This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
The following commit(s) were added to refs/heads/master by this push:
new 1d69f56c RAMPART-261 Ability to Toggle mustUnderstand flag in security header
1d69f56c is described below
commit 1d69f56cac5490ded516503c38957ee4b4ba3759
Author: Robert Lazarski <robertlazar...@gmail.com>
AuthorDate: Wed Nov 6 08:56:31 2024 -1000
RAMPART-261 Ability to Toggle mustUnderstand flag in security header
---
.../org/apache/rampart/RampartMessageData.java | 9 ++
.../policy/builders/RampartConfigBuilder.java | 6 ++
.../apache/rampart/policy/model/RampartConfig.java | 21 ++++-
.../rampart/policy/builders/kerberosConfig.policy | 1 +
src/site/markdown/release-notes/1.8.0.md | 104 ++++++++++++++++++++-
src/site/site.xml | 1 +
6 files changed, 138 insertions(+), 4 deletions(-)
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java b/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
index f9aa3daa..58c3c7f7 100644
--- a/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
@@ -150,6 +150,8 @@ public class RampartMessageData {
 public final static String SCT_ID = "sctID";
 public final static String X509_CERT ="X509Certificate";
+
+ public final static String MUST_UNDERSTAND_SECURITY_HEADER = "mustUnderstandSecurityHeader";
 private MessageContext msgContext = null;
@@ -450,6 +452,13 @@ public class RampartMessageData {
 if(this.sender && this.policyData != null) {
 this.secHeader = new WSSecHeader(this.document);
 secHeader.insertSecurityHeader();
+ // RAMPART-261
+ Boolean mustUnderstandSecurityHeaderInput = (Boolean)msgCtx.getProperty(MUST_UNDERSTAND_SECURITY_HEADER);
+ if (mustUnderstandSecurityHeaderInput != null) {
+ secHeader.setMustUnderstand(mustUnderstandSecurityHeaderInput);
+ } else if (this.policyData != null && this.policyData.getRampartConfig() != null) {
+ secHeader.setMustUnderstand(this.policyData.getRampartConfig().isMustUnderstandSecurityHeader());
+ }
 }
 } catch (AxisFault e) {
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java b/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
index 5a03e062..6b6efdee 100644
--- a/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
@@ -232,6 +232,12 @@ public class RampartConfigBuilder implements AssertionBuilder<OMElement> {
 rampartConfig.setAllowRSA15KeyTransportAlgorithm(childElement.getText().trim());
 }
+ childElement = element.getFirstChildWithName(new QName(
+ RampartConfig.NS, RampartConfig.MUST_UNDERSTAND_SECURITY_HEADER_LN));
+ if (childElement != null) {
+ rampartConfig.setMustUnderstandSecurityHeader(childElement.getText().trim());
+ }
+
 return rampartConfig;
 }
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java b/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
index 7f2ed3b5..db97b23d 100644
--- a/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
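Review bot: Both `secHeader.setMustUnderstand(...)` calls run after `secHeader.insertSecurityHeader()`, and WSS4J's WSSecHeader, as far as I recall, emits the mustUnderstand attribute only while insertSecurityHeader() builds the element, so a false value chosen here may never reach the serialized header; please verify against the WSS4J version Rampart 1.8.0 builds with and, if so, decide the flag before the insert (sketch below). The cast `(Boolean)msgCtx.getProperty(MUST_UNDERSTAND_SECURITY_HEADER)` throws ClassCastException when a caller sets the property as a String, which is common for values lifted from configuration; `Boolean.parseBoolean(String.valueOf(value))` accepts both forms. The `this.policyData != null` test in the else-if repeats the enclosing `if(this.sender && this.policyData != null)` and can go. A short comment recording that the message-context property overrides the policy's RampartConfig would make that precedence explicit for callers. The enclosing try block starts and ends outside the hunk.
```java
this.secHeader = new WSSecHeader(this.document);
// RAMPART-261: decide mustUnderstand before the header element is built;
// an explicit message-context property wins over the policy's RampartConfig.
Object mustUnderstandInput = msgCtx.getProperty(MUST_UNDERSTAND_SECURITY_HEADER);
if (mustUnderstandInput != null) {
    secHeader.setMustUnderstand(Boolean.parseBoolean(String.valueOf(mustUnderstandInput)));
} else if (this.policyData.getRampartConfig() != null) {
    secHeader.setMustUnderstand(this.policyData.getRampartConfig().isMustUnderstandSecurityHeader());
}
secHeader.insertSecurityHeader();
// … unchanged: closing braces and catch (AxisFault e) …
```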
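Review bot: `rampartConfig.setMustUnderstandSecurityHeader(childElement.getText().trim())` passes the raw element text to the String overload added to RampartConfig in this commit, which converts it with `Boolean.valueOf`, so any text other than a case-insensitive "true" — "1", "yes", a typo, an empty element — silently becomes false with no diagnostic. Because the field defaults to true, a mistyped policy flips the header's mustUnderstand flag without the policy author noticing. This mirrors the `setAllowRSA15KeyTransportAlgorithm` line just above, so it is consistent with the file, but for a new element a strict parse is cheap (sketch below); if throwing does not suit AssertionBuilder.build, log the rejected value and keep the default instead. The enclosing build method starts outside the hunk.
```java
childElement = element.getFirstChildWithName(new QName(
        RampartConfig.NS, RampartConfig.MUST_UNDERSTAND_SECURITY_HEADER_LN));
if (childElement != null) {
    String text = childElement.getText().trim();
    // only an explicit true/false is accepted; anything else is a policy error
    if (!"true".equalsIgnoreCase(text) && !"false".equalsIgnoreCase(text)) {
        throw new IllegalArgumentException(
                "Invalid " + RampartConfig.MUST_UNDERSTAND_SECURITY_HEADER_LN + " value: " + text);
    }
    rampartConfig.setMustUnderstandSecurityHeader(text);
}
// … unchanged: return rampartConfig; …
```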
@@ -136,6 +136,7 @@ public class RampartConfig implements Assertion {
 public final static String VALIDATE_SAML_SUBJECT_CONFIRMATION_LN = "validateSamlSubjectConfirmation";
 public final static String ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM_LN = "allowRSA15KeyTransportAlgorithm";
+ public final static String MUST_UNDERSTAND_SECURITY_HEADER_LN = "mustUnderstandSecurityHeader";
 private String user;
@@ -209,7 +210,9 @@ public class RampartConfig implements Assertion {
 private boolean validateSamlSubjectConfirmation = false; // backward compatibility
 private boolean allowRSA15KeyTransportAlgorithm = true; // backward compatibility
-
+
+ private boolean mustUnderstandSecurityHeader = true; // RAMPART-261, WSS4J default is true
+
 public SSLConfig getSSLConfig() {
 return sslConfig;
 }
@@ -391,6 +394,10 @@ public class RampartConfig implements Assertion {
 writer.writeEndElement();
 }
+ writer.writeStartElement(NS, MUST_UNDERSTAND_SECURITY_HEADER_LN);
+ writer.writeCharacters(Boolean.toString(isMustUnderstandSecurityHeader()));
+ writer.writeEndElement();
+
 writer.writeStartElement(NS, TIMESTAMP_PRECISION_IN_MS_LN);
 writer.writeCharacters(Boolean.toString(isTimestampPrecisionInMs()));
 writer.writeEndElement();
@@ -713,4 +720,16 @@ public class RampartConfig implements Assertion {
 this.allowRSA15KeyTransportAlgorithm = allowRSA15KeyTransportAlgorithm;
 }
+ public boolean isMustUnderstandSecurityHeader() {
+ return mustUnderstandSecurityHeader;
+ }
+
+ public void setMustUnderstandSecurityHeader(String mustUnderstandSecurityHeader) {
+ this.mustUnderstandSecurityHeader = Boolean.valueOf(mustUnderstandSecurityHeader);
+ }
+
+ public void setMustUnderstandSecurityHeader(boolean mustUnderstandSecurityHeader) {
+ this.mustUnderstandSecurityHeader = mustUnderstandSecurityHeader;
+ }
+
 }
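Review bot: The three new accessors in the `@@ -713` hunk carry no Javadoc, so a reader has to trace through RampartMessageData to learn what the flag controls and how it interacts with the per-message override. On `isMustUnderstandSecurityHeader()` I would add `/** Whether the outbound wsse:Security header is marked mustUnderstand; defaults to true (the WSS4J default). A non-null "mustUnderstandSecurityHeader" message-context property overrides this value per message. */`, and on the String overload `/** Accepts "true" or "false" (case-insensitive); any other value, including null, sets the flag to false. */`, since `Boolean.valueOf` gives exactly that behaviour. The `@@ -391` hunk now serializes the element unconditionally, so if rampart-config.xsd (the schema RAMPART-441 refers to) is kept in step with this model it should gain the new element as well. The class body of RampartConfig continues outside these hunks.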
diff --git a/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/kerberosConfig.policy b/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/kerberosConfig.policy
index d7e8a406..e4e79e79 100644
--- a/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/kerberosConfig.policy
+++ b/modules/rampart-core/src/test/resources/org/apache/rampart/policy/builders/kerberosConfig.policy
@@ -2,6 +2,7 @@
 <wsp:ExactlyOne>
 <wsp:All>
 <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
+ <rampart:mustUnderstandSecurityHeader>true</rampart:mustUnderstandSecurityHeader>
 <rampart:timestampPrecisionInMs>true</rampart:timestampPrecisionInMs>
 <rampart:timestampTTL>300</rampart:timestampTTL>
 <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
diff --git a/src/site/markdown/release-notes/1.8.0.md b/src/site/markdown/release-notes/1.8.0.md
index abd25ff2..46e51d8b 100644
--- a/src/site/markdown/release-notes/1.8.0.md
+++ b/src/site/markdown/release-notes/1.8.0.md
@@ -1,4 +1,4 @@
-Apache Rampart 1.8.0 Release Note
+Apache Rampart 1.8.0 Release Notes
 ---------------------------------
 Apache Rampart 1.8.0 is a major release designed for compatibility with Axis2
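Review bot: The fixture sets `<rampart:mustUnderstandSecurityHeader>true</rampart:mustUnderstandSecurityHeader>`, which is the field's default in RampartConfig, so a test that reads this policy through RampartConfigBuilder cannot tell a parsed value from a defaulted one. Setting it to `false` here, or adding a second fixture with `false`, would actually exercise the new builder branch. I cannot see from this page whether any test asserts on the value at all; if none does, one that round-trips the element through RampartConfig's serialize path would cover the three Java hunks together.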
@@ -11,8 +11,106 @@ This will be the last javax based release. The next Rampart release will be 2.0.
 and will support Axis2 2.0.0, Jakarta, servlet 6.0 and EE 10.
 This should happen soon as the hardwork in Axis2 2.0.0 has been done already.
-The Apache Rampart and top level Axis project covering Axis2 needs committers!
+The Apache Rampart project and our top level Axis project covering Axis2 needs committers!
 GitHub PR's are welcome too. If you have an interest in a feature that Rampart
-lacks or simple a bug, please think about contributing.
+lacks or simply found a bug you can help with, please think about contributing.
+Jira issues completed for 1.8.0:
+
+<h2> Sub-task
+</h2>
+<ul>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-234'>RAMPART-234</a>] - Allow custom https listeners to populate the client certificate chain in the message context
+</li>
+</ul>
+
+<h2> Bug
+</h2>
+<ul>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-289'>RAMPART-289</a>] - PolicyBasedResultsValidator Incorrectly Invalidates Supporting Token Signatures/Encryptions and Encrypted Supporting Tokens
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-325'>RAMPART-325</a>] - NullPointerException with UsernameToken Policy and MTOM Policy without Rampart Config in WSDL
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-331'>RAMPART-331</a>] - Unreachable code in org.apache.rahas.STSMessageReceiver.invokeBusinessLogic() - "dispatcher" is never null at end of try
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-361'>RAMPART-361</a>] - Rampart can not accept Username token which is generated from WCF client.
Due to name space qualified password type attribute in username token
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-374'>RAMPART-374</a>] - Not Able to use custom validator for USERNAME_TOKEN during server side validation
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-388'>RAMPART-388</a>] - NPE in RampartUtil#setKeyIdentifierType (line #1389) wss (web service security options assertion) is null.
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-390'>RAMPART-390</a>] - SupportingToken assertions do not support multiple nested protection assertions
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-396'>RAMPART-396</a>] - NullPointerException using STS, Trust and entropy
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-423'>RAMPART-423</a>] - STS implementation may lead to performance reduction
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-432'>RAMPART-432</a>] - Axis2 BSP compliance
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-435'>RAMPART-435</a>] - Unable to set timestampTTLand timestampMaxSkew values through a rampart callbackorg.apache.axis2.AxisFault: The message has expired
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-437'>RAMPART-437</a>] - SHA256 not supported for DigestAlgorithm for TransportBinding when specified correctly in policy.xml
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-441'>RAMPART-441</a>] - rampart-config.xsd is outdated
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-448'>RAMPART-448</a>] - NullPointerException in RampartUtil.setKeyIdentifierType() when signing response
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-449'>RAMPART-449</a>] - NoClassDefFoundError with Axis2 1.8.0
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-452'>RAMPART-452</a>] - Rampart Dependency on Outdated Version of WSS4J
1.6.x
+</li>
+</ul>
+
+<h2> New Feature
+</h2>
+<ul>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-261'>RAMPART-261</a>] - Ability to Toggle "mustUnderstand" flag in security header.
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-417'>RAMPART-417</a>] - Support for transport binding Kerberos v5 authentication
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-433'>RAMPART-433</a>] - Support for Kerberos v5 delegated authentication
+</li>
+</ul>
+
+<h2> Improvement
+</h2>
+<ul>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-205'>RAMPART-205</a>] - Setting WSSConfig properties from RampartConfig
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-335'>RAMPART-335</a>] - X509V3 KeyIdentifier cannot be set dynmaically
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-339'>RAMPART-339</a>] - Sample 09 for rampart policy samples -(different security policies to secure request and response messages with policy attachments)
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-369'>RAMPART-369</a>] - Rampart project need a DOAP file.
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-420'>RAMPART-420</a>] - Allow WS-Security timestamps to be spoofed and BSP checking disabled
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-440'>RAMPART-440</a>] - update OpenSAML to 2.6.1
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-451'>RAMPART-451</a>] - remove xalan dependency due to it being end of life
+</li>
+</ul>
+
+<h2> Request
+</h2>
+<ul>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-453'>RAMPART-453</a>] - Request to release the next latest rampart-trust version
+</li>
+</ul>
+
+<h2> Question
+</h2>
+<ul>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-436'>RAMPART-436</a>] - Proper settings to use WS-Security(UsernameToken) with Rampart 1.7.0
+</li>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-442'>RAMPART-442</a>] - Help ASAP
+</li>
+</ul>
+
+<h2> Documentation
+</h2>
+<ul>
+<li>[<a href='https://issues.apache.org/jira/browse/RAMPART-425'>RAMPART-425</a>] - Links not found
+</li>
+</ul>
diff --git a/src/site/site.xml b/src/site/site.xml
index ff60ed9e..3e26ddd4 100644
--- a/src/site/site.xml
+++ b/src/site/site.xml
@@ -54,6 +54,7 @@
 <item name="1.6.3" href="release-notes/1.6.3.html"/>
 <item name="1.6.4" href="release-notes/1.6.4.html"/>
 <item name="1.7.0" href="release-notes/1.7.0.html"/>
+ <item name="1.8.0" href="release-notes/1.8.0.html"/>
 </item>
 </menu>
 <menu name="Documentation">