Fixing some outbound policy assertions
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6f0dec69 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6f0dec69 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6f0dec69 Branch: refs/heads/3.0.x-fixes Commit: 6f0dec6995ac63f25bfb6b5a770501482d737bab Parents: 5130728 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Wed Sep 9 12:53:11 2015 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Wed Sep 9 14:44:28 2015 +0100 ---------------------------------------------------------------------- .../policyhandlers/AbstractBindingBuilder.java | 14 +++++--- .../AbstractCommonBindingHandler.java | 1 + .../AsymmetricBindingHandler.java | 34 ++++++-------------- .../policyhandlers/SymmetricBindingHandler.java | 13 ++++---- 4 files changed, 27 insertions(+), 35 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/6f0dec69/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java index d8ec26a..8ffa513 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java 
@@ -363,12 +363,16 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle ai.setNotAsserted(SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST + " requires a timestamp"); } else { addTopDownElement(timestampEl.getElement()); + ai.setAsserted(true); assertPolicy( new QName(binding.getLayout().getName().getNamespaceURI(), SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST)); } } else if (timestampEl != null) { + ai.setAsserted(true); addTopDownElement(timestampEl.getElement()); + } else { + ai.setAsserted(true); } assertPolicy( @@ -1125,18 +1129,20 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle // Store them so that the main Signature doesn't sign them if (parts != null) { suppTokenParts.add(parts); + this.assertPolicy(parts.getName()); } if (elements != null) { suppTokenParts.add(elements); + this.assertPolicy(elements.getName()); } } else { Collection<AssertionInfo> ais = getAllAssertionsByLocalname(SPConstants.SIGNED_PARTS); if (!ais.isEmpty()) { for (AssertionInfo ai : ais) { SignedParts signedParts = (SignedParts)ai.getAssertion(); + ai.setAsserted(true); if (!suppTokenParts.contains(signedParts)) { parts = signedParts; - ai.setAsserted(true); } } } @@ -1145,9 +1151,9 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle if (!ais.isEmpty()) { for (AssertionInfo ai : ais) { SignedElements signedElements = (SignedElements)ai.getAssertion(); + ai.setAsserted(true); if (!suppTokenParts.contains(signedElements)) { elements = signedElements; - ai.setAsserted(true); } } } @@ -1557,7 +1563,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle tokenTypeSet = true; } - assertPolicy(token); + assertToken(token); if (!tokenTypeSet) { boolean requestor = isRequestor(); 
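Review bot: Every branch of the timestamp/layout chain in the `@@ -363` hunk now ends in `ai.setAsserted(true);` except the one that calls `ai.setNotAsserted(...)`, so the three added calls can be folded into one site. If `setNotAsserted` clears the asserted flag, as its name suggests (its implementation is not in this diff), a single `ai.setAsserted(true);` placed before the `if` chain gives the same result with one line to maintain; if it does not, keep the per-branch calls but add `// every layout variant except a missing LaxTsFirst timestamp is satisfied here` above the chain so the repetition reads as deliberate. The enclosing method starts before the hunk and continues past the trailing `assertPolicy(`.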
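Review bot: In the `@@ -1125` hunk `ai.setAsserted(true);` moved out of the `!suppTokenParts.contains(signedParts)` test, so every SignedParts assertion is marked asserted here, including those owned by a supporting token that are neither returned in `parts` nor covered by the main signature built later; `@@ -1145` does the same for SignedElements. That is presumably deliberate, since the supporting-token parts are asserted through the new `this.assertPolicy(parts.getName())` and `this.assertPolicy(elements.getName())` calls in the other branch, but nothing in the code says so; a one-line comment above each loop, `// supporting-token parts are signed by their own signature, so the assertion holds either way`, would record the reasoning. The two new calls also use an explicit `this.` where the surrounding code calls `assertPolicy(...)` unqualified.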
@@ -1676,7 +1682,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle sig.setStoreBytesInAttachment(storeBytesInAttachment); checkForX509PkiPath(sig, token); if (token instanceof IssuedToken || token instanceof SamlToken) { - assertPolicy(token); + assertToken(token); SecurityToken securityToken = getSecurityToken(); String tokenType = securityToken.getTokenType(); http://git-wip-us.apache.org/repos/asf/cxf/blob/6f0dec69/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java index 5c8250c..d344648 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java @@ -123,6 +123,7 @@ public abstract class AbstractCommonBindingHandler { return; } assertPolicy(tokenWrapper.getName()); + assertToken(tokenWrapper.getToken()); } protected void assertToken(AbstractToken token) { http://git-wip-us.apache.org/repos/asf/cxf/blob/6f0dec69/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java index c94c913..d5b18f1 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java 
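Review bot: The added `assertToken(tokenWrapper.getToken());` in `assertTokenWrapper` passes the nested token straight through; if a wrapper can carry no token and `assertToken` (whose body begins just after the hunk) does not null-check, this becomes a NullPointerException in the policy path, so either confirm that check exists or guard with `if (tokenWrapper.getToken() != null) { assertToken(tokenWrapper.getToken()); }`. A comment on the method stating that asserting a wrapper now also asserts the wrapped token would document the contract that AsymmetricBindingHandler and SymmetricBindingHandler rely on when they drop their own `assertToken`/`assertPolicy` calls elsewhere in this commit. The start of `assertTokenWrapper` lies outside the hunk.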
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java @@ -136,8 +136,6 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { policyNotAsserted(initiatorToken, "Security token is not found or expired"); return; } else { - assertPolicy(initiatorToken); - if (isTokenRequired(initiatorToken.getIncludeTokenType())) { Element el = secToken.getToken(); this.addEncryptedKeyElement(cloneElement(el)); @@ -146,12 +144,9 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { } } else if (initiatorToken instanceof SamlToken && isRequestor()) { SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken)initiatorToken); - if (assertionWrapper != null) { - if (isTokenRequired(initiatorToken.getIncludeTokenType())) { - addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart())); - storeAssertionAsSecurityToken(assertionWrapper); - } - assertPolicy(initiatorToken); + if (assertionWrapper != null && isTokenRequired(initiatorToken.getIncludeTokenType())) { + addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart())); + storeAssertionAsSecurityToken(assertionWrapper); } } else if (initiatorToken instanceof SamlToken) { String tokenId = getSAMLToken(); 
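Review bot: Removing `assertPolicy(initiatorToken)` here (and in `@@ -146`, `@@ -276` and `@@ -308` of this file, plus the `assertToken` removals at `@@ -164` and `@@ -295` of SymmetricBindingHandler) leaves the token asserted only if `assertTokenWrapper` is called on its wrapper somewhere earlier in each method, which lies outside the hunks; if any of those paths reaches this point without that call, the initiator token's assertions stay unasserted and the message would presumably fail policy verification. A short comment at the top of each affected method, `// the token itself is asserted by assertTokenWrapper on its wrapper`, would make the dependency visible. Separately, after the deletion this hunk leaves `} else { if (isTokenRequired(...)) {`, whereas `@@ -276` collapses the same shape to `} else if (isTokenRequired(initiatorToken.getIncludeTokenType())) {`; doing the same here keeps the two methods aligned.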
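Review bot: In the collapsed condition `assertionWrapper != null && isTokenRequired(initiatorToken.getIncludeTokenType())`, the case where `addSamlToken` returns null still falls through with neither an assertion nor a `policyNotAsserted` report, unlike the `secToken == null` branch just above it, which calls `policyNotAsserted(initiatorToken, "Security token is not found or expired")` and returns. Unless `addSamlToken` records the failure itself (its body is not in the diff), an `else { policyNotAsserted(initiatorToken, "SAML assertion could not be created"); return; }` (constructed message) would make the two branches behave alike; the same shape recurs at `@@ -276`. The enclosing method starts before the hunk.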
@@ -276,24 +271,17 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { if (secToken == null) { policyNotAsserted(initiatorToken, "Security token is not found or expired"); return; - } else { - assertPolicy(initiatorToken); - - if (isTokenRequired(initiatorToken.getIncludeTokenType())) { - Element el = secToken.getToken(); - this.addEncryptedKeyElement(cloneElement(el)); - attached = true; - } + } else if (isTokenRequired(initiatorToken.getIncludeTokenType())) { + Element el = secToken.getToken(); + this.addEncryptedKeyElement(cloneElement(el)); + attached = true; } } else if (initiatorToken instanceof SamlToken && isRequestor()) { try { SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken)initiatorToken); - if (assertionWrapper != null) { - if (isTokenRequired(initiatorToken.getIncludeTokenType())) { - addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart())); - storeAssertionAsSecurityToken(assertionWrapper); - } - assertPolicy(initiatorToken); + if (assertionWrapper != null && isTokenRequired(initiatorToken.getIncludeTokenType())) { + addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart())); + storeAssertionAsSecurityToken(assertionWrapper); } } catch (Exception e) { String reason = e.getMessage(); @@ -308,7 +296,6 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { return; } } - assertToken(initiatorToken); } List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>(); 
@@ -808,7 +795,6 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { throws WSSecurityException { //Set up the encrypted key to use encrKey = this.getEncryptedKeyBuilder(token); - assertPolicy(wrapper); Element bstElem = encrKey.getBinarySecurityTokenElement(); if (bstElem != null) { // If a BST is available then use it http://git-wip-us.apache.org/repos/asf/cxf/blob/6f0dec69/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java index 979d170..dfc0900 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java @@ -164,7 +164,6 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { tokenId = getUTDerivedKey(); } } - assertToken(encryptionToken); if (tok == null) { //if (tokenId == null || tokenId.length() == 0) { //REVISIT - no tokenId? Exception? @@ -295,7 +294,6 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { sigTokId = getUTDerivedKey(); } } - assertToken(sigToken); } else { policyNotAsserted(sbinding, "No signature token"); return; 
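Review bot: `assertPolicy(wrapper)` is deleted from the method in the `@@ -808` hunk without a replacement, while the parallel change in SymmetricBindingHandler (`@@ -874`) swaps the same call for `assertTokenWrapper(wrapper)`; unless the asymmetric wrapper is asserted by a caller outside this hunk, the two handlers now diverge and this wrapper is never asserted on this path. The method's signature sits just above the hunk, so I cannot confirm it, but from `encrKey = this.getEncryptedKeyBuilder(token)` it looks like the asymmetric counterpart of `setupEncryptedKey`, and if the deletion is intended `wrapper` may now be an unused parameter that deserves a comment. The method continues past the end of the hunk.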
@@ -836,10 +834,11 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { } } - if (included && sbinding.isProtectTokens()) { - sigs.add(new WSEncryptionPart(sigTokId)); - assertPolicy( - new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS)); + if (sbinding.isProtectTokens()) { + assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS)); + if (included) { + sigs.add(new WSEncryptionPart(sigTokId)); + } } sig.setCustomTokenId(sigTokId); @@ -874,7 +873,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken) throws WSSecurityException { WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken); - assertPolicy(wrapper); + assertTokenWrapper(wrapper); String id = encrKey.getId(); byte[] secret = encrKey.getEphemeralKey();
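Review bot: `assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS))` now runs whenever `sbinding.isProtectTokens()` is true, even when `included` is false and no `WSEncryptionPart(sigTokId)` is added to `sigs`, so the ProtectTokens assertion is satisfied without the token being signed. That reads as intentional (a token not carried in the message has nothing to sign), but the widened condition deserves a comment, e.g. `// ProtectTokens holds even when the token is not in the message: only an included token can be covered by the signature`. The enclosing method begins well before the hunk.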