19 package org.apache.wss4j.policy.stax.test;
20
21 import java.io.ByteArrayInputStream;
22 import java.io.ByteArrayOutputStream;
23 import java.io.IOException;
24 import java.io.InputStream;
25 import java.io.OutputStream;
26 import java.util.ArrayList;
27 import java.util.List;
28
29 import javax.xml.namespace.QName;
30 import javax.xml.stream.XMLStreamException;
31 import javax.xml.transform.Transformer;
32 import javax.xml.transform.TransformerFactory;
33 import javax.xml.transform.dom.DOMSource;
34 import javax.xml.transform.stream.StreamResult;
35
36 import org.apache.wss4j.common.bsp.BSPRule;
37 import org.apache.wss4j.common.ext.WSSecurityException;
38 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
39 import org.apache.wss4j.policy.stax.enforcer.PolicyInputProcessor;
40 import org.apache.wss4j.stax.ext.WSSConstants;
41 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
42 import org.apache.wss4j.stax.impl.securityToken.HttpsSecurityTokenImpl;
43 import org.apache.wss4j.stax.securityEvent.HttpsTokenSecurityEvent;
44 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
45 import org.apache.wss4j.stax.test.CallbackHandlerImpl;
46 import org.apache.xml.security.stax.ext.SecurePart;
47 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
48 import org.junit.jupiter.api.Test;
49 import org.w3c.dom.Document;
50
51 import static org.junit.jupiter.api.Assertions.assertEquals;
52 import static org.junit.jupiter.api.Assertions.assertTrue;
53 import static org.junit.jupiter.api.Assertions.fail;
54
55 public class TransportBindingIntegrationTest extends AbstractPolicyTestBase {
56
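    /**
     * Positive case for a {@code sp:TransportBinding} policy that demands {@code sp:IncludeTimestamp},
     * Basic256, lax layout, an {@code sp:HttpsToken} with HTTP basic authentication, and a set of
     * signed and encrypted parts/elements.
     *
     * <p>The outbound side runs TIMESTAMP, SIGNATURE and ENCRYPTION so that every assertion in the
     * policy has a matching construct in the message; the inbound side runs the same message through
     * the {@link PolicyEnforcer} and must complete without throwing. Compare
     * {@link #testIncludeTimestampPolicyNegativeTest()}, which omits the timestamp.
     *
     * @throws Exception on any outbound/inbound processing failure, which fails the test
     */
    @Test
    public void testIncludeTimestampPolicy() throws Exception {

        String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
            "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
            " <wsp:All>\n" +
            " <sp:TransportBinding>\n" +
            " <wsp:Policy>\n" +
            " <sp:TransportToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:HttpsToken>\n" +
            " <sp:IssuerName>transmitter</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:HttpBasicAuthentication/>\n" +
            " </wsp:Policy>\n" +
            " </sp:HttpsToken>\n" +
            " </wsp:Policy>\n" +
            " </sp:TransportToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            " <sp:Layout>\n" +
            " <wsp:Policy>\n" +
            " <sp:Lax/>\n" +
            " </wsp:Policy>\n" +
            " </sp:Layout>\n" +
            " <sp:IncludeTimestamp/>\n" +
            " </wsp:Policy>\n" +
            " </sp:TransportBinding>\n" +
            " <sp:SignedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:SignedParts>\n" +
            " <sp:SignedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:SignedElements>\n" +
            " <sp:EncryptedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:EncryptedParts>\n" +
            " <sp:EncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:EncryptedElements>\n" +
            " <sp:ContentEncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
            " </sp:ContentEncryptedElements>\n" +
            " </wsp:All>\n" +
            " </wsp:ExactlyOne>";

        // Both directions load their keystores from the class path; the password belongs to the
        // test-only keystores shipped with the test resources.
        ClassLoader classLoader = this.getClass().getClassLoader();
        char[] keystorePassword = "default".toCharArray();

        // Outbound: "transmitter" signs with its own key and encrypts for "receiver".
        WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
        outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        outSecurityProperties.setEncryptionUser("receiver");
        outSecurityProperties.loadEncryptionKeystore(classLoader.getResource("transmitter.jks"), keystorePassword);
        outSecurityProperties.setSignatureUser("transmitter");
        outSecurityProperties.loadSignatureKeyStore(classLoader.getResource("transmitter.jks"), keystorePassword);

        // TIMESTAMP is included because the policy's sp:IncludeTimestamp requires it; the negative
        // test below leaves it out and expects rejection.
        List<WSSConstants.Action> actions = new ArrayList<>();
        actions.add(WSSConstants.TIMESTAMP);
        actions.add(WSSConstants.SIGNATURE);
        actions.add(WSSConstants.ENCRYPTION);
        outSecurityProperties.setActions(actions);

        // The plain SOAP document is a class-path resource: close it once the secured message exists.
        ByteArrayOutputStream baos;
        try (InputStream sourceDocument = classLoader.getResourceAsStream("testdata/plain-soap-1.1.xml")) {
            baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
        }

        // Inbound: "receiver" verifies the transmitter's signature and decrypts with its own key.
        WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        inSecurityProperties.loadSignatureVerificationKeystore(classLoader.getResource("receiver.jks"), keystorePassword);
        inSecurityProperties.loadDecryptionKeystore(classLoader.getResource("receiver.jks"), keystorePassword);

        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, null));

        // The message travels as bytes, not over TLS, so the transport token is handed to the inbound
        // side as a pre-built event whose issuer and authentication type mirror the policy's
        // IssuerName / HttpBasicAuthentication (presumably what the enforcer matches sp:HttpsToken on).
        HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
        httpsTokenSecurityEvent.setIssuerName("transmitter");
        httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
        HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "transmitter");
        httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);

        List<SecurityEvent> securityEventList = new ArrayList<>();
        securityEventList.add(httpsTokenSecurityEvent);

        Document document = doInboundSecurity(inSecurityProperties,
                new ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);

        // Serialize the processed DOM into a sink that discards every byte — presumably a sanity check
        // that the document is left in a serializable state after inbound processing.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(new OutputStream() {
            @Override
            public void write(int b) throws IOException {
                // output is intentionally discarded
            }
        }));
    }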
158
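    /**
     * Negative case for {@link #testIncludeTimestampPolicy()}: the policy still demands
     * {@code sp:IncludeTimestamp}, but the outbound side only runs SIGNATURE and ENCRYPTION, so no
     * {@code wsu:Timestamp} is present in the message.
     *
     * <p>Inbound processing must fail closed: the {@link PolicyEnforcer} is expected to reject the
     * message with a {@link WSSecurityException} (fault code {@code INVALID_SECURITY}) naming the
     * missing Timestamp element, surfaced to the caller wrapped in an {@link XMLStreamException}.
     *
     * @throws Exception on any failure other than the expected policy violation
     */
    @Test
    public void testIncludeTimestampPolicyNegativeTest() throws Exception {

        String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
            "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
            " <wsp:All>\n" +
            " <sp:TransportBinding>\n" +
            " <wsp:Policy>\n" +
            " <sp:TransportToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:HttpsToken>\n" +
            " <!--<sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>-->\n" +
            " <sp:IssuerName>transmitter</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:HttpBasicAuthentication/>\n" +
            " </wsp:Policy>\n" +
            " </sp:HttpsToken>\n" +
            " </wsp:Policy>\n" +
            " </sp:TransportToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            " <sp:Layout>\n" +
            " <wsp:Policy>\n" +
            " <sp:Lax/>\n" +
            " </wsp:Policy>\n" +
            " </sp:Layout>\n" +
            " <sp:IncludeTimestamp/>\n" +
            " </wsp:Policy>\n" +
            " </sp:TransportBinding>\n" +
            " <sp:SignedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:SignedParts>\n" +
            " <sp:SignedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:SignedElements>\n" +
            " <sp:EncryptedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:EncryptedParts>\n" +
            " <sp:EncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:EncryptedElements>\n" +
            " <sp:ContentEncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
            " </sp:ContentEncryptedElements>\n" +
            " </wsp:All>\n" +
            " </wsp:ExactlyOne>";

        // Class-path test keystores and their (test-only) password, shared by both directions.
        ClassLoader classLoader = this.getClass().getClassLoader();
        char[] keystorePassword = "default".toCharArray();

        // Outbound: "transmitter" signs with its own key and encrypts for "receiver".
        WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
        outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        outSecurityProperties.setEncryptionUser("receiver");
        outSecurityProperties.loadEncryptionKeystore(classLoader.getResource("transmitter.jks"), keystorePassword);
        outSecurityProperties.setSignatureUser("transmitter");
        outSecurityProperties.loadSignatureKeyStore(classLoader.getResource("transmitter.jks"), keystorePassword);

        // Deliberately no TIMESTAMP action: this is the policy violation under test.
        List<WSSConstants.Action> actions = new ArrayList<>();
        actions.add(WSSConstants.SIGNATURE);
        actions.add(WSSConstants.ENCRYPTION);
        outSecurityProperties.setActions(actions);

        // The plain SOAP document is a class-path resource: close it once the secured message exists.
        ByteArrayOutputStream baos;
        try (InputStream sourceDocument = classLoader.getResourceAsStream("testdata/plain-soap-1.1.xml")) {
            baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
        }

        // Inbound: "receiver" verifies the transmitter's signature and decrypts with its own key.
        WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        inSecurityProperties.loadSignatureVerificationKeystore(classLoader.getResource("receiver.jks"), keystorePassword);
        inSecurityProperties.loadDecryptionKeystore(classLoader.getResource("receiver.jks"), keystorePassword);

        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, null));

        // No TLS connection exists here; the transport token is injected as a pre-built event matching
        // the policy's IssuerName / HttpBasicAuthentication so that sp:HttpsToken itself is satisfied
        // and only the missing timestamp can cause the rejection.
        HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
        httpsTokenSecurityEvent.setIssuerName("transmitter");
        httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
        HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "transmitter");
        httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);

        List<SecurityEvent> securityEventList = new ArrayList<>();
        securityEventList.add(httpsTokenSecurityEvent);

        try {
            Document document = doInboundSecurity(inSecurityProperties,
                    new ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);

            // Only reached if the enforcer wrongly accepted the message; serialize into a discarding
            // sink so the failure mode is the same as in the positive test, then fail explicitly.
            Transformer transformer = TransformerFactory.newInstance().newTransformer();
            transformer.transform(new DOMSource(document), new StreamResult(new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // output is intentionally discarded
                }
            }));
            fail("Exception expected");
        } catch (XMLStreamException e) {
            // The policy violation is reported as a WSSecurityException wrapped in the stream exception.
            Throwable cause = e.getCause();
            assertTrue(cause instanceof WSSecurityException, "cause should be a WSSecurityException but was " + cause);
            // JUnit's assertEquals takes (expected, actual); keeping that order gives readable failure output.
            assertEquals(
                "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp must be present",
                cause.getMessage());
            assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) cause).getFaultCode());
        }
    }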
268
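    /**
     * Positive case: the transport-binding policy of {@link #testIncludeTimestampPolicy()} extended
     * with an {@code sp:SignedSupportingTokens} assertion requiring a {@code sp:UsernameToken} with
     * {@code sp:NoPassword}.
     *
     * <p>The outbound side adds USERNAMETOKEN (password type {@code PASSWORD_NONE}, matching
     * {@code sp:NoPassword}) ahead of TIMESTAMP, SIGNATURE and ENCRYPTION; inbound processing through
     * the {@link PolicyEnforcer} must complete without throwing. The two
     * {@code ...NegativeTest} variants below leave the USERNAMETOKEN action out.
     *
     * @throws Exception on any outbound/inbound processing failure, which fails the test
     */
    @Test
    public void testIncludeTimestampAndSignedUsernameSupportingTokenPolicy() throws Exception {

        String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
            "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
            " <wsp:All>\n" +
            " <sp:TransportBinding>\n" +
            " <wsp:Policy>\n" +
            " <sp:TransportToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:HttpsToken>\n" +
            " <!--<sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>-->\n" +
            " <sp:IssuerName>transmitter</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:HttpBasicAuthentication/>\n" +
            " </wsp:Policy>\n" +
            " </sp:HttpsToken>\n" +
            " </wsp:Policy>\n" +
            " </sp:TransportToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            " <sp:Layout>\n" +
            " <wsp:Policy>\n" +
            " <sp:Lax/>\n" +
            " </wsp:Policy>\n" +
            " </sp:Layout>\n" +
            " <sp:IncludeTimestamp/>\n" +
            " </wsp:Policy>\n" +
            " </sp:TransportBinding>\n" +
            " <sp:SignedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:SignedParts>\n" +
            " <sp:SignedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:SignedElements>\n" +
            " <sp:EncryptedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:EncryptedParts>\n" +
            " <sp:EncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:EncryptedElements>\n" +
            " <sp:ContentEncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
            " </sp:ContentEncryptedElements>\n" +
            " <sp:SignedSupportingTokens>\n" +
            " <wsp:Policy>\n" +
            " <sp:UsernameToken sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
            " <wsp:Policy>\n" +
            " <sp:NoPassword/>\n" +
            " </wsp:Policy>\n" +
            " </sp:UsernameToken>\n" +
            " </wsp:Policy>\n" +
            " </sp:SignedSupportingTokens>\n" +
            " </wsp:All>\n" +
            " </wsp:ExactlyOne>";

        // Class-path test keystores and their (test-only) password, shared by both directions.
        ClassLoader classLoader = this.getClass().getClassLoader();
        char[] keystorePassword = "default".toCharArray();

        // Outbound: "transmitter" signs with its own key, encrypts for "receiver" and emits a
        // password-less UsernameToken for itself (PASSWORD_NONE corresponds to the policy's sp:NoPassword).
        WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
        outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        outSecurityProperties.setEncryptionUser("receiver");
        outSecurityProperties.loadEncryptionKeystore(classLoader.getResource("transmitter.jks"), keystorePassword);
        outSecurityProperties.setSignatureUser("transmitter");
        outSecurityProperties.setTokenUser("transmitter");
        outSecurityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
        outSecurityProperties.loadSignatureKeyStore(classLoader.getResource("transmitter.jks"), keystorePassword);

        List<WSSConstants.Action> actions = new ArrayList<>();
        actions.add(WSSConstants.USERNAMETOKEN);
        actions.add(WSSConstants.TIMESTAMP);
        actions.add(WSSConstants.SIGNATURE);
        actions.add(WSSConstants.ENCRYPTION);
        outSecurityProperties.setActions(actions);

        // The plain SOAP document is a class-path resource: close it once the secured message exists.
        ByteArrayOutputStream baos;
        try (InputStream sourceDocument = classLoader.getResourceAsStream("testdata/plain-soap-1.1.xml")) {
            baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
        }

        // Inbound: "receiver" verifies the transmitter's signature and decrypts with its own key.
        WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        inSecurityProperties.loadSignatureVerificationKeystore(classLoader.getResource("receiver.jks"), keystorePassword);
        inSecurityProperties.loadDecryptionKeystore(classLoader.getResource("receiver.jks"), keystorePassword);

        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, null));

        // No TLS connection exists here; the transport token the policy's sp:HttpsToken assertion
        // expects is injected as a pre-built event matching IssuerName / HttpBasicAuthentication.
        HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
        httpsTokenSecurityEvent.setIssuerName("transmitter");
        httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
        HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "transmitter");
        httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);

        List<SecurityEvent> securityEventList = new ArrayList<>();
        securityEventList.add(httpsTokenSecurityEvent);

        Document document = doInboundSecurity(inSecurityProperties,
                new ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);

        // Serialize the processed DOM into a sink that discards every byte — presumably a sanity check
        // that the document is left in a serializable state after inbound processing.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(new OutputStream() {
            @Override
            public void write(int b) throws IOException {
                // output is intentionally discarded
            }
        }));
    }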
383
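    /**
     * Negative case for {@link #testIncludeTimestampAndSignedUsernameSupportingTokenPolicy()}: the
     * policy requires a signed {@code sp:UsernameToken}, but the outbound side runs only TIMESTAMP,
     * SIGNATURE and ENCRYPTION, so no UsernameToken appears in the message.
     *
     * <p>Inbound processing must fail closed: the {@link PolicyEnforcer} is expected to reject the
     * message with a {@link WSSecurityException} (fault code {@code INVALID_SECURITY}) reporting the
     * unsatisfied UsernameToken assertion, surfaced wrapped in an {@link XMLStreamException}.
     *
     * @throws Exception on any failure other than the expected policy violation
     */
    @Test
    public void testIncludeTimestampAndSignedUsernameSupportingTokenPolicyNegativeTest() throws Exception {

        String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
            "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
            " <wsp:All>\n" +
            " <sp:TransportBinding>\n" +
            " <wsp:Policy>\n" +
            " <sp:TransportToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:HttpsToken>\n" +
            " <!--<sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>-->\n" +
            " <sp:IssuerName>transmitter</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:HttpBasicAuthentication/>\n" +
            " </wsp:Policy>\n" +
            " </sp:HttpsToken>\n" +
            " </wsp:Policy>\n" +
            " </sp:TransportToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            " <sp:Layout>\n" +
            " <wsp:Policy>\n" +
            " <sp:Lax/>\n" +
            " </wsp:Policy>\n" +
            " </sp:Layout>\n" +
            " <sp:IncludeTimestamp/>\n" +
            " </wsp:Policy>\n" +
            " </sp:TransportBinding>\n" +
            " <sp:SignedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:SignedParts>\n" +
            " <sp:SignedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:SignedElements>\n" +
            " <sp:EncryptedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:EncryptedParts>\n" +
            " <sp:EncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:EncryptedElements>\n" +
            " <sp:ContentEncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
            " </sp:ContentEncryptedElements>\n" +
            " <sp:SignedSupportingTokens>\n" +
            " <wsp:Policy>\n" +
            " <sp:UsernameToken sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
            " <wsp:Policy>\n" +
            " <sp:NoPassword/>\n" +
            " </wsp:Policy>\n" +
            " </sp:UsernameToken>\n" +
            " </wsp:Policy>\n" +
            " </sp:SignedSupportingTokens>\n" +
            " </wsp:All>\n" +
            " </wsp:ExactlyOne>";

        // Class-path test keystores and their (test-only) password, shared by both directions.
        ClassLoader classLoader = this.getClass().getClassLoader();
        char[] keystorePassword = "default".toCharArray();

        // Outbound: configured for a password-less UsernameToken exactly like the positive test, but the
        // USERNAMETOKEN action is deliberately not run below, so the token never reaches the message.
        WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
        outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        outSecurityProperties.setEncryptionUser("receiver");
        outSecurityProperties.loadEncryptionKeystore(classLoader.getResource("transmitter.jks"), keystorePassword);
        outSecurityProperties.setSignatureUser("transmitter");
        outSecurityProperties.setTokenUser("transmitter");
        outSecurityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
        outSecurityProperties.loadSignatureKeyStore(classLoader.getResource("transmitter.jks"), keystorePassword);

        // No USERNAMETOKEN action: this is the policy violation under test.
        List<WSSConstants.Action> actions = new ArrayList<>();
        actions.add(WSSConstants.TIMESTAMP);
        actions.add(WSSConstants.SIGNATURE);
        actions.add(WSSConstants.ENCRYPTION);
        outSecurityProperties.setActions(actions);

        // The plain SOAP document is a class-path resource: close it once the secured message exists.
        ByteArrayOutputStream baos;
        try (InputStream sourceDocument = classLoader.getResourceAsStream("testdata/plain-soap-1.1.xml")) {
            baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
        }

        // Inbound: "receiver" verifies the transmitter's signature and decrypts with its own key.
        WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        inSecurityProperties.loadSignatureVerificationKeystore(classLoader.getResource("receiver.jks"), keystorePassword);
        inSecurityProperties.loadDecryptionKeystore(classLoader.getResource("receiver.jks"), keystorePassword);

        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, null));

        // No TLS connection exists here; the transport token is injected as a pre-built event matching
        // the policy's IssuerName / HttpBasicAuthentication so that sp:HttpsToken itself is satisfied
        // and only the missing UsernameToken can cause the rejection.
        HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
        httpsTokenSecurityEvent.setIssuerName("transmitter");
        httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
        HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "transmitter");
        httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);

        List<SecurityEvent> securityEventList = new ArrayList<>();
        securityEventList.add(httpsTokenSecurityEvent);

        try {
            Document document = doInboundSecurity(inSecurityProperties,
                    new ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);

            // Only reached if the enforcer wrongly accepted the message; serialize into a discarding
            // sink so the failure mode is the same as in the positive test, then fail explicitly.
            Transformer transformer = TransformerFactory.newInstance().newTransformer();
            transformer.transform(new DOMSource(document), new StreamResult(new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // output is intentionally discarded
                }
            }));
            fail("Exception expected");
        } catch (XMLStreamException e) {
            // The policy violation is reported as a WSSecurityException wrapped in the stream exception.
            Throwable cause = e.getCause();
            assertTrue(cause instanceof WSSecurityException, "cause should be a WSSecurityException but was " + cause);
            // JUnit's assertEquals takes (expected, actual); keeping that order gives readable failure output.
            assertEquals(
                "Assertion {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken not satisfied",
                cause.getMessage());
            assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) cause).getFaultCode());
        }
    }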
505
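    /**
     * Second negative case for the signed-UsernameToken supporting-token policy, with a reduced
     * transport binding: no {@code sp:IncludeTimestamp} and no signed/encrypted parts or elements,
     * only the {@code sp:HttpsToken}, algorithm suite, layout and the {@code sp:SignedSupportingTokens}
     * UsernameToken requirement.
     *
     * <p>The outbound side runs SIGNATURE and ENCRYPTION only, so the required UsernameToken is
     * absent and the {@link PolicyEnforcer} must reject the message with a
     * {@link WSSecurityException} (fault code {@code INVALID_SECURITY}) for the unsatisfied
     * UsernameToken assertion. Unlike the sibling tests, the {@link PolicyInputProcessor} is given
     * the inbound security properties instead of {@code null}.
     *
     * @throws Exception on any failure other than the expected policy violation
     */
    @Test
    public void testIncludeTimestampAndSignedUsernameSupportingTokenPolicyNegativeTest_2() throws Exception {

        String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
            "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
            " <wsp:All>\n" +
            " <sp:TransportBinding>\n" +
            " <wsp:Policy>\n" +
            " <sp:TransportToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:HttpsToken>\n" +
            " <!--<sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>-->\n" +
            " <sp:IssuerName>transmitter</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:HttpBasicAuthentication/>\n" +
            " </wsp:Policy>\n" +
            " </sp:HttpsToken>\n" +
            " </wsp:Policy>\n" +
            " </sp:TransportToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            " <sp:Layout>\n" +
            " <wsp:Policy>\n" +
            " <sp:Lax/>\n" +
            " </wsp:Policy>\n" +
            " </sp:Layout>\n" +
            " </wsp:Policy>\n" +
            " </sp:TransportBinding>\n" +
            " <sp:SignedSupportingTokens>\n" +
            " <wsp:Policy>\n" +
            " <sp:UsernameToken sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
            " <wsp:Policy>\n" +
            " <sp:NoPassword/>\n" +
            " </wsp:Policy>\n" +
            " </sp:UsernameToken>\n" +
            " </wsp:Policy>\n" +
            " </sp:SignedSupportingTokens>\n" +
            " </wsp:All>\n" +
            " </wsp:ExactlyOne>";

        // Class-path test keystores and their (test-only) password, shared by both directions.
        ClassLoader classLoader = this.getClass().getClassLoader();
        char[] keystorePassword = "default".toCharArray();

        // Outbound: configured for a password-less UsernameToken, but the USERNAMETOKEN action is
        // deliberately not run below, so the token never reaches the message.
        WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
        outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        outSecurityProperties.setEncryptionUser("receiver");
        outSecurityProperties.loadEncryptionKeystore(classLoader.getResource("transmitter.jks"), keystorePassword);
        outSecurityProperties.setSignatureUser("transmitter");
        outSecurityProperties.setTokenUser("transmitter");
        outSecurityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
        outSecurityProperties.loadSignatureKeyStore(classLoader.getResource("transmitter.jks"), keystorePassword);

        // Neither USERNAMETOKEN nor TIMESTAMP: the policy above does not ask for a timestamp, so the
        // missing UsernameToken is the only violation.
        List<WSSConstants.Action> actions = new ArrayList<>();
        actions.add(WSSConstants.SIGNATURE);
        actions.add(WSSConstants.ENCRYPTION);
        outSecurityProperties.setActions(actions);

        // The plain SOAP document is a class-path resource: close it once the secured message exists.
        ByteArrayOutputStream baos;
        try (InputStream sourceDocument = classLoader.getResourceAsStream("testdata/plain-soap-1.1.xml")) {
            baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
        }

        // Inbound: "receiver" verifies the transmitter's signature and decrypts with its own key.
        WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        inSecurityProperties.loadSignatureVerificationKeystore(classLoader.getResource("receiver.jks"), keystorePassword);
        inSecurityProperties.loadDecryptionKeystore(classLoader.getResource("receiver.jks"), keystorePassword);

        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        // The processor is handed the security properties here (the other tests pass null);
        // what the processor reads from them is not visible in this file — confirm against
        // PolicyInputProcessor before relying on it.
        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));

        // No TLS connection exists here; the transport token is injected as a pre-built event matching
        // the policy's IssuerName / HttpBasicAuthentication so that sp:HttpsToken itself is satisfied.
        HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
        httpsTokenSecurityEvent.setIssuerName("transmitter");
        httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
        HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "transmitter");
        httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);

        List<SecurityEvent> securityEventList = new ArrayList<>();
        securityEventList.add(httpsTokenSecurityEvent);

        try {
            Document document = doInboundSecurity(inSecurityProperties,
                    new ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);

            // Only reached if the enforcer wrongly accepted the message; serialize into a discarding
            // sink so the failure mode is the same as in the positive test, then fail explicitly.
            Transformer transformer = TransformerFactory.newInstance().newTransformer();
            transformer.transform(new DOMSource(document), new StreamResult(new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // output is intentionally discarded
                }
            }));
            fail("Exception expected");
        } catch (XMLStreamException e) {
            // The policy violation is reported as a WSSecurityException wrapped in the stream exception.
            Throwable cause = e.getCause();
            assertTrue(cause instanceof WSSecurityException, "cause should be a WSSecurityException but was " + cause);
            // JUnit's assertEquals takes (expected, actual); keeping that order gives readable failure output.
            assertEquals(
                "Assertion {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken not satisfied",
                cause.getMessage());
            assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) cause).getFaultCode());
        }
    }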
606
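    /**
     * Positive case: same transport binding as {@link #testIncludeTimestampPolicy()}, but the
     * supporting token is now required through {@code sp:SignedEncryptedSupportingTokens} — the
     * {@code sp:UsernameToken} (with {@code sp:NoPassword}) must be both signed and encrypted.
     *
     * <p>The outbound side runs USERNAMETOKEN (password type {@code PASSWORD_NONE}), TIMESTAMP,
     * SIGNATURE and ENCRYPTION; inbound processing through the {@link PolicyEnforcer} must complete
     * without throwing.
     *
     * @throws Exception on any outbound/inbound processing failure, which fails the test
     */
    @Test
    public void testIncludeTimestampAndSignedEncryptedUsernameSupportingTokenPolicy() throws Exception {

        String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
            "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
            " <wsp:All>\n" +
            " <sp:TransportBinding>\n" +
            " <wsp:Policy>\n" +
            " <sp:TransportToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:HttpsToken>\n" +
            " <!--<sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>-->\n" +
            " <sp:IssuerName>transmitter</sp:IssuerName>\n" +
            " <wsp:Policy>\n" +
            " <sp:HttpBasicAuthentication/>\n" +
            " </wsp:Policy>\n" +
            " </sp:HttpsToken>\n" +
            " </wsp:Policy>\n" +
            " </sp:TransportToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            " <sp:Layout>\n" +
            " <wsp:Policy>\n" +
            " <sp:Lax/>\n" +
            " </wsp:Policy>\n" +
            " </sp:Layout>\n" +
            " <sp:IncludeTimestamp/>\n" +
            " </wsp:Policy>\n" +
            " </sp:TransportBinding>\n" +
            " <sp:SignedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:SignedParts>\n" +
            " <sp:SignedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:SignedElements>\n" +
            " <sp:EncryptedParts>\n" +
            " <sp:Body/>\n" +
            " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
            " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
            " </sp:EncryptedParts>\n" +
            " <sp:EncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
            " </sp:EncryptedElements>\n" +
            " <sp:ContentEncryptedElements>\n" +
            " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
            " </sp:ContentEncryptedElements>\n" +
            " <sp:SignedEncryptedSupportingTokens>\n" +
            " <wsp:Policy>\n" +
            " <sp:UsernameToken sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
            " <wsp:Policy>\n" +
            " <sp:NoPassword/>\n" +
            " </wsp:Policy>\n" +
            " </sp:UsernameToken>\n" +
            " </wsp:Policy>\n" +
            " </sp:SignedEncryptedSupportingTokens>\n" +
            " </wsp:All>\n" +
            " </wsp:ExactlyOne>";

        // Class-path test keystores and their (test-only) password, shared by both directions.
        ClassLoader classLoader = this.getClass().getClassLoader();
        char[] keystorePassword = "default".toCharArray();

        // Outbound: "transmitter" signs with its own key, encrypts for "receiver" and emits a
        // password-less UsernameToken for itself (PASSWORD_NONE corresponds to the policy's sp:NoPassword).
        WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
        outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        outSecurityProperties.setEncryptionUser("receiver");
        outSecurityProperties.loadEncryptionKeystore(classLoader.getResource("transmitter.jks"), keystorePassword);
        outSecurityProperties.setSignatureUser("transmitter");
        outSecurityProperties.setTokenUser("transmitter");
        outSecurityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
        outSecurityProperties.loadSignatureKeyStore(classLoader.getResource("transmitter.jks"), keystorePassword);

        List<WSSConstants.Action> actions = new ArrayList<>();
        actions.add(WSSConstants.USERNAMETOKEN);
        actions.add(WSSConstants.TIMESTAMP);
        actions.add(WSSConstants.SIGNATURE);
        actions.add(WSSConstants.ENCRYPTION);
        outSecurityProperties.setActions(actions);

        // The plain SOAP document is a class-path resource: close it once the secured message exists.
        ByteArrayOutputStream baos;
        try (InputStream sourceDocument = classLoader.getResourceAsStream("testdata/plain-soap-1.1.xml")) {
            baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
        }

        // Inbound: "receiver" verifies the transmitter's signature and decrypts with its own key.
        WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
        inSecurityProperties.loadSignatureVerificationKeystore(classLoader.getResource("receiver.jks"), keystorePassword);
        inSecurityProperties.loadDecryptionKeystore(classLoader.getResource("receiver.jks"), keystorePassword);

        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, null));

        // No TLS connection exists here; the transport token the policy's sp:HttpsToken assertion
        // expects is injected as a pre-built event matching IssuerName / HttpBasicAuthentication.
        HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
        httpsTokenSecurityEvent.setIssuerName("transmitter");
        httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
        HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "transmitter");
        httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);

        List<SecurityEvent> securityEventList = new ArrayList<>();
        securityEventList.add(httpsTokenSecurityEvent);

        Document document = doInboundSecurity(inSecurityProperties,
                new ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);

        // Serialize the processed DOM into a sink that discards every byte — presumably a sanity check
        // that the document is left in a serializable state after inbound processing.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(new OutputStream() {
            @Override
            public void write(int b) throws IOException {
                // output is intentionally discarded
            }
        }));
    }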
721
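@Test
/**
 * Positive case: a TransportBinding policy with an HTTPS transport token
 * (HTTP basic authentication, issuer "transmitter"), a Basic256 algorithm
 * suite, lax layout, a timestamp, signed/encrypted parts and a signed
 * supporting UsernameToken without password.
 *
 * <p>The outbound side only runs the USERNAMETOKEN, TIMESTAMP and ENCRYPTION
 * actions (no SIGNATURE action) and encrypts the SOAP body content; the
 * inbound side feeds a matching {@link HttpsTokenSecurityEvent} to the policy
 * enforcer and must complete without a policy violation. The signature
 * requirements are presumably covered by the transport token under a
 * TransportBinding — verify against the enforcer if this assumption matters.
 *
 * @throws Exception if outbound or inbound processing, or the policy check, fails
 */
public void testIncludeTimestampAndProtectionOrderEncryptBeforeSignAndSignedUsernameSupportingTokenPolicyTest() throws Exception {

    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:TransportBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:TransportToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:HttpsToken>\n" +
        " <!--<sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>-->\n" +
        " <sp:IssuerName>transmitter</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:HttpBasicAuthentication/>\n" +
        " </wsp:Policy>\n" +
        " </sp:HttpsToken>\n" +
        " </wsp:Policy>\n" +
        " </sp:TransportToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:Layout>\n" +
        " <wsp:Policy>\n" +
        " <sp:Lax/>\n" +
        " </wsp:Policy>\n" +
        " </sp:Layout>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " </wsp:Policy>\n" +
        " </sp:TransportBinding>\n" +
        " <sp:SignedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:SignedParts>\n" +
        " <sp:SignedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:SignedElements>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:SignedSupportingTokens>\n" +
        " <wsp:Policy>\n" +
        " <sp:UsernameToken sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
        " <wsp:Policy>\n" +
        " <sp:NoPassword/>\n" +
        " </wsp:Policy>\n" +
        " </sp:UsernameToken>\n" +
        " </wsp:Policy>\n" +
        " </sp:SignedSupportingTokens>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    // Outbound (sender) configuration: test keystore "transmitter.jks", encryption for "receiver".
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.setTokenUser("transmitter");
    // Matches <sp:NoPassword/> in the policy: the UsernameToken carries no password at all.
    outSecurityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    // Note: deliberately no SIGNATURE action on the outbound side.
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.USERNAMETOKEN);
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath resource once the secured message has been produced.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound (receiver) configuration: verification and decryption keys from "receiver.jks".
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, null));

    // The transport-level authentication result is not part of the message; the container
    // reports it as a security event. Issuer name and authentication type agree with the policy.
    HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
    httpsTokenSecurityEvent.setIssuerName("transmitter");
    httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
    HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "transmitter");
    httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
    httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);

    List<SecurityEvent> securityEventList = new ArrayList<>();
    securityEventList.add(httpsTokenSecurityEvent);

    Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);

    // Walk the whole processed document; the serialised output itself is discarded
    // (presumably this surfaces any error deferred until the DOM is fully traversed — verify).
    Transformer transformer = TransformerFactory.newInstance().newTransformer();
    transformer.transform(new DOMSource(document), new StreamResult(
        new OutputStream() {
            @Override
            public void write(int b) throws IOException {
                // intentionally a no-op sink
            }
        }
    ));
}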
829
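@Test
/**
 * Positive case for HTTPS client-certificate authentication: the policy's
 * HttpsToken requires a client certificate and names the issuer
 * "CN=transmitter,OU=swssf,C=CH"; the {@link HttpsTokenSecurityEvent} handed
 * to the policy enforcer reports exactly that subject and authentication
 * type, so the inbound run must succeed.
 *
 * <p>The signed/encrypted element XPaths here are absolute paths into the
 * wsse:Security header (Timestamp/Created, Timestamp/Expires) rather than the
 * short wsu-prefixed forms used by the sibling tests.
 *
 * @throws Exception if outbound or inbound processing, or the policy check, fails
 */
public void testHttpsClientAuthenticationIncludeTimestampAndSignedUsernameSupportingTokenPolicy() throws Exception {

    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:TransportBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:TransportToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:HttpsToken>\n" +
        " <!--<sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>-->\n" +
        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:RequireClientCertificate/>\n" +
        " </wsp:Policy>\n" +
        " </sp:HttpsToken>\n" +
        " </wsp:Policy>\n" +
        " </sp:TransportToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:Layout>\n" +
        " <wsp:Policy>\n" +
        " <sp:Lax/>\n" +
        " </wsp:Policy>\n" +
        " </sp:Layout>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " </wsp:Policy>\n" +
        " </sp:TransportBinding>\n" +
        " <sp:SignedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:SignedParts>\n" +
        " <sp:SignedElements>\n" +
        " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
        " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
        " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
        " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
        " </sp:XPath>\n" +
        " </sp:SignedElements>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
        " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
        " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
        " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
        " </sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " <sp:ContentEncryptedElements>\n" +
        " <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
        " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
        " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
        " /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Expires" +
        " </sp:XPath>\n" +
        " </sp:ContentEncryptedElements>\n" +
        " <sp:SignedSupportingTokens>\n" +
        " <wsp:Policy>\n" +
        " <sp:UsernameToken sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
        " <wsp:Policy>\n" +
        " <!--<sp:HashPassword/>-->\n" +
        " <sp:NoPassword/>\n" +
        " <!--<sp:Created/>\n" +
        " <sp:Nonce/>-->\n" +
        " </wsp:Policy>\n" +
        " </sp:UsernameToken>\n" +
        " </wsp:Policy>\n" +
        " </sp:SignedSupportingTokens>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    // Outbound (sender) configuration.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.setTokenUser("transmitter");
    // <sp:NoPassword/>: the UsernameToken is sent without a password element.
    outSecurityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    // Sign the body element and encrypt the body content.
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.USERNAMETOKEN);
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath resource once the secured message has been produced.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound (receiver) configuration.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, null));

    // Transport-level client-certificate authentication is reported to the enforcer as an event;
    // the subject DN must match the policy's IssuerName (see the negative sibling test).
    HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
    httpsTokenSecurityEvent.setIssuerName("CN=transmitter,OU=swssf,C=CH");
    httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpsClientCertificateAuthentication);
    HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "CN=transmitter,OU=swssf,C=CH");
    httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
    httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);

    List<SecurityEvent> securityEventList = new ArrayList<>();
    securityEventList.add(httpsTokenSecurityEvent);

    Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);

    // Walk the whole processed document into a discarding sink.
    Transformer transformer = TransformerFactory.newInstance().newTransformer();
    transformer.transform(new DOMSource(document), new StreamResult(
        new OutputStream() {
            @Override
            public void write(int b) throws IOException {
                // intentionally a no-op sink
            }
        }
    ));
}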
961
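@Test
/**
 * Negative case for HTTPS client-certificate authentication: the policy
 * requires issuer "CN=transmitter,OU=swssf,C=CH" but the
 * {@link HttpsTokenSecurityEvent} reports "CN=example,OU=swssf,C=CH".
 *
 * <p>The message itself is well-formed and correctly signed/encrypted; the
 * rejection must come purely from the policy enforcer, which compares the
 * transport-level identity asserted by the container against the policy.
 * Expected outcome: an {@link XMLStreamException} whose cause is a
 * {@link WSSecurityException} with fault code
 * {@link WSSecurityException#INVALID_SECURITY} and the issuer-mismatch message.
 *
 * @throws Exception if the test setup fails for a reason other than the expected policy violation
 */
public void testHttpsClientAuthenticationPolicyNegative() throws Exception {

    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:TransportBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:TransportToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:HttpsToken>\n" +
        " <!--<sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>-->\n" +
        " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:RequireClientCertificate/>\n" +
        " </wsp:Policy>\n" +
        " </sp:HttpsToken>\n" +
        " </wsp:Policy>\n" +
        " </sp:TransportToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:Layout>\n" +
        " <wsp:Policy>\n" +
        " <sp:Lax/>\n" +
        " </wsp:Policy>\n" +
        " </sp:Layout>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " </wsp:Policy>\n" +
        " </sp:TransportBinding>\n" +
        " <sp:SignedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:SignedParts>\n" +
        " <sp:SignedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:SignedElements>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " <sp:ContentEncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
        " </sp:ContentEncryptedElements>\n" +
        " <sp:SignedSupportingTokens>\n" +
        " <wsp:Policy>\n" +
        " <sp:UsernameToken sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
        " <wsp:Policy>\n" +
        " <!--<sp:HashPassword/>-->\n" +
        " <sp:NoPassword/>\n" +
        " <!--<sp:Created/>\n" +
        " <sp:Nonce/>-->\n" +
        " </wsp:Policy>\n" +
        " </sp:UsernameToken>\n" +
        " </wsp:Policy>\n" +
        " </sp:SignedSupportingTokens>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    // Outbound (sender) configuration — identical to the positive client-certificate test.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.setTokenUser("transmitter");
    outSecurityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.USERNAMETOKEN);
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath resource once the secured message has been produced.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound (receiver) configuration.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, null));

    // The only deviation from the positive test: the container reports a different client
    // certificate subject than the one the policy names.
    HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
    httpsTokenSecurityEvent.setIssuerName("CN=example,OU=swssf,C=CH");
    httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpsClientCertificateAuthentication);
    HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "CN=example,OU=swssf,C=CH");
    httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
    httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);

    List<SecurityEvent> securityEventList = new ArrayList<>();
    securityEventList.add(httpsTokenSecurityEvent);

    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);

        // Walk the whole processed document so that a deferred rejection would also surface here.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
            new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // intentionally a no-op sink
                }
            }
        ));
        // fail() throws an assertion error, which the catch below does not swallow.
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof WSSecurityException);
        // JUnit order is (expected, actual) so a mismatch is reported the right way round.
        assertEquals(
            "IssuerName in Policy (CN=transmitter,OU=swssf,C=CH) didn't match with the one in the HttpsToken (CN=example,OU=swssf,C=CH)",
            e.getCause().getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) e.getCause()).getFaultCode());
    }
}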
1089
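@Test
/**
 * Negative case for algorithm-suite enforcement on the signature algorithm:
 * the policy demands the Basic256 suite, but the sender signs with
 * rsa-sha512 ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512").
 *
 * <p>BSP rule R5421 is relaxed on the inbound side so the message reaches the
 * policy check (presumably the BSP conformance check would otherwise reject
 * the non-default algorithm first — verify). Expected outcome: an
 * {@link XMLStreamException} caused by a {@link WSSecurityException} with
 * fault code {@link WSSecurityException#INVALID_SECURITY} and the
 * "does not meet policy" message.
 *
 * @throws Exception if the test setup fails for a reason other than the expected policy violation
 */
public void testSignatureAlgorithmSuiteNegative() throws Exception {

    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:TransportBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:TransportToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:HttpsToken>\n" +
        " <!--<sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>-->\n" +
        " <sp:IssuerName>transmitter</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:HttpBasicAuthentication/>\n" +
        " </wsp:Policy>\n" +
        " </sp:HttpsToken>\n" +
        " </wsp:Policy>\n" +
        " </sp:TransportToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:Layout>\n" +
        " <wsp:Policy>\n" +
        " <sp:Lax/>\n" +
        " </wsp:Policy>\n" +
        " </sp:Layout>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " </wsp:Policy>\n" +
        " </sp:TransportBinding>\n" +
        " <sp:SignedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:SignedParts>\n" +
        " <sp:SignedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:SignedElements>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " <sp:ContentEncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
        " </sp:ContentEncryptedElements>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    // Outbound (sender) configuration; no UsernameToken in this test.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    // The deliberate policy violation: a signature algorithm outside the Basic256 suite.
    outSecurityProperties.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");

    // Sign the Timestamp and the Body; encrypt Created (element), Expires (content) and the Body content.
    outSecurityProperties.addSignaturePart(new SecurePart(new QName(WSSConstants.TAG_WSU_TIMESTAMP.getNamespaceURI(), WSSConstants.TAG_WSU_TIMESTAMP.getLocalPart()), SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(new QName(WSSConstants.TAG_WSU_CREATED.getNamespaceURI(), WSSConstants.TAG_WSU_CREATED.getLocalPart()), SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(new QName(WSSConstants.TAG_WSU_EXPIRES.getNamespaceURI(), WSSConstants.TAG_WSU_EXPIRES.getLocalPart()), SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath resource once the secured message has been produced.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound (receiver) configuration.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    // Relax this BSP rule so the policy enforcer, not the BSP check, is what rejects the message.
    inSecurityProperties.addIgnoreBSPRule(BSPRule.R5421);

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, null));

    // Transport token event consistent with the policy (issuer "transmitter", basic auth).
    HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
    httpsTokenSecurityEvent.setIssuerName("transmitter");
    httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
    HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "transmitter");
    httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
    httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);

    List<SecurityEvent> securityEventList = new ArrayList<>();
    securityEventList.add(httpsTokenSecurityEvent);

    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);

        // Walk the whole processed document so that a deferred rejection would also surface here.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
            new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // intentionally a no-op sink
                }
            }
        ));
        // fail() throws an assertion error, which the catch below does not swallow.
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof WSSecurityException);
        // JUnit order is (expected, actual) so a mismatch is reported the right way round.
        assertEquals(
            "Asymmetric algorithm http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 does not meet policy",
            e.getCause().getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) e.getCause()).getFaultCode());
    }
}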
1207
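@Test
/**
 * Negative case for algorithm-suite enforcement on the canonicalization
 * algorithm: the policy demands the Basic256 suite, but the sender
 * canonicalizes the signature with C14N 1.1
 * ("http://www.w3.org/2006/12/xml-c14n11").
 *
 * <p>BSP rules R5404, R5423 and R5412 are relaxed on the inbound side so the
 * message reaches the policy check (presumably the BSP conformance check would
 * otherwise reject the non-default C14N algorithm first — verify). Expected
 * outcome: an {@link XMLStreamException} caused by a {@link WSSecurityException}
 * with fault code {@link WSSecurityException#INVALID_SECURITY} and the
 * "does not meet policy" message.
 *
 * @throws Exception if the test setup fails for a reason other than the expected policy violation
 */
public void testC14NAlgorithmSuiteNegative() throws Exception {

    String policyString =
        "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
        " <wsp:All>\n" +
        " <sp:TransportBinding>\n" +
        " <wsp:Policy>\n" +
        " <sp:TransportToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:HttpsToken>\n" +
        " <!--<sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>-->\n" +
        " <sp:IssuerName>transmitter</sp:IssuerName>\n" +
        " <wsp:Policy>\n" +
        " <sp:HttpBasicAuthentication/>\n" +
        " </wsp:Policy>\n" +
        " </sp:HttpsToken>\n" +
        " </wsp:Policy>\n" +
        " </sp:TransportToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        " <sp:Layout>\n" +
        " <wsp:Policy>\n" +
        " <sp:Lax/>\n" +
        " </wsp:Policy>\n" +
        " </sp:Layout>\n" +
        " <sp:IncludeTimestamp/>\n" +
        " </wsp:Policy>\n" +
        " </sp:TransportBinding>\n" +
        " <sp:SignedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:SignedParts>\n" +
        " <sp:SignedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:SignedElements>\n" +
        " <sp:EncryptedParts>\n" +
        " <sp:Body/>\n" +
        " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
        " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
        " </sp:EncryptedParts>\n" +
        " <sp:EncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
        " </sp:EncryptedElements>\n" +
        " <sp:ContentEncryptedElements>\n" +
        " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
        " </sp:ContentEncryptedElements>\n" +
        " </wsp:All>\n" +
        " </wsp:ExactlyOne>";

    // Outbound (sender) configuration; no UsernameToken in this test.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    // The deliberate policy violation: a C14N algorithm outside the Basic256 suite.
    outSecurityProperties.setSignatureCanonicalizationAlgorithm("http://www.w3.org/2006/12/xml-c14n11");

    // Sign the Timestamp and the Body; encrypt Created (element), Expires (content) and the Body content.
    outSecurityProperties.addSignaturePart(new SecurePart(new QName(WSSConstants.TAG_WSU_TIMESTAMP.getNamespaceURI(), WSSConstants.TAG_WSU_TIMESTAMP.getLocalPart()), SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(new QName(WSSConstants.TAG_WSU_CREATED.getNamespaceURI(), WSSConstants.TAG_WSU_CREATED.getLocalPart()), SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(new QName(WSSConstants.TAG_WSU_EXPIRES.getNamespaceURI(), WSSConstants.TAG_WSU_EXPIRES.getLocalPart()), SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // Close the classpath resource once the secured message has been produced.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound (receiver) configuration.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    // Relax these BSP rules so the policy enforcer, not the BSP check, is what rejects the message.
    inSecurityProperties.addIgnoreBSPRule(BSPRule.R5404);
    inSecurityProperties.addIgnoreBSPRule(BSPRule.R5423);
    inSecurityProperties.addIgnoreBSPRule(BSPRule.R5412);

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, null));

    // Transport token event consistent with the policy (issuer "transmitter", basic auth).
    HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
    httpsTokenSecurityEvent.setIssuerName("transmitter");
    httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
    HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "transmitter");
    httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
    httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);

    List<SecurityEvent> securityEventList = new ArrayList<>();
    securityEventList.add(httpsTokenSecurityEvent);

    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);

        // Walk the whole processed document so that a deferred rejection would also surface here.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
            new OutputStream() {
                @Override
                public void write(int b) throws IOException {
                    // intentionally a no-op sink
                }
            }
        ));
        // fail() throws an assertion error, which the catch below does not swallow.
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof WSSecurityException);
        // JUnit order is (expected, actual) so a mismatch is reported the right way round.
        assertEquals(
            "C14N algorithm http://www.w3.org/2006/12/xml-c14n11 does not meet policy",
            e.getCause().getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) e.getCause()).getFaultCode());
    }
}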
1327
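@Test
/**
 * Negative test for the {@code sp:AlgorithmSuite} assertion of a TransportBinding.
 *
 * <p>The policy demands {@code sp:Basic256}, but the outbound side encrypts with
 * {@code http://www.w3.org/2001/04/xmlenc#tripledes-cbc}. The inbound
 * {@link PolicyInputProcessor} must therefore reject the message: the expected failure is an
 * {@link XMLStreamException} whose cause is a {@link WSSecurityException} with fault code
 * {@link WSSecurityException#INVALID_SECURITY} and a message naming both the offending
 * algorithm and its 192-bit key length.
 *
 * <p>Note that the policy also lists signed/encrypted parts and a Basic256 requirement that the
 * outbound side only partially honours on purpose; nothing else in the policy is expected to
 * be reported before the algorithm-suite violation.
 *
 * @throws Exception on any unexpected setup or processing failure (the expected
 *                   {@code XMLStreamException} is caught and asserted on inside the method)
 */
public void testEncryptionAlgorithmSuiteNegative() throws Exception {

    String policyString =
            "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
                    "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
                    " <wsp:All>\n" +
                    " <sp:TransportBinding>\n" +
                    " <wsp:Policy>\n" +
                    " <sp:TransportToken>\n" +
                    " <wsp:Policy>\n" +
                    " <sp:HttpsToken>\n" +
                    " <!--<sp:Issuer>wsa:EndpointReferenceType</sp:Issuer>-->\n" +
                    " <sp:IssuerName>transmitter</sp:IssuerName>\n" +
                    " <wsp:Policy>\n" +
                    " <sp:HttpBasicAuthentication/>\n" +
                    " </wsp:Policy>\n" +
                    " </sp:HttpsToken>\n" +
                    " </wsp:Policy>\n" +
                    " </sp:TransportToken>\n" +
                    " <sp:AlgorithmSuite>\n" +
                    " <wsp:Policy>\n" +
                    " <sp:Basic256/>\n" +
                    " </wsp:Policy>\n" +
                    " </sp:AlgorithmSuite>\n" +
                    " <sp:Layout>\n" +
                    " <wsp:Policy>\n" +
                    " <sp:Lax/>\n" +
                    " </wsp:Policy>\n" +
                    " </sp:Layout>\n" +
                    " <sp:IncludeTimestamp/>\n" +
                    " </wsp:Policy>\n" +
                    " </sp:TransportBinding>\n" +
                    " <sp:SignedParts>\n" +
                    " <sp:Body/>\n" +
                    " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
                    " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                    " </sp:SignedParts>\n" +
                    " <sp:SignedElements>\n" +
                    " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
                    " </sp:SignedElements>\n" +
                    " <sp:EncryptedParts>\n" +
                    " <sp:Body/>\n" +
                    " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
                    " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                    " </sp:EncryptedParts>\n" +
                    " <sp:EncryptedElements>\n" +
                    " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
                    " </sp:EncryptedElements>\n" +
                    " <sp:ContentEncryptedElements>\n" +
                    " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
                    " </sp:ContentEncryptedElements>\n" +
                    " </wsp:All>\n" +
                    " </wsp:ExactlyOne>";

    // Outbound side: deliberately picks 3DES-CBC, which the Basic256 suite above does not allow.
    WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
    outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    outSecurityProperties.setEncryptionUser("receiver");
    outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
    outSecurityProperties.setEncryptionSymAlgorithm("http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
    outSecurityProperties.setSignatureUser("transmitter");
    outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());

    outSecurityProperties.addSignaturePart(new SecurePart(new QName(WSSConstants.TAG_WSU_TIMESTAMP.getNamespaceURI(), WSSConstants.TAG_WSU_TIMESTAMP.getLocalPart()), SecurePart.Modifier.Element));
    outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(new QName(WSSConstants.TAG_WSU_CREATED.getNamespaceURI(), WSSConstants.TAG_WSU_CREATED.getLocalPart()), SecurePart.Modifier.Element));
    outSecurityProperties.addEncryptionPart(new SecurePart(new QName(WSSConstants.TAG_WSU_EXPIRES.getNamespaceURI(), WSSConstants.TAG_WSU_EXPIRES.getLocalPart()), SecurePart.Modifier.Content));
    outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_SOAP11_BODY, SecurePart.Modifier.Content));
    List<WSSConstants.Action> actions = new ArrayList<>();
    actions.add(WSSConstants.TIMESTAMP);
    actions.add(WSSConstants.SIGNATURE);
    actions.add(WSSConstants.ENCRYPTION);
    outSecurityProperties.setActions(actions);

    // The classpath resource stream was previously never closed; try-with-resources guarantees
    // release regardless of whether the outbound helper closes it itself.
    ByteArrayOutputStream baos;
    try (InputStream sourceDocument =
                 this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")) {
        baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
    }

    // Inbound side: verification + decryption keys, and the policy enforcer under test.
    WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
    inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
    inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
    inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());

    PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
    inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, null));

    // The transport token is not carried in the message; it is fed in as a pre-existing
    // security event, as a real transport layer would do after TLS/HTTP authentication.
    HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
    httpsTokenSecurityEvent.setIssuerName("transmitter");
    httpsTokenSecurityEvent.setAuthenticationType(HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication);
    HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "transmitter");
    httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
    httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);

    List<SecurityEvent> securityEventList = new ArrayList<>();
    securityEventList.add(httpsTokenSecurityEvent);

    try {
        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);

        // Serialising into a discarding sink forces the whole DOM to be walked so that any
        // deferred policy failure surfaces; the serialised bytes themselves are irrelevant.
        Transformer transformer = TransformerFactory.newInstance().newTransformer();
        transformer.transform(new DOMSource(document), new StreamResult(
                new OutputStream() {
                    @Override
                    public void write(int b) throws IOException {
                        // intentionally discards output
                    }
                }
        ));
        fail("Exception expected");
    } catch (XMLStreamException e) {
        assertTrue(e.getCause() instanceof WSSecurityException);
        // JUnit's contract is assertEquals(expected, actual); keeping that order gives a
        // readable failure message if the enforcer's wording ever changes.
        assertEquals(
                "Encryption algorithm http://www.w3.org/2001/04/xmlenc#tripledes-cbc does not meet policy\n" +
                        "Symmetric encryption algorithm key length 192 does not meet policy",
                e.getCause().getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, ((WSSecurityException) e.getCause()).getFaultCode());
    }
}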
1558 }