19 package org.apache.wss4j.policy.stax.test;
20
21 import java.util.ArrayList;
22 import java.util.LinkedList;
23 import java.util.List;
24
25 import javax.xml.namespace.QName;
26
27 import org.apache.wss4j.common.ext.WSSecurityException;
28 import org.apache.wss4j.policy.stax.PolicyViolationException;
29 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
30 import org.apache.wss4j.stax.ext.WSSConstants;
31 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
32 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
33 import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;
34 import org.junit.jupiter.api.Test;
35
36 import static org.junit.jupiter.api.Assertions.assertEquals;
37 import static org.junit.jupiter.api.Assertions.assertTrue;
38 import static org.junit.jupiter.api.Assertions.fail;
39
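/**
 * Tests enforcement of the WS-SecurityPolicy {@code sp:SignedElements} assertion by the
 * streaming {@link PolicyEnforcer}: a positive run in which the element selected by the
 * policy's XPath arrives signed, and a negative run in which the enforcer must reject the
 * message as soon as that element is reported unsigned.
 */
public class SignedElementsTest extends AbstractPolicyTestBase {

    /**
     * Policy fragment requiring the element {@code /b:a} ({@code {http://example.org}a})
     * to be signed. Shared verbatim by both scenarios.
     */
    private static final String SIGNED_ELEMENTS_POLICY =
        "<sp:SignedElements xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
        "<sp:XPath xmlns:b=\"http://example.org\">/b:a</sp:XPath>\n" +
        "</sp:SignedElements>";

    /**
     * Builds and starts an enforcer for {@link #SIGNED_ELEMENTS_POLICY} and feeds it the
     * events common to every scenario here: the operation event and a signed SOAP 1.1 Body.
     *
     * @return the enforcer, ready to receive the scenario-specific element events
     * @throws Exception if the policy cannot be built or an event is rejected
     */
    private PolicyEnforcer startEnforcerWithSignedBody() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SIGNED_ELEMENTS_POLICY);

        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        policyEnforcer.registerSecurityEvent(operationSecurityEvent);

        policyEnforcer.registerSecurityEvent(signedElement(WSSConstants.SOAP_11_BODY_PATH));
        return policyEnforcer;
    }

    /**
     * Creates a "signed" element event for {@code elementPath} with the protection order
     * SIGNATURE followed by ENCRYPTION. A fresh event is created per element so that an
     * object already handed to the enforcer is never mutated afterwards.
     *
     * @param elementPath QName path of the element that was signed
     * @return the populated event
     */
    private static SignedElementSecurityEvent signedElement(List<QName> elementPath) {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
        SignedElementSecurityEvent event = new SignedElementSecurityEvent(null, true, protectionOrder);
        event.setElementPath(elementPath);
        return event;
    }

    /**
     * Returns the SOAP 1.1 Header path extended with one child element
     * {@code {http://example.org}localName}.
     *
     * @param localName local name of the header child
     * @return a new, independent path list
     */
    private static List<QName> headerChild(String localName) {
        List<QName> path = new ArrayList<>(WSSConstants.SOAP_11_HEADER_PATH);
        path.add(new QName("http://example.org", localName));
        return path;
    }

    /**
     * Positive case: the element the policy names ({@code a}) is reported signed, together
     * with an unrelated signed sibling ({@code b}) that must not disturb the assertion.
     * Neither the event registrations nor {@code doFinal()} may raise a violation.
     */
    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = startEnforcerWithSignedBody();

        policyEnforcer.registerSecurityEvent(signedElement(headerChild("a")));
        policyEnforcer.registerSecurityEvent(signedElement(headerChild("b")));

        policyEnforcer.doFinal();
    }

    /**
     * Negative case: the element the policy names is reported as NOT signed (and carries
     * no protection order). The enforcer must fail at registration time, wrap the
     * {@link PolicyViolationException} as the cause, name the offending element in the
     * message, and use the INVALID_SECURITY fault code rather than a generic failure.
     */
    @Test
    public void testPolicyMultipleAssertionEventsNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEnforcerWithSignedBody();

        SignedElementSecurityEvent unsignedElement = new SignedElementSecurityEvent(null, false, null);
        List<QName> elementPath = new ArrayList<>();
        elementPath.add(new QName("http://example.org", "a"));
        unsignedElement.setElementPath(elementPath);
        try {
            policyEnforcer.registerSecurityEvent(unsignedElement);
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertTrue(e.getCause() instanceof PolicyViolationException);
            // JUnit's assertEquals takes (expected, actual); the previous reversed order
            // produced misleading "expected X but was Y" messages on failure.
            assertEquals("Element /{http://example.org}a must be signed",
                         e.getCause().getMessage());
            assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
        }
    }
}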