19 package org.apache.wss4j.policy.stax.test;
20
21 import org.apache.wss4j.common.ext.WSSecurityException;
22 import org.apache.wss4j.common.util.DateUtil;
23 import org.apache.wss4j.policy.stax.PolicyViolationException;
24 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
25 import org.apache.wss4j.stax.ext.WSSConstants;
26 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
27 import org.apache.wss4j.stax.impl.securityToken.UsernameSecurityTokenImpl;
28 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
29 import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
30 import org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent;
31 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
32 import org.apache.xml.security.stax.impl.util.IDGenerator;
33 import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
34 import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
35 import org.junit.jupiter.api.Test;
36
37 import javax.xml.namespace.QName;
38
39 import java.time.ZoneOffset;
40 import java.time.ZonedDateTime;
41 import java.util.LinkedList;
42 import java.util.List;
43
44 import static org.junit.jupiter.api.Assertions.assertEquals;
45 import static org.junit.jupiter.api.Assertions.assertTrue;
46 import static org.junit.jupiter.api.Assertions.fail;
47
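public class UsernameTokenTest extends AbstractPolicyTestBase {

    /**
     * SymmetricBinding policy shared by both tests: the signature token and the
     * encryption token are each a UsernameToken constrained by
     * {@code sp:HashPassword} and {@code sp:WssUsernameToken11}, with the
     * Basic256 algorithm suite.
     */
    private static final String HASHED_PASSWORD_POLICY =
        "<sp:SymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
        "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        "<sp:EncryptionToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:UsernameToken>\n" +
        " <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:HashPassword/>\n" +
        " <sp:WssUsernameToken11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:UsernameToken>\n" +
        " </wsp:Policy>\n" +
        "</sp:EncryptionToken>\n" +
        "<sp:SignatureToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:UsernameToken>\n" +
        " <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:HashPassword/>\n" +
        " <sp:WssUsernameToken11/>\n" +
        " </wsp:Policy>\n" +
        " </sp:UsernameToken>\n" +
        " </wsp:Policy>\n" +
        "</sp:SignatureToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        "</wsp:Policy>\n" +
        "</sp:SymmetricBinding>";

    /**
     * A UsernameToken carrying a digest password satisfies {@code sp:HashPassword},
     * so the full sequence of token, signed-part, encrypted-content and operation
     * events is accepted and {@code doFinal()} completes without a violation.
     */
    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(HASHED_PASSWORD_POLICY);

        InboundSecurityToken recipientToken = registerUsernameTokens(
            policyEnforcer, WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST);
        registerProtectedBodyEvents(policyEnforcer, recipientToken);
        policyEnforcer.registerSecurityEvent(newOperationEvent());

        policyEnforcer.doFinal();
    }

    /**
     * A UsernameToken carrying a plaintext password violates {@code sp:HashPassword}.
     * The enforcer must reject it once the operation event arrives, reporting a
     * {@link PolicyViolationException} as the cause and the {@code INVALID_SECURITY}
     * fault code.
     */
    @Test
    public void testPolicyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(HASHED_PASSWORD_POLICY);

        InboundSecurityToken recipientToken = registerUsernameTokens(
            policyEnforcer, WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT);
        registerProtectedBodyEvents(policyEnforcer, recipientToken);

        try {
            policyEnforcer.registerSecurityEvent(newOperationEvent());
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertTrue(e.getCause() instanceof PolicyViolationException);
            // JUnit's assertEquals takes (expected, actual); keeping that order makes
            // the failure message read correctly.
            assertEquals("UsernameToken does not contain a hashed password",
                         e.getCause().getMessage());
            assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
        }
    }

    /**
     * Registers two UsernameToken events with the enforcer: one used for the main
     * signature and one used for the main encryption, both with the given password
     * type and a {@code Created} timestamp of "now" in UTC.
     *
     * @param policyEnforcer the enforcer under test
     * @param passwordType   the password type to put into both tokens
     * @return the encryption token as seen through its event, which the protected
     *         part events reference as the protecting token
     * @throws Exception if token construction or event registration fails
     */
    private static InboundSecurityToken registerUsernameTokens(
            PolicyEnforcer policyEnforcer,
            WSSConstants.UsernameTokenPasswordType passwordType) throws Exception {
        ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
        String created = DateUtil.getDateTimeFormatter(true).format(now);

        UsernameSecurityTokenImpl signatureToken = newUsernameToken(passwordType, created);
        signatureToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerUsernameTokenEvent(policyEnforcer, signatureToken);

        UsernameSecurityTokenImpl encryptionToken = newUsernameToken(passwordType, created);
        encryptionToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        UsernameTokenSecurityEvent recipientEvent =
            registerUsernameTokenEvent(policyEnforcer, encryptionToken);

        return (InboundSecurityToken) recipientEvent.getSecurityToken();
    }

    /**
     * Builds a UsernameToken with fixed test credentials and a direct-reference key
     * identifier. The {@code null}, {@code new byte[10]} and {@code 10L} arguments
     * are placeholder values; their meaning is defined by the
     * {@link UsernameSecurityTokenImpl} constructor (not visible here) and is not
     * exercised by these tests.
     */
    private static UsernameSecurityTokenImpl newUsernameToken(
            WSSConstants.UsernameTokenPasswordType passwordType, String created) throws Exception {
        return new UsernameSecurityTokenImpl(
            passwordType,
            "username", "password", created, null, new byte[10], 10L,
            null, IDGenerator.generateID(null),
            WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
    }

    /**
     * Wraps {@code token} in a UsernameToken 1.1 profile event and registers it.
     *
     * @return the registered event, so callers can retrieve the token through it
     */
    private static UsernameTokenSecurityEvent registerUsernameTokenEvent(
            PolicyEnforcer policyEnforcer, UsernameSecurityTokenImpl token) throws Exception {
        UsernameTokenSecurityEvent event = new UsernameTokenSecurityEvent();
        event.setUsernameTokenProfile(WSSConstants.NS_USERNAMETOKEN_PROFILE11);
        event.setSecurityToken(token);
        policyEnforcer.registerSecurityEvent(event);
        return event;
    }

    /**
     * Registers a signed-part event and a content-encrypted event for the SOAP 1.1
     * Body, both protected by {@code protectingToken} and with a
     * sign-then-encrypt protection order.
     */
    private static void registerProtectedBodyEvents(
            PolicyEnforcer policyEnforcer, InboundSecurityToken protectingToken) throws Exception {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);

        SignedPartSecurityEvent signedPartSecurityEvent =
            new SignedPartSecurityEvent(protectingToken, true, protectionOrder);
        signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);

        ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
            new ContentEncryptedElementSecurityEvent(protectingToken, true, protectionOrder);
        contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
    }

    /** Creates the operation event that triggers policy evaluation in these tests. */
    private static OperationSecurityEvent newOperationEvent() {
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        return operationSecurityEvent;
    }
}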