[CXF-5609] - Won't pass verification of explicit WSS Policy AsymmetricBinding
-> Layout -> Policy -> Lax
Conflicts:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/594ca433
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/594ca433
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/594ca433
Branch: refs/heads/2.7.x-fixes
Commit: 594ca4338a8b4605434368c74dcea5e72c6b9743
Parents: d7d452b
Author: Colm O hEigeartaigh <[email protected]>
Authored: Thu Mar 13 14:52:10 2014 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Thu Mar 13 16:43:02 2014 +0000
----------------------------------------------------------------------
.../wss4j/PolicyBasedWSS4JInInterceptor.java | 5 ++
.../AbstractBindingPolicyValidator.java | 12 ----
.../policyvalidators/LayoutPolicyValidator.java | 69 +++++++++++++++-----
.../TransportBindingPolicyValidator.java | 12 ----
.../cxf/systest/ws/x509/DoubleItX509.wsdl | 10 +--
5 files changed, 62 insertions(+), 46 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/594ca433/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index ae40012..a9b1245 100644
---
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -75,6 +75,7 @@ import
org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingToken
import
org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.LayoutPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEncryptedTokenPolicyValidator;
@@ -776,6 +777,10 @@ public class PolicyBasedWSS4JInInterceptor extends
WSS4JInInterceptor {
aim, msg, soapBody, results, signedResults, encryptedResults
);
+ // Check Layout that might not be tied to a binding
+ LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator();
+ check &= layoutValidator.validatePolicy(aim, msg, soapBody, results,
signedResults);
+
return check;
}
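Review bot: `check &= layoutValidator.validatePolicy(aim, msg, soapBody, results, signedResults)` cannot lower `check`, because the new `validatePolicy(AssertionInfoMap, ...)` in the LayoutPolicyValidator hunk returns `true` unconditionally and records a mismatch only through `ai.setNotAsserted(error)`. The removed code in AbstractBindingPolicyValidator and TransportBindingPolicyValidator returned false or skipped the binding on a Layout mismatch, so a failed Layout check now appears to rely entirely on the not-asserted AssertionInfo being enforced downstream rather than on this `check`. If that is intended, a comment such as `// LayoutPolicyValidator reports failures via AssertionInfo; its return value is always true` would keep the `&=` from reading as a guard; otherwise `validatePolicy` should return the conjunction of the per-assertion results. The enclosing method begins outside this hunk.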
http://git-wip-us.apache.org/repos/asf/cxf/blob/594ca433/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index d54956a..5cf16ae 100644
---
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
@@ -36,7 +36,6 @@ import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.EncryptionToken;
-import org.apache.cxf.ws.security.policy.model.Layout;
import org.apache.cxf.ws.security.policy.model.ProtectionToken;
import org.apache.cxf.ws.security.policy.model.SignatureToken;
import org.apache.cxf.ws.security.policy.model.SymmetricAsymmetricBindingBase;
@@ -172,17 +171,6 @@ public abstract class AbstractBindingPolicyValidator
implements BindingPolicyVal
}
assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
- // Check the Layout
- Layout layout = binding.getLayout();
- LayoutPolicyValidator layoutValidator = new
LayoutPolicyValidator(results, signedResults);
- if (!layoutValidator.validatePolicy(layout)) {
- String error = "Layout does not match the requirements";
- notAssertPolicy(aim, layout, error);
- ai.setNotAsserted(error);
- return false;
- }
- assertPolicy(aim, layout);
-
// Check the EntireHeaderAndBodySignatures property
if (binding.isEntireHeadersAndBodySignatures()
&& !validateEntireHeaderAndBodySignatures(signedResults)) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/594ca433/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
----------------------------------------------------------------------
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
index 997dd47..3762921 100644
---
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
@@ -21,14 +21,18 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
+import java.util.Collection;
import java.util.List;
import javax.xml.namespace.QName;
import org.w3c.dom.Element;
-
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.Layout;
import org.apache.ws.security.WSConstants;
@@ -46,17 +50,44 @@ import org.apache.ws.security.saml.ext.AssertionWrapper;
*/
public class LayoutPolicyValidator {
- private List<WSSecurityEngineResult> results;
- private List<WSSecurityEngineResult> signedResults;
+ public boolean validatePolicy(
+ AssertionInfoMap aim,
+ Message message,
+ Element soapBody,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
+ ) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.LAYOUT);
+ if (ais != null && !ais.isEmpty()) {
+ parsePolicies(aim, ais, message, results, signedResults);
+ }
- public LayoutPolicyValidator(
- List<WSSecurityEngineResult> results, List<WSSecurityEngineResult>
signedResults
+ return true;
+ }
+
+ private void parsePolicies(
+ AssertionInfoMap aim,
+ Collection<AssertionInfo> ais,
+ Message message,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
) {
- this.results = results;
- this.signedResults = signedResults;
+ for (AssertionInfo ai : ais) {
+ Layout layout = (Layout)ai.getAssertion();
+ ai.setAsserted(true);
+
+ if (!validatePolicy(layout, results, signedResults)) {
+ String error = "Layout does not match the requirements";
+ ai.setNotAsserted(error);
+ }
+ }
}
-
- public boolean validatePolicy(Layout layout) {
+
+ public boolean validatePolicy(
+ Layout layout,
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
+ ) {
boolean timestampFirst = layout.getValue() ==
SPConstants.Layout.LaxTsFirst;
boolean timestampLast = layout.getValue() ==
SPConstants.Layout.LaxTsLast;
boolean strict = layout.getValue() == SPConstants.Layout.Strict;
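Review bot: The new public entry point `validatePolicy(AssertionInfoMap aim, Message message, Element soapBody, ...)` has no Javadoc, and two of its parameters are never read in this hunk: `soapBody` is not used at all and `message` is only forwarded to `parsePolicies`, which ignores it. A Javadoc should state that the method inspects every `SP12Constants.LAYOUT` assertion in `aim`, marks each one asserted or not-asserted according to `validatePolicy(Layout, ...)`, and always returns `true`, so callers do not mistake the return value for the verification result. In `parsePolicies`, `ai.setAsserted(true)` runs before the check and is overridden only on failure; a one-line comment such as `// Asserted up front; overridden by setNotAsserted below if the layout does not match` would make that ordering explicit. The overloaded `validatePolicy(Layout, ...)` continues past the end of this hunk.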
@@ -78,16 +109,19 @@ public class LayoutPolicyValidator {
if (lastAction.intValue() != WSConstants.TS) {
return false;
}
- } else if (strict && (!validateStrictSignaturePlacement()
- || !validateStrictSignatureTokenPlacement()
- || !checkSignatureIsSignedPlacement())) {
+ } else if (strict && (!validateStrictSignaturePlacement(results,
signedResults)
+ || !validateStrictSignatureTokenPlacement(results)
+ || !checkSignatureIsSignedPlacement(signedResults))) {
return false;
}
return true;
}
- private boolean validateStrictSignaturePlacement() {
+ private boolean validateStrictSignaturePlacement(
+ List<WSSecurityEngineResult> results,
+ List<WSSecurityEngineResult> signedResults
+ ) {
// Go through each Signature and check any security header token is
before the Signature
for (WSSecurityEngineResult signedResult : signedResults) {
List<WSDataRef> sl =
@@ -125,13 +159,13 @@ public class LayoutPolicyValidator {
return true;
}
- private boolean validateStrictSignatureTokenPlacement() {
+ private boolean
validateStrictSignatureTokenPlacement(List<WSSecurityEngineResult> results) {
// Go through each Signature and check that the Signing Token appears
before the Signature
for (int i = 0; i < results.size(); i++) {
WSSecurityEngineResult result = results.get(i);
Integer actInt =
(Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
if (actInt == WSConstants.SIGN) {
- int correspondingIndex = findCorrespondingTokenIndex(result);
+ int correspondingIndex = findCorrespondingTokenIndex(result,
results);
if (correspondingIndex > 0 && correspondingIndex < i) {
return false;
}
@@ -141,7 +175,7 @@ public class LayoutPolicyValidator {
return true;
}
- private boolean checkSignatureIsSignedPlacement() {
+ private boolean
checkSignatureIsSignedPlacement(List<WSSecurityEngineResult> signedResults) {
for (int i = 0; i < signedResults.size(); i++) {
WSSecurityEngineResult signedResult = signedResults.get(i);
List<WSDataRef> sl =
@@ -181,7 +215,8 @@ public class LayoutPolicyValidator {
* to sign the "signatureResult" argument.
*/
private int findCorrespondingTokenIndex(
- WSSecurityEngineResult signatureResult
+ WSSecurityEngineResult signatureResult,
+ List<WSSecurityEngineResult> results
) {
// See what was used to sign this result
X509Certificate cert =
http://git-wip-us.apache.org/repos/asf/cxf/blob/594ca433/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
index c28d739..359a7fe 100644
---
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
@@ -30,7 +30,6 @@ import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Layout;
import org.apache.cxf.ws.security.policy.model.TransportBinding;
import org.apache.ws.security.WSSecurityEngineResult;
@@ -83,17 +82,6 @@ public class TransportBindingPolicyValidator extends
AbstractBindingPolicyValida
continue;
}
assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
-
- // Check the Layout
- Layout layout = binding.getLayout();
- LayoutPolicyValidator layoutValidator = new
LayoutPolicyValidator(results, signedResults);
- if (!layoutValidator.validatePolicy(layout)) {
- String error = "Layout does not match the requirements";
- notAssertPolicy(aim, layout, error);
- ai.setNotAsserted(error);
- continue;
- }
- assertPolicy(aim, layout);
}
// We don't need to check these policies for the Transport binding
http://git-wip-us.apache.org/repos/asf/cxf/blob/594ca433/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
----------------------------------------------------------------------
diff --git
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
index 5cb3652..3d4134c 100644
---
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
+++
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
@@ -856,11 +856,6 @@
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
- <sp:Layout>
- <wsp:Policy>
- <sp:Lax/>
- </wsp:Policy>
- </sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:AlgorithmSuite>
@@ -870,6 +865,11 @@
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>