Author: coheigea
Date: Fri Jul 4 15:44:00 2014
New Revision: 1607879
URL: http://svn.apache.org/r1607879
Log:
More work on asserting policies directly in WSS4J
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
(original)
+++
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
Fri Jul 4 15:44:00 2014
@@ -62,6 +62,8 @@ import org.apache.wss4j.policy.model.Sig
import org.apache.wss4j.policy.model.SignedParts;
import org.apache.wss4j.policy.model.SpnegoContextToken;
import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
import org.apache.wss4j.policy.model.UsernameToken;
import org.apache.wss4j.policy.model.Wss10;
import org.apache.wss4j.policy.model.X509Token;
@@ -325,7 +327,7 @@ public class PolicyEnforcer implements S
assertableList.add(new
SamlTokenAssertionState(abstractSecurityAssertion, !tokenRequired,
policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof RelToken) {
assertableList.add(new
RelTokenAssertionState(abstractSecurityAssertion, !tokenRequired,
policyAsserter, initiator));
- } else if (abstractSecurityAssertion instanceof HttpsToken &&
!initiator) {
+ } else if (abstractSecurityAssertion instanceof HttpsToken) {
assertableList.add(new
HttpsTokenAssertionState(abstractSecurityAssertion, !tokenRequired,
policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof KeyValueToken) {
assertableList.add(new
KeyValueTokenAssertionState(abstractSecurityAssertion, !tokenRequired,
policyAsserter, initiator));
@@ -419,6 +421,41 @@ public class PolicyEnforcer implements S
}
}
}
+ } else if (abstractSecurityAssertion instanceof Trust10) {
+ Trust10 trust10 = (Trust10)abstractSecurityAssertion;
+ String namespace = trust10.getName().getNamespaceURI();
+ policyAsserter.assertPolicy(abstractSecurityAssertion);
+
+ if (trust10.isMustSupportClientChallenge()) {
+ policyAsserter.assertPolicy(new QName(namespace,
SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE));
+ }
+ if (trust10.isMustSupportIssuedTokens()) {
+ policyAsserter.assertPolicy(new QName(namespace,
SPConstants.MUST_SUPPORT_ISSUED_TOKENS));
+ }
+ if (trust10.isMustSupportServerChallenge()) {
+ policyAsserter.assertPolicy(new QName(namespace,
SPConstants.MUST_SUPPORT_SERVER_CHALLENGE));
+ }
+ if (trust10.isRequireClientEntropy()) {
+ policyAsserter.assertPolicy(new QName(namespace,
SPConstants.REQUIRE_CLIENT_ENTROPY));
+ }
+ if (trust10.isRequireServerEntropy()) {
+ policyAsserter.assertPolicy(new QName(namespace,
SPConstants.REQUIRE_SERVER_ENTROPY));
+ }
+ if (trust10 instanceof Trust13) {
+ Trust13 trust13 = (Trust13)trust10;
+ if (trust13.isMustSupportInteractiveChallenge()) {
+ policyAsserter.assertPolicy(new QName(namespace,
SPConstants.MUST_SUPPORT_INTERACTIVE_CHALLENGE));
+ }
+ if (trust13.isRequireAppliesTo()) {
+ policyAsserter.assertPolicy(new QName(namespace,
SPConstants.REQUIRE_APPLIES_TO));
+ }
+ if (trust13.isRequireRequestSecurityTokenCollection()) {
+ policyAsserter.assertPolicy(new QName(namespace,
SPConstants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION));
+ }
+ if (trust13.isScopePolicy15()) {
+ policyAsserter.assertPolicy(new QName(namespace,
SPConstants.SCOPE_POLICY_15));
+ }
+ }
} else {
policyAsserter.assertPolicy(abstractSecurityAssertion);
}
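Review bot: The new Trust10/Trust13 branch asserts every nested assertion straight from the policy model's boolean flags without consulting any security event, and nothing in the hunk says this is intentional, so a reader comparing it with the token branches above may suspect a missing check. If the reason is that these assertions describe protocol capabilities rather than message content, a one-line comment at the top of the branch stating exactly that would settle it. As a point of style, the nine repetitions of `if (flag) { policyAsserter.assertPolicy(new QName(namespace, ...)); }` could collapse into one small private helper taking the flag, the namespace and the local name, so each site reads like `assertIfEnabled(trust10.isMustSupportClientChallenge(), namespace, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE);`. The enclosing method starts outside the hunk.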
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
(original)
+++
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
Fri Jul 4 15:44:00 2014
@@ -73,7 +73,7 @@ public class HttpsTokenAssertionState ex
getPolicyAsserter().unassertPolicy(getAssertion(),
getErrorMessage());
return false;
}
- if (httpsToken.getAuthenticationType() != null) {
+ if (!isInitiator() && httpsToken.getAuthenticationType() != null) {
String namespace = getAssertion().getName().getNamespaceURI();
switch (httpsToken.getAuthenticationType()) {
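Review bot: With `!isInitiator()` added to the guard, the initiator side now skips the whole authentication-type branch, including whatever nested assertions the switch body (outside the hunk) makes; together with the PolicyEnforcer change in this commit that creates an HttpsTokenAssertionState for the initiator as well, those nested authentication-type assertions presumably remain unasserted on the client side, which matters if an unasserted nested assertion later causes the alternative to fail. If skipping them on the initiator is deliberate, say so on the changed line, e.g. `// the authentication type can only be verified by the recipient; the initiator does not assert it`. The enclosing method starts and ends outside the hunk.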
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
(original)
+++
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
Fri Jul 4 15:44:00 2014
@@ -84,6 +84,7 @@ public class IssuedTokenAssertionState e
!issuedToken.getIssuerName().equals(issuedTokenSecurityEvent.getIssuerName())) {
setErrorMessage("IssuerName in Policy (" +
issuedToken.getIssuerName() +
") didn't match with the one in the IssuedToken (" +
issuedTokenSecurityEvent.getIssuerName() + ")");
+ getPolicyAsserter().unassertPolicy(getAssertion(),
getErrorMessage());
return false;
}
if (issuedToken.getRequestSecurityTokenTemplate() != null) {
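Review bot: The added `getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());` now follows every `setErrorMessage(...)` in this method (here and in the three following hunks), so the set/unassert/return-false triple is duplicated four times and a future failure branch can easily omit the unassert. A private helper such as `private boolean fail(String msg) { setErrorMessage(msg); getPolicyAsserter().unassertPolicy(getAssertion(), msg); return false; }` would let each site read `return fail(errorMsg);`. The enclosing method starts outside the hunk.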
@@ -92,6 +93,7 @@ public class IssuedTokenAssertionState e
String errorMsg =
checkIssuedTokenTemplate(issuedToken.getRequestSecurityTokenTemplate(),
samlTokenSecurityEvent);
if (errorMsg != null) {
setErrorMessage(errorMsg);
+ getPolicyAsserter().unassertPolicy(getAssertion(),
getErrorMessage());
return false;
}
} else if (issuedTokenSecurityEvent instanceof
KerberosTokenSecurityEvent) {
@@ -99,6 +101,7 @@ public class IssuedTokenAssertionState e
String errorMsg =
checkIssuedTokenTemplate(issuedToken.getRequestSecurityTokenTemplate(),
kerberosTokenSecurityEvent);
if (errorMsg != null) {
setErrorMessage(errorMsg);
+ getPolicyAsserter().unassertPolicy(getAssertion(),
getErrorMessage());
return false;
}
}
@@ -110,15 +113,18 @@ public class IssuedTokenAssertionState e
validateClaims((Element) claims,
(SamlTokenSecurityEvent)issuedTokenSecurityEvent);
if (errorMsg != null) {
setErrorMessage(errorMsg);
+ getPolicyAsserter().unassertPolicy(getAssertion(),
getErrorMessage());
return false;
}
}
} catch (XMLSecurityException e) {
+ getPolicyAsserter().unassertPolicy(getAssertion(),
getErrorMessage());
throw new WSSPolicyException(e.getMessage(), e);
}
//always return true to prevent false alarm in case additional tokens
with the same usage
//appears in the message but do not fulfill the policy and are also
not needed to fulfil the policy.
+ getPolicyAsserter().assertPolicy(getAssertion());
return true;
}
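Review bot: In the new `catch (XMLSecurityException e)` block the unassert reason is `getErrorMessage()`, but nothing on this path calls `setErrorMessage`, so the recorded reason is whatever was set earlier (possibly null, or a stale message from an earlier event) rather than the exception that actually failed the check. The rethrow on the next line already uses the exception's message; the unassert should do the same: `getPolicyAsserter().unassertPolicy(getAssertion(), e.getMessage());`. The try block this catch belongs to starts outside the hunk.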
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
(original)
+++
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
Fri Jul 4 15:44:00 2014
@@ -38,6 +38,10 @@ public class SpnegoContextTokenAssertion
public SpnegoContextTokenAssertionState(AbstractSecurityAssertion
assertion, boolean asserted,
PolicyAsserter policyAsserter,
boolean initiator) {
super(assertion, asserted, policyAsserter, initiator);
+
+ if (asserted) {
+ getPolicyAsserter().assertPolicy(getAssertion());
+ }
}
@Override
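Review bot: The constructor now performs a side effect through `getPolicyAsserter()` (protected on the superclass) and `getAssertion()` (presumably likewise), both overridable, so a subclass override would run before that subclass's own fields are initialised. The constructor parameters are already in scope, and `policyAsserter.assertPolicy(assertion);` does the same without that hazard. It is also worth checking whether the "assert when constructed as already-asserted" rule is wanted for the other token states too, in which case it belongs in the TokenAssertionState constructor rather than in this one subclass.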
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
(original)
+++
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
Fri Jul 4 15:44:00 2014
@@ -285,4 +285,8 @@ public abstract class TokenAssertionStat
protected PolicyAsserter getPolicyAsserter() {
return policyAsserter;
}
+
+ protected boolean isInitiator() {
+ return initiator;
+ }
}
Modified:
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
(original)
+++
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
Fri Jul 4 15:44:00 2014
@@ -93,9 +93,6 @@ public class TokenProtectionAssertionSta
AbstractSymmetricAsymmetricBinding abstractSymmetricAsymmetricBinding
= (AbstractSymmetricAsymmetricBinding) getAssertion();
boolean protectTokens =
abstractSymmetricAsymmetricBinding.isProtectTokens();
String namespace = getAssertion().getName().getNamespaceURI();
- if (protectTokens) {
- policyAsserter.assertPolicy(new QName(namespace,
SPConstants.PROTECT_TOKENS));
- }
if (securityEvent instanceof SignedElementSecurityEvent) {
SignedElementSecurityEvent signedElementSecurityEvent =
(SignedElementSecurityEvent) securityEvent;
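Review bot: Moving the PROTECT_TOKENS assertion to the end of the method also drops the `if (protectTokens)` guard, so in the second hunk of this file `policyAsserter.assertPolicy(new QName(namespace, SPConstants.PROTECT_TOKENS))` now runs before `return true` even when the binding does not declare ProtectTokens. If assertPolicy ignores names absent from the alternative this is harmless, but it is a silent behaviour change the log message does not mention; keeping the guard, `if (protectTokens) { policyAsserter.assertPolicy(new QName(namespace, SPConstants.PROTECT_TOKENS)); }`, preserves the original semantics while still asserting only after the checks have passed. The enclosing method starts outside both hunks.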
@@ -151,6 +148,8 @@ public class TokenProtectionAssertionSta
}
}
}
+
+ policyAsserter.assertPolicy(new QName(namespace,
SPConstants.PROTECT_TOKENS));
return true;
}