Author: veithen
Date: Wed Jul 16 18:14:24 2014
New Revision: 1611122
URL: http://svn.apache.org/r1611122
Log:
RAMPART-415: Applied Detelin Yordanov's patch to restore support for
UsernameToken assertions with no password requirement.
Added:
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml
(with props)
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml
(with props)
Modified:
axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java
Modified:
axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
URL:
http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java?rev=1611122&r1=1611121&r2=1611122&view=diff
==============================================================================
---
axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
(original)
+++
axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
Wed Jul 16 18:14:24 2014
@@ -32,6 +32,7 @@ import org.apache.rampart.saml.SAMLAsser
import org.apache.rampart.util.Axis2Util;
import org.apache.rampart.util.RampartUtil;
import org.apache.ws.secpolicy.WSSPolicyException;
+import org.apache.ws.secpolicy.model.UsernameToken;
import org.apache.ws.security.*;
import org.apache.ws.security.components.crypto.Crypto;
@@ -117,6 +118,19 @@ public class RampartEngine {
t0 = System.currentTimeMillis();
}
+ //wss4j does not allow username tokens with no password per
default, see https://issues.apache.org/jira/browse/WSS-420
+ //configure it to allow them explicitly if at least one
username token assertion with no password requirement is found
+ if (!rmd.isInitiator()) {
+ Collection<UsernameToken> usernameTokens =
RampartUtil.getUsernameTokens(rpd);
+ for (UsernameToken usernameTok : usernameTokens) {
+ if (usernameTok.isNoPassword()) {
+ log.debug("Found UsernameToken with no password
assertion in policy, configuring ws security processing to allow username
tokens without password." );
+
engine.getWssConfig().setAllowUsernameTokenNoPassword(true);
+ break;
+ }
+ }
+ }
+
String actorValue = secHeader.getAttributeValue(new QName(rmd
.getSoapConstants().getEnvelopeURI(), "actor"));
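Review bot: `engine.getWssConfig().setAllowUsernameTokenNoPassword(true)` relaxes the WSS4J check for the whole engine rather than for the one assertion that declared `sp:NoPassword`, so once any UsernameToken assertion in the policy has no password requirement, a token without a password will also get past WSS4J processing where it was meant to satisfy a password-requiring assertion; whether Rampart's later policy validation re-checks for the password element is not visible here, so that path deserves a negative test alongside test 35. The flag is only ever set and never cleared, so if the `engine` instance or its WSSConfig outlives this request (cannot be told from the hunk), the relaxed setting would carry over to later messages. A comment such as `// NOTE: this flag applies engine-wide; policy validation must still enforce a password where the matching assertion requires one` would make the scope explicit at the call site. The enclosing method begins and ends outside the hunk.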
Modified:
axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
URL:
http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java?rev=1611122&r1=1611121&r2=1611122&view=diff
==============================================================================
---
axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
(original)
+++
axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
Wed Jul 16 18:14:24 2014
@@ -1929,4 +1929,60 @@ public class RampartUtil {
QName value = code.getValueAsQName();
return value == null ? false :
value.getNamespaceURI().equals(WSConstants.WSSE_NS);
}
+
+ /**
+ * @param rpd Rampart policy data instance. Must not be null.
+ * @return A collection of all {@link UsernameToken} supporting token
assertions in the specified Rampart policy instance. The method will check the
following lists:
+ * <ul>
+ * <li>{@link RampartPolicyData#getSupportingTokensList()}</li>
+ * <li>{@link RampartPolicyData#getSignedSupportingTokens()}</li>
+ * <li>{@link
RampartPolicyData#getSignedEndorsingSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getEndorsingSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getEncryptedSupportingTokens()}</li>
+ * <li>{@link
RampartPolicyData#getSignedEncryptedSupportingTokens()}</li>
+ * <li>{@link
RampartPolicyData#getEndorsingEncryptedSupportingTokens()}</li>
+ * <li>{@link
RampartPolicyData#getSignedEndorsingEncryptedSupportingTokens()}</li>
+ * </ul>
+ */
+ public static Collection<UsernameToken>
getUsernameTokens(RampartPolicyData rpd) {
+ Collection<UsernameToken> usernameTokens = new
ArrayList<UsernameToken>();
+
+ List<SupportingToken> supportingToks = rpd.getSupportingTokensList();
+ for (SupportingToken suppTok : supportingToks) {
+ usernameTokens.addAll(getUsernameTokens(suppTok));
+ }
+
+
usernameTokens.addAll(getUsernameTokens(rpd.getSignedSupportingTokens()));
+
usernameTokens.addAll(getUsernameTokens(rpd.getSignedEndorsingSupportingTokens()));
+
usernameTokens.addAll(getUsernameTokens(rpd.getEndorsingSupportingTokens()));
+
usernameTokens.addAll(getUsernameTokens(rpd.getEncryptedSupportingTokens()));
+
usernameTokens.addAll(getUsernameTokens(rpd.getSignedEncryptedSupportingTokens()));
+
usernameTokens.addAll(getUsernameTokens(rpd.getEndorsingEncryptedSupportingTokens()));
+
usernameTokens.addAll(getUsernameTokens(rpd.getSignedEndorsingEncryptedSupportingTokens()));
+
+ return usernameTokens;
+ }
+
+ /**
+ * @param suppTok The {@link SupportingToken} assertion to check for
username tokens.
+ * @return A collection of all tokens in the specified
<code>suppTok</code> SupportingToken assertion which are instances of {@link
UsernameToken}.
+ * If the specified <code>suppTok</code> SupportingToken assertion is
<code>null</code>, an empty collection will be returned.
+ */
+ public static Collection<UsernameToken> getUsernameTokens(SupportingToken
suppTok) {
+
+ if (suppTok == null) {
+ return new ArrayList<UsernameToken>();
+ }
+
+ Collection<UsernameToken> usernameTokens = new
ArrayList<UsernameToken>();
+ ArrayList tokens = suppTok.getTokens();
+ for (Iterator iter = tokens.iterator(); iter.hasNext();) {
+ org.apache.ws.secpolicy.model.Token token =
(org.apache.ws.secpolicy.model.Token) iter.next();
+ if (token instanceof UsernameToken) {
+ usernameTokens.add((UsernameToken)token);
+ }
+ }
+
+ return usernameTokens;
+ }
}
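Review bot: `getUsernameTokens(SupportingToken)` walks `suppTok.getTokens()` through a raw `ArrayList` and raw `Iterator` with an explicit `Token` cast that the following `instanceof` makes redundant; `for (Object token : suppTok.getTokens()) {` followed by the existing `instanceof UsernameToken` check does the same work with no raw `Iterator` and no cast. The `RampartPolicyData` overload passes every `get*SupportingTokens()` result through the null-tolerant overload but loops over `rpd.getSupportingTokensList()` directly, so a null list there would throw where the other lists yield nothing — if that getter can return null (not visible here) it needs the same guard. The Javadoc of both methods carries only `@param`/`@return` tags; a leading summary sentence such as `Collects every UsernameToken assertion declared as a supporting token in the given policy.` would give readers the purpose before the tag list.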
Modified: axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml
URL:
http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml?rev=1611122&r1=1611121&r2=1611122&view=diff
==============================================================================
--- axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml (original)
+++ axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml Wed Jul
16 18:14:24 2014
@@ -284,6 +284,10 @@
<!-- Service 34 -->
<copy overwrite="yes"
file="src/test/resources/rampart/services-34.xml"
tofile="target/temp-ramp/META-INF/services.xml" />
<jar
jarfile="target/test-resources/rampart_service_repo/services/SecureService34.aar"
basedir="target/temp-ramp" />
+
+ <!-- Service 35 -->
+ <copy overwrite="yes"
file="src/test/resources/rampart/services-35.xml"
tofile="target/temp-ramp/META-INF/services.xml" />
+ <jar
jarfile="target/test-resources/rampart_service_repo/services/SecureService35.aar"
basedir="target/temp-ramp" />
<!-- Service SC-1 -->
Modified:
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java
URL:
http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java?rev=1611122&r1=1611121&r2=1611122&view=diff
==============================================================================
---
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java
(original)
+++
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java
Wed Jul 16 18:14:24 2014
@@ -96,7 +96,7 @@ public class RampartTest extends TestCas
}
//for (int i = 34; i <= 34; i++) { //<-The number of tests we have
- for (int i = 1; i <= 34; i++) { //<-The number of tests we have
+ for (int i = 1; i <= 35; i++) { //<-The number of tests we have
if(!basic256Supported && (i == 3 || i == 4 || i == 5)) {
//Skip the Basic256 tests
continue;
Added:
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml
URL:
http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml?rev=1611122&view=auto
==============================================================================
---
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml
(added)
+++
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml
Wed Jul 16 18:14:24 2014
@@ -0,0 +1,76 @@
+<wsp:Policy wsu:Id="EncrSupTokensUTNoPasswd"
+
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+ xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SymmetricBinding>
+ <wsp:Policy>
+ <sp:ProtectionToken>
+ <wsp:Policy>
+ <sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:RequireThumbprintReference />
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:ProtectionToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:OnlySignEntireHeadersAndBody />
+ </wsp:Policy>
+ </sp:SymmetricBinding>
+ <sp:EncryptedParts>
+ <sp:Body />
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body />
+ </sp:SignedParts>
+ <sp:EncryptedSupportingTokens>
+ <wsp:Policy>
+ <sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:WssUsernameToken11 />
+ <sp:NoPassword />
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:EncryptedSupportingTokens>
+
+ <ramp:RampartConfig
xmlns:ramp="http://ws.apache.org/rampart/policy">
+ <ramp:user>alice</ramp:user>
+ <ramp:encryptionUser>bob</ramp:encryptionUser>
+
<ramp:passwordCallbackClass>org.apache.rampart.PWCallback</ramp:passwordCallbackClass>
+
+ <ramp:signatureCrypto>
+ <ramp:crypto
provider="org.apache.ws.security.components.crypto.Merlin">
+ <ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
+ <ramp:property
name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
+ <ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+ </ramp:crypto>
+ </ramp:signatureCrypto>
+ <ramp:encryptionCypto>
+ <ramp:crypto
provider="org.apache.ws.security.components.crypto.Merlin">
+ <ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
+ <ramp:property
name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
+ <ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+ </ramp:crypto>
+ </ramp:encryptionCypto>
+ </ramp:RampartConfig>
+ </wsp:All>
+ </wsp:ExactlyOne>
+</wsp:Policy>
Propchange:
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/35.xml
------------------------------------------------------------------------------
svn:eol-style = native
Added:
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml
URL:
http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml?rev=1611122&view=auto
==============================================================================
---
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml
(added)
+++
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml
Wed Jul 16 18:14:24 2014
@@ -0,0 +1,94 @@
+<service name="SecureService35">
+
+ <module ref="addressing"/>
+ <module ref="rampart"/>
+
+ <parameter locked="false"
name="ServiceClass">org.apache.rampart.Service</parameter>
+
+ <operation name="echo">
+ <messageReceiver
class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
+ <actionMapping>urn:echo</actionMapping>
+ </operation>
+
+ <operation name="returnError">
+ <messageReceiver
class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/>
+ <actionMapping>urn:returnError</actionMapping>
+ </operation>
+
+ <wsp:Policy wsu:Id="EncrSupTokensUTNoPasswd"
+
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+ xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SymmetricBinding>
+ <wsp:Policy>
+ <sp:ProtectionToken>
+ <wsp:Policy>
+ <sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:RequireThumbprintReference />
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:ProtectionToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:OnlySignEntireHeadersAndBody />
+ </wsp:Policy>
+ </sp:SymmetricBinding>
+ <sp:EncryptedParts>
+ <sp:Body />
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body />
+ </sp:SignedParts>
+ <sp:EncryptedSupportingTokens>
+ <wsp:Policy>
+ <sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:WssUsernameToken11 />
+ <sp:NoPassword />
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:EncryptedSupportingTokens>
+
+ <ramp:RampartConfig
xmlns:ramp="http://ws.apache.org/rampart/policy">
+ <ramp:user>bob</ramp:user>
+ <ramp:encryptionUser>alice</ramp:encryptionUser>
+
<ramp:passwordCallbackClass>org.apache.rampart.PWCallback</ramp:passwordCallbackClass>
+
+ <ramp:signatureCrypto>
+ <ramp:crypto
provider="org.apache.ws.security.components.crypto.Merlin">
+ <ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
+ <ramp:property
name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
+ <ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+ </ramp:crypto>
+ </ramp:signatureCrypto>
+ <ramp:encryptionCypto>
+ <ramp:crypto
provider="org.apache.ws.security.components.crypto.Merlin">
+ <ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
+ <ramp:property
name="org.apache.ws.security.crypto.merlin.file">rampart/store.jks</ramp:property>
+ <ramp:property
name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+ </ramp:crypto>
+ </ramp:encryptionCypto>
+ </ramp:RampartConfig>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+</service>
Propchange:
axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-35.xml
------------------------------------------------------------------------------
svn:eol-style = native