[CXF-6327] - Invalid Policy exception for EndorsingSupportingTokens with more than one token assertions
Conflicts: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7f001482 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7f001482 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7f001482 Branch: refs/heads/3.0.x-fixes Commit: 7f0014828b9201e0f32a7ebe3bd02ef3ccfb760b Parents: 97682e6 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Wed Apr 15 13:41:13 2015 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Wed Apr 15 13:43:18 2015 +0100 ---------------------------------------------------------------------- .../policyhandlers/AbstractBindingBuilder.java | 65 ++++++++++++-------- .../AbstractStaxBindingHandler.java | 9 ++- .../AsymmetricBindingHandler.java | 15 ++--- .../StaxAsymmetricBindingHandler.java | 4 +- .../StaxSymmetricBindingHandler.java | 4 +- .../StaxTransportBindingHandler.java | 4 +- .../policyhandlers/SymmetricBindingHandler.java | 11 ++-- .../policyhandlers/TransportBindingHandler.java | 17 +++-- .../sts/transport/TransportBindingTest.java | 7 ++- .../cxf/systest/sts/transport/DoubleIt.wsdl | 3 +- .../cxf/systest/sts/transport/cxf-service.xml | 3 +- .../systest/sts/transport/cxf-stax-service.xml | 3 +- 12 files changed, 85 insertions(+), 60 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java ---------------------------------------------------------------------- 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java index fec27e8..a996944 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java @@ -113,7 +113,6 @@ import org.apache.wss4j.policy.model.AbstractSecurityAssertion; import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding; import org.apache.wss4j.policy.model.AbstractToken; import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys; -import org.apache.wss4j.policy.model.AbstractTokenWrapper; import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType; import org.apache.wss4j.policy.model.AsymmetricBinding; import org.apache.wss4j.policy.model.Attachments; @@ -492,7 +491,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle } else if (token instanceof X509Token) { //We have to use a cert. Prepare X509 signature - WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse); + WSSecSignature sig = getSignatureBuilder(token, false, endorse); + assertPolicy(suppTokens); Element bstElem = sig.getBinarySecurityTokenElement(); if (bstElem != null) { if (lastEncryptedKeyElement != null) { @@ -513,7 +513,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle } ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens))); } else if (token instanceof KeyValueToken) { - WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse); + WSSecSignature sig = getSignatureBuilder(token, false, endorse); + assertPolicy(suppTokens); if (suppTokens.isEncryptedToken()) { WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element"); encryptedTokensList.add(part); 
@@ -860,7 +861,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle } Crypto crypto = samlCallback.getIssuerCrypto(); if (crypto == null) { - crypto = getSignatureCrypto(null); + crypto = getSignatureCrypto(); } assertion.signAssertion( @@ -1372,12 +1373,21 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle return null; } +<<<<<<< HEAD protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractTokenWrapper wrapper, AbstractToken token) throws WSSecurityException { WSSecEncryptedKey encrKey = new WSSecEncryptedKey(wssConfig); Crypto crypto = getEncryptionCrypto(wrapper); +======= + protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException { + WSSecEncryptedKey encrKey = new WSSecEncryptedKey(); + encrKey.setIdAllocator(wssConfig.getIdAllocator()); + encrKey.setCallbackLookup(callbackLookup); + Crypto crypto = getEncryptionCrypto(); +>>>>>>> aaad96f... [CXF-6327] - Invalid Policy exception for EndorsingSupportingTokens with more than one token assertions message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto); - setKeyIdentifierType(encrKey, wrapper, token); + setKeyIdentifierType(encrKey, token); + boolean alsoIncludeToken = false; // Find out do we also need to include the token as per the Inclusion requirement if (token instanceof X509Token @@ -1386,7 +1396,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle alsoIncludeToken = true; } - String encrUser = setEncryptionUser(encrKey, wrapper, false, crypto); + String encrUser = setEncryptionUser(encrKey, token, false, crypto); AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); encrKey.setSymmetricEncAlgorithm(algType.getEncryption()); 
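Review bot: The new side of the getEncryptedKeyBuilder hunk commits unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> aaad96f...`), so AbstractBindingBuilder will not compile; the same markers are committed in the getEncryptionCrypto hunk that follows and in TransportBindingHandler's derived-key hunk. The HEAD side cannot simply be kept either: it still declares an `AbstractTokenWrapper wrapper` parameter whose import the first hunk of this file removes, while every caller touched by this commit now passes only the token. The resolution that fits this branch appears to be the one-argument signature combined with the constructor form the branch already uses, i.e. `protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException {`, `WSSecEncryptedKey encrKey = new WSSecEncryptedKey(wssConfig);`, `Crypto crypto = getEncryptionCrypto();` — confirm whether `setIdAllocator`/`setCallbackLookup` exist on the WSS4J version 3.0.x builds against before preferring the other side. The method body continues outside the hunk.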
@@ -1421,17 +1431,28 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle return certs[0]; } - public Crypto getSignatureCrypto(AbstractTokenWrapper wrapper) throws WSSecurityException { - return getCrypto(wrapper, SecurityConstants.SIGNATURE_CRYPTO, - SecurityConstants.SIGNATURE_PROPERTIES); + public Crypto getSignatureCrypto() throws WSSecurityException { + return getCrypto(SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES); } +<<<<<<< HEAD public Crypto getEncryptionCrypto(AbstractTokenWrapper wrapper) throws WSSecurityException { Crypto crypto = getCrypto(wrapper, SecurityConstants.ENCRYPT_CRYPTO, SecurityConstants.ENCRYPT_PROPERTIES); boolean enableRevocation = MessageUtils.isTrue( message.getContextualProperty(SecurityConstants.ENABLE_REVOCATION)); +======= + public Crypto getEncryptionCrypto() throws WSSecurityException { + Crypto crypto = + getCrypto(SecurityConstants.ENCRYPT_CRYPTO, SecurityConstants.ENCRYPT_PROPERTIES); + boolean enableRevocation = false; + String enableRevStr = + (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, message); + if (enableRevStr != null) { + enableRevocation = Boolean.parseBoolean(enableRevStr); + } +>>>>>>> aaad96f... [CXF-6327] - Invalid Policy exception for EndorsingSupportingTokens with more than one token assertions if (enableRevocation && crypto != null) { CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); String encrUser = (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME); @@ -1452,8 +1473,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle } - public Crypto getCrypto( - AbstractTokenWrapper wrapper, + protected Crypto getCrypto( String cryptoKey, String propKey ) throws WSSecurityException { 
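Review bot: The conflicted block inside getEncryptionCrypto decides whether certificate revocation checking is enabled, so the two sides must be resolved deliberately rather than merged: the HEAD side reads the flag with `MessageUtils.isTrue(message.getContextualProperty(SecurityConstants.ENABLE_REVOCATION))`, the cherry-picked side with `SecurityUtils.getSecurityPropertyValue(...)` plus `Boolean.parseBoolean`, and a wrong pick would silently turn revocation checks off on this branch. Unless `SecurityUtils.getSecurityPropertyValue` exists on 3.0.x, keep the HEAD form with the new no-argument signature, as below. Separately, the last hunk narrows getCrypto from `public` to `protected` on a fixes branch, which is a source- and binary-incompatible change for any external subclass or caller; either keep it `public` or call the break out in the commit message. The remainder of both methods lies outside the hunk.
```java
    public Crypto getEncryptionCrypto() throws WSSecurityException {
        Crypto crypto =
            getCrypto(SecurityConstants.ENCRYPT_CRYPTO, SecurityConstants.ENCRYPT_PROPERTIES);
        boolean enableRevocation = MessageUtils.isTrue(
            message.getContextualProperty(SecurityConstants.ENABLE_REVOCATION));
        // … unchanged: revocation check of the encryption certificate when enableRevocation is set …
```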
@@ -1503,7 +1523,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle return null; } - public void setKeyIdentifierType(WSSecBase secBase, AbstractTokenWrapper wrapper, AbstractToken token) { + public void setKeyIdentifierType(WSSecBase secBase, AbstractToken token) { boolean tokenTypeSet = false; if (token instanceof X509Token) { @@ -1524,7 +1544,6 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle } assertPolicy(token); - assertPolicy(wrapper); if (!tokenTypeSet) { boolean requestor = isRequestor(); @@ -1551,7 +1570,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle } } - public String setEncryptionUser(WSSecEncryptedKey encrKeyBuilder, AbstractTokenWrapper token, + public String setEncryptionUser(WSSecEncryptedKey encrKeyBuilder, AbstractToken token, boolean sign, Crypto crypto) { // Check for prepared certificate property X509Certificate encrCert = (X509Certificate)message.getContextualProperty(SecurityConstants.ENCRYPT_CERT); @@ -1659,20 +1678,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle } protected WSSecSignature getSignatureBuilder( - AbstractTokenWrapper wrapper, AbstractToken token, boolean endorse - ) throws WSSecurityException { - return getSignatureBuilder(wrapper, token, false, endorse); - } - - protected WSSecSignature getSignatureBuilder( - AbstractTokenWrapper wrapper, AbstractToken token, boolean attached, boolean endorse + AbstractToken token, boolean attached, boolean endorse ) throws WSSecurityException { WSSecSignature sig = new WSSecSignature(wssConfig); sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message)); checkForX509PkiPath(sig, token); if (token instanceof IssuedToken || token instanceof SamlToken) { assertPolicy(token); - assertPolicy(wrapper); SecurityToken securityToken = getSecurityToken(); String tokenType = securityToken.getTokenType(); 
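Review bot: The surviving getSignatureBuilder overload no longer asserts the enclosing wrapper (both the wrapper parameter and the `assertPolicy(wrapper)` line are removed), so each caller is now responsible for asserting the supporting-token or binding-token wrapper itself, and nothing at compile time catches a caller that forgets. Document that contract on the method, e.g. `/** Builds the signature for {@code token}. Only the token is asserted here; callers must assert the enclosing AbstractTokenWrapper themselves. */`, and add the same sentence to setKeyIdentifierType, whose `assertPolicy(wrapper)` is removed in the hunk above. The bodies of both methods continue outside their hunks.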
@@ -1720,7 +1732,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle sig.setCustomTokenId(sigTokId); } else { - setKeyIdentifierType(sig, wrapper, token); + setKeyIdentifierType(sig, token); // Find out do we also need to include the token as per the Inclusion requirement if (token instanceof X509Token && token.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER @@ -1738,13 +1750,12 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle userNameKey = SecurityConstants.ENCRYPT_USERNAME; } - Crypto crypto = encryptCrypto ? getEncryptionCrypto(wrapper) - : getSignatureCrypto(wrapper); + Crypto crypto = encryptCrypto ? getEncryptionCrypto() : getSignatureCrypto(); if (endorse && crypto == null && binding instanceof SymmetricBinding) { type = "encryption"; userNameKey = SecurityConstants.ENCRYPT_USERNAME; - crypto = getEncryptionCrypto(wrapper); + crypto = getEncryptionCrypto(); } if (!endorse) { @@ -2013,7 +2024,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle sig.setSecretKey(tok.getSecret()); sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature()); sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue()); - sig.prepare(doc, getSignatureCrypto(null), secHeader); + sig.prepare(doc, getSignatureCrypto(), secHeader); sig.setParts(sigParts); List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader); http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java index 05c4c97..fb12cbe 100644 
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java @@ -57,7 +57,6 @@ import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.SPConstants.IncludeTokenType; import org.apache.wss4j.policy.model.AbstractBinding; import org.apache.wss4j.policy.model.AbstractToken; -import org.apache.wss4j.policy.model.AbstractTokenWrapper; import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType; import org.apache.wss4j.policy.model.Attachments; import org.apache.wss4j.policy.model.ContentEncryptedElements; @@ -509,7 +508,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa } protected void configureSignature( - AbstractTokenWrapper wrapper, AbstractToken token, boolean attached + AbstractToken token, boolean attached ) throws WSSecurityException { if (token instanceof X509Token) { @@ -521,7 +520,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa } } - properties.setSignatureKeyIdentifier(getKeyIdentifierType(wrapper, token)); + properties.setSignatureKeyIdentifier(getKeyIdentifierType(token)); // Find out do we also need to include the token as per the Inclusion requirement WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getSignatureKeyIdentifier(); @@ -562,7 +561,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa } protected WSSecurityTokenConstants.KeyIdentifier getKeyIdentifierType( - AbstractTokenWrapper wrapper, AbstractToken token + AbstractToken token ) { WSSecurityTokenConstants.KeyIdentifier identifier = null; if (token instanceof X509Token) { 
@@ -679,7 +678,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa } } else if (token instanceof X509Token || token instanceof KeyValueToken) { assertToken(token); - configureSignature(suppTokens, token, false); + configureSignature(token, false); if (suppTokens.isEncryptedToken()) { SecurePart part = new SecurePart(WSSConstants.TAG_wsse_BinarySecurityToken, Modifier.Element); http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java index 9acaee6..83c3b50 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java @@ -483,7 +483,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message)); encr.setDocument(saaj.getSOAPPart()); - Crypto crypto = getEncryptionCrypto(recToken); + Crypto crypto = getEncryptionCrypto(); SecurityToken securityToken = getSecurityToken(); if (!isRequestor() && securityToken != null 
@@ -500,10 +500,10 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); encr.setCustomEKTokenId(securityToken.getId()); } else { - setKeyIdentifierType(encr, recToken, encrToken); + setKeyIdentifierType(encr, encrToken); } } else { - setKeyIdentifierType(encr, recToken, encrToken); + setKeyIdentifierType(encr, encrToken); } // // Using a stored cert is only suitable for the Issued Token case, where @@ -513,7 +513,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { && securityToken.getX509Certificate() != null) { encr.setUseThisCert(securityToken.getX509Certificate()); } else { - setEncryptionUser(encr, recToken, false, crypto); + setEncryptionUser(encr, encrToken, false, crypto); } if (!encr.isCertSet() && crypto == null) { policyNotAsserted(recToken, "Missing security configuration. " @@ -605,7 +605,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { if (sigParts.isEmpty()) { // Add the BST to the security header if required if (!attached && isTokenRequired(sigToken.getIncludeTokenType())) { - WSSecSignature sig = getSignatureBuilder(wrapper, sigToken, attached, false); + WSSecSignature sig = getSignatureBuilder(sigToken, attached, false); sig.appendBSTElementToHeader(secHeader); } return; @@ -670,7 +670,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { throw new Fault(ex); } } else { - WSSecSignature sig = getSignatureBuilder(wrapper, sigToken, attached, false); + WSSecSignature sig = getSignatureBuilder(sigToken, attached, false); // This action must occur before sig.prependBSTElementToHeader if (abinding.isProtectTokens()) { 
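Review bot: The two `getSignatureBuilder(sigToken, attached, false)` calls in doSignature are not followed by `assertPolicy(wrapper);`, unlike the call sites changed in AbstractBindingBuilder and in createEncryptedKey in this same commit. Before this change the wrapper was asserted inside getSignatureBuilder through setKeyIdentifierType, so if doSignature does not assert `wrapper` elsewhere (its body starts and ends outside the hunk) the wrapper's policy assertion is now silently dropped and an otherwise valid exchange may fail policy verification. Adding `assertPolicy(wrapper);` after each of the two calls restores the previous behaviour.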
@@ -784,7 +784,8 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { private void createEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken token) throws WSSecurityException { //Set up the encrypted key to use - encrKey = this.getEncryptedKeyBuilder(wrapper, token); + encrKey = this.getEncryptedKeyBuilder(token); + assertPolicy(wrapper); Element bstElem = encrKey.getBinarySecurityTokenElement(); if (bstElem != null) { // If a BST is available then use it http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java index 2d1ebb1..843ffd2 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java @@ -356,7 +356,7 @@ public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler { properties.addAction(actionToPerform); properties.getEncryptionSecureParts().addAll(encrParts); - properties.setEncryptionKeyIdentifier(getKeyIdentifierType(recToken, encrToken)); + properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken)); // Find out do we also need to include the token as per the Inclusion requirement WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getEncryptionKeyIdentifier(); 
@@ -424,7 +424,7 @@ public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler { properties.getSignatureSecureParts().addAll(sigParts); AbstractToken sigToken = wrapper.getToken(); - configureSignature(wrapper, sigToken, false); + configureSignature(sigToken, false); if (abinding.isProtectTokens() && (sigToken instanceof X509Token) && sigToken.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER) { http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java index 4b41380..d5a3084 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java @@ -423,7 +423,7 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler { properties.addAction(actionToPerform); if (isRequestor()) { - properties.setEncryptionKeyIdentifier(getKeyIdentifierType(recToken, encrToken)); + properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken)); properties.setDerivedKeyKeyIdentifier( WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference); } else if (recToken.getToken() instanceof KerberosToken && !isRequestor()) { 
@@ -538,7 +538,7 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler { properties.addSignaturePart(securePart); } - configureSignature(wrapper, sigToken, false); + configureSignature(sigToken, false); if (policyToken instanceof X509Token) { properties.setIncludeSignatureToken(false); http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java index 46fa53e..decb8c3 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java @@ -348,7 +348,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler { } else if (token instanceof KerberosToken) { WSSSecurityProperties properties = getProperties(); properties.addAction(WSSConstants.SIGNATURE); - configureSignature(wrapper, token, false); + configureSignature(token, false); addKerberosToken((KerberosToken)token, false, true, false); signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements()); 
@@ -375,7 +375,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler { } properties.addAction(actionToPerform); - configureSignature(wrapper, token, false); + configureSignature(token, false); if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { properties.setSignatureAlgorithm( tbinding.getAlgorithmSuite().getSymmetricSignature()); http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java index a46fb30..6bc2528 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java @@ -534,10 +534,10 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { } encr.setEncKeyId(encrTokId); encr.setEphemeralKey(encrTok.getSecret()); - Crypto crypto = getEncryptionCrypto(recToken); + Crypto crypto = getEncryptionCrypto(); if (crypto != null) { this.message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto); - setEncryptionUser(encr, recToken, false, crypto); + setEncryptionUser(encr, encrToken, false, crypto); } encr.setDocument(saaj.getSOAPPart()); 
@@ -834,9 +834,9 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { sig.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue()); Crypto crypto = null; if (sbinding.getProtectionToken() != null) { - crypto = getEncryptionCrypto(sbinding.getProtectionToken()); + crypto = getEncryptionCrypto(); } else { - crypto = getSignatureCrypto(policyAbstractTokenWrapper); + crypto = getSignatureCrypto(); } this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto); sig.prepare(saaj.getSOAPPart(), crypto, secHeader); @@ -857,7 +857,8 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { } private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken) throws WSSecurityException { - WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(wrapper, sigToken); + WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken); + assertPolicy(wrapper); String id = encrKey.getId(); byte[] secret = encrKey.getEphemeralKey(); http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java index 113e507..c35d202 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java 
@@ -355,7 +355,8 @@ public class TransportBindingHandler extends AbstractBindingBuilder { signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements()); if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { - WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(wrapper, token); + WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token); + assertPolicy(wrapper); Element bstElem = encrKey.getBinarySecurityTokenElement(); if (bstElem != null) { @@ -363,8 +364,15 @@ public class TransportBindingHandler extends AbstractBindingBuilder { } encrKey.appendToHeader(secHeader); +<<<<<<< HEAD WSSecDKSign dkSig = new WSSecDKSign(wssConfig); if (wrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) { +======= + WSSecDKSign dkSig = new WSSecDKSign(); + dkSig.setIdAllocator(wssConfig.getIdAllocator()); + dkSig.setCallbackLookup(callbackLookup); + if (token.getVersion() == SPConstants.SPVersion.SP11) { +>>>>>>> aaad96f... [CXF-6327] - Invalid Policy exception for EndorsingSupportingTokens with more than one token assertions dkSig.setWscVersion(ConversationConstants.VERSION_05_02); } @@ -386,7 +394,8 @@ public class TransportBindingHandler extends AbstractBindingBuilder { return dkSig.getSignatureValue(); } else { - WSSecSignature sig = getSignatureBuilder(wrapper, token, false); + WSSecSignature sig = getSignatureBuilder(token, false, false); + assertPolicy(wrapper); if (sig != null) { sig.prependBSTElementToHeader(secHeader); @@ -552,7 +561,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder { crypto = secTok.getCrypto(); if (crypto == null) { - crypto = getSignatureCrypto(wrapper); + crypto = getSignatureCrypto(); } if (crypto == null) { LOG.fine("No signature Crypto properties are available"); 
@@ -574,7 +583,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder { sig.setUserInfo(uname, password); sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature()); } else { - crypto = getSignatureCrypto(wrapper); + crypto = getSignatureCrypto(); sig.setSecretKey(secTok.getSecret()); sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature()); } http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java index ba23de9..6a91247 100644 --- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java +++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java @@ -378,10 +378,13 @@ public class TransportBindingTest extends AbstractBusClientServerTestBase { bus.shutdown(true); } - // TODO Not supported for now @org.junit.Test - @org.junit.Ignore public void testSAML2EndorsingX509() throws Exception { + + // Only works for DOM (clients) + if (test.isStreaming()) { + return; + } SpringBusFactory bf = new SpringBusFactory(); URL busFile = TransportBindingTest.class.getResource("cxf-client.xml"); http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl ---------------------------------------------------------------------- 
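Review bot: The added `if (test.isStreaming()) { return; }` makes testSAML2EndorsingX509 pass vacuously for the streaming parameterisation instead of being reported as skipped, which hides that the scenario is untested there. The class already uses JUnit 4 (`@org.junit.Test`), so prefer `org.junit.Assume.assumeFalse("SAML2 endorsing X509 is only supported for DOM clients", test.isStreaming());`, which shows the skip explicitly in the run. The rest of the test method lies outside the hunk.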
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl index d08b102..fe0e803 100644 --- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl +++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl @@ -349,10 +349,9 @@ </wsaw:Metadata> </sp:Issuer> </sp:IssuedToken> - <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"> + <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> <wsp:Policy> <sp:WssX509V3Token10/> - <sp:RequireIssuerSerialReference/> </wsp:Policy> </sp:X509Token> </wsp:Policy> http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml index a5dbcc4..3fbf5a2 100644 --- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml +++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml 
@@ -48,7 +48,8 @@ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportsaml2x509" implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportSAML2X509EndorsingPort" serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.Server}/doubleit/services/doubleittransportsaml2x509endorsing" wsdlLocation="org/apache/cxf/systest/sts/transport/DoubleIt.wsdl"> <jaxws:properties> <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/> - <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/> + <entry key="ws-security.signature.properties" value="stsKeystore.properties"/> + <entry key="ws-security.enable.timestamp.cache" value="false"/> </jaxws:properties> </jaxws:endpoint> <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf"> http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml index f9d7a0c..6aa03e8 100644 --- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml +++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml 
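Review bot: `<entry key="ws-security.enable.timestamp.cache" value="false"/>` disables the timestamp replay cache on the doubleittransportsaml2x509 endpoint without stating why, and the same entry is added to cxf-stax-service.xml in the next section. Add an XML comment beside it naming what the systest needs it for, e.g. `<!-- timestamp replay cache disabled for this systest endpoint only -->`, so the setting is not later copied into a non-test configuration as if it were a default. The switch from serviceKeystore.properties to stsKeystore.properties in the same hunk would benefit from the same kind of comment.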
@@ -51,9 +51,10 @@ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportsaml2x509endorsing" implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportSAML2X509EndorsingPort" serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.StaxServer}/doubleit/services/doubleittransportsaml2x509endorsing" wsdlLocation="org/apache/cxf/systest/sts/transport/DoubleIt.wsdl"> <jaxws:properties> <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/> - <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/> + <entry key="ws-security.signature.properties" value="stsKeystore.properties"/> <entry key="ws-security.is-bsp-compliant" value="false"/> <entry key="ws-security.enable.streaming" value="true"/> + <entry key="ws-security.enable.timestamp.cache" value="false"/> </jaxws:properties> </jaxws:endpoint> <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">