverageCheckerTest.java?rev=1368529&view=auto ============================================================================== --- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/SignatureCoverageCheckerTest.java (added) +++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/SignatureCoverageCheckerTest.java Thu Aug 2 15:24:07 2012 
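Review bot: Every case constructs `new SignatureCoverageChecker(true, true)`, so neither the `signBody=false` / `signTimestamp=false` branches nor the documented "if they exist" behaviour for a message without a Timestamp are exercised; a case that runs a document lacking a wsu:Timestamp through the checker and asserts the expected outcome would pin the contract the checker is meant to provide. The failing path asserts only `e.getMessage().contains("element found matching XPath")`, which does not say which registered expression tripped; also asserting that the message names the expected element (e.g. `Body`) would catch a regression where the wrong expression fails. The SOAP 1.2 expressions are covered only by the system test, not here.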
@@ -0,0 +1,335 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.systest.ws.coverage_checker; + +import java.net.URL; +import java.util.HashMap; +import java.util.Map; + +import javax.crypto.Cipher; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import javax.xml.namespace.QName; +import javax.xml.ws.Service; + +import org.apache.cxf.Bus; +import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.systest.ws.common.SecurityTestUtil; +import org.apache.cxf.systest.ws.coverage_checker.server.Server; +import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; +import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor; +import org.example.contract.doubleit.DoubleItPortType; +import org.junit.BeforeClass; + +/** + * A set of tests for the SignatureCoverageChecker. 
+ */ +public class SignatureCoverageCheckerTest extends AbstractBusClientServerTestBase { + public static final String PORT = allocatePort(Server.class); + + private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt"; + private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService"); + + private boolean unrestrictedPoliciesInstalled = checkUnrestrictedPoliciesInstalled(); + + @BeforeClass + public static void startServers() throws Exception { + assertTrue( + "Server failed to launch", + // run the server in the same process + // set this to false to fork + launchServer(Server.class, true) + ); + } + + @org.junit.AfterClass + public static void cleanup() throws Exception { + SecurityTestUtil.cleanup(); + stopAllServers(); + } + + @org.junit.Test + public void testSignedBodyTimestamp() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SignatureCoverageCheckerTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = SignatureCoverageCheckerTest.class.getResource("DoubleItCoverageChecker.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItBodyTimestampPort"); + DoubleItPortType port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(port, PORT); + + Map<String, Object> outProps = new HashMap<String, Object>(); + outProps.put("action", "Timestamp Signature"); + outProps.put("signaturePropFile", + "org/apache/cxf/systest/ws/wssec10/client/alice.properties"); + outProps.put("user", "alice"); + outProps.put("passwordCallbackClass", + "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"); + outProps.put("signatureParts", + "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" + + 
"{}{http://docs.oasis-open.org/wss/2004/01/oasis-" + + "200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"); + + bus.getOutInterceptors().add(new WSS4JOutInterceptor(outProps)); + + port.doubleIt(25); + + bus.shutdown(true); + } + + @org.junit.Test + public void testSignedBodyOnly() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SignatureCoverageCheckerTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = SignatureCoverageCheckerTest.class.getResource("DoubleItCoverageChecker.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItBodyTimestampPort"); + DoubleItPortType port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(port, PORT); + + Map<String, Object> outProps = new HashMap<String, Object>(); + outProps.put("action", "Timestamp Signature"); + outProps.put("signaturePropFile", + "org/apache/cxf/systest/ws/wssec10/client/alice.properties"); + outProps.put("user", "alice"); + outProps.put("passwordCallbackClass", + "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"); + outProps.put("signatureParts", + "{}{http://schemas.xmlsoap.org/soap/envelope/}Body;"); + + bus.getOutInterceptors().add(new WSS4JOutInterceptor(outProps)); + + try { + port.doubleIt(25); + fail("Failure expected on not signing the Timestamp"); + } catch (Exception ex) { + // expected + } + + bus.shutdown(true); + } + + @org.junit.Test + public void testSignedTimestampOnly() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SignatureCoverageCheckerTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + 
SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = SignatureCoverageCheckerTest.class.getResource("DoubleItCoverageChecker.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItBodyTimestampPort"); + DoubleItPortType port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(port, PORT); + + Map<String, Object> outProps = new HashMap<String, Object>(); + outProps.put("action", "Timestamp Signature"); + outProps.put("signaturePropFile", + "org/apache/cxf/systest/ws/wssec10/client/alice.properties"); + outProps.put("user", "alice"); + outProps.put("passwordCallbackClass", + "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"); + outProps.put("signatureParts", + "{}{http://docs.oasis-open.org/wss/2004/01/oasis-" + + "200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"); + + bus.getOutInterceptors().add(new WSS4JOutInterceptor(outProps)); + + try { + port.doubleIt(25); + fail("Failure expected on not signing the Timestamp"); + } catch (Exception ex) { + // expected + } + + bus.shutdown(true); + } + + @org.junit.Test + public void testSignedBodyTimestampSoap12() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SignatureCoverageCheckerTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = SignatureCoverageCheckerTest.class.getResource("DoubleItCoverageChecker.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItBodyTimestampSoap12Port"); + DoubleItPortType port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(port, PORT); + + Map<String, Object> outProps = new HashMap<String, Object>(); + outProps.put("action", "Timestamp Signature"); + 
outProps.put("signaturePropFile", + "org/apache/cxf/systest/ws/wssec10/client/alice.properties"); + outProps.put("user", "alice"); + outProps.put("passwordCallbackClass", + "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"); + outProps.put("signatureParts", + "{}{http://www.w3.org/2003/05/soap-envelope}Body;" + + "{}{http://docs.oasis-open.org/wss/2004/01/oasis-" + + "200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"); + + bus.getOutInterceptors().add(new WSS4JOutInterceptor(outProps)); + + port.doubleIt(25); + + bus.shutdown(true); + } + + @org.junit.Test + public void testSignedBodyOnlySoap12() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SignatureCoverageCheckerTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = SignatureCoverageCheckerTest.class.getResource("DoubleItCoverageChecker.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItBodyTimestampSoap12Port"); + DoubleItPortType port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(port, PORT); + + Map<String, Object> outProps = new HashMap<String, Object>(); + outProps.put("action", "Timestamp Signature"); + outProps.put("signaturePropFile", + "org/apache/cxf/systest/ws/wssec10/client/alice.properties"); + outProps.put("user", "alice"); + outProps.put("passwordCallbackClass", + "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"); + outProps.put("signatureParts", + "{}{http://www.w3.org/2003/05/soap-envelope}Body;"); + + bus.getOutInterceptors().add(new WSS4JOutInterceptor(outProps)); + + try { + port.doubleIt(25); + fail("Failure expected on not signing the Timestamp"); + } catch (Exception ex) { + // expected + } + + bus.shutdown(true); + } + + 
@org.junit.Test + public void testSignedTimestampOnlySoap12() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SignatureCoverageCheckerTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = SignatureCoverageCheckerTest.class.getResource("DoubleItCoverageChecker.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItBodyTimestampSoap12Port"); + DoubleItPortType port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(port, PORT); + + Map<String, Object> outProps = new HashMap<String, Object>(); + outProps.put("action", "Timestamp Signature"); + outProps.put("signaturePropFile", + "org/apache/cxf/systest/ws/wssec10/client/alice.properties"); + outProps.put("user", "alice"); + outProps.put("passwordCallbackClass", + "org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"); + outProps.put("signatureParts", + "{}{http://docs.oasis-open.org/wss/2004/01/oasis-" + + "200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"); + + bus.getOutInterceptors().add(new WSS4JOutInterceptor(outProps)); + + try { + port.doubleIt(25); + fail("Failure expected on not signing the Timestamp"); + } catch (Exception ex) { + // expected + } + + bus.shutdown(true); + } + + private boolean checkUnrestrictedPoliciesInstalled() { + try { + byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07}; + + SecretKey key192 = new SecretKeySpec( + new byte[] {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17}, + "AES"); + Cipher c = Cipher.getInstance("AES"); + c.init(Cipher.ENCRYPT_MODE, key192); + c.doFinal(data); + return true; + } catch (Exception e) { + // + } + return false; + } + +} 
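Review bot: In `testSignedTimestampOnly` and `testSignedTimestampOnlySoap12` the assertion message is `fail("Failure expected on not signing the Timestamp")`, but those tests sign only the Timestamp and leave the Body unsigned, so it should read `fail("Failure expected on not signing the Body")`. The negative tests then catch any `Exception`, so a connection or configuration error counts as a pass as well; narrowing the catch to the SOAP fault type or asserting on the fault text would make sure the rejection actually comes from the coverage check. `bus.shutdown(true)` is not in a `finally`, so a failed assertion leaves that bus running and set as the default for the next test. The six test methods differ only in the port name and the `signatureParts` value, so a private helper taking those two strings plus an expected-outcome flag would remove most of the duplication.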
Added: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/server/Server.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/server/Server.java?rev=1368529&view=auto
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/server/Server.java (added)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/server/Server.java Thu Aug 2 15:24:07 2012
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.ws.coverage_checker.server;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+
+ public Server() {
+
+ }
+
+ protected void run() {
+ URL busFile = Server.class.getResource("server.xml");
+ Bus busLocal = new SpringBusFactory().createBus(busFile);
+ BusFactory.setDefaultBus(busLocal);
+ setBus(busLocal);
+ }
+}
Added: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl?rev=1368529&view=auto
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl (added)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl Thu Aug 2 15:24:07 2012
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<wsdl:definitions name="DoubleIt"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+ xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://www.example.org/contract/DoubleIt"
+ targetNamespace="http://www.example.org/contract/DoubleIt"
+ xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsaws="http://www.w3.org/2005/08/addressing"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
+ xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
+ xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802">
+
+ <wsdl:import location="src/test/resources/DoubleItLogical.wsdl"
+ namespace="http://www.example.org/contract/DoubleIt"/>
+
+ <wsdl:binding name="DoubleItSoapBinding" type="tns:DoubleItPortType">
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
+ <wsdl:binding name="DoubleItSoap12Binding" type="tns:DoubleItPortType">
+ <soap12:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap12:operation soapAction="" />
+ <wsdl:input>
+ <soap12:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap12:body use="literal" />
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap12:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
+
+ <wsdl:service name="DoubleItService">
+ <wsdl:port name="DoubleItBodyTimestampPort" binding="tns:DoubleItSoapBinding">
+ <soap:address location="http://localhost:9001/DoubleItBodyTimestamp" />
+ </wsdl:port>
+ <wsdl:port name="DoubleItBodyTimestampSoap12Port" binding="tns:DoubleItSoap12Binding">
+ <soap12:address location="http://localhost:9001/DoubleItBodyTimestampSoap12" />
+ </wsdl:port>
+ </wsdl:service>
+
+</wsdl:definitions>
Added: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml?rev=1368529&view=auto
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml (added)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml Thu Aug 2 15:24:07 2012
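Review bot: Both `soap:address` locations hard-code `http://localhost:9001/...`, while the server side of this commit binds `${testutil.ports.Server}`, so the test only reaches the server if it overrides the endpoint address on the client proxy (presumably it does, as the other ws-security systests do, but nothing in this file says so). A short marker such as `<!-- placeholder address: the systest replaces it with the port allocated to Server -->` next to the two ports would stop a reader from trusting 9001. The `wsdl:import location="src/test/resources/DoubleItLogical.wsdl"` is likewise resolved against the working directory of the test JVM rather than the classpath, which is consistent with the sibling systests but worth the same note.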
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xmlns:jaxws="http://cxf.apache.org/jaxws"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:p="http://cxf.apache.org/policy"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
+ http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
+ http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
+ http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
+ http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd"
+>
+ <cxf:bus>
+ <cxf:features>
+ <p:policies/>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItBodyTimestampPort"
+ createdFromAPI="true">
+ </jaxws:client>
+
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItBodyTimestampSoap12Port"
+ createdFromAPI="true">
+ </jaxws:client>
+
+</beans>
Added: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml?rev=1368529&view=auto
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml (added)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml Thu Aug 2 15:24:07 2012
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:jaxws="http://cxf.apache.org/jaxws"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:p="http://cxf.apache.org/policy"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
+ http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
+ http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd
+ http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
+ http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd
+ http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
+ ">
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+ <cxf:bus>
+ <cxf:features>
+ <p:policies/>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+
+ <jaxws:endpoint
+ id="BodyTimestamp"
+ address="http://localhost:${testutil.ports.Server}/DoubleItBodyTimestamp"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItBodyTimestampPort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl">
+
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature Timestamp"/>
+ <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="passwordCallbackClass"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ <bean class="org.apache.cxf.ws.security.wss4j.SignatureCoverageChecker">
+ <constructor-arg><value>true</value></constructor-arg>
+ <constructor-arg><value>true</value></constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
+
+ <jaxws:endpoint
+ id="BodyTimestampSoap12"
+ address="http://localhost:${testutil.ports.Server}/DoubleItBodyTimestampSoap12"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItBodyTimestampSoap12Port"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/coverage_checker/DoubleItCoverageChecker.wsdl">
+
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature Timestamp"/>
+ <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="passwordCallbackClass"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ <bean class="org.apache.cxf.ws.security.wss4j.SignatureCoverageChecker">
+ <constructor-arg><value>true</value></constructor-arg>
+ <constructor-arg><value>true</value></constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
+
+
+</beans>
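Review bot: The two `SignatureCoverageChecker` beans are wired with two positional `<constructor-arg><value>true</value></constructor-arg>` entries, so the file never states which coverage requirement each `true` switches on; the endpoint id `BodyTimestamp` hints at body and Timestamp, but that is only recoverable by opening the class, and swapping the two arguments would still parse and deploy. Giving each argument an `index="0"` / `index="1"` and a one-line XML comment naming the element it covers (for example `<!-- require the SOAP Body and the wsu:Timestamp to be signed -->`, to be confirmed against the constructor) would make the verification contract of the test readable from the config alone. The same applies to the second endpoint later in this hunk; since both endpoints differ only in SOAP version, the interceptor list could also be declared once and shared via `<ref>`.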
