This is an automated email from the ASF dual-hosted git repository.

ffang pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/main by this push:
     new 802dc02039 [CXF-8940]ensure ws-security.must-understand property can 
be honoured
     new e8cc4610d6 Merge pull request #1473 from ffang/CXF-8940
802dc02039 is described below

commit 802dc02039930a92f229497ff0a475c30e36e66b
Author: Freeman Fang <[email protected]>
AuthorDate: Fri Oct 13 17:16:33 2023 -0400

    [CXF-8940]ensure ws-security.must-understand property can be honoured
---
 .../security/wss4j/AbstractTokenInterceptor.java   |  6 ++-
 .../cxf/systest/ws/ut/UsernameTokenPolicyTest.java | 62 +++++++++++++++++++++-
 .../apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl |  3 ++
 .../org/apache/cxf/systest/ws/ut/policy-client.xml | 13 ++++-
 .../org/apache/cxf/systest/ws/ut/policy-server.xml | 12 ++++-
 .../cxf/systest/ws/ut/stax-policy-server.xml       | 13 ++++-
 .../systest/ws/ut/utonly-plaintext-pass-policy.xml | 16 ++++++
 .../cxf/systest/ws/wssec10/server_authorized.xml   |  2 +-
 8 files changed, 121 insertions(+), 6 deletions(-)

diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
index 3a563a73f5..742c72be20 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
@@ -169,7 +169,11 @@ public abstract class AbstractTokenInterceptor extends 
AbstractSoapInterceptor {
         el.setAttributeNS(WSS4JConstants.XMLNS_NS, "xmlns:wsse", 
WSS4JConstants.WSSE_NS);
 
         SoapHeader sh = new SoapHeader(new QName(WSS4JConstants.WSSE_NS, 
"Security"), el);
-        sh.setMustUnderstand(true);
+        boolean mustUnderstand =
+            MessageUtils.getContextualBoolean(
+                message, SecurityConstants.MUST_UNDERSTAND, true
+            );
+        sh.setMustUnderstand(mustUnderstand);
         if (actor != null && actor.length() > 0) {
             sh.setActor(actor);
         }
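Review bot: The new lookup of `SecurityConstants.MUST_UNDERSTAND` carries no comment on what relaxing it means for the receiver. With the flag false, a SOAP node that does not process `wsse:Security` may skip the header instead of faulting, so the sender loses the guarantee that the token was examined; the default of `true` keeps the previous behaviour. I would add above the lookup: `// Defaults to true; when false, a receiver that does not understand wsse:Security may ignore the header rather than fault.` The enclosing method starts and ends outside this hunk, and the imports for `MessageUtils` and `SecurityConstants` are not visible here, so presumably they already exist in the file.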
diff --git 
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenPolicyTest.java
 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenPolicyTest.java
index 00e9b9639a..f990946bcd 100644
--- 
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenPolicyTest.java
+++ 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenPolicyTest.java
@@ -28,10 +28,21 @@ import javax.xml.namespace.QName;
 import jakarta.xml.ws.Service;
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
+import org.apache.cxf.binding.soap.SoapHeader;
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
+import 
org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.SoapOutEndingInterceptor;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.ext.logging.LoggingOutInterceptor;
+import org.apache.cxf.frontend.ClientProxy;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.phase.Phase;
 import org.apache.cxf.systest.ws.common.SecurityTestUtil;
 import org.apache.cxf.systest.ws.common.TestParam;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.ws.security.SecurityConstants;
 import org.example.contract.doubleit.DoubleItPortType;
 
 import org.junit.BeforeClass;
@@ -195,6 +206,33 @@ public class UsernameTokenPolicyTest extends 
AbstractBusClientServerTestBase {
         ((java.io.Closeable)port).close();
         bus.shutdown(true);
     }
+    
+    @org.junit.Test
+    public void testOnlyHasUsernameTokenWithoutMustUnderstand() throws 
Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = 
UsernameTokenPolicyTest.class.getResource("policy-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        BusFactory.setDefaultBus(bus);
+        BusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = 
UsernameTokenPolicyTest.class.getResource("DoubleItUtPolicy.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItPlaintextPort4");
+        DoubleItPortType port =
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, test.getPort());
+        Client client = ClientProxy.getClient(port);
+        client.getRequestContext().put(SecurityConstants.MUST_UNDERSTAND, 
false);
+        client.getOutInterceptors().add(new CheckMustUnderstandHeader());
+        client.getOutInterceptors().add(new LoggingOutInterceptor());
+        assertEquals(50, port.doubleIt(25));
+        client.getRequestContext().put(SecurityConstants.MUST_UNDERSTAND, 
true);
+        assertEquals(50, port.doubleIt(25));
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
 
     @org.junit.Test
     public void testHashPassword() throws Exception {
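Review bot: Nothing in `testOnlyHasUsernameTokenWithoutMustUnderstand` confirms that `CheckMustUnderstandHeader` actually ran, so both `doubleIt` calls would still pass if the interceptor were never invoked. Keeping a reference to the interceptor, counting invocations in `handleMessage` and asserting the count after the two calls would make the check non-vacuous. The cleanup at the end also runs only on success; moving `((java.io.Closeable)port).close();` and `bus.shutdown(true);` into a `finally` block would stop a failed assertion from leaving the bus running for later tests.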
@@ -346,5 +384,27 @@ public class UsernameTokenPolicyTest extends 
AbstractBusClientServerTestBase {
         ((java.io.Closeable)port).close();
         bus.shutdown(true);
     }
-
+    
+    class CheckMustUnderstandHeader extends AbstractSoapInterceptor {
+        
+        CheckMustUnderstandHeader() {
+            super(Phase.WRITE_ENDING);
+            addBefore(SoapOutEndingInterceptor.class.getName());
+        }
+        
+        @Override
+        public void handleMessage(SoapMessage message) throws Fault {
+            SoapHeader securityHeader = (SoapHeader)message.getHeader(
+                new 
QName("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";,
 
+                          "Security"));
+            boolean mustUnderstand =
+                MessageUtils.getContextualBoolean(
+                    message, SecurityConstants.MUST_UNDERSTAND, true
+                );
+            assertEquals(securityHeader.isMustUnderstand(), mustUnderstand);
+        }
+    
+    }
+    
+    
 }
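Review bot: `handleMessage` dereferences `securityHeader` without checking it, so a message with no `wsse:Security` header fails with a NullPointerException instead of a readable assertion; `assertNotNull("wsse:Security header missing", securityHeader);` before the comparison would make the failure explicit. The `assertEquals` arguments are in (actual, expected) order, which makes the failure message misleading; `assertEquals(mustUnderstand, securityHeader.isMustUnderstand());` reads correctly. The namespace literal could be replaced by `WSS4JConstants.WSSE_NS`, which the production class in this commit already uses, at the cost of one more import in the test.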
diff --git 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl
 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl
index 916bd56e72..9ae032212d 100644
--- 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl
+++ 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl
@@ -50,6 +50,9 @@
         <wsdl:port name="DoubleItPlaintextPort3" 
binding="tns:DoubleItInlinePolicyBinding">
             <soap:address 
location="https://localhost:9009/DoubleItPlaintext3"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItPlaintextPort4" 
binding="tns:DoubleItInlinePolicyBinding">
+            <soap:address 
location="https://localhost:9009/DoubleItPlaintext4"/>
+        </wsdl:port>
         <wsdl:port name="DoubleItHashPort" 
binding="tns:DoubleItInlinePolicyBinding">
             <soap:address location="https://localhost:9009/DoubleItHash"/>
         </wsdl:port>
diff --git 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-client.xml
 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-client.xml
index f94d95380d..884d795b78 100644
--- 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-client.xml
+++ 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-client.xml
@@ -93,6 +93,17 @@
             </p:policies>
         </jaxws:features>
     </jaxws:client>
+    <jaxws:client 
name="{http://www.example.org/contract/DoubleIt}DoubleItPlaintextPort4"; 
createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="security.username" value="Alice"/>
+            <entry key="security.callback-handler" 
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference 
xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
URI="classpath:/org/apache/cxf/systest/ws/ut/utonly-plaintext-pass-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
     <jaxws:client 
name="{http://www.example.org/contract/DoubleIt}DoubleItHashPort"; 
createdFromAPI="true">
         <jaxws:properties>
             <entry key="security.username" value="Alice"/>
@@ -170,4 +181,4 @@
             </p:policies>
         </jaxws:features>
     </jaxws:client>
-</beans>
\ No newline at end of file
+</beans>
diff --git 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-server.xml
 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-server.xml
index aa731aded0..5b22a3d18f 100644
--- 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-server.xml
+++ 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/policy-server.xml
@@ -100,6 +100,16 @@
             </p:policies>
         </jaxws:features>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; 
id="PlainText4" 
address="https://localhost:${testutil.ports.PolicyServer}/DoubleItPlaintext4"; 
serviceName="s:DoubleItService" endpointName="s:DoubleItPlaintextPort4" 
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" 
wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl">
+        <jaxws:properties>
+            <entry key="security.callback-handler" 
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference 
xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
URI="classpath:/org/apache/cxf/systest/ws/ut/utonly-plaintext-pass-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; 
id="Hash" 
address="https://localhost:${testutil.ports.PolicyServer}/DoubleItHash"; 
serviceName="s:DoubleItService" endpointName="s:DoubleItHashPort" 
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" 
wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl" 
depends-on="tls-settings">
         <jaxws:properties>
             <entry key="security.callback-handler" 
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
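Review bot: The new `PlainText4` endpoint has an https address but omits the `depends-on="tls-settings"` attribute that the neighbouring `Hash` endpoint carries. If the other plaintext endpoints in this file declare it (they are outside the hunk), the new one should too, so that the endpoint is not created before the TLS configuration bean. The same applies to the `PlainText4` endpoint added to stax-policy-server.xml.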
@@ -170,4 +180,4 @@
             </p:policies>
         </jaxws:features>
     </jaxws:endpoint>
-</beans>
\ No newline at end of file
+</beans>
diff --git 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-policy-server.xml
 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-policy-server.xml
index 3cb14790c8..48842318cf 100644
--- 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-policy-server.xml
+++ 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-policy-server.xml
@@ -105,6 +105,17 @@
             </p:policies>
         </jaxws:features>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; 
id="PlainText4" 
address="https://localhost:${testutil.ports.StaxPolicyServer}/DoubleItPlaintext4";
 serviceName="s:DoubleItService" endpointName="s:DoubleItPlaintextPort4" 
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" 
wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl">
+        <jaxws:properties>
+            <entry key="security.callback-handler" 
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="ws-security.enable.streaming" value="true"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference 
xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
URI="classpath:/org/apache/cxf/systest/ws/ut/utonly-plaintext-pass-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; 
id="Hash" 
address="https://localhost:${testutil.ports.StaxPolicyServer}/DoubleItHash"; 
serviceName="s:DoubleItService" endpointName="s:DoubleItHashPort" 
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" 
wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUtPolicy.wsdl" 
depends-on="tls-settings">
         <jaxws:properties>
             <entry key="security.callback-handler" 
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
@@ -182,4 +193,4 @@
             </p:policies>
         </jaxws:features>
     </jaxws:endpoint>
-</beans>
\ No newline at end of file
+</beans>
diff --git 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/utonly-plaintext-pass-policy.xml
 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/utonly-plaintext-pass-policy.xml
new file mode 100644
index 0000000000..776bb0f54c
--- /dev/null
+++ 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/utonly-plaintext-pass-policy.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<wsp:Policy 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
wsu:Id="TransportUsernameTokenPolicy">
+    <wsp:ExactlyOne>
+        <wsp:All>
+            <sp:SupportingTokens 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
+                <wsp:Policy>
+                    <sp:UsernameToken 
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
+                        <wsp:Policy>
+                            <sp:WssUsernameToken10/>
+                        </wsp:Policy>
+                    </sp:UsernameToken>
+                </wsp:Policy>
+            </sp:SupportingTokens>
+        </wsp:All>
+    </wsp:ExactlyOne>
+</wsp:Policy>
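Review bot: The policy is given `wsu:Id="TransportUsernameTokenPolicy"` but contains no transport binding assertion, only `sp:SupportingTokens` with a `sp:UsernameToken`, so nothing in the policy itself requires the plaintext token to travel over TLS. That looks deliberate for this test, and the endpoints added in this commit use https addresses, but the Id is misleading. Provided nothing references the Id, I would rename it to something like `UsernameTokenOnlyPolicy` and add a comment after the XML declaration such as `<!-- Test-only: no binding is asserted, so transport protection is not enforced by this policy -->`.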
diff --git 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_authorized.xml
 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_authorized.xml
index 962eeeb5cf..980e4f1e0b 100644
--- 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_authorized.xml
+++ 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server_authorized.xml
@@ -88,4 +88,4 @@
             <ref bean="authorizationInterceptor"/>
         </jaxws:inInterceptors>
     </jaxws:endpoint>
-</beans>
\ No newline at end of file
+</beans>
