Repository: cxf Updated Branches: refs/heads/master 581964426 -> 9fce658c4
[CXF-6334] - Add the ability to plug in custom security policy validators for various assertions
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9fce658c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9fce658c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9fce658c
Branch: refs/heads/master
Commit: 9fce658c4611f790983a3d5cef7312eec8771461
Parents: 5819644
Author: Colm O hEigeartaigh <[email protected]>
Authored: Wed Apr 8 13:27:58 2015 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Wed Apr 8 13:30:47 2015 +0100
----------------------------------------------------------------------
 .../cxf/ws/security/SecurityConstants.java | 10 +-
 .../cxf/ws/security/policy/PolicyUtils.java | 106 +++++++++++++++
 .../IssuedTokenInterceptorProvider.java | 10 +-
 .../KerberosTokenInterceptorProvider.java | 10 +-
 .../wss4j/PolicyBasedWSS4JInInterceptor.java | 128 ++-----------------
 .../wss4j/AbstractPolicySecurityTest.java | 2 +-
 6 files changed, 139 insertions(+), 127 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/9fce658c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 0516853..805d69e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -434,6 +434,14 @@ public final class SecurityConstants {
 */
 public static final String SCT_TOKEN_VALIDATOR = "ws-security.sct.validator";
+ /**
+ * This refers to a Map of QName, SecurityPolicyValidator, which retrieves a SecurityPolicyValidator
+ * implementation to validate a particular security policy, based on the QName of the policy. Any
+ * SecurityPolicyValidator implementation defined in this map will override the default value
+ * used internally for the corresponding QName.
+ */
+ public static final String POLICY_VALIDATOR_MAP = "ws-security.policy.validator.map";
+
 //
 // STS Client Configuration tags
 //
@@ -651,7 +659,7 @@ public final class SecurityConstants {
 DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE, KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
- AUDIENCE_RESTRICTION_VALIDATION
+ AUDIENCE_RESTRICTION_VALIDATION, POLICY_VALIDATOR_MAP
 }));
 ALL_PROPERTIES = Collections.unmodifiableSet(s);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/9fce658c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
index 48a1e61..95a2f6b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
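Review bot: The Javadoc on POLICY_VALIDATOR_MAP does not say that a supplied validator replaces the default one for that QName outright, which is what the plain putAll in PolicyUtils.getSecurityPolicyValidators does; a reader could assume the custom validator runs in addition to the built-in check. Since each entry in this map decides whether an inbound message satisfies a WS-SecurityPolicy assertion, the doc should make the replacement semantics explicit, e.g. add `* Note that an entry in this map replaces the default validator for that QName entirely; the default is not invoked.` It would also help to state what the keys are expected to be (the SP11/SP12 assertion QNames registered in PolicyUtils), since nothing else on the constant says which names are recognised.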
@@ -20,12 +20,38 @@ package org.apache.cxf.ws.security.policy;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Map;
 import javax.xml.namespace.QName;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.KerberosTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.LayoutPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEncryptedTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingEncryptedTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
@@ -36,6 +62,74 @@ import org.apache.wss4j.policy.model.AbstractBinding;
 */
 public final class PolicyUtils {
+ // The default security policy validators
+ private static final Map<QName, SecurityPolicyValidator> DEFAULT_SECURITY_POLICY_VALIDATORS =
+ new HashMap<>();
+
+ static {
+ // Tokens
+ SecurityPolicyValidator validator = new X509TokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.X509_TOKEN, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.X509_TOKEN, validator);
+ validator = new UsernameTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.USERNAME_TOKEN, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.USERNAME_TOKEN, validator);
+ validator = new SamlTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SAML_TOKEN, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SAML_TOKEN, validator);
+ validator = new SecurityContextTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SECURITY_CONTEXT_TOKEN, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SECURITY_CONTEXT_TOKEN, validator);
+ validator = new WSS11PolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.WSS11, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.WSS11, validator);
+ validator = new IssuedTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ISSUED_TOKEN, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ISSUED_TOKEN, validator);
+ validator = new KerberosTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.KERBEROS_TOKEN, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.KERBEROS_TOKEN, validator);
+
+ // Bindings
+ validator = new TransportBindingPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.TRANSPORT_BINDING, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.TRANSPORT_BINDING, validator);
+ validator = new SymmetricBindingPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SYMMETRIC_BINDING, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SYMMETRIC_BINDING, validator);
+ validator = new AsymmetricBindingPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ASYMMETRIC_BINDING, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ASYMMETRIC_BINDING, validator);
+ validator = new AlgorithmSuitePolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ALGORITHM_SUITE, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ALGORITHM_SUITE, validator);
+ validator = new LayoutPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.LAYOUT, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.LAYOUT, validator);
+
+ // Supporting Tokens
+ validator = new ConcreteSupportingTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SUPPORTING_TOKENS, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SUPPORTING_TOKENS, validator);
+ validator = new SignedTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_SUPPORTING_TOKENS, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SIGNED_SUPPORTING_TOKENS, validator);
+ validator = new EndorsingTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENDORSING_SUPPORTING_TOKENS, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.ENDORSING_SUPPORTING_TOKENS, validator);
+ validator = new SignedEndorsingTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS, validator);
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP11Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS, validator);
+ validator = new EncryptedTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS, validator);
+ validator = new SignedEncryptedTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS, validator);
+ validator = new EndorsingEncryptedTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS, validator);
+ validator = new SignedEndorsingEncryptedTokenPolicyValidator();
+ DEFAULT_SECURITY_POLICY_VALIDATORS.put(SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS, validator);
+ }
+
 private PolicyUtils() {
 // complete
 }
@@ -130,4 +224,16 @@ public final class PolicyUtils {
 return null;
 }
+ public static Map<QName, SecurityPolicyValidator> getSecurityPolicyValidators(Message message) {
+ Map<QName, SecurityPolicyValidator> mapToReturn = new HashMap<>(DEFAULT_SECURITY_POLICY_VALIDATORS);
+ Map<QName, SecurityPolicyValidator> policyMap =
+ CastUtils.cast((Map<?, ?>)message.getContextualProperty(SecurityConstants.POLICY_VALIDATOR_MAP));
+
+ // Allow overriding the default policies
+ if (policyMap != null && !policyMap.isEmpty()) {
+ mapToReturn.putAll(policyMap);
+ }
+
+ return mapToReturn;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/9fce658c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
index dd14252..c129c2f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
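Review bot: The validator objects stored in DEFAULT_SECURITY_POLICY_VALIDATORS are now single instances shared by every inbound message on every thread, whereas the code removed from PolicyBasedWSS4JInInterceptor in this commit constructed a fresh validator per call; that is only safe if each default SecurityPolicyValidator keeps no per-message state, which this diff does not show. The field should document that contract so a future validator does not silently break it, e.g. `// Shared across all messages and threads: every validator registered here must be stateless.` The map itself also stays a mutable HashMap after the static block; since only a copy is handed out, that is harmless today, but assigning `Collections.unmodifiableMap(...)` at the end of the static block (Collections is already imported) would make the defaults tamper-proof at essentially no cost.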
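Review bot: putAll in getSecurityPolicyValidators copies null values from the user-supplied map unchanged, so an entry whose value is null passes the `validators.containsKey(qName)` check in the three callers and fails with a NullPointerException at validatePolicies, deep inside the interceptor and with no hint of which configuration entry caused it. The public method is also undocumented. Rejecting such entries up front with a message naming the QName keeps the failure closed but diagnosable; a Javadoc stating that the returned map is a fresh copy (callers may modify it) and that entries from POLICY_VALIDATOR_MAP replace the defaults for the same QName would complete the contract.
```java
    public static Map<QName, SecurityPolicyValidator> getSecurityPolicyValidators(Message message) {
        Map<QName, SecurityPolicyValidator> mapToReturn = new HashMap<>(DEFAULT_SECURITY_POLICY_VALIDATORS);
        // … unchanged: policyMap lookup via CastUtils.cast …

        // Allow overriding the default policies; a null value would otherwise pass the
        // callers' containsKey check and fail with an NPE at validatePolicies
        if (policyMap != null && !policyMap.isEmpty()) {
            for (Map.Entry<QName, SecurityPolicyValidator> entry : policyMap.entrySet()) {
                if (entry.getValue() == null) {
                    throw new IllegalArgumentException(
                        "No SecurityPolicyValidator configured for " + entry.getKey());
                }
                mapToReturn.put(entry.getKey(), entry.getValue());
            }
        }

        return mapToReturn;
    }
```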
@@ -23,6 +23,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
+import java.util.Map;
 import javax.xml.namespace.QName;
@@ -42,7 +43,6 @@ import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor;
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
 import org.apache.wss4j.dom.WSConstants;
@@ -190,8 +190,12 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
 }
 parameters.setSamlResults(samlResults);
- SecurityPolicyValidator issuedValidator = new IssuedTokenPolicyValidator();
- issuedValidator.validatePolicies(parameters, issuedAis);
+ QName qName = issuedAis.iterator().next().getAssertion().getName();
+ Map<QName, SecurityPolicyValidator> validators =
+ PolicyUtils.getSecurityPolicyValidators(message);
+ if (validators.containsKey(qName)) {
+ validators.get(qName).validatePolicies(parameters, issuedAis);
+ }
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/9fce658c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
index 7d3bc51..79611a5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
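Review bot: `issuedAis.iterator().next()` throws NoSuchElementException when issuedAis is empty, whereas the replaced code handed the (possibly empty) collection straight to IssuedTokenPolicyValidator; unless the enclosing method, which begins outside this hunk, already guarantees a non-empty collection, the lookup needs a guard such as `if (!issuedAis.isEmpty()) { ... }` around the new lines. The same pattern appears in the KerberosTokenInterceptorProvider hunk with `ais`. A second, smaller point: only the first assertion's QName selects the validator, and the whole collection is then passed to it; with the defaults this is harmless because PolicyUtils registers the same instance under both the SP11 and SP12 names, but a custom POLICY_VALIDATOR_MAP that overrides only one namespace would see mixed-namespace assertions routed to whichever validator the first one picks.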
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
@@ -27,6 +27,7 @@ import java.util.Map;
 import java.util.logging.Logger;
 import javax.crypto.SecretKey;
+import javax.xml.namespace.QName;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.endpoint.Endpoint;
@@ -51,7 +52,6 @@ import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor;
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
 import org.apache.cxf.ws.security.wss4j.StaxSecurityContextInInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.KerberosTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -198,8 +198,12 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
 parameters.setMessage(message);
 parameters.setResults(rResult);
- SecurityPolicyValidator kerberosValidator = new KerberosTokenPolicyValidator();
- kerberosValidator.validatePolicies(parameters, ais);
+ QName qName = ais.iterator().next().getAssertion().getName();
+ Map<QName, SecurityPolicyValidator> validators =
+ PolicyUtils.getSecurityPolicyValidators(message);
+ if (validators.containsKey(qName)) {
+ validators.get(qName).validatePolicies(parameters, ais);
+ }
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/9fce658c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index ad65a3c..833c8f9 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -38,6 +38,7 @@ import javax.xml.xpath.XPathFactory;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.CastUtils;
@@ -52,26 +53,8 @@ import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.LayoutPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEncryptedTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingEncryptedTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.PasswordEncryptor;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -684,9 +667,14 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
 }
 parameters.setTimestampElement(timestamp);
- checkTokenCoverage(parameters);
- checkBindingCoverage(parameters);
- checkSupportingTokenCoverage(parameters);
+ // Validate security policies
+ Map<QName, SecurityPolicyValidator> validators = PolicyUtils.getSecurityPolicyValidators(msg);
+ for (QName qName : aim.keySet()) {
+ // Check to see if we have a security policy + if we can validate it
+ if (validators.containsKey(qName)) {
+ validators.get(qName).validatePolicies(parameters, aim.get(qName));
+ }
+ }
 super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);
 }
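Review bot: The new loop runs the validators in whatever order `aim.keySet()` happens to iterate, whereas the removed checkTokenCoverage/checkBindingCoverage/checkSupportingTokenCoverage sequence ran them in a fixed order (tokens, bindings, then AlgorithmSuite and Layout, then supporting tokens); if any validator depends on assertions that another validator marks as asserted first, the outcome of policy validation now varies with map iteration order and is hard to reproduce. If ordering matters, drive the loop from a deterministic source instead: keep the defaults in a LinkedHashMap in PolicyUtils, iterate `validators.entrySet()` and look up `aim.get(entry.getKey())`, skipping keys that are absent. A second behavioural change worth a comment: a validator is now only invoked when its QName is present in aim, where previously every validator was called even with an empty assertion list, so any validator that did work on an empty collection is no longer reached. doResults begins and ends outside this hunk.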
@@ -735,104 +723,6 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
 return check;
 }
- /**
- * Check the token coverage
- */
- private void checkTokenCoverage(PolicyValidatorParameters parameters) {
-
- AssertionInfoMap aim = parameters.getAssertionInfoMap();
-
- Collection<AssertionInfo> ais =
- PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
- SecurityPolicyValidator x509Validator = new X509TokenPolicyValidator();
- x509Validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
- SecurityPolicyValidator utValidator = new UsernameTokenPolicyValidator();
- utValidator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
- SecurityPolicyValidator samlValidator = new SamlTokenPolicyValidator();
- samlValidator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
- SecurityPolicyValidator sctValidator = new SecurityContextTokenPolicyValidator();
- sctValidator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS11);
- SecurityPolicyValidator wss11Validator = new WSS11PolicyValidator();
- wss11Validator.validatePolicies(parameters, ais);
- }
-
- /**
- * Check the binding coverage
- */
- private void checkBindingCoverage(PolicyValidatorParameters parameters) {
- AssertionInfoMap aim = parameters.getAssertionInfoMap();
-
- Collection<AssertionInfo> ais =
- PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
- SecurityPolicyValidator transportValidator = new TransportBindingPolicyValidator();
- transportValidator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
- SecurityPolicyValidator symmetricValidator = new SymmetricBindingPolicyValidator();
- symmetricValidator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
- SecurityPolicyValidator asymmetricValidator = new AsymmetricBindingPolicyValidator();
- asymmetricValidator.validatePolicies(parameters, ais);
-
- // Check AlgorithmSuite + Layout that might not be tied to a binding
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
- SecurityPolicyValidator algorithmSuiteValidator = new AlgorithmSuitePolicyValidator();
- algorithmSuiteValidator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
- LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator();
- layoutValidator.validatePolicies(parameters, ais);
- }
-
- /**
- * Check the supporting token coverage
- */
- private void checkSupportingTokenCoverage(PolicyValidatorParameters parameters) {
- AssertionInfoMap aim = parameters.getAssertionInfoMap();
-
- Collection<AssertionInfo> ais =
- PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
- SecurityPolicyValidator validator = new ConcreteSupportingTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
- validator = new SignedTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
- validator = new EndorsingTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
- validator = new SignedEndorsingTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
- validator = new SignedEncryptedTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
- validator = new EncryptedTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
- validator = new EndorsingEncryptedTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
-
- ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
- validator = new SignedEndorsingEncryptedTokenPolicyValidator();
- validator.validatePolicies(parameters, ais);
- }
-
 private boolean assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, Node header) throws SOAPException {
http://git-wip-us.apache.org/repos/asf/cxf/blob/9fce658c/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
index 45d7277..dba08ba 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
@@ -226,7 +226,7 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest {
 }
 }
- private void checkAssertion(AssertionInfoMap aim,
+ protected void checkAssertion(AssertionInfoMap aim,
 QName name,
 AssertionInfo inf,
 boolean asserted) {
