19 package org.apache.wss4j.policy.stax.test;
20
21 import org.apache.wss4j.common.ext.WSSecurityException;
22 import org.apache.wss4j.policy.stax.PolicyViolationException;
23 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
24 import org.apache.wss4j.stax.ext.WSSConstants;
25 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
26 import org.apache.wss4j.stax.impl.securityToken.HttpsSecurityTokenImpl;
27 import org.apache.wss4j.stax.securityEvent.*;
28 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
29 import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
30 import org.junit.jupiter.api.Test;
31
32 import javax.xml.namespace.QName;
33
34 import java.util.ArrayList;
35 import java.util.LinkedList;
36 import java.util.List;
37
38 import static org.junit.jupiter.api.Assertions.assertEquals;
39 import static org.junit.jupiter.api.Assertions.assertTrue;
40 import static org.junit.jupiter.api.Assertions.fail;
41
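/**
 * Policy-enforcement tests for the WS-SecurityPolicy {@code sp:TransportBinding} assertion.
 *
 * <p>Each test builds a minimal TransportBinding policy (a {@code Basic256} algorithm suite,
 * with or without {@code sp:IncludeTimestamp}), replays a sequence of security events into a
 * {@link PolicyEnforcer} and checks whether the enforcer accepts the exchange or reports a
 * {@link PolicyViolationException} wrapped in a {@link WSSecurityException}.
 */
public class TransportBindingTest extends AbstractPolicyTestBase {

    /**
     * Accepts a timestamped message whose security header is fully protected: the wsu:Timestamp
     * is present and reported as a required element, the HTTPS token carries the main-signature
     * usage, the ds:Signature and wsse11:SignatureConfirmation headers are reported as encrypted
     * and the SOAP body is reported as signed. {@code doFinal()} must complete without a violation.
     */
    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(transportBindingPolicy(true));

        policyEnforcer.registerSecurityEvent(new TimestampSecurityEvent());
        registerRequiredTimestampElement(policyEnforcer);
        registerHttpsMainSignatureToken(policyEnforcer);
        registerOperation(policyEnforcer);

        List<XMLSecurityConstants.ContentType> protectionOrder = signThenEncryptOrder();
        // Each encrypted-element event carries its own header path; the path must be set on the
        // EncryptedElementSecurityEvent that is registered, not on the (already registered)
        // RequiredElementSecurityEvent above.
        registerEncryptedHeaderElement(policyEnforcer, WSSConstants.TAG_dsig_Signature, true, protectionOrder);
        registerEncryptedHeaderElement(policyEnforcer, WSSConstants.TAG_WSSE11_SIG_CONF, true, protectionOrder);

        registerSignedBody(policyEnforcer, true, protectionOrder);

        policyEnforcer.doFinal();
    }

    /**
     * Rejects a message that carries a wsu:Timestamp although the policy omits
     * {@code sp:IncludeTimestamp}. The violation is reported when the operation event is
     * registered: a {@link WSSecurityException} with fault code
     * {@link WSSecurityException#INVALID_SECURITY} whose cause is a
     * {@link PolicyViolationException} with the message "Timestamp must not be present".
     */
    @Test
    public void testPolicyNotIncludeTimestamp() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(transportBindingPolicy(false));

        registerHttpsMainSignatureToken(policyEnforcer);
        policyEnforcer.registerSecurityEvent(new TimestampSecurityEvent());

        try {
            registerOperation(policyEnforcer);
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertTrue(e.getCause() instanceof PolicyViolationException);
            // JUnit's assertEquals is (expected, actual); keeping that order makes a failure
            // message read correctly.
            assertEquals("Timestamp must not be present", e.getCause().getMessage());
            assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
        }
    }

    /**
     * Accepts a message whose ds:Signature header is reported as <em>not</em> encrypted
     * ({@code encrypted == false} on the EncryptedElementSecurityEvent). Under this
     * TransportBinding policy the enforcer raises no violation and {@code doFinal()} completes.
     */
    @Test
    public void testPolicySignatureNotEncrypted() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(transportBindingPolicy(true));

        policyEnforcer.registerSecurityEvent(new TimestampSecurityEvent());
        registerRequiredTimestampElement(policyEnforcer);
        registerHttpsMainSignatureToken(policyEnforcer);

        List<XMLSecurityConstants.ContentType> protectionOrder = signThenEncryptOrder();
        registerEncryptedHeaderElement(policyEnforcer, WSSConstants.TAG_dsig_Signature, false, protectionOrder);

        registerOperation(policyEnforcer);

        policyEnforcer.doFinal();
    }

    /**
     * Accepts a message whose SOAP body is reported as <em>not</em> signed
     * ({@code signed == false} on the SignedPartSecurityEvent) while the ds:Signature and
     * wsse11:SignatureConfirmation headers are reported as encrypted. Under this
     * TransportBinding policy the enforcer raises no violation and {@code doFinal()} completes.
     */
    @Test
    public void testPolicyNotWholeBodySigned() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(transportBindingPolicy(true));

        policyEnforcer.registerSecurityEvent(new TimestampSecurityEvent());
        registerRequiredTimestampElement(policyEnforcer);
        registerHttpsMainSignatureToken(policyEnforcer);

        List<XMLSecurityConstants.ContentType> protectionOrder = signThenEncryptOrder();
        registerEncryptedHeaderElement(policyEnforcer, WSSConstants.TAG_dsig_Signature, true, protectionOrder);
        registerEncryptedHeaderElement(policyEnforcer, WSSConstants.TAG_WSSE11_SIG_CONF, true, protectionOrder);

        registerOperation(policyEnforcer);

        registerSignedBody(policyEnforcer, false, protectionOrder);

        policyEnforcer.doFinal();
    }

    /**
     * Builds the TransportBinding policy used by every test: a {@code Basic256} algorithm suite
     * and, when {@code includeTimestamp} is set, an {@code sp:IncludeTimestamp} assertion.
     *
     * @param includeTimestamp whether to emit {@code <sp:IncludeTimestamp/>}
     * @return the policy as an XML string
     */
    private static String transportBindingPolicy(boolean includeTimestamp) {
        return "<sp:TransportBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n"
            + "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n"
            + " <sp:AlgorithmSuite>\n"
            + " <wsp:Policy>\n"
            + " <sp:Basic256/>\n"
            + " </wsp:Policy>\n"
            + " </sp:AlgorithmSuite>\n"
            + (includeTimestamp ? "<sp:IncludeTimestamp/>\n" : "")
            + "</wsp:Policy>\n"
            + "</sp:TransportBinding>";
    }

    /**
     * Returns the element path of a child of the SOAP 1.1 wsse:Security header.
     *
     * @param headerTag the child element to append to {@link WSSConstants#SOAP_11_WSSE_SECURITY_HEADER_PATH}
     * @return a fresh, mutable path ending in {@code headerTag}
     */
    private static List<QName> securityHeaderPath(QName headerTag) {
        List<QName> path = new ArrayList<>(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH);
        path.add(headerTag);
        return path;
    }

    /**
     * Returns the protection order used by the encrypted/signed element events: signature first,
     * then encryption.
     */
    private static List<XMLSecurityConstants.ContentType> signThenEncryptOrder() {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
        return protectionOrder;
    }

    /**
     * Reports the wsu:Timestamp header as a required element.
     *
     * @throws WSSecurityException if the enforcer reports a policy violation
     */
    private static void registerRequiredTimestampElement(PolicyEnforcer policyEnforcer) throws WSSecurityException {
        RequiredElementSecurityEvent requiredElementSecurityEvent = new RequiredElementSecurityEvent();
        requiredElementSecurityEvent.setElementPath(securityHeaderPath(WSSConstants.TAG_WSU_TIMESTAMP));
        policyEnforcer.registerSecurityEvent(requiredElementSecurityEvent);
    }

    /**
     * Reports an HTTPS token for user "username" whose usage is the main signature.
     *
     * @throws WSSecurityException if the enforcer reports a policy violation
     */
    private static void registerHttpsMainSignatureToken(PolicyEnforcer policyEnforcer) throws WSSecurityException {
        HttpsTokenSecurityEvent httpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
        // The boolean is kept as in the original fixture; presumably a client-authentication
        // flag — confirm against HttpsSecurityTokenImpl before relying on it.
        HttpsSecurityTokenImpl httpsSecurityToken = new HttpsSecurityTokenImpl(true, "username");
        httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
        policyEnforcer.registerSecurityEvent(httpsTokenSecurityEvent);
    }

    /**
     * Reports the operation event ("definitions"). Registering this event is where
     * {@link #testPolicyNotIncludeTimestamp()} expects the enforcer to raise its violation.
     *
     * @throws WSSecurityException if the enforcer reports a policy violation
     */
    private static void registerOperation(PolicyEnforcer policyEnforcer) throws WSSecurityException {
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        policyEnforcer.registerSecurityEvent(operationSecurityEvent);
    }

    /**
     * Reports a wsse:Security header child as an encrypted (or, with {@code encrypted == false},
     * unencrypted) element.
     *
     * @param headerTag       the header child, e.g. {@link WSSConstants#TAG_dsig_Signature}
     * @param encrypted       the value passed to the EncryptedElementSecurityEvent constructor
     * @param protectionOrder the protection order passed to the event constructor
     * @throws WSSecurityException if the enforcer reports a policy violation
     */
    private static void registerEncryptedHeaderElement(PolicyEnforcer policyEnforcer, QName headerTag,
                                                       boolean encrypted,
                                                       List<XMLSecurityConstants.ContentType> protectionOrder)
            throws WSSecurityException {
        EncryptedElementSecurityEvent encryptedElementSecurityEvent =
            new EncryptedElementSecurityEvent(null, encrypted, protectionOrder);
        encryptedElementSecurityEvent.setElementPath(securityHeaderPath(headerTag));
        policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
    }

    /**
     * Reports the SOAP 1.1 body as a signed (or, with {@code signed == false}, unsigned) part.
     *
     * @param signed          the value passed to the SignedPartSecurityEvent constructor
     * @param protectionOrder the protection order passed to the event constructor
     * @throws WSSecurityException if the enforcer reports a policy violation
     */
    private static void registerSignedBody(PolicyEnforcer policyEnforcer, boolean signed,
                                           List<XMLSecurityConstants.ContentType> protectionOrder)
            throws WSSecurityException {
        SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null, signed, protectionOrder);
        signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
    }
}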