This is an automated email from the ASF dual-hosted git repository.

robertlazarski pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git

commit e9ccb685286663879611feb62daa634ce5fe6267
Author: Robert Lazarski <[email protected]>
AuthorDate: Wed Jun 10 04:50:04 2026 -1000

    RAMPART-411: add regression test for signing the BinarySecurityToken
    
    The original report (Rampart 1.6.2) could not sign the BinarySecurityToken: 
the
    WSS4J 1.x parameter-based "signatureParts" config failed with "Element to
    encrypt/sign not found: ...BinarySecurityToken" (the BST was referenced by 
QName -
    with the wrong namespace - and could not be resolved at signing time).
    
    In 2.0.0 this works through WS-SecurityPolicy: sp:ProtectTokens sets token
    protection and the binding builders add the BinarySecurityToken to the 
signature
    by its wsu:Id (RampartUtil/...getBSTTokenId), so the token is reliably 
signed. No
    code change is required.
    
    Adds an AsymmetricBindingBuilderTest case using a new ProtectTokens policy: 
the
    message builds successfully and the security header contains a signed
    BinarySecurityToken and Signature. Had BST signing been broken, build() 
would throw
    the original "Element to encrypt/sign not found" error. Verified with a 
full clean
    -Papache-release verify across all modules including the nine policy 
samples on
    JDK 25.
    
    Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
---
 .../rampart/AsymmetricBindingBuilderTest.java      | 24 +++++++
 .../policy/rampart-asymm-binding-protecttokens.xml | 77 ++++++++++++++++++++++
 2 files changed, 101 insertions(+)

diff --git 
a/modules/rampart-tests/src/test/java/org/apache/rampart/AsymmetricBindingBuilderTest.java
 
b/modules/rampart-tests/src/test/java/org/apache/rampart/AsymmetricBindingBuilderTest.java
index a99dd2b0..ce3bc080 100644
--- 
a/modules/rampart-tests/src/test/java/org/apache/rampart/AsymmetricBindingBuilderTest.java
+++ 
b/modules/rampart-tests/src/test/java/org/apache/rampart/AsymmetricBindingBuilderTest.java
@@ -47,6 +47,30 @@ public class AsymmetricBindingBuilderTest extends 
MessageBuilderTestBase {
         this.verifySecHeader(list.iterator(), ctx.getEnvelope());
     }
     
+    public void testAsymmBindingProtectTokens() throws Exception {
+        // RAMPART-411: with sp:ProtectTokens the BinarySecurityToken must be 
signed.
+        // The original failure was during signing ("Element to encrypt/sign 
not found:
+        // ...BinarySecurityToken"), so a successful build that produces a BST 
and a
+        // Signature proves the token is now correctly added to the signature 
(by its
+        // wsu:Id) and signed.
+        MessageContext ctx = getMsgCtx();
+
+        String policyXml = 
"test-resources/policy/rampart-asymm-binding-protecttokens.xml";
+        Policy policy = this.loadPolicy(policyXml);
+
+        ctx.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
+
+        MessageBuilder builder = new MessageBuilder();
+        builder.build(ctx);
+
+        ArrayList<QName> list = new ArrayList<QName>();
+        list.add(new QName(WSConstants.WSU_NS, 
WSConstants.TIMESTAMP_TOKEN_LN));
+        list.add(new QName(WSConstants.WSSE_NS, WSConstants.BINARY_TOKEN_LN));
+        list.add(new QName(WSConstants.SIG_NS, WSConstants.SIG_LN));
+
+        this.verifySecHeader(list.iterator(), ctx.getEnvelope());
+    }
+
     public void testAsymmBindingServerSide() throws Exception {
         MessageContext ctx = getMsgCtx();
         
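Review bot: The assertion at the end of the new method, `this.verifySecHeader(list.iterator(), ctx.getEnvelope());`, appears to check only that Timestamp, BinarySecurityToken and Signature elements are present in the security header in that order (verifySecHeader lives in MessageBuilderTestBase, outside this hunk), which does not establish that the Signature actually covers the BST; the leading comment claims a successful build proves the token is signed, but a regression that emitted the BST without adding a ds:Reference to its wsu:Id would still pass. To make the RAMPART-411 check meaningful, additionally walk the ds:SignedInfo of the produced Signature and assert that one ds:Reference URI equals "#" plus the wsu:Id attribute of the BinarySecurityToken, so the test fails on exactly the condition the commit message describes. The comment's wording could then be tightened to say that the test asserts the BST is a signed reference, rather than that a successful build proves it. `ArrayList<QName> list = new ArrayList<QName>();` would normally be `List<QName> list = new ArrayList<>();`, but the sibling test methods in this class use the same form, so staying consistent with them is reasonable. The enclosing class begins before this hunk.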
diff --git 
a/modules/rampart-tests/test-resources/policy/rampart-asymm-binding-protecttokens.xml
 
b/modules/rampart-tests/test-resources/policy/rampart-asymm-binding-protecttokens.xml
new file mode 100644
index 00000000..94fad611
--- /dev/null
+++ 
b/modules/rampart-tests/test-resources/policy/rampart-asymm-binding-protecttokens.xml
@@ -0,0 +1,77 @@
+<wsp:Policy  wsu:Id="protect-tokens" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
+       <wsp:ExactlyOne>
+               <wsp:All>
+                       <sp:AsymmetricBinding 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
+                               <wsp:Policy>
+                                       <sp:InitiatorToken>
+                                               <wsp:Policy>
+                                                       <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";>
+                                                               <wsp:Policy>
+                                                                       
<sp:WssX509V3Token10/>
+                                                               </wsp:Policy>
+                                                       </sp:X509Token>
+                                               </wsp:Policy>
+                                       </sp:InitiatorToken>
+                                       <sp:RecipientToken>
+                                               <wsp:Policy>
+                                                       <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never";>
+                                                               <wsp:Policy>
+                                                                       
<sp:WssX509V3Token10/>
+                                                               </wsp:Policy>
+                                                       </sp:X509Token>
+                                               </wsp:Policy>
+                                       </sp:RecipientToken>
+                                       <sp:AlgorithmSuite>
+                                               <wsp:Policy>
+                                                       <sp:Basic128/>
+                                               </wsp:Policy>
+                                       </sp:AlgorithmSuite>
+                                       <sp:Layout>
+                                               <wsp:Policy>
+                                                       <sp:Lax/>
+                                               </wsp:Policy>
+                                       </sp:Layout>
+                                       <sp:IncludeTimestamp/>
+                                       <!-- RAMPART-411: sign the 
BinarySecurityToken (the X509 token). -->
+                                       <sp:ProtectTokens/>
+                                       <sp:OnlySignEntireHeadersAndBody/>
+                               </wsp:Policy>
+                       </sp:AsymmetricBinding>
+                       <sp:Wss10 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
+                               <wsp:Policy>
+                                       <sp:MustSupportRefKeyIdentifier/>
+                                       <sp:MustSupportRefIssuerSerial/>
+                               </wsp:Policy>
+                       </sp:Wss10>
+                       <sp:Trust10 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
+                               <wsp:Policy>
+                                       <sp:MustSupportIssuedTokens/>
+                                       <sp:RequireClientEntropy/>
+                                       <sp:RequireServerEntropy/>
+                               </wsp:Policy>
+                       </sp:Trust10>
+
+                       <ramp:RampartConfig 
xmlns:ramp="http://ws.apache.org/rampart/policy";>
+                               <ramp:user>alice</ramp:user>
+                               <ramp:encryptionUser>bob</ramp:encryptionUser>
+                               
<ramp:passwordCallbackClass>org.apache.rampart.TestCBHandler</ramp:passwordCallbackClass>
+
+                               <ramp:signatureCrypto>
+                                       <ramp:crypto 
provider="org.apache.ws.security.components.crypto.Merlin">
+                                               <ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
+                                               <ramp:property 
name="org.apache.ws.security.crypto.merlin.file">test-resources/keys/interop2024.pkcs12</ramp:property>
+                                               <ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+                                       </ramp:crypto>
+                               </ramp:signatureCrypto>
+                               <ramp:encryptionCypto>
+                                       <ramp:crypto 
provider="org.apache.ws.security.components.crypto.Merlin">
+                                               <ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.type">pkcs12</ramp:property>
+                                               <ramp:property 
name="org.apache.ws.security.crypto.merlin.file">test-resources/keys/interop2024.pkcs12</ramp:property>
+                                               <ramp:property 
name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
+                                       </ramp:crypto>
+                               </ramp:encryptionCypto>
+                       </ramp:RampartConfig>
+
+               </wsp:All>
+       </wsp:ExactlyOne>
+</wsp:Policy>
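Review bot: The policy declares no sp:SignedParts or sp:EncryptedParts, so as far as this file shows the signature covers only what sp:ProtectTokens and sp:IncludeTimestamp select and the SOAP Body is neither signed nor encrypted (unless a default elsewhere in the binding builder adds it); that is fine for a fixture that exercises BST signing, but the file sits next to other sample policies and reads like a usable asymmetric-binding configuration. A comment near the top making the intent explicit would prevent it being copied as a template, e.g. `<!-- Test fixture for RAMPART-411 only: no sp:SignedParts/sp:EncryptedParts, so the Body is deliberately left unprotected. -->`. The existing RAMPART-411 comment before sp:ProtectTokens could also mention that sp:OnlySignEntireHeadersAndBody does not by itself add the Body to the signature.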
