Author: coheigea
Date: Thu Dec 12 11:57:50 2013
New Revision: 1550401
URL: http://svn.apache.org/r1550401
Log:
[WSS-486] - Weaken policy validation for an initiator + no security header +
soap fault
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java?rev=1550401&r1=1550400&r2=1550401&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
(original)
+++
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
Thu Dec 12 11:57:50 2013
@@ -91,6 +91,7 @@ import org.apache.wss4j.policy.stax.asse
import
org.apache.wss4j.policy.stax.assertionStates.UsernameTokenAssertionState;
import org.apache.wss4j.policy.stax.assertionStates.X509TokenAssertionState;
import org.apache.wss4j.stax.ext.WSSConstants;
+import org.apache.wss4j.stax.securityEvent.NoSecuritySecurityEvent;
import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
@@ -116,6 +117,9 @@ public class PolicyEnforcer implements S
protected static final transient org.slf4j.Logger log =
org.slf4j.LoggerFactory.getLogger(PolicyEnforcer.class);
+
+ private static final QName SOAP11_FAULT = new
QName(WSSConstants.NS_SOAP11, "Fault");
+ private static final QName SOAP12_FAULT = new
QName(WSSConstants.NS_SOAP12, "Fault");
private final List<OperationPolicy> operationPolicies;
private OperationPolicy effectivePolicy;
@@ -127,6 +131,8 @@ public class PolicyEnforcer implements S
private boolean initiator;
private String actorOrRole;
private int attachmentCount;
+ private boolean noSecurityHeader;
+ private boolean faultOccurred;
public PolicyEnforcer(List<OperationPolicy> operationPolicies, String
soapAction, boolean initiator,
String actorOrRole, int attachmentCount) throws
WSSPolicyException {
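Review bot: The two new flags `noSecurityHeader` and `faultOccurred` carry no comment, yet together with `initiator` they form the only condition under which a failed policy alternative is tolerated, so a maintainer reading the field list cannot tell that they relax enforcement. I would document that at the declaration, e.g. `// Set from registerSecurityEvent: a NoSecuritySecurityEvent was seen, resp. the operation element was a SOAP 1.1/1.2 Fault. Only when both hold and this is the initiator side is an unsatisfied policy alternative not treated as a violation.` Whether the flags need resetting depends on how long a PolicyEnforcer instance lives; if one instance ever handles more than one message, state that here as well.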
@@ -426,7 +432,7 @@ public class PolicyEnforcer implements S
}
//if the assertionStateMap is empty (the size of the list is equal to
the alternatives)
//then we could not satisfy any alternative
- if (assertionStateMap.isEmpty()) {
+ if (assertionStateMap.isEmpty() && !(faultOccurred && noSecurityHeader
&& initiator)) {
logFailedAssertions();
throw new PolicyViolationException(assertionMessage);
}
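Review bot: The relaxation `!(faultOccurred && noSecurityHeader && initiator)` is pasted into three otherwise identical checks here and in the hunks at lines 66 and 76, and in none of them is the skipped enforcement visible at runtime: an initiator that accepts an unsecured SOAP Fault silently passes policy, which is exactly the event an operator would want in the logs. I would fold the three-flag test into one helper, `private boolean isUnsecuredFaultForInitiator() { return initiator && faultOccurred && noSecurityHeader; }`, and log when it fires, so that the tolerated case is both single-sourced and observable. The enclosing method starts and ends outside the hunk.
```java
        if (assertionStateMap.isEmpty()) {
            if (!isUnsecuredFaultForInitiator()) {
                logFailedAssertions();
                throw new PolicyViolationException(assertionMessage);
            }
            // deliberate relaxation: initiator received a SOAP Fault with no security header
            log.warn("Policy not enforced: initiator received a SOAP Fault without a security header");
        }
        // … unchanged: rest of method …
```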
@@ -464,7 +470,7 @@ public class PolicyEnforcer implements S
}
}
}
- if (assertionStateMap.isEmpty()) {
+ if (assertionStateMap.isEmpty() && !(faultOccurred && noSecurityHeader
&& initiator)) {
logFailedAssertions();
throw new WSSPolicyException(assertionMessage);
}
@@ -526,7 +532,7 @@ public class PolicyEnforcer implements S
}
}
}
- if (assertionStateMap.isEmpty()) {
+ if (assertionStateMap.isEmpty() && !(faultOccurred && noSecurityHeader
&& initiator)) {
logFailedAssertions();
throw new WSSPolicyException(assertionMessage);
}
@@ -562,6 +568,10 @@ public class PolicyEnforcer implements S
@Override
public synchronized void registerSecurityEvent(SecurityEvent
securityEvent) throws WSSecurityException {
+ if (securityEvent instanceof NoSecuritySecurityEvent) {
+ noSecurityHeader = true;
+ }
+
if (operationSecurityEventOccured) {
try {
verifyPolicy(securityEvent);
@@ -575,6 +585,11 @@ public class PolicyEnforcer implements S
if
(WSSecurityEventConstants.Operation.equals(securityEvent.getSecurityEventType()))
{
operationSecurityEventOccured = true;
final OperationSecurityEvent operationSecurityEvent =
(OperationSecurityEvent) securityEvent;
+ if (SOAP11_FAULT.equals(operationSecurityEvent.getOperation())
+ || SOAP12_FAULT.equals(operationSecurityEvent.getOperation()))
{
+ faultOccurred = true;
+ }
+
if (effectivePolicy == null) {
effectivePolicy =
findPolicyBySOAPOperationName(operationPolicies,
operationSecurityEvent.getOperation().getLocalPart());
if (effectivePolicy == null) {
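Review bot: `operationSecurityEvent.getOperation()` is evaluated twice in the new fault test, once per QName comparison; binding it once reads better and keeps the comparison on a single value, `final QName operation = operationSecurityEvent.getOperation();` followed by `if (SOAP11_FAULT.equals(operation) || SOAP12_FAULT.equals(operation)) {`. The same local could then feed the existing `getLocalPart()` call a few lines below. A one-line comment on the assignment, `// remembered so that an unsecured Fault can be tolerated on the initiator side`, would tie the flag to its use elsewhere in the class. The enclosing method continues outside the hunk.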