Posted to commits@cxf.apache.org by bu...@apache.org on 2021/02/19 10:55:27 UTC

[cxf-fediz] branch cxf340 updated (29d6b79 -> f249a5f)

This is an automated email from the ASF dual-hosted git repository.

buhhunyx pushed a change to branch cxf340
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git.


 discard 29d6b79  sync dependencies #2
 discard 7c36bd5  sync dependenciesSAMLEncryptedResponseTest
 discard 63133bb  Merge remote-tracking branch 'cxf-fediz/master' into cxf340
 discard 8218994  initial upgrade to CXF 3.4.0 & WSS4J 2.3.0
     add 92c3fad  fediz-core: extract duplicate code in SAMLProcessorImpl
     add 21e7063  Update htmlunit and junit
     new f249a5f  initial upgrade to CXF 3.4.2 & WSS4J 2.3.1

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (29d6b79)
            \
             N -- N -- N   refs/heads/cxf340 (f249a5f)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../fediz/core/processor/SAMLProcessorImpl.java    | 107 ++++++++-------------
 .../core/samlsso/SAMLEncryptedResponseTest.java    |  67 ++++---------
 2 files changed, 61 insertions(+), 113 deletions(-)


[cxf-fediz] 01/01: initial upgrade to CXF 3.4.2 & WSS4J 2.3.1

Posted by bu...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

buhhunyx pushed a commit to branch cxf340
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git

commit f249a5fde9452e609299dbe54152dd55e0fcb009
Author: Alexey Markevich <bu...@gmail.com>
AuthorDate: Wed Aug 26 09:55:50 2020 +0300

    initial upgrade to CXF 3.4.2 & WSS4J 2.3.1
---
 plugins/core/pom.xml                               | 31 ++++++++----------
 .../apache/cxf/fediz/core/config/FedizContext.java | 37 ++++++++++++----------
 .../core/processor/AbstractFedizProcessor.java     |  4 +--
 .../core/samlsso/SAMLSSOResponseValidator.java     |  7 ++--
 .../fediz/core/AbstractSAMLCallbackHandler.java    | 11 +++++--
 .../fediz/core/config/FedizConfigurationTest.java  |  7 ++--
 .../core/federation/FederationResponseTest.java    | 11 +++++--
 plugins/cxf/pom.xml                                |  6 ++++
 pom.xml                                            |  6 ++--
 .../protocols/TrustedIdpSAMLProtocolHandler.java   |  4 +--
 .../oidc/PrivateKeyPasswordProviderImpl.java       |  2 +-
 services/sts/src/main/resources/log4j.properties   |  4 +--
 12 files changed, 72 insertions(+), 58 deletions(-)

diff --git a/plugins/core/pom.xml b/plugins/core/pom.xml
index ad04a6d..8e0d119 100644
--- a/plugins/core/pom.xml
+++ b/plugins/core/pom.xml
@@ -33,12 +33,6 @@
     </properties>
     <dependencies>
         <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <version>${junit.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
             <groupId>org.apache.wss4j</groupId>
             <artifactId>wss4j-ws-security-dom</artifactId>
             <version>${wss4j.version}</version>
@@ -51,18 +45,6 @@
             </exclusions>
         </dependency>
         <dependency>
-            <groupId>net.sf.ehcache</groupId>
-            <artifactId>ehcache</artifactId>
-            <version>${ehcache.version}</version>
-            <scope>compile</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-jdk14</artifactId>
-            <version>${slf4j.version}</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
             <version>${slf4j.version}</version>
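Review bot: Dropping the explicit `net.sf.ehcache:ehcache` dependency here, while FedizContext in this same commit starts constructing EHCacheReplayCache directly, means the ehcache version on plugins/core's compile classpath is now whatever wss4j-ws-security-dom brings in transitively rather than the `${ehcache.version}` this module used to pin (plugins/cxf now pins it instead). If the parent's dependencyManagement does not manage ehcache, that is a silent version change for every consumer of the core plugin. Worth confirming with `mvn dependency:tree` before merging, or keeping the explicit `<dependency>` on ehcache in this module.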
@@ -73,12 +55,25 @@
             <version>${servlet.version}</version>
             <scope>provided</scope>
         </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>${junit.version}</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.easymock</groupId>
             <artifactId>easymock</artifactId>
             <version>${easymock.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-jdk14</artifactId>
+            <version>${slf4j.version}</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
     <build>
         <plugins>
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
index d23165a..131f331 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
@@ -24,6 +24,8 @@ import java.io.File;
 import java.io.IOException;
 import java.math.BigInteger;
 import java.net.URL;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -44,10 +46,11 @@ import org.apache.cxf.fediz.core.config.jaxb.TrustManagersType;
 import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuerType;
 import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuers;
 import org.apache.cxf.fediz.core.exception.IllegalConfigurationException;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
 import org.apache.cxf.fediz.core.processor.ClaimsProcessor;
 import org.apache.cxf.fediz.core.util.CertsUtils;
+import org.apache.wss4j.common.cache.EHCacheReplayCache;
 import org.apache.wss4j.common.cache.ReplayCache;
-import org.apache.wss4j.common.cache.ReplayCacheFactory;
 import org.apache.wss4j.common.crypto.CertificateStore;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoFactory;
@@ -239,26 +242,26 @@ public class FedizContext implements Closeable {
 
     }
 
-    public ReplayCache getTokenReplayCache() {
+    public ReplayCache getTokenReplayCache() throws ProcessingException {
         if (replayCache != null) {
             return replayCache;
         }
-        String replayCacheString = config.getTokenReplayCache();
-        String cacheKey = CACHE_KEY_PREFIX + "-" + config.getName();
-        ReplayCacheFactory replayCacheFactory = ReplayCacheFactory.newInstance();
-        if (replayCacheString == null || "".equals(replayCacheString)) {
-            replayCache = replayCacheFactory.newReplayCache(cacheKey, "/fediz-ehcache.xml");
-        } else {
-            try {
-                Class<?> replayCacheClass = Loader.loadClass(replayCacheString);
-                replayCache = (ReplayCache) replayCacheClass.newInstance();
-            } catch (ClassNotFoundException e) {
-                replayCache = replayCacheFactory.newReplayCache(cacheKey, "/fediz-ehcache.xml");
-            } catch (InstantiationException e) {
-                replayCache = replayCacheFactory.newReplayCache(cacheKey, "/fediz-ehcache.xml");
-            } catch (IllegalAccessException e) {
-                replayCache = replayCacheFactory.newReplayCache(cacheKey, "/fediz-ehcache.xml");
+        final String replayCacheString = config.getTokenReplayCache();
+        final String cacheKey = CACHE_KEY_PREFIX + '-' + config.getName();
+        try {
+            final Path diskstorePath = Files.createTempDirectory("fediz");
+            if (replayCacheString == null || "".equals(replayCacheString)) {
+                replayCache = new EHCacheReplayCache(cacheKey, diskstorePath);
+            } else {
+                try {
+                    Class<?> replayCacheClass = Loader.loadClass(replayCacheString);
+                    replayCache = (ReplayCache) replayCacheClass.newInstance();
+                } catch (ReflectiveOperationException e) {
+                    replayCache = new EHCacheReplayCache(cacheKey, diskstorePath);
+                }
             }
+        } catch (Exception e) {
+            throw new ProcessingException(e.getMessage(), e);
         }
         return replayCache;
     }
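Review bot: `Files.createTempDirectory("fediz")` on the line before the null check runs even when a custom `tokenReplayCache` class is configured and loads fine, so every such context leaves an empty fediz* directory behind that nothing removes; in the default case the directory holds the replay-cache disk store and is likewise never deleted, although the class implements Closeable (context line at the top of the hunk; close() is outside it). Drop the `diskstorePath` line and create the directory only where it is used, `replayCache = new EHCacheReplayCache(cacheKey, Files.createTempDirectory("fediz"));` in both branches, keeping the path in a field so close() can remove it. Separately, the ReflectiveOperationException branch still falls back to the default cache silently; an operator who configured a custom replay cache would want that failure logged (no logger is visible in this hunk) rather than found by inspection. `Class.newInstance()` has been deprecated since Java 9; `replayCacheClass.getDeclaredConstructor().newInstance()` funnels into the same catch.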
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
index 37a4a63..354408c 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
@@ -94,9 +94,7 @@ public abstract class AbstractFedizProcessor implements FedizProcessor {
             if (!config.getTokenReplayCache().contains(tokenId)) {
                 // not cached
                 if (expires != null) {
-                    Instant now = Instant.now();
-                    long ttl = expires.getEpochSecond() - now.getEpochSecond();
-                    config.getTokenReplayCache().add(tokenId, ttl);
+                    config.getTokenReplayCache().add(tokenId, expires);
                 } else {
                     config.getTokenReplayCache().add(tokenId);
                 }
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
index a027ffa..5e15ec9 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
@@ -19,7 +19,6 @@
 package org.apache.cxf.fediz.core.samlsso;
 
 import java.time.Instant;
-import java.util.Date;
 import java.util.List;
 
 import org.w3c.dom.Element;
@@ -228,10 +227,8 @@ public class SAMLSSOResponseValidator {
         // Need to keep bearer assertion IDs based on NotOnOrAfter to detect replay attacks
         if (postBinding && replayCache != null) {
             if (replayCache.contains(id)) {
-                Date expires = subjectConfData.getNotOnOrAfter().toDate();
-                Date currentTime = new Date();
-                long ttl = expires.getTime() - currentTime.getTime();
-                replayCache.add(id, ttl / 1000L);
+                Instant expires = subjectConfData.getNotOnOrAfter().toDate().toInstant();
+                replayCache.add(id, expires);
             } else {
                 LOG.debug("Replay attack with token id: " + id);
                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
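Review bot: The replay check reads inverted: the context line `if (replayCache.contains(id))` registers or refreshes the id when it is already cached and throws "Replay attack" only when the id has never been seen, which is the opposite of what the comment above the hunk describes — unless a caller is expected to have added the id before validation, which this hunk cannot show. If that is not the contract, the fix is `if (!replayCache.contains(id)) {`; if it is, a comment such as `// id was already registered by the caller's replay check; refresh its expiry here` would stop the next reader from "fixing" it. Either way the `expires` value computed on the new line is only used in the branch that accepts an already-cached id. The enclosing method continues outside the hunk.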
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
index 7fc9ece..f7b4a2b 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
@@ -28,6 +28,8 @@ import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.security.auth.callback.CallbackHandler;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -47,6 +49,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.wss4j.common.saml.bean.SubjectBean;
 import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
 import org.apache.wss4j.common.saml.bean.SubjectLocalityBean;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.message.WSSecEncryptedKey;
 
@@ -422,8 +425,12 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
             WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
             encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
             encrKey.setUseThisCert(certs[0]);
-            encrKey.prepare(null);
-            ephemeralKey = encrKey.getEphemeralKey();
+
+            KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+            SecretKey symmetricKey = keyGen.generateKey();
+
+            encrKey.prepare(null, symmetricKey);
+            ephemeralKey = symmetricKey.getEncoded();
             Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
 
             // Append the EncryptedKey to a KeyInfo element
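Review bot: The key size is fixed to `WSConstants.AES_128` on the `KeyUtils.getKeyGenerator` line, while the symmetric algorithm that later encrypts with `ephemeralKey` is outside this hunk; before this change `WSSecEncryptedKey` generated a key matching its own settings, so the two are now coupled only by convention. A comment on that line, `// key size must match the symmetric algorithm later used with ephemeralKey`, or deriving the generator from that algorithm the way FederationResponseTest does with `builder.getSymmetricEncAlgorithm()`, would keep them from drifting. This is test fixture code; the enclosing method continues outside the hunk.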
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationTest.java
index 9fbaa06..cc72508 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationTest.java
@@ -49,6 +49,7 @@ import org.apache.cxf.fediz.core.config.jaxb.TrustManagersType;
 import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuerType;
 import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuers;
 import org.apache.cxf.fediz.core.config.jaxb.ValidationType;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
 import org.apache.cxf.fediz.core.processor.ClaimsProcessor;
 import org.apache.wss4j.common.cache.EHCacheReplayCache;
 import org.apache.wss4j.common.cache.MemoryReplayCache;
@@ -350,7 +351,7 @@ public class FedizConfigurationTest {
     }
 
     @org.junit.Test
-    public void testTokenReplayCacheFederation() throws JAXBException, IOException {
+    public void testTokenReplayCacheFederation() throws Exception {
         FedizConfig config = createConfiguration(true);
 
         // Test the default TokenReplayCache
@@ -375,7 +376,7 @@ public class FedizConfigurationTest {
     }
 
     @org.junit.Test
-    public void testTokenReplayCacheSAML() throws JAXBException, IOException {
+    public void testTokenReplayCacheSAML() throws Exception {
         FedizConfig config = createConfiguration(false);
 
         // Test the default TokenReplayCache
@@ -400,7 +401,7 @@ public class FedizConfigurationTest {
     }
 
     private ReplayCache parseConfigAndReturnTokenReplayCache(FedizConfig config)
-        throws JAXBException {
+        throws JAXBException, ProcessingException {
         final JAXBContext jaxbContext = JAXBContext.newInstance(FedizConfig.class);
 
         StringWriter writer = new StringWriter();
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java
index b013ac6..abdc062 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java
@@ -28,6 +28,8 @@ import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.List;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
 
@@ -77,6 +79,7 @@ import org.apache.wss4j.common.saml.bean.ConditionsBean;
 import org.apache.wss4j.common.saml.builder.SAML1Constants;
 import org.apache.wss4j.common.saml.builder.SAML2Constants;
 import org.apache.wss4j.common.util.DOM2Writer;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.message.WSSecEncrypt;
@@ -1757,8 +1760,12 @@ public class FederationResponseTest {
         encryptionPart.setElement(token);
 
         Crypto encrCrypto = CryptoFactory.getInstance("signature.properties");
-        builder.prepare(encrCrypto);
-        builder.encryptForRef(null, Collections.singletonList(encryptionPart));
+
+        KeyGenerator keyGen = KeyUtils.getKeyGenerator(builder.getSymmetricEncAlgorithm());
+        SecretKey symmetricKey = keyGen.generateKey();
+
+        builder.prepare(encrCrypto, symmetricKey);
+        builder.encryptForRef(null, Collections.singletonList(encryptionPart), symmetricKey);
 
         // return doc.getDocumentElement();
         return DOM2Writer.nodeToString(doc);
diff --git a/plugins/cxf/pom.xml b/plugins/cxf/pom.xml
index c5171aa..9d7239c 100644
--- a/plugins/cxf/pom.xml
+++ b/plugins/cxf/pom.xml
@@ -39,6 +39,12 @@
             <scope>compile</scope>
         </dependency>
         <dependency>
+            <groupId>net.sf.ehcache</groupId>
+            <artifactId>ehcache</artifactId>
+            <version>${ehcache.version}</version>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
             <groupId>javax.servlet</groupId>
             <artifactId>javax.servlet-api</artifactId>
             <version>${servlet.version}</version>
diff --git a/pom.xml b/pom.xml
index 52f6525..21cccd6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -43,7 +43,7 @@
         <commons.logging.version>1.2</commons.logging.version>
         <commons.text.version>1.9</commons.text.version>
         <commons.validator.version>1.7</commons.validator.version>
-        <cxf.version>3.3.9</cxf.version>
+        <cxf.version>3.4.2</cxf.version>
         <cxf.build-utils.version>3.4.4</cxf.build-utils.version>
         <easymock.version>4.0.2</easymock.version>
         <ehcache.version>2.10.6</ehcache.version>
@@ -51,7 +51,7 @@
         <jcache.version>1.0.0</jcache.version>
         <hsqldb.version>2.5.1</hsqldb.version>
         <htmlunit.version>2.47.1</htmlunit.version>
-        <jackson.version>2.10.5</jackson.version>
+        <jackson.version>2.11.4</jackson.version>
         <jaxb.version>2.3.2</jaxb.version>
         <jetty9.version>9.4.36.v20210114</jetty9.version>
         <junit.version>4.13.2</junit.version>
@@ -66,7 +66,7 @@
         <spring-webflow.version>2.5.1.RELEASE</spring-webflow.version>
         <tomcat.version>9.0.43</tomcat.version>
         <validation-api.version>2.0.2</validation-api.version>
-        <wss4j.version>2.2.6</wss4j.version>
+        <wss4j.version>2.3.1</wss4j.version>
 
         <tomcat.url>http://localhost:8080/manager/text</tomcat.url>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
index bc6c417..0fc37a6 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
@@ -389,7 +389,7 @@ public class TrustedIdpSAMLProtocolHandler extends AbstractTrustedIdpProtocolHan
             }
 
             return ssoResponseValidator.validateSamlResponse(samlResponse, post);
-        } catch (WSSecurityException ex) {
+        } catch (Exception ex) {
             LOG.debug(ex.getMessage(), ex);
             throw ExceptionUtils.toBadRequestException(ex, null);
         }
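Review bot: `catch (Exception ex)` on the changed line now turns any RuntimeException raised inside validateSamlResponse — a NullPointerException from a malformed response, an IllegalStateException from the cache — into a 400 for the client and records it only at DEBUG, so server-side faults become indistinguishable from bad input in both the response and the log. The widening was presumably needed because getReplayCache() now declares ReflectiveOperationException (next hunk); catch only what is actually thrown, `catch (WSSecurityException | ReflectiveOperationException ex)`, and leave the original failure mode for everything else. The enclosing method starts before this hunk.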
@@ -399,7 +399,7 @@ public class TrustedIdpSAMLProtocolHandler extends AbstractTrustedIdpProtocolHan
         this.replayCache = replayCache;
     }
 
-    public TokenReplayCache<String> getReplayCache() {
+    public TokenReplayCache<String> getReplayCache() throws IllegalAccessException, ReflectiveOperationException {
         if (replayCache == null) {
             replayCache = new EHCacheTokenReplayCache();
         }
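Review bot: The throws clause on the changed signature lists both IllegalAccessException and ReflectiveOperationException, but the former is a subclass of the latter, so `throws ReflectiveOperationException` says the same thing without the redundancy. What the EHCacheTokenReplayCache constructor actually throws is not visible here; declare the narrowest type it really throws so callers are not forced into a broad catch. The method's return statement lies outside the hunk.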
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/PrivateKeyPasswordProviderImpl.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/PrivateKeyPasswordProviderImpl.java
index 9ad8a2d..51ca53d 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/PrivateKeyPasswordProviderImpl.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/PrivateKeyPasswordProviderImpl.java
@@ -20,7 +20,7 @@ package org.apache.cxf.fediz.service.oidc;
 
 import java.util.Properties;
 
-import org.apache.cxf.rs.security.jose.common.PrivateKeyPasswordProvider;
+import org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider;
 
 public class PrivateKeyPasswordProviderImpl implements PrivateKeyPasswordProvider {
 
diff --git a/services/sts/src/main/resources/log4j.properties b/services/sts/src/main/resources/log4j.properties
index 3c00256..87a741b 100644
--- a/services/sts/src/main/resources/log4j.properties
+++ b/services/sts/src/main/resources/log4j.properties
@@ -28,5 +28,5 @@ log4j.appender.AUDIT.File=${catalina.base}/logs/audit.log
 log4j.appender.AUDIT.DatePattern='.'yyyy-MM-dd
 log4j.appender.AUDIT.Append=true
 log4j.appender.AUDIT.Threshold=DEBUG
-log4j.appender.AUDIT.layout=org.apache.cxf.sts.event.LoggerPatternLayoutLog4J
-log4j.appender.AUDIT.layout.ConversionPattern=%m%n
+log4j.appender.AUDIT.layout=org.apache.log4j.PatternLayout
+log4j.appender.AUDIT.layout.ConversionPattern=%d [%t] %-5p %c %x - %m%n
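Review bot: The AUDIT appender's record format changes on the ConversionPattern line from bare `%m%n` to a timestamped, thread/level/category-prefixed line, so anything that ingests the `audit.log` named in the context line above will need its parser updated. Presumably the CXF-specific LoggerPatternLayoutLog4J it replaces is no longer available in CXF 3.4, but the commit does not say so. A comment above the layout line, `# CXF 3.4: LoggerPatternLayoutLog4J no longer available; audit records are now plain PatternLayout lines`, would record the reason and keep the next upgrade from reverting it.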