19 package org.apache.wss4j.policy.stax.test;
20
21 import java.util.LinkedList;
22 import java.util.List;
23
24 import javax.xml.namespace.QName;
25
26 import org.apache.wss4j.common.ext.WSSecurityException;
27 import org.apache.wss4j.policy.stax.PolicyViolationException;
28 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
29 import org.apache.wss4j.stax.ext.WSSConstants;
30 import org.apache.wss4j.stax.impl.securityToken.X509SecurityTokenImpl;
31 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
32 import org.apache.wss4j.stax.securityEvent.SecurityContextTokenSecurityEvent;
33 import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
34 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
35 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
36 import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
37 import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
38 import org.junit.jupiter.api.Test;
39
40 import static org.junit.jupiter.api.Assertions.assertEquals;
41 import static org.junit.jupiter.api.Assertions.assertTrue;
42 import static org.junit.jupiter.api.Assertions.fail;
43
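/**
 * Policy-enforcement tests for {@code sp:SecureConversationToken} inside an
 * {@code sp:SymmetricBinding}.
 *
 * <p>Both tests feed the same policy into a {@link PolicyEnforcer} (a
 * SecureConversationToken for the signature and the encryption token, pinned to
 * the issuer {@code xs:anyURI} and requiring an external URI reference) and then
 * replay the security events an inbound message would produce. The positive test
 * presents tokens from the expected issuer and must pass
 * {@link PolicyEnforcer#doFinal()}; the negative test presents tokens from a
 * different issuer and must be rejected with a {@link PolicyViolationException}
 * wrapped in a {@link WSSecurityException} whose fault code is
 * {@code INVALID_SECURITY}. The security property under test is that the enforcer
 * refuses a session token whose issuer does not match the policy instead of
 * silently accepting it.
 */
public class SecureConversationTokenTest extends AbstractPolicyTestBase {

    /**
     * Policy shared by both tests: SecureConversationToken for signature and
     * encryption, issuer pinned to {@code xs:anyURI}, external URI reference required,
     * Basic256 algorithm suite.
     */
    private static final String POLICY =
        "<sp:SymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
        "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        "<sp:EncryptionToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:SecureConversationToken>\n" +
        " <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:RequireExternalUriReference/>\n" +
        " </wsp:Policy>\n" +
        " </sp:SecureConversationToken>\n" +
        " </wsp:Policy>\n" +
        "</sp:EncryptionToken>\n" +
        "<sp:SignatureToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:SecureConversationToken>\n" +
        " <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:RequireExternalUriReference/>\n" +
        " </wsp:Policy>\n" +
        " </sp:SecureConversationToken>\n" +
        " </wsp:Policy>\n" +
        "</sp:SignatureToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        "</wsp:Policy>\n" +
        "</sp:SymmetricBinding>";

    /**
     * Builds a SecurityContextToken event for the given issuer and token.
     *
     * <p>The external-URI-reference flag is always set so that the only difference
     * between the positive and the negative test is the issuer name.
     *
     * @param issuerName issuer reported by the (simulated) inbound SecurityContextToken
     * @param token the inbound token the event is bound to
     * @return the populated event, not yet registered with any enforcer
     */
    private static SecurityContextTokenSecurityEvent securityContextTokenEvent(
            String issuerName, InboundSecurityToken token) {
        SecurityContextTokenSecurityEvent event = new SecurityContextTokenSecurityEvent();
        event.setIssuerName(issuerName);
        event.setExternalUriRef(true);
        event.setSecurityToken(token);
        return event;
    }

    /**
     * Registers the events describing a SOAP 1.1 Body that was signed and then
     * content-encrypted (protection order SIGNATURE, ENCRYPTION) with {@code token}.
     *
     * @param policyEnforcer enforcer that receives the two events
     * @param token token both events are attributed to
     * @throws Exception if the enforcer rejects either event
     */
    private static void registerProtectedBodyEvents(
            PolicyEnforcer policyEnforcer, InboundSecurityToken token) throws Exception {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);

        SignedPartSecurityEvent signedPart = new SignedPartSecurityEvent(token, true, protectionOrder);
        signedPart.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPart);

        ContentEncryptedElementSecurityEvent encryptedContent =
            new ContentEncryptedElementSecurityEvent(token, true, protectionOrder);
        encryptedContent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(encryptedContent);
    }

    /**
     * Tokens from the issuer named in the policy, with the required external URI
     * reference, must satisfy the binding: {@code doFinal()} completes without error.
     */
    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(POLICY);

        X509SecurityTokenImpl signatureToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
        signatureToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        policyEnforcer.registerSecurityEvent(securityContextTokenEvent("xs:anyURI", signatureToken));

        X509SecurityTokenImpl encryptionToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
        encryptionToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        policyEnforcer.registerSecurityEvent(securityContextTokenEvent("xs:anyURI", encryptionToken));

        // Body protection is attributed to the encryption (recipient) token, as in the
        // original test; the signature token is only referenced by its own SCT event.
        registerProtectedBodyEvents(policyEnforcer, encryptionToken);

        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        policyEnforcer.registerSecurityEvent(operationSecurityEvent);

        policyEnforcer.doFinal();
    }

    /**
     * Tokens from an issuer other than the one named in the policy must be rejected.
     *
     * <p>The event sequence is identical to {@link #testPolicy()} except for the
     * issuer name ({@code sss}), so a failure can only be attributed to the issuer
     * check. The violation surfaces when the operation event is registered, as a
     * {@link WSSecurityException} with fault code {@code INVALID_SECURITY} whose cause
     * is the {@link PolicyViolationException} naming both issuers.
     */
    @Test
    public void testPolicyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(POLICY);

        X509SecurityTokenImpl signatureToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
        signatureToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        policyEnforcer.registerSecurityEvent(securityContextTokenEvent("sss", signatureToken));

        // The encryption token belongs to the recipient event. The previous version of
        // this test attached it to the already-registered initiator event instead,
        // leaving the recipient event with no token at all and the body-protection
        // events below bound to a null token.
        X509SecurityTokenImpl encryptionToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
        encryptionToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        policyEnforcer.registerSecurityEvent(securityContextTokenEvent("sss", encryptionToken));

        registerProtectedBodyEvents(policyEnforcer, encryptionToken);

        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));

        try {
            policyEnforcer.registerSecurityEvent(operationSecurityEvent);
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertTrue(e.getCause() instanceof PolicyViolationException);
            // JUnit's assertEquals takes (expected, actual); keep that order so a
            // failure message reads correctly.
            assertEquals(
                "IssuerName in Policy (xs:anyURI) didn't match with the one in the SecurityContextToken (sss)",
                e.getCause().getMessage());
            assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
        }
    }
}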