Author: veithen Date: Wed Jul 16 18:14:24 2014 New Revision: 1611122 URL: http://svn.apache.org/r1611122 Log: RAMPART-415: Applied Detelin Yordanov's patch to restore support for UsernameToken assertions with no password requirement.
Added: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml (with props) axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml (with props) Modified: axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java Modified: axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java?rev=1611122&r1=1611121&r2=1611122&view=diff ============================================================================== --- axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java (original) +++ axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java Wed Jul 16 18:14:24 2014 @@ -32,6 +32,7 @@ import org.apache.rampart.saml.SAMLAsser import org.apache.rampart.util.Axis2Util; import org.apache.rampart.util.RampartUtil; import org.apache.ws.secpolicy.WSSPolicyException; +import org.apache.ws.secpolicy.model.UsernameToken; import org.apache.ws.security.*; import org.apache.ws.security.components.crypto.Crypto; 
@@ -117,6 +118,19 @@ public class RampartEngine { t0 = System.currentTimeMillis(); } + //wss4j does not allow username tokens with no password per default, see https://issues.apache.org/jira/browse/WSS-420 + //configure it to allow them explicitly if at least one username token assertion with no password requirement is found + if (!rmd.isInitiator()) { + Collection<UsernameToken> usernameTokens = RampartUtil.getUsernameTokens(rpd); + for (UsernameToken usernameTok : usernameTokens) { + if (usernameTok.isNoPassword()) { + log.debug("Found UsernameToken with no password assertion in policy, configuring ws security processing to allow username tokens without password." ); + engine.getWssConfig().setAllowUsernameTokenNoPassword(true); + break; + } + } + } + String actorValue = secHeader.getAttributeValue(new QName(rmd .getSoapConstants().getEnvelopeURI(), "actor")); Modified: axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java?rev=1611122&r1=1611121&r2=1611122&view=diff ============================================================================== --- axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java (original) +++ axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java Wed Jul 16 18:14:24 2014 
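Review bot: `engine.getWssConfig().setAllowUsernameTokenNoPassword(true)` is only ever switched on and never switched back off, so if the `engine` or its `WSSConfig` outlives this request (where `engine` is created is not in the hunk, and the enclosing method starts and ends outside it), one policy containing `sp:NoPassword` would leave password-less UsernameTokens accepted for every later policy processed through the same config, including policies that do require a password. Computing a boolean from the loop and passing it to the setter in both cases restores the WSS4J default whenever the current policy does not ask for the relaxation; the rewritten receiver-side block is below. The flag is also engine-wide rather than per assertion, so a token governed by a password-requiring UsernameToken assertion would presumably now reach Rampart's policy validation instead of being rejected by WSS4J up front — worth confirming that the validator still enforces the password requirement in that case. `Collection` is used here without an import being added by the commit, so it is presumably already imported in RampartEngine.
```java
            if (!rmd.isInitiator()) {
                // WSS4J rejects UsernameTokens without a password by default (see WSS-420).
                // Enable the relaxation only while the current policy actually contains a
                // sp:NoPassword assertion, and reset it otherwise so a reused config does not
                // keep accepting password-less tokens for policies that require one.
                boolean allowNoPassword = false;
                for (UsernameToken usernameTok : RampartUtil.getUsernameTokens(rpd)) {
                    if (usernameTok.isNoPassword()) {
                        allowNoPassword = true;
                        break;
                    }
                }
                if (allowNoPassword) {
                    log.debug("Found UsernameToken with no password assertion in policy, configuring ws security processing to allow username tokens without password." );
                }
                engine.getWssConfig().setAllowUsernameTokenNoPassword(allowNoPassword);
            }
            // … unchanged: actor attribute lookup …
```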
@@ -1929,4 +1929,60 @@ public class RampartUtil { QName value = code.getValueAsQName(); return value == null ? false : value.getNamespaceURI().equals(WSConstants.WSSE_NS); } + + /** + * @param rpd Rampart policy data instance. Must not be null. + * @return A collection of all {@link UsernameToken} supporting token assertions in the specified Rampart policy instance. The method will check the following lists: + * <ul> + * <li>{@link RampartPolicyData#getSupportingTokensList()}</li> + * <li>{@link RampartPolicyData#getSignedSupportingTokens()}</li> + * <li>{@link RampartPolicyData#getSignedEndorsingSupportingTokens()}</li> + * <li>{@link RampartPolicyData#getEndorsingSupportingTokens()}</li> + * <li>{@link RampartPolicyData#getEncryptedSupportingTokens()}</li> + * <li>{@link RampartPolicyData#getSignedEncryptedSupportingTokens()}</li> + * <li>{@link RampartPolicyData#getEndorsingEncryptedSupportingTokens()}</li> + * <li>{@link RampartPolicyData#getSignedEndorsingEncryptedSupportingTokens()}</li> + * </ul> + */ + public static Collection<UsernameToken> getUsernameTokens(RampartPolicyData rpd) { + Collection<UsernameToken> usernameTokens = new ArrayList<UsernameToken>(); + + List<SupportingToken> supportingToks = rpd.getSupportingTokensList(); + for (SupportingToken suppTok : supportingToks) { + usernameTokens.addAll(getUsernameTokens(suppTok)); + } + + usernameTokens.addAll(getUsernameTokens(rpd.getSignedSupportingTokens())); + usernameTokens.addAll(getUsernameTokens(rpd.getSignedEndorsingSupportingTokens())); + usernameTokens.addAll(getUsernameTokens(rpd.getEndorsingSupportingTokens())); + usernameTokens.addAll(getUsernameTokens(rpd.getEncryptedSupportingTokens())); + usernameTokens.addAll(getUsernameTokens(rpd.getSignedEncryptedSupportingTokens())); + usernameTokens.addAll(getUsernameTokens(rpd.getEndorsingEncryptedSupportingTokens())); + usernameTokens.addAll(getUsernameTokens(rpd.getSignedEndorsingEncryptedSupportingTokens())); + + return usernameTokens; + } + + 
/** + * @param suppTok The {@link SupportingToken} assertion to check for username tokens. + * @return A collection of all tokens in the specified <code>suppTok</code> SupportingToken assertion which are instances of {@link UsernameToken}. + * If the specified <code>suppTok</code> SupportingToken assertion is <code>null</code>, an empty collection will be returned. + */ + public static Collection<UsernameToken> getUsernameTokens(SupportingToken suppTok) { + + if (suppTok == null) { + return new ArrayList<UsernameToken>(); + } + + Collection<UsernameToken> usernameTokens = new ArrayList<UsernameToken>(); + ArrayList tokens = suppTok.getTokens(); + for (Iterator iter = tokens.iterator(); iter.hasNext();) { + org.apache.ws.secpolicy.model.Token token = (org.apache.ws.secpolicy.model.Token) iter.next(); + if (token instanceof UsernameToken) { + usernameTokens.add((UsernameToken)token); + } + } + + return usernameTokens; + } } Modified: axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml?rev=1611122&r1=1611121&r2=1611122&view=diff ============================================================================== --- axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml (original) +++ axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml Wed Jul 16 18:14:24 2014 
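Review bot: The loop in `getUsernameTokens(SupportingToken)` uses a raw `ArrayList`, a raw `Iterator` and an explicit cast to `Token` that the loop never needs, while the overload just above it is fully generic; an enhanced for over `Object` keeps the same behaviour without the raw iterator: `for (Object token : suppTok.getTokens()) {` `    if (token instanceof UsernameToken) {` `        usernameTokens.add((UsernameToken) token);`. Assuming `getTokens()` itself returns a raw `ArrayList` in the secpolicy model (not visible here), the raw type on that call may be unavoidable, but the iteration need not repeat it. Both new Javadoc blocks start directly at `@param` and so have no summary sentence for method indexes; something like `Collects every {@link UsernameToken} assertion from all supporting-token lists of the given policy.` for the first and `Returns the {@link UsernameToken} assertions contained in a single {@link SupportingToken}.` for the second would do. `getUsernameTokens(RampartPolicyData)` also iterates `rpd.getSupportingTokensList()` directly, whereas the other seven lists pass through the null-tolerant overload; if that list can be null for a policy without supporting tokens this would throw, which is worth confirming against RampartPolicyData.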
@@ -284,6 +284,10 @@ <!-- Service 34 --> <copy overwrite="yes" file="src/test/resources/rampart/services-34.xml" tofile="target/temp-ramp/META-INF/services.xml" /> <jar jarfile="target/test-resources/rampart_service_repo/services/SecureService34.aar" basedir="target/temp-ramp" /> + + <!-- Service 35 --> + <copy overwrite="yes" file="src/test/resources/rampart/services-35.xml" tofile="target/temp-ramp/META-INF/services.xml" /> + <jar jarfile="target/test-resources/rampart_service_repo/services/SecureService35.aar" basedir="target/temp-ramp" /> <!-- Service SC-1 --> Modified: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java?rev=1611122&r1=1611121&r2=1611122&view=diff ============================================================================== --- axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java (original) +++ axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java Wed Jul 16 18:14:24 2014 
@@ -96,7 +96,7 @@ public class RampartTest extends TestCas } //for (int i = 34; i <= 34; i++) { //<-The number of tests we have - for (int i = 1; i <= 34; i++) { //<-The number of tests we have + for (int i = 1; i <= 35; i++) { //<-The number of tests we have if(!basic256Supported && (i == 3 || i == 4 || i == 5)) { //Skip the Basic256 tests continue; Added: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml?rev=1611122&view=auto ============================================================================== --- axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml (added) +++ axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml Wed Jul 16 18:14:24 2014 
@@ -0,0 +1,76 @@
+<wsp:Policy wsu:Id="EncrSupTokensUTNoPasswd"
+ xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+ xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SymmetricBinding>
+ <wsp:Policy>
+ <sp:ProtectionToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:RequireThumbprintReference />
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:ProtectionToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:OnlySignEntireHeadersAndBody />
+ </wsp:Policy>
+ </sp:SymmetricBinding>
+ <sp:EncryptedParts>
+ <sp:Body />
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body />
+ </sp:SignedParts>
+ <sp:EncryptedSupportingTokens>
+ <wsp:Policy>
+ <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:WssUsernameToken11 />
+ <sp:NoPassword />
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:EncryptedSupportingTokens>
+
+ <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
+ <ramp:user>alice</ramp:user>
+ <ramp:encryptionUser>bob</ramp:encryptionUser>
+ <ramp:passwordCallbackClass>org.apache.rampart.PWCallback</ramp:passwordCallbackClass>
+
+ <ramp:signatureCrypto>
+ <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
+ <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
+ <ramp:property 
name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property> + <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property> + </ramp:crypto> + </ramp:signatureCrypto> + <ramp:encryptionCypto> + <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> + <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property> + <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property> + <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property> + </ramp:crypto> + </ramp:encryptionCypto> + </ramp:RampartConfig> + </wsp:All> + </wsp:ExactlyOne> +</wsp:Policy> Propchange: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml ------------------------------------------------------------------------------ svn:eol-style = native Added: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml?rev=1611122&view=auto ============================================================================== --- axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml (added) +++ axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml Wed Jul 16 18:14:24 2014 
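Review bot: The new test policy carries no comment saying what it exercises, so a reader comparing it with the neighbouring numbered policies would not see that `<sp:NoPassword />` is the line under test. A one-line comment directly above `<sp:EncryptedSupportingTokens>` would do: `<!-- RAMPART-415: UsernameToken with sp:NoPassword as an encrypted supporting token; the service must accept a token with no password element, which WSS4J rejects by default (WSS-420) -->`. It is also worth saying in that comment that such a token only asserts a username and does not authenticate it, so message protection here presumably rests entirely on the SymmetricBinding's X509 protection token. The same comment belongs in the copy of the policy embedded in services-35.xml.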
@@ -0,0 +1,94 @@
+<service name="SecureService35">
+
+ <module ref="addressing"/>
+ <module ref="rampart"/>
+
+ <parameter locked="false" name="ServiceClass">org.apache.rampart.Service</parameter>
+
+ <operation name="echo">
+ <messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
+ <actionMapping>urn:echo</actionMapping>
+ </operation>
+
+ <operation name="returnError">
+ <messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
+ <actionMapping>urn:returnError</actionMapping>
+ </operation>
+
+ <wsp:Policy wsu:Id="EncrSupTokensUTNoPasswd"
+ xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+ xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SymmetricBinding>
+ <wsp:Policy>
+ <sp:ProtectionToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:RequireThumbprintReference />
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:ProtectionToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:OnlySignEntireHeadersAndBody />
+ </wsp:Policy>
+ </sp:SymmetricBinding>
+ <sp:EncryptedParts>
+ <sp:Body />
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body />
+ </sp:SignedParts>
+ <sp:EncryptedSupportingTokens>
+ <wsp:Policy>
+ <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:WssUsernameToken11 />
+ <sp:NoPassword />
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ 
</sp:EncryptedSupportingTokens> + + <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy"> + <ramp:user>bob</ramp:user> + <ramp:encryptionUser>alice</ramp:encryptionUser> + <ramp:passwordCallbackClass>org.apache.rampart.PWCallback</ramp:passwordCallbackClass> + + <ramp:signatureCrypto> + <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> + <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property> + <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property> + <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property> + </ramp:crypto> + </ramp:signatureCrypto> + <ramp:encryptionCypto> + <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> + <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property> + <ramp:property name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property> + <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property> + </ramp:crypto> + </ramp:encryptionCypto> + </ramp:RampartConfig> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> +</service> Propchange: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml ------------------------------------------------------------------------------ svn:eol-style = native