Author: coheigea Date: Wed Mar 20 13:55:32 2013 New Revision: 1458829 URL: http://svn.apache.org/r1458829 Log: Merged revisions 1458826 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/branches/2.6.x-fixes
........ r1458826 | coheigea | 2013-03-20 13:51:21 +0000 (Wed, 20 Mar 2013) | 18 lines Merged revisions 1458808 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/branches/2.7.x-fixes ........ r1458808 | coheigea | 2013-03-20 12:48:18 +0000 (Wed, 20 Mar 2013) | 10 lines Merged revisions 1458778 via git cherry-pick from https://svn.apache.org/repos/asf/cxf/trunk ........ r1458778 | coheigea | 2013-03-20 12:03:08 +0000 (Wed, 20 Mar 2013) | 2 lines Added a @Ignore'd test and some (not-used) functionality to validate ProtectTokens policies ........ ........ ........ Added: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlTokenTest.java cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java?rev=1458829&r1=1458828&r2=1458829&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java Wed Mar 20 13:55:32 2013 @@ -19,6 +19,8 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators; +import java.security.PublicKey; +import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; import java.util.List; @@ -45,7 +47,12 @@ import org.apache.neethi.Assertion; import org.apache.ws.security.WSConstants; import org.apache.ws.security.WSDataRef; import org.apache.ws.security.WSSecurityEngineResult; +import org.apache.ws.security.message.token.BinarySecurity; +import org.apache.ws.security.message.token.PKIPathSecurity; import org.apache.ws.security.message.token.Timestamp; +import org.apache.ws.security.message.token.X509Security; +import org.apache.ws.security.saml.SAMLKeyInfo; +import org.apache.ws.security.saml.ext.AssertionWrapper; import org.apache.ws.security.util.WSSecurityUtil; /** @@ -221,6 +228,14 @@ public abstract class AbstractBindingPol return false; } + /* + // Check ProtectTokens + if (binding.isTokenProtection() && !isTokenProtected(results, signedResults)) { + ai.setNotAsserted("The token protection property is not valid"); + return false; + } + */ + return true; } @@ -324,6 +339,99 @@ public abstract class AbstractBindingPol } /** + * Check whether the token protection policy is followed. In other words, check that the + * signature token was itself signed. + */ + protected boolean isTokenProtected( + List<WSSecurityEngineResult> results, + List<WSSecurityEngineResult> signedResults + ) { + for (int i = 0; i < signedResults.size(); i++) { + WSSecurityEngineResult result = signedResults.get(i); + + // Get the Token result that was used for the signature + WSSecurityEngineResult tokenResult = + findCorrespondingToken(result, results); + if (tokenResult == null) { + return false; + } + + // Now go through what was signed and see if the token itself was signed + List<WSDataRef> sl = + CastUtils.cast((List<?>)result.get( + WSSecurityEngineResult.TAG_DATA_REF_URIS + )); + boolean found = false; + if (sl != null) { + for (WSDataRef dataRef : sl) { + Element referenceElement = dataRef.getProtectedElement(); + if (referenceElement != null + && referenceElement.equals(tokenResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT))) { + found = true; + } + } + } + if (!found) { + return false; + } + + } + return true; + } + + /** + * Find the token corresponding to either the X509Certificate or PublicKey used to sign + * the "signatureResult" argument. + */ + private WSSecurityEngineResult findCorrespondingToken( + WSSecurityEngineResult signatureResult, + List<WSSecurityEngineResult> results + ) { + // See what was used to sign this result + X509Certificate cert = + (X509Certificate)signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE); + PublicKey publicKey = + (PublicKey)signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY); + + for (WSSecurityEngineResult token : results) { + Integer actInt = (Integer)token.get(WSSecurityEngineResult.TAG_ACTION); + if (actInt == WSConstants.SIGN) { + continue; + } + + BinarySecurity binarySecurity = + (BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN); + PublicKey foundPublicKey = + (PublicKey)token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY); + if (binarySecurity instanceof X509Security + || binarySecurity instanceof PKIPathSecurity) { + X509Certificate foundCert = + (X509Certificate)token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE); + if (foundCert.equals(cert)) { + return token; + } + } else if (actInt.intValue() == WSConstants.ST_SIGNED + || actInt.intValue() == WSConstants.ST_UNSIGNED) { + AssertionWrapper assertionWrapper = + (AssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION); + SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo(); + if (samlKeyInfo != null) { + X509Certificate[] subjectCerts = samlKeyInfo.getCerts(); + PublicKey subjectPublicKey = samlKeyInfo.getPublicKey(); + if ((cert != null && subjectCerts != null + && cert.equals(subjectCerts[0])) + || (subjectPublicKey != null && subjectPublicKey.equals(publicKey))) { + return token; + } + } + } else