This is an automated email from the ASF dual-hosted git repository. billblough pushed a commit to branch RAMPART-289 in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
commit f2febb5a5c26cd59cf68df8351b241d89ea1b39a Author: Andreas Veithen <veit...@apache.org> AuthorDate: Sun Jan 29 21:00:00 2017 +0000 RAMPART-289: Apply patch provided by Todd Wolff.
--- .../rampart/PolicyBasedResultsValidator.java | 157 ++++++++++++++++++--- 1 file changed, 139 insertions(+), 18 deletions(-)
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java b/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
index 4d5aa35..a0d24c5 100644
--- a/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
@@ -31,6 +31,7 @@
 import org.apache.ws.security.message.token.Timestamp;
 import org.apache.ws.security.util.WSSecurityUtil;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
 import org.jaxen.XPath;
 import org.jaxen.JaxenException;
@@ -116,7 +117,23 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
 new WSEncryptionPart("SignedEndorsingSupportingTokens"));
 }
 }
-
+ //Add an indicator for Encrypted Supporting Tokens
+ SupportingToken encryptedSupportingToken = rpd.getEncryptedSupportingTokens();
+ if(encryptedSupportingToken != null) {
+ encryptedParts.add(new WSEncryptionPart("EncryptedSupportingToken"));
+ }
+ encryptedSupportingToken = rpd.getSignedEncryptedSupportingTokens();
+ if(encryptedSupportingToken != null) {
+ encryptedParts.add(new WSEncryptionPart("EncryptedSupportingToken"));
+ }
+ encryptedSupportingToken = rpd.getSignedEndorsingEncryptedSupportingTokens();
+ if(encryptedSupportingToken != null) {
+ encryptedParts.add(new WSEncryptionPart("EncryptedSupportingToken"));
+ }
+ encryptedSupportingToken = rpd.getEndorsingEncryptedSupportingTokens();
+ if(encryptedSupportingToken != null) {
+ encryptedParts.add(new WSEncryptionPart("EncryptedSupportingToken"));
+ }
 Vector supportingToks = rpd.getSupportingTokensList();
 for (int i = 0; i < supportingToks.size(); i++) {
 SupportingToken supportingToken = (SupportingToken) supportingToks.get(i);
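Review bot: The placeholder id `"EncryptedSupportingToken"` is spelled out four times here and is matched again by string in the later validateProtectionOrder and encrypted-parts hunks, so a typo in any one copy would silently change which checks are skipped; hoist it into one class constant, e.g. `private static final String ENCRYPTED_SUPPORTING_TOKEN_ID = "EncryptedSupportingToken";`, and use it in every `add` and every comparison. The placeholder is also appended once per non-null getter, so `encryptedParts` can carry up to four identical marker entries where one behind a combined null check would do. A comment such as `// Marker only: tells the protection-order and encrypted-parts checks that the policy encrypts a supporting token; it names no message part` would make the convention explicit for the next reader. The enclosing method starts before this hunk.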
@@ -127,12 +144,61 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
 signatureParts.addAll(RampartUtil.getSupportingSignedParts(rmd, policyData));
 }
 }
+ SupportingToken supportingToken = rpd.getEncryptedSupportingTokens();
+ if (supportingToken != null) {
+ SupportingPolicyData policyData = new SupportingPolicyData();
+ policyData.build(supportingToken);
+ encryptedParts.addAll(RampartUtil.getSupportingEncryptedParts(rmd, policyData));
+ signatureParts.addAll(RampartUtil.getSupportingSignedParts(rmd, policyData));
+ }
+ supportingToken = rpd.getSignedSupportingTokens();
+ if (supportingToken != null) {
+ SupportingPolicyData policyData = new SupportingPolicyData();
+ policyData.build(supportingToken);
+ encryptedParts.addAll(RampartUtil.getSupportingEncryptedParts(rmd, policyData));
+ signatureParts.addAll(RampartUtil.getSupportingSignedParts(rmd, policyData));
+ }
+ supportingToken = rpd.getSignedEndorsingSupportingTokens();
+ if (supportingToken != null) {
+ SupportingPolicyData policyData = new SupportingPolicyData();
+ policyData.build(supportingToken);
+ encryptedParts.addAll(RampartUtil.getSupportingEncryptedParts(rmd, policyData));
+ signatureParts.addAll(RampartUtil.getSupportingSignedParts(rmd, policyData));
+ }
+ supportingToken = rpd.getSignedEncryptedSupportingTokens();
+ if (supportingToken != null) {
+ SupportingPolicyData policyData = new SupportingPolicyData();
+ policyData.build(supportingToken);
+ encryptedParts.addAll(RampartUtil.getSupportingEncryptedParts(rmd, policyData));
+ signatureParts.addAll(RampartUtil.getSupportingSignedParts(rmd, policyData));
+ }
+ supportingToken = rpd.getSignedEndorsingEncryptedSupportingTokens();
+ if (supportingToken != null) {
+ SupportingPolicyData policyData = new SupportingPolicyData();
+ policyData.build(supportingToken);
+ encryptedParts.addAll(RampartUtil.getSupportingEncryptedParts(rmd, policyData));
+ signatureParts.addAll(RampartUtil.getSupportingSignedParts(rmd, policyData));
+ }
+ supportingToken = rpd.getEndorsingEncryptedSupportingTokens();
+ if (supportingToken != null) {
+ SupportingPolicyData policyData = new SupportingPolicyData();
+ policyData.build(supportingToken);
+ encryptedParts.addAll(RampartUtil.getSupportingEncryptedParts(rmd, policyData));
+ signatureParts.addAll(RampartUtil.getSupportingSignedParts(rmd, policyData));
+ }
+ supportingToken = rpd.getEndorsingSupportingTokens();
+ if (supportingToken != null) {
+ SupportingPolicyData policyData = new SupportingPolicyData();
+ policyData.build(supportingToken);
+ encryptedParts.addAll(RampartUtil.getSupportingEncryptedParts(rmd, policyData));
+ signatureParts.addAll(RampartUtil.getSupportingSignedParts(rmd, policyData));
+ }
 }
 validateEncrSig(data,encryptedParts, signatureParts, results);
 if(!rpd.isTransportBinding()) {
- validateProtectionOrder(data, results);
+ validateProtectionOrder(data, results, encryptedParts);
 }
 validateEncryptedParts(data, encryptedParts, results);
@@ -217,10 +283,14 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
 SupportingToken sgndSupTokens = rpd.getSignedSupportingTokens();
 SupportingToken sgndEndorSupTokens = rpd.getSignedEndorsingSupportingTokens();
+ SupportingToken sgndEncryptedSupTokens = rpd.getSignedEncryptedSupportingTokens();
+ SupportingToken sgndEndorsingEncryptedSupTokens = rpd.getSignedEndorsingEncryptedSupportingTokens();
 if(sig && signatureParts.size() == 0
 && (sgndSupTokens == null || sgndSupTokens.getTokens().size() == 0)
- && (sgndEndorSupTokens == null || sgndEndorSupTokens.getTokens().size() == 0)) {
+ && (sgndEndorSupTokens == null || sgndEndorSupTokens.getTokens().size() == 0)
+ && (sgndEncryptedSupTokens == null || sgndEncryptedSupTokens.getTokens().size() == 0)
+ && (sgndEndorsingEncryptedSupTokens == null || sgndEndorsingEncryptedSupTokens.getTokens().size() == 0)) {
 //Unexpected signature
 throw new RampartException("unexprectedSignature");
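Review bot: The seven added blocks after the supporting-token loop are the same five statements repeated with a different getter, which is hard to audit for coverage and easy to let drift; a private helper taking the token and the two part vectors gives the null case one home and makes the list of covered assertions readable at a glance. Whether `rpd.getSupportingTokensList()` (iterated just above) already contains any of these tokens is not visible here — if it does, their parts are now appended a second time, which is worth confirming against RampartPolicyData. `rmd` is presumably a RampartMessageData; adjust the helper's parameter type if it is not. The enclosing method starts before this hunk, and the helper would go after it.
```java
        // … unchanged: loop over rpd.getSupportingTokensList() …
        addSupportingTokenParts(rpd.getEncryptedSupportingTokens(), rmd, encryptedParts, signatureParts);
        addSupportingTokenParts(rpd.getSignedSupportingTokens(), rmd, encryptedParts, signatureParts);
        addSupportingTokenParts(rpd.getSignedEndorsingSupportingTokens(), rmd, encryptedParts, signatureParts);
        addSupportingTokenParts(rpd.getSignedEncryptedSupportingTokens(), rmd, encryptedParts, signatureParts);
        addSupportingTokenParts(rpd.getSignedEndorsingEncryptedSupportingTokens(), rmd, encryptedParts, signatureParts);
        addSupportingTokenParts(rpd.getEndorsingEncryptedSupportingTokens(), rmd, encryptedParts, signatureParts);
        addSupportingTokenParts(rpd.getEndorsingSupportingTokens(), rmd, encryptedParts, signatureParts);
        // … unchanged: validateEncrSig / validateProtectionOrder / validateEncryptedParts calls …

    /**
     * Adds the encrypted and signed parts that one supporting-token assertion contributes
     * to the expected-parts vectors. A null token (assertion absent from the policy) adds nothing.
     */
    private void addSupportingTokenParts(SupportingToken token, RampartMessageData rmd,
                                         Vector encryptedParts, Vector signatureParts) {
        if (token == null) {
            return;
        }
        SupportingPolicyData policyData = new SupportingPolicyData();
        policyData.build(token);
        encryptedParts.addAll(RampartUtil.getSupportingEncryptedParts(rmd, policyData));
        signatureParts.addAll(RampartUtil.getSupportingSignedParts(rmd, policyData));
    }
```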
@@ -321,7 +391,7 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
 * @param data
 * @param results
 */
- protected void validateProtectionOrder(ValidatorData data, Vector results)
+ protected void validateProtectionOrder(ValidatorData data, Vector results, Vector encryptedParts)
 throws RampartException {
 String protectionOrder = data.getRampartMessageData().getPolicyData().getProtectionOrder();
@@ -374,8 +444,34 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
 for (Iterator iter = sigEncrActions.iterator(); iter.hasNext();) {
 Integer act = (Integer) iter.next();
 if(act.intValue() == WSConstants.SIGN && ! encrFound ) {
- // We found SIGN and ENCR has not been found - break and fail
- break;
+ boolean messageEncryptionsFound = false;
+ boolean encryptedSupportingTokensFound = false;
+ Iterator iter2 = encryptedParts.iterator();
+ while (iter2.hasNext()) {
+ WSEncryptionPart wp = (WSEncryptionPart)iter2.next();
+ String id = wp.getId();
+ if (id != null && id.equals("EncryptedSupportingToken")) {
+ encryptedSupportingTokensFound = true;
+ } else if (id != null && id.equals("EndorsingSupportingTokens")){
+ continue;
+ } else if (id != null && id.equals("SignedEndorsingSupportingTokens")){
+ continue;
+ } else {
+ messageEncryptionsFound = true;
+ }
+ }
+ if (!messageEncryptionsFound && encryptedSupportingTokensFound) {
+ // no message parts encrypted. the encryption action
+ // was related to a supporting token
+ done=true;
+ } else if (!messageEncryptionsFound && data.getRampartMessageData().getPolicyData().isSignatureProtection()) {
+ // no message parts encrypted. the encryption action
+ // was related to encrypting the message signature
+ done=true;
+ } else {
+ // We found SIGN and ENCR has not been found - break and fail
+ break;
+ }
 }
 if(act.intValue() == WSConstants.ENCR) {
 encrFound = true;
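Review bot: The Javadoc directly above the changed signature still documents only `@param data` and `@param results`; add `@param encryptedParts the policy-derived encrypted parts, consulted when a SIGN action is seen before any ENCR action` (wording to match the use further down the method). Because the method is `protected`, adding a parameter also changes the override contract for any subclass of PolicyBasedResultsValidator that overrides the two-argument form — keeping that overload and delegating to the new one avoids a silent behaviour change for such subclasses. The method body continues outside the hunk.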
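Review bot: Both new accept branches set `done=true` from policy facts alone and never check that an ENCR action actually follows the SIGN, so under EncryptBeforeSigning a message whose signature (or encrypted supporting token) was simply never encrypted passes this ordering check; what `done` means after the loop is outside the hunk, so if a later check already insists on the ENCR result a comment saying so is enough, otherwise the acceptance should be recorded here and confirmed only once `encrFound` becomes true. The scan over `encryptedParts` is loop-invariant yet runs on every SIGN action, the two `continue` branches do nothing the `else` would not already skip, and the three id literals are duplicated from the earlier hunks; hoisting the scan above the `for` and folding the conditions, as below, makes the accept rule a single readable predicate. The enclosing method continues outside the hunk.
```java
            // Policy-level facts are loop-invariant: compute them once, not once per SIGN action.
            boolean messageEncryptionsFound = false;
            boolean encryptedSupportingTokensFound = false;
            for (Iterator iter2 = encryptedParts.iterator(); iter2.hasNext();) {
                String id = ((WSEncryptionPart) iter2.next()).getId();
                if ("EncryptedSupportingToken".equals(id)) {
                    encryptedSupportingTokensFound = true;
                } else if (!"EndorsingSupportingTokens".equals(id)
                        && !"SignedEndorsingSupportingTokens".equals(id)) {
                    messageEncryptionsFound = true;
                }
            }
            boolean signatureProtection =
                    data.getRampartMessageData().getPolicyData().isSignatureProtection();
            for (Iterator iter = sigEncrActions.iterator(); iter.hasNext();) {
                Integer act = (Integer) iter.next();
                if(act.intValue() == WSConstants.SIGN && ! encrFound ) {
                    if (messageEncryptionsFound
                            || !(encryptedSupportingTokensFound || signatureProtection)) {
                        // A message part had to be encrypted before this signature - fail
                        break;
                    }
                    // No message part is encrypted: the ENCR action belongs to a supporting
                    // token or to signature protection, both of which follow the signature.
                    done=true;
                }
                // … unchanged: ENCR handling …
```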
@@ -467,6 +563,12 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
 WSEncryptionPart encPart = (WSEncryptionPart)encryptedParts.get(i);
+ // ignore place holders for encrypted supporting
+ // tokens
+ if (encPart.getId() != null && encPart.getId().equals("EncryptedSupportingToken")) {
+ continue;
+ }
+
 //This is the encrypted Body and we already checked encrypted body
 if (encPart.getType() == WSConstants.PART_TYPE_BODY) {
 continue;
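Review bot: Skipping the placeholder here means nothing in this loop confirms that the supporting token the policy marks as encrypted was in fact encrypted on the wire; if that is enforced by the supporting-token validation elsewhere, the comment should say so — e.g. `// Placeholder for an encrypted supporting token: it names no message part, so the supporting-token validation, not this loop, checks it` — otherwise this hunk quietly turns the requirement into a no-op for this check. The literal `"EncryptedSupportingToken"` is now compared against `getId()` in two methods and added in a third; `if (ENCRYPTED_SUPPORTING_TOKEN_ID.equals(encPart.getId())) { continue; }` against one class constant drops the repeated null guard and the drift risk. The enclosing loop and method start before this hunk.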
@@ -555,16 +657,34 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
 Vector actuallySigned = new Vector();
 if (actionResults != null) {
 for (int j = 0; j < actionResults.length; j++) {
+
 WSSecurityEngineResult actionResult = actionResults[j];
- Set signedIDs = (Set) actionResult
- .get(WSSecurityEngineResult.TAG_SIGNED_ELEMENT_IDS);
- for (Iterator i = signedIDs.iterator(); i.hasNext();) {
- String e = (String) i.next();
-
- Element element = WSSecurityUtil.findElementById(envelope, e,
- WSConstants.WSU_NS);
- actuallySigned.add(element);
+ List wsDataRefs = (List)actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
+
+ // if header was encrypted before it was signed, protected
+ // element is 'EncryptedHeader.' the actual element is
+ // first child element
+
+ for (Iterator k = wsDataRefs.iterator(); k.hasNext();) {
+ WSDataRef wsDataRef = (WSDataRef)k.next();
+ Element protectedElement = wsDataRef.getProtectedElement();
+ if (protectedElement.getLocalName().equals("EncryptedHeader")) {
+ NodeList nodeList = protectedElement.getChildNodes();
+ for (int x = 0; x < nodeList.getLength(); x++) {
+ if (nodeList.item(x).getNodeType() == Node.ELEMENT_NODE) {
+ String ns = ((Element)nodeList.item(x)).getNamespaceURI();
+ String ln = ((Element)nodeList.item(x)).getLocalName();
+ actuallySigned.add(new QName(ns,ln));
+ break;
+ }
+ }
+ } else {
+ String ns = protectedElement.getNamespaceURI();
+ String ln = protectedElement.getLocalName();
+ actuallySigned.add(new QName(ns,ln));
+ }
+ }
+ }
 }
 }
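Review bot: `protectedElement.getLocalName().equals("EncryptedHeader")` matches on local name alone, so a signed element called EncryptedHeader in any namespace is unwrapped and its first element child's QName is recorded as signed; the condition should also compare `protectedElement.getNamespaceURI()` with the WS-Security 1.1 secext namespace (WSConstants carries it as WSSE11_NS in the WSS4J versions I know — verify for the one Rampart builds against). `wsDataRefs` and `protectedElement` are dereferenced without a null check; if a signature result can be stored without TAG_DATA_REF_URIS, or a reference's element could not be resolved, validation would die with a NullPointerException rather than a RampartException, so `if (wsDataRefs == null) { continue; }` and `if (protectedElement == null) { continue; }` keep the failure mode explicit and fail closed (an unrecorded reference simply does not count as signed). The comment above the loop should also say why the wrapper's first element child stands in for the header, since that is the assumption the whole branch rests on. The enclosing method starts before this hunk.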
@@ -573,12 +693,12 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
 if (wsep.getType() == WSConstants.PART_TYPE_BODY) {
- Element body;
+ QName body;
 if (WSConstants.URI_SOAP11_ENV.equals(envelope.getNamespaceURI())) {
- body = WSSecurityUtil.findBodyElement(rmd.getDocument(), new SOAP11Constants());
+ body = new SOAP11Constants().getBodyQName();
 } else {
- body = WSSecurityUtil.findBodyElement(rmd.getDocument(), new SOAP12Constants());
+ body = new SOAP12Constants().getBodyQName();
 }
 if (!actuallySigned.contains(body) && !rmd.getPolicyData().isSignBodyOptional()) {
@@ -591,6 +711,7 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
 Element element = (Element) WSSecurityUtil.findElement( envelope, wsep.getName(), wsep.getNamespace() );
+
 if( element == null ) {
 // The signedpart header or element we are checking is not present in
 // soap envelope - this is allowed
@@ -598,7 +719,7 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl
 }
 // header or the element present in soap envelope - verify that it is part of signature
- if( actuallySigned.contains( element) ) {
+ if( actuallySigned.contains( new QName(element.getNamespaceURI(), element.getLocalName())) ) {
 continue;
 }
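Review bot: Replacing the DOM Element comparison with a QName comparison weakens the Body check: `actuallySigned.contains(body)` now succeeds if any signed element is named soapenv:Body, not necessarily the Body the service will dispatch on, which is exactly the precondition for XML signature wrapping (the signed Body is kept under another parent and an unsigned one put in its place). WSS4J may reject some of these layouts on its own, but this validator should not depend on that: collect the `protectedElement` instances next to the QNames and keep the removed identity check, `actuallySignedElements.contains(WSSecurityUtil.findBodyElement(rmd.getDocument(), new SOAP11Constants()))`, for the Body, falling back to the QName only for the EncryptedHeader case that motivated the change. The per-header check in the last hunk has the same shape, where `findElement` returns the first element with that name while the signed one may be another. The enclosing method starts before this hunk.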