19 package org.apache.wss4j.policy.stax.test;
20
21 import java.util.LinkedList;
22 import java.util.List;
23
24 import javax.xml.namespace.QName;
25
26 import org.apache.wss4j.common.ext.WSSecurityException;
27 import org.apache.wss4j.policy.stax.PolicyViolationException;
28 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
29 import org.apache.wss4j.stax.ext.WSSConstants;
30 import org.apache.wss4j.stax.securityEvent.EncryptedPartSecurityEvent;
31 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
32 import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
33 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
34 import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
35 import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
36 import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;
37 import org.junit.jupiter.api.Test;
38
39 import static org.junit.jupiter.api.Assertions.assertEquals;
40 import static org.junit.jupiter.api.Assertions.assertTrue;
41 import static org.junit.jupiter.api.Assertions.fail;
42
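/**
 * Verifies that the policy enforcer honours the protection order demanded by an
 * {@code sp:AsymmetricBinding}: sign-then-encrypt by default, encrypt-then-sign when the
 * binding carries {@code sp:EncryptBeforeSigning}.
 *
 * <p>Each test starts an engine for one of the two bindings and registers the security events
 * a processed message would emit for the SOAP 1.1 body, tagged with the order in which
 * signature and encryption were applied to it. The positive cases register a fully protected
 * body (or only the signed / only the encrypted part) and expect {@code doFinal()} to pass.
 * The negative cases show that a body protected in the wrong order is rejected at
 * registration time with a {@link WSSecurityException} whose cause is a
 * {@link PolicyViolationException} and whose fault code is {@code INVALID_SECURITY}: the
 * protection order is a policy assertion in its own right, so a mismatch must fail
 * verification rather than be silently accepted.
 */
public class ProtectionOrderTest extends AbstractPolicyTestBase {

    private static final XMLSecurityConstants.ContentType SIGNATURE = XMLSecurityConstants.ContentType.SIGNATURE;
    private static final XMLSecurityConstants.ContentType ENCRYPTION = XMLSecurityConstants.ContentType.ENCRYPTION;

    /** Optional binding assertion that flips the default order to encrypt-then-sign. */
    private static final String ENCRYPT_BEFORE_SIGNING_ASSERTION = " <sp:EncryptBeforeSigning/>\n";

    /** A registration step that may raise the enforcer's checked exceptions. */
    @FunctionalInterface
    private interface Registration {
        void run() throws Exception;
    }

    /**
     * Builds the AsymmetricBinding policy shared by all tests.
     *
     * @param encryptBeforeSigning whether to include {@code sp:EncryptBeforeSigning}; without it
     *        the binding is enforced as sign-then-encrypt
     * @return the policy XML
     */
    private static String asymmetricBindingPolicy(boolean encryptBeforeSigning) {
        return "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n"
            + " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n"
            + " <sp:AlgorithmSuite>\n"
            + " <wsp:Policy>\n"
            + " <sp:Basic256/>\n"
            + " </wsp:Policy>\n"
            + " </sp:AlgorithmSuite>\n"
            + (encryptBeforeSigning ? ENCRYPT_BEFORE_SIGNING_ASSERTION : "")
            + " </wsp:Policy>\n"
            + "</sp:AsymmetricBinding>\n";
    }

    /**
     * Starts a policy engine for the chosen binding and registers the operation event that the
     * body events in these tests are attributed to.
     *
     * @param encryptBeforeSigning selects the encrypt-then-sign binding when {@code true}
     * @return the started enforcer
     * @throws Exception if the engine cannot be built or the operation event is rejected
     */
    private PolicyEnforcer startEngine(boolean encryptBeforeSigning) throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(asymmetricBindingPolicy(encryptBeforeSigning));
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        policyEnforcer.registerSecurityEvent(operationSecurityEvent);
        return policyEnforcer;
    }

    /**
     * Protection order in the given sequence, as a mutable list like the one the security event
     * constructors were originally handed.
     */
    private static List<XMLSecurityConstants.ContentType> protectionOrder(XMLSecurityConstants.ContentType... order) {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        for (XMLSecurityConstants.ContentType contentType : order) {
            protectionOrder.add(contentType);
        }
        return protectionOrder;
    }

    /** Signed-part event for the SOAP 1.1 body, tagged with the order in which it was protected. */
    private static SignedPartSecurityEvent signedBody(List<XMLSecurityConstants.ContentType> order) {
        SignedPartSecurityEvent event = new SignedPartSecurityEvent(null, true, order);
        event.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        return event;
    }

    /** Encrypted-part event for the SOAP 1.1 body, tagged with the order in which it was protected. */
    private static EncryptedPartSecurityEvent encryptedBody(List<XMLSecurityConstants.ContentType> order) {
        EncryptedPartSecurityEvent event = new EncryptedPartSecurityEvent(null, true, order);
        event.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        return event;
    }

    /**
     * Registers every body event a signed-and-encrypted message emits: the signed part and
     * element, the encrypted part and element, and the content-encrypted element, all carrying
     * the same protection order. Registration order matches what the original tests did.
     */
    private static void registerSignedAndEncryptedBody(PolicyEnforcer policyEnforcer,
                                                        List<XMLSecurityConstants.ContentType> order) throws Exception {
        policyEnforcer.registerSecurityEvent(signedBody(order));

        SignedElementSecurityEvent signedElement = new SignedElementSecurityEvent(null, true, order);
        signedElement.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedElement);

        policyEnforcer.registerSecurityEvent(encryptedBody(order));

        EncryptedElementSecurityEvent encryptedElement = new EncryptedElementSecurityEvent(null, true, order);
        encryptedElement.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(encryptedElement);

        ContentEncryptedElementSecurityEvent contentEncrypted = new ContentEncryptedElementSecurityEvent(null, true, order);
        contentEncrypted.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(contentEncrypted);
    }

    /**
     * Runs a registration that must be rejected as a protection-order violation and checks the
     * exception shape callers rely on: a {@link WSSecurityException} with fault code
     * {@code INVALID_SECURITY}, caused by a {@link PolicyViolationException} carrying
     * {@code expectedMessage}.
     *
     * @param registration the step expected to fail
     * @param expectedMessage the exact violation message expected on the cause
     * @throws Exception if the registration fails with anything other than {@link WSSecurityException}
     */
    private static void assertProtectionOrderViolation(Registration registration, String expectedMessage)
            throws Exception {
        try {
            registration.run();
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertTrue(e.getCause() instanceof PolicyViolationException);
            // expected value first, so a failure reads "expected <policy message> but was <actual>"
            assertEquals(expectedMessage, e.getCause().getMessage());
            assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
        }
    }

    /** Default binding: a body signed first and then encrypted passes. */
    @Test
    public void testPolicySignBeforeEncrypt() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(false);
        registerSignedAndEncryptedBody(policyEnforcer, protectionOrder(SIGNATURE, ENCRYPTION));
        policyEnforcer.doFinal();
    }

    /** Default binding: a body that is only signed has no order to violate and passes. */
    @Test
    public void testPolicySignBeforeEncryptWithoutEncryption() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(false);
        policyEnforcer.registerSecurityEvent(signedBody(protectionOrder(SIGNATURE)));
        policyEnforcer.doFinal();
    }

    /** Default binding: a body encrypted first and then signed is rejected at registration. */
    @Test
    public void testPolicySignBeforeEncryptNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(false);
        SignedPartSecurityEvent encryptedThenSigned = signedBody(protectionOrder(ENCRYPTION, SIGNATURE));
        assertProtectionOrderViolation(
            () -> policyEnforcer.registerSecurityEvent(encryptedThenSigned),
            "Policy enforces SignBeforeEncrypting but the /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body was encrypted and then signed");
    }

    /** EncryptBeforeSigning binding: a body encrypted first and then signed passes. */
    @Test
    public void testPolicyEncryptBeforeSign() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(true);
        registerSignedAndEncryptedBody(policyEnforcer, protectionOrder(ENCRYPTION, SIGNATURE));
        policyEnforcer.doFinal();
    }

    /** EncryptBeforeSigning binding: a body that is only encrypted has no order to violate and passes. */
    @Test
    public void testPolicyEncryptBeforeSignWithoutSignature() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(true);
        policyEnforcer.registerSecurityEvent(encryptedBody(protectionOrder(ENCRYPTION)));
        policyEnforcer.doFinal();
    }

    /** EncryptBeforeSigning binding: a body signed first and then encrypted is rejected at registration. */
    @Test
    public void testPolicyEncryptBeforeSignNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(true);
        EncryptedPartSecurityEvent signedThenEncrypted = encryptedBody(protectionOrder(SIGNATURE, ENCRYPTION));
        assertProtectionOrderViolation(
            () -> policyEnforcer.registerSecurityEvent(signedThenEncrypted),
            "Policy enforces EncryptBeforeSigning but the /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body was signed and then encrypted");
    }
}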