if (publicKey != null && publicKey.equals(foundPublicKey)) { + return token; + } + } + return null; + } + + /** * Check whether the primary Signature (and all SignatureConfirmation) elements were encrypted */ protected boolean isSignatureEncrypted(List<WSSecurityEngineResult> results) { Modified: cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlTokenTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlTokenTest.java?rev=1458829&r1=1458828&r2=1458829&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlTokenTest.java (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlTokenTest.java Wed Mar 20 13:55:32 2013 @@ -100,7 +100,6 @@ public class SamlTokenTest extends Abstr /** * 2.3.1.2 (WSS1.0) SAML1.1 Assertion (Sender Vouches) over SSL - */ @org.junit.Test public void testTLSSenderVouches() throws Exception { @@ -126,7 +125,6 @@ public class SamlTokenTest extends Abstr /** * 2.3.1.3 (WSS1.0) SAML1.1 Assertion (HK) over SSL - */ @org.junit.Test public void testTLSHOKSignedEndorsing() throws Exception { @@ -152,7 +150,6 @@ public class SamlTokenTest extends Abstr /** * 2.3.1.4 (WSS1.0) SAML1.1 Sender Vouches with X.509 Certificates, Sign, Optional Encrypt - */ @org.junit.Test public void testAsymmetricSigned() throws Exception { @@ -178,7 +175,6 @@ public class SamlTokenTest extends Abstr /** * 2.3.1.5 (WSS1.0) SAML1.1 Holder of Key, Sign, Optional Encrypt - */ @org.junit.Test public void testAsymmetricInitiator() throws Exception { @@ -205,7 +201,6 @@ public class SamlTokenTest extends Abstr /** * 2.3.2.1 (WSS1.1) SAML 2.0 Bearer - */ @org.junit.Test public void testAsymmetricSaml2Bearer() throws Exception { @@ -231,7 +226,6 @@ public class SamlTokenTest extends Abstr /** * 2.3.2.2 (WSS1.1) SAML2.0 Sender Vouches over SSL - */ @org.junit.Test public void testTLSSenderVouchesSaml2() throws Exception { @@ -257,7 +251,6 @@ public class SamlTokenTest extends Abstr /** * 2.3.2.3 (WSS1.1) SAML2.0 HoK over SSL - */ @org.junit.Test public void testTLSHOKSignedEndorsingSaml2() throws Exception { @@ -283,7 +276,6 @@ public class SamlTokenTest extends Abstr /** * 2.3.2.4 (WSS1.1) SAML1.1/2.0 Sender Vouches with X.509 Certificate, Sign, Encrypt - */ @org.junit.Test public void testSymmetricSV() throws Exception { @@ -309,7 +301,6 @@ public class SamlTokenTest extends Abstr /** * 2.3.2.5 (WSS1.1) SAML1.1/2.0 Holder of Key, Sign, Encrypt - */ @org.junit.Test public void testSymmetricIssuedToken() throws Exception { @@ -333,6 +324,7 @@ public class SamlTokenTest extends Abstr ((java.io.Closeable)samlPort).close(); bus.shutdown(true); } + */ private static void updateSTSPort(BindingProvider p, String port) { STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT); Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java?rev=1458829&r1=1458828&r2=1458829&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java Wed Mar 20 13:55:32 2013 @@ -314,4 +314,43 @@ public class BindingPropertiesTest exten bus.shutdown(true); } + // TODO + @org.junit.Test + @org.junit.Ignore + public void testTokenProtection() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = BindingPropertiesTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = BindingPropertiesTest.class.getResource("DoubleItBindings.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + + // Successful invocation + QName portQName = new QName(NAMESPACE, "DoubleItTokenProtectionPort"); + DoubleItPortType port = service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(port, PORT); + port.doubleIt(25); + + // This should fail, as the property is not enabled + portQName = new QName(NAMESPACE, "DoubleItTokenProtectionPort2"); + port = service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(port, PORT); + + try { + port.doubleIt(25); + fail("Failure expected on not protecting the token"); + } catch (javax.xml.ws.soap.SOAPFaultException ex) { + // String error = "Layout does not match the requirements"; + // assertTrue(ex.getMessage().contains(error)); + System.out.println("EX: " + ex.getMessage()); + } + + ((java.io.Closeable)port).close(); + bus.shutdown(true); + } + } Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl?rev=1458829&r1=1458828&r2=1458829&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl Wed Mar 20 13:55:32 2013 @@ -110,6 +110,12 @@ <wsdl:port name="DoubleItTimestampLastPort2" binding="tns:DoubleItStandardBinding"> <soap:address location="http://localhost:9010/DoubleItTimestampLast2"; /> </wsdl:port> + <wsdl:port name="DoubleItTokenProtectionPort" binding="tns:DoubleItStandardBinding"> + <soap:address location="http://localhost:9010/DoubleItTokenProtection"; /> + </wsdl:port> + <wsdl:port name="DoubleItTokenProtectionPort2" binding="tns:DoubleItStandardBinding"> + <soap:address location="http://localhost:9010/DoubleItTokenProtection2"; /> + </wsdl:port> </wsdl:service> <wsp:Policy wsu:Id="SignBodyChildPolicy"> Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml?rev=1458829&r1=1458828&r2=1458829&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml Wed Mar 20 13:55:32 2013 @@ -347,5 +347,49 @@ </p:policies> </jaxws:features> </jaxws:client> + + <jaxws:client + name="{http://www.example.org/contract/DoubleIt}DoubleItTokenProtectionPort"; + createdFromAPI="true"> + <jaxws:properties> + <entry key="ws-security.username" value="Alice" /> + <entry key="ws-security.callback-handler" + value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" /> + <entry key="ws-security.encryption.