ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1607879 - in /webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax: ./ assertionStates/
Date Fri, 04 Jul 2014 15:44:01 GMT
Author: coheigea
Date: Fri Jul  4 15:44:00 2014
New Revision: 1607879

URL: http://svn.apache.org/r1607879
Log:
More work on asserting policies directly in WSS4J

Modified:
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
Fri Jul  4 15:44:00 2014
@@ -62,6 +62,8 @@ import org.apache.wss4j.policy.model.Sig
 import org.apache.wss4j.policy.model.SignedParts;
 import org.apache.wss4j.policy.model.SpnegoContextToken;
 import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
 import org.apache.wss4j.policy.model.UsernameToken;
 import org.apache.wss4j.policy.model.Wss10;
 import org.apache.wss4j.policy.model.X509Token;
@@ -325,7 +327,7 @@ public class PolicyEnforcer implements S
             assertableList.add(new SamlTokenAssertionState(abstractSecurityAssertion, !tokenRequired,
policyAsserter, initiator));
         } else if (abstractSecurityAssertion instanceof RelToken) {
             assertableList.add(new RelTokenAssertionState(abstractSecurityAssertion, !tokenRequired,
policyAsserter, initiator));
-        } else if (abstractSecurityAssertion instanceof HttpsToken && !initiator)
{
+        } else if (abstractSecurityAssertion instanceof HttpsToken) {
             assertableList.add(new HttpsTokenAssertionState(abstractSecurityAssertion, !tokenRequired,
policyAsserter, initiator));
         } else if (abstractSecurityAssertion instanceof KeyValueToken) {
             assertableList.add(new KeyValueTokenAssertionState(abstractSecurityAssertion,
!tokenRequired, policyAsserter, initiator));
@@ -419,6 +421,41 @@ public class PolicyEnforcer implements S
                     }
                 }
             }
+        } else if (abstractSecurityAssertion instanceof Trust10) {
+            Trust10 trust10 = (Trust10)abstractSecurityAssertion;
+            String namespace = trust10.getName().getNamespaceURI();
+            policyAsserter.assertPolicy(abstractSecurityAssertion);
+            
+            if (trust10.isMustSupportClientChallenge()) {
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE));
+            }
+            if (trust10.isMustSupportIssuedTokens()) {
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_ISSUED_TOKENS));
+            }
+            if (trust10.isMustSupportServerChallenge()) {
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE));
+            }
+            if (trust10.isRequireClientEntropy()) {
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_CLIENT_ENTROPY));
+            }
+            if (trust10.isRequireServerEntropy()) {
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_SERVER_ENTROPY));
+            }
+            if (trust10 instanceof Trust13) {
+                Trust13 trust13 = (Trust13)trust10;
+                if (trust13.isMustSupportInteractiveChallenge()) {
+                    policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_INTERACTIVE_CHALLENGE));
+                }
+                if (trust13.isRequireAppliesTo()) {
+                    policyAsserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_APPLIES_TO));
+                }
+                if (trust13.isRequireRequestSecurityTokenCollection()) {
+                    policyAsserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION));
+                }
+                if (trust13.isScopePolicy15()) {
+                    policyAsserter.assertPolicy(new QName(namespace, SPConstants.SCOPE_POLICY_15));
+                }
+            }
         } else {
             policyAsserter.assertPolicy(abstractSecurityAssertion);
         }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
Fri Jul  4 15:44:00 2014
@@ -73,7 +73,7 @@ public class HttpsTokenAssertionState ex
             getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
             return false;
         }
-        if (httpsToken.getAuthenticationType() != null) {
+        if (!isInitiator() && httpsToken.getAuthenticationType() != null) {
             String namespace = getAssertion().getName().getNamespaceURI();
             
             switch (httpsToken.getAuthenticationType()) {

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
Fri Jul  4 15:44:00 2014
@@ -84,6 +84,7 @@ public class IssuedTokenAssertionState e
                     !issuedToken.getIssuerName().equals(issuedTokenSecurityEvent.getIssuerName()))
{
                 setErrorMessage("IssuerName in Policy (" + issuedToken.getIssuerName() +
                         ") didn't match with the one in the IssuedToken (" + issuedTokenSecurityEvent.getIssuerName()
+ ")");
+                getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
                 return false;
             }
             if (issuedToken.getRequestSecurityTokenTemplate() != null) {
@@ -92,6 +93,7 @@ public class IssuedTokenAssertionState e
                     String errorMsg = checkIssuedTokenTemplate(issuedToken.getRequestSecurityTokenTemplate(),
samlTokenSecurityEvent);
                     if (errorMsg != null) {
                         setErrorMessage(errorMsg);
+                        getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
                         return false;
                     }
                 } else if (issuedTokenSecurityEvent instanceof KerberosTokenSecurityEvent)
{
@@ -99,6 +101,7 @@ public class IssuedTokenAssertionState e
                     String errorMsg = checkIssuedTokenTemplate(issuedToken.getRequestSecurityTokenTemplate(),
kerberosTokenSecurityEvent);
                     if (errorMsg != null) {
                         setErrorMessage(errorMsg);
+                        getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
                         return false;
                     }
                 }
@@ -110,15 +113,18 @@ public class IssuedTokenAssertionState e
                     validateClaims((Element) claims, (SamlTokenSecurityEvent)issuedTokenSecurityEvent);
                 if (errorMsg != null) {
                     setErrorMessage(errorMsg);
+                    getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
                     return false;
                 }
             }
         } catch (XMLSecurityException e) {
+            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
             throw new WSSPolicyException(e.getMessage(), e);
         }
 
         //always return true to prevent false alarm in case additional tokens with the same
usage
         //appears in the message but do not fulfill the policy and are also not needed to
fulfil the policy.
+        getPolicyAsserter().assertPolicy(getAssertion());
         return true;
     }
 

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
Fri Jul  4 15:44:00 2014
@@ -38,6 +38,10 @@ public class SpnegoContextTokenAssertion
     public SpnegoContextTokenAssertionState(AbstractSecurityAssertion assertion, boolean
asserted, 
                                             PolicyAsserter policyAsserter, boolean initiator)
{
         super(assertion, asserted, policyAsserter, initiator);
+        
+        if (asserted) {
+            getPolicyAsserter().assertPolicy(getAssertion());
+        }
     }
 
     @Override

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
Fri Jul  4 15:44:00 2014
@@ -285,4 +285,8 @@ public abstract class TokenAssertionStat
     protected PolicyAsserter getPolicyAsserter() {
         return policyAsserter;
     }
+    
+    protected boolean isInitiator() {
+        return initiator;
+    }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java?rev=1607879&r1=1607878&r2=1607879&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
Fri Jul  4 15:44:00 2014
@@ -93,9 +93,6 @@ public class TokenProtectionAssertionSta
         AbstractSymmetricAsymmetricBinding abstractSymmetricAsymmetricBinding = (AbstractSymmetricAsymmetricBinding)
getAssertion();
         boolean protectTokens = abstractSymmetricAsymmetricBinding.isProtectTokens();
         String namespace = getAssertion().getName().getNamespaceURI();
-        if (protectTokens) {
-            policyAsserter.assertPolicy(new QName(namespace, SPConstants.PROTECT_TOKENS));
-        }
 
         if (securityEvent instanceof SignedElementSecurityEvent) {
             SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent)
securityEvent;
@@ -151,6 +148,8 @@ public class TokenProtectionAssertionSta
                 }
             }
         }
+        
+        policyAsserter.assertPolicy(new QName(namespace, SPConstants.PROTECT_TOKENS));
         return true;
     }
 



Mime
View raw message