Author: amilaj Date: Sun Jan 8 15:34:56 2012 New Revision: 1228870 URL: http://svn.apache.org/viewvc?rev=1228870&view=rev Log: Fixing issue RAMPART-269. Also added an integration test case
Added: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/34.xml axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-34.xml Modified: axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java Modified: axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java?rev=1228870&r1=1228869&r2=1228870&view=diff ============================================================================== --- axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java (original) +++ axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java Sun Jan 8 15:34:56 2012 
@@ -311,6 +311,16 @@ public class RampartEngine { } } else if (WSConstants.SIGN == actInt.intValue()) { X509Certificate cert = (X509Certificate) wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE); + + if (rpd.isAsymmetricBinding() && cert == null && rpd.getInitiatorToken() != null + && !rpd.getInitiatorToken().isDerivedKeys()) { + + // If symmetric binding is used, the certificate should be null. + // If certificate is not null then probably initiator and + // recipient are using 2 different bindings. + throw new RampartException("invalidSignatureAlgo"); + } + msgCtx.setProperty(RampartMessageData.X509_CERT, cert); } Modified: axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties?rev=1228870&r1=1228869&r2=1228870&view=diff ============================================================================== --- axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties (original) +++ axis/axis2/java/rampart/trunk/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties Sun Jan 8 15:34:56 2012 
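Review bot: The comment above the new guard describes the inverse of the condition it documents: the code throws when `cert == null` under an asymmetric binding, while the comment talks about a non-null certificate under a symmetric binding, and the message key `invalidSignatureAlgo` (errors.properties hunk, "Invalid signature algorithm for Asymmetric binding") likewise names an algorithm problem rather than a binding mismatch. I would replace the three comment lines with `// Asymmetric binding: the signature must carry the initiator's X.509 certificate;` / `// a missing certificate means the sender most likely signed under a symmetric binding` / `// (binding mismatch), so reject before a null certificate is stored on the context.` The `!isDerivedKeys()` exclusion is not explained; presumably derived-key signatures legitimately carry no certificate, which deserves a half-line comment. If the key is renamed to something like `bindingMismatch`, the RampartTest assertion on `resources.getString("invalidSignatureAlgo")` must change with it; the enclosing method continues outside the hunk.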
@@ -99,4 +99,5 @@ invalidTransport = Expected transport is requiredElementsMissing = Required Elements not found in the incoming message : {0} repeatingNonceValue = Nonce value : {0}, already seen before for user name : {1}. Possibly this could be a replay attack. invalidNonceLifeTime = Invalid value for nonceLifeTime in rampart configuration file. -invalidIssuerAddress = Invalid value for Issuer \ No newline at end of file +invalidIssuerAddress = Invalid value for Issuer +invalidSignatureAlgo=Invalid signature algorithm for Asymmetric binding \ No newline at end of file Modified: axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml?rev=1228870&r1=1228869&r2=1228870&view=diff ============================================================================== --- axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml (original) +++ axis/axis2/java/rampart/trunk/modules/rampart-integration/pom.xml Sun Jan 8 15:34:56 2012 
@@ -273,6 +273,11 @@ <copy overwrite="yes" file="src/test/resources/rampart/services-33.xml" tofile="target/temp-ramp/META-INF/services.xml" /> <jar jarfile="target/test-resources/rampart_service_repo/services/SecureService33.aar" basedir="target/temp-ramp" /> + <!-- Service 34 --> + <copy overwrite="yes" file="src/test/resources/rampart/services-34.xml" tofile="target/temp-ramp/META-INF/services.xml" /> + <jar jarfile="target/test-resources/rampart_service_repo/services/SecureService34.aar" basedir="target/temp-ramp" /> + + <!-- Service SC-1 --> <copy overwrite="yes" file="src/test/resources/rampart/issuer.properties" tofile="target/temp-ramp/issuer.properties" /> <copy overwrite="yes" file="src/test/resources/rampart/services-sc-1.xml" tofile="target/temp-ramp/META-INF/services.xml" /> Modified: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java?rev=1228870&r1=1228869&r2=1228870&view=diff ============================================================================== --- axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java (original) +++ axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/java/org/apache/rampart/RampartTest.java Sun Jan 8 15:34:56 2012 
@@ -36,11 +36,24 @@ import org.apache.axis2.integration.Util import org.apache.neethi.Policy; import org.apache.neethi.PolicyEngine; +import java.util.MissingResourceException; +import java.util.ResourceBundle; + public class RampartTest extends TestCase { public final static int PORT = UtilServer.TESTING_PORT; + private static ResourceBundle resources; + + static { + try { + resources = ResourceBundle.getBundle("org.apache.rampart.errors"); + } catch (MissingResourceException e) { + throw new RuntimeException(e.getMessage()); + } + } + public RampartTest(String name) { super(name); } @@ -83,7 +96,7 @@ public class RampartTest extends TestCas "Unlimited Strength Jurisdiction Policy !!!"); } - for (int i = 1; i <= 33; i++) { //<-The number of tests we have + for (int i = 1; i <= 34; i++) { //<-The number of tests we have if(!basic256Supported && (i == 3 || i == 4 || i == 5)) { //Skip the Basic256 tests continue; 
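Review bot: The static initializer catches `MissingResourceException` only to rethrow `new RuntimeException(e.getMessage())`, which discards the cause and its stack trace; `MissingResourceException` is already unchecked, so the try/catch can simply be dropped, or if a wrapper is wanted it should keep the cause: `throw new RuntimeException("errors bundle not found", e);`. Either way the failure surfaces as an `ExceptionInInitializerError` when the test class loads, so the original exception is the only useful diagnostic. In the second hunk the loop bound `34` repeats knowledge that lives in the pom and the services files; a named constant next to `PORT` (e.g. `private static final int TEST_CASE_COUNT = 34;`) would stop the bound and the trailing `//<-The number of tests we have` comment from drifting apart. The method containing that loop starts and ends outside the hunk.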
@@ -122,18 +135,32 @@ public class RampartTest extends TestCas serviceClient.addHeader(header); } - // Invoking the serive in the TestCase-28 should fail. So handling it differently.. - if (i == 28) { + // Invoking the service in the TestCase-28 should fail. So handling it differently.. + if (i == 28 || i == 34) { try { + //Blocking invocation serviceClient.sendReceive(getOMElement()); - fail("Service Should throw an error.."); + + String message = ""; + + if (i == 34) { + message = "Test case 34 should fail. We are running the service in symmetric binding mode " + + "and client in asymmetric binding mode. Therefore test case 34 should fail."; + } + + fail("Service Should throw an error - " + message); } catch (AxisFault axisFault) { - assertEquals("Expected encrypted part missing", axisFault.getMessage()); + + if (i == 28) { + assertEquals(resources.getString("encryptionMissing"), axisFault.getMessage()); + } else if (i == 34) { + assertEquals(resources.getString("invalidSignatureAlgo"), axisFault.getMessage()); + } + } } - else{ //Blocking invocation serviceClient.sendReceive(getEchoElement()); Added: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/34.xml URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/34.xml?rev=1228870&view=auto ============================================================================== --- axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/34.xml (added) +++ axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/34.xml Sun Jan 8 15:34:56 2012 
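Review bot: Removing `else{` means the echo invocation `serviceClient.sendReceive(getEchoElement())` at the end of the hunk now also runs for i == 28 and i == 34, directly after their expected failure, so a second AxisFault would escape the loop unless the brace structure below the hunk differs from what is visible (the enclosing method continues outside it). If the intent is to skip the echo for the expected-failure cases, add `continue;` after the catch block inside the `if (i == 28 || i == 34)` branch. For i == 28 `message` stays empty, so that failure reads `Service Should throw an error - `; give 28 its own text so each expected-failure case states why it must fail. Asserting the bundle text via `resources.getString(...)` is better than the old hard-coded literal, but it ties the test to the exact wording in errors.properties, which is worth a one-line comment.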
@@ -0,0 +1,102 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ! + ! Copyright 2006 The Apache Software Foundation. + ! + ! Licensed under the Apache License, Version 2.0 (the "License"); + ! you may not use this file except in compliance with the License. + ! You may obtain a copy of the License at + ! + ! http://www.apache.org/licenses/LICENSE-2.0 + ! + ! Unless required by applicable law or agreed to in writing, software + ! distributed under the License is distributed on an "AS IS" BASIS, + ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ! See the License for the specific language governing permissions and + ! limitations under the License. + !--> + +<wsp:Policy wsu:Id="SigEncr" + xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" + xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SymmetricBinding> + <wsp:Policy> + <sp:ProtectionToken> + <wsp:Policy> + <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never"> + <wsp:Policy> + <sp:RequireThumbprintReference/> + <sp:WssX509V3Token10/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:ProtectionToken> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic256/> + </wsp:Policy> + </sp:AlgorithmSuite> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:OnlySignEntireHeadersAndBody/> + </wsp:Policy> + </sp:SymmetricBinding> + <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> + <wsp:Policy> + <sp:MustSupportRefKeyIdentifier/> + <sp:MustSupportRefIssuerSerial/> + </wsp:Policy> + </sp:Wss10> + <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> + <sp:Body/> + </sp:SignedParts> + <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> + <sp:Body/> + 
</sp:EncryptedParts> + + <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy"> + <ramp:user>alice</ramp:user> + <ramp:encryptionUser>bob</ramp:encryptionUser> + <ramp:passwordCallbackClass>org.apache.rampart.PWCallback + </ramp:passwordCallbackClass> + + <ramp:signatureCrypto> + <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> + <ramp:property + name="org.apache.ws.security.crypto.merlin.keystore.type">JKS + </ramp:property> + <ramp:property name="org.apache.ws.security.crypto.merlin.file"> + rampart/store.jks + </ramp:property> + <ramp:property + name="org.apache.ws.security.crypto.merlin.keystore.password"> + password + </ramp:property> + </ramp:crypto> + </ramp:signatureCrypto> + <ramp:encryptionCypto> + <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> + <ramp:property + name="org.apache.ws.security.crypto.merlin.keystore.type">JKS + </ramp:property> + <ramp:property name="org.apache.ws.security.crypto.merlin.file"> + rampart/store.jks + </ramp:property> + <ramp:property + name="org.apache.ws.security.crypto.merlin.keystore.password"> + password + </ramp:property> + </ramp:crypto> + </ramp:encryptionCypto> + </ramp:RampartConfig> + + </wsp:All> + </wsp:ExactlyOne> +</wsp:Policy> \ No newline at end of file Added: axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-34.xml URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-34.xml?rev=1228870&view=auto ============================================================================== --- axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-34.xml (added) +++ axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/services-34.xml Sun Jan 8 15:34:56 2012 
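Review bot: The new client policy does not say what makes test 34 different from the other 33, and a reader has to diff it against services-34.xml to discover that the client side uses `sp:SymmetricBinding` while the service side uses `sp:AsymmetricBinding`. I would add an XML comment after the licence header along the lines of `<!-- Test 34: client policy uses SymmetricBinding while SecureService34 (services-34.xml) is configured with AsymmetricBinding; the request is expected to be rejected with the invalidSignatureAlgo fault. -->`, with a matching one-line comment at the top of services-34.xml. The keystore settings and the `rampart/store.jks` path follow the existing fixtures, so nothing new is introduced there.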
@@ -0,0 +1,113 @@ +<service name="SecureService34"> + + <module ref="addressing"/> + <module ref="rampart"/> + + <parameter locked="false" name="ServiceClass">org.apache.rampart.Service</parameter> + + <operation name="echo"> + <messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/> + <actionMapping>urn:echo</actionMapping> + </operation> + + <operation name="returnError"> + <messageReceiver class="org.apache.axis2.receivers.RawXMLINOutMessageReceiver"/> + <actionMapping>urn:returnError</actionMapping> + </operation> + + <wsp:Policy wsu:Id="SigEncr" + xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> + <wsp:Policy> + <sp:InitiatorToken> + <wsp:Policy> + <sp:X509Token + sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"> + <wsp:Policy> + <sp:RequireThumbprintReference/> + <sp:WssX509V3Token10/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:InitiatorToken> + <sp:RecipientToken> + <wsp:Policy> + <sp:X509Token + sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never"> + <wsp:Policy> + <sp:RequireThumbprintReference/> + <sp:WssX509V3Token10/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:RecipientToken> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:TripleDesRsa15/> + </wsp:Policy> + </sp:AlgorithmSuite> + <sp:Layout> + <wsp:Policy> + <sp:Strict/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:OnlySignEntireHeadersAndBody/> + </wsp:Policy> + </sp:AsymmetricBinding> + <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> + <wsp:Policy> + <sp:MustSupportRefKeyIdentifier/> + <sp:MustSupportRefIssuerSerial/> + </wsp:Policy> + </sp:Wss10> + <sp:SignedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> + <sp:Body/> + </sp:SignedParts> + <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> + <sp:Body/> + </sp:EncryptedParts> + + <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy"> + <ramp:user>alice</ramp:user> + <ramp:encryptionUser>bob</ramp:encryptionUser> + <ramp:passwordCallbackClass>org.apache.rampart.PWCallback + </ramp:passwordCallbackClass> + + <ramp:signatureCrypto> + <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> + <ramp:property + name="org.apache.ws.security.crypto.merlin.keystore.type">JKS + </ramp:property> + <ramp:property name="org.apache.ws.security.crypto.merlin.file"> + rampart/store.jks + </ramp:property> + <ramp:property + name="org.apache.ws.security.crypto.merlin.keystore.password"> + password + </ramp:property> + </ramp:crypto> + </ramp:signatureCrypto> + <ramp:encryptionCypto> + <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin"> + <ramp:property + name="org.apache.ws.security.crypto.merlin.keystore.type">JKS + </ramp:property> + <ramp:property name="org.apache.ws.security.crypto.merlin.file"> + rampart/store.jks + </ramp:property> + <ramp:property + name="org.apache.ws.security.crypto.merlin.keystore.password"> + password + </ramp:property> + </ramp:crypto> + </ramp:encryptionCypto> + </ramp:RampartConfig> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + +</service>