Posted to wss4j-dev@ws.apache.org by ru...@apache.org on 2008/01/17 02:15:58 UTC
svn commit: r612671 - in
/webservices/wss4j/trunk/src/org/apache/ws/security: ./ action/ handler/
message/ message/token/ processor/
Author: ruchithf
Date: Wed Jan 16 17:15:40 2008
New Revision: 612671
URL: http://svn.apache.org/viewvc?rev=612671&view=rev
Log:
Fixed WSS-68, thanks Marcel Ammerlaan for the patch
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java
webservices/wss4j/trunk/src/org/apache/ws/security/WSPasswordCallback.java
webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenAction.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java?rev=612671&r1=612670&r2=612671&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java Wed Jan 16 17:15:40 2008
@@ -177,6 +177,15 @@
* The password type URI used in the username token
*/
public static final String PASSWORD_TEXT = USERNAMETOKEN_NS + "#PasswordText";
+
+ /**
+ * Sets the {@link org.apache.ws.security.message.WSSAddUsernameToken#build(Document, String, String) UserNameToken}
+ * method to send _no_ password related information.
+ * <p/>
+ * This is a required method as defined by WS Specification, Username token profile as passwords are optional.
+ * Also see the WS-I documentation for scenario's using this feature in a trust environment.
+ */
+ public static final String PW_NONE = "PasswordNone";
/**
* Sets the {@link org.apache.ws.security.message.WSEncryptBody#build(Document, Crypto) encryption}
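Review bot: The Javadoc on `PW_NONE` should state the security consequence of the setting, not only that the spec permits it: a UsernameToken sent with this type carries no password at all, so it asserts an identity without authenticating it, and the receiver must establish trust by other means. I would add `A token built with this type asserts a username but does not authenticate it; the receiver must rely on a signature over the token or on an authenticated transport before trusting the identity.` The `{@link ...WSSAddUsernameToken#build(Document, String, String)}` reference appears to point at a class that this commit does not touch (the action uses `WSSecUsernameToken`), so the link should be confirmed to resolve. Also `scenario's` should read `scenarios`.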
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSPasswordCallback.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/WSPasswordCallback.java?rev=612671&r1=612670&r2=612671&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSPasswordCallback.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSPasswordCallback.java Wed Jan 16 17:15:40 2008
@@ -75,7 +75,7 @@
public final static int SECURITY_CONTEXT_TOKEN = 6;
public final static int CUSTOM_TOKEN = 7;
public final static int ENCRYPTED_KEY_TOKEN = 8;
-
+
private String identifier;
private String password;
private byte[] key;
@@ -113,6 +113,19 @@
*/
public String getIdentifer() {
return identifier;
+ }
+
+ /**
+ * Extended callback interface allows for setting the username as well.
+ * Callback functions can change the identifier, this is intended in the usernametoken scenario
+ * where the usernametoken denotes the identity, but a fixed identity for signing is used
+ * The initial value is that from the configuration file. If this method is not called, the
+ * configured identity is used.
+ *
+ * @param ident The identity.
+ */
+ public void setIdentifier(String ident) {
+ this.identifier = ident;
}
/**
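Review bot: The new `setIdentifier` accepts a null or empty identity without comment, and the value it stores is what `UsernameTokenAction` now writes verbatim as the token's username; a callback that clears it produces a UsernameToken with no meaningful subject. A one-line guard would fail early: `if (ident == null || ident.length() == 0) throw new IllegalArgumentException("identifier must not be null or empty");`. Note also that the existing getter is spelled `getIdentifer()` while the new setter is `setIdentifier`, so the pair is asymmetric for callers reading both; the Javadoc should at least mention the getter by its actual name. The Javadoc sentence `Callback functions can change the identifier, this is intended ...` should be split into two sentences.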
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenAction.java?rev=612671&r1=612670&r2=612671&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenAction.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenAction.java Wed Jan 16 17:15:40 2008
@@ -17,6 +17,8 @@
package org.apache.ws.security.action;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandler;
@@ -27,18 +29,20 @@
public class UsernameTokenAction implements Action {
public void execute(WSHandler handler, int actionToDo, Document doc, RequestData reqData)
throws WSSecurityException {
- String password;
- password =
- handler.getPassword(reqData.getUsername(),
+
+ // Always call the callback for the username. We mis-use the configured password callback class and callback methods for this.
+ String providedUsername = reqData.getUsername();
+ WSPasswordCallback callbackData = handler.getPassword(reqData.getUsername(),
actionToDo,
WSHandlerConstants.PW_CALLBACK_CLASS,
- WSHandlerConstants.PW_CALLBACK_REF, reqData)
- .getPassword();
+ WSHandlerConstants.PW_CALLBACK_REF, reqData);
+ providedUsername = callbackData.getIdentifer();
+ String password = callbackData.getPassword();
WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setWsConfig(reqData.getWssConfig());
builder.setPasswordType(reqData.getPwType());
- builder.setUserInfo(reqData.getUsername(), password);
+ builder.setUserInfo(providedUsername, password);
if (reqData.getUtElements() != null && reqData.getUtElements().length > 0) {
for (int j = 0; j < reqData.getUtElements().length; j++) {
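Review bot: After the callback returns, neither `providedUsername` nor `password` is checked before being handed to the builder, and since this commit removes the null-password check from `WSHandler.getPassword`, a callback that forgets to set a password for a digest or text token now surfaces later as an `IllegalArgumentException` from `UsernameToken.setPassword` instead of a `WSSecurityException`; a callback that nulls the identifier is not caught at all. The assignment `String providedUsername = reqData.getUsername();` is also dead, since the value is overwritten on the next statement. I would validate both values right after the callback, using the configured password type to decide whether a missing password is acceptable. The `execute` method continues past this hunk.
```java
String providedUsername = callbackData.getIdentifer();
String password = callbackData.getPassword();
// The callback may replace the identity; it must not erase it.
if (providedUsername == null || providedUsername.length() == 0) {
    throw new WSSecurityException(
        "UsernameTokenAction: callback provided no username");
}
// Only a passwordless token (pwType == null) may go without a password.
if (password == null && reqData.getPwType() != null) {
    throw new WSSecurityException(
        "UsernameTokenAction: callback provided no password for password type "
        + reqData.getPwType());
}
// … unchanged: builder setup and UT element handling …
```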
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java?rev=612671&r1=612670&r2=612671&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java Wed Jan 16 17:15:40 2008
@@ -1,6 +1,7 @@
package org.apache.ws.security.handler;
import org.apache.ws.security.SOAPConstants;
+import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.WSSecHeader;
@@ -19,7 +20,7 @@
private SOAPConstants soapConstants = null;
private String actor = null;
private String username = null;
- private String pwType = null;
+ private String pwType = WSConstants.PASSWORD_DIGEST; // Make this the default when no password type is given.
private String[] utElements = null;
private Crypto sigCrypto = null;
private Crypto decCrypto = null;
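Review bot: The comment on the new `pwType` initializer should record that null is now a meaningful value rather than "unset": `WSHandler` stores null for `PW_NONE` and `WSSecUsernameToken` reads it as "no password", whereas before this commit the builder itself turned null into a digest. I would write `// Defaults to digest. WSHandler sets this to null for PW_NONE, which the builders treat as "send no password" — do not reinstate a null-means-digest fallback.` Whether other code constructs `RequestData` without going through `WSHandler` is not visible here; if it does, it will now get a digest token where it previously also got a digest, so the default is behaviour-preserving for that path.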
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java?rev=612671&r1=612670&r2=612671&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java Wed Jan 16 17:15:40 2008
@@ -51,10 +51,11 @@
/**
* Extracted from WSDoAllReceiver and WSDoAllSender
- *
+ * Extended to all passwordless UsernameTokens and configurable identities.
*
* @author Davanum Srinivas (dims@yahoo.com).
* @author Werner Dittmann (Werner.Dittmann@t-online.de).
+ * @author Marcel Ammerlaan (marcel.ammerlaan@gmail.com).
*/
public abstract class WSHandler {
public static String DONE = "done";
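Review bot: The new class Javadoc line reads `Extended to all passwordless UsernameTokens and configurable identities.`, which appears to be a typo for `Extended to allow passwordless UsernameTokens and configurable identities.`. It would also help a reader to say that "configurable identities" refers to the callback's ability to override the username via `WSPasswordCallback.setIdentifier`.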
@@ -430,11 +431,17 @@
Object mc = reqData.getMsgContext();
String type = getString(WSHandlerConstants.PASSWORD_TYPE, mc);
- reqData.setPwType(type);
if (type != null) {
- reqData.setPwType(type.equals(WSConstants.PW_TEXT)
- ? WSConstants.PASSWORD_TEXT
- : WSConstants.PASSWORD_DIGEST);
+ if(WSConstants.PW_TEXT.equals(type)) {
+ reqData.setPwType(WSConstants.PASSWORD_TEXT);
+ } else if(WSConstants.PW_DIGEST.equals(type)) {
+ reqData.setPwType(WSConstants.PASSWORD_DIGEST);
+ } else if(WSConstants.PW_NONE.equals(type)) {
+ // No password requested.
+ reqData.setPwType(null);
+ } else {
+ throw new WSSecurityException("Unknown password type encoding: " + type);
+ }
}
String add = getString(WSHandlerConstants.ADD_UT_ELEMENTS, mc);
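Review bot: The new rejection of an unknown password type is the right fail-closed behaviour, but its message drops the `WSHandler: ` prefix that every other `WSSecurityException` in this class carries (the timestampStrict, callback-class and application-password errors all use it); I would make it `throw new WSSecurityException("WSHandler: unknown password type encoding: " + type);`. The `PW_NONE` branch comment should also say what the null means downstream, e.g. `// PW_NONE: send a UsernameToken with no password element; the identity is not authenticated by the token itself.` The enclosing method starts before this hunk.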
@@ -604,8 +611,7 @@
throw new WSSecurityException(
"WSHandler: illegal timestampStrict parameter");
}
-
-
+
/**
* Get a password to construct a UsernameToken or sign a message.
* <p/>
@@ -620,25 +626,19 @@
WSPasswordCallback pwCb = null;
String password = null;
CallbackHandler cbHandler = null;
- String err = "provided null or empty password";
- Object mc = reqData.getMsgContext();
+ String err = "provided null or empty password";
+ Object mc = reqData.getMsgContext();
String callback = getString(clsProp, mc);
if (callback != null) { // we have a password callback class
pwCb = readPwViaCallbackClass(callback, username, doAction, reqData);
- if ((pwCb.getPassword() == null) && (pwCb.getKey() == null)) {
- throw new WSSecurityException("WSHandler: password callback class "
- +err);
- }
- } else if ((cbHandler = (CallbackHandler) getProperty(mc, refProp))
- != null) {
+ // Null passwords are not always a problem: if the callback was called to provide a username instead.
+ } else if ((cbHandler = (CallbackHandler) getProperty(mc, refProp)) != null) {
pwCb = performCallback(cbHandler, username, doAction);
- if ((pwCb.getPassword() == null) && (pwCb.getKey() == null)) {
- throw new WSSecurityException("WSHandler: password callback "
- +err);
- }
} else if ((password = getPassword(mc)) == null) {
- throw new WSSecurityException("WSHandler: application "+err);
+ // TODO: hmm. does this also need changed for username processing?
+ throw new WSSecurityException("WSHandler: application " + err);
} else {
+ // TODO: hmm. does this also need changed for username processing?
setPassword(mc, null);
pwCb = new WSPasswordCallback("", WSPasswordCallback.UNKNOWN);
pwCb.setPassword(password);
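Review bot: Removing the null-password/null-key check from both callback branches weakens `getPassword` for every caller, not only the UsernameToken action: the method's own Javadoc says it is used "to construct a UsernameToken or sign a message", so a callback that returns neither password nor key for a signing or decryption action now passes silently and fails somewhere less informative, or not at all, instead of with the previous `WSSecurityException`. The check should be kept and relaxed only for the case this commit introduces, which from the visible code is identifiable by `reqData.getPwType()` being null (the value `WSHandler` stores for `PW_NONE`); keying the exemption on the UsernameToken action code instead would be tighter, but that constant is not visible in this hunk. The two `TODO: hmm.` comments on the application-password branches are left as open questions in committed code and should either be resolved or reworded to state the actual limitation. The `getPassword` method continues past this hunk.
```java
pwCb = readPwViaCallbackClass(callback, username, doAction, reqData);
// A null password is legitimate only for a passwordless (PW_NONE) UsernameToken;
// for every other action a callback returning neither password nor key is a fault.
if (pwCb.getPassword() == null && pwCb.getKey() == null
        && reqData.getPwType() != null) {
    throw new WSSecurityException("WSHandler: password callback class " + err);
}
} else if ((cbHandler = (CallbackHandler) getProperty(mc, refProp)) != null) {
pwCb = performCallback(cbHandler, username, doAction);
if (pwCb.getPassword() == null && pwCb.getKey() == null
        && reqData.getPwType() != null) {
    throw new WSSecurityException("WSHandler: password callback " + err);
}
// … unchanged: application-password branches …
```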
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java?rev=612671&r1=612670&r2=612671&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java Wed Jan 16 17:15:40 2008
@@ -63,14 +63,10 @@
* contains the password type. Only allowed values are
* {@link WSConstants#PASSWORD_DIGEST} and
* {@link WSConstants#PASSWORD_TEXT}.
+ * or null when no password is needed.
*/
public void setPasswordType(String pwType) {
- if (pwType == null) {
- passwordType = WSConstants.PASSWORD_DIGEST;
- } else if (pwType.equals(WSConstants.PASSWORD_DIGEST)
- || pwType.equals(WSConstants.PASSWORD_TEXT)) {
- passwordType = pwType;
- }
+ this.passwordType = pwType;
}
/**
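Review bot: The rewritten `setPasswordType` now stores any string, so the Javadoc's "Only allowed values are ..." is no longer enforced and a caller of the builder API who bypasses `WSHandler` (which is the only place this commit validates the value) can push an arbitrary password type through to the token. Accepting null is the intended new case, but unknown values should still be rejected rather than silently forwarded. I would keep the whitelist and fail loudly on anything else, matching the fail-closed behaviour `WSHandler` now has.
```java
public void setPasswordType(String pwType) {
    if (pwType == null
            || WSConstants.PASSWORD_DIGEST.equals(pwType)
            || WSConstants.PASSWORD_TEXT.equals(pwType)) {
        this.passwordType = pwType;
    } else {
        throw new IllegalArgumentException(
            "Unsupported password type: " + pwType);
    }
}
```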
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java?rev=612671&r1=612670&r2=612671&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java Wed Jan 16 17:15:40 2008
@@ -45,6 +45,7 @@
* UsernameToken according to WS Security specifications, UsernameToken profile.
*
* Enhanced to support digest password type for username token signature
+ * Enhanced to support passwordless usernametokens as allowed by spec.
*
* @author Davanum Srinivas (dims@yahoo.com)
* @author Werner Dittmann (Werner.Dittmann@t-online.de)
@@ -168,7 +169,8 @@
* @param pwType
* the required password encoding, either
* {@link WSConