20 package org.apache.wss4j.policy.stax.test;
21
22 import java.util.LinkedList;
23 import java.util.List;
24
25 import javax.xml.namespace.QName;
26
27 import org.apache.wss4j.common.ext.WSSecurityException;
28 import org.apache.wss4j.policy.stax.PolicyViolationException;
29 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
30 import org.apache.wss4j.stax.ext.WSSConstants;
31 import org.apache.wss4j.stax.impl.securityToken.X509SecurityTokenImpl;
32 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
33 import org.apache.wss4j.stax.securityEvent.SecurityContextTokenSecurityEvent;
34 import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
35 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
36 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
37 import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
38 import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
39 import org.junit.jupiter.api.Test;
40
41 import static org.junit.jupiter.api.Assertions.assertEquals;
42 import static org.junit.jupiter.api.Assertions.assertTrue;
43 import static org.junit.jupiter.api.Assertions.fail;
44
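/**
 * Policy-enforcement tests for {@code sp:SecurityContextToken} assertions under a
 * {@code sp:SymmetricBinding}.
 *
 * Both tests drive the {@link PolicyEnforcer} with the same synthetic event
 * sequence (two SecurityContextToken events, a signed body part, a content-encrypted
 * body and finally the operation event) and differ only in the issuer name the
 * tokens report. The positive case must run to {@code doFinal()} without an
 * exception; the negative case must be rejected with a
 * {@link PolicyViolationException} wrapped in a {@link WSSecurityException} carrying
 * the {@code INVALID_SECURITY} fault code.
 *
 * NOTE(review): only the IssuerName mismatch is exercised. There is no test for a
 * token that is NOT referenced by an external URI
 * ({@code setExternalUriRef(false)}) against {@code sp:RequireExternalUriReference};
 * consider adding one so that assertion is covered too.
 */
public class SecurityContextTokenTest extends AbstractPolicyTestBase {

    /**
     * Issuer name the policy demands. The value is the literal string "xs:anyURI"
     * (a schema-type placeholder copied into the policy), so a token must report
     * exactly that string to be accepted.
     */
    private static final String POLICY_ISSUER_NAME = "xs:anyURI";

    /**
     * SymmetricBinding policy shared by both tests: the encryption and the signature
     * token must each be a SecurityContextToken issued by {@link #POLICY_ISSUER_NAME}
     * and referenced via an external URI; algorithm suite Basic256.
     */
    private static final String SYMMETRIC_BINDING_POLICY =
        "<sp:SymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
        "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        "<sp:EncryptionToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:SecurityContextToken>\n" +
        " <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:RequireExternalUriReference/>\n" +
        " </wsp:Policy>\n" +
        " </sp:SecurityContextToken>\n" +
        " </wsp:Policy>\n" +
        "</sp:EncryptionToken>\n" +
        "<sp:SignatureToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:SecurityContextToken>\n" +
        " <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:RequireExternalUriReference/>\n" +
        " </wsp:Policy>\n" +
        " </sp:SecurityContextToken>\n" +
        " </wsp:Policy>\n" +
        "</sp:SignatureToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        "</wsp:Policy>\n" +
        "</sp:SymmetricBinding>";

    /**
     * Tokens reporting the issuer the policy demands are accepted: neither the event
     * registrations nor {@code doFinal()} may throw. There is no explicit assertion;
     * a policy violation would surface as a {@link WSSecurityException}.
     */
    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SYMMETRIC_BINDING_POLICY);

        registerSymmetricBindingEvents(policyEnforcer, POLICY_ISSUER_NAME);
        policyEnforcer.registerSecurityEvent(newOperationEvent());

        // doFinal() is where any outstanding assertion failures would be raised.
        policyEnforcer.doFinal();
    }

    /**
     * Tokens reporting a different issuer ("sss") are rejected. The enforcer reports
     * the violation when the operation event is registered (the token events
     * themselves are accepted), as a {@link WSSecurityException} whose cause is a
     * {@link PolicyViolationException} and whose fault code is
     * {@code INVALID_SECURITY} -- i.e. the caller sees a generic security fault, not
     * a description of which assertion failed.
     */
    @Test
    public void testPolicyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SYMMETRIC_BINDING_POLICY);

        registerSymmetricBindingEvents(policyEnforcer, "sss");

        try {
            policyEnforcer.registerSecurityEvent(newOperationEvent());
            fail("Exception expected");
        } catch (WSSecurityException e) {
            // JUnit's assertEquals takes (expected, actual); keep that order so a
            // failure message reads correctly.
            assertTrue(e.getCause() instanceof PolicyViolationException);
            assertEquals(
                "IssuerName in Policy (xs:anyURI) didn't match with the one in the SecurityContextToken (sss)",
                e.getCause().getMessage());
            assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
        }
    }

    /**
     * Registers the event sequence both tests share: a SecurityContextToken used as
     * the main signature token, a second one used as the main encryption token, and
     * the SOAP 1.1 body first signed and then content-encrypted. Both token events
     * report {@code issuerName} and an external URI reference.
     *
     * @param policyEnforcer the enforcer under test
     * @param issuerName     issuer name reported by both SecurityContextToken events
     * @throws Exception if token creation or event registration fails
     */
    private void registerSymmetricBindingEvents(PolicyEnforcer policyEnforcer, String issuerName)
            throws Exception {
        SecurityContextTokenSecurityEvent signatureTokenEvent =
            newSecurityContextTokenEvent(issuerName, WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        policyEnforcer.registerSecurityEvent(signatureTokenEvent);

        SecurityContextTokenSecurityEvent encryptionTokenEvent =
            newSecurityContextTokenEvent(issuerName, WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        policyEnforcer.registerSecurityEvent(encryptionTokenEvent);

        // Body is signed first, then encrypted (sign-then-encrypt order).
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);

        // NOTE(review): the signed part is attributed to the encryption token rather
        // than the signature token registered above -- presumably acceptable for a
        // symmetric binding where both are the same key; confirm this is intended.
        InboundSecurityToken protectingToken =
            (InboundSecurityToken) encryptionTokenEvent.getSecurityToken();

        SignedPartSecurityEvent signedPartSecurityEvent =
            new SignedPartSecurityEvent(protectingToken, true, protectionOrder);
        signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);

        ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
            new ContentEncryptedElementSecurityEvent(protectingToken, true, protectionOrder);
        contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
    }

    /**
     * Builds a SecurityContextToken event backed by an X.509 v3 token that carries the
     * given usage. The event always claims an external URI reference, so the
     * {@code sp:RequireExternalUriReference} assertion is satisfied.
     *
     * @param issuerName issuer name the event reports
     * @param tokenUsage usage recorded on the backing token (signature or encryption)
     * @return the populated event
     * @throws Exception if the backing X.509 token cannot be created
     */
    private SecurityContextTokenSecurityEvent newSecurityContextTokenEvent(
            String issuerName, WSSecurityTokenConstants.TokenUsage tokenUsage) throws Exception {
        SecurityContextTokenSecurityEvent event = new SecurityContextTokenSecurityEvent();
        event.setIssuerName(issuerName);
        event.setExternalUriRef(true);

        X509SecurityTokenImpl securityToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
        securityToken.addTokenUsage(tokenUsage);
        event.setSecurityToken(securityToken);
        return event;
    }

    /**
     * Builds the operation event that ends the message; registering it is the point
     * at which the enforcer evaluates the collected assertions.
     *
     * @return an operation event for the (dummy) "definitions" operation
     */
    private static OperationSecurityEvent newOperationEvent() {
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        return operationSecurityEvent;
    }
}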