Repository: cxf Updated Branches: refs/heads/3.0.x-fixes e802824d9 -> b9bdfa1f2
Fixing merge Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b9bdfa1f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b9bdfa1f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b9bdfa1f Branch: refs/heads/3.0.x-fixes Commit: b9bdfa1f224ea0615f64fefbe0d6e4feea261312 Parents: 4afe08f Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Fri Oct 14 18:23:30 2016 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Fri Oct 14 18:23:39 2016 +0100 ---------------------------------------------------------------------- .../AbstractSupportingTokenPolicyValidator.java | 21 +++++++++++++++----- .../EncryptedTokenPolicyValidator.java | 11 ++++------ .../EndorsingEncryptedTokenPolicyValidator.java | 17 ++-------------- .../SignedEncryptedTokenPolicyValidator.java | 21 ++++---------------- ...dEndorsingEncryptedTokenPolicyValidator.java | 17 ++-------------- 5 files changed, 28 insertions(+), 59 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/b9bdfa1f/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java index 3dfbead..4f49c79 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java 
@@ -95,10 +95,6 @@ public abstract class AbstractSupportingTokenPolicyValidator private EncryptedParts encryptedParts; private boolean enforceEncryptedTokens = true; - protected abstract boolean isSigned(); - protected abstract boolean isEncrypted(); - protected abstract boolean isEndorsing(); - /** * Set the list of UsernameToken results */ @@ -468,7 +464,7 @@ public abstract class AbstractSupportingTokenPolicyValidator return null; } - private boolean isTLSInUse() { + protected boolean isTLSInUse() { // See whether TLS is in use or not TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class); if (tlsInfo != null) { @@ -934,4 +930,19 @@ public abstract class AbstractSupportingTokenPolicyValidator this.enforceEncryptedTokens = enforceEncryptedTokens; } + static AssertionInfo getFirstAssertionByLocalname( + AssertionInfoMap aim, String localname + ) { + Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname)); + if (sp11Ais != null && !sp11Ais.isEmpty()) { + return sp11Ais.iterator().next(); + } + + Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname)); + if (sp12Ais != null && !sp12Ais.isEmpty()) { + return sp12Ais.iterator().next(); + } + + return null; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/b9bdfa1f/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java index 1452bee..f1ea095 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java 
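Review bot: Widening `isTLSInUse()` to `protected` exposes a check that reads the validator's own `message` rather than an argument, and nothing on the method documents that. The subclasses in this commit call it from `parsePolicies(aim, ais, message)`, where the `message` parameter is passed in but is not what the TLS test looks at, so the answer depends on the validator's state having been set before the call. Because that answer decides whether token encryption is enforced, I would add a Javadoc stating that the check is made against the message held by this validator and that the message must be set first. The method body continues past the end of this hunk, so the rest of the check is not visible here.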
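Review bot: `getFirstAssertionByLocalname` is added without Javadoc and with package-private `static` access, while the `isTLSInUse()` it is used alongside becomes `protected` in the same commit. A validator subclass outside this package could call the TLS check but not the lookup; `protected static AssertionInfo getFirstAssertionByLocalname(` would keep the two consistent. The doc comment should say that the SP11 namespace is consulted before SP12, that `null` means no assertion with that local name is in the map, and that the `AssertionInfo` is returned whatever its asserted state, because the callers in this commit treat a non-null result as the reason to stop enforcing token encryption.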
@@ -26,8 +26,6 @@ import org.apache.cxf.message.Message; import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.wss4j.dom.WSSecurityEngineResult; -import org.apache.cxf.ws.security.policy.PolicyUtils; -import org.apache.wss4j.policy.SP12Constants; import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.model.AbstractToken; import org.apache.wss4j.policy.model.IssuedToken; @@ -63,18 +61,17 @@ public class EncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicy setSignedResults(signedResults); setEncryptedResults(encryptedResults); - parsePolicies(ais, message); + parsePolicies(aim, ais, message); } return true; } - private void parsePolicies(Collection<AssertionInfo> ais, Message message) { + private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais, Message message) { // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available - if (isTLSInUse(parameters.getMessage())) { + if (isTLSInUse()) { AssertionInfo transportAi = - PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(), - SPConstants.TRANSPORT_BINDING); + getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING); super.setEnforceEncryptedTokens(transportAi == null); } http://git-wip-us.apache.org/repos/asf/cxf/blob/b9bdfa1f/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java index a131429..6f93577 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java 
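Review bot: In `parsePolicies`, `setEnforceEncryptedTokens(transportAi == null)` runs only inside `if (isTLSInUse())`, so on a non-TLS message the flag keeps whatever value it already had. The field defaults to `true`, which is safe for a fresh instance, but if a validator instance were ever reused after a TLS request with a TransportBinding policy, encryption enforcement would stay off for a later non-TLS message; whether instances are reused is not visible here. Setting the flag on every call removes that dependency: `super.setEnforceEncryptedTokens(!isTLSInUse() || getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING) == null);`. The same block appears in the `parsePolicies` hunks of EndorsingEncryptedTokenPolicyValidator, SignedEncryptedTokenPolicyValidator and SignedEndorsingEncryptedTokenPolicyValidator. The method continues outside the hunk.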
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java @@ -24,13 +24,8 @@ import java.util.List; import org.apache.cxf.message.Message; import org.apache.cxf.ws.policy.AssertionInfo; -<<<<<<< HEAD import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.wss4j.dom.WSSecurityEngineResult; -======= -import org.apache.cxf.ws.security.policy.PolicyUtils; -import org.apache.wss4j.policy.SP12Constants; ->>>>>>> 011725e... CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.model.AbstractToken; import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys; @@ -54,7 +49,6 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo setEncrypted(true); } -<<<<<<< HEAD public boolean validatePolicy( AssertionInfoMap aim, Message message, 
@@ -77,20 +71,13 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo } private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais, Message message) { -======= - /** - * Validate policies. - */ - public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) { // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available - if (isTLSInUse(parameters.getMessage())) { + if (isTLSInUse()) { AssertionInfo transportAi = - PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(), - SPConstants.TRANSPORT_BINDING); + getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING); super.setEnforceEncryptedTokens(transportAi == null); } ->>>>>>> 011725e... CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted for (AssertionInfo ai : ais) { SupportingTokens binding = (SupportingTokens)ai.getAssertion(); ai.setAsserted(true); http://git-wip-us.apache.org/repos/asf/cxf/blob/b9bdfa1f/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java index 32d6b37..e5ac0c1 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java 
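Review bot: This TLS/TransportBinding block is now pasted verbatim into four validators (here and in EncryptedTokenPolicyValidator, SignedEncryptedTokenPolicyValidator and SignedEndorsingEncryptedTokenPolicyValidator), and this commit has to make the same conflict repair in three of them. Since `isTLSInUse()` and `getFirstAssertionByLocalname` both live in AbstractSupportingTokenPolicyValidator after this commit, the decision could sit there as one protected method taking `aim`, with each `parsePolicies` reduced to a single call. That keeps the rule for when unencrypted supporting tokens are tolerated in one place, so a later fix cannot be applied to some validators and missed in others. `parsePolicies` continues past the end of the hunk.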
@@ -24,13 +24,8 @@ import java.util.List; import org.apache.cxf.message.Message; import org.apache.cxf.ws.policy.AssertionInfo; -<<<<<<< HEAD import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.wss4j.dom.WSSecurityEngineResult; -======= -import org.apache.cxf.ws.security.policy.PolicyUtils; -import org.apache.wss4j.policy.SP12Constants; ->>>>>>> 011725e... CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.model.AbstractToken; import org.apache.wss4j.policy.model.IssuedToken; @@ -53,7 +48,6 @@ public class SignedEncryptedTokenPolicyValidator extends AbstractSupportingToken setEncrypted(true); } -<<<<<<< HEAD public boolean validatePolicy( AssertionInfoMap aim, Message message, 
@@ -69,27 +63,20 @@ public class SignedEncryptedTokenPolicyValidator extends AbstractSupportingToken setSignedResults(signedResults); setEncryptedResults(encryptedResults); - parsePolicies(ais, message); + parsePolicies(aim, ais, message); } return true; } - private void parsePolicies(Collection<AssertionInfo> ais, Message message) { -======= - /** - * Validate policies. - */ - public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) { + private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais, Message message) { // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available - if (isTLSInUse(parameters.getMessage())) { + if (isTLSInUse()) { AssertionInfo transportAi = - PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(), - SPConstants.TRANSPORT_BINDING); + getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING); super.setEnforceEncryptedTokens(transportAi == null); } ->>>>>>> 011725e... CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted for (AssertionInfo ai : ais) { SupportingTokens binding = (SupportingTokens)ai.getAssertion(); ai.setAsserted(true); http://git-wip-us.apache.org/repos/asf/cxf/blob/b9bdfa1f/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java index 3242dbf..9db1ae8 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java 
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java @@ -24,13 +24,8 @@ import java.util.List; import org.apache.cxf.message.Message; import org.apache.cxf.ws.policy.AssertionInfo; -<<<<<<< HEAD import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.wss4j.dom.WSSecurityEngineResult; -======= -import org.apache.cxf.ws.security.policy.PolicyUtils; -import org.apache.wss4j.policy.SP12Constants; ->>>>>>> 011725e... CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.model.AbstractToken; import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys; @@ -55,7 +50,6 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor setEncrypted(true); } -<<<<<<< HEAD public boolean validatePolicy( AssertionInfoMap aim, Message message, @@ -78,20 +72,13 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor } private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais, Message message) { -======= - /** - * Validate policies. - */ - public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) { // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available - if (isTLSInUse(parameters.getMessage())) { + if (isTLSInUse()) { AssertionInfo transportAi = - PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(), - SPConstants.TRANSPORT_BINDING); + getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING); super.setEnforceEncryptedTokens(transportAi == null); } ->>>>>>> 011725e... CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted for (AssertionInfo ai : ais) { SupportingTokens binding = (SupportingTokens)ai.getAssertion(); ai.setAsserted(true);