Author: coheigea
Date: Wed May 22 09:49:31 2013
New Revision: 1485135
URL: http://svn.apache.org/r1485135
Log:
Only enforce token policies that are targeted at recipients + initiators
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java?rev=1485135&r1=1485134&r2=1485135&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
(original)
+++
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
Wed May 22 09:49:31 2013
@@ -36,7 +36,9 @@ import org.apache.neethi.PolicyContainin
import org.apache.neethi.PolicyOperator;
import org.apache.neethi.builders.PrimitiveAssertion;
import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.WSSPolicyException;
+import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
import org.apache.wss4j.policy.model.AbstractBinding;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
@@ -120,8 +122,9 @@ public class PolicyEnforcer implements S
private final Deque<SecurityEvent> securityEventQueue = new
LinkedList<SecurityEvent>();
private boolean operationSecurityEventOccured = false;
+ private boolean initiator;
- public PolicyEnforcer(List<OperationPolicy> operationPolicies, String
soapAction) throws WSSPolicyException {
+ public PolicyEnforcer(List<OperationPolicy> operationPolicies, String
soapAction, boolean initiator) throws WSSPolicyException {
this.operationPolicies = operationPolicies;
assertionStateMap = new LinkedList<Map<SecurityEventConstants.Event,
Map<Assertion, List<Assertable>>>>();
failedAssertionStateMap = new
LinkedList<Map<SecurityEventConstants.Event, Map<Assertion,
List<Assertable>>>>();
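Review bot: The new `initiator` field declared at the top of this hunk is assigned exactly once, in the constructor, so it should be `private final boolean initiator;` — the compiler then enforces that every constructor path sets it. The signature change drops the two-argument constructor outright instead of overloading it; if callers of `PolicyEnforcer(List, String)` exist outside this commit, a delegating constructor `this(operationPolicies, soapAction, false);` would keep them compiling while defaulting to the recipient-side behaviour the updated test call sites use. The constructor body continues past the hunk.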
@@ -132,6 +135,7 @@ public class PolicyEnforcer implements S
buildAssertionStateMap(effectivePolicy.getPolicy(),
assertionStateMap);
}
}
+ this.initiator = initiator;
}
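Review bot: `this.initiator = initiator;` is placed after the loop that calls `buildAssertionStateMap(...)` (the line just above the closing braces in this hunk), so while the assertion state map is being built the field still holds its default `false`; if `buildAssertionStateMap` reaches `getAssertableForAssertion`, which now reads `initiator`, the initiator-side filtering added in this commit can never apply during construction. Move the assignment to the start of the constructor, `this.initiator = initiator;` directly after `this.operationPolicies = operationPolicies;`, so it is set before any policy is processed. The constructor starts in the previous hunk.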
private OperationPolicy findPolicyBySOAPAction(List<OperationPolicy>
operationPolicies, String soapAction) {
@@ -229,6 +233,19 @@ public class PolicyEnforcer implements S
protected List<Assertable>
getAssertableForAssertion(AbstractSecurityAssertion abstractSecurityAssertion)
throws WSSPolicyException {
List<Assertable> assertableList = new LinkedList<Assertable>();
+ if (abstractSecurityAssertion instanceof AbstractToken) {
+ // Don't return a Token that is not required
+ SPConstants.IncludeTokenType includeTokenType =
+
((AbstractToken)abstractSecurityAssertion).getIncludeTokenType();
+ if (initiator
+ && includeTokenType ==
IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT) {
+ return assertableList;
+ } else if (!initiator
+ && includeTokenType ==
IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR) {
+ return assertableList;
+ }
+ }
+
if (abstractSecurityAssertion instanceof ContentEncryptedElements) {
//initialized with asserted=true because it could be that parent
elements are encrypted and therefore these element are also encrypted
//the test if it is really encrypted is done via the
PolicyInputProcessor which emits EncryptedElementEvents for unencrypted
elements with the unencrypted flag
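Review bot: The new check mixes the qualified `SPConstants.IncludeTokenType` with the bare `IncludeTokenType` that the same commit imports; use one form, and with the nested-type import the added `import org.apache.wss4j.policy.SPConstants;` appears unused in the lines visible here. The two branches return the same empty list and read more clearly as a single condition: `if ((initiator && includeTokenType == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT) || (!initiator && includeTokenType == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR)) { return assertableList; }`. The comment `// Don't return a Token that is not required` understates the effect — returning no Assertable means the token assertion is never evaluated on this side — so make that explicit: `// A token included only towards the other party is not expected in messages processed here, so no Assertable is registered and the assertion is not enforced on this side.` The method body continues past the hunk.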
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java?rev=1485135&r1=1485134&r2=1485135&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java
(original)
+++
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java
Wed May 22 09:49:31 2013
@@ -416,7 +416,7 @@ public class PolicyEnforcerFactory {
}
}
- public PolicyEnforcer newPolicyEnforcer(String soapAction) throws
WSSPolicyException {
- return new PolicyEnforcer(this.operationPolicies, soapAction);
+ public PolicyEnforcer newPolicyEnforcer(String soapAction, boolean
initiator) throws WSSPolicyException {
+ return new PolicyEnforcer(this.operationPolicies, soapAction,
initiator);
}
}
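Review bot: `newPolicyEnforcer(String, boolean)` gains a boolean whose meaning is stated nowhere in the factory, and a bare `true`/`false` at call sites (see the test changes in this commit) tells the reader nothing. Add Javadoc on the method, e.g. `@param initiator true when the enforcer runs on the message initiator side, false on the recipient side; tokens marked for inclusion only towards the other party are then not enforced`, and consider keeping the old single-argument overload delegating with `false` so existing callers keep compiling.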
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java?rev=1485135&r1=1485134&r2=1485135&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java
(original)
+++
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java
Wed May 22 09:49:31 2013
@@ -91,7 +91,7 @@ public class AbstractPolicyTestBase exte
element.appendChild(policyNode);
}
PolicyEnforcerFactory policyEnforcerFactory =
PolicyEnforcerFactory.newInstance(document, customAssertionBuilders);
- PolicyEnforcer policyEnforcer =
policyEnforcerFactory.newPolicyEnforcer("");
+ PolicyEnforcer policyEnforcer =
policyEnforcerFactory.newPolicyEnforcer("", false);
return policyEnforcer;
}
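Review bot: The shared test helper hardcodes `newPolicyEnforcer("", false)`, so every policy test built on this base class exercises only the recipient path and the new `initiator && INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT` branch in PolicyEnforcer gets no coverage from here. Add an overload of this helper taking a `boolean initiator`, let the existing one delegate with `false`, and add a test that builds the enforcer with `true` against a policy whose token carries IncludeToken=AlwaysToRecipient and asserts that the token assertion is skipped. The helper's signature is outside the hunk.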
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java?rev=1485135&r1=1485134&r2=1485135&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
(original)
+++
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
Wed May 22 09:49:31 2013
@@ -74,7 +74,7 @@ public class VulnerabliltyVectorsTest ex
inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
PolicyEnforcerFactory policyEnforcerFactory =
PolicyEnforcerFactory.newInstance(this.getClass().getClassLoader().getResource("testdata/wsdl/actionSpoofing.wsdl"));
- PolicyEnforcer policyEnforcer =
policyEnforcerFactory.newPolicyEnforcer("emptyPolicy");
+ PolicyEnforcer policyEnforcer =
policyEnforcerFactory.newPolicyEnforcer("emptyPolicy", false);
inSecurityProperties.addInputProcessor(new
PolicyInputProcessor(policyEnforcer, inSecurityProperties));
try {
@@ -126,7 +126,7 @@ public class VulnerabliltyVectorsTest ex
inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
PolicyEnforcerFactory policyEnforcerFactory =
PolicyEnforcerFactory.newInstance(this.getClass().getClassLoader().getResource("testdata/wsdl/actionSpoofing.wsdl"));
- PolicyEnforcer policyEnforcer =
policyEnforcerFactory.newPolicyEnforcer("goodPolicy");
+ PolicyEnforcer policyEnforcer =
policyEnforcerFactory.newPolicyEnforcer("goodPolicy", false);
inSecurityProperties.addInputProcessor(new
PolicyInputProcessor(policyEnforcer, inSecurityProperties));
try {