If the WS-SC client does not send a SOAPAction, degrade to the old DOM based
processing.
Conflicts:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/88e44fd0
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/88e44fd0
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/88e44fd0
Branch: refs/heads/2.7.x-fixes
Commit: 88e44fd0801fc65df50b00ef3c035d5ea699f701
Parents: 7e4353e
Author: Daniel Kulp <[email protected]>
Authored: Tue Aug 12 16:08:03 2014 -0400
Committer: Daniel Kulp <[email protected]>
Committed: Tue Aug 12 16:35:24 2014 -0400
----------------------------------------------------------------------
.../SecureConversationInInterceptor.java | 187 +++++++++++--------
.../ws/security/wss4j/WSS4JInInterceptor.java | 3 +
.../apache/cxf/systest/ws/wssc/WSSCTest.java | 41 +++-
3 files changed, 150 insertions(+), 81 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/88e44fd0/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
----------------------------------------------------------------------
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
index 72ae8bb..8189052 100644
---
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
@@ -40,6 +40,7 @@ import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.W3CDOMStreamWriter;
import org.apache.cxf.ws.addressing.AddressingProperties;
import org.apache.cxf.ws.addressing.JAXWSAConstants;
+import org.apache.cxf.ws.addressing.soap.MAPCodec;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyBuilder;
@@ -58,6 +59,7 @@ import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.STSUtils;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.neethi.All;
import org.apache.neethi.Assertion;
@@ -92,10 +94,10 @@ class SecureConversationInInterceptor extends
AbstractPhaseInterceptor<SoapMessa
}
public void handleMessage(SoapMessage message) throws Fault {
- AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ final AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
if (aim != null) {
- Collection<AssertionInfo> ais =
aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
+ final Collection<AssertionInfo> ais =
aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
if (ais == null || ais.isEmpty()) {
return;
}
@@ -115,91 +117,116 @@ class SecureConversationInInterceptor extends
AbstractPhaseInterceptor<SoapMessa
if (s == null) {
s = SoapActionInInterceptor.getSoapAction(message);
}
- String addNs = null;
- AddressingProperties inProps = (AddressingProperties)message
-
.getContextualProperty(JAXWSAConstants.ADDRESSING_PROPERTIES_INBOUND);
- if (inProps != null) {
- addNs = inProps.getNamespaceURI();
- if (s == null) {
- //MS/WCF doesn't put a soap action out for this, must
check the headers
- s = inProps.getAction().getValue();
- }
+
+ if (s != null) {
+ handleMessageForAction(message, s, aim, ais);
+ } else {
+ // could not get an action, we have to delay until after the
WS-A headers are read and
+ // processed
+ AbstractPhaseInterceptor<SoapMessage> post
+ = new
AbstractPhaseInterceptor<SoapMessage>(Phase.PRE_PROTOCOL) {
+ public void handleMessage(SoapMessage message) throws
Fault {
+ String s =
(String)message.get(SoapBindingConstants.SOAP_ACTION);
+ if (s == null) {
+ s =
SoapActionInInterceptor.getSoapAction(message);
+ }
+ handleMessageForAction(message, s, aim, ais);
+ }
+ };
+ post.addAfter(MAPCodec.class.getName());
+ post.addBefore(PolicyBasedWSS4JInInterceptor.class.getName());
+ message.getInterceptorChain().add(post);
+ }
+ }
+ }
+
+ void handleMessageForAction(SoapMessage message, String s,
+ AssertionInfoMap aim,
+ Collection<AssertionInfo> ais) {
+ String addNs = null;
+ AddressingProperties inProps = (AddressingProperties)message
+
.getContextualProperty(JAXWSAConstants.ADDRESSING_PROPERTIES_INBOUND);
+ if (inProps != null) {
+ addNs = inProps.getNamespaceURI();
+ if (s == null) {
+ //MS/WCF doesn't put a soap action out for this, must check
the headers
+ s = inProps.getAction().getValue();
}
+ }
- if (s != null
- && s.contains("/RST/SCT")
- && (s.startsWith(STSUtils.WST_NS_05_02)
- || s.startsWith(STSUtils.WST_NS_05_12))) {
+ if (s != null
+ && s.contains("/RST/SCT")
+ && (s.startsWith(STSUtils.WST_NS_05_02)
+ || s.startsWith(STSUtils.WST_NS_05_12))) {
- SecureConversationToken tok =
(SecureConversationToken)ais.iterator()
- .next().getAssertion();
- Policy pol = tok.getBootstrapPolicy();
- if (s.endsWith("Cancel") || s.endsWith("/Renew")) {
- //Cancel and Renew just sign with the token
- Policy p = new Policy();
- ExactlyOne ea = new ExactlyOne();
- p.addPolicyComponent(ea);
- All all = new All();
- Assertion ass = NegotiationUtils.getAddressingPolicy(aim,
false);
- all.addPolicyComponent(ass);
- ea.addPolicyComponent(all);
- PolicyBuilder pbuilder = message.getExchange().getBus()
- .getExtension(PolicyBuilder.class);
- SymmetricBinding binding = new
SymmetricBinding(SP12Constants.INSTANCE, pbuilder);
- binding.setIncludeTimestamp(true);
- ProtectionToken token = new
ProtectionToken(SP12Constants.INSTANCE, pbuilder);
-
- SecureConversationToken scToken =
- new SecureConversationToken(SP12Constants.INSTANCE);
-
scToken.setInclusion(SP12Constants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT);
- token.setToken(scToken);
- binding.setProtectionToken(token);
- binding.setEntireHeadersAndBodySignatures(true);
-
- Binding origBinding = getBinding(aim);
- binding.setAlgorithmSuite(origBinding.getAlgorithmSuite());
- all.addPolicyComponent(binding);
-
- SignedEncryptedParts parts = new
SignedEncryptedParts(true,
-
SP12Constants.INSTANCE);
- parts.setBody(true);
- if (addNs != null) {
- parts.addHeader(new Header("To", addNs));
- parts.addHeader(new Header("From", addNs));
- parts.addHeader(new Header("FaultTo", addNs));
- parts.addHeader(new Header("ReplyTO", addNs));
- parts.addHeader(new Header("MessageID", addNs));
- parts.addHeader(new Header("RelatesTo", addNs));
- parts.addHeader(new Header("Action", addNs));
- }
- all.addPolicyComponent(parts);
- pol = p;
-
message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
- } else {
- Policy p = new Policy();
- ExactlyOne ea = new ExactlyOne();
- p.addPolicyComponent(ea);
- All all = new All();
- Assertion ass = NegotiationUtils.getAddressingPolicy(aim,
false);
- all.addPolicyComponent(ass);
- ea.addPolicyComponent(all);
- pol = p.merge(pol);
- }
+ SecureConversationToken tok =
(SecureConversationToken)ais.iterator()
+ .next().getAssertion();
+ Policy pol = tok.getBootstrapPolicy();
+ if (s.endsWith("Cancel") || s.endsWith("/Renew")) {
+ //Cancel and Renew just sign with the token
+ Policy p = new Policy();
+ ExactlyOne ea = new ExactlyOne();
+ p.addPolicyComponent(ea);
+ All all = new All();
+ Assertion ass = NegotiationUtils.getAddressingPolicy(aim,
false);
+ all.addPolicyComponent(ass);
+ ea.addPolicyComponent(all);
+ PolicyBuilder pbuilder = message.getExchange().getBus()
+ .getExtension(PolicyBuilder.class);
+ SymmetricBinding binding = new
SymmetricBinding(SP12Constants.INSTANCE, pbuilder);
+ binding.setIncludeTimestamp(true);
+ ProtectionToken token = new
ProtectionToken(SP12Constants.INSTANCE, pbuilder);
- //setup SCT endpoint and forward to it.
- unmapSecurityProps(message);
- String ns = STSUtils.WST_NS_05_12;
- if (s.startsWith(STSUtils.WST_NS_05_02)) {
- ns = STSUtils.WST_NS_05_02;
+ SecureConversationToken scToken =
+ new SecureConversationToken(SP12Constants.INSTANCE);
+
scToken.setInclusion(SP12Constants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT);
+ token.setToken(scToken);
+ binding.setProtectionToken(token);
+ binding.setEntireHeadersAndBodySignatures(true);
+
+ Binding origBinding = getBinding(aim);
+ binding.setAlgorithmSuite(origBinding.getAlgorithmSuite());
+ all.addPolicyComponent(binding);
+
+ SignedEncryptedParts parts = new SignedEncryptedParts(true,
+
SP12Constants.INSTANCE);
+ parts.setBody(true);
+ if (addNs != null) {
+ parts.addHeader(new Header("To", addNs));
+ parts.addHeader(new Header("From", addNs));
+ parts.addHeader(new Header("FaultTo", addNs));
+ parts.addHeader(new Header("ReplyTO", addNs));
+ parts.addHeader(new Header("MessageID", addNs));
+ parts.addHeader(new Header("RelatesTo", addNs));
+ parts.addHeader(new Header("Action", addNs));
}
- NegotiationUtils.recalcEffectivePolicy(message, ns, pol,
- new
SecureConversationSTSInvoker(),
- true);
- //recalc based on new endpoint
- SoapActionInInterceptor.getAndSetOperation(message, s);
- } else {
+ all.addPolicyComponent(parts);
+ pol = p;
message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
+ } else {
+ Policy p = new Policy();
+ ExactlyOne ea = new ExactlyOne();
+ p.addPolicyComponent(ea);
+ All all = new All();
+ Assertion ass = NegotiationUtils.getAddressingPolicy(aim,
false);
+ all.addPolicyComponent(ass);
+ ea.addPolicyComponent(all);
+ pol = p.merge(pol);
+ }
+
+ //setup SCT endpoint and forward to it.
+ unmapSecurityProps(message);
+ String ns = STSUtils.WST_NS_05_12;
+ if (s.startsWith(STSUtils.WST_NS_05_02)) {
+ ns = STSUtils.WST_NS_05_02;
}
+ NegotiationUtils.recalcEffectivePolicy(message, ns, pol,
+ new
SecureConversationSTSInvoker(),
+ true);
+ //recalc based on new endpoint
+ SoapActionInInterceptor.getAndSetOperation(message, s);
+ } else {
+
message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
}
}
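Review bot: In the new `handleMessageForAction`, `s = inProps.getAction().getValue();` dereferences the WS-Addressing Action without a null check, and the deferred interceptor added in this hunk now calls the method with `s == null` on purpose. If `getAction()` can return null for a message that carries neither a SOAPAction nor a `wsa:Action`, that request fails with a NullPointerException before `PolicyBasedWSS4JInInterceptor` has run; a guard such as `if (s == null && inProps.getAction() != null) { s = inProps.getAction().getValue(); }` keeps it on the final `else` branch instead. Separately, the Cancel/Renew branch lists `new Header("ReplyTO", addNs)` among the parts to be signed, while the WS-Addressing element is `ReplyTo`. If header names are matched case-sensitively (not visible here), that header is never required to be signed, so `new Header("ReplyTo", addNs)` looks like what was intended. Both lines were moved from the old `handleMessage`, whose start lies outside this hunk.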
http://git-wip-us.apache.org/repos/asf/cxf/blob/88e44fd0/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index fb22431..ed4d7bc 100644
---
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -45,6 +45,7 @@ import javax.xml.transform.dom.DOMSource;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
+
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
@@ -66,6 +67,7 @@ import org.apache.cxf.phase.Phase;
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.StaxUtils;
+import org.apache.cxf.ws.addressing.soap.MAPCodec;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.interceptors.NegotiationUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -122,6 +124,7 @@ public class WSS4JInInterceptor extends
AbstractWSS4JInterceptor {
setPhase(Phase.PRE_PROTOCOL);
getAfter().add(SAAJInInterceptor.class.getName());
+ getAfter().add(MAPCodec.class.getName());
}
public WSS4JInInterceptor(boolean ignore) {
this();
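Review bot: The added `getAfter().add(MAPCodec.class.getName());` changes the ordering of every `WSS4JInInterceptor`, not only the WS-SecureConversation path, and nothing in the constructor says why. A comment such as `// run after MAPCodec so the WS-A Action is available when the client sends no SOAPAction (WS-SC bootstrap)` would record the reason. It would also help to state there that addressing properties decoded at that point come from headers this interceptor has not yet verified, so anything running between MAPCodec and it must treat them as untrusted. The no-arg constructor starts outside the hunk.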
http://git-wip-us.apache.org/repos/asf/cxf/blob/88e44fd0/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
----------------------------------------------------------------------
diff --git
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
index b6c75e2..9d0e508 100644
---
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
+++
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssc/WSSCTest.java
@@ -24,11 +24,21 @@ import javax.xml.ws.BindingProvider;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
+import org.apache.cxf.binding.soap.SoapBindingConstants;
+import org.apache.cxf.binding.soap.interceptor.SoapActionInInterceptor;
+import org.apache.cxf.binding.soap.interceptor.SoapPreProtocolOutInterceptor;
import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.frontend.ClientProxy;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.AbstractPhaseInterceptor;
+import org.apache.cxf.phase.Phase;
import org.apache.cxf.systest.ws.common.SecurityTestUtil;
import org.apache.cxf.systest.ws.wssc.server.Server;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.trust.STSClient;
+import org.apache.cxf.ws.security.trust.STSUtils;
import org.junit.BeforeClass;
import org.junit.Test;
@@ -186,8 +196,17 @@ public class WSSCTest extends
AbstractBusClientServerTestBase {
public void testXDESIPingService() throws Exception {
runTest("_XD-ES_IPingService");
}
+
+
+ @Test
+ public void testACIPingServiceNoAction() throws Exception {
+ runTest(true, "AC_IPingService");
+ }
- private void runTest(String ... argv) throws Exception {
+ void runTest(String ... argv) throws Exception {
+ runTest(false, argv);
+ }
+ void runTest(boolean clearAction, String ... argv) throws Exception {
for (String portPrefix : argv) {
final wssec.wssc.IPingService port =
svc.getPort(
@@ -211,6 +230,26 @@ public class WSSCTest extends
AbstractBusClientServerTestBase {
((BindingProvider)port).getRequestContext()
.put(SecurityConstants.STS_TOKEN_DO_CANCEL, Boolean.TRUE);
}
+ if (clearAction) {
+ AbstractPhaseInterceptor<Message> clearActionInterceptor
+ = new
AbstractPhaseInterceptor<Message>(Phase.POST_LOGICAL) {
+ public void handleMessage(Message message) throws
Fault {
+ STSClient client = STSUtils.getClient(message,
"sct");
+ client.getOutInterceptors().add(this);
+ message.put(SecurityConstants.STS_CLIENT, client);
+ String s =
(String)message.get(SoapBindingConstants.SOAP_ACTION);
+ if (s == null) {
+ s =
SoapActionInInterceptor.getSoapAction(message);
+ }
+ if (s != null && s.contains("RST/SCT")) {
+ message.put(SoapBindingConstants.SOAP_ACTION,
"");
+ }
+ }
+ };
+
clearActionInterceptor.addBefore(SoapPreProtocolOutInterceptor.class.getName());
+
ClientProxy.getClient(port).getOutInterceptors().add(clearActionInterceptor);
+ }
+
wssec.wssc.PingRequest params = new wssec.wssc.PingRequest();
org.xmlsoap.ping.Ping ping = new org.xmlsoap.ping.Ping();
ping.setOrigin("CXF");
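Review bot: The anonymous `clearActionInterceptor` has no comment, and its two jobs are easy to miss: it blanks the SOAPAction on `RST/SCT` requests and it also installs itself on the STS client it fetches with `STSUtils.getClient(message, "sct")`. A comment above it such as `// blank the SOAPAction on RST/SCT so the server has to fall back to the WS-A Action header` would make the intent of `testACIPingServiceNoAction` clear. The action is set to `""` rather than removed, while the server-side check in this commit is `if (s != null)`. Whether an empty header reaches that check as null depends on `SoapActionInInterceptor.getSoapAction`, which is not shown, so it is worth confirming that the test really exercises the deferred path. `runTest` begins in an earlier hunk and continues past this one.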