Posted to java-commits@axis.apache.org by ve...@apache.org on 2017/01/29 15:59:34 UTC
svn commit: r1780817 [2/9] - in
/axis/axis2/java/rampart/branches/RAMPART-252: ./ apidocs/ code-coverage/
etc/ legal/ modules/distribution/ modules/distribution/src/
modules/documentation/ modules/rampart-core/
modules/rampart-core/src/main/java/META-I...
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java?rev=1780817&r1=1780816&r2=1780817&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java Sun Jan 29 15:59:32 2017
@@ -26,12 +26,14 @@ import org.apache.axis2.description.Para
import org.apache.axis2.engine.AxisConfiguration;
import org.apache.axis2.util.PolicyUtil;
import org.apache.axis2.wsdl.WSDLConstants;
+import org.apache.neethi.Assertion;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyComponent;
import org.apache.neethi.PolicyEngine;
import org.apache.rahas.RahasConstants;
import org.apache.rahas.SimpleTokenStore;
import org.apache.rahas.TokenStorage;
+import org.apache.rampart.handler.RampartUsernameTokenValidator;
import org.apache.rampart.handler.WSSHandlerConstants;
import org.apache.rampart.policy.RampartPolicyBuilder;
import org.apache.rampart.policy.RampartPolicyData;
@@ -46,6 +48,7 @@ import org.apache.ws.secpolicy.WSSPolicy
import org.apache.ws.security.SOAPConstants;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.conversation.ConversationConstants;
@@ -58,6 +61,7 @@ import org.apache.ws.security.util.WSSec
import org.w3c.dom.Document;
import java.util.ArrayList;
+import java.util.Collection;
import java.util.List;
public class RampartMessageData {
@@ -170,6 +174,12 @@ public class RampartMessageData {
this.msgContext = msgCtx;
try {
+
+ // Set the WSSConfig
+ this.config = WSSConfig.getNewInstance();
+
+ //Update the UsernameToken validator
+ this.config.setValidator(WSSecurityEngine.USERNAME_TOKEN, RampartUsernameTokenValidator.class);
// First obtain the axis service as we have to do a null check, there can be situations
// where Axis Service is null
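Review bot: The `this.config.setValidator(WSSecurityEngine.USERNAME_TOKEN, RampartUsernameTokenValidator.class)` registration is unconditional — every message's WSSConfig gets the Rampart validator before the service policy has even been read — and the comment above it only restates the call. A why-comment would help the next reader, e.g. `// Replace WSS4J's default UsernameToken validator with Rampart's so UT processing follows Rampart configuration (presumably password-callback handling) — confirm against RampartUsernameTokenValidator`, since that class is not in this hunk. Note also that `this.config` is now assigned here, so the RampartConfig block later in the constructor mutates this instance rather than creating its own. The enclosing constructor starts before the hunk.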
@@ -234,7 +244,7 @@ public class RampartMessageData {
} catch (NullPointerException e) {
//TODO remove this once AXIS2-4114 is fixed
if (axisService != null) {
- List<PolicyComponent> policyList = new ArrayList<PolicyComponent>();
+ Collection<PolicyComponent> policyList = new ArrayList<PolicyComponent>();
policyList.addAll(axisService.getPolicySubject().getAttachedPolicyComponents());
AxisConfiguration axisConfiguration = axisService.getAxisConfiguration();
policyList.addAll(axisConfiguration.getPolicySubject().getAttachedPolicyComponents());
@@ -252,7 +262,7 @@ public class RampartMessageData {
}
if(this.servicePolicy != null){
- List it = (List)this.servicePolicy.getAlternatives().next();
+ List<Assertion> it = this.servicePolicy.getAlternatives().next();
//Process policy and build policy data
this.policyData = RampartPolicyBuilder.build(it);
@@ -339,27 +349,23 @@ public class RampartMessageData {
msgContext.setProperty(SCT_ID, outMsgCtx.getProperty(SCT_ID));
}
}
-
- // Check whether RampartConfig is present
- if (this.policyData != null && this.policyData.getRampartConfig() != null) {
-
- boolean timestampPrecisionInMilliseconds = Boolean.valueOf(this.policyData
- .getRampartConfig().getTimestampPrecisionInMilliseconds()).booleanValue();
-
- // This is not the default behavior, we clone the default WSSConfig to prevent this
- // affecting globally
- if (timestampPrecisionInMilliseconds == WSSConfig.getNewInstance()
- .isPrecisionInMilliSeconds()) {
- this.config = WSSConfig.getNewInstance();
- } else {
- this.config = RampartUtil.getWSSConfigInstance();
- this.config.setPrecisionInMilliSeconds(timestampPrecisionInMilliseconds);
- }
- } else {
- this.config = WSSConfig.getNewInstance();
- }
-
- // To handle scenarios where password type is not set by default.
+
+ // Check whether RampartConfig is present
+ if (this.policyData != null && this.policyData.getRampartConfig() != null) {
+
+ boolean timestampPrecisionInMilliseconds = this.policyData
+ .getRampartConfig().isDefaultTimestampPrecisionInMs();
+ boolean timestampStrict = this.policyData.getRampartConfig().isTimeStampStrict();
+
+
+ // We do not need earlier logic as now WSS4J returns a new instance of WSSConfig, rather
+ // than a singleton instance. Therefore modifying logic as follows,
+ this.config.setTimeStampStrict(timestampStrict);
+ this.config.setPrecisionInMilliSeconds(timestampPrecisionInMilliseconds);
+
+ }
+
+ // To handle scenarios where password type is not set by default.
this.config.setHandleCustomPasswordTypes(true);
if (axisService != null) {
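Review bot: `this.config.setTimeStampStrict(timestampStrict)` now propagates whatever RampartConfig returns from `isTimeStampStrict()`; if I recall WSS4J's semantics correctly, a non-strict config is exactly what lets an expired Timestamp pass inbound validation, so a policy that sets it to false turns off expiry enforcement for the whole message. That is presumably why the knob is exposed, but the new block should say so: `// timestampStrict=false disables WSS4J's Expires check on inbound Timestamps; keep true unless clock skew is handled elsewhere`. A debug log line when strictness is turned off would also make the relaxed setting visible during incident analysis. The enclosing constructor continues outside the hunk.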
@@ -384,7 +390,7 @@ public class RampartMessageData {
private void setWSSecurityVersions(String namespace) throws RampartException {
if (namespace == null || namespace.equals("")) {
- throw new RampartException("Security policy namespace cannot be null.");
+ throw new RampartException("securityPolicyNamespaceCannotBeNull");
}
if (SP11Constants.SP_NS.equals(namespace)) {
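Review bot: The argument to RampartException at the changed line is now the key `securityPolicyNamespaceCannotBeNull` rather than a literal sentence, so it has to resolve through the same resource bundle as the other keys used in this commit (`userMissing`, `noKerberosConfigDefined`); the bundle change is not in this hunk and should be confirmed in the rest of the commit, otherwise operators will see the raw key as the fault text. The enclosing setWSSecurityVersions method continues outside the hunk.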
@@ -425,7 +431,7 @@ public class RampartMessageData {
this.servicePolicy.addAssertion(rc);
}
- List it = (List) this.servicePolicy.getAlternatives().next();
+ List<Assertion> it = this.servicePolicy.getAlternatives().next();
//Process policy and build policy data
try {
@@ -444,14 +450,6 @@ public class RampartMessageData {
}
/**
- * @param document The document to set.
- * @deprecated document is derived from MessageContext passed in constructor
- */
- public void setDocument(Document document) {
- this.document = document;
- }
-
- /**
* @return Returns the timeToLive.
*/
public int getTimeToLive() {
@@ -502,14 +500,6 @@ public class RampartMessageData {
}
/**
- * @param msgContext The msgContext to set.
- * @deprecated MessageContext is set in constructor
- */
- public void setMsgContext(MessageContext msgContext) {
- this.msgContext = msgContext;
- }
-
- /**
* @return Returns the policyData.
*/
public RampartPolicyData getPolicyData() {
@@ -517,28 +507,6 @@ public class RampartMessageData {
}
/**
- * @param policyData The policyData to set.
- * @deprecated Policy data determined within constructor
- */
- public void setPolicyData(RampartPolicyData policyData) throws RampartException {
- this.policyData = policyData;
-
- try {
- //if client side then check whether sig conf enabled
- //and get hold of the stored signature values
- if(this.isInitiator && !this.sender && policyData.isSignatureConfirmation()) {
- OperationContext opCtx = msgContext.getOperationContext();
- MessageContext outMsgCtx = opCtx
- .getMessageContext(WSDLConstants.MESSAGE_LABEL_OUT_VALUE);
- msgContext.setProperty(WSHandlerConstants.SEND_SIGV, outMsgCtx
- .getProperty(WSHandlerConstants.SEND_SIGV));
- }
- } catch (AxisFault e) {
- throw new RampartException("errorGettingSignatureValuesForSigconf", e);
- }
- }
-
- /**
* @return Returns the secHeader.
*/
public WSSecHeader getSecHeader() {
@@ -720,14 +688,6 @@ public class RampartMessageData {
}
/**
- * @param wstVersion The wstVersion to set.
- * @deprecated This is defined by the class.
- */
- public void setWstVersion(int wstVersion) {
- this.wstVersion = wstVersion;
- }
-
- /**
* @return Returns the secConvVersion.
*/
public int getSecConvVersion() {
@@ -741,13 +701,6 @@ public class RampartMessageData {
return servicePolicy;
}
- /**
- * @param servicePolicy The servicePolicy to set.
- * @deprecated servicePolicy determined in constructor
- */
- public void setServicePolicy(Policy servicePolicy) {
- this.servicePolicy = servicePolicy;
- }
/**
* @return Returns the timestampId.
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/AsymmetricBindingBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/AsymmetricBindingBuilder.java?rev=1780817&r1=1780816&r2=1780817&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/AsymmetricBindingBuilder.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/AsymmetricBindingBuilder.java Sun Jan 29 15:59:32 2017
@@ -27,14 +27,12 @@ import org.apache.rampart.policy.Rampart
import org.apache.rampart.policy.SupportingPolicyData;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.rampart.util.RampartUtil;
-import org.apache.ws.secpolicy.SPConstants;
import org.apache.ws.secpolicy.model.AlgorithmSuite;
import org.apache.ws.secpolicy.model.SupportingToken;
import org.apache.ws.secpolicy.model.Token;
import org.apache.ws.secpolicy.model.X509Token;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
-import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.handler.WSHandlerConstants;
@@ -202,12 +200,12 @@ public class AsymmetricBindingBuilder ex
// TODO may contain deifferent types of objects as values, therefore cannot use strongly type maps
// need to figure out a way
- HashMap sigSuppTokMap = null;
- HashMap endSuppTokMap = null;
- HashMap sgndEndSuppTokMap = null;
- HashMap sgndEncSuppTokMap = null;
- HashMap endEncSuppTokMap = null;
- HashMap sgndEndEncSuppTokMap = null;
+ HashMap<Token,Object> sigSuppTokMap = null;
+ HashMap<Token,Object> endSuppTokMap = null;
+ HashMap<Token,Object> sgndEndSuppTokMap = null;
+ HashMap<Token,Object> sgndEncSuppTokMap = null;
+ HashMap<Token,Object> endEncSuppTokMap = null;
+ HashMap<Token,Object> sgndEndEncSuppTokMap = null;
if(this.timestampElement != null){
sigParts.add(RampartUtil.createEncryptionPart(WSConstants.TIMESTAMP_TOKEN_LN,
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java?rev=1780817&r1=1780816&r2=1780817&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java Sun Jan 29 15:59:32 2017
@@ -17,7 +17,10 @@
package org.apache.rampart.builder;
import org.apache.axiom.om.OMElement;
+import org.apache.axis2.addressing.AddressingConstants;
+import org.apache.axis2.addressing.AddressingHelper;
import org.apache.axis2.client.Options;
+import org.apache.axis2.description.AxisEndpoint;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rahas.EncryptedKeyToken;
@@ -28,6 +31,7 @@ import org.apache.rampart.RampartMessage
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.policy.SupportingPolicyData;
import org.apache.rampart.policy.model.RampartConfig;
+import org.apache.rampart.policy.model.KerberosConfig;
import org.apache.rampart.util.RampartUtil;
import org.apache.ws.secpolicy.Constants;
import org.apache.ws.secpolicy.SPConstants;
@@ -38,6 +42,7 @@ import org.apache.ws.secpolicy.model.Sup
import org.apache.ws.secpolicy.model.Token;
import org.apache.ws.secpolicy.model.UsernameToken;
import org.apache.ws.secpolicy.model.X509Token;
+import org.apache.ws.security.NamePasswordCallbackHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSPasswordCallback;
@@ -53,6 +58,7 @@ import org.apache.ws.security.message.WS
import org.apache.ws.security.message.WSSecSignatureConfirmation;
import org.apache.ws.security.message.WSSecTimestamp;
import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.ws.security.message.token.KerberosSecurity;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
@@ -231,20 +237,6 @@ public abstract class BindingBuilder {
}
}
- //Deprecated after 1.5 release
- @Deprecated
- protected WSSecSignature getSignatureBuider(RampartMessageData rmd,
- Token token) throws RampartException {
- return getSignatureBuilder(rmd, token, null);
- }
-
- //Deprecated after 1.5 release
- @Deprecated
- protected WSSecSignature getSignatureBuider(RampartMessageData rmd, Token token,
- String userCertAlias) throws RampartException {
- return getSignatureBuilder(rmd, token, userCertAlias);
- }
-
protected WSSecSignature getSignatureBuilder(RampartMessageData rmd,
Token token)throws RampartException {
return getSignatureBuilder(rmd, token, null);
@@ -351,20 +343,18 @@ public abstract class BindingBuilder {
* @param suppTokens
* @throws RampartException
*/
- protected HashMap handleSupportingTokens(RampartMessageData rmd, SupportingToken suppTokens)
+ protected HashMap<Token,Object> handleSupportingTokens(RampartMessageData rmd, SupportingToken suppTokens)
throws RampartException {
//Create the list to hold the tokens
// TODO putting different types of objects. Need to figure out a way to add single types of objects
- HashMap endSuppTokMap = new HashMap();
+ HashMap<Token,Object> endSuppTokMap = new HashMap<Token,Object>();
if(suppTokens != null && suppTokens.getTokens() != null &&
suppTokens.getTokens().size() > 0) {
log.debug("Processing supporting tokens");
- ArrayList tokens = suppTokens.getTokens();
- for (Object objectToken : tokens) {
- Token token = (Token) objectToken;
+ for (Token token : suppTokens.getTokens()) {
org.apache.rahas.Token endSuppTok = null;
if (token instanceof IssuedToken && rmd.isInitiator()) {
String id = RampartUtil.getIssuedToken(rmd, (IssuedToken) token);
@@ -424,8 +414,10 @@ public abstract class BindingBuilder {
//Add the UT
Element elem = utBuilder.getUsernameTokenElement();
elem = RampartUtil.insertSiblingAfter(rmd, this.getInsertionLocation(), elem);
-
- encryptedTokensIdList.add(utBuilder.getId());
+
+ if (suppTokens.isEncryptedToken()) {
+ encryptedTokensIdList.add(utBuilder.getId());
+ }
//Move the insert location to the next element
this.setInsertionLocation(elem);
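Review bot: The new guard `if (suppTokens.isEncryptedToken())` means a UsernameToken under a plain or signed SupportingTokens assertion is no longer queued in `encryptedTokensIdList`, so a token carrying a plaintext password (when PasswordText is in use) is now emitted unencrypted in the header and relies entirely on the transport for confidentiality. That is what the policy asks for, but it is a behaviour change from the previous unconditional add and deserves a comment at the guard: `// Only EncryptedSupportingTokens policies encrypt the UT; otherwise its password is protected only by the transport binding`. The enclosing handleSupportingTokens method begins and ends outside this hunk.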
@@ -488,17 +480,13 @@ public abstract class BindingBuilder {
}
- protected List<byte[]> doEndorsedSignatures(RampartMessageData rmd, HashMap tokenMap) throws RampartException {
-
- Set tokenSet = tokenMap.keySet();
+ protected List<byte[]> doEndorsedSignatures(RampartMessageData rmd, HashMap<Token,Object> tokenMap) throws RampartException {
List<byte[]> sigValues = new ArrayList<byte[]>();
- for (Object aTokenSet : tokenSet) {
-
- Token token = (Token) aTokenSet;
-
- Object tempTok = tokenMap.get(token);
+ for (Map.Entry<Token,Object> entry : tokenMap.entrySet()) {
+ Token token = entry.getKey();
+ Object tempTok = entry.getValue();
// Migrating to a list
List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
@@ -864,5 +852,95 @@ public abstract class BindingBuilder {
}
}
-
+ protected KerberosSecurity addKerberosToken(RampartMessageData rmd, Token token)
+ throws RampartException {
+ RampartPolicyData rpd = rmd.getPolicyData();
+ KerberosConfig krbConfig = rpd.getRampartConfig().getKerberosConfig();
+
+ if (krbConfig == null) {
+ throw new RampartException("noKerberosConfigDefined");
+ }
+
+ log.debug("Token inclusion: " + token.getInclusion());
+
+ String user = krbConfig.getPrincipalName();
+ if (user == null) {
+ user = rpd.getRampartConfig().getUser();
+ }
+
+ String password = krbConfig.getPrincipalPassword();
+ if (password == null) {
+ CallbackHandler handler = RampartUtil.getPasswordCB(rmd);
+
+ if (handler != null) {
+ if (user == null) {
+ log.debug("Password callback is configured but no user value is specified in the configuration");
+ throw new RampartException("userMissing");
+ }
+
+ //TODO We do not have a separate usage type for Kerberos token, let's use custom token
+ WSPasswordCallback[] cb = { new WSPasswordCallback(user, WSPasswordCallback.CUSTOM_TOKEN) };
+ try {
+ handler.handle(cb);
+ if (cb[0].getPassword() != null && !"".equals(cb[0].getPassword())) {
+ password = cb[0].getPassword();
+ }
+ } catch (IOException e) {
+ throw new RampartException("errorInGettingPasswordForUser", new String[] { user }, e);
+ } catch (UnsupportedCallbackException e) {
+ throw new RampartException("errorInGettingPasswordForUser", new String[] { user }, e);
+ }
+ }
+ }
+
+ String principalName = null;
+ boolean isUsernameServiceNameForm = KerberosConfig.USERNAME_NAME_FORM.equals(krbConfig.getServicePrincipalNameForm());
+
+ AxisEndpoint endpoint = rmd.getMsgContext().findEndpoint();
+ if (endpoint != null) {
+ if (log.isDebugEnabled()) {
+ log.debug("Identified endpoint: " + endpoint.getName() + ". Looking for SPN identity claim.");
+ }
+
+ OMElement addressingIdentity = AddressingHelper.getAddressingIdentityParameterValue(endpoint);
+ if (addressingIdentity != null) {
+ OMElement spnClaim = addressingIdentity.getFirstChildWithName(AddressingConstants.QNAME_IDENTITY_SPN);
+ if (spnClaim != null) {
+ principalName = spnClaim.getText();
+ isUsernameServiceNameForm = false;
+ if (log.isDebugEnabled()) {
+ log.debug("Found SPN identity claim: " + principalName);
+ }
+ }
+ else {
+ OMElement upnClaim = addressingIdentity.getFirstChildWithName(AddressingConstants.QNAME_IDENTITY_UPN);
+ if (upnClaim != null) {
+ principalName = upnClaim.getText();
+ isUsernameServiceNameForm = true;
+ if (log.isDebugEnabled()) {
+ log.debug("Found UPN identity claim: " + principalName);
+ }
+ } else if (log.isDebugEnabled()) {
+ log.debug(String.format("Neither SPN nor UPN identity claim found in %s EPR element for endpoint %s.", addressingIdentity.getQName().toString(), endpoint.getName()));
+ }
+ }
+ }
+ }
+
+ if (principalName == null) {
+ principalName = krbConfig.getServicePrincipalName();
+ }
+
+ try {
+ KerberosSecurity bst = new KerberosSecurity(rmd.getDocument());
+
+ NamePasswordCallbackHandler cb = new NamePasswordCallbackHandler(user, password);
+ bst.retrieveServiceTicket(krbConfig.getJaasContext(), cb, principalName, isUsernameServiceNameForm,
+ krbConfig.isRequstCredentialDelegation(), krbConfig.getDelegationCredential());
+
+ return bst;
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInBuildingKereberosToken", e);
+ }
+ }
}
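Review bot: The SPN taken from the endpoint's addressing Identity element (`principalName = spnClaim.getText()`) silently overrides `krbConfig.getServicePrincipalName()`, which becomes only a fallback; if the AxisEndpoint is built from remotely fetched WSDL, whoever serves that metadata chooses which service principal the client obtains a ticket for, so this precedence should at least be stated in a comment and ideally be opt-in or logged above debug. Separately, when the password callback returns null or empty the method continues into `new NamePasswordCallbackHandler(user, null)` without any log line; if that is intended for keytab or ticket-cache JAAS configurations a comment would help, e.g. `// null password is allowed: the JAAS context may use a keytab or ticket cache`. `krbConfig.getPrincipalPassword()` also keeps the credential as a String in configuration, a limitation of the WSS4J callback API that is worth noting in the KerberosConfig documentation.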
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java?rev=1780817&r1=1780816&r2=1780817&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java Sun Jan 29 15:59:32 2017
@@ -32,6 +32,7 @@ import org.apache.ws.secpolicy.SPConstan
import org.apache.ws.secpolicy.model.AlgorithmSuite;
import org.apache.ws.secpolicy.model.Header;
import org.apache.ws.secpolicy.model.IssuedToken;
+import org.apache.ws.secpolicy.model.KerberosToken;
import org.apache.ws.secpolicy.model.SecureConversationToken;
import org.apache.ws.secpolicy.model.SignedEncryptedParts;
import org.apache.ws.secpolicy.model.SupportingToken;
@@ -44,10 +45,16 @@ import org.apache.ws.security.WSSecurity
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.message.*;
+import org.apache.ws.security.message.token.KerberosSecurity;
+import org.apache.ws.security.util.Base64;
+import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import javax.crypto.SecretKey;
import javax.xml.crypto.dsig.Reference;
+import javax.xml.crypto.dsig.SignatureMethod;
+
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
@@ -138,6 +145,8 @@ public class TransportBindingBuilder ext
} else if (token instanceof SecureConversationToken) {
handleSecureConversationTokens(rmd, (SecureConversationToken) token);
signatureValues.add(doSecureConversationSignature(rmd, token, signdParts));
+ } else if (token instanceof KerberosToken) {
+ signatureValues.add(doKerberosTokenSignature(rmd, (KerberosToken)token, signdParts));
}
}
}
@@ -292,6 +301,77 @@ public class TransportBindingBuilder ext
}
+ /**
+ * Generates a signature over the timestamp element (if any) using the Kerberos client/server session key.
+ *
+ * @param rmd
+ * @param token
+ * @param signdParts
+ */
+ private byte[] doKerberosTokenSignature(RampartMessageData rmd, KerberosToken token, SignedEncryptedParts signdParts) throws RampartException {
+
+ Document doc = rmd.getDocument();
+
+ List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
+
+ //TODO Shall we always include a timestamp?
+ if (this.timestampElement != null) {
+ sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
+ }
+
+ if (signdParts != null) {
+ if (signdParts.isBody()) {
+ SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
+ sigParts.add(new WSEncryptionPart(RampartUtil.addWsuIdToElement(env.getBody())));
+ }
+
+ ArrayList headers = signdParts.getHeaders();
+ for (Iterator iterator = headers.iterator(); iterator.hasNext();) {
+ Header header = (Header) iterator.next();
+ WSEncryptionPart wep = new WSEncryptionPart(header.getName(),
+ header.getNamespace(),
+ "Content");
+ sigParts.add(wep);
+ }
+ }
+
+ try {
+ KerberosSecurity kerberosBst = addKerberosToken(rmd, token);
+ kerberosBst.setID("Id-" + kerberosBst.hashCode());
+
+ WSSecSignature sign = new WSSecSignature();
+ sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
+
+ if (token.isRequiresKeyIdentifierReference()) {
+ sign.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+
+ byte[] digestBytes = WSSecurityUtil.generateDigest(kerberosBst.getToken());
+ sign.setCustomTokenId(Base64.encode(digestBytes));
+ sign.setCustomTokenValueType(WSConstants.WSS_KRB_KI_VALUE_TYPE);
+ } else {
+ sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+
+ sign.setCustomTokenId(kerberosBst.getID());
+ sign.setCustomTokenValueType(kerberosBst.getValueType());
+ }
+
+ SecretKey secretKey = kerberosBst.getSecretKey();
+ sign.setSecretKey(secretKey.getEncoded());
+
+ sign.prepare(doc, null, rmd.getSecHeader());
+
+ WSSecurityUtil.prependChildElement(rmd.getSecHeader().getSecurityHeader(), kerberosBst.getElement());
+
+ List<Reference> referenceList = sign.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ sign.computeSignature(referenceList, false, null);
+
+ return sign.getSignatureValue();
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInSignatureWithKerberosToken", e);
+ }
+ }
+
private void appendToHeader(WSSecHeader secHeader, Element appendingChild) {
// TODO this is bit dubious, before migration code was like "dkSig.appendSigToHeader(rmd.getSecHeader())"
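Review bot: `kerberosBst.setID("Id-" + kerberosBst.hashCode())` derives the wsu:Id from an identity hash, which is neither unique nor stable, so two tokens in one header can collide and the reference built by `sign.setCustomTokenId(kerberosBst.getID())` would then be ambiguous; `"Id-" + UUID.randomUUID()` (java.util.UUID) or the id allocator that WSS4J's own builders draw from their WSSConfig would be safer. Secondly, `SignatureMethod.HMAC_SHA1` is hard-coded rather than taken from the policy's AlgorithmSuite; that matches the WS-SecurityPolicy 1.2 suites as far as I recall, but a comment saying so would stop a later suite change from silently diverging. `kerberosBst.getSecretKey()` is also dereferenced without a null check, so a JAAS login that yielded no session key surfaces as a NullPointerException instead of the `errorInSignatureWithKerberosToken` RampartException the catch block intends.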
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java?rev=1780817&r1=1780816&r2=1780817&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java Sun Jan 29 15:59:32 2017
@@ -30,7 +30,6 @@ import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.RampartPolicyData;
-import org.apache.rampart.util.HandlerParameterDecoder;
import org.apache.rampart.util.RampartUtil;
import org.apache.ws.secpolicy.model.Binding;
import org.apache.ws.secpolicy.model.SupportingToken;
@@ -122,13 +121,13 @@ public class PostDispatchVerificationHan
return InvocationResponse.CONTINUE;
}
- Iterator alternatives = policy.getAlternatives();
+ Iterator<List<Assertion>> alternatives = policy.getAlternatives();
boolean securityPolicyPresent = false;
if(alternatives.hasNext()) {
- List assertions = (List)alternatives.next();
- for (Iterator iterator = assertions.iterator(); iterator.hasNext();) {
- Assertion assertion = (Assertion) iterator.next();
+ List<Assertion> assertions = alternatives.next();
+ for (Iterator<Assertion> iterator = assertions.iterator(); iterator.hasNext();) {
+ Assertion assertion = iterator.next();
//Check for any *Binding assertion
if (assertion instanceof Binding) {
securityPolicyPresent = true;
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyBuilder.java?rev=1780817&r1=1780816&r2=1780817&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyBuilder.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyBuilder.java Sun Jan 29 15:59:32 2017
@@ -36,7 +36,6 @@ import org.apache.ws.secpolicy.model.Sig
import org.apache.ws.secpolicy.model.SupportingToken;
import org.apache.ws.secpolicy.model.SymmetricAsymmetricBindingBase;
import org.apache.ws.secpolicy.model.SymmetricBinding;
-import org.apache.ws.secpolicy.model.TokenWrapper;
import org.apache.ws.secpolicy.model.TransportBinding;
import org.apache.ws.secpolicy.model.TransportToken;
import org.apache.ws.secpolicy.model.Trust10;
@@ -65,15 +64,15 @@ public class RampartPolicyBuilder {
*
* @param topLevelAssertions
* The iterator of the top level policy assertions
- * @return The compile Poilcy data block.
+ * @return The compile Policy data block.
* @throws WSSPolicyException
*/
- public static RampartPolicyData build(List topLevelAssertions)
+ public static RampartPolicyData build(List<Assertion> topLevelAssertions)
throws WSSPolicyException {
RampartPolicyData rpd = new RampartPolicyData();
- for (Iterator iter = topLevelAssertions.iterator(); iter.hasNext();) {
+ for (Iterator<Assertion> iter = topLevelAssertions.iterator(); iter.hasNext();) {
Assertion assertion = (Assertion) iter.next();
if (assertion instanceof Binding) {
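Review bot: The explicit `(Assertion) iter.next()` cast in the loop body is now redundant because `iter` is `Iterator<Assertion>`; `Assertion assertion = iter.next();` reads cleaner and matches the other hunks in this file where the casts were dropped. A for-each over `topLevelAssertions` would remove the iterator altogether. The method body continues outside the hunk.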
@@ -228,14 +227,14 @@ public class RampartPolicyBuilder {
*/
private static void processSignedEncryptedElements(
SignedEncryptedElements see, RampartPolicyData rpd) {
- Iterator it = see.getXPathExpressions().iterator();
+ Iterator<String> it = see.getXPathExpressions().iterator();
if (see.isSignedElemets()) {
while (it.hasNext()) {
- rpd.setSignedElements((String) it.next());
+ rpd.setSignedElements(it.next());
}
} else {
while (it.hasNext()) {
- rpd.setEncryptedElements((String) it.next());
+ rpd.setEncryptedElements(it.next());
}
}
rpd.addDeclaredNamespaces(see.getDeclaredNamespaces());
@@ -251,7 +250,7 @@ public class RampartPolicyBuilder {
*/
private static void processSignedEncryptedParts(SignedEncryptedParts sep,
RampartPolicyData rpd) {
- Iterator it = sep.getHeaders().iterator();
+ Iterator<Header> it = sep.getHeaders().iterator();
if (sep.isSignedParts()) {
rpd.setSignBody(sep.isBody());
rpd.setSignAttachments(sep.isAttachments());
@@ -259,7 +258,7 @@ public class RampartPolicyBuilder {
rpd.setSignBodyOptional(sep.isOptional());
rpd.setSignAttachmentsOptional(sep.isOptional());
while (it.hasNext()) {
- Header header = (Header) it.next();
+ Header header = it.next();
rpd.addSignedPart(header.getNamespace(), header.getName());
}
} else {
@@ -268,7 +267,7 @@ public class RampartPolicyBuilder {
rpd.setEncryptBodyOptional(sep.isOptional());
rpd.setEncryptAttachmentsOptional(sep.isOptional());
while (it.hasNext()) {
- Header header = (Header) it.next();
+ Header header = it.next();
rpd.setEncryptedParts(header.getNamespace(), header.getName(),"Header");
}
}
@@ -277,9 +276,9 @@ public class RampartPolicyBuilder {
private static void processContentEncryptedElements(ContentEncryptedElements cee,
RampartPolicyData rpd) {
- Iterator it = cee.getXPathExpressions().iterator();
+ Iterator<String> it = cee.getXPathExpressions().iterator();
while (it.hasNext()) {
- rpd.setContentEncryptedElements((String) it.next());
+ rpd.setContentEncryptedElements(it.next());
}
rpd.addDeclaredNamespaces(cee.getDeclaredNamespaces());
}
@@ -287,9 +286,9 @@ public class RampartPolicyBuilder {
private static void processRequiredElements(RequiredElements req,
RampartPolicyData rpd) {
- Iterator it = req.getXPathExpressions().iterator();
+ Iterator<String> it = req.getXPathExpressions().iterator();
while (it.hasNext()) {
- rpd.setRequiredElements((String) it.next());
+ rpd.setRequiredElements(it.next());
}
rpd.addDeclaredNamespaces(req.getDeclaredNamespaces());
}
@@ -363,14 +362,14 @@ public class RampartPolicyBuilder {
*/
private static void asymmetricBinding(AsymmetricBinding binding,
RampartPolicyData rpd) throws WSSPolicyException {
- TokenWrapper tokWrapper = binding.getRecipientToken();
- TokenWrapper tokWrapper1 = binding.getInitiatorToken();
- if (tokWrapper == null || tokWrapper1 == null) {
+ RecipientToken rt = binding.getRecipientToken();
+ InitiatorToken it = binding.getInitiatorToken();
+ if (rt == null || it == null) {
throw new WSSPolicyException("Asymmetric binding should have both Initiator and " +
"Recipient tokens defined");
}
- rpd.setRecipientToken(((RecipientToken) tokWrapper).getReceipientToken());
- rpd.setInitiatorToken(((InitiatorToken) tokWrapper1).getInitiatorToken());
+ rpd.setRecipientToken(rt.getReceipientToken());
+ rpd.setInitiatorToken(it.getInitiatorToken());
}
private static void processSupportingTokens(SupportingToken token,
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyData.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyData.java?rev=1780817&r1=1780816&r2=1780817&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyData.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/RampartPolicyData.java Sun Jan 29 15:59:32 2017
@@ -35,7 +35,6 @@ import org.apache.ws.security.WSEncrypti
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
-import java.util.Vector;
public class RampartPolicyData {
@@ -126,8 +125,7 @@ public class RampartPolicyData {
private List<String> contentEncryptedElements = new ArrayList<String>();
- //TODO make this strongly type attribute
- private HashMap declaredNamespaces = new HashMap();
+ private HashMap<String, String> declaredNamespaces = new HashMap<String, String>();
/*
* Holds the supporting tokens elements
@@ -528,11 +526,11 @@ public class RampartPolicyData {
return signedParts;
}
- public HashMap getDeclaredNamespaces() {
+ public HashMap<String, String> getDeclaredNamespaces() {
return declaredNamespaces;
}
- public void addDeclaredNamespaces(HashMap namespaces) {
+ public void addDeclaredNamespaces(HashMap<String, String> namespaces) {
declaredNamespaces.putAll(namespaces);
}
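Review bot: `getDeclaredNamespaces()` still hands out the internal mutable `declaredNamespaces` map, so any caller can add or remove prefix bindings behind the policy data's back, and these bindings are what the signed/encrypted-element XPath expressions are resolved against. Now that the map is typed, the safer shape is `public Map<String, String> getDeclaredNamespaces()` returning `Collections.unmodifiableMap(declaredNamespaces)`; widening the return type needs the callers checked and a `java.util.Map`/`Collections` import, neither of which this chunk shows. `addDeclaredNamespaces(null)` also fails with a bare NullPointerException from `putAll`; an explicit `Objects.requireNonNull(namespaces, "namespaces")` makes that contract visible. The rest of the class lies outside this hunk.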
@@ -900,7 +898,7 @@ public class RampartPolicyData {
case SPConstants.SUPPORTING_TOKEN_SIGNED_ENDORSING:
if(this.signedEndorsingSupportingTokensIdMap == null) {
- this.signedEndorsingSupportingTokensIdMap = new HashMap();
+ this.signedEndorsingSupportingTokensIdMap = new HashMap<Token,String>();
}
return null;
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/SupportingPolicyData.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/SupportingPolicyData.java?rev=1780817&r1=1780816&r2=1780817&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/SupportingPolicyData.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/SupportingPolicyData.java Sun Jan 29 15:59:32 2017
@@ -1,53 +1,62 @@
-package org.apache.rampart.policy;
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
-import java.util.Iterator;
+package org.apache.rampart.policy;
import org.apache.ws.secpolicy.model.Header;
import org.apache.ws.secpolicy.model.SupportingToken;
public class SupportingPolicyData extends RampartPolicyData {
- public void build(SupportingToken token) {
+ public void build(SupportingToken token) {
- if (token.getSignedParts() != null && !token.getSignedParts().isOptional()) {
- Iterator it = token.getSignedParts().getHeaders().iterator();
- this.setSignBody(token.getSignedParts().isBody());
- while (it.hasNext()) {
- Header header = (Header) it.next();
- this.addSignedPart(header.getNamespace(), header.getName());
- }
- }
-
- if (token.getEncryptedParts() != null && !token.getEncryptedParts().isOptional()) {
- Iterator it = token.getEncryptedParts().getHeaders().iterator();
- this.setEncryptBody(token.getEncryptedParts().isBody());
- while (it.hasNext()) {
- Header header = (Header) it.next();
- this.setEncryptedParts(header.getNamespace(), header.getName(),
- "Header");
- }
- }
-
- if (token.getSignedElements() != null && !token.getSignedElements().isOptional()) {
- Iterator it = token.getSignedElements().getXPathExpressions()
- .iterator();
- while (it.hasNext()) {
- this.setSignedElements((String) it.next());
- }
- this.addDeclaredNamespaces(token.getSignedElements()
- .getDeclaredNamespaces());
- }
-
- if (token.getEncryptedElements() != null && !token.getEncryptedElements().isOptional()) {
- Iterator it = token.getEncryptedElements().getXPathExpressions()
- .iterator();
- while (it.hasNext()) {
- this.setEncryptedElements((String) it.next());
- }
- if (token.getSignedElements() == null) {
- this.addDeclaredNamespaces(token.getEncryptedElements()
- .getDeclaredNamespaces());
- }
- }
- }
+ if (token.getSignedParts() != null && !token.getSignedParts().isOptional()) {
+ this.setSignBody(token.getSignedParts().isBody());
+ for (Header header : token.getSignedParts().getHeaders()) {
+ this.addSignedPart(header.getNamespace(), header.getName());
+ }
+ }
+
+ if (token.getEncryptedParts() != null && !token.getEncryptedParts().isOptional()) {
+ this.setEncryptBody(token.getEncryptedParts().isBody());
+ for (Header header : token.getEncryptedParts().getHeaders()) {
+ this.setEncryptedParts(header.getNamespace(), header.getName(),
+ "Header");
+ }
+ }
+
+ if (token.getSignedElements() != null && !token.getSignedElements().isOptional()) {
+ for (String xpath : token.getSignedElements().getXPathExpressions()) {
+ this.setSignedElements(xpath);
+ }
+ this.addDeclaredNamespaces(token.getSignedElements()
+ .getDeclaredNamespaces());
+ }
+
+ if (token.getEncryptedElements() != null && !token.getEncryptedElements().isOptional()) {
+ for (String xpath : token.getEncryptedElements().getXPathExpressions()) {
+ this.setEncryptedElements(xpath);
+ }
+ if (token.getSignedElements() == null) {
+ this.addDeclaredNamespaces(token.getEncryptedElements()
+ .getDeclaredNamespaces());
+ }
+ }
+ }
}
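Review bot: The declared namespaces of EncryptedElements are still merged only when `token.getSignedElements()` is null, so a policy with an optional SignedElements assertion and a non-optional EncryptedElements assertion ends up with neither set of bindings: the SignedElements branch skips the optional assertion, and the final `if` sees a non-null SignedElements and skips the encrypted ones, leaving the encrypted-element XPaths without their prefix bindings. Because `addDeclaredNamespaces` merges through `putAll`, the guard can simply be dropped and the EncryptedElements branch can call `this.addDeclaredNamespaces(token.getEncryptedElements().getDeclaredNamespaces());` unconditionally. If the guard was meant to avoid a prefix clash between the two assertions, that intent deserves a comment, since the XPath evaluation side is not in this chunk.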
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java?rev=1780817&r1=1780816&r2=1780817&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/builders/RampartConfigBuilder.java Sun Jan 29 15:59:32 2017
@@ -22,6 +22,7 @@ import org.apache.neethi.Assertion;
import org.apache.neethi.AssertionBuilderFactory;
import org.apache.neethi.builders.AssertionBuilder;
import org.apache.rampart.policy.model.CryptoConfig;
+import org.apache.rampart.policy.model.KerberosConfig;
import org.apache.rampart.policy.model.OptimizePartsConfig;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.rampart.policy.model.SSLConfig;
@@ -89,6 +90,16 @@ public class RampartConfigBuilder implem
}
childElement = element.getFirstChildWithName(new QName(
+ RampartConfig.NS, RampartConfig.KERBEROS_CONFIG));
+ if (childElement != null) {
+ KerberosConfig kerberosConfig = (KerberosConfig)new KerberosConfigBuilder().
+ build(childElement,
+ factory);
+ rampartConfig.setKerberosConfig(kerberosConfig);
+
+ }
+
+ childElement = element.getFirstChildWithName(new QName(
RampartConfig.NS, RampartConfig.SIG_CRYPTO_LN));
if (childElement != null) {
rampartConfig.setSigCryptoConfig((CryptoConfig) factory
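Review bot: The kerberosConfig branch builds its assertion with `new KerberosConfigBuilder().build(childElement, factory)` directly, while the neighbouring sigCrypto branch appears to go through `factory`, i.e. the AssertionBuilderFactory registry; if a KerberosConfigBuilder is registered with the factory this is a needless divergence, and if it is not, the direct instantiation deserves a one-line comment saying why. The cast to `KerberosConfig` throws an unchecked ClassCastException should `build` ever return a different assertion type, so keeping the same pattern as the sibling branches keeps behaviour and error handling uniform. The enclosing `build` method starts and ends outside this hunk.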
@@ -154,6 +165,12 @@ public class RampartConfigBuilder implem
rampartConfig.setOptimizeParts(config);
}
+ childElement = element.getFirstChildWithName(new QName(
+ RampartConfig.NS, RampartConfig.TIMESTAMP_STRICT_LN));
+ if (childElement != null) {
+ rampartConfig.setTimeStampStrict(childElement.getText().trim());
+ }
+
return rampartConfig;
}
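Review bot: `setTimeStampStrict(childElement.getText().trim())` accepts any text, and because the setter parses it with `Boolean.valueOf`, a typo such as `<timestampStrict>ture</timestampStrict>` or an empty element silently resolves to `false`, the permissive mode, which is the wrong direction for a security setting to fail in. Validate at parse time so a bad value is a configuration error rather than a silent downgrade; whether the builder is allowed to throw IllegalArgumentException from `build` depends on the Neethi interface, which is not shown here. The enclosing `build` method starts outside this hunk.
```java
if (childElement != null) {
    String strict = childElement.getText().trim();
    if (!"true".equalsIgnoreCase(strict) && !"false".equalsIgnoreCase(strict)) {
        throw new IllegalArgumentException("Invalid value for "
                + RampartConfig.TIMESTAMP_STRICT_LN + ": '" + strict + "' (expected true or false)");
    }
    rampartConfig.setTimeStampStrict(strict);
}
```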
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java?rev=1780817&r1=1780816&r2=1780817&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/policy/model/RampartConfig.java Sun Jan 29 15:59:32 2017
@@ -106,12 +106,16 @@ public class RampartConfig implements As
public final static String TOKEN_STORE_CLASS_LN = "tokenStoreClass";
+ public final static String TIMESTAMP_STRICT_LN = "timestampStrict";
+
public final static String NONCE_LIFE_TIME = "nonceLifeTime";
public final static String OPTIMISE_PARTS = "optimizeParts";
public final static String SSL_CONFIG = "sslConfig";
+ public final static String KERBEROS_CONFIG = "kerberosConfig";
+
private String user;
private String userCertAlias;
@@ -135,6 +139,7 @@ public class RampartConfig implements As
private CryptoConfig stsCryptoConfig;
private String timestampPrecisionInMilliseconds = Boolean.toString(DEFAULT_TIMESTAMP_PRECISION_IN_MS);
+ private boolean isTimestampPrecisionInMs = DEFAULT_TIMESTAMP_PRECISION_IN_MS;
private String timestampTTL = Integer.toString(DEFAULT_TIMESTAMP_TTL);
@@ -148,6 +153,19 @@ public class RampartConfig implements As
private SSLConfig sslConfig;
+ private KerberosConfig kerberosConfig;
+
+ public KerberosConfig getKerberosConfig() {
+ return kerberosConfig;
+ }
+
+ public void setKerberosConfig(KerberosConfig kerberosConfig) {
+ this.kerberosConfig = kerberosConfig;
+ }
+
+ /*To set timeStampStrict in WSSConfig through rampartConfig - default value is false*/
+ private boolean timeStampStrict = false;
+
public SSLConfig getSSLConfig() {
return sslConfig;
}
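Review bot: The new `timeStampStrict` field carries only "default value is false" as explanation and is declared between the KerberosConfig accessors and `getSSLConfig`, so a reader cannot tell what strict mode rejects or why the lenient setting is the default. If the flag is forwarded to WSS4J's `WSSConfig.setTimeStampStrict` as the comment suggests, that setting presumably controls whether a Timestamp whose Expires is already in the past is rejected, so the permissive default is worth stating explicitly; suggested Javadoc: `/** Whether expired Timestamp elements are rejected (forwarded to WSSConfig.setTimeStampStrict). Defaults to false for backward compatibility; set to true to reject messages whose Timestamp has expired. */` with the WSS4J semantics confirmed against the handler that reads it, which is not in this chunk. Moving the field next to the other `timestamp*` fields would also keep related state together.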
@@ -326,15 +344,13 @@ public class RampartConfig implements As
if (getRampartConfigCbClass() != null) {
writer.writeStartElement(NS, RAMPART_CONFIG_CB_CLASS_LN);
writer.writeCharacters(getRampartConfigCbClass());
- writer.writeEndElement();
- }
-
- if (getTimestampPrecisionInMilliseconds() != null) {
- writer.writeStartElement(NS, TS_PRECISION_IN_MS_LN);
- writer.writeCharacters(getTimestampPrecisionInMilliseconds());
writer.writeEndElement();
}
-
+
+ writer.writeStartElement(NS, TS_PRECISION_IN_MS_LN);
+ writer.writeCharacters(Boolean.toString(isDefaultTimestampPrecisionInMs()));
+ writer.writeEndElement();
+
if (getTimestampTTL() != null) {
writer.writeStartElement(NS, TS_TTL_LN);
writer.writeCharacters(getTimestampTTL());
@@ -347,6 +363,10 @@ public class RampartConfig implements As
writer.writeEndElement();
}
+ writer.writeStartElement(NS, TIMESTAMP_STRICT_LN);
+ writer.writeCharacters(Boolean.toString(isTimeStampStrict()));
+ writer.writeEndElement();
+
if (getTokenStoreClass() != null) {
writer.writeStartElement(NS, TOKEN_STORE_CLASS_LN);
writer.writeCharacters(getTokenStoreClass());
@@ -384,6 +404,12 @@ public class RampartConfig implements As
writer.writeEndElement();
}
+ if (kerberosConfig != null) {
+ writer.writeStartElement(NS, KERBEROS_CONFIG);
+ kerberosConfig.serialize(writer);
+ writer.writeEndElement();
+ }
+
writer.writeEndElement();
}
@@ -396,12 +422,26 @@ public class RampartConfig implements As
return Constants.TYPE_ASSERTION;
}
+ /**
+ * @deprecated As of version 1.7.0, replaced by isDefaultTimestampPrecisionInMs
+ * @see #isDefaultTimestampPrecisionInMs()
+ * @return Returns "true" or "false".
+ */
+ @Deprecated
public String getTimestampPrecisionInMilliseconds() {
return timestampPrecisionInMilliseconds;
}
+
+ public boolean isDefaultTimestampPrecisionInMs() {
+ return this.isTimestampPrecisionInMs;
+ }
public void setTimestampPrecisionInMilliseconds(String timestampPrecisionInMilliseconds) {
- this.timestampPrecisionInMilliseconds = timestampPrecisionInMilliseconds;
+
+ if (timestampPrecisionInMilliseconds != null) {
+ this.timestampPrecisionInMilliseconds = timestampPrecisionInMilliseconds;
+ this.isTimestampPrecisionInMs = Boolean.valueOf(timestampPrecisionInMilliseconds);
+ }
}
/**
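Review bot: `isDefaultTimestampPrecisionInMs()` returns the configured value, not a default, so the name contradicts what it does and what the `@deprecated` tag on the old getter points readers to; `isTimestampPrecisionInMilliseconds()` would match the existing setter and field. The setter also changes behaviour quietly: `setTimestampPrecisionInMilliseconds(null)` used to clear the String value and is now a no-op, and any string other than "true" (for example "1" or "yes") becomes `false` via `Boolean.valueOf` without complaint. At minimum the setter's Javadoc should say so, e.g. `/** Sets the timestamp precision; a null argument is ignored and keeps the previous value. Only "true" (case-insensitive) enables millisecond precision. */`. The class continues beyond this hunk.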
@@ -457,5 +497,13 @@ public class RampartConfig implements As
public void setStsCryptoConfig(CryptoConfig stsCryptoConfig) {
this.stsCryptoConfig = stsCryptoConfig;
}
+
+ public boolean isTimeStampStrict() {
+ return timeStampStrict;
+ }
+
+ public void setTimeStampStrict(String timeStampStrict) {
+ this.timeStampStrict = Boolean.valueOf(timeStampStrict);
+ }
}
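Review bot: `setTimeStampStrict(null)` quietly stores `false` because `Boolean.valueOf((String) null)` returns false, which differs from `setTimestampPrecisionInMilliseconds` in the same class, where a null argument is ignored; the two boolean-from-String setters should follow one rule, and since `false` is the permissive mode the null case is better rejected than defaulted: `if (timeStampStrict == null) throw new IllegalArgumentException("timestampStrict must not be null");` before the assignment. The pair is also asymmetric (String in, boolean out); a `setTimeStampStrict(boolean)` overload would let programmatic callers skip the string round-trip and leave the lenient parsing confined to the config builder. A Javadoc line such as `/** Enables rejection of expired Timestamps; see isTimeStampStrict(). */` would tie the setter to the field's meaning.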
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java?rev=1780817&r1=1780816&r2=1780817&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/util/Axis2Util.java Sun Jan 29 15:59:32 2017
@@ -20,19 +20,14 @@ import org.apache.axiom.om.OMAbstractFac
import org.apache.axiom.om.OMAttribute;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.OMFactory;
-import org.apache.axiom.om.OMMetaFactory;
import org.apache.axiom.om.OMNamespace;
import org.apache.axiom.om.OMNode;
import org.apache.axiom.om.OMXMLBuilderFactory;
-import org.apache.axiom.om.impl.builder.StAXOMBuilder;
-import org.apache.axiom.soap.SOAP11Constants;
-import org.apache.axiom.soap.SOAP12Constants;
+import org.apache.axiom.om.OMXMLParserWrapper;
import org.apache.axiom.soap.SOAPEnvelope;
-import org.apache.axiom.soap.SOAPFactory;
import org.apache.axiom.soap.SOAPHeader;
import org.apache.axiom.soap.SOAPHeaderBlock;
import org.apache.axiom.soap.SOAPModelBuilder;
-import org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder;
import org.apache.rampart.handler.WSSHandlerConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.xml.security.utils.XMLUtils;
@@ -144,21 +139,9 @@ public class Axis2Util {
}
}
- // Check the namespace and find SOAP version and factory
- String nsURI = null;
- OMMetaFactory metaFactory = OMAbstractFactory.getMetaFactory(OMAbstractFactory.FEATURE_DOM);
- SOAPFactory factory;
- if (env.getNamespace().getNamespaceURI().equals(
- SOAP11Constants.SOAP_ENVELOPE_NAMESPACE_URI)) {
- nsURI = SOAP11Constants.SOAP_ENVELOPE_NAMESPACE_URI;
- factory = metaFactory.getSOAP11Factory();
- } else {
- nsURI = SOAP12Constants.SOAP_ENVELOPE_NAMESPACE_URI;
- factory = metaFactory.getSOAP12Factory();
- }
-
- StAXSOAPModelBuilder stAXSOAPModelBuilder = new StAXSOAPModelBuilder(
- env.getXMLStreamReader(), factory, nsURI);
+ SOAPModelBuilder stAXSOAPModelBuilder = OMXMLBuilderFactory.createStAXSOAPModelBuilder(
+ OMAbstractFactory.getMetaFactory(OMAbstractFactory.FEATURE_DOM),
+ env.getXMLStreamReader());
SOAPEnvelope envelope = (stAXSOAPModelBuilder)
.getSOAPEnvelope();
envelope.getParent().build();
@@ -256,7 +239,7 @@ public class Axis2Util {
header.addChild(child);
}
- element.detach();
+ headerBlocs.remove();
soapHeader.build();
@@ -337,7 +320,7 @@ public class Axis2Util {
* @return
*/
public static OMElement toDOOM(OMFactory factory, OMElement element){
- StAXOMBuilder builder = new StAXOMBuilder(factory, element.getXMLStreamReader());
+ OMXMLParserWrapper builder = OMXMLBuilderFactory.createStAXOMBuilder(factory, element.getXMLStreamReader());
OMElement elem = builder.getDocumentElement();
elem.build();
return elem;
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java?rev=1780817&r1=1780816&r2=1780817&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java Sun Jan 29 15:59:32 2017
@@ -29,6 +29,7 @@ import org.apache.axis2.client.Options;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.dataretrieval.DRConstants;
import org.apache.axis2.dataretrieval.client.MexClient;
+import org.apache.axis2.description.AxisService;
import org.apache.axis2.description.Parameter;
import org.apache.axis2.mex.MexConstants;
import org.apache.axis2.mex.MexException;
@@ -55,6 +56,7 @@ import org.apache.rampart.RampartMessage
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.policy.SupportingPolicyData;
import org.apache.rampart.policy.model.CryptoConfig;
+import org.apache.rampart.policy.model.KerberosConfig;
import org.apache.rampart.policy.model.RampartConfig;
import org.apache.ws.secpolicy.SPConstants;
import org.apache.ws.secpolicy.model.*;
@@ -75,6 +77,7 @@ import org.apache.ws.security.message.WS
import org.apache.ws.security.message.WSSecEncryptedKey;
import org.apache.ws.security.util.Loader;
import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.ws.security.validate.KerberosTokenDecoder;
import org.apache.xml.security.utils.Constants;
import org.jaxen.JaxenException;
import org.jaxen.XPath;
@@ -165,6 +168,64 @@ public class RampartUtil {
return cbHandler;
}
+ /**
+ * Instantiates any Kerberos token decoder implementation configured via {@link KerberosConfig#setKerberosTokenDecoderClass(String)}
+ * using the {@link AxisService#getClassLoader() class loader} of the specified message context's {@link MessageContext#getAxisService() service}.
+ *
+ * @param msgContext The current message context. Must not be null and must contain a valid service instance.
+ * @param kerberosConfig Rampart's Kerberos configuration.
+ *
+ * @return A new instance of {@link KerberosTokenDecoder} implementation configured via {@link KerberosConfig#setKerberosTokenDecoderClass(String)} or <code>null</code>
+ * if no Kerberos token decoder is configured.
+ * @throws RampartException If the class cannot be loaded or instantiated.
+ */
+ public static KerberosTokenDecoder getKerberosTokenDecoder(MessageContext msgContext, KerberosConfig kerberosConfig) throws RampartException {
+ if (kerberosConfig == null) {
+ throw new IllegalArgumentException("Kerberos config must not be null");
+ }
+ else if (msgContext == null) {
+ throw new IllegalArgumentException("Message context must not be null");
+ }
+
+ AxisService service = msgContext.getAxisService();
+ if (service == null) {
+ throw new IllegalArgumentException("No service available in message context: " + msgContext.getLogIDString());
+ }
+
+ KerberosTokenDecoder kerberosTokenDecoder;
+
+ String kerberosTokenDecoderClass = kerberosConfig.getKerberosTokenDecoderClass();
+ if (kerberosTokenDecoderClass == null) {
+ if (log.isDebugEnabled()) {
+ log.debug("No Kerberos token decoder class configured for service: " + service.getName());
+ }
+ return null;
+ }
+
+ if (log.isDebugEnabled()) {
+ log.debug(String.format("Loading Kerberos token decoder class '%s' using class loader of service '%s'", kerberosTokenDecoderClass, service.getName()));
+ }
+
+ ClassLoader classLoader = service.getClassLoader();
+ Class krbTokenDecoderClass;
+ try {
+ krbTokenDecoderClass = Loader.loadClass(classLoader, kerberosTokenDecoderClass);
+ }
+ catch (ClassNotFoundException e) {
+ throw new RampartException("cannotLoadKrbTokenDecoderClass",
+ new String[] { kerberosTokenDecoderClass }, e);
+ }
+
+ try {
+ kerberosTokenDecoder = (KerberosTokenDecoder) krbTokenDecoderClass.newInstance();
+ } catch (java.lang.Exception e) {
+ throw new RampartException("cannotCreateKrbTokenDecoderInstance",
+ new String[] { kerberosTokenDecoderClass }, e);
+ }
+
+ return kerberosTokenDecoder;
+ }
+
/**
* Returns an instance of PolicyValidatorCallbackHandler to be used to validate ws-security results.
*
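Review bot: `getKerberosTokenDecoder` instantiates whatever class the policy names before checking that it is a `KerberosTokenDecoder`: the cast happens after `newInstance()`, so a mistyped or hostile class name in the Rampart config runs that class's constructor with the service's class loader before the ClassCastException is caught and wrapped. Checking the type first also removes the raw `Class`: `Class<? extends KerberosTokenDecoder> krbTokenDecoderClass = Loader.loadClass(classLoader, kerberosTokenDecoderClass).asSubclass(KerberosTokenDecoder.class);` inside the first try, with `ClassCastException` caught next to `ClassNotFoundException` and mapped to the same "cannotLoadKrbTokenDecoderClass" error. `Class.newInstance()` additionally rethrows checked exceptions from the constructor unchanged and is deprecated from Java 9; `getDeclaredConstructor().newInstance()` is the replacement. Whether `Loader.loadClass` initialises the class (and so runs static initialisers) is not visible here.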
@@ -1472,7 +1533,12 @@ public class RampartUtil {
String encrKeyId = (String) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);
if (actInt == WSConstants.ENCR &&
encrKeyId != null) {
- return encrKeyId;
+ if (encrKeyId.length() > 0) {
+ return encrKeyId;
+ }
+ else if (log.isDebugEnabled()) {
+ log.debug("Found encryption security processing result with empty id, skipping it: " + wsSecEngineResult);
+ }
}
}
}
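Review bot: The new debug line logs the whole `wsSecEngineResult` through its `toString()`, and a WSS4J `WSSecurityEngineResult` can carry more than the id: depending on the action it may hold the decrypted key bytes and the processed token, so even at debug level this can write secret material into the log. Log the identifying fields instead, e.g. `log.debug("Found encryption security processing result with empty id, skipping it; action=" + actInt);`, and confirm the map's contents against the WSS4J version in use since they are not shown here. `encrKeyId.length() > 0` can also read `!encrKeyId.isEmpty()`. The enclosing method starts and ends outside this hunk.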
@@ -1897,4 +1963,85 @@ public class RampartUtil {
return SPConstants.ENCRYPT_BEFORE_SIGNING.equals(rpd.getProtectionOrder());
}
+ /**
+ * Check if the given SOAP fault reports a security fault.
+ *
+ * @param fault
+ * the SOAP fault; must not be <code>null</code>
+ * @return <code>true</code> if the fault is a security fault; <code>false</code> otherwise
+ */
+ public static boolean isSecurityFault(SOAPFault fault) {
+ String soapVersionURI = fault.getNamespaceURI();
+ SOAPFaultCode code = fault.getCode();
+ if (code == null) {
+ // If no fault code is given, then it can't be security fault
+ return false;
+ } else if (soapVersionURI.equals(SOAP11Constants.SOAP_ENVELOPE_NAMESPACE_URI)) {
+ return isSecurityFaultCode(code);
+ } else {
+ // For SOAP 1.2 security faults, the fault code is env:Sender, and the security fault code is
+ // specified in the subcode
+ SOAPFaultSubCode subCode = code.getSubCode();
+ return subCode == null ? false : isSecurityFaultCode(subCode);
+ }
+ }
+
+ private static boolean isSecurityFaultCode(SOAPFaultClassifier code) {
+ QName value = code.getValueAsQName();
+ return value == null ? false : value.getNamespaceURI().equals(WSConstants.WSSE_NS);
+ }
+
+ /**
+ * @param rpd Rampart policy data instance. Must not be null.
+ * @return A collection of all {@link UsernameToken} supporting token assertions in the specified Rampart policy instance. The method will check the following lists:
+ * <ul>
+ * <li>{@link RampartPolicyData#getSupportingTokensList()}</li>
+ * <li>{@link RampartPolicyData#getSignedSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getSignedEndorsingSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getEndorsingSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getEncryptedSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getSignedEncryptedSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getEndorsingEncryptedSupportingTokens()}</li>
+ * <li>{@link RampartPolicyData#getSignedEndorsingEncryptedSupportingTokens()}</li>
+ * </ul>
+ */
+ public static Collection<UsernameToken> getUsernameTokens(RampartPolicyData rpd) {
+ Collection<UsernameToken> usernameTokens = new ArrayList<UsernameToken>();
+
+ List<SupportingToken> supportingToks = rpd.getSupportingTokensList();
+ for (SupportingToken suppTok : supportingToks) {
+ usernameTokens.addAll(getUsernameTokens(suppTok));
+ }
+
+ usernameTokens.addAll(getUsernameTokens(rpd.getSignedSupportingTokens()));
+ usernameTokens.addAll(getUsernameTokens(rpd.getSignedEndorsingSupportingTokens()));
+ usernameTokens.addAll(getUsernameTokens(rpd.getEndorsingSupportingTokens()));
+ usernameTokens.addAll(getUsernameTokens(rpd.getEncryptedSupportingTokens()));
+ usernameTokens.addAll(getUsernameTokens(rpd.getSignedEncryptedSupportingTokens()));
+ usernameTokens.addAll(getUsernameTokens(rpd.getEndorsingEncryptedSupportingTokens()));
+ usernameTokens.addAll(getUsernameTokens(rpd.getSignedEndorsingEncryptedSupportingTokens()));
+
+ return usernameTokens;
+ }
+
+ /**
+ * @param suppTok The {@link SupportingToken} assertion to check for username tokens.
+ * @return A collection of all tokens in the specified <code>suppTok</code> SupportingToken assertion which are instances of {@link UsernameToken}.
+ * If the specified <code>suppTok</code> SupportingToken assertion is <code>null</code>, an empty collection will be returned.
+ */
+ public static Collection<UsernameToken> getUsernameTokens(SupportingToken suppTok) {
+
+ if (suppTok == null) {
+ return new ArrayList<UsernameToken>();
+ }
+
+ Collection<UsernameToken> usernameTokens = new ArrayList<UsernameToken>();
+ for (org.apache.ws.secpolicy.model.Token token : suppTok.getTokens()) {
+ if (token instanceof UsernameToken) {
+ usernameTokens.add((UsernameToken)token);
+ }
+ }
+
+ return usernameTokens;
+ }
}
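Review bot: `getUsernameTokens(RampartPolicyData)` iterates `rpd.getSupportingTokensList()` without a null check, while every other list it consults is covered by the null guard in the `SupportingToken` overload; if the supporting-tokens list can be null on a policy with no such assertions (its initialisation is not visible here), this throws a NullPointerException where the overloads return empty. Guard it the same way: `List<SupportingToken> supportingToks = rpd.getSupportingTokensList(); if (supportingToks != null) { for (SupportingToken suppTok : supportingToks) { usernameTokens.addAll(getUsernameTokens(suppTok)); } }`. In `isSecurityFault`, every fault whose envelope namespace is not SOAP 1.1 is treated as SOAP 1.2; that is fine for Axiom's two envelope versions but worth a comment so the `else` is not read as a catch-all.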
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/resources/org/apache/rampart/errors.properties
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/resources/org/apache/rampart/errors.properties?rev=1780817&r1=1780812&r2=1780817&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/resources/org/apache/rampart/errors.properties (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/resources/org/apache/rampart/errors.properties Sun Jan 29 15:59:32 2017
@@ -104,6 +104,8 @@ requiredElementsMissing = Required Eleme
repeatingNonceValue = Nonce value : {0}, already seen before for user name : {1}. Possibly this could be a replay attack.
invalidNonceLifeTime = Invalid value for nonceLifeTime in rampart configuration file.
invalidIssuerAddress = Invalid value for Issuer
+algorithmNotFound = Couldn't find the algorithm used
+invalidAlgorithm = Algorithm verification failed. Required Algorithm : {0}, Algorithm found {1}
invalidSignatureAlgo=Invalid signature algorithm for Asymmetric binding
invalidUsernameTokenType = Invalid UsernameToken Type.
@@ -112,4 +114,4 @@ invalidServicePrincipalNameForm = Invali
noKerberosConfigDefined = No kerberosConfig policy assertion defined in rampart config.
errorInBuildingKereberosToken = Error in building kereberos token.
cannotLoadKrbTokenDecoderClass = Cannot load Kerberos token decoder class: {0}
-cannotCreateKrbTokenDecoderInstance = Cannot create instance of Kerberos token decoder : {0}
\ No newline at end of file
+cannotCreateKrbTokenDecoderInstance = Cannot create instance of Kerberos token decoder : {0}