High severity · NVD Advisory · Published Jan 3, 2013 · Updated Apr 29, 2026

CVE-2012-2379


Description

Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element is signed or encrypted, which has unspecified impact and attack vectors.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.cxf:cxf (Maven) | >= 2.4.0, < 2.4.8 | 2.4.8
org.apache.cxf:cxf (Maven) | >= 2.5.0, < 2.5.4 | 2.5.4
org.apache.cxf:cxf (Maven) | >= 2.6.0, < 2.6.1 | 2.6.1

Affected products

  • Apache/Cxf13 versions
    • cpe:2.3:a:apache:cxf:2.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:2.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:2.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:2.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:2.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:2.4.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:2.4.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:2.4.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:2.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:2.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:2.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:2.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:cxf:2.6.0:*:*:*:*:*:*:*

Patches

440528d928be

Merged revisions 1338219 via git cherry-pick from

https://github.com/apache/cxfColm O HeigeartaighMay 14, 2012via ghsa
18 files changed · +892 28
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java+8 4 modified
    @@ -69,6 +69,7 @@
     import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
     import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
     import org.apache.cxf.ws.security.wss4j.policyvalidators.BindingPolicyValidator;
    +import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingTokenPolicyValidator;
     import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator;
     import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator;
     import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
    @@ -562,9 +563,6 @@ protected void doResults(
                 LOG.fine("Incoming request failed supporting token policy validation");
             }
             
    -        // The supporting tokens are already validated
    -        assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
    -        
             // relatively irrelevant stuff from a verification standpoint
             assertPolicy(aim, SP12Constants.LAYOUT);
             assertPolicy(aim, SP12Constants.WSS10);
    @@ -703,7 +701,13 @@ private boolean checkSupportingTokenCoverage(
             
             boolean check = true;
             
    -        SupportingTokenPolicyValidator validator = new SignedTokenPolicyValidator();
    +        SupportingTokenPolicyValidator validator = new ConcreteSupportingTokenPolicyValidator();
    +        validator.setUsernameTokenResults(utResults, utWithCallbacks);
    +        validator.setSAMLTokenResults(samlResults);
    +        validator.setTimestampElement(timestamp);
    +        check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
    +        
    +        validator = new SignedTokenPolicyValidator();
             validator.setUsernameTokenResults(utResults, utWithCallbacks);
             validator.setSAMLTokenResults(samlResults);
             validator.setTimestampElement(timestamp);
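Review bot: With the blanket `assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS)` dropped from the doResults hunk, a SupportingTokens assertion is now marked asserted only by the validator that handles its token type, and nothing at the removal site records that; a one-line comment where the call was would keep the next editor from re-adding it: `// SupportingTokens assertions are asserted per token type by the validators in checkSupportingTokenCoverage`. In the checkSupportingTokenCoverage hunk the new ConcreteSupportingTokenPolicyValidator result is folded with `check &=`, so a failed plain SupportingTokens validation does not short-circuit the validators that follow; that looks intended, since the later validators still assert their own assertions, but it deserves a note next to the first `check &=`. Both doResults and checkSupportingTokenCoverage start and end outside these hunks.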
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java+270 16 modified
    @@ -23,14 +23,30 @@
     import java.util.ArrayList;
     import java.util.Arrays;
     import java.util.List;
    +import java.util.Map;
    +import java.util.logging.Level;
    +import java.util.logging.Logger;
     
     import javax.xml.namespace.QName;
    +import javax.xml.soap.SOAPException;
    +import javax.xml.soap.SOAPMessage;
    +import javax.xml.xpath.XPath;
    +import javax.xml.xpath.XPathConstants;
    +import javax.xml.xpath.XPathExpressionException;
    +import javax.xml.xpath.XPathFactory;
     
     import org.w3c.dom.Element;
    +import org.w3c.dom.NodeList;
     
    +import org.apache.cxf.common.logging.LogUtils;
     import org.apache.cxf.helpers.CastUtils;
    +import org.apache.cxf.helpers.DOMUtils;
    +import org.apache.cxf.helpers.MapNamespaceContext;
     import org.apache.cxf.message.Message;
     import org.apache.cxf.security.transport.TLSSessionInfo;
    +import org.apache.cxf.ws.security.policy.model.Header;
    +import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
    +import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
     import org.apache.ws.security.WSConstants;
     import org.apache.ws.security.WSDataRef;
     import org.apache.ws.security.WSSecurityEngine;
    @@ -48,6 +64,8 @@
     public abstract class AbstractSupportingTokenPolicyValidator 
         extends AbstractTokenPolicyValidator implements SupportingTokenPolicyValidator {
         
    +    private static final Logger LOG = LogUtils.getL7dLogger(AbstractSupportingTokenPolicyValidator.class);
    +    
         private Message message;
         private List<WSSecurityEngineResult> results;
         private List<WSSecurityEngineResult> signedResults;
    @@ -59,7 +77,11 @@ public abstract class AbstractSupportingTokenPolicyValidator
         private boolean signed;
         private boolean encrypted;
         private boolean derived;
    -    private boolean endorsed;
    +    private boolean endorsed; 
    +    private SignedEncryptedElements signedElements;
    +    private SignedEncryptedElements encryptedElements;
    +    private SignedEncryptedParts signedParts;
    +    private SignedEncryptedParts encryptedParts;
     
         /**
          * Set the list of UsernameToken results
    @@ -130,7 +152,7 @@ protected boolean processUsernameTokens() {
             tokenResults.addAll(utResults);
             List<WSSecurityEngineResult> dktResults = new ArrayList<WSSecurityEngineResult>();
             for (WSSecurityEngineResult wser : utResults) {
    -            if (endorsed && derived) {
    +            if (derived) {
                     byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                     WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
                     if (dktResult != null) {
    @@ -150,9 +172,10 @@ protected boolean processUsernameTokens() {
                 return false;
             }
             tokenResults.addAll(dktResults);
    -        if (endorsed && !checkEndorsed(tokenResults)) {
    +        if ((endorsed && !checkEndorsed(tokenResults)) || !validateSignedEncryptedPolicies(tokenResults)) {
                 return false;
             }
    +        
             return true;
         }
         
    @@ -174,6 +197,11 @@ protected boolean processSAMLTokens() {
             if (endorsed && !checkEndorsed(samlResults)) {
                 return false;
             }
    +        
    +        if (!validateSignedEncryptedPolicies(samlResults)) {
    +            return false;
    +        }
    +        
             return true;
         }
         
    @@ -190,7 +218,7 @@ protected boolean processKerberosTokens() {
                     BinarySecurity binarySecurity = 
                         (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                     if (binarySecurity instanceof KerberosSecurity) {
    -                    if (endorsed && derived) {
    +                    if (derived) {
                             byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                             WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
                             if (dktResult != null) {
    @@ -216,6 +244,11 @@ protected boolean processKerberosTokens() {
             if (endorsed && !checkEndorsed(tokenResults)) {
                 return false;
             }
    +        
    +        if (!validateSignedEncryptedPolicies(tokenResults)) {
    +            return false;
    +        }
    +        
             return true;
         }
         
    @@ -233,7 +266,7 @@ protected boolean processX509Tokens() {
                         (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                     if (binarySecurity instanceof X509Security
                         || binarySecurity instanceof PKIPathSecurity) {
    -                    if (endorsed && derived) {
    +                    if (derived) {
                             WSSecurityEngineResult resultToStore = processX509DerivedTokenResult(wser);
                             if (resultToStore != null) {
                                 dktResults.add(resultToStore);
    @@ -258,6 +291,35 @@ protected boolean processX509Tokens() {
             if (endorsed && !checkEndorsed(tokenResults)) {
                 return false;
             }
    +        
    +        if (!validateSignedEncryptedPolicies(tokenResults)) {
    +            return false;
    +        }
    +        
    +        return true;
    +    }
    +    
    +    /**
    +     * Validate (SignedParts|SignedElements|EncryptedParts|EncryptedElements) policies of this
    +     * SupportingToken.
    +     */
    +    private boolean validateSignedEncryptedPolicies(List<WSSecurityEngineResult> tokenResults) {
    +        if (!validateSignedEncryptedParts(signedParts, false, signedResults, tokenResults)) {
    +            return false;
    +        }
    +        
    +        if (!validateSignedEncryptedParts(encryptedParts, true, encryptedResults, tokenResults)) {
    +            return false;
    +        }
    +        
    +        if (!validateSignedEncryptedElements(signedElements, false, signedResults, tokenResults)) {
    +            return false;
    +        }
    +        
    +        if (!validateSignedEncryptedElements(encryptedElements, false, encryptedResults, tokenResults)) {
    +            return false;
    +        }
    +        
             return true;
         }
         
    @@ -271,7 +333,7 @@ protected boolean processSCTokens() {
             for (WSSecurityEngineResult wser : results) {
                 Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
                 if (actInt.intValue() == WSConstants.SCT) {
    -                if (endorsed && derived) {
    +                if (derived) {
                         byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                         WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
                         if (dktResult != null) {
    @@ -296,6 +358,11 @@ protected boolean processSCTokens() {
             if (endorsed && !checkEndorsed(tokenResults)) {
                 return false;
             }
    +        
    +        if (!validateSignedEncryptedPolicies(tokenResults)) {
    +            return false;
    +        }
    +        
             return true;
         }
         
    @@ -417,7 +484,7 @@ private boolean checkTimestampIsSigned(List<WSSecurityEngineResult> tokenResults
                 if (sl != null) {
                     for (WSDataRef dataRef : sl) {
                         if (timestamp == dataRef.getProtectedElement()
    -                        && checkSignature(signedResult, tokenResults)) {
    +                        && checkSignatureOrEncryptionResult(signedResult, tokenResults)) {
                             return true;
                         }
                     }
    @@ -441,7 +508,7 @@ private boolean checkSignatureIsSigned(List<WSSecurityEngineResult> tokenResults
                     for (WSDataRef dataRef : sl) {
                         QName signedQName = dataRef.getName();
                         if (WSSecurityEngine.SIGNATURE.equals(signedQName)
    -                        && checkSignature(signedResult, tokenResults)) {
    +                        && checkSignatureOrEncryptionResult(signedResult, tokenResults)) {
                             return true;
                         }
                     }
    @@ -451,20 +518,20 @@ && checkSignature(signedResult, tokenResults)) {
         }
         
         /**
    -     * Check that a WSSecurityEngineResult corresponding to a signature uses the same 
    -     * signing credential as one of the tokens.
    -     * @param signatureResult a WSSecurityEngineResult corresponding to a signature
    +     * Check that a WSSecurityEngineResult corresponding to a signature or encryption uses the same 
    +     * signing/encrypting credential as one of the tokens.
    +     * @param signatureResult a WSSecurityEngineResult corresponding to a signature or encryption
          * @param tokenResult A list of WSSecurityEngineResults corresponding to tokens
          * @return 
          */
    -    private boolean checkSignature(
    -        WSSecurityEngineResult signatureResult,
    +    private boolean checkSignatureOrEncryptionResult(
    +        WSSecurityEngineResult result,
             List<WSSecurityEngineResult> tokenResult
         ) {
    -        // See what was used to sign this result
    +        // See what was used to sign/encrypt this result
             X509Certificate cert = 
    -            (X509Certificate)signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    -        byte[] secret = (byte[])signatureResult.get(WSSecurityEngineResult.TAG_SECRET);
    +            (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    +        byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
             
             // Now see if the same credential exists in the tokenResult list
             for (WSSecurityEngineResult token : tokenResult) {
    @@ -509,6 +576,165 @@ private boolean checkSignature(
             return false;
         }
         
    +    /**
    +     * Validate the SignedParts or EncryptedParts policies
    +     */
    +    private boolean validateSignedEncryptedParts(
    +        SignedEncryptedParts parts,
    +        boolean content,
    +        List<WSSecurityEngineResult> protResults,
    +        List<WSSecurityEngineResult> tokenResults
    +    ) {
    +        if (parts == null) {
    +            return true;
    +        }
    +        
    +        if (parts.isBody()) {
    +            SOAPMessage soapMessage = message.getContent(SOAPMessage.class);
    +            Element soapBody = null;
    +            try {
    +                soapBody = soapMessage.getSOAPBody();
    +            } catch (SOAPException ex) {
    +                LOG.log(Level.FINE, ex.getMessage(), ex);
    +                return false;
    +            }
    +            
    +            if (!checkProtectionResult(soapBody, content, protResults, tokenResults)) {
    +                return false;
    +            }
    +        }
    +        
    +        for (Header h : parts.getHeaders()) {
    +            SOAPMessage soapMessage = message.getContent(SOAPMessage.class);
    +            Element soapHeader = null;
    +            try {
    +                soapHeader = soapMessage.getSOAPHeader();
    +            } catch (SOAPException ex) {
    +                LOG.log(Level.FINE, ex.getMessage(), ex);
    +                return false;
    +            }
    +            
    +            final List<Element> elements;
    +            if (h.getName() == null) {
    +                elements = DOMUtils.getChildrenWithNamespace(soapHeader, h.getNamespace());
    +            } else {
    +                elements = DOMUtils.getChildrenWithName(soapHeader, h.getNamespace(), h.getName());
    +            }
    +            
    +            for (Element el : elements) {
    +                if (!checkProtectionResult(el, false, protResults, tokenResults)) {
    +                    return false;
    +                }
    +            }
    +        }
    +        
    +        return true;
    +    }
    +    
    +    /**
    +     * Check that an Element is signed or encrypted by one of the token results
    +     */
    +    private boolean checkProtectionResult(
    +        Element elementToProtect,
    +        boolean content,
    +        List<WSSecurityEngineResult> protResults,
    +        List<WSSecurityEngineResult> tokenResults
    +    ) {
    +        for (WSSecurityEngineResult result : protResults) {
    +            List<WSDataRef> dataRefs = 
    +                CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
    +            if (dataRefs != null) {
    +                for (WSDataRef dataRef : dataRefs) {
    +                    if (elementToProtect == dataRef.getProtectedElement()
    +                        && content == dataRef.isContent()
    +                        && checkSignatureOrEncryptionResult(result, tokenResults)) {
    +                        return true;
    +                    }
    +                }
    +            }
    +        }
    +        return false;
    +    }
    +    
    +    /**
    +     * Validate SignedElements or EncryptedElements policies
    +     */
    +    private boolean validateSignedEncryptedElements(
    +        SignedEncryptedElements elements,
    +        boolean content,
    +        List<WSSecurityEngineResult> protResults,
    +        List<WSSecurityEngineResult> tokenResults
    +    ) {
    +        if (elements == null) {
    +            return true;
    +        }
    +        
    +        Map<String, String> namespaces = elements.getDeclaredNamespaces();
    +        List<String> xpaths = elements.getXPathExpressions();
    +        
    +        if (xpaths != null) {
    +            SOAPMessage soapMessage = message.getContent(SOAPMessage.class);
    +            Element soapEnvelope = soapMessage.getSOAPPart().getDocumentElement();
    +            
    +            for (String xPath : xpaths) {
    +                if (!checkXPathResult(soapEnvelope, xPath, namespaces, protResults, tokenResults)) {
    +                    return false;
    +                }
    +            }
    +        }
    +        
    +        return true;
    +    }
    +    
    +    /**
    +     * Check a particular XPath result
    +     */
    +    private boolean checkXPathResult(
    +        Element soapEnvelope,
    +        String xPath,
    +        Map<String, String> namespaces,
    +        List<WSSecurityEngineResult> protResults,
    +        List<WSSecurityEngineResult> tokenResults
    +    ) {
    +        // XPathFactory and XPath are not thread-safe so we must recreate them
    +        // each request.
    +        final XPathFactory factory = XPathFactory.newInstance();
    +        final XPath xpath = factory.newXPath();
    +        
    +        if (namespaces != null) {
    +            xpath.setNamespaceContext(new MapNamespaceContext(namespaces));
    +        }
    +        
    +        // For each XPath
    +        for (String xpathString : Arrays.asList(xPath)) {
    +            // Get the matching nodes
    +            NodeList list;
    +            try {
    +                list = (NodeList)xpath.evaluate(
    +                        xpathString, 
    +                        soapEnvelope,
    +                        XPathConstants.NODESET);
    +            } catch (XPathExpressionException e) {
    +                LOG.log(Level.FINE, e.getMessage(), e);
    +                return false;
    +            }
    +            
    +            // If we found nodes then we need to do the check.
    +            if (list.getLength() != 0) {
    +                // For each matching element, check for a ref that
    +                // covers it.
    +                for (int x = 0; x < list.getLength(); x++) {
    +                    final Element el = (Element)list.item(x);
    +                    
    +                    if (!checkProtectionResult(el, false, protResults, tokenResults)) {
    +                        return false;
    +                    }
    +                }
    +            }
    +        }
    +        return true;
    +    }
    +    
         /**
          * Return true if a token was signed, false otherwise.
          */
    @@ -543,5 +769,33 @@ private boolean isTokenEncrypted(Element token) {
             }
             return false;
         }
    +
    +    public void setUtResults(List<WSSecurityEngineResult> utResults) {
    +        this.utResults = utResults;
    +    }
    +
    +    public void setValidateUsernameToken(boolean validateUsernameToken) {
    +        this.validateUsernameToken = validateUsernameToken;
    +    }
    +
    +    public void setTimestamp(Element timestamp) {
    +        this.timestamp = timestamp;
    +    }
    +
    +    public void setSignedElements(SignedEncryptedElements signedElements) {
    +        this.signedElements = signedElements;
    +    }
    +
    +    public void setEncryptedElements(SignedEncryptedElements encryptedElements) {
    +        this.encryptedElements = encryptedElements;
    +    }
    +
    +    public void setSignedParts(SignedEncryptedParts signedParts) {
    +        this.signedParts = signedParts;
    +    }
    +
    +    public void setEncryptedParts(SignedEncryptedParts encryptedParts) {
    +        this.encryptedParts = encryptedParts;
    +    }
         
     }
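Review bot: The `content` parameter of the new validateSignedEncryptedElements is never used: the only consumer, checkXPathResult, hard-codes `false` in its `checkProtectionResult(el, false, ...)` call, so the `false` passed for encryptedElements in validateSignedEncryptedPolicies (where encryptedParts gets `true`) has no effect either. Either thread it through — `checkXPathResult(soapEnvelope, xPath, namespaces, content, protResults, tokenResults)`, add `boolean content,` to the checkXPathResult signature and call `checkProtectionResult(el, content, protResults, tokenResults)` — or drop the parameter and document that element-level policies always use element (non-content) protection. Style-wise, checkXPathResult iterates `Arrays.asList(xPath)` over a single string and guards `list.getLength() != 0` around a loop that already handles zero, both of which can go; and the header loop in validateSignedEncryptedParts re-fetches the SOAPMessage and SOAP header on every iteration, which can be hoisted above the `for (Header h : ...)`. `message.getContent(SOAPMessage.class)` is dereferenced without a null check in three places; presumably the interceptor always sets it, but a `return false` with a FINE log would be safer than an NPE.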
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java+122 0 added
    @@ -0,0 +1,122 @@
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements. See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership. The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License. You may obtain a copy of the License at
    + *
    + * http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing,
    + * software distributed under the License is distributed on an
    + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    + * KIND, either express or implied. See the License for the
    + * specific language governing permissions and limitations
    + * under the License.
    + */
    +
    +package org.apache.cxf.ws.security.wss4j.policyvalidators;
    +
    +import java.util.Collection;
    +import java.util.List;
    +
    +import org.apache.cxf.message.Message;
    +import org.apache.cxf.ws.policy.AssertionInfo;
    +import org.apache.cxf.ws.policy.AssertionInfoMap;
    +import org.apache.cxf.ws.security.policy.SP12Constants;
    +import org.apache.cxf.ws.security.policy.SPConstants;
    +import org.apache.cxf.ws.security.policy.model.IssuedToken;
    +import org.apache.cxf.ws.security.policy.model.KerberosToken;
    +import org.apache.cxf.ws.security.policy.model.SamlToken;
    +import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
    +import org.apache.cxf.ws.security.policy.model.SupportingToken;
    +import org.apache.cxf.ws.security.policy.model.Token;
    +import org.apache.cxf.ws.security.policy.model.UsernameToken;
    +import org.apache.cxf.ws.security.policy.model.X509Token;
    +import org.apache.ws.security.WSSecurityEngineResult;
    +
    +/**
    + * Validate SupportingToken policies.
    + */
    +public class ConcreteSupportingTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
    +    
    +    public ConcreteSupportingTokenPolicyValidator() {
    +        setSigned(false);
    +    }
    +    
    +    public boolean validatePolicy(
    +        AssertionInfoMap aim, 
    +        Message message,
    +        List<WSSecurityEngineResult> results,
    +        List<WSSecurityEngineResult> signedResults,
    +        List<WSSecurityEngineResult> encryptedResults
    +    ) {
    +        Collection<AssertionInfo> ais = aim.get(SP12Constants.SUPPORTING_TOKENS);
    +        if (ais == null || ais.isEmpty()) {                       
    +            return true;
    +        }
    +        
    +        setMessage(message);
    +        setResults(results);
    +        setSignedResults(signedResults);
    +        setEncryptedResults(encryptedResults);
    +        
    +        for (AssertionInfo ai : ais) {
    +            SupportingToken binding = (SupportingToken)ai.getAssertion();
    +            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SUPPORTING != binding.getTokenType()) {
    +                continue;
    +            }
    +            ai.setAsserted(true);
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
    +            
    +            List<Token> tokens = binding.getTokens();
    +            for (Token token : tokens) {
    +                if (!isTokenRequired(token, message)) {
    +                    continue;
    +                }
    +                
    +                boolean processingFailed = false;
    +                if (token instanceof UsernameToken) {
    +                    if (!processUsernameTokens()) {
    +                        processingFailed = true;
    +                    }
    +                } else if (token instanceof SamlToken) {
    +                    if (!processSAMLTokens()) {
    +                        processingFailed = true;
    +                    }
    +                } else if (token instanceof KerberosToken) {
    +                    if (!processKerberosTokens()) {
    +                        processingFailed = true;
    +                    }
    +                } else if (token instanceof X509Token) {
    +                    if (!processX509Tokens()) {
    +                        processingFailed = true;
    +                    }
    +                } else if (token instanceof SecurityContextToken) {
    +                    if (!processSCTokens()) {
    +                        processingFailed = true;
    +                    }
    +                } else if (!(token instanceof IssuedToken)) {
    +                    processingFailed = true;
    +                }
    +                
    +                if (processingFailed) {
    +                    ai.setNotAsserted(
    +                        "The received token does not match the supporting token requirement"
    +                    );
    +                    return false;
    +                }
    +            }
    +
    +        }
    +        
    +        return true;
    +    }
    +    
    +}
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java+5 0 modified
    @@ -69,6 +69,11 @@ public boolean validatePolicy(
                     continue;
                 }
                 ai.setAsserted(true);
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
     
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
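Review bot: The same four `setSignedParts/setEncryptedParts/setSignedElements/setEncryptedElements(binding.get...())` lines are pasted into seven validators here and in the EndorsingEncryptedTokenPolicyValidator, EndorsingTokenPolicyValidator, SignedEncryptedTokenPolicyValidator, SignedEndorsingEncryptedTokenPolicyValidator, SignedEndorsingTokenPolicyValidator and SignedTokenPolicyValidator hunks (plus ConcreteSupportingTokenPolicyValidator), so a future fifth policy element has to be added in eight places. A protected helper on AbstractSupportingTokenPolicyValidator taking the `SupportingToken` binding, called as `setSignedEncryptedPolicies(binding);` at each site, keeps the copy in one place; the abstract class would need the `SupportingToken` model import. The enclosing validatePolicy methods start and end outside these hunks.
```java
// in AbstractSupportingTokenPolicyValidator
/**
 * Copy the SignedParts/EncryptedParts/SignedElements/EncryptedElements
 * policies of a SupportingToken binding into this validator.
 */
protected void setSignedEncryptedPolicies(SupportingToken binding) {
    setSignedParts(binding.getSignedParts());
    setEncryptedParts(binding.getEncryptedParts());
    setSignedElements(binding.getSignedElements());
    setEncryptedElements(binding.getEncryptedElements());
}

// in each validatePolicy, replacing the four setter calls
setSignedEncryptedPolicies(binding);
```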
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java+5 0 modified
    @@ -71,6 +71,11 @@ public boolean validatePolicy(
                     continue;
                 }
                 ai.setAsserted(true);
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
     
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java+6 1 modified
    @@ -70,7 +70,12 @@ public boolean validatePolicy(
                     continue;
                 }
                 ai.setAsserted(true);
    -
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
    +            
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
                     if (!isTokenRequired(token, message)) {
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java+5 0 modified
    @@ -70,6 +70,11 @@ public boolean validatePolicy(
                     continue;
                 }
                 ai.setAsserted(true);
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
     
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java+5 0 modified
    @@ -72,6 +72,11 @@ public boolean validatePolicy(
                     continue;
                 }
                 ai.setAsserted(true);
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
     
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java+5 0 modified
    @@ -70,6 +70,11 @@ public boolean validatePolicy(
                     continue;
                 }
                 ai.setAsserted(true);
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
     
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java+5 0 modified
    @@ -70,6 +70,11 @@ public boolean validatePolicy(
                 }
                 ai.setAsserted(true);
                 
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
    +            
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
                     if (!isTokenRequired(token, message)) {
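Review bot: When the SupportingTokens policy carries no `sp:SignedParts`/`sp:EncryptedParts`/`sp:SignedElements`/`sp:EncryptedElements` child, the four getters presumably return null and that null is stored unconditionally; the base-class coverage check (outside this hunk) must treat null as "no additional coverage required" rather than dereferencing it, since the existing UsernameToken and SAML supporting-token policies in the tree have no such children. A short note at the call site, `// null when the policy declares no parts/elements; base class must tolerate that`, makes the contract explicit. The coverage is also set before the `isTokenRequired` filter on the next line, so a token that is not required still leaves its coverage installed on the validator. `validatePolicy` starts outside the hunk.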
    
  • systests/ws-security/src/test/java/org/apache/cxf/systest/ws/policy/PolicyAlternativeTest.java+62 3 modified
    @@ -79,7 +79,7 @@ public void testAsymmetric() throws Exception {
             QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricPort");
             DoubleItPortType utPort = 
                     service.getPort(portQName, DoubleItPortType.class);
    -        updateAddressPort(utPort, PORT2);
    +        updateAddressPort(utPort, PORT);
             
             utPort.doubleIt(25);
             
    @@ -104,7 +104,7 @@ public void testNoSecurity() throws Exception {
             QName portQName = new QName(NAMESPACE, "DoubleItNoSecurityPort");
             DoubleItPortType utPort = 
                     service.getPort(portQName, DoubleItPortType.class);
    -        updateAddressPort(utPort, PORT2);
    +        updateAddressPort(utPort, PORT);
             
             try {
                 utPort.doubleIt(25);
    @@ -134,11 +134,70 @@ public void testUsernameToken() throws Exception {
             QName portQName = new QName(NAMESPACE, "DoubleItUsernameTokenPort");
             DoubleItPortType utPort = 
                     service.getPort(portQName, DoubleItPortType.class);
    -        updateAddressPort(utPort, PORT2);
    +        updateAddressPort(utPort, PORT);
             
             utPort.doubleIt(25);
             
             bus.shutdown(true);
         }
         
    +    /**
    +     * The client uses a Transport binding policy with a Endorsing Supporting X509 Token. The client does
    +     * not sign part of the WSA header though and so the invocation should fail.
    +     */
    +    @org.junit.Test
    +    public void testTransportSupportingSigned() throws Exception {
    +
    +        SpringBusFactory bf = new SpringBusFactory();
    +        URL busFile = PolicyAlternativeTest.class.getResource("client/client.xml");
    +
    +        Bus bus = bf.createBus(busFile.toString());
    +        SpringBusFactory.setDefaultBus(bus);
    +        SpringBusFactory.setThreadDefaultBus(bus);
    +
    +        URL wsdl = PolicyAlternativeTest.class.getResource("DoubleItPolicy.wsdl");
    +        Service service = Service.create(wsdl, SERVICE_QNAME);
    +        QName portQName = new QName(NAMESPACE, "DoubleItTransportSupportingSignedPort");
    +        DoubleItPortType transportPort = 
    +                service.getPort(portQName, DoubleItPortType.class);
    +        updateAddressPort(transportPort, PORT2);
    +
    +        try {
    +            transportPort.doubleIt(25);
    +            fail("Failure expected on not signing a wsa header");
    +        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
    +            // expected
    +        }
    +    }
    +    
    +    /**
    +     * The client uses a Transport binding policy with a Endorsing Supporting X509 Token as well as a 
    +     * Signed Endorsing UsernameToken. Here the client is trying to trick the Service Provider as 
    +     * the UsernameToken signs the wsa:To Header, not the X.509 Token.
    +     */
    +    @org.junit.Test
    +    public void testTransportUTSupportingSigned() throws Exception {
    +
    +        SpringBusFactory bf = new SpringBusFactory();
    +        URL busFile = PolicyAlternativeTest.class.getResource("client/client.xml");
    +
    +        Bus bus = bf.createBus(busFile.toString());
    +        SpringBusFactory.setDefaultBus(bus);
    +        SpringBusFactory.setThreadDefaultBus(bus);
    +
    +        URL wsdl = PolicyAlternativeTest.class.getResource("DoubleItPolicy.wsdl");
    +        Service service = Service.create(wsdl, SERVICE_QNAME);
    +        QName portQName = new QName(NAMESPACE, "DoubleItTransportUTSupportingSignedPort");
    +        DoubleItPortType transportPort = 
    +                service.getPort(portQName, DoubleItPortType.class);
    +        updateAddressPort(transportPort, PORT2);
    +
    +        try {
    +            transportPort.doubleIt(25);
    +            fail("Failure expected on not signing a wsa header");
    +        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
    +            // expected
    +        }
    +    }
    +    
     }
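Review bot: Neither new test calls `bus.shutdown(true)`, unlike the three existing tests in this class (see the end of `testUsernameToken` above), so the buses created by `testTransportSupportingSigned` and `testTransportUTSupportingSigned` leak across the test run. Both negative tests also accept any `SOAPFaultException` as success, which means an unrelated server fault (for example a misconfigured endpoint or callback) would make the "must reject an unsigned wsa:To" case pass without exercising the coverage check at all; assert on the fault text the coverage validator emits, e.g. `assertTrue(ex.getMessage(), ex.getMessage().contains("...policy..."))` with the real fragment, inside the catch block. Wrapping the invocation in `try { ... } finally { bus.shutdown(true); }` fixes the leak without changing what the tests assert.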
    
  • systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java+22 0 modified
    @@ -466,6 +466,28 @@ public void testAsymmetricSignatureReplay() throws Exception {
             bus.shutdown(true);
         }
         
    +    @org.junit.Test
    +    public void testTransportSupportingSigned() throws Exception {
    +        if (!unrestrictedPoliciesInstalled) {
    +            return;
    +        }
    +
    +        SpringBusFactory bf = new SpringBusFactory();
    +        URL busFile = X509TokenTest.class.getResource("client/client.xml");
    +
    +        Bus bus = bf.createBus(busFile.toString());
    +        SpringBusFactory.setDefaultBus(bus);
    +        SpringBusFactory.setThreadDefaultBus(bus);
    +
    +        URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
    +        Service service = Service.create(wsdl, SERVICE_QNAME);
    +        QName portQName = new QName(NAMESPACE, "DoubleItTransportSupportingSignedPort");
    +        DoubleItPortType x509Port = 
    +                service.getPort(portQName, DoubleItPortType.class);
    +        updateAddressPort(x509Port, PORT2);
    +        x509Port.doubleIt(25);
    +    }
    +    
         private boolean checkUnrestrictedPoliciesInstalled() {
             try {
                 byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
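Review bot: The new `testTransportSupportingSigned` never calls `bus.shutdown(true)`, whereas the neighbouring `testAsymmetricSignatureReplay` ends with exactly that call, so this test leaves its Spring bus registered as the thread/default bus for whatever runs next. Adding `bus.shutdown(true);` after `x509Port.doubleIt(25);` matches the file's convention. This is a positive-only case (the X.509 endorsing signature does cover Body and wsa:To); the negative counterpart lives in PolicyAlternativeTest, which is worth stating in a one-line Javadoc on the method so the split is not mistaken for a missing test.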
    
  • systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/client/client.xml+147 1 modified
    @@ -98,8 +98,51 @@
             </jaxws:features>
         </jaxws:client>
         
    +    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSupportingSignedPort" 
    +                  createdFromAPI="true">
    +       <jaxws:properties>
    +           <entry key="ws-security.signature.properties" 
    +                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
    +           <entry key="ws-security.signature.username" value="alice"/>
    +           <entry key="ws-security.callback-handler" 
    +                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
    +       </jaxws:properties>
    +       <jaxws:features>
    +            <p:policies>
    +                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
    +                                     URI="#DoubleItTransportSupportingSignedPolicy" />
    +            </p:policies>
    +        </jaxws:features>
    +    </jaxws:client>
    +    
    +    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportUTSupportingSignedPort" 
    +                  createdFromAPI="true">
    +       <jaxws:properties>
    +           <entry key="ws-security.username" value="alice"/>
    +           <entry key="ws-security.signature.properties" 
    +                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
    +           <entry key="ws-security.signature.username" value="alice"/>
    +           <entry key="ws-security.callback-handler" 
    +                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
    +       </jaxws:properties>
    +       <jaxws:features>
    +            <p:policies>
    +                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
    +                                     URI="#DoubleItTransportUTSupportingSignedPolicy" />
    +            </p:policies>
    +        </jaxws:features>
    +    </jaxws:client>
    +    
    +    <http:conduit name="https://localhost:.*">
    +        <http:tlsClientParameters disableCNCheck="true">
    +            <sec:trustManagers>
    +                <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
    +            </sec:trustManagers>
    +        </http:tlsClientParameters>
    +    </http:conduit>  
    +    
     	
    -	<wsp:Policy wsu:Id="UsernameToken"
    +    <wsp:Policy wsu:Id="UsernameToken"
             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
             <wsp:ExactlyOne>
    @@ -164,4 +207,107 @@
             </wsp:ExactlyOne>
         </wsp:Policy>
         
    +    <wsp:Policy wsu:Id="DoubleItTransportSupportingSignedPolicy"
    +        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    +        xmlns:wsp="http://www.w3.org/ns/ws-policy">
    +        <wsp:ExactlyOne>
    +            <wsp:All>
    +                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
    +                <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    +                    <wsp:Policy>
    +                        <sp:TransportToken>
    +                            <wsp:Policy>
    +                                <sp:HttpsToken>
    +                                    <wsp:Policy/>
    +                                </sp:HttpsToken>
    +                            </wsp:Policy>
    +                        </sp:TransportToken>
    +                        <sp:Layout>
    +                            <wsp:Policy>
    +                                <sp:Lax />
    +                            </wsp:Policy>
    +                        </sp:Layout>
    +                        <sp:IncludeTimestamp />
    +                        <sp:AlgorithmSuite>
    +                            <wsp:Policy>
    +                                <sp:Basic128 />
    +                            </wsp:Policy>
    +                        </sp:AlgorithmSuite>
    +                    </wsp:Policy>
    +                </sp:TransportBinding>
    +                <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    +                   <wsp:Policy>
    +                        <sp:X509Token
    +                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    +                           <wsp:Policy>
    +                              <sp:WssX509V3Token10 />
    +                           </wsp:Policy>
    +                        </sp:X509Token>
    +                        <sp:SignedParts>
    +                            <sp:Body/>
    +                            <!-- <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/> -->
    +                        </sp:SignedParts>
    +                    </wsp:Policy>
    +                </sp:EndorsingSupportingTokens>
    +            </wsp:All>
    +        </wsp:ExactlyOne>
    +    </wsp:Policy>
    +    
    +    <wsp:Policy wsu:Id="DoubleItTransportUTSupportingSignedPolicy"
    +        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    +        xmlns:wsp="http://www.w3.org/ns/ws-policy">
    +        <wsp:ExactlyOne>
    +            <wsp:All>
    +                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
    +                <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    +                    <wsp:Policy>
    +                        <sp:TransportToken>
    +                            <wsp:Policy>
    +                                <sp:HttpsToken>
    +                                    <wsp:Policy/>
    +                                </sp:HttpsToken>
    +                            </wsp:Policy>
    +                        </sp:TransportToken>
    +                        <sp:Layout>
    +                            <wsp:Policy>
    +                                <sp:Lax />
    +                            </wsp:Policy>
    +                        </sp:Layout>
    +                        <sp:IncludeTimestamp />
    +                        <sp:AlgorithmSuite>
    +                            <wsp:Policy>
    +                                <sp:Basic128 />
    +                            </wsp:Policy>
    +                        </sp:AlgorithmSuite>
    +                    </wsp:Policy>
    +                </sp:TransportBinding>
    +                <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  >
    +                   <wsp:Policy>
    +                        <sp:X509Token
    +                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    +                           <wsp:Policy>
    +                              <sp:WssX509V3Token10 />
    +                           </wsp:Policy>
    +                        </sp:X509Token>
    +                        <sp:SignedParts>
    +                            <sp:Body/>
    +                        </sp:SignedParts>
    +                    </wsp:Policy>
    +                </sp:EndorsingSupportingTokens>
    +                <sp:SignedEndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    +                   <wsp:Policy>
    +                        <sp:UsernameToken
    +                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    +                           <wsp:Policy/>
    +                        </sp:UsernameToken>
    +                        <sp:SignedParts>
    +                            <sp:Body/>
    +                            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
    +                        </sp:SignedParts>
    +                    </wsp:Policy>
    +                </sp:SignedEndorsingSupportingTokens>
    +            </wsp:All>
    +        </wsp:ExactlyOne>
    +    </wsp:Policy>
    +    
     </beans>
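Review bot: The commented-out `<sp:Header Name="To" .../>` inside `DoubleItTransportSupportingSignedPolicy` is the whole point of the negative test (the client deliberately signs less than the server demands), but as written it reads like leftover configuration that someone will "helpfully" restore and silently turn the test into a positive case. Replace it with an explicit note, e.g. `<!-- Negative test: wsa:To is intentionally NOT signed here; the server policy requires it and must reject the call -->`. The new `http:conduit` block also sets `disableCNCheck="true"` for every `https://localhost:.*` client in this file; that is fine for a localhost test certificate but deserves a `<!-- test only: self-signed localhost cert -->` comment so it is not copied into a real client configuration.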
    
  • systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl+6 0 modified
    @@ -57,6 +57,12 @@
             <wsdl:port name="DoubleItNoSecurityPort" binding="tns:DoubleItInlinePolicyBinding">
                 <soap:address location="http://localhost:9010/DoubleItNoSecurity" />
             </wsdl:port>
    +        <wsdl:port name="DoubleItTransportSupportingSignedPort" binding="tns:DoubleItInlinePolicyBinding">
    +            <soap:address location="https://localhost:9011/DoubleItTransportSupportingSigned" />
    +        </wsdl:port>
    +        <wsdl:port name="DoubleItTransportUTSupportingSignedPort" binding="tns:DoubleItInlinePolicyBinding">
    +            <soap:address location="https://localhost:9011/DoubleItTransportUTSupportingSigned" />
    +        </wsdl:port>
         </wsdl:service>
     
     </wsdl:definitions>
    
  • systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml+121 3 modified
    @@ -44,8 +44,32 @@
             </cxf:features>
         </cxf:bus>
         
    +    <!-- -->
    +    <!-- Any services listening on port 9009 must use the following -->
    +    <!-- Transport Layer Security (TLS) settings -->
    +    <!-- -->
    +    <httpj:engine-factory id="tls-settings">
    +        <httpj:engine port="${testutil.ports.Server.2}">
    +            <httpj:tlsServerParameters>
    +                <sec:keyManagers keyPassword="password">
    +                    <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/>
    +                </sec:keyManagers>
    +                <sec:cipherSuitesFilter>
    +                    <sec:include>.*_EXPORT_.*</sec:include>
    +                    <sec:include>.*_EXPORT1024_.*</sec:include>
    +                    <sec:include>.*_WITH_DES_.*</sec:include>
    +                    <sec:include>.*_WITH_AES_.*</sec:include>
    +                    <sec:include>.*_WITH_NULL_.*</sec:include>
    +                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
    +                </sec:cipherSuitesFilter>
    +                <sec:clientAuthentication want="true" required="false"/>
    +            </httpj:tlsServerParameters>
    +        </httpj:engine>
    +    </httpj:engine-factory>
    +    
    +    
     	<jaxws:endpoint id="AsymmetricEndpoint"
    -		address="http://localhost:${testutil.ports.Server.2}/DoubleItAsymmetric"
    +		address="http://localhost:${testutil.ports.Server}/DoubleItAsymmetric"
     		serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricPort"
     		xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
     		wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl">
    @@ -68,7 +92,7 @@
     	</jaxws:endpoint>
     
         <jaxws:endpoint id="NoSecurityEndpoint"
    -        address="http://localhost:${testutil.ports.Server.2}/DoubleItNoSecurity"
    +        address="http://localhost:${testutil.ports.Server}/DoubleItNoSecurity"
             serviceName="s:DoubleItService" endpointName="s:DoubleItNoSecurityPort"
             xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
             wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl">
    @@ -91,7 +115,7 @@
         </jaxws:endpoint>
         
         <jaxws:endpoint id="UsernameTokenEndpoint"
    -        address="http://localhost:${testutil.ports.Server.2}/DoubleItUsernameToken"
    +        address="http://localhost:${testutil.ports.Server}/DoubleItUsernameToken"
             serviceName="s:DoubleItService" endpointName="s:DoubleItUsernameTokenPort"
             xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
             wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl">
    @@ -112,6 +136,54 @@
             </jaxws:features>
     
         </jaxws:endpoint>
    +    
    +    <jaxws:endpoint 
    +       id="TransportSupportingSigned"
    +       address="https://localhost:${testutil.ports.Server.2}/DoubleItTransportSupportingSigned" 
    +       serviceName="s:DoubleItService"
    +       endpointName="s:DoubleItTransportSupportingSignedPort"
    +       xmlns:s="http://www.example.org/contract/DoubleIt"
    +       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
    +       wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl"
    +       depends-on="tls-settings">
    +        
    +       <jaxws:properties>
    +          <entry key="ws-security.encryption.properties" 
    +                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
    +       </jaxws:properties> 
    +       <jaxws:features>
    +            <p:policies>
    +                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
    +                                     URI="#DoubleItTransportSupportingSignedPolicy" />
    +            </p:policies>
    +        </jaxws:features>
    +     
    +    </jaxws:endpoint> 
    +    
    +    <jaxws:endpoint 
    +       id="TransportUTSupportingSigned"
    +       address="https://localhost:${testutil.ports.Server.2}/DoubleItTransportUTSupportingSigned" 
    +       serviceName="s:DoubleItService"
    +       endpointName="s:DoubleItTransportUTSupportingSignedPort"
    +       xmlns:s="http://www.example.org/contract/DoubleIt"
    +       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
    +       wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl"
    +       depends-on="tls-settings">
    +        
    +       <jaxws:properties>
    +          <entry key="ws-security.encryption.properties" 
    +                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
    +          <entry key="ws-security.callback-handler"
    +                value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
    +       </jaxws:properties> 
    +       <jaxws:features>
    +            <p:policies>
    +                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
    +                                     URI="#DoubleItTransportSupportingSignedPolicy" />
    +            </p:policies>
    +        </jaxws:features>
    +     
    +    </jaxws:endpoint> 
     
     
     	<wsp:Policy wsu:Id="Combined"
    @@ -189,6 +261,52 @@
     		</wsp:ExactlyOne>
     	</wsp:Policy>
     	
    +	<wsp:Policy wsu:Id="DoubleItTransportSupportingSignedPolicy"
    +	    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    +        xmlns:wsp="http://www.w3.org/ns/ws-policy">
    +        <wsp:ExactlyOne>
    +            <wsp:All>
    +                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
    +                <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    +                    <wsp:Policy>
    +                        <sp:TransportToken>
    +                            <wsp:Policy>
    +                                <sp:HttpsToken>
    +                                    <wsp:Policy/>
    +                                </sp:HttpsToken>
    +                            </wsp:Policy>
    +                        </sp:TransportToken>
    +                        <sp:Layout>
    +                            <wsp:Policy>
    +                                <sp:Lax />
    +                            </wsp:Policy>
    +                        </sp:Layout>
    +                        <sp:IncludeTimestamp />
    +                        <sp:AlgorithmSuite>
    +                            <wsp:Policy>
    +                                <sp:Basic128 />
    +                            </wsp:Policy>
    +                        </sp:AlgorithmSuite>
    +                    </wsp:Policy>
    +                </sp:TransportBinding>
    +                <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  >
    +                   <wsp:Policy>
    +                        <sp:X509Token
    +                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    +                           <wsp:Policy>
    +                              <sp:WssX509V3Token10 />
    +                           </wsp:Policy>
    +                        </sp:X509Token>
    +                        <sp:SignedParts>
    +                            <sp:Body/>
    +                            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
    +                        </sp:SignedParts>
    +                    </wsp:Policy>
    +                </sp:EndorsingSupportingTokens>
    +            </wsp:All>
    +        </wsp:ExactlyOne>
    +    </wsp:Policy>
    +	
     
         
     </beans>
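Review bot: The `TransportUTSupportingSigned` endpoint references `#DoubleItTransportSupportingSignedPolicy`, the policy with only the X.509 EndorsingSupportingTokens, while the client side of the same port (and the test Javadoc) describe an additional SignedEndorsing UsernameToken that signs wsa:To; the server policy defined in this file never declares that UsernameToken, so the test may be rejecting the request for a different reason than the one under test. If the intent is "the UT's signature over wsa:To must not satisfy the X.509 token's SignedParts", add a server-side `DoubleItTransportUTSupportingSignedPolicy` mirroring the client's but with the UT's SignedParts limited to `sp:Body`, and reference it from this endpoint. Separately, the `tls-settings` comment says "port 9009" but the engine binds `${testutil.ports.Server.2}`, and the cipher filter includes `.*_EXPORT_.*`, `.*_WITH_DES_.*` and `.*_WITH_NULL_.*` suites; the tests only need `.*_WITH_AES_.*`, and NULL/EXPORT includes in a frequently copied fixture are a liability, so fix the comment and drop the weak includes.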
    
  • systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml+11 0 modified
    @@ -211,6 +211,17 @@
            </jaxws:properties>
         </jaxws:client>
         
    +    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSupportingSignedPort" 
    +                  createdFromAPI="true">
    +       <jaxws:properties>
    +           <entry key="ws-security.signature.properties" 
    +                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
    +           <entry key="ws-security.signature.username" value="alice"/>
    +           <entry key="ws-security.callback-handler" 
    +                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
    +       </jaxws:properties>
    +    </jaxws:client>
    +    
         <http:conduit name="https://localhost:.*">
             <http:tlsClientParameters disableCNCheck="true">
                 <sec:trustManagers>
    
  • systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl+70 0 modified
    @@ -258,6 +258,23 @@
                 </wsdl:fault>
             </wsdl:operation>
         </wsdl:binding>
    +    <wsdl:binding name="DoubleItTransportSupportingSignedBinding" type="tns:DoubleItPortType">
    +        <wsp:PolicyReference URI="#DoubleItTransportSupportingSignedPolicy" />
    +        <soap:binding style="document"
    +            transport="http://schemas.xmlsoap.org/soap/http" />
    +        <wsdl:operation name="DoubleIt">
    +            <soap:operation soapAction="" />
    +            <wsdl:input>
    +                <soap:body use="literal" />
    +            </wsdl:input>
    +            <wsdl:output>
    +                <soap:body use="literal" />
    +            </wsdl:output>
    +            <wsdl:fault name="DoubleItFault">
    +                <soap:body use="literal" name="DoubleItFault" />
    +            </wsdl:fault>
    +        </wsdl:operation>
    +    </wsdl:binding>
         
         <wsdl:service name="DoubleItService">
             <wsdl:port name="DoubleItKeyIdentifierPort" binding="tns:DoubleItKeyIdentifierBinding">
    @@ -305,6 +322,10 @@
                        binding="tns:DoubleItTransportSignedEndorsingEncryptedBinding">
                 <soap:address location="https://localhost:9002/DoubleItX509TransportSignedEndorsingEncrypted" />
             </wsdl:port>
    +        <wsdl:port name="DoubleItTransportSupportingSignedPort" 
    +                   binding="tns:DoubleItTransportSupportingSignedBinding">
    +            <soap:address location="https://localhost:9002/DoubleItX509TransportSupportingSigned" />
    +        </wsdl:port>
         </wsdl:service>
     
         <wsp:Policy wsu:Id="DoubleItKeyIdentifierPolicy">
    @@ -778,6 +799,55 @@
             </wsp:ExactlyOne>
         </wsp:Policy>
         
    +    <wsp:Policy wsu:Id="DoubleItTransportSupportingSignedPolicy">
    +        <wsp:ExactlyOne>
    +            <wsp:All>
    +                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
    +                <sp:TransportBinding>
    +                    <wsp:Policy>
    +                        <sp:TransportToken>
    +                            <wsp:Policy>
    +                                <sp:HttpsToken>
    +                                    <wsp:Policy/>
    +                                </sp:HttpsToken>
    +                            </wsp:Policy>
    +                        </sp:TransportToken>
    +                        <sp:Layout>
    +                            <wsp:Policy>
    +                                <sp:Lax />
    +                            </wsp:Policy>
    +                        </sp:Layout>
    +                        <sp:IncludeTimestamp />
    +                        <sp:AlgorithmSuite>
    +                            <wsp:Policy>
    +                                <sp:Basic128 />
    +                            </wsp:Policy>
    +                        </sp:AlgorithmSuite>
    +                    </wsp:Policy>
    +                </sp:TransportBinding>
    +                <sp:EndorsingSupportingTokens>
    +                   <wsp:Policy>
    +                        <sp:X509Token
    +                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    +                           <wsp:Policy>
    +                              <sp:WssX509V3Token10 />
    +                           </wsp:Policy>
    +                        </sp:X509Token>
    +                        <sp:SignedParts>
    +                            <sp:Body/>
    +                            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
    +                        </sp:SignedParts>
    +                        <!--
    +                        <sp:SignedElements>
    +                            <sp:XPath>//ReplyTo</sp:XPath>
    +                        </sp:SignedElements>
    +                        -->
    +                    </wsp:Policy>
    +                </sp:EndorsingSupportingTokens>
    +            </wsp:All>
    +        </wsp:ExactlyOne>
    +    </wsp:Policy>
    +    
         
         <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
           <wsp:ExactlyOne>
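Review bot: The commented-out `<sp:SignedElements><sp:XPath>//ReplyTo</sp:XPath></sp:SignedElements>` in `DoubleItTransportSupportingSignedPolicy` is dead configuration, and the XPath would not work even if enabled: an unprefixed name test in XPath 1.0 matches elements in no namespace, so `//ReplyTo` can never select `wsa:ReplyTo`. Either remove the block or, if it records a planned test, replace it with a working expression such as `<sp:XPath xmlns:wsa="http://www.w3.org/2005/08/addressing">//wsa:ReplyTo</sp:XPath>` together with a comment saying why it is disabled. The hard-coded `https://localhost:9002/...` address for the new port follows the file's existing pattern and is overridden by `updateAddressPort` in the test, which is worth noting next to it.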
    
  • systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml+17 0 modified
    @@ -348,4 +348,21 @@
          
         </jaxws:endpoint> 
         
    +    <jaxws:endpoint 
    +       id="TransportSupportingSigned"
    +       address="https://localhost:${testutil.ports.Server.2}/DoubleItX509TransportSupportingSigned" 
    +       serviceName="s:DoubleItService"
    +       endpointName="s:DoubleItTransportSupportingSignedPort"
    +       xmlns:s="http://www.example.org/contract/DoubleIt"
    +       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
    +       wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl"
    +       depends-on="tls-settings">
    +        
    +       <jaxws:properties>
    +          <entry key="ws-security.encryption.properties" 
    +                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
    +       </jaxws:properties> 
    +     
    +    </jaxws:endpoint> 
    +    
     </beans>
    
4500bf901cb2

Improved SupportingToken policy validation

https://github.com/apache/cxfColm O HeigeartaighMay 14, 2012via ghsa
18 files changed · +892 28
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java+8 4 modified
    @@ -69,6 +69,7 @@
     import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
     import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
     import org.apache.cxf.ws.security.wss4j.policyvalidators.BindingPolicyValidator;
    +import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingTokenPolicyValidator;
     import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator;
     import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator;
     import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
    @@ -562,9 +563,6 @@ protected void doResults(
                 LOG.fine("Incoming request failed supporting token policy validation");
             }
             
    -        // The supporting tokens are already validated
    -        assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
    -        
             // relatively irrelevant stuff from a verification standpoint
             assertPolicy(aim, SP12Constants.LAYOUT);
             assertPolicy(aim, SP12Constants.WSS10);
    @@ -703,7 +701,13 @@ private boolean checkSupportingTokenCoverage(
             
             boolean check = true;
             
    -        SupportingTokenPolicyValidator validator = new SignedTokenPolicyValidator();
    +        SupportingTokenPolicyValidator validator = new ConcreteSupportingTokenPolicyValidator();
    +        validator.setUsernameTokenResults(utResults, utWithCallbacks);
    +        validator.setSAMLTokenResults(samlResults);
    +        validator.setTimestampElement(timestamp);
    +        check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
    +        
    +        validator = new SignedTokenPolicyValidator();
             validator.setUsernameTokenResults(utResults, utWithCallbacks);
             validator.setSAMLTokenResults(samlResults);
             validator.setTimestampElement(timestamp);
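Review bot: The `check &= validator.validatePolicy(...)` added in checkSupportingTokenCoverage deliberately avoids short-circuiting so the later validators still run after a failure, but nothing in the code says so and a later cleanup could turn it into `&&`. I would put a comment above the ConcreteSupportingTokenPolicyValidator construction: `// Run every supporting-token validator even after a failure so each unmet assertion records its own setNotAsserted reason; with the blanket assertPolicy(SUPPORTING_TOKENS) removed from doResults, plain SupportingToken assertions are presumably asserted only by this validator.` The setUsernameTokenResults/setSAMLTokenResults/setTimestampElement triple is now repeated for each validator and could move into a small private helper that takes the validator. checkSupportingTokenCoverage starts and ends outside the hunk, so the validatePolicy call for the SignedTokenPolicyValidator that follows is not visible here.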
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java+270 16 modified
    @@ -23,14 +23,30 @@
     import java.util.ArrayList;
     import java.util.Arrays;
     import java.util.List;
    +import java.util.Map;
    +import java.util.logging.Level;
    +import java.util.logging.Logger;
     
     import javax.xml.namespace.QName;
    +import javax.xml.soap.SOAPException;
    +import javax.xml.soap.SOAPMessage;
    +import javax.xml.xpath.XPath;
    +import javax.xml.xpath.XPathConstants;
    +import javax.xml.xpath.XPathExpressionException;
    +import javax.xml.xpath.XPathFactory;
     
     import org.w3c.dom.Element;
    +import org.w3c.dom.NodeList;
     
    +import org.apache.cxf.common.logging.LogUtils;
     import org.apache.cxf.helpers.CastUtils;
    +import org.apache.cxf.helpers.DOMUtils;
    +import org.apache.cxf.helpers.MapNamespaceContext;
     import org.apache.cxf.message.Message;
     import org.apache.cxf.security.transport.TLSSessionInfo;
    +import org.apache.cxf.ws.security.policy.model.Header;
    +import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
    +import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
     import org.apache.ws.security.WSConstants;
     import org.apache.ws.security.WSDataRef;
     import org.apache.ws.security.WSSecurityEngine;
    @@ -48,6 +64,8 @@
     public abstract class AbstractSupportingTokenPolicyValidator 
         extends AbstractTokenPolicyValidator implements SupportingTokenPolicyValidator {
         
    +    private static final Logger LOG = LogUtils.getL7dLogger(AbstractSupportingTokenPolicyValidator.class);
    +    
         private Message message;
         private List<WSSecurityEngineResult> results;
         private List<WSSecurityEngineResult> signedResults;
    @@ -59,7 +77,11 @@ public abstract class AbstractSupportingTokenPolicyValidator
         private boolean signed;
         private boolean encrypted;
         private boolean derived;
    -    private boolean endorsed;
    +    private boolean endorsed; 
    +    private SignedEncryptedElements signedElements;
    +    private SignedEncryptedElements encryptedElements;
    +    private SignedEncryptedParts signedParts;
    +    private SignedEncryptedParts encryptedParts;
     
         /**
          * Set the list of UsernameToken results
    @@ -130,7 +152,7 @@ protected boolean processUsernameTokens() {
             tokenResults.addAll(utResults);
             List<WSSecurityEngineResult> dktResults = new ArrayList<WSSecurityEngineResult>();
             for (WSSecurityEngineResult wser : utResults) {
    -            if (endorsed && derived) {
    +            if (derived) {
                     byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                     WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
                     if (dktResult != null) {
    @@ -150,9 +172,10 @@ protected boolean processUsernameTokens() {
                 return false;
             }
             tokenResults.addAll(dktResults);
    -        if (endorsed && !checkEndorsed(tokenResults)) {
    +        if ((endorsed && !checkEndorsed(tokenResults)) || !validateSignedEncryptedPolicies(tokenResults)) {
                 return false;
             }
    +        
             return true;
         }
         
    @@ -174,6 +197,11 @@ protected boolean processSAMLTokens() {
             if (endorsed && !checkEndorsed(samlResults)) {
                 return false;
             }
    +        
    +        if (!validateSignedEncryptedPolicies(samlResults)) {
    +            return false;
    +        }
    +        
             return true;
         }
         
    @@ -190,7 +218,7 @@ protected boolean processKerberosTokens() {
                     BinarySecurity binarySecurity = 
                         (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                     if (binarySecurity instanceof KerberosSecurity) {
    -                    if (endorsed && derived) {
    +                    if (derived) {
                             byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                             WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
                             if (dktResult != null) {
    @@ -216,6 +244,11 @@ protected boolean processKerberosTokens() {
             if (endorsed && !checkEndorsed(tokenResults)) {
                 return false;
             }
    +        
    +        if (!validateSignedEncryptedPolicies(tokenResults)) {
    +            return false;
    +        }
    +        
             return true;
         }
         
    @@ -233,7 +266,7 @@ protected boolean processX509Tokens() {
                         (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                     if (binarySecurity instanceof X509Security
                         || binarySecurity instanceof PKIPathSecurity) {
    -                    if (endorsed && derived) {
    +                    if (derived) {
                             WSSecurityEngineResult resultToStore = processX509DerivedTokenResult(wser);
                             if (resultToStore != null) {
                                 dktResults.add(resultToStore);
    @@ -258,6 +291,35 @@ protected boolean processX509Tokens() {
             if (endorsed && !checkEndorsed(tokenResults)) {
                 return false;
             }
    +        
    +        if (!validateSignedEncryptedPolicies(tokenResults)) {
    +            return false;
    +        }
    +        
    +        return true;
    +    }
    +    
    +    /**
    +     * Validate (SignedParts|SignedElements|EncryptedParts|EncryptedElements) policies of this
    +     * SupportingToken.
    +     */
    +    private boolean validateSignedEncryptedPolicies(List<WSSecurityEngineResult> tokenResults) {
    +        if (!validateSignedEncryptedParts(signedParts, false, signedResults, tokenResults)) {
    +            return false;
    +        }
    +        
    +        if (!validateSignedEncryptedParts(encryptedParts, true, encryptedResults, tokenResults)) {
    +            return false;
    +        }
    +        
    +        if (!validateSignedEncryptedElements(signedElements, false, signedResults, tokenResults)) {
    +            return false;
    +        }
    +        
    +        if (!validateSignedEncryptedElements(encryptedElements, false, encryptedResults, tokenResults)) {
    +            return false;
    +        }
    +        
             return true;
         }
         
    @@ -271,7 +333,7 @@ protected boolean processSCTokens() {
             for (WSSecurityEngineResult wser : results) {
                 Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
                 if (actInt.intValue() == WSConstants.SCT) {
    -                if (endorsed && derived) {
    +                if (derived) {
                         byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                         WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
                         if (dktResult != null) {
    @@ -296,6 +358,11 @@ protected boolean processSCTokens() {
             if (endorsed && !checkEndorsed(tokenResults)) {
                 return false;
             }
    +        
    +        if (!validateSignedEncryptedPolicies(tokenResults)) {
    +            return false;
    +        }
    +        
             return true;
         }
         
    @@ -417,7 +484,7 @@ private boolean checkTimestampIsSigned(List<WSSecurityEngineResult> tokenResults
                 if (sl != null) {
                     for (WSDataRef dataRef : sl) {
                         if (timestamp == dataRef.getProtectedElement()
    -                        && checkSignature(signedResult, tokenResults)) {
    +                        && checkSignatureOrEncryptionResult(signedResult, tokenResults)) {
                             return true;
                         }
                     }
    @@ -441,7 +508,7 @@ private boolean checkSignatureIsSigned(List<WSSecurityEngineResult> tokenResults
                     for (WSDataRef dataRef : sl) {
                         QName signedQName = dataRef.getName();
                         if (WSSecurityEngine.SIGNATURE.equals(signedQName)
    -                        && checkSignature(signedResult, tokenResults)) {
    +                        && checkSignatureOrEncryptionResult(signedResult, tokenResults)) {
                             return true;
                         }
                     }
    @@ -451,20 +518,20 @@ && checkSignature(signedResult, tokenResults)) {
         }
         
         /**
    -     * Check that a WSSecurityEngineResult corresponding to a signature uses the same 
    -     * signing credential as one of the tokens.
    -     * @param signatureResult a WSSecurityEngineResult corresponding to a signature
    +     * Check that a WSSecurityEngineResult corresponding to a signature or encryption uses the same 
    +     * signing/encrypting credential as one of the tokens.
    +     * @param signatureResult a WSSecurityEngineResult corresponding to a signature or encryption
          * @param tokenResult A list of WSSecurityEngineResults corresponding to tokens
          * @return 
          */
    -    private boolean checkSignature(
    -        WSSecurityEngineResult signatureResult,
    +    private boolean checkSignatureOrEncryptionResult(
    +        WSSecurityEngineResult result,
             List<WSSecurityEngineResult> tokenResult
         ) {
    -        // See what was used to sign this result
    +        // See what was used to sign/encrypt this result
             X509Certificate cert = 
    -            (X509Certificate)signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    -        byte[] secret = (byte[])signatureResult.get(WSSecurityEngineResult.TAG_SECRET);
    +            (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
    +        byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
             
             // Now see if the same credential exists in the tokenResult list
             for (WSSecurityEngineResult token : tokenResult) {
    @@ -509,6 +576,165 @@ private boolean checkSignature(
             return false;
         }
         
    +    /**
    +     * Validate the SignedParts or EncryptedParts policies
    +     */
    +    private boolean validateSignedEncryptedParts(
    +        SignedEncryptedParts parts,
    +        boolean content,
    +        List<WSSecurityEngineResult> protResults,
    +        List<WSSecurityEngineResult> tokenResults
    +    ) {
    +        if (parts == null) {
    +            return true;
    +        }
    +        
    +        if (parts.isBody()) {
    +            SOAPMessage soapMessage = message.getContent(SOAPMessage.class);
    +            Element soapBody = null;
    +            try {
    +                soapBody = soapMessage.getSOAPBody();
    +            } catch (SOAPException ex) {
    +                LOG.log(Level.FINE, ex.getMessage(), ex);
    +                return false;
    +            }
    +            
    +            if (!checkProtectionResult(soapBody, content, protResults, tokenResults)) {
    +                return false;
    +            }
    +        }
    +        
    +        for (Header h : parts.getHeaders()) {
    +            SOAPMessage soapMessage = message.getContent(SOAPMessage.class);
    +            Element soapHeader = null;
    +            try {
    +                soapHeader = soapMessage.getSOAPHeader();
    +            } catch (SOAPException ex) {
    +                LOG.log(Level.FINE, ex.getMessage(), ex);
    +                return false;
    +            }
    +            
    +            final List<Element> elements;
    +            if (h.getName() == null) {
    +                elements = DOMUtils.getChildrenWithNamespace(soapHeader, h.getNamespace());
    +            } else {
    +                elements = DOMUtils.getChildrenWithName(soapHeader, h.getNamespace(), h.getName());
    +            }
    +            
    +            for (Element el : elements) {
    +                if (!checkProtectionResult(el, false, protResults, tokenResults)) {
    +                    return false;
    +                }
    +            }
    +        }
    +        
    +        return true;
    +    }
    +    
    +    /**
    +     * Check that an Element is signed or encrypted by one of the token results
    +     */
    +    private boolean checkProtectionResult(
    +        Element elementToProtect,
    +        boolean content,
    +        List<WSSecurityEngineResult> protResults,
    +        List<WSSecurityEngineResult> tokenResults
    +    ) {
    +        for (WSSecurityEngineResult result : protResults) {
    +            List<WSDataRef> dataRefs = 
    +                CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
    +            if (dataRefs != null) {
    +                for (WSDataRef dataRef : dataRefs) {
    +                    if (elementToProtect == dataRef.getProtectedElement()
    +                        && content == dataRef.isContent()
    +                        && checkSignatureOrEncryptionResult(result, tokenResults)) {
    +                        return true;
    +                    }
    +                }
    +            }
    +        }
    +        return false;
    +    }
    +    
    +    /**
    +     * Validate SignedElements or EncryptedElements policies
    +     */
    +    private boolean validateSignedEncryptedElements(
    +        SignedEncryptedElements elements,
    +        boolean content,
    +        List<WSSecurityEngineResult> protResults,
    +        List<WSSecurityEngineResult> tokenResults
    +    ) {
    +        if (elements == null) {
    +            return true;
    +        }
    +        
    +        Map<String, String> namespaces = elements.getDeclaredNamespaces();
    +        List<String> xpaths = elements.getXPathExpressions();
    +        
    +        if (xpaths != null) {
    +            SOAPMessage soapMessage = message.getContent(SOAPMessage.class);
    +            Element soapEnvelope = soapMessage.getSOAPPart().getDocumentElement();
    +            
    +            for (String xPath : xpaths) {
    +                if (!checkXPathResult(soapEnvelope, xPath, namespaces, protResults, tokenResults)) {
    +                    return false;
    +                }
    +            }
    +        }
    +        
    +        return true;
    +    }
    +    
    +    /**
    +     * Check a particular XPath result
    +     */
    +    private boolean checkXPathResult(
    +        Element soapEnvelope,
    +        String xPath,
    +        Map<String, String> namespaces,
    +        List<WSSecurityEngineResult> protResults,
    +        List<WSSecurityEngineResult> tokenResults
    +    ) {
    +        // XPathFactory and XPath are not thread-safe so we must recreate them
    +        // each request.
    +        final XPathFactory factory = XPathFactory.newInstance();
    +        final XPath xpath = factory.newXPath();
    +        
    +        if (namespaces != null) {
    +            xpath.setNamespaceContext(new MapNamespaceContext(namespaces));
    +        }
    +        
    +        // For each XPath
    +        for (String xpathString : Arrays.asList(xPath)) {
    +            // Get the matching nodes
    +            NodeList list;
    +            try {
    +                list = (NodeList)xpath.evaluate(
    +                        xpathString, 
    +                        soapEnvelope,
    +                        XPathConstants.NODESET);
    +            } catch (XPathExpressionException e) {
    +                LOG.log(Level.FINE, e.getMessage(), e);
    +                return false;
    +            }
    +            
    +            // If we found nodes then we need to do the check.
    +            if (list.getLength() != 0) {
    +                // For each matching element, check for a ref that
    +                // covers it.
    +                for (int x = 0; x < list.getLength(); x++) {
    +                    final Element el = (Element)list.item(x);
    +                    
    +                    if (!checkProtectionResult(el, false, protResults, tokenResults)) {
    +                        return false;
    +                    }
    +                }
    +            }
    +        }
    +        return true;
    +    }
    +    
         /**
          * Return true if a token was signed, false otherwise.
          */
    @@ -543,5 +769,33 @@ private boolean isTokenEncrypted(Element token) {
             }
             return false;
         }
    +
    +    public void setUtResults(List<WSSecurityEngineResult> utResults) {
    +        this.utResults = utResults;
    +    }
    +
    +    public void setValidateUsernameToken(boolean validateUsernameToken) {
    +        this.validateUsernameToken = validateUsernameToken;
    +    }
    +
    +    public void setTimestamp(Element timestamp) {
    +        this.timestamp = timestamp;
    +    }
    +
    +    public void setSignedElements(SignedEncryptedElements signedElements) {
    +        this.signedElements = signedElements;
    +    }
    +
    +    public void setEncryptedElements(SignedEncryptedElements encryptedElements) {
    +        this.encryptedElements = encryptedElements;
    +    }
    +
    +    public void setSignedParts(SignedEncryptedParts signedParts) {
    +        this.signedParts = signedParts;
    +    }
    +
    +    public void setEncryptedParts(SignedEncryptedParts encryptedParts) {
    +        this.encryptedParts = encryptedParts;
    +    }
         
     }
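Review bot: The `content` parameter of validateSignedEncryptedElements is never used: the method only forwards to checkXPathResult, which hardcodes `false` in its checkProtectionResult call, so the `false` passed for both signedElements and encryptedElements in validateSignedEncryptedPolicies has no effect. Either drop the parameter or thread it through (`checkXPathResult(soapEnvelope, xPath, namespaces, content, protResults, tokenResults)` and `checkProtectionResult(el, content, protResults, tokenResults)`) so a reader does not assume element-versus-content coverage is being distinguished for Elements assertions the way it is for Parts. In checkXPathResult, `for (String xpathString : Arrays.asList(xPath))` iterates a single value and can use `xPath` directly. `message.getContent(SOAPMessage.class)` is dereferenced without a null check in validateSignedEncryptedParts and validateSignedEncryptedElements; if the SOAPMessage content can be absent at this point, a null should be treated as a policy failure (`return false`) rather than surfacing as a NullPointerException, and the lookup inside the header loop could be hoisted above it.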
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java+122 0 added
    @@ -0,0 +1,122 @@
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements. See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership. The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License. You may obtain a copy of the License at
    + *
    + * http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing,
    + * software distributed under the License is distributed on an
    + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    + * KIND, either express or implied. See the License for the
    + * specific language governing permissions and limitations
    + * under the License.
    + */
    +
    +package org.apache.cxf.ws.security.wss4j.policyvalidators;
    +
    +import java.util.Collection;
    +import java.util.List;
    +
    +import org.apache.cxf.message.Message;
    +import org.apache.cxf.ws.policy.AssertionInfo;
    +import org.apache.cxf.ws.policy.AssertionInfoMap;
    +import org.apache.cxf.ws.security.policy.SP12Constants;
    +import org.apache.cxf.ws.security.policy.SPConstants;
    +import org.apache.cxf.ws.security.policy.model.IssuedToken;
    +import org.apache.cxf.ws.security.policy.model.KerberosToken;
    +import org.apache.cxf.ws.security.policy.model.SamlToken;
    +import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
    +import org.apache.cxf.ws.security.policy.model.SupportingToken;
    +import org.apache.cxf.ws.security.policy.model.Token;
    +import org.apache.cxf.ws.security.policy.model.UsernameToken;
    +import org.apache.cxf.ws.security.policy.model.X509Token;
    +import org.apache.ws.security.WSSecurityEngineResult;
    +
    +/**
    + * Validate SupportingToken policies.
    + */
    +public class ConcreteSupportingTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
    +    
    +    public ConcreteSupportingTokenPolicyValidator() {
    +        setSigned(false);
    +    }
    +    
    +    public boolean validatePolicy(
    +        AssertionInfoMap aim, 
    +        Message message,
    +        List<WSSecurityEngineResult> results,
    +        List<WSSecurityEngineResult> signedResults,
    +        List<WSSecurityEngineResult> encryptedResults
    +    ) {
    +        Collection<AssertionInfo> ais = aim.get(SP12Constants.SUPPORTING_TOKENS);
    +        if (ais == null || ais.isEmpty()) {                       
    +            return true;
    +        }
    +        
    +        setMessage(message);
    +        setResults(results);
    +        setSignedResults(signedResults);
    +        setEncryptedResults(encryptedResults);
    +        
    +        for (AssertionInfo ai : ais) {
    +            SupportingToken binding = (SupportingToken)ai.getAssertion();
    +            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SUPPORTING != binding.getTokenType()) {
    +                continue;
    +            }
    +            ai.setAsserted(true);
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
    +            
    +            List<Token> tokens = binding.getTokens();
    +            for (Token token : tokens) {
    +                if (!isTokenRequired(token, message)) {
    +                    continue;
    +                }
    +                
    +                boolean processingFailed = false;
    +                if (token instanceof UsernameToken) {
    +                    if (!processUsernameTokens()) {
    +                        processingFailed = true;
    +                    }
    +                } else if (token instanceof SamlToken) {
    +                    if (!processSAMLTokens()) {
    +                        processingFailed = true;
    +                    }
    +                } else if (token instanceof KerberosToken) {
    +                    if (!processKerberosTokens()) {
    +                        processingFailed = true;
    +                    }
    +                } else if (token instanceof X509Token) {
    +                    if (!processX509Tokens()) {
    +                        processingFailed = true;
    +                    }
    +                } else if (token instanceof SecurityContextToken) {
    +                    if (!processSCTokens()) {
    +                        processingFailed = true;
    +                    }
    +                } else if (!(token instanceof IssuedToken)) {
    +                    processingFailed = true;
    +                }
    +                
    +                if (processingFailed) {
    +                    ai.setNotAsserted(
    +                        "The received token does not match the supporting token requirement"
    +                    );
    +                    return false;
    +                }
    +            }
    +
    +        }
    +        
    +        return true;
    +    }
    +    
    +}
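Review bot: validatePolicy in ConcreteSupportingTokenPolicyValidator implements the SupportingTokenPolicyValidator interface method but carries no `@Override` and no Javadoc, unlike the documented helpers in the abstract base. I would add `@Override` and a Javadoc stating that the method handles only assertions whose token type is SUPPORTING_TOKEN_SUPPORTING, marks each such assertion asserted before processing, and reverts it with setNotAsserted on the first token that fails. The `else if (!(token instanceof IssuedToken))` branch accepts an IssuedToken without checking the SignedParts/SignedElements set just above; if that is intentional because issued tokens are validated elsewhere, a comment such as `// IssuedToken is validated by its own policy validator` would record it, otherwise it is a gap in the coverage this commit adds.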
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java+5 0 modified
    @@ -69,6 +69,11 @@ public boolean validatePolicy(
                     continue;
                 }
                 ai.setAsserted(true);
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
     
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
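Review bot: The four setter calls (setSignedParts/setEncryptedParts/setSignedElements/setEncryptedElements on `binding`) are pasted verbatim here in EncryptedTokenPolicyValidator and, identically, into EndorsingEncryptedTokenPolicyValidator, EndorsingTokenPolicyValidator, SignedEncryptedTokenPolicyValidator, SignedEndorsingEncryptedTokenPolicyValidator, SignedEndorsingTokenPolicyValidator, SignedTokenPolicyValidator and ConcreteSupportingTokenPolicyValidator. A single protected helper on AbstractSupportingTokenPolicyValidator, e.g. `protected void setProtectionPolicies(SupportingToken binding)` wrapping the four calls, would make it impossible for one validator to miss part of the set in a later change. The enclosing validatePolicy and the declaration of `binding` are outside the hunk, so its type (presumably SupportingToken, as in the new Concrete validator) is inferred.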
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java+5 0 modified
    @@ -71,6 +71,11 @@ public boolean validatePolicy(
                     continue;
                 }
                 ai.setAsserted(true);
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
     
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java+6 1 modified
    @@ -70,7 +70,12 @@ public boolean validatePolicy(
                     continue;
                 }
                 ai.setAsserted(true);
    -
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
    +            
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
                     if (!isTokenRequired(token, message)) {
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java+5 0 modified
    @@ -70,6 +70,11 @@ public boolean validatePolicy(
                     continue;
                 }
                 ai.setAsserted(true);
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
     
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java+5 0 modified
    @@ -72,6 +72,11 @@ public boolean validatePolicy(
                     continue;
                 }
                 ai.setAsserted(true);
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
     
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java+5 0 modified
    @@ -70,6 +70,11 @@ public boolean validatePolicy(
                     continue;
                 }
                 ai.setAsserted(true);
    +            
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
     
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
    
  • rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java+5 0 modified
    @@ -70,6 +70,11 @@ public boolean validatePolicy(
                 }
                 ai.setAsserted(true);
                 
    +            setSignedParts(binding.getSignedParts());
    +            setEncryptedParts(binding.getEncryptedParts());
    +            setSignedElements(binding.getSignedElements());
    +            setEncryptedElements(binding.getEncryptedElements());
    +            
                 List<Token> tokens = binding.getTokens();
                 for (Token token : tokens) {
                     if (!isTokenRequired(token, message)) {
    
  • systests/ws-security/src/test/java/org/apache/cxf/systest/ws/policy/PolicyAlternativeTest.java+62 3 modified
    @@ -79,7 +79,7 @@ public void testAsymmetric() throws Exception {
             QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricPort");
             DoubleItPortType utPort = 
                     service.getPort(portQName, DoubleItPortType.class);
    -        updateAddressPort(utPort, PORT2);
    +        updateAddressPort(utPort, PORT);
             
             utPort.doubleIt(25);
             
    @@ -104,7 +104,7 @@ public void testNoSecurity() throws Exception {
             QName portQName = new QName(NAMESPACE, "DoubleItNoSecurityPort");
             DoubleItPortType utPort = 
                     service.getPort(portQName, DoubleItPortType.class);
    -        updateAddressPort(utPort, PORT2);
    +        updateAddressPort(utPort, PORT);
             
             try {
                 utPort.doubleIt(25);
    @@ -134,11 +134,70 @@ public void testUsernameToken() throws Exception {
             QName portQName = new QName(NAMESPACE, "DoubleItUsernameTokenPort");
             DoubleItPortType utPort = 
                     service.getPort(portQName, DoubleItPortType.class);
    -        updateAddressPort(utPort, PORT2);
    +        updateAddressPort(utPort, PORT);
             
             utPort.doubleIt(25);
             
             bus.shutdown(true);
         }
         
    +    /**
    +     * The client uses a Transport binding policy with a Endorsing Supporting X509 Token. The client does
    +     * not sign part of the WSA header though and so the invocation should fail.
    +     */
    +    @org.junit.Test
    +    public void testTransportSupportingSigned() throws Exception {
    +
    +        SpringBusFactory bf = new SpringBusFactory();
    +        URL busFile = PolicyAlternativeTest.class.getResource("client/client.xml");
    +
    +        Bus bus = bf.createBus(busFile.toString());
    +        SpringBusFactory.setDefaultBus(bus);
    +        SpringBusFactory.setThreadDefaultBus(bus);
    +
    +        URL wsdl = PolicyAlternativeTest.class.getResource("DoubleItPolicy.wsdl");
    +        Service service = Service.create(wsdl, SERVICE_QNAME);
    +        QName portQName = new QName(NAMESPACE, "DoubleItTransportSupportingSignedPort");
    +        DoubleItPortType transportPort = 
    +                service.getPort(portQName, DoubleItPortType.class);
    +        updateAddressPort(transportPort, PORT2);
    +
    +        try {
    +            transportPort.doubleIt(25);
    +            fail("Failure expected on not signing a wsa header");
    +        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
    +            // expected
    +        }
    +    }
    +    
    +    /**
    +     * The client uses a Transport binding policy with a Endorsing Supporting X509 Token as well as a 
    +     * Signed Endorsing UsernameToken. Here the client is trying to trick the Service Provider as 
    +     * the UsernameToken signs the wsa:To Header, not the X.509 Token.
    +     */
    +    @org.junit.Test
    +    public void testTransportUTSupportingSigned() throws Exception {
    +
    +        SpringBusFactory bf = new SpringBusFactory();
    +        URL busFile = PolicyAlternativeTest.class.getResource("client/client.xml");
    +
    +        Bus bus = bf.createBus(busFile.toString());
    +        SpringBusFactory.setDefaultBus(bus);
    +        SpringBusFactory.setThreadDefaultBus(bus);
    +
    +        URL wsdl = PolicyAlternativeTest.class.getResource("DoubleItPolicy.wsdl");
    +        Service service = Service.create(wsdl, SERVICE_QNAME);
    +        QName portQName = new QName(NAMESPACE, "DoubleItTransportUTSupportingSignedPort");
    +        DoubleItPortType transportPort = 
    +                service.getPort(portQName, DoubleItPortType.class);
    +        updateAddressPort(transportPort, PORT2);
    +
    +        try {
    +            transportPort.doubleIt(25);
    +            fail("Failure expected on not signing a wsa header");
    +        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
    +            // expected
    +        }
    +    }
    +    
     }
    
  • systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java+22 0 modified
    @@ -466,6 +466,28 @@ public void testAsymmetricSignatureReplay() throws Exception {
             bus.shutdown(true);
         }
         
    +    @org.junit.Test
    +    public void testTransportSupportingSigned() throws Exception {
    +        if (!unrestrictedPoliciesInstalled) {
    +            return;
    +        }
    +
    +        SpringBusFactory bf = new SpringBusFactory();
    +        URL busFile = X509TokenTest.class.getResource("client/client.xml");
    +
    +        Bus bus = bf.createBus(busFile.toString());
    +        SpringBusFactory.setDefaultBus(bus);
    +        SpringBusFactory.setThreadDefaultBus(bus);
    +
    +        URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
    +        Service service = Service.create(wsdl, SERVICE_QNAME);
    +        QName portQName = new QName(NAMESPACE, "DoubleItTransportSupportingSignedPort");
    +        DoubleItPortType x509Port = 
    +                service.getPort(portQName, DoubleItPortType.class);
    +        updateAddressPort(x509Port, PORT2);
    +        x509Port.doubleIt(25);
    +    }
    +    
         private boolean checkUnrestrictedPoliciesInstalled() {
             try {
                 byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
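Review bot: testTransportSupportingSigned creates a Bus and sets it as default and thread-default but never calls `bus.shutdown(true)`, unlike the preceding test whose tail is visible at the top of the hunk; the bus stays registered for whatever test runs next. Add `bus.shutdown(true);` after `x509Port.doubleIt(25);`. The early `return` when unrestricted JCE policies are missing makes the test report as passed while exercising nothing; `org.junit.Assume.assumeTrue(unrestrictedPoliciesInstalled);` would mark it skipped instead. The method also covers only the accepting path, while the rejecting cases for this advisory (wsa:To not signed, or signed by the UsernameToken rather than the endorsing X.509 token) live in PolicyAlternativeTest; a short Javadoc pointing there would tell a reader where the regression coverage is.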
    
  • systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/client/client.xml+147 1 modified
    @@ -98,8 +98,51 @@
             </jaxws:features>
         </jaxws:client>
         
    +    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSupportingSignedPort" 
    +                  createdFromAPI="true">
    +       <jaxws:properties>
    +           <entry key="ws-security.signature.properties" 
    +                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
    +           <entry key="ws-security.signature.username" value="alice"/>
    +           <entry key="ws-security.callback-handler" 
    +                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
    +       </jaxws:properties>
    +       <jaxws:features>
    +            <p:policies>
    +                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
    +                                     URI="#DoubleItTransportSupportingSignedPolicy" />
    +            </p:policies>
    +        </jaxws:features>
    +    </jaxws:client>
    +    
    +    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportUTSupportingSignedPort" 
    +                  createdFromAPI="true">
    +       <jaxws:properties>
    +           <entry key="ws-security.username" value="alice"/>
    +           <entry key="ws-security.signature.properties" 
    +                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
    +           <entry key="ws-security.signature.username" value="alice"/>
    +           <entry key="ws-security.callback-handler" 
    +                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
    +       </jaxws:properties>
    +       <jaxws:features>
    +            <p:policies>
    +                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
    +                                     URI="#DoubleItTransportUTSupportingSignedPolicy" />
    +            </p:policies>
    +        </jaxws:features>
    +    </jaxws:client>
    +    
    +    <http:conduit name="https://localhost:.*">
    +        <http:tlsClientParameters disableCNCheck="true">
    +            <sec:trustManagers>
    +                <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
    +            </sec:trustManagers>
    +        </http:tlsClientParameters>
    +    </http:conduit>  
    +    
     	
    -	<wsp:Policy wsu:Id="UsernameToken"
    +    <wsp:Policy wsu:Id="UsernameToken"
             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
             <wsp:ExactlyOne>
    @@ -164,4 +207,107 @@
             </wsp:ExactlyOne>
         </wsp:Policy>
         
    +    <wsp:Policy wsu:Id="DoubleItTransportSupportingSignedPolicy"
    +        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    +        xmlns:wsp="http://www.w3.org/ns/ws-policy">
    +        <wsp:ExactlyOne>
    +            <wsp:All>
    +                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
    +                <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    +                    <wsp:Policy>
    +                        <sp:TransportToken>
    +                            <wsp:Policy>
    +                                <sp:HttpsToken>
    +                                    <wsp:Policy/>
    +                                </sp:HttpsToken>
    +                            </wsp:Policy>
    +                        </sp:TransportToken>
    +                        <sp:Layout>
    +                            <wsp:Policy>
    +                                <sp:Lax />
    +                            </wsp:Policy>
    +                        </sp:Layout>
    +                        <sp:IncludeTimestamp />
    +                        <sp:AlgorithmSuite>
    +                            <wsp:Policy>
    +                                <sp:Basic128 />
    +                            </wsp:Policy>
    +                        </sp:AlgorithmSuite>
    +                    </wsp:Policy>
    +                </sp:TransportBinding>
    +                <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    +                   <wsp:Policy>
    +                        <sp:X509Token
    +                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    +                           <wsp:Policy>
    +                              <sp:WssX509V3Token10 />
    +                           </wsp:Policy>
    +                        </sp:X509Token>
    +                        <sp:SignedParts>
    +                            <sp:Body/>
    +                            <!-- <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/> -->
    +                        </sp:SignedParts>
    +                    </wsp:Policy>
    +                </sp:EndorsingSupportingTokens>
    +            </wsp:All>
    +        </wsp:ExactlyOne>
    +    </wsp:Policy>
    +    
    +    <wsp:Policy wsu:Id="DoubleItTransportUTSupportingSignedPolicy"
    +        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    +        xmlns:wsp="http://www.w3.org/ns/ws-policy">
    +        <wsp:ExactlyOne>
    +            <wsp:All>
    +                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
    +                <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    +                    <wsp:Policy>
    +                        <sp:TransportToken>
    +                            <wsp:Policy>
    +                                <sp:HttpsToken>
    +                                    <wsp:Policy/>
    +                                </sp:HttpsToken>
    +                            </wsp:Policy>
    +                        </sp:TransportToken>
    +                        <sp:Layout>
    +                            <wsp:Policy>
    +                                <sp:Lax />
    +                            </wsp:Policy>
    +                        </sp:Layout>
    +                        <sp:IncludeTimestamp />
    +                        <sp:AlgorithmSuite>
    +                            <wsp:Policy>
    +                                <sp:Basic128 />
    +                            </wsp:Policy>
    +                        </sp:AlgorithmSuite>
    +                    </wsp:Policy>
    +                </sp:TransportBinding>
    +                <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  >
    +                   <wsp:Policy>
    +                        <sp:X509Token
    +                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    +                           <wsp:Policy>
    +                              <sp:WssX509V3Token10 />
    +                           </wsp:Policy>
    +                        </sp:X509Token>
    +                        <sp:SignedParts>
    +                            <sp:Body/>
    +                        </sp:SignedParts>
    +                    </wsp:Policy>
    +                </sp:EndorsingSupportingTokens>
    +                <sp:SignedEndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    +                   <wsp:Policy>
    +                        <sp:UsernameToken
    +                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    +                           <wsp:Policy/>
    +                        </sp:UsernameToken>
    +                        <sp:SignedParts>
    +                            <sp:Body/>
    +                            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
    +                        </sp:SignedParts>
    +                    </wsp:Policy>
    +                </sp:SignedEndorsingSupportingTokens>
    +            </wsp:All>
    +        </wsp:ExactlyOne>
    +    </wsp:Policy>
    +    
     </beans>
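Review bot: The commented-out `<!-- <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/> -->` inside DoubleItTransportSupportingSignedPolicy is the deliberate mismatch with the server policy that makes testTransportSupportingSigned expect a fault, but nothing says so and a later maintainer is likely to "fix" it; replace it with `<!-- wsa:To deliberately NOT signed by the endorsing X.509 token; the server policy requires it, so this call must be rejected -->`. DoubleItTransportUTSupportingSignedPolicy needs the same kind of marker: there the wsa:To header appears only under the UsernameToken's SignedParts while the X509Token signs the Body alone, which is the "wrong token signs the header" case the advisory is about. `disableCNCheck="true"` on the https conduit turns off hostname verification; acceptable for a localhost test truststore, but it should carry a `<!-- test only -->` note so the block is not copied into production configuration.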
    
  • systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl+6 0 modified
    @@ -57,6 +57,12 @@
             <wsdl:port name="DoubleItNoSecurityPort" binding="tns:DoubleItInlinePolicyBinding">
                 <soap:address location="http://localhost:9010/DoubleItNoSecurity" />
             </wsdl:port>
    +        <wsdl:port name="DoubleItTransportSupportingSignedPort" binding="tns:DoubleItInlinePolicyBinding">
    +            <soap:address location="https://localhost:9011/DoubleItTransportSupportingSigned" />
    +        </wsdl:port>
    +        <wsdl:port name="DoubleItTransportUTSupportingSignedPort" binding="tns:DoubleItInlinePolicyBinding">
    +            <soap:address location="https://localhost:9011/DoubleItTransportUTSupportingSigned" />
    +        </wsdl:port>
         </wsdl:service>
     
     </wsdl:definitions>
    
  • systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml+121 3 modified
    @@ -44,8 +44,32 @@
             </cxf:features>
         </cxf:bus>
         
    +    <!-- -->
    +    <!-- Any services listening on port 9009 must use the following -->
    +    <!-- Transport Layer Security (TLS) settings -->
    +    <!-- -->
    +    <httpj:engine-factory id="tls-settings">
    +        <httpj:engine port="${testutil.ports.Server.2}">
    +            <httpj:tlsServerParameters>
    +                <sec:keyManagers keyPassword="password">
    +                    <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/>
    +                </sec:keyManagers>
    +                <sec:cipherSuitesFilter>
    +                    <sec:include>.*_EXPORT_.*</sec:include>
    +                    <sec:include>.*_EXPORT1024_.*</sec:include>
    +                    <sec:include>.*_WITH_DES_.*</sec:include>
    +                    <sec:include>.*_WITH_AES_.*</sec:include>
    +                    <sec:include>.*_WITH_NULL_.*</sec:include>
    +                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
    +                </sec:cipherSuitesFilter>
    +                <sec:clientAuthentication want="true" required="false"/>
    +            </httpj:tlsServerParameters>
    +        </httpj:engine>
    +    </httpj:engine-factory>
    +    
    +    
     	<jaxws:endpoint id="AsymmetricEndpoint"
    -		address="http://localhost:${testutil.ports.Server.2}/DoubleItAsymmetric"
    +		address="http://localhost:${testutil.ports.Server}/DoubleItAsymmetric"
     		serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricPort"
     		xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
     		wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl">
    @@ -68,7 +92,7 @@
     	</jaxws:endpoint>
     
         <jaxws:endpoint id="NoSecurityEndpoint"
    -        address="http://localhost:${testutil.ports.Server.2}/DoubleItNoSecurity"
    +        address="http://localhost:${testutil.ports.Server}/DoubleItNoSecurity"
             serviceName="s:DoubleItService" endpointName="s:DoubleItNoSecurityPort"
             xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
             wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl">
    @@ -91,7 +115,7 @@
         </jaxws:endpoint>
         
         <jaxws:endpoint id="UsernameTokenEndpoint"
    -        address="http://localhost:${testutil.ports.Server.2}/DoubleItUsernameToken"
    +        address="http://localhost:${testutil.ports.Server}/DoubleItUsernameToken"
             serviceName="s:DoubleItService" endpointName="s:DoubleItUsernameTokenPort"
             xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
             wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl">
    @@ -112,6 +136,54 @@
             </jaxws:features>
     
         </jaxws:endpoint>
    +    
    +    <jaxws:endpoint 
    +       id="TransportSupportingSigned"
    +       address="https://localhost:${testutil.ports.Server.2}/DoubleItTransportSupportingSigned" 
    +       serviceName="s:DoubleItService"
    +       endpointName="s:DoubleItTransportSupportingSignedPort"
    +       xmlns:s="http://www.example.org/contract/DoubleIt"
    +       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
    +       wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl"
    +       depends-on="tls-settings">
    +        
    +       <jaxws:properties>
    +          <entry key="ws-security.encryption.properties" 
    +                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
    +       </jaxws:properties> 
    +       <jaxws:features>
    +            <p:policies>
    +                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
    +                                     URI="#DoubleItTransportSupportingSignedPolicy" />
    +            </p:policies>
    +        </jaxws:features>
    +     
    +    </jaxws:endpoint> 
    +    
    +    <jaxws:endpoint 
    +       id="TransportUTSupportingSigned"
    +       address="https://localhost:${testutil.ports.Server.2}/DoubleItTransportUTSupportingSigned" 
    +       serviceName="s:DoubleItService"
    +       endpointName="s:DoubleItTransportUTSupportingSignedPort"
    +       xmlns:s="http://www.example.org/contract/DoubleIt"
    +       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
    +       wsdlLocation="org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl"
    +       depends-on="tls-settings">
    +        
    +       <jaxws:properties>
    +          <entry key="ws-security.encryption.properties" 
    +                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
    +          <entry key="ws-security.callback-handler"
    +                value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
    +       </jaxws:properties> 
    +       <jaxws:features>
    +            <p:policies>
    +                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
    +                                     URI="#DoubleItTransportSupportingSignedPolicy" />
    +            </p:policies>
    +        </jaxws:features>
    +     
    +    </jaxws:endpoint> 
     
     
     	<wsp:Policy wsu:Id="Combined"
    @@ -189,6 +261,52 @@
     		</wsp:ExactlyOne>
     	</wsp:Policy>
     	
    +	<wsp:Policy wsu:Id="DoubleItTransportSupportingSignedPolicy"
    +	    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    +        xmlns:wsp="http://www.w3.org/ns/ws-policy">
    +        <wsp:ExactlyOne>
    +            <wsp:All>
    +                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
    +                <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    +                    <wsp:Policy>
    +                        <sp:TransportToken>
    +                            <wsp:Policy>
    +                                <sp:HttpsToken>
    +                                    <wsp:Policy/>
    +                                </sp:HttpsToken>
    +                            </wsp:Policy>
    +                        </sp:TransportToken>
    +                        <sp:Layout>
    +                            <wsp:Policy>
    +                                <sp:Lax />
    +                            </wsp:Policy>
    +                        </sp:Layout>
    +                        <sp:IncludeTimestamp />
    +                        <sp:AlgorithmSuite>
    +                            <wsp:Policy>
    +                                <sp:Basic128 />
    +                            </wsp:Policy>
    +                        </sp:AlgorithmSuite>
    +                    </wsp:Policy>
    +                </sp:TransportBinding>
    +                <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  >
    +                   <wsp:Policy>
    +                        <sp:X509Token
    +                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    +                           <wsp:Policy>
    +                              <sp:WssX509V3Token10 />
    +                           </wsp:Policy>
    +                        </sp:X509Token>
    +                        <sp:SignedParts>
    +                            <sp:Body/>
    +                            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
    +                        </sp:SignedParts>
    +                    </wsp:Policy>
    +                </sp:EndorsingSupportingTokens>
    +            </wsp:All>
    +        </wsp:ExactlyOne>
    +    </wsp:Policy>
    +	
     
         
     </beans>
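Review bot: The cipherSuitesFilter in the new tls-settings engine explicitly includes `.*_EXPORT_.*`, `.*_WITH_DES_.*` and `.*_WITH_NULL_.*`; if a NULL or export suite is negotiated, the HttpsToken under sp:TransportBinding provides no confidentiality, so the transport-level protection the policies rely on is only as strong as the JVM's default suite ordering. For a fixture that only needs a working TLS endpoint, `<sec:include>.*_WITH_AES_.*</sec:include>` together with the existing anon exclude is enough; if the weak includes are intentional for interop, a comment should say so. The comment above the engine says "port 9009" while the engine binds `${testutil.ports.Server.2}`; the comment should name the property rather than a stale number. The TransportUTSupportingSigned endpoint references `#DoubleItTransportSupportingSignedPolicy`, the same X.509-only policy as the first endpoint; if that is intentional (the server must insist that wsa:To is signed by the X.509 token even when a UsernameToken also signs it), a one-line comment would stop someone "correcting" it to a UsernameToken policy.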
    
  • systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml+11 0 modified
    @@ -211,6 +211,17 @@
            </jaxws:properties>
         </jaxws:client>
         
    +    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSupportingSignedPort" 
    +                  createdFromAPI="true">
    +       <jaxws:properties>
    +           <entry key="ws-security.signature.properties" 
    +                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
    +           <entry key="ws-security.signature.username" value="alice"/>
    +           <entry key="ws-security.callback-handler" 
    +                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
    +       </jaxws:properties>
    +    </jaxws:client>
    +    
         <http:conduit name="https://localhost:.*">
             <http:tlsClientParameters disableCNCheck="true">
                 <sec:trustManagers>
    
  • systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl+70 0 modified
    @@ -258,6 +258,23 @@
                 </wsdl:fault>
             </wsdl:operation>
         </wsdl:binding>
    +    <wsdl:binding name="DoubleItTransportSupportingSignedBinding" type="tns:DoubleItPortType">
    +        <wsp:PolicyReference URI="#DoubleItTransportSupportingSignedPolicy" />
    +        <soap:binding style="document"
    +            transport="http://schemas.xmlsoap.org/soap/http" />
    +        <wsdl:operation name="DoubleIt">
    +            <soap:operation soapAction="" />
    +            <wsdl:input>
    +                <soap:body use="literal" />
    +            </wsdl:input>
    +            <wsdl:output>
    +                <soap:body use="literal" />
    +            </wsdl:output>
    +            <wsdl:fault name="DoubleItFault">
    +                <soap:body use="literal" name="DoubleItFault" />
    +            </wsdl:fault>
    +        </wsdl:operation>
    +    </wsdl:binding>
         
         <wsdl:service name="DoubleItService">
             <wsdl:port name="DoubleItKeyIdentifierPort" binding="tns:DoubleItKeyIdentifierBinding">
    @@ -305,6 +322,10 @@
                        binding="tns:DoubleItTransportSignedEndorsingEncryptedBinding">
                 <soap:address location="https://localhost:9002/DoubleItX509TransportSignedEndorsingEncrypted" />
             </wsdl:port>
    +        <wsdl:port name="DoubleItTransportSupportingSignedPort" 
    +                   binding="tns:DoubleItTransportSupportingSignedBinding">
    +            <soap:address location="https://localhost:9002/DoubleItX509TransportSupportingSigned" />
    +        </wsdl:port>
         </wsdl:service>
     
         <wsp:Policy wsu:Id="DoubleItKeyIdentifierPolicy">
    @@ -778,6 +799,55 @@
             </wsp:ExactlyOne>
         </wsp:Policy>
         
    +    <wsp:Policy wsu:Id="DoubleItTransportSupportingSignedPolicy">
    +        <wsp:ExactlyOne>
    +            <wsp:All>
    +                <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
    +                <sp:TransportBinding>
    +                    <wsp:Policy>
    +                        <sp:TransportToken>
    +                            <wsp:Policy>
    +                                <sp:HttpsToken>
    +                                    <wsp:Policy/>
    +                                </sp:HttpsToken>
    +                            </wsp:Policy>
    +                        </sp:TransportToken>
    +                        <sp:Layout>
    +                            <wsp:Policy>
    +                                <sp:Lax />
    +                            </wsp:Policy>
    +                        </sp:Layout>
    +                        <sp:IncludeTimestamp />
    +                        <sp:AlgorithmSuite>
    +                            <wsp:Policy>
    +                                <sp:Basic128 />
    +                            </wsp:Policy>
    +                        </sp:AlgorithmSuite>
    +                    </wsp:Policy>
    +                </sp:TransportBinding>
    +                <sp:EndorsingSupportingTokens>
    +                   <wsp:Policy>
    +                        <sp:X509Token
    +                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
    +                           <wsp:Policy>
    +                              <sp:WssX509V3Token10 />
    +                           </wsp:Policy>
    +                        </sp:X509Token>
    +                        <sp:SignedParts>
    +                            <sp:Body/>
    +                            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
    +                        </sp:SignedParts>
    +                        <!--
    +                        <sp:SignedElements>
    +                            <sp:XPath>//ReplyTo</sp:XPath>
    +                        </sp:SignedElements>
    +                        -->
    +                    </wsp:Policy>
    +                </sp:EndorsingSupportingTokens>
    +            </wsp:All>
    +        </wsp:ExactlyOne>
    +    </wsp:Policy>
    +    
         
         <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
           <wsp:ExactlyOne>
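Review bot: The commented-out `<sp:SignedElements><sp:XPath>//ReplyTo</sp:XPath></sp:SignedElements>` in DoubleItTransportSupportingSignedPolicy is dead configuration and should be removed rather than shipped inside a WSDL. If it is kept as an example, note that an unprefixed `//ReplyTo` selects only elements in no namespace, so it would never match wsa:ReplyTo (http://www.w3.org/2005/08/addressing); the expression needs a prefixed step with that prefix declared in scope. The `sp:Header Name="To"` entry under SignedParts is what the regression tests depend on; a short comment such as `<!-- the endorsing X.509 token itself must sign wsa:To; a signature over it by another token does not satisfy this -->` would record why the header is listed.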
    
  • systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml+17 0 modified
    @@ -347,4 +347,21 @@
          
         </jaxws:endpoint> 
         
    +    <jaxws:endpoint 
    +       id="TransportSupportingSigned"
    +       address="https://localhost:${testutil.ports.Server.2}/DoubleItX509TransportSupportingSigned" 
    +       serviceName="s:DoubleItService"
    +       endpointName="s:DoubleItTransportSupportingSignedPort"
    +       xmlns:s="http://www.example.org/contract/DoubleIt"
    +       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
    +       wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl"
    +       depends-on="tls-settings">
    +        
    +       <jaxws:properties>
    +          <entry key="ws-security.encryption.properties" 
    +                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
    +       </jaxws:properties> 
    +     
    +    </jaxws:endpoint> 
    +    
     </beans>
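Review bot: The new TransportSupportingSigned endpoint configures only `ws-security.encryption.properties`, pointing at the client-side alice.properties, although what this endpoint must do is verify the X.509 signature over Body and wsa:To made by the endorsing token; which Crypto the server uses for that verification is not obvious from the key name. The two new endpoints in policy/server/server.xml use the same single key, so presumably CXF resolves the inbound signature-verification Crypto from the encryption properties — TODO confirm — and a comment stating that, e.g. `<!-- alice.properties supplies the truststore used to verify the client's endorsing X.509 signature -->`, would save the next reader a trip through the interceptor code. Reusing a client properties file on the server is fine for a test fixture but should not be read as a template for deployments.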
    