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" /> + <entry key="ws-security.encryption.username" value="bob" /> + <entry key="ws-security.signature.properties" + value="org/apache/cxf/systest/ws/wssec10/client/alice.properties" /> + <entry key="ws-security.signature.username" value="alice" /> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"; + URI="classpath:/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml" /> + </p:policies> + </jaxws:features> + </jaxws:client> + + <jaxws:client + name="{http://www.example.org/contract/DoubleIt}DoubleItTokenProtectionPort2"; + createdFromAPI="true"> + <jaxws:properties> + <entry key="ws-security.username" value="Alice" /> + <entry key="ws-security.callback-handler" + value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" /> + <entry key="ws-security.encryption.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" /> + <entry key="ws-security.encryption.username" value="bob" /> + <entry key="ws-security.signature.properties" + value="org/apache/cxf/systest/ws/wssec10/client/alice.properties" /> + <entry key="ws-security.signature.username" value="alice" /> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"; + URI="classpath:/org/apache/cxf/systest/ws/bindings/clean-policy.xml" /> + </p:policies> + </jaxws:features> + </jaxws:client> </beans> Added: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml?rev=1458829&view=auto ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml (added) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml Wed Mar 20 13:55:32 2013 @@ -0,0 +1,45 @@ +<wsp:Policy wsu:Id="EncryptSignaturePolicy" + xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; + xmlns:wsp="http://www.w3.org/ns/ws-policy";> + <wsp:ExactlyOne> + <wsp:All> + <sp:AsymmetricBinding + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";> + <wsp:Policy> + <sp:InitiatorToken> + <wsp:Policy> + <sp:X509Token + sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";> + <wsp:Policy> + <sp:WssX509V3Token10 /> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:InitiatorToken> + <sp:RecipientToken> + <wsp:Policy> + <sp:X509Token + sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";> + <wsp:Policy> + <sp:WssX509V3Token10 /> + <sp:RequireIssuerSerialReference /> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:RecipientToken> + <sp:Layout> + <wsp:Policy> + <sp:Lax /> + </wsp:Policy> + </sp:Layout> + <sp:ProtectTokens /> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic128 /> + </wsp:Policy> + </sp:AlgorithmSuite> + </wsp:Policy> + </sp:AsymmetricBinding> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> \ No newline at end of file Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml?rev=1458829&r1=1458828&r2=1458829&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml Wed Mar 20 13:55:32 2013 @@ -366,5 +366,52 @@ </jaxws:endpoint> + <jaxws:endpoint id="TokenProtectionEndpoint" + address="http://localhost:${testutil.ports.Server}/DoubleItTokenProtection"; + serviceName="s:DoubleItService" endpointName="s:DoubleItTokenProtectionPort" + xmlns:s="http://www.example.org/contract/DoubleIt"; implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" + wsdlLocation="org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl"> + + <jaxws:properties> + <entry key="ws-security.callback-handler" + value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" /> + <entry key="ws-security.signature.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" /> + <entry key="ws-security.encryption.username" value="useReqSigCert" /> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"; + URI="classpath:/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml" /> + </p:policies> + </jaxws:features> + + </jaxws:endpoint> + + <jaxws:endpoint id="TokenProtectionEndpoint2" + address="http://localhost:${testutil.ports.Server}/DoubleItTokenProtection2"; + serviceName="s:DoubleItService" endpointName="s:DoubleItTokenProtectionPort2" + xmlns:s="http://www.example.org/contract/DoubleIt"; implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" + wsdlLocation="org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl"> + + <jaxws:properties> + <entry key="ws-security.callback-handler" + value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" /> + <entry key="ws-security.signature.properties" + value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" /> + <entry key="ws-security.encryption.username" value="useReqSigCert" /> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"; + URI="classpath:/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml" /> + </p:policies> + </jaxws:features> + + </jaxws:endpoint> + + </beans>
