19 package org.apache.wss4j.policy.stax.test;
20
21 import java.util.ArrayList;
22 import java.util.LinkedList;
23 import java.util.List;
24
25 import javax.xml.namespace.QName;
26
27 import org.apache.wss4j.common.ext.WSSecurityException;
28 import org.apache.wss4j.policy.stax.PolicyViolationException;
29 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
30 import org.apache.wss4j.stax.ext.WSSConstants;
31 import org.apache.wss4j.stax.impl.securityToken.X509SecurityTokenImpl;
32 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
33 import org.apache.wss4j.stax.securityEvent.RequiredElementSecurityEvent;
34 import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
35 import org.apache.wss4j.stax.securityEvent.TimestampSecurityEvent;
36 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
37 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
38 import org.apache.xml.security.stax.ext.stax.XMLSecEventFactory;
39 import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
40 import org.apache.xml.security.stax.securityEvent.X509TokenSecurityEvent;
41 import org.junit.jupiter.api.Test;
42
43 import static org.junit.jupiter.api.Assertions.assertEquals;
44 import static org.junit.jupiter.api.Assertions.assertTrue;
45 import static org.junit.jupiter.api.Assertions.fail;
46
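/**
 * Policy-enforcement tests for {@code sp:AsymmetricBinding}.
 *
 * <p>Each test builds a small WS-SecurityPolicy document, starts a {@link PolicyEnforcer}
 * on it and then feeds the enforcer synthetic security events (tokens, timestamps,
 * encrypted / signed elements, the operation) instead of parsing a real SOAP message.
 * The enforcer is expected either to accept the sequence (the {@code doFinal()} tests)
 * or to reject the operation event with a {@link WSSecurityException} whose cause is a
 * {@link PolicyViolationException}.
 *
 * <p>All tests share the same namespace declarations and the {@code Basic256}
 * algorithm suite; only the binding assertions differ, see
 * {@link #asymmetricBindingPolicy(String...)}.
 */
public class AsymmetricBindingTest extends AbstractPolicyTestBase {

    /**
     * Message the enforcer produces when a timestamp is present although the policy
     * does not contain {@code sp:IncludeTimestamp}.
     */
    private static final String TIMESTAMP_NOT_ALLOWED = "Timestamp must not be present";

    private static final String SOAP_ENV_NS = "{http://schemas.xmlsoap.org/soap/envelope/}";
    private static final String WSSE_NS =
        "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}";

    /**
     * A fully compliant message: timestamp present, both tokens present, the
     * {@code ds:Signature} and {@code wsse11:SignatureConfirmation} header children
     * encrypted, the whole body signed. {@code doFinal()} must not throw.
     */
    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(
            asymmetricBindingPolicy("IncludeTimestamp", "EncryptSignature", "OnlySignEntireHeadersAndBody"));
        policyEnforcer.registerSecurityEvent(new TimestampSecurityEvent());

        RequiredElementSecurityEvent requiredElementSecurityEvent = new RequiredElementSecurityEvent();
        requiredElementSecurityEvent.setElementPath(
            pathBelow(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH, WSSConstants.TAG_WSU_TIMESTAMP));
        policyEnforcer.registerSecurityEvent(requiredElementSecurityEvent);

        registerX509Token(policyEnforcer, WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerX509Token(policyEnforcer, WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);

        List<XMLSecurityConstants.ContentType> protectionOrder = signedThenEncrypted();
        registerEncryptedSecurityHeaderChild(policyEnforcer, WSSConstants.TAG_dsig_Signature, true, protectionOrder);
        registerEncryptedSecurityHeaderChild(policyEnforcer, WSSConstants.TAG_WSSE11_SIG_CONF, true, protectionOrder);

        policyEnforcer.registerSecurityEvent(operationEvent());

        SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null, true, protectionOrder);
        signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
        policyEnforcer.doFinal();
    }

    /**
     * The policy omits {@code sp:IncludeTimestamp}, but a timestamp event is registered
     * anyway: the operation must be rejected with {@value #TIMESTAMP_NOT_ALLOWED}.
     */
    @Test
    public void testPolicyNotIncludeTimestamp() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(
            asymmetricBindingPolicy("EncryptSignature", "ProtectTokens", "OnlySignEntireHeadersAndBody"));

        registerX509Token(policyEnforcer, WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerX509Token(policyEnforcer, WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        policyEnforcer.registerSecurityEvent(new TimestampSecurityEvent());

        WSSecurityException violation = expectPolicyViolation(policyEnforcer);
        assertEquals(TIMESTAMP_NOT_ALLOWED, violation.getCause().getMessage());
    }

    /**
     * The policy demands {@code sp:EncryptBeforeSigning}, but the body event reports the
     * opposite order (signature first, then encryption).
     */
    @Test
    public void testPolicyWrongProtectionOrder() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(
            asymmetricBindingPolicy("IncludeTimestamp", "EncryptBeforeSigning", "EncryptSignature",
                "ProtectTokens", "OnlySignEntireHeadersAndBody"));
        registerX509Token(policyEnforcer, WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);

        SignedPartSecurityEvent signedPartSecurityEvent =
            new SignedPartSecurityEvent(null, true, signedThenEncrypted());
        signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);

        WSSecurityException violation = expectPolicyViolation(policyEnforcer);
        assertEquals(
            "Policy enforces EncryptBeforeSigning but the " + SOAP_ENV_NS + "Envelope/" + SOAP_ENV_NS + "Body"
                + " was signed and then encrypted",
            violation.getCause().getMessage());
    }

    /**
     * {@code sp:EncryptSignature} is set, but the {@code ds:Signature} element event
     * reports it as not encrypted. Only the fault code and cause type are checked here;
     * the exact message is not part of the contract this test pins.
     */
    @Test
    public void testPolicySignatureNotEncrypted() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(
            asymmetricBindingPolicy("IncludeTimestamp", "EncryptSignature", "ProtectTokens",
                "OnlySignEntireHeadersAndBody"));
        policyEnforcer.registerSecurityEvent(new TimestampSecurityEvent());

        registerX509Token(policyEnforcer, WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerX509Token(policyEnforcer, WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);

        // encrypted = false is the violation under test
        registerEncryptedSecurityHeaderChild(policyEnforcer, WSSConstants.TAG_dsig_Signature, false,
            signedThenEncrypted());

        expectPolicyViolation(policyEnforcer);
    }

    /**
     * {@code sp:OnlySignEntireHeadersAndBody} is violated by signing a child element of
     * the body rather than the body itself; the offending element path is reported.
     */
    @Test
    public void testPolicyNotWholeBodySigned() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(
            asymmetricBindingPolicy("IncludeTimestamp", "EncryptSignature", "ProtectTokens",
                "OnlySignEntireHeadersAndBody"));
        policyEnforcer.registerSecurityEvent(new TimestampSecurityEvent());

        registerX509Token(policyEnforcer, WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerX509Token(policyEnforcer, WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);

        List<XMLSecurityConstants.ContentType> protectionOrder = signedThenEncrypted();
        registerEncryptedSecurityHeaderChild(policyEnforcer, WSSConstants.TAG_dsig_Signature, true, protectionOrder);
        registerEncryptedSecurityHeaderChild(policyEnforcer, WSSConstants.TAG_WSSE11_SIG_CONF, true, protectionOrder);

        QName elementName = new QName("http://www.example.com", "bodyChildElement");
        registerSignedElement(policyEnforcer, protectionOrder, elementName,
            pathBelow(WSSConstants.SOAP_11_BODY_PATH, elementName));

        WSSecurityException violation = expectPolicyViolation(policyEnforcer);
        assertEquals(
            "OnlySignEntireHeadersAndBody not fulfilled, offending element: "
                + "/" + SOAP_ENV_NS + "Envelope/" + SOAP_ENV_NS + "Body/{http://www.example.com}bodyChildElement",
            violation.getCause().getMessage());
    }

    /**
     * {@code sp:OnlySignEntireHeadersAndBody} is violated by signing
     * {@code wsse:Username} inside the security header instead of a whole header child.
     */
    @Test
    public void testPolicyNotWholeSecurityHeaderChildSigned() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(
            asymmetricBindingPolicy("IncludeTimestamp", "EncryptSignature", "ProtectTokens",
                "OnlySignEntireHeadersAndBody"));
        policyEnforcer.registerSecurityEvent(new TimestampSecurityEvent());

        registerX509Token(policyEnforcer, WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerX509Token(policyEnforcer, WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);

        List<XMLSecurityConstants.ContentType> protectionOrder = signedThenEncrypted();
        registerEncryptedSecurityHeaderChild(policyEnforcer, WSSConstants.TAG_dsig_Signature, true, protectionOrder);
        registerEncryptedSecurityHeaderChild(policyEnforcer, WSSConstants.TAG_WSSE11_SIG_CONF, true, protectionOrder);

        QName elementName = WSSConstants.TAG_WSSE_USERNAME;
        registerSignedElement(policyEnforcer, protectionOrder, elementName,
            pathBelow(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH,
                WSSConstants.TAG_WSSE_USERNAME_TOKEN, elementName));

        WSSecurityException violation = expectPolicyViolation(policyEnforcer);
        assertEquals(
            "OnlySignEntireHeadersAndBody not fulfilled, offending element: "
                + "/" + SOAP_ENV_NS + "Envelope/" + SOAP_ENV_NS + "Header/"
                + WSSE_NS + "Security/" + WSSE_NS + "UsernameToken/" + WSSE_NS + "Username",
            violation.getCause().getMessage());
    }

    /**
     * {@code sp:OnlySignEntireHeadersAndBody} alone does not require anything to be
     * signed: an operation with no signed parts at all passes {@code doFinal()}.
     */
    @Test
    public void testOnlySignEntireHeadersAndBodyPolicyNothingSigned() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(
            asymmetricBindingPolicy("OnlySignEntireHeadersAndBody"));

        policyEnforcer.registerSecurityEvent(operationEvent());
        policyEnforcer.doFinal();
    }

    /**
     * Builds the policy document used by every test: the {@code sp}/{@code sp3}
     * namespace declarations, a {@code Basic256} algorithm suite, then one empty
     * {@code sp:<name>/} element per given assertion name, in the given order.
     *
     * @param assertions local names of the binding assertions, e.g. {@code "IncludeTimestamp"}
     * @return the serialized {@code sp:AsymmetricBinding} policy
     */
    private static String asymmetricBindingPolicy(String... assertions) {
        StringBuilder policy = new StringBuilder();
        policy.append("<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n");
        policy.append("<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n");
        policy.append(" <sp:AlgorithmSuite>\n");
        policy.append(" <wsp:Policy>\n");
        policy.append(" <sp:Basic256/>\n");
        policy.append(" </wsp:Policy>\n");
        policy.append(" </sp:AlgorithmSuite>\n");
        for (String assertion : assertions) {
            policy.append("<sp:").append(assertion).append("/>\n");
        }
        policy.append("</wsp:Policy>\n");
        policy.append("</sp:AsymmetricBinding>");
        return policy.toString();
    }

    /**
     * Returns a fresh, mutable element path consisting of {@code base} followed by
     * {@code children}; {@code base} itself is not modified.
     */
    private static List<QName> pathBelow(List<QName> base, QName... children) {
        List<QName> path = new ArrayList<>(base);
        for (QName child : children) {
            path.add(child);
        }
        return path;
    }

    /** Protection order "signed first, then encrypted", as a fresh list per call. */
    private static List<XMLSecurityConstants.ContentType> signedThenEncrypted() {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
        return protectionOrder;
    }

    /** The operation event every test ends with; the enforcer evaluates the policy on it. */
    private static OperationSecurityEvent operationEvent() {
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        return operationSecurityEvent;
    }

    /**
     * Registers an X.509 v3 token carrying the given usage (main signature or main
     * encryption) with the enforcer.
     */
    private void registerX509Token(PolicyEnforcer policyEnforcer,
                                   WSSecurityTokenConstants.TokenUsage usage) throws Exception {
        X509SecurityTokenImpl securityToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
        securityToken.addTokenUsage(usage);
        X509TokenSecurityEvent x509TokenSecurityEvent = new X509TokenSecurityEvent();
        x509TokenSecurityEvent.setSecurityToken(securityToken);
        policyEnforcer.registerSecurityEvent(x509TokenSecurityEvent);
    }

    /**
     * Registers an encrypted-element event for {@code child} of the wsse:Security header.
     *
     * @param encrypted whether the element is reported as actually encrypted
     */
    private static void registerEncryptedSecurityHeaderChild(PolicyEnforcer policyEnforcer, QName child,
                                                             boolean encrypted,
                                                             List<XMLSecurityConstants.ContentType> protectionOrder)
        throws Exception {
        EncryptedElementSecurityEvent encryptedElementSecurityEvent =
            new EncryptedElementSecurityEvent(null, encrypted, protectionOrder);
        encryptedElementSecurityEvent.setElementPath(
            pathBelow(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH, child));
        policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
    }

    /**
     * Registers a signed-part event for an arbitrary element (with a start-element
     * XMLSec event attached), used to model a signature over something that is not a
     * whole header child or the whole body.
     */
    private static void registerSignedElement(PolicyEnforcer policyEnforcer,
                                              List<XMLSecurityConstants.ContentType> protectionOrder,
                                              QName element, List<QName> elementPath) throws Exception {
        SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null, true, protectionOrder);
        signedPartSecurityEvent.setXmlSecEvent(XMLSecEventFactory.createXmlSecStartElement(element, null, null));
        signedPartSecurityEvent.setElementPath(elementPath);
        policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
    }

    /**
     * Registers the operation event and asserts that the enforcer rejects it with a
     * {@link WSSecurityException} carrying fault code {@code INVALID_SECURITY} whose
     * cause is a {@link PolicyViolationException}.
     *
     * @return the caught exception, so callers can assert on the violation message
     */
    private static WSSecurityException expectPolicyViolation(PolicyEnforcer policyEnforcer) throws Exception {
        try {
            policyEnforcer.registerSecurityEvent(operationEvent());
        } catch (WSSecurityException e) {
            assertTrue(e.getCause() instanceof PolicyViolationException);
            // expected value first: JUnit's failure message reads "expected: <x> but was: <y>"
            assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
            return e;
        }
        fail("Exception expected");
        throw new AssertionError("unreachable: fail() always throws");
    }
}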