(axis-axis2-java-rampart) 01/02: RAMPART-234 Allow custom https listeners to populate the client certificate chain in the message context
This is an automated email from the ASF dual-hosted git repository.
robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
commit f8dcc7460487a18382320a0a553781e914fafb31
Author: Robert Lazarski
AuthorDate: Wed Nov 6 10:41:26 2024 -1000
RAMPART-234 Allow custom https listeners to populate the client certificate chain in the message context
---
.../java/org/apache/rampart/RampartConstants.java | 5 +
.../java/org/apache/rampart/util/RampartUtil.java | 114 +
.../resources/org/apache/rampart/errors.properties | 5 +-
3 files changed, 102 insertions(+), 22 deletions(-)
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/RampartConstants.java b/modules/rampart-core/src/main/java/org/apache/rampart/RampartConstants.java
index e280d746..a7741f10 100644
--- a/modules/rampart-core/src/main/java/org/apache/rampart/RampartConstants.java
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/RampartConstants.java
@@ -5,6 +5,11 @@ public class RampartConstants {
 public static final String TIME_LOG = "org.apache.rampart.TIME";
 public static final String MESSAGE_LOG = "org.apache.rampart.MESSAGE";
 public static final String SEC_FAULT = "SECURITY_VALIDATION_FAILURE";
+/**
+ * The key under which the HTTPS client certificate, determened by the https listener, may
+ * be populated as a property of the message context.
+ */
+public static final String HTTPS_CLIENT_CERT_KEY = "https.client.cert.key";
 public static final String MERLIN_CRYPTO_IMPL = "org.apache.ws.security.components.crypto.Merlin";
 public static final String MERLIN_CRYPTO_IMPL_CACHE_KEY = "org.apache.ws.security.crypto.merlin.file";
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java b/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
index 2ed59869..c09ca1ab 100644
--- a/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
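Review bot: The Javadoc on the new `HTTPS_CLIENT_CERT_KEY` constant does not say who may set the property or what it must contain, and both matter because the validateTransport change later in this diff consults this property before the servlet container's own `javax.servlet.request.X509Certificate` attribute. A value placed here by anything other than the HTTPS transport listener, after the TLS handshake has authenticated the chain, would let a caller satisfy a client-certificate requirement without having authenticated, so the contract must be explicit that handlers never derive it from headers or message content. Suggested wording: `The key under which a custom HTTPS transport listener may publish, as a MessageContext property, the client certificate chain (an X509Certificate[]) that was authenticated during the TLS handshake. Only the transport listener may set it; it must never be populated from request headers or message content.` — this also fixes the `determened` typo. The value `https.client.cert.key` is not namespaced like the neighbouring `org.apache.rampart.*` constants; unless an external listener already depends on that exact string, `org.apache.rampart.https.client.cert.chain` would avoid collisions in the MessageContext property space.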
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
@@ -31,11 +31,14 @@ import org.apache.axis2.dataretrieval.DRConstants;
 import org.apache.axis2.dataretrieval.client.MexClient;
 import org.apache.axis2.description.AxisService;
 import org.apache.axis2.description.Parameter;
+import org.apache.axis2.description.TransportInDescription;
+import org.apache.axis2.engine.AxisConfiguration;
 import org.apache.axis2.mex.MexConstants;
 import org.apache.axis2.mex.MexException;
 import org.apache.axis2.mex.om.Metadata;
 import org.apache.axis2.mex.om.MetadataReference;
 import org.apache.axis2.mex.om.MetadataSection;
+import org.apache.axis2.kernel.TransportListener;
 import org.apache.axis2.kernel.http.HTTPConstants;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -58,7 +61,14 @@ import org.apache.rampart.policy.model.CryptoConfig;
 import org.apache.rampart.policy.model.KerberosConfig;
 import org.apache.rampart.policy.model.RampartConfig;
 import org.apache.ws.secpolicy.SPConstants;
-import org.apache.ws.secpolicy.model.*;
+import org.apache.ws.secpolicy.model.HttpsToken;
+import org.apache.ws.secpolicy.model.IssuedToken;
+import org.apache.ws.secpolicy.model.SecureConversationToken;
+import org.apache.ws.secpolicy.model.SupportingToken;
+import org.apache.ws.secpolicy.model.UsernameToken;
+import org.apache.ws.secpolicy.model.Wss10;
+import org.apache.ws.secpolicy.model.Wss11;
+import org.apache.ws.secpolicy.model.X509Token;
 import org.apache.wss4j.dom.message.WSSecBase;
 import org.apache.wss4j.common.crypto.CryptoType;
 import org.apache.wss4j.common.crypto.Crypto;
@@ -1814,29 +1824,91 @@ public class RampartUtil {
 return null;
 }
-public static void validateTransport(RampartMessageData rmd) throws RampartException {
-
-RampartPolicyData rpd = rmd.getPolicyData();
-
-if (rpd == null) {
-return;
-}
-
-if (rpd.isTransportBinding() && !rmd.isInitiator()) {
-if (rpd.getTransportToken() instanceof HttpsToken) {
-String incomingTransport = rmd.getMsgContext().getIncomingTransportName();
-if (!incomingTransport.equals(org.apache.axis2.Constants.TRANSPORT_HTTPS)) {
-throw new RampartException("invalidTransport",
-new String[]{incomingTransport});
+/**
+ * Validate transport binding policy assertions.
+ * In case an HttpsToken is required by the security policy the method will verify that the
+ * HTTPS transport was used indeed. Furthermore if the assertion requires a client certificate
+ * being used, the method will try to obtain the client certificate chain first from the
+ * message context properties directly under the key {@link RampartConstants#HTTPS_CLIENT_CERT_KEY}
+ * and, if the
(axis-axis2-java-rampart) branch master updated (b0f00965 -> 32f00ce8)
This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git from b0f00965 RAMPART-335 X509V3 KeyIdentifier cannot be set dynmaically new f8dcc746 RAMPART-234 Allow custom https listeners to populate the client certificate chain in the message context new 32f00ce8 RAMPART-234 Allow custom https listeners to populate the client certificate chain in the message context The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../java/org/apache/rampart/RampartConstants.java | 5 + .../java/org/apache/rampart/util/RampartUtil.java | 112 + .../resources/org/apache/rampart/errors.properties | 4 +- 3 files changed, 99 insertions(+), 22 deletions(-)
(axis-axis2-java-rampart) 02/02: RAMPART-234 Allow custom https listeners to populate the client certificate chain in the message context
This is an automated email from the ASF dual-hosted git repository.
robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
commit 32f00ce8d28ae965727746a7f1bc87c0bba381d5
Author: Robert Lazarski
AuthorDate: Wed Nov 6 10:55:45 2024 -1000
RAMPART-234 Allow custom https listeners to populate the client certificate chain in the message context
---
.../src/main/java/org/apache/rampart/util/RampartUtil.java| 4 +---
.../src/main/resources/org/apache/rampart/errors.properties | 1 -
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java b/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
index c09ca1ab..5f8cc5b2 100644
--- a/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
@@ -1883,9 +1883,6 @@ public class RampartUtil {
 }
 }
-MessageContext messageContext = messageData.getMsgContext();
-HttpServletRequest request = ((HttpServletRequest) messageContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST));
-
 // verify client certificate used
 // try to obtain the client certificate chain directly from the message context
 // and then from the servlet request
@@ -1898,6 +1895,7 @@ public class RampartUtil {
 } else {
 Object requestProperty = msgContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
 if (requestProperty instanceof HttpServletRequest) {
+ HttpServletRequest request = (HttpServletRequest)requestProperty;
 Object certificateChain = request.getAttribute("javax.servlet.request.X509Certificate"); //$NON-NLS-1$
 if (certificateChain instanceof X509Certificate[]) {
 // HTTPS client certificate chain found
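Review bot: The servlet fallback in the second hunk still looks the chain up under `javax.servlet.request.X509Certificate`; if `HttpServletRequest` here is the `jakarta.servlet` type (the `org.apache.axis2.kernel` package in this module's imports suggests an Axis2 2.x baseline), Jakarta Servlet 5+ containers expose the chain as `jakarta.servlet.request.X509Certificate`, this lookup returns null, and every request without a listener-populated `HTTPS_CLIENT_CERT_KEY` would presumably be rejected with `httpsClientCertValidationFailed` even though the container did authenticate a client certificate. That is fail-closed rather than a bypass, but it defeats the feature; try the Jakarta name first and fall back to the legacy one: `Object certificateChain = request.getAttribute("jakarta.servlet.request.X509Certificate"); if (certificateChain == null) { certificateChain = request.getAttribute("javax.servlet.request.X509Certificate"); }`. Also `certificateChain instanceof X509Certificate[]` is true for a zero-length array, so tighten it to `certificateChain instanceof X509Certificate[] && ((X509Certificate[]) certificateChain).length > 0` before treating the chain as found. The enclosing method (presumably validateTransport) starts before the first hunk and continues past the second.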
diff --git a/modules/rampart-core/src/main/resources/org/apache/rampart/errors.properties b/modules/rampart-core/src/main/resources/org/apache/rampart/errors.properties
index fea93359..1231c2c4 100644
--- a/modules/rampart-core/src/main/resources/org/apache/rampart/errors.properties
+++ b/modules/rampart-core/src/main/resources/org/apache/rampart/errors.properties
@@ -103,7 +103,6 @@ invalidTransport = Expected transport is "https" but incoming transport found :
 requiredElementsMissing = Required Elements not found in the incoming message : {0}
 httpsVerificationFailed = Unable to verify HTTPS transport usage: incoming transport description is unavailable
 httpsClientCertValidationFailed = Unable to verify HTTPS client certificate usage: client certificate chain is not available.
-requiredElementsMissing = Required Elements not found in the incoming message : {0}
 repeatingNonceValue = Nonce value : {0}, already seen before for user name : {1}. Possibly this could be a replay attack.
 invalidNonceLifeTime = Invalid value for nonceLifeTime in rampart configuration file.
 invalidIssuerAddress = Invalid value for Issuer
(axis-axis2-java-rampart) branch master updated: Release notes update
This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git The following commit(s) were added to refs/heads/master by this push: new add45b83 Release notes update add45b83 is described below commit add45b830136cec9ba607fab04604d8c5d6f4beb Author: Robert Lazarski AuthorDate: Wed Nov 6 11:16:37 2024 -1000 Release notes update --- src/site/markdown/release-notes/1.8.0.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/site/markdown/release-notes/1.8.0.md b/src/site/markdown/release-notes/1.8.0.md index 46e51d8b..45a234b1 100644 --- a/src/site/markdown/release-notes/1.8.0.md +++ b/src/site/markdown/release-notes/1.8.0.md @@ -17,7 +17,6 @@ GitHub PR's are welcome too. If you have an interest in a feature that Rampart lacks or simply found a bug you can help with, please think about contributing. Jira issues completed for 1.8.0: - Sub-task @@ -28,8 +27,6 @@ Jira issues completed for 1.8.0: Bug -[RAMPART-289] - PolicyBasedResultsValidator Incorrectly Invalidates Supporting Token Signatures/Encryptions and Encrypted Supporting Tokens - [RAMPART-325] - NullPointerException with UsernameToken Policy and MTOM Policy without Rampart Config in WSDL [RAMPART-331] - Unreachable code in org.apache.rahas.STSMessageReceiver.invokeBusinessLogic() - "dispatcher" is never null at end of try @@ -114,3 +111,4 @@ Jira issues completed for 1.8.0: [RAMPART-425] - Links not found +
(axis-axis2-java-rampart) branch master updated: RAMPART-261 Ability to Toggle mustUnderstand flag in security header
This is an automated email from the ASF dual-hosted git repository.
robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
The following commit(s) were added to refs/heads/master by this push:
new 1d69f56c RAMPART-261 Ability to Toggle mustUnderstand flag in security header
1d69f56c is described below
commit 1d69f56cac5490ded516503c38957ee4b4ba3759
Author: Robert Lazarski
AuthorDate: Wed Nov 6 08:56:31 2024 -1000
RAMPART-261 Ability to Toggle mustUnderstand flag in security header
---
.../org/apache/rampart/RampartMessageData.java | 9 ++
.../policy/builders/RampartConfigBuilder.java | 6 ++
.../apache/rampart/policy/model/RampartConfig.java | 21 -
.../rampart/policy/builders/kerberosConfig.policy | 1 +
src/site/markdown/release-notes/1.8.0.md | 104 -
src/site/site.xml | 1 +
6 files changed, 138 insertions(+), 4 deletions(-)
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java b/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
index f9aa3daa..58c3c7f7 100644
--- a/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
@@ -150,6 +150,8 @@ public class RampartMessageData {
 public final static String SCT_ID = "sctID";
 public final static String X509_CERT ="X509Certificate";
+
+public final static String MUST_UNDERSTAND_SECURITY_HEADER = "mustUnderstandSecurityHeader";
 private MessageContext msgContext = null;
@@ -450,6 +452,13 @@ public class RampartMessageData {
 if(this.sender && this.policyData != null) {
 this.secHeader = new WSSecHeader(this.document);
 secHeader.insertSecurityHeader();
+ // RAMPART-261
+Boolean mustUnderstandSecurityHeaderInput = (Boolean)msgCtx.getProperty(MUST_UNDERSTAND_SECURITY_HEADER);
+if (mustUnderstandSecurityHeaderInput != null) {
+ secHeader.setMustUnderstand(mustUnderstandSecurityHeaderInput);
+} else if (this.policyData != null && this.policyData.getRampartConfig() != null) {
+ secHeader.setMustUnderstand(this.policyData.getRampartConfig().isMustUnderstandSecurityHeader());
+ }
 }
 } catch (AxisFault e) {
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java b/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
index 5a03e062..6b6efdee 100644
--- a/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
@@ -232,6 +232,12 @@ public class RampartConfigBuilder implements AssertionBuilder {
 rampartConfig.setAllowRSA15KeyTransportAlgorithm(childElement.getText().trim());
 }
+childElement = element.getFirstChildWithName(new QName(
+RampartConfig.NS, RampartConfig.MUST_UNDERSTAND_SECURITY_HEADER_LN));
+if (childElement != null) {
+ rampartConfig.setMustUnderstandSecurityHeader(childElement.getText().trim());
+}
+
 return rampartConfig;
 }
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java b/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
index 7f2ed3b5..db97b23d 100644
--- a/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
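Review bot: `(Boolean)msgCtx.getProperty(MUST_UNDERSTAND_SECURITY_HEADER)` in the first hunk throws ClassCastException when the property was set as a String, which is how values arriving through Axis2 options or configuration often look, so a configuration slip becomes a failed send with an unhelpful stack trace instead of a clear fallback. A String should be accepted only as an explicit `true`/`false` and anything else should fall through to the RampartConfig default, rather than `Boolean.parseBoolean` quietly turning a typo into `false`. The `this.policyData != null` test in the `else if` is redundant with the enclosing `if`, and since `mustUnderstand="0"` lets a receiver that does not process WS-Security ignore the header entirely, the per-message override deserves a comment saying that this relaxation is deliberate. The enclosing try block starts before the hunk.
```java
            secHeader.insertSecurityHeader();
            // RAMPART-261: a per-message property overrides RampartConfig. mustUnderstand=false lets a
            // receiver without WS-Security processing ignore the header, so only an explicit value counts.
            Object mustUnderstandInput = msgCtx.getProperty(MUST_UNDERSTAND_SECURITY_HEADER);
            if (mustUnderstandInput instanceof String) {
                String s = ((String) mustUnderstandInput).trim();
                mustUnderstandInput = "true".equalsIgnoreCase(s) ? Boolean.TRUE
                        : "false".equalsIgnoreCase(s) ? Boolean.FALSE : null;
            }
            if (mustUnderstandInput instanceof Boolean) {
                secHeader.setMustUnderstand((Boolean) mustUnderstandInput);
            } else if (this.policyData.getRampartConfig() != null) {
                secHeader.setMustUnderstand(this.policyData.getRampartConfig().isMustUnderstandSecurityHeader());
            }
```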
@@ -136,6 +136,7 @@ public class RampartConfig implements Assertion {
 public final static String VALIDATE_SAML_SUBJECT_CONFIRMATION_LN = "validateSamlSubjectConfirmation";
 public final static String ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM_LN = "allowRSA15KeyTransportAlgorithm";
+public final static String MUST_UNDERSTAND_SECURITY_HEADER_LN = "mustUnderstandSecurityHeader";
 private String user;
@@ -209,7 +210,9 @@ public class RampartConfig implements Assertion {
 private boolean validateSamlSubjectConfirmation = false; // backward compatibility
 private boolean allowRSA15KeyTransportAlgorithm = true; // backward compatibility
-
+
+private boolean mustUnderstandSecurityHeader = true; // RAMPART-261, WSS4J default is true
+
 public SSLConfig getSSLConfig() {
 return sslConfig;
 }
@@ -391,6 +394,10 @@ public class RampartConfig implements Assertion {
 writer.writeEndElement();
 }
+writer.writeStartElement(NS, MUST_UNDERSTAND_SECURITY_HEADER_LN);
+
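Review bot: The new `mustUnderstandSecurityHeader` field in the second hunk carries only `// RAMPART-261, WSS4J default is true`, while the builder change in this same commit feeds it `childElement.getText().trim()` through a String-taking setter that is not in this diff, so neither the accepted spellings nor the effect of a stray value are documented. Because switching the flag off means a receiver that does not understand WS-Security will ignore the Security header instead of faulting, the field needs a Javadoc that states the consequence, e.g. `Whether the outbound wsse:Security header is marked mustUnderstand (default true, matching WSS4J). Set to false only for receivers known to ignore the header deliberately; otherwise an endpoint without WS-Security processing silently accepts the message with the header unprocessed.` The setter and the rest of serialize() are outside these hunks.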
(axis-axis2-java-rampart) branch master updated: RAMPART-335 X509V3 KeyIdentifier cannot be set dynmaically
This is an automated email from the ASF dual-hosted git repository.
robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
The following commit(s) were added to refs/heads/master by this push:
new b0f00965 RAMPART-335 X509V3 KeyIdentifier cannot be set dynmaically
b0f00965 is described below
commit b0f0096543e1ef494b0356740ec76fda7d5def56
Author: Robert Lazarski
AuthorDate: Wed Nov 6 09:18:13 2024 -1000
RAMPART-335 X509V3 KeyIdentifier cannot be set dynmaically
---
.../main/java/org/apache/rampart/util/RampartUtil.java | 5 +
.../java/org/apache/ws/secpolicy/model/X509Token.java | 18 +-
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java b/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
index 78c6ae64..2ed59869 100644
--- a/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
@@ -491,6 +491,8 @@ public class RampartUtil {
 return WSConstants.THUMBPRINT_IDENTIFIER;
 } else if (token.isRequireEmbeddedTokenReference()) {
 return WSConstants.BST_DIRECT_REFERENCE;
+} else if (token.isRequireX509V3KeyIdentifierReference()) {
+return WSConstants.X509_KEY_IDENTIFIER;
 } else {
 throw new RampartException(
 "unknownKeyRefSpeficier");
@@ -1459,6 +1461,9 @@ public class RampartUtil {
 } else if (x509Token.isRequireThumbprintReference()) {
 secBase.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER);
 tokenTypeSet = true;
+ } else if (x509Token.isRequireX509V3KeyIdentifierReference()) {
+ secBase.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
+tokenTypeSet = true;
 } else if (log.isDebugEnabled()) {
 log.debug("RampartUtil.setKeyIdentifierType() found a Token that is an instanceof X509Token but was not able to identify the correcc constant to set on WSSecBase.setKeyIdentifierType()" );
 }
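Review bot: In both hunks the new `isRequireX509V3KeyIdentifierReference()` branch is appended last to an `else if` chain, so a token that also has one of the earlier reference flags set (thumbprint and embedded are visible above it; the flags are independent booleans with their own setters in the X509Token change of this commit) silently gets the earlier reference type and the X509v3 request is dropped. That precedence may well be intended, but nothing states it; a one-line comment above the new branch in each method, `// X509v3 KeyIdentifier applies only when no other reference type was requested; earlier branches win`, would make it explicit, and the Javadoc of the first method (outside the hunk) should list the flags in precedence order. Both enclosing methods start before their hunks.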
diff --git a/modules/rampart-policy/src/main/java/org/apache/ws/secpolicy/model/X509Token.java b/modules/rampart-policy/src/main/java/org/apache/ws/secpolicy/model/X509Token.java
index c81a9593..57e733b6 100644
--- a/modules/rampart-policy/src/main/java/org/apache/ws/secpolicy/model/X509Token.java
+++ b/modules/rampart-policy/src/main/java/org/apache/ws/secpolicy/model/X509Token.java
@@ -36,6 +36,8 @@ public class X509Token extends Token {
 private boolean requireThumbprintReference;
+private boolean requireX509V3KeyIdentifierReference;
+
 private String tokenVersionAndType = Constants.WSS_X509_V3_TOKEN10;
 private String encryptionUser;
@@ -120,6 +122,20 @@ public class X509Token extends Token {
 this.requireThumbprintReference = requireThumbprintReference;
 }
+/**
+ * @return Returns the requireX509V3KeyIdentifierReference
+ */
+public boolean isRequireX509V3KeyIdentifierReference() {
+return requireX509V3KeyIdentifierReference;
+}
+
+/**
+ * @param requireX509V3KeyIdentifierReference The requireX509V3KeyIdentifierReference to set
+ */
+public void setRequireX509V3KeyIdentifierReference(boolean requireX509V3KeyIdentifierReference) {
+this.requireX509V3KeyIdentifierReference = requireX509V3KeyIdentifierReference;
+}
+
 /**
 * @return Returns the tokenVersionAndType.
 */
@@ -169,7 +185,7 @@ public class X509Token extends Token {
 // writeStartElement(writer, SPConstants.POLICY);
-if (isRequireKeyIdentifierReference()) {
+if (isRequireKeyIdentifierReference() || isRequireX509V3KeyIdentifierReference()) {
 // writeEmptyElement(writer, prefix, SPConstants.REQUIRE_KEY_IDENTIFIRE_REFERENCE, namespaceURI);
 }
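Review bot: The serialize change in the last hunk emits the same `RequireKeyIdentifierReference` assertion for `requireX509V3KeyIdentifierReference` as for `requireKeyIdentifierReference`, so a policy written from a token with only the X509v3 flag set and parsed back by the policy builder (not in this diff) presumably comes back as the plain KeyIdentifier flag, which the RampartUtil change in this commit maps to a different `WSConstants` type; the new flag survives only when set programmatically, which matches the Jira title but is written down nowhere. The accessor Javadoc in the second hunk (`Returns the requireX509V3KeyIdentifierReference`) should say what the flag does and state that limitation, e.g. `Whether this X509 token is to be referenced by a KeyIdentifier of type X509v3 (WSConstants.X509_KEY_IDENTIFIER). Has no WS-SecurityPolicy representation of its own: serialize() writes RequireKeyIdentifierReference for it, so the distinction is lost on a policy round-trip and the flag must be set programmatically.` The lines shown as `// writeStartElement(...)` and `// writeEmptyElement(...)` look like an XML comment whose tag was stripped by the mail rendering followed by the real call, not commented-out code; worth confirming against the file.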