Author: giger
Date: Mon May 20 16:08:18 2013
New Revision: 1484511
URL: http://svn.apache.org/r1484511
Log:
fix for WSS-443
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/TransportBindingIntegrationTest.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/InboundWSSecurityContextImplTest.java
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java?rev=1484511&r1=1484510&r2=1484511&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
(original)
+++
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
Mon May 20 16:08:18 2013
@@ -99,14 +99,23 @@ public abstract class TokenAssertionStat
continue loop;
}
- SupportingTokens supportingTokens = (SupportingTokens)
parentAssertion;
-
- // Allow *SupportingToken policies which are processed as
Signed*SupportingTokens
- if (!(tokenUsage.getName().startsWith("Signed")
- &&
!supportingTokens.getName().getLocalPart().contains("Signed"))
- &&
!tokenUsage.getName().equals(supportingTokens.getName().getLocalPart())) {
- ignoreToken++;
- continue loop;
+ // Allow *SupportingToken policies which are processed as
Signed|Encrypted*SupportingTokens
+ final SupportingTokens supportingTokens = (SupportingTokens)
parentAssertion;
+ final String tokenUsageName = tokenUsage.getName();
+ final String supportingTokensName =
supportingTokens.getName().getLocalPart();
+ if (!tokenUsageName.equals(supportingTokensName)) {
+ if (supportingTokensName.contains("Endorsing") &&
!tokenUsageName.contains("Endorsing")) {
+ ignoreToken++;
+ continue loop;
+ }
+ if (supportingTokensName.startsWith("Signed") &&
!tokenUsageName.startsWith("Signed")) {
+ ignoreToken++;
+ continue loop;
+ }
+ if (supportingTokensName.contains("Encrypted") &&
!tokenUsageName.contains("Encrypted")) {
+ ignoreToken++;
+ continue loop;
+ }
}
}
}
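Review bot: The new acceptance logic at L45–L60 decides by substring tests on two names (`startsWith("Signed")`, `contains("Endorsing")`, `contains("Encrypted")`), yet the only comment still says "Signed|Encrypted*SupportingTokens" although Endorsing is checked as well; the rule being implemented should be spelled out next to the checks, e.g. `// A token processed under a stricter usage may satisfy a weaker policy; reject only when the policy names an attribute (Endorsing, Signed, Encrypted) that the actual usage lacks.` As far as the visible lines show, the three checks cover the three attributes, so a weaker usage cannot satisfy a stricter policy; but since it is name-based, any future usage constant spelled differently (another prefix for "Signed", say) would be accepted silently, so a table-driven unit test pairing every policy variant with every usage variant would pin this down. The enclosing loop and method start before the hunk.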
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/TransportBindingIntegrationTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/TransportBindingIntegrationTest.java?rev=1484511&r1=1484510&r2=1484511&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/TransportBindingIntegrationTest.java
(original)
+++
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/TransportBindingIntegrationTest.java
Mon May 20 16:08:18 2013
@@ -486,6 +486,218 @@ public class TransportBindingIntegration
}
@Test
+ public void
testIncludeTimestampAndSignedUsernameSupportingTokenPolicyNegativeTest_2()
throws Exception {
+
+ String policyString =
+ "<wsp:ExactlyOne
xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
+
"xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
+ " <wsp:All>\n" +
+ " <sp:TransportBinding>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:TransportToken>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:HttpsToken>\n" +
+ "
<!--<sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>-->\n" +
+ "
<sp:IssuerName>transmitter</sp:IssuerName>\n" +
+ " <wsp:Policy>\n" +
+ "
<sp:HttpBasicAuthentication/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:HttpsToken>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:TransportToken>\n" +
+ " <sp:AlgorithmSuite>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:Basic256/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:AlgorithmSuite>\n" +
+ " <sp:Layout>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:Lax/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:Layout>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:TransportBinding>\n" +
+ " <sp:SignedSupportingTokens>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:UsernameToken
IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n"
+
+ " <wsp:Policy>\n" +
+ " <sp:NoPassword/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:UsernameToken>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:SignedSupportingTokens>\n" +
+ " </wsp:All>\n" +
+ " </wsp:ExactlyOne>";
+
+ WSSSecurityProperties outSecurityProperties = new
WSSSecurityProperties();
+ outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ outSecurityProperties.setEncryptionUser("receiver");
+
outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"),
"default".toCharArray());
+ outSecurityProperties.setSignatureUser("transmitter");
+ outSecurityProperties.setTokenUser("transmitter");
+
outSecurityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
+
outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"),
"default".toCharArray());
+
+ WSSConstants.Action[] actions = new
WSSConstants.Action[]{WSSConstants.USERNAMETOKEN, WSSConstants.SIGNATURE,
WSSConstants.ENCRYPT};
+ outSecurityProperties.setOutAction(actions);
+
+ InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ ByteArrayOutputStream baos = doOutboundSecurity(outSecurityProperties,
sourceDocument);
+
+ WSSSecurityProperties inSecurityProperties = new
WSSSecurityProperties();
+ inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+
inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+
inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+
+ PolicyEnforcer policyEnforcer =
buildAndStartPolicyEngine(policyString);
+ inSecurityProperties.addInputProcessor(new
PolicyInputProcessor(policyEnforcer, inSecurityProperties));
+
+/*
+ HttpsTokenSecurityEvent httpsTokenSecurityEvent = new
HttpsTokenSecurityEvent();
+ httpsTokenSecurityEvent.setIssuerName("transmitter");
+
httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
+ HttpsSecurityTokenImpl httpsSecurityToken = new
HttpsSecurityTokenImpl(true, "transmitter");
+
httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
+ httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
+*/
+
+ List<SecurityEvent> securityEventList = new ArrayList<SecurityEvent>();
+ //securityEventList.add(httpsTokenSecurityEvent);
+
+ try {
+ Document document = doInboundSecurity(inSecurityProperties, new
ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);
+
+ //read the whole stream:
+ Transformer transformer =
TransformerFactory.newInstance().newTransformer();
+ transformer.transform(new DOMSource(document), new StreamResult(
+ new OutputStream() {
+ @Override
+ public void write(int b) throws IOException {
+ // > /dev/null
+ }
+ }
+ ));
+ Assert.fail("Exception expected");
+ } catch (XMLStreamException e) {
+ Assert.assertTrue(e.getCause() instanceof WSSecurityException);
+ Assert.assertEquals(e.getCause().getMessage(),
+ "Assertion
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken not
satisfied");
+ Assert.assertEquals(((WSSecurityException)
e.getCause()).getFaultCode(), WSSecurityException.INVALID_SECURITY);
+ }
+ }
+
+ @Test
+ public void
testIncludeTimestampAndSignedEncryptedUsernameSupportingTokenPolicy() throws
Exception {
+
+ String policyString =
+ "<wsp:ExactlyOne
xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
+
"xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
+ " <wsp:All>\n" +
+ " <sp:TransportBinding>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:TransportToken>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:HttpsToken>\n" +
+ "
<!--<sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>-->\n" +
+ "
<sp:IssuerName>transmitter</sp:IssuerName>\n" +
+ " <wsp:Policy>\n" +
+ "
<sp:HttpBasicAuthentication/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:HttpsToken>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:TransportToken>\n" +
+ " <sp:AlgorithmSuite>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:Basic256/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:AlgorithmSuite>\n" +
+ " <sp:Layout>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:Lax/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:Layout>\n" +
+ " <sp:IncludeTimestamp/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:TransportBinding>\n" +
+ " <sp:SignedParts>\n" +
+ " <sp:Body/>\n" +
+ " <sp:Header Name=\"Header1\"
Namespace=\"...\"/>\n" +
+ " <sp:Header
Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n"
+
+ " </sp:SignedParts>\n" +
+ " <sp:SignedElements>\n" +
+ " <sp:XPath
xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n"
+
+ " </sp:SignedElements>\n" +
+ " <sp:EncryptedParts>\n" +
+ " <sp:Body/>\n" +
+ " <sp:Header Name=\"Header2\"
Namespace=\"...\"/>\n" +
+ " <sp:Header
Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n"
+
+ " </sp:EncryptedParts>\n" +
+ " <sp:EncryptedElements>\n" +
+ " <sp:XPath
xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n"
+
+ " </sp:EncryptedElements>\n" +
+ " <sp:ContentEncryptedElements>\n" +
+ " <sp:XPath
xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n"
+
+ " </sp:ContentEncryptedElements>\n" +
+ "
<sp:SignedEncryptedSupportingTokens>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:UsernameToken
IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n"
+
+ " <wsp:Policy>\n" +
+ " <sp:NoPassword/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:UsernameToken>\n" +
+ " </wsp:Policy>\n" +
+ "
</sp:SignedEncryptedSupportingTokens>\n" +
+ " </wsp:All>\n" +
+ " </wsp:ExactlyOne>";
+
+ WSSSecurityProperties outSecurityProperties = new
WSSSecurityProperties();
+ outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ outSecurityProperties.setEncryptionUser("receiver");
+
outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"),
"default".toCharArray());
+ outSecurityProperties.setSignatureUser("transmitter");
+ outSecurityProperties.setTokenUser("transmitter");
+
outSecurityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
+
outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"),
"default".toCharArray());
+
+ WSSConstants.Action[] actions = new
WSSConstants.Action[]{WSSConstants.USERNAMETOKEN, WSSConstants.TIMESTAMP,
WSSConstants.SIGNATURE, WSSConstants.ENCRYPT};
+ outSecurityProperties.setOutAction(actions);
+
+ InputStream sourceDocument =
this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ ByteArrayOutputStream baos = doOutboundSecurity(outSecurityProperties,
sourceDocument);
+
+ WSSSecurityProperties inSecurityProperties = new
WSSSecurityProperties();
+ inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+
inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+
inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+
+ PolicyEnforcer policyEnforcer =
buildAndStartPolicyEngine(policyString);
+ inSecurityProperties.addInputProcessor(new
PolicyInputProcessor(policyEnforcer, null));
+
+ HttpsTokenSecurityEvent httpsTokenSecurityEvent = new
HttpsTokenSecurityEvent();
+ httpsTokenSecurityEvent.setIssuerName("transmitter");
+
httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
+ HttpsSecurityTokenImpl httpsSecurityToken = new
HttpsSecurityTokenImpl(true, "transmitter");
+
httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
+ httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
+
+ List<SecurityEvent> securityEventList = new ArrayList<SecurityEvent>();
+ securityEventList.add(httpsTokenSecurityEvent);
+
+ Document document = doInboundSecurity(inSecurityProperties, new
ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);
+
+ //read the whole stream:
+ Transformer transformer =
TransformerFactory.newInstance().newTransformer();
+ transformer.transform(new DOMSource(document), new StreamResult(
+ new OutputStream() {
+ @Override
+ public void write(int b) throws IOException {
+ // > /dev/null
+ }
+ }
+ ));
+ }
+
+ @Test
public void
testIncludeTimestampAndProtectionOrderEncryptBeforeSignAndSignedUsernameSupportingTokenPolicyTest()
throws Exception {
String policyString =
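Review bot: The first new test carries a commented-out HttpsTokenSecurityEvent setup at L170–L184; if the point of the negative test is that without an HTTPS token event the UsernameToken cannot count as signed and the policy must therefore fail, say that in one comment and delete the dead block, e.g. `// deliberately no HttpsTokenSecurityEvent: presumably without transport security the token is not signed, so the SignedSupportingTokens assertion must fail`, otherwise it reads as an unfinished edit. The second test also passes `null` for the security properties to `PolicyInputProcessor` (L338) while the first passes `inSecurityProperties` (L168); the two should agree unless the difference is intentional, in which case it deserves a comment. The method that starts at the end of the hunk continues outside it.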
Modified:
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java?rev=1484511&r1=1484510&r2=1484511&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java
(original)
+++
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java
Mon May 20 16:08:18 2013
@@ -238,7 +238,7 @@ public class InboundWSSecurityContextImp
boolean transportSecurityActive = Boolean.TRUE ==
get(WSSConstants.TRANSPORT_SECURITY_ACTIVE);
- List<InboundSecurityToken> encryptingSecurityTokens =
isEncryptedToken(tokenSecurityEvent, securityEventDeque);
+ List<InboundSecurityToken> encryptingSecurityTokens =
isEncryptedToken(tokenSecurityEvent, securityEventDeque,
httpsTokenSecurityEvent);
boolean signatureUsage =
tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_Signature);
boolean encryptionUsage =
tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_Encryption);
@@ -483,9 +483,14 @@ public class InboundWSSecurityContextImp
}
private List<InboundSecurityToken> isEncryptedToken(TokenSecurityEvent
tokenSecurityEvent,
- Deque<SecurityEvent>
securityEventDeque) throws XMLSecurityException {
+ Deque<SecurityEvent>
securityEventDeque,
+ HttpsTokenSecurityEvent
httpsTokenSecurityEvent) throws XMLSecurityException {
List<InboundSecurityToken> securityTokenList = new
ArrayList<InboundSecurityToken>();
+ if (httpsTokenSecurityEvent != null) {
+ securityTokenList.add(httpsTokenSecurityEvent.getSecurityToken());
+ return securityTokenList;
+ }
for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator();
iterator.hasNext(); ) {
SecurityEvent securityEvent = iterator.next();
if
(WSSecurityEventConstants.EncryptedElement.equals(securityEvent.getSecurityEventType()))
{
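Review bot: The early return at L410–L413 lets the mere presence of an HttpsTokenSecurityEvent decide that every token is transport-encrypted, and it skips the securityEventDeque scan entirely, so a token that is additionally encrypted at message level is now reported with only the HTTPS token as its encrypting token. Whether that is acceptable depends on how the caller consumes the returned list, which is outside this hunk; at minimum the contract should be stated on the method, e.g. `// With transport security the HTTPS token is taken to encrypt the whole message, so it is returned as the sole encrypting token and message-level EncryptedElement events are not consulted.` Note also that the caller (L387) computes a separate `transportSecurityActive` flag from WSSConstants.TRANSPORT_SECURITY_ACTIVE while this method keys only on the event being non-null; if those two can disagree, requiring both before short-circuiting is the more conservative choice. The method body continues past the hunk.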
Modified:
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/InboundWSSecurityContextImplTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/InboundWSSecurityContextImplTest.java?rev=1484511&r1=1484510&r2=1484511&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/InboundWSSecurityContextImplTest.java
(original)
+++
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/InboundWSSecurityContextImplTest.java
Mon May 20 16:08:18 2013
@@ -18,10 +18,12 @@
*/
package org.apache.wss4j.stax.test;
+import org.apache.wss4j.common.crypto.WSProviderConfig;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.bean.SubjectBean;
+import org.apache.wss4j.stax.WSSec;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.impl.InboundWSSecurityContextImpl;
import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
@@ -32,12 +34,14 @@ import org.apache.wss4j.stax.impl.securi
import org.apache.wss4j.stax.securityEvent.*;
import org.apache.wss4j.stax.securityEvent.X509TokenSecurityEvent;
import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.config.Init;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
import org.apache.xml.security.stax.ext.stax.XMLSecEventFactory;
import org.apache.xml.security.stax.securityEvent.*;
import org.opensaml.common.SAMLVersion;
import org.testng.Assert;
+import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;
import javax.xml.namespace.QName;
@@ -50,6 +54,12 @@ import java.util.List;
public class InboundWSSecurityContextImplTest {
+ @BeforeClass
+ public void setUp() throws Exception {
+ WSProviderConfig.init();
+
Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());
+ }
+
@Test
public void testTokenIdentificationTransportSecurity() throws Exception {
@@ -71,7 +81,7 @@ public class InboundWSSecurityContextImp
} else if (securityEvent instanceof UsernameTokenSecurityEvent) {
UsernameTokenSecurityEvent tokenSecurityEvent =
(UsernameTokenSecurityEvent) securityEvent;
Assert.assertEquals(tokenSecurityEvent.getSecurityToken().getTokenUsages().size(),
1);
-
Assert.assertTrue(tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_SignedSupportingTokens));
+
Assert.assertTrue(tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_SignedEncryptedSupportingTokens));
}
}
}
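Review bot: The expected usage changes from SignedSupportingTokens to SignedEncryptedSupportingTokens with no explanation in the test, and the reason lives in InboundWSSecurityContextImpl rather than here, so add a short comment above the assertion, e.g. `// transport security is active, so the UsernameToken is presumably also counted as encrypted by the HTTPS token`. The enclosing test method starts before the hunk, so the fixture that makes this hold is not visible here.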