Author: giger
Date: Thu Mar 22 20:22:29 2012
New Revision: 1304029

URL: http://svn.apache.org/viewvc?rev=1304029&view=rev
Log:
Allow more than one supporting token of the same type. It is legal per the policy
spec to have more tokens than specified in the policy, as long as one of them
fulfills the policy.

Added:
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SupportingTokensTest.java
   (with props)
Modified:
    
webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/AssertionState.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/IssuedTokenAssertionState.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KerberosTokenAssertionState.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RelTokenAssertionState.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecureConversationTokenAssertionState.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecurityContextTokenAssertionState.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SpnegoContextTokenAssertionState.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenProtectionAssertionState.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SpnegoContextTokenTest.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/WSP13SpecTest.java
    
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/X509TokenTest.java
    
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java
    
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/InboundWSSecurityContextImpl.java
    
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/KeyValueTokenSecurityEvent.java
    
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/DerivedKeyTokenTest.java
    
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/EncDecryptionTest.java
    
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/InteroperabilityTest.java

Modified: 
webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/AssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/AssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/AssertionState.java
 (original)
+++ 
webservices/wss4j/branches/swssf/rampart-policy/src/main/java/org/apache/ws/secpolicy/AssertionState.java
 Thu Mar 22 20:22:29 2012
@@ -47,7 +47,7 @@ public class AssertionState {
     }
 
     public synchronized void setAsserted(boolean asserted) {
-        //don't allow to toogle back once the assertion is explicitly marked 
as failed;
+        //don't allow to toggle back once the assertion is explicitly marked 
as failed;
         if (this.state == State.HARD_FAILURE) {
             return;
         }

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/PolicyEnforcer.java
 Thu Mar 22 20:22:29 2012
@@ -367,6 +367,58 @@ public class PolicyEnforcer implements S
         }
     }
 
+    /**
+     * verifies the policy after the OperationSecurityEvent occured. This 
allows to
+     * stop further processing after the header is processed when the policy 
is not fulfilled.
+     *
+     * @throws WSSPolicyException       throws when the policy is invalid
+     * @throws PolicyViolationException thrown when no alternative could be 
satisifed
+     */
+    private void verifyPolicyAfterOperationSecurityEvent() throws 
WSSPolicyException {
+        String assertionMessage = null;
+        Iterator<Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> 
assertionStateMapIterator = this.assertionStateMap.iterator();
+        alternative:
+        while (assertionStateMapIterator.hasNext()) {
+            Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>> map = 
assertionStateMapIterator.next();
+            Iterator<Map.Entry<SecurityEvent.Event, Map<Assertion, 
List<Assertable>>>> iterator = map.entrySet().iterator();
+            while (iterator.hasNext()) {
+                Map.Entry<SecurityEvent.Event, Map<Assertion, 
List<Assertable>>> mapEntry = iterator.next();
+                Iterator<Map.Entry<Assertion, List<Assertable>>> 
assertionStateIterator = mapEntry.getValue().entrySet().iterator();
+                while (assertionStateIterator.hasNext()) {
+                    Map.Entry<Assertion, List<Assertable>> assertionListEntry 
= assertionStateIterator.next();
+                    List<Assertable> assertableList = 
assertionListEntry.getValue();
+                    Iterator<Assertable> assertableIterator = 
assertableList.iterator();
+                    while (assertableIterator.hasNext()) {
+                        Assertable assertable = assertableIterator.next();
+
+                        boolean doAssert = false;
+                        if (assertable instanceof TokenAssertionState) {
+                            TokenAssertionState tokenAssertionState = 
(TokenAssertionState) assertable;
+                            AbstractToken abstractToken = (AbstractToken) 
tokenAssertionState.getAssertion();
+                            AbstractSecurityAssertion assertion = 
abstractToken.getParentAssertion();
+                            if (assertion instanceof SupportingTokens) {
+                                doAssert = true;
+                            }
+                        } else if (assertable instanceof 
TokenProtectionAssertionState) {
+                            doAssert = true;
+                        }
+
+                        if (doAssert && !assertable.isAsserted()) {
+                            assertionMessage = assertable.getErrorMessage();
+                            failedAssertionStateMap.add(map);
+                            assertionStateMapIterator.remove();
+                            continue alternative;
+                        }
+                    }
+                }
+            }
+        }
+        if (assertionStateMap.isEmpty()) {
+            logFailedAssertions();
+            throw new WSSPolicyException(assertionMessage);
+        }
+    }
+
     private void logFailedAssertions() {
         Iterator<Map<SecurityEvent.Event, Map<Assertion, List<Assertable>>>> 
assertionStateMapIterator = this.failedAssertionStateMap.iterator();
         while (assertionStateMapIterator.hasNext()) {
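Review bot: The Javadoc on verifyPolicyAfterOperationSecurityEvent lists `@throws PolicyViolationException`, but the signature declares only `WSSPolicyException` and the body throws only that type, so the tag documents an exception callers can never see; drop it or make the signature match. The message handed to the final throw can be null when `assertionStateMap` is already empty on entry (the outer loop body never runs and `assertionMessage` is never assigned), which would surface as an INVALID_SECURITY fault with no reason attached; a fallback such as `throw new WSSPolicyException(assertionMessage != null ? assertionMessage : "no policy alternative is satisfied by the supporting tokens");` keeps the diagnostic. Whether an empty map can actually reach this method depends on verifyPolicy, which is outside the hunk. The Javadoc also carries the typos 'occured' and 'satisifed'.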
@@ -433,7 +485,10 @@ public class PolicyEnforcer implements S
                     SecurityEvent prevSecurityEvent = 
securityEventIterator.next();
                     verifyPolicy(prevSecurityEvent);
                 }
+
                 verifyPolicy(securityEvent);
+
+                verifyPolicyAfterOperationSecurityEvent();
             } catch (WSSPolicyException e) {
                 throw new 
WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, e);
             } catch (XMLSecurityException e) {

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/IssuedTokenAssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/IssuedTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/IssuedTokenAssertionState.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/IssuedTokenAssertionState.java
 Thu Mar 22 20:22:29 2012
@@ -54,18 +54,19 @@ public class IssuedTokenAssertionState e
             throw new WSSPolicyException("Expected a IssuedTokenSecurityEvent 
but got " + tokenSecurityEvent.getClass().getName());
         }
 
-        setAsserted(true);
-
         IssuedToken issuedToken = (IssuedToken) abstractToken;
         IssuedTokenSecurityEvent issuedTokenSecurityEvent = 
(IssuedTokenSecurityEvent) tokenSecurityEvent;
         if (issuedToken.getIssuerName() != null) {
             if 
(!issuedToken.getIssuerName().equals(issuedTokenSecurityEvent.getIssuerName())) 
{
-                setAsserted(false);
                 setErrorMessage("IssuerName in Policy (" + 
issuedToken.getIssuerName() + ") didn't match with the one in the IssuedToken 
(" + issuedTokenSecurityEvent.getIssuerName() + ")");
+                return false;
             }
         }
         //todo internal/external reference?
 
-        return isAsserted();
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens 
with the same usage
+        //appears in the message but do not fulfill the policy and are also 
not needed to fulfil the policy.
+        return true;
     }
 }
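Review bot: The two-line comment above the final `return true` is pasted verbatim into the Kerberos, KeyValue, Rel, Saml, SecureConversation, SecurityContext and SpnegoContextToken assertion states as well, and none of the copies states the most important property of the new control flow: the early `return false` branches deliberately no longer call `setAsserted(false)`, so a non-matching token leaves the state unasserted rather than failed and a later token of the same type can still satisfy it. Stating that contract once on the abstract `assertToken` declaration in TokenAssertionState and reducing each per-class copy to a one-liner such as `//a mismatch must not fail this state: another token of this type may still fulfil the policy (see TokenAssertionState#assertToken)` would keep the eight copies from drifting apart. The copies also carry small typos ('appears' for 'appear', and 'fulfill'/'fulfil' mixed in one sentence).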

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KerberosTokenAssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KerberosTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KerberosTokenAssertionState.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KerberosTokenAssertionState.java
 Thu Mar 22 20:22:29 2012
@@ -52,33 +52,35 @@ public class KerberosTokenAssertionState
             throw new WSSPolicyException("Expected a 
KerberosTokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
         }
 
-        setAsserted(true);
-
         KerberosToken kerberosToken = (KerberosToken) abstractToken;
         KerberosTokenSecurityEvent kerberosTokenSecurityEvent = 
(KerberosTokenSecurityEvent) tokenSecurityEvent;
         if (kerberosToken.getIssuerName() != null) {
             if 
(!kerberosToken.getIssuerName().equals(kerberosTokenSecurityEvent.getIssuerName()))
 {
-                setAsserted(false);
                 setErrorMessage("IssuerName in Policy (" + 
kerberosToken.getIssuerName() + ") didn't match with the one in the IssuedToken 
(" + kerberosTokenSecurityEvent.getIssuerName() + ")");
+                return false;
             }
         }
         if (kerberosToken.getApReqTokenType() != null) {
             switch (kerberosToken.getApReqTokenType()) {
                 case WssKerberosV5ApReqToken11:
                     if 
(!kerberosTokenSecurityEvent.isKerberosV5ApReqToken11()) {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces " + 
kerberosToken.getApReqTokenType());
+                        return false;
                     }
                     break;
                 case WssGssKerberosV5ApReqToken11:
                     if 
(!kerberosTokenSecurityEvent.isGssKerberosV5ApReqToken11()) {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces " + 
kerberosToken.getApReqTokenType());
+                        return false;
                     }
                     break;
             }
         }
         //todo
-        return isAsserted();
+
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens 
with the same usage
+        //appears in the message but do not fulfill the policy and are also 
not needed to fulfil the policy.
+        return true;
     }
 }

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java
 Thu Mar 22 20:22:29 2012
@@ -51,15 +51,17 @@ public class KeyValueTokenAssertionState
         if (!(tokenSecurityEvent instanceof KeyValueTokenSecurityEvent)) {
             throw new WSSPolicyException("Expected a 
KeyValueTokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
         }
-        setAsserted(true);
 
         KeyValueTokenSecurityEvent keyValueTokenSecurityEvent = 
(KeyValueTokenSecurityEvent) tokenSecurityEvent;
         KeyValueToken keyValueToken = (KeyValueToken) abstractToken;
-        if (keyValueToken.isRsaKeyValue() && 
!keyValueTokenSecurityEvent.hasRsaKeyValue()) {
-            setAsserted(false);
+        if (keyValueToken.isRsaKeyValue() && 
!keyValueTokenSecurityEvent.isRsaKeyValue()) {
             setErrorMessage("Policy enforces that a RsaKeyValue must be 
present in the KeyValueToken");
+            return false;
         }
 
-        return isAsserted();
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens 
with the same usage
+        //appears in the message but do not fulfill the policy and are also 
not needed to fulfil the policy.
+        return true;
     }
 }

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RelTokenAssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RelTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RelTokenAssertionState.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RelTokenAssertionState.java
 Thu Mar 22 20:22:29 2012
@@ -55,16 +55,17 @@ public class RelTokenAssertionState exte
         RelTokenSecurityEvent relTokenSecurityEvent = (RelTokenSecurityEvent) 
tokenSecurityEvent;
         RelToken relToken = (RelToken) abstractToken;
 
-        setAsserted(true);
-
         if (relToken.getIssuerName() != null && 
!relToken.getIssuerName().equals(relTokenSecurityEvent.getIssuerName())) {
-            setAsserted(false);
             setErrorMessage("IssuerName in Policy (" + 
relToken.getIssuerName() + ") didn't match with the one in the RelToken (" + 
relTokenSecurityEvent.getIssuerName() + ")");
+            return false;
         }
 
         //todo RequireKeyIdentifierReference
         //todo WssRelV*
 
-        return isAsserted();
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens 
with the same usage
+        //appears in the message but do not fulfill the policy and are also 
not needed to fulfil the policy.
+        return true;
     }
 }

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java
 Thu Mar 22 20:22:29 2012
@@ -58,42 +58,43 @@ public class SamlTokenAssertionState ext
         SamlTokenSecurityEvent samlTokenSecurityEvent = 
(SamlTokenSecurityEvent) tokenSecurityEvent;
         SamlToken samlToken = (SamlToken) abstractToken;
 
-        setAsserted(true);
         if (samlToken.getIssuerName() != null && 
!samlToken.getIssuerName().equals(samlTokenSecurityEvent.getIssuerName())) {
-            setAsserted(false);
             setErrorMessage("IssuerName in Policy (" + 
samlToken.getIssuerName() + ") didn't match with the one in the SamlToken (" + 
samlTokenSecurityEvent.getIssuerName() + ")");
+            return false;
         }
         if (samlToken.isRequireKeyIdentifierReference() && 
((AbstractSecurityToken) 
samlTokenSecurityEvent.getSecurityToken()).getKeyIdentifierType() != 
WSSConstants.KeyIdentifierType.X509_KEY_IDENTIFIER) {
-            setAsserted(false);
             setErrorMessage("Policy enforces KeyIdentifierReference but we got 
" + samlTokenSecurityEvent.getSecurityToken().getTokenType());
+            return false;
         }
         if (samlToken.getSamlTokenType() != null) {
             switch (samlToken.getSamlTokenType()) {
                 case WssSamlV11Token10:
                     if (samlTokenSecurityEvent.getSamlVersion() != 
SAMLVersion.VERSION_10) {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces 
SamlVersion11Profile10 but we got " + samlTokenSecurityEvent.getSamlVersion());
+                        return false;
                     }
                     break;
                 case WssSamlV11Token11:
                     if (samlTokenSecurityEvent.getSamlVersion() != 
SAMLVersion.VERSION_11) {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces 
SamlVersion11Profile11 but we got " + samlTokenSecurityEvent.getSamlVersion());
+                        return false;
                     }
                     break;
                 case WssSamlV20Token11:
                     if (samlTokenSecurityEvent.getSamlVersion() != 
SAMLVersion.VERSION_20) {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces 
SamlVersion20Profile11 but we got " + samlTokenSecurityEvent.getSamlVersion());
+                        return false;
                     }
                     break;
                 case WssSamlV10Token10:
                 case WssSamlV10Token11:
-                    setAsserted(false);
                     setErrorMessage("Unsupported token type: " + 
samlToken.getSamlTokenType());
-                    break;
+                    return false;
             }
         }
-        return isAsserted();
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens 
with the same usage
+        //appears in the message but do not fulfill the policy and are also 
not needed to fulfil the policy.
+        return true;
     }
 }

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecureConversationTokenAssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecureConversationTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecureConversationTokenAssertionState.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecureConversationTokenAssertionState.java
 Thu Mar 22 20:22:29 2012
@@ -54,19 +54,19 @@ public class SecureConversationTokenAsse
         SecureConversationTokenSecurityEvent secureConversationSecurityEvent = 
(SecureConversationTokenSecurityEvent) tokenSecurityEvent;
         SecureConversationToken secureConversationToken = 
(SecureConversationToken) abstractToken;
 
-        setAsserted(true);
-
         if (secureConversationToken.getIssuerName() != null && 
!secureConversationToken.getIssuerName().equals(secureConversationSecurityEvent.getIssuerName()))
 {
-            setAsserted(false);
             setErrorMessage("IssuerName in Policy (" + 
secureConversationToken.getIssuerName() + ") didn't match with the one in the 
SecureConversationToken (" + secureConversationSecurityEvent.getIssuerName() + 
")");
+            return false;
         }
         if (secureConversationToken.isRequireExternalUriReference() && 
!secureConversationSecurityEvent.isExternalUriRef()) {
-            setAsserted(false);
             setErrorMessage("Policy enforces externalUriRef but we didn't got 
one");
+            return false;
         }
         //todo sp:SC13SecurityContextToken:
-        //if (securityContextToken.isSc10SecurityContextToken() && )
         //todo MustNotSendCancel etc...
-        return isAsserted();
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens 
with the same usage
+        //appears in the message but do not fulfill the policy and are also 
not needed to fulfil the policy.
+        return true;
     }
 }

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecurityContextTokenAssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecurityContextTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecurityContextTokenAssertionState.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SecurityContextTokenAssertionState.java
 Thu Mar 22 20:22:29 2012
@@ -54,18 +54,19 @@ public class SecurityContextTokenAsserti
         SecurityContextTokenSecurityEvent securityContextTokenSecurityEvent = 
(SecurityContextTokenSecurityEvent) tokenSecurityEvent;
         SecurityContextToken securityContextToken = (SecurityContextToken) 
abstractToken;
 
-        setAsserted(true);
-
         if (securityContextToken.getIssuerName() != null && 
!securityContextToken.getIssuerName().equals(securityContextTokenSecurityEvent.getIssuerName()))
 {
-            setAsserted(false);
             setErrorMessage("IssuerName in Policy (" + 
securityContextToken.getIssuerName() + ") didn't match with the one in the 
SecurityContextToken (" + securityContextTokenSecurityEvent.getIssuerName() + 
")");
+            return false;
         }
         if (securityContextToken.isRequireExternalUriReference() && 
!securityContextTokenSecurityEvent.isExternalUriRef()) {
-            setAsserted(false);
             setErrorMessage("Policy enforces externalUriRef but we didn't got 
one");
+            return false;
         }
         //todo sp:SC13SecurityContextToken:
-        //if (securityContextToken.isSc10SecurityContextToken() && )
-        return isAsserted();
+
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens 
with the same usage
+        //appears in the message but do not fulfill the policy and are also 
not needed to fulfil the policy.
+        return true;
     }
 }

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SpnegoContextTokenAssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SpnegoContextTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SpnegoContextTokenAssertionState.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SpnegoContextTokenAssertionState.java
 Thu Mar 22 20:22:29 2012
@@ -51,11 +51,20 @@ public class SpnegoContextTokenAssertion
         if (!(tokenSecurityEvent instanceof SpnegoContextTokenSecurityEvent)) {
             throw new WSSPolicyException("Expected a 
SpnegoContextTokenSecurityEvent but got " + 
tokenSecurityEvent.getClass().getName());
         }
-        setAsserted(true);
 
         SpnegoContextToken spnegoContextToken = (SpnegoContextToken) 
abstractToken;
         SpnegoContextTokenSecurityEvent spnegoContextTokenSecurityEvent = 
(SpnegoContextTokenSecurityEvent) tokenSecurityEvent;
+        if (spnegoContextToken.getIssuerName() != null) {
+            if 
(!spnegoContextToken.getIssuerName().equals(spnegoContextTokenSecurityEvent.getIssuerName()))
 {
+                setErrorMessage("IssuerName in Policy (" + 
spnegoContextToken.getIssuerName() + ") didn't match with the one in the 
IssuedToken (" + spnegoContextTokenSecurityEvent.getIssuerName() + ")");
+                return false;
+            }
+        }
         //todo MustNotSend*
-        return isAsserted();
+
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens 
with the same usage
+        //appears in the message but do not fulfill the policy and are also 
not needed to fulfil the policy.
+        return true;
     }
 }
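Review bot: The new issuer-name error message names the wrong token type: it reports a mismatch "in the IssuedToken" although this state checks a SpnegoContextToken, which will mislead whoever reads the resulting policy fault; change it to `setErrorMessage("IssuerName in Policy (" + spnegoContextToken.getIssuerName() + ") didn't match with the one in the SpnegoContextToken (" + spnegoContextTokenSecurityEvent.getIssuerName() + ")");`. The same copy-paste wording is still present in the unchanged context line of KerberosTokenAssertionState in this commit. The check itself follows the pattern of the other token states (an issuer mismatch returns false without marking the state as failed).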

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java
 Thu Mar 22 20:22:29 2012
@@ -30,6 +30,7 @@ import org.swssf.xmlsec.ext.SecurityToke
 import org.swssf.xmlsec.ext.XMLSecurityException;
 
 import java.util.Iterator;
+import java.util.List;
 
 /**
  * WSP1.3, 5 Token Assertions
@@ -50,12 +51,18 @@ public abstract class TokenAssertionStat
     @Override
     public boolean assertEvent(SecurityEvent securityEvent) throws 
WSSPolicyException, XMLSecurityException {
 
+        if (isAsserted()) {
+            //just return true when this token assertion is already fulfilled.
+            return true;
+        }
+
         TokenSecurityEvent tokenSecurityEvent = (TokenSecurityEvent) 
securityEvent;
         AbstractToken abstractToken = (AbstractToken) getAssertion();
         final AbstractSecurityAssertion parentAssertion = 
abstractToken.getParentAssertion();
 
         int ignoreToken = 0;
-        Iterator<SecurityToken.TokenUsage> tokenUsageIterator = 
tokenSecurityEvent.getSecurityToken().getTokenUsages().iterator();
+        final List<SecurityToken.TokenUsage> tokenUsages = 
tokenSecurityEvent.getSecurityToken().getTokenUsages();
+        Iterator<SecurityToken.TokenUsage> tokenUsageIterator = 
tokenUsages.iterator();
         while (tokenUsageIterator.hasNext()) {
             SecurityToken.TokenUsage tokenUsage = tokenUsageIterator.next();
             switch (tokenUsage) {
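Review bot: The new `if (isAsserted()) return true;` guard runs before the token-usage classification and before the `TokenSecurityEvent` cast, so once a state has been asserted every later event routed to it is accepted without checking whether the token carries MainSignature or MainEncryption usage, or even is a TokenSecurityEvent. For supporting tokens that is exactly the intent of the log message; for the main signature and encryption tokens it would let a second token of the same policy type that violates the policy pass, if the processing model can deliver two such tokens in one message, which cannot be determined from this hunk. If that case is impossible, a comment saying so would help, e.g. `//safe shortcut: main signature/encryption tokens occur once per message and supporting tokens only need one match`; otherwise the shortcut belongs after the usage loop so it only applies to tokens that are not main signature/encryption tokens. assertEvent continues outside this hunk.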
@@ -105,7 +112,7 @@ public abstract class TokenAssertionStat
                     break;
             }
         }
-        if (ignoreToken >= 
tokenSecurityEvent.getSecurityToken().getTokenUsages().size()) {
+        if (ignoreToken >= tokenUsages.size()) {
             //token is not for us, so return true to prevent false alarm
             return true;
         }
@@ -139,7 +146,15 @@ public abstract class TokenAssertionStat
             }
         }
 
-        return assertToken(tokenSecurityEvent, abstractToken);
+        boolean asserted = assertToken(tokenSecurityEvent, abstractToken);
+        if (!asserted && 
(tokenUsages.contains(SecurityToken.TokenUsage.MainSignature)
+                || 
tokenUsages.contains(SecurityToken.TokenUsage.MainEncryption))) {
+            //return false if not asserted for the main signature and 
encryption tokens
+            return false;
+        } else {
+            //always return true for supporting tokens.
+            return true;
+        }
     }
 
     public abstract boolean assertToken(TokenSecurityEvent tokenSecurityEvent, 
AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException;
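Review bot: The `else` branch turns a failed `assertToken` into `true` for every non-main usage, so within this method an unfulfilled supporting token is indistinguishable from a fulfilled one; the actual enforcement now happens only in PolicyEnforcer.verifyPolicyAfterOperationSecurityEvent (added in this commit), and the comment should say so because nothing in this file points the reader there: `//supporting tokens: leave the state unasserted and let PolicyEnforcer.verifyPolicyAfterOperationSecurityEvent() fail the alternative if no token of this type was asserted`. The `else` after a `return` is redundant; `return asserted || !(tokenUsages.contains(SecurityToken.TokenUsage.MainSignature) || tokenUsages.contains(SecurityToken.TokenUsage.MainEncryption));` expresses the same decision in one statement. The method body starts outside this hunk.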

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenProtectionAssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenProtectionAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenProtectionAssertionState.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenProtectionAssertionState.java
 Thu Mar 22 20:22:29 2012
@@ -212,14 +212,17 @@ public class TokenProtectionAssertionSta
 
     private boolean signsSignedSupportingTokens(SecurityToken securityToken) 
throws XMLSecurityException {
 
-        int numberOfSignedEndorsingSupportingTokens = 0;
+        List<SecurityToken> signedSupportingTokens = new 
LinkedList<SecurityToken>();
         List<SignedElementSecurityEvent> signedElements = new 
LinkedList<SignedElementSecurityEvent>();
         Iterator<TokenSecurityEvent> tokenSecurityEventIterator = 
tokenSecurityEvents.iterator();
         while (tokenSecurityEventIterator.hasNext()) {
             TokenSecurityEvent tokenSecurityEvent = 
tokenSecurityEventIterator.next();
             SecurityToken supportingToken = 
tokenSecurityEvent.getSecurityToken();
             if (isSignedSupportingToken(supportingToken)) {
-                numberOfSignedEndorsingSupportingTokens++;
+                if (signedSupportingTokens.contains(supportingToken)) {
+                    continue;
+                }
+                signedSupportingTokens.add(supportingToken);
                 List<QName> elementPath = supportingToken.getElementPath();
 
                 boolean found = false;
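Review bot: The new `signedSupportingTokens.contains(supportingToken)` dedup depends on how SecurityToken defines equals, which this hunk does not show; if it is not overridden, two events holding distinct objects for the same token are still counted twice and the later `signedSupportingTokens.size() > signedElements.size()` check rejects the message (a false alarm on the safe side), while events sharing one object collapse into one. State the intended equality at the `contains` line, e.g. `// one supporting token may raise several events: count each token object once`. If identity is the intent, a `Set<SecurityToken>` would make both the meaning and the lookup cost explicit; `size()` on the later comparison works unchanged. The method's end is outside the hunk.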
@@ -244,7 +247,7 @@ public class TokenProtectionAssertionSta
                 }
             }
         }
-        if (numberOfSignedEndorsingSupportingTokens > signedElements.size()) {
+        if (signedSupportingTokens.size() > signedElements.size()) {
             return false;
         }
 

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java
 Thu Mar 22 20:22:29 2012
@@ -58,47 +58,49 @@ public class UsernameTokenAssertionState
         UsernameTokenSecurityEvent usernameTokenSecurityEvent = 
(UsernameTokenSecurityEvent) tokenSecurityEvent;
         UsernameToken usernameToken = (UsernameToken) abstractToken;
 
-        setAsserted(true);
         if (usernameToken.getPasswordType() != null) {
             switch (usernameToken.getPasswordType()) {
                 case NoPassword:
                     if 
(usernameTokenSecurityEvent.getUsernameTokenPasswordType() != 
WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
-                        setAsserted(false);
                         setErrorMessage("UsernameToken contains a password but 
the policy prohibits it");
+                        return false;
                     }
                     break;
                 case HashPassword:
                     if 
(usernameTokenSecurityEvent.getUsernameTokenPasswordType() != 
WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
-                        setAsserted(false);
                         setErrorMessage("UsernameToken does not contain a 
hashed password");
+                        return false;
                     }
                     break;
             }
         }
         if (usernameToken.isCreated() && (usernameSecurityToken.getCreated() 
== null || usernameTokenSecurityEvent.getUsernameTokenPasswordType() != 
WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT)) {
-            setAsserted(false);
             setErrorMessage("UsernameToken does not contain a created 
timestamp or password is not plain text");
+            return false;
         }
         if (usernameToken.isNonce() && (usernameSecurityToken.getNonce() == 
null || usernameTokenSecurityEvent.getUsernameTokenPasswordType() != 
WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT)) {
-            setAsserted(false);
             setErrorMessage("UsernameToken does not contain a nonce or 
password is not plain text");
+            return false;
         }
         if (usernameToken.getUsernameTokenType() != null) {
             switch (usernameToken.getUsernameTokenType()) {
                 case WssUsernameToken10:
                     if 
(usernameTokenSecurityEvent.getUsernameTokenProfile().equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11))
 {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces UsernameToken profile 
1.0 but we got 1.1");
+                        return false;
                     }
                     break;
                 case WssUsernameToken11:
                     if 
(!usernameTokenSecurityEvent.getUsernameTokenProfile().equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11))
 {
-                        setAsserted(false);
                         setErrorMessage("Policy enforces UsernameToken profile 
1.1 but we got 1.0");
+                        return false;
                     }
                     break;
             }
         }
-        return isAsserted();
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens 
with the same usage
+        //appears in the message but do not fulfill the policy and are also 
not needed to fulfil the policy.
+        return true;
     }
 }
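Review bot: The error message written before each new `return false` is never cleared on the success path at `setAsserted(true)`, so after a non-matching token followed by a matching one the state is asserted but still carries the earlier failure text; whether that text reaches the caller depends on how the enforcer reads `getErrorMessage()`, which this hunk does not show. If it is reported independently of the asserted flag, `setErrorMessage(null);` (or whatever empty value the accessor expects) next to `setAsserted(true)` keeps the two in step. The X509TokenAssertionState hunk below has the same pattern. The method's signature is outside the hunk.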

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java
 Thu Mar 22 20:22:29 2012
@@ -68,66 +68,69 @@ public class X509TokenAssertionState ext
                 || WSSConstants.X509PkiPathV1Token.equals(tokenType))) {
             throw new WSSPolicyException("Invalid Token for this assertion");
         }
-        setAsserted(true);
+
         try {
             X509Certificate x509Certificate = 
securityToken.getX509Certificates()[0];
             if (x509Token.getIssuerName() != null) {
                 final String certificateIssuerName = 
x509Certificate.getIssuerX500Principal().getName();
                 if (!x509Token.getIssuerName().equals(certificateIssuerName)) {
-                    setAsserted(false);
                     setErrorMessage("IssuerName in Policy (" + 
x509Token.getIssuerName() + ") didn't match with the one in the certificate (" 
+ certificateIssuerName + ")");
+                    return false;
                 }
             }
             if (x509Token.isRequireKeyIdentifierReference() && 
securityToken.getKeyIdentifierType() != 
WSSConstants.KeyIdentifierType.X509_KEY_IDENTIFIER) {
-                setAsserted(false);
                 setErrorMessage("Policy enforces KeyIdentifierReference but we 
got " + securityToken.getKeyIdentifierType());
+                return false;
             } else if (x509Token.isRequireIssuerSerialReference() && 
securityToken.getKeyIdentifierType() != 
WSSConstants.KeyIdentifierType.ISSUER_SERIAL) {
-                setAsserted(false);
                 setErrorMessage("Policy enforces IssuerSerialReference but we 
got " + securityToken.getKeyIdentifierType());
+                return false;
             } else if (x509Token.isRequireEmbeddedTokenReference() && 
securityToken.getKeyIdentifierType() != 
WSSConstants.KeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE) {
-                setAsserted(false);
                 setErrorMessage("Policy enforces EmbeddedTokenReference but we 
got " + securityToken.getKeyIdentifierType());
+                return false;
             } else if (x509Token.isRequireThumbprintReference() && 
securityToken.getKeyIdentifierType() != 
WSSConstants.KeyIdentifierType.THUMBPRINT_IDENTIFIER) {
-                setAsserted(false);
                 setErrorMessage("Policy enforces ThumbprintReference but we 
got " + securityToken.getKeyIdentifierType());
+                return false;
             }
             if (x509Certificate.getVersion() == 2) {
-                setAsserted(false);
                 setErrorMessage("X509Certificate Version " + 
x509Certificate.getVersion() + " not supported");
+                return false;
             }
             if (x509Token.getTokenType() != null) {
                 switch (x509Token.getTokenType()) {
                     case WssX509V3Token10:
                     case WssX509V3Token11:
                         if (WSSConstants.X509V3Token != 
securityToken.getTokenType() || x509Certificate.getVersion() != 3) {
-                            setAsserted(false);
                             setErrorMessage("X509Certificate Version " + 
x509Certificate.getVersion() + " mismatch; Policy enforces " + 
x509Token.getTokenType());
+                            return false;
                         }
                         break;
                     case WssX509V1Token11:
                         if (WSSConstants.X509V1Token != 
securityToken.getTokenType() || x509Certificate.getVersion() != 1) {
-                            setAsserted(false);
                             setErrorMessage("X509Certificate Version " + 
x509Certificate.getVersion() + " mismatch; Policy enforces " + 
x509Token.getTokenType());
+                            return false;
                         }
                         break;
                     case WssX509PkiPathV1Token10:
                     case WssX509PkiPathV1Token11:
                         if (securityToken.getTokenType() != 
WSSConstants.X509PkiPathV1Token) {
-                            setAsserted(false);
                             setErrorMessage("Policy enforces " + 
x509Token.getTokenType() + " but we got " + securityToken.getTokenType());
+                            return false;
                         }
                         break;
                     case WssX509Pkcs7Token10:
                     case WssX509Pkcs7Token11:
-                        setAsserted(false);
                         setErrorMessage("Unsupported token type: " + 
securityToken.getTokenType());
-                        break;
+                        return false;
                 }
             }
         } catch (XMLSecurityException e) {
-            setAsserted(false);
             setErrorMessage(e.getMessage());
+            return false;
         }
-        return isAsserted();
+
+        setAsserted(true);
+        //always return true to prevent false alarm in case additional tokens 
with the same usage
+        //appears in the message but do not fulfill the policy and are also 
not needed to fulfil the policy.
+        return true;
     }
 }
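Review bot: `securityToken.getX509Certificates()[0]` at the top of the try sits outside the new early-return scheme: if the array can be empty or null (not visible here), the resulting unchecked exception is not covered by `catch (XMLSecurityException e)`, so instead of `setErrorMessage` plus `return false` the whole assertion run aborts. Since every other mismatch in this method now reports and returns false, the same treatment fits here, e.g. `X509Certificate[] certificates = securityToken.getX509Certificates();` followed by `if (certificates == null || certificates.length == 0) { setErrorMessage("Token contains no X509Certificate"); return false; }` before the existing `[0]` access. The enclosing method starts outside the hunk.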

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java
 Thu Mar 22 20:22:29 2012
@@ -67,12 +67,14 @@ public class KeyValueTokenTest extends A
 
         PolicyEnforcer policyEnforcer = 
buildAndStartPolicyEngine(policyString);
         KeyValueTokenSecurityEvent initiatorTokenSecurityEvent = new 
KeyValueTokenSecurityEvent();
+        initiatorTokenSecurityEvent.setRsaKeyValue(true);
         SecurityToken securityToken = getX509Token(WSSConstants.X509V3Token);
         securityToken.addTokenUsage(SecurityToken.TokenUsage.MainSignature);
         initiatorTokenSecurityEvent.setSecurityToken(securityToken);
         policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);
 
         KeyValueTokenSecurityEvent recipientTokenSecurityEvent = new 
KeyValueTokenSecurityEvent();
+        recipientTokenSecurityEvent.setRsaKeyValue(true);
         securityToken = getX509Token(WSSConstants.X509V3Token);
         securityToken.addTokenUsage(SecurityToken.TokenUsage.MainEncryption);
         recipientTokenSecurityEvent.setSecurityToken(securityToken);

Modified: 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SpnegoContextTokenTest.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SpnegoContextTokenTest.java?rev=1304029&r1=1304028&r2=1304029&view=diff
==============================================================================
--- 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SpnegoContextTokenTest.java
 (original)
+++ 
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SpnegoContextTokenTest.java
 Thu Mar 22 20:22:29 2012
@@ -75,6 +75,7 @@ public class SpnegoContextTokenTest exte
         policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);
 
         SpnegoContextTokenSecurityEvent recipientTokenSecurityEvent = new 
SpnegoContextTokenSecurityEvent();
+        recipientTokenSecurityEvent.setIssuerName("xs:anyURI");
         securityToken = getX509Token(WSSConstants.X509V3Token);
         securityToken.addTokenUsage(SecurityToken.TokenUsage.MainEncryption);
         recipientTokenSecurityEvent.setSecurityToken(securityToken);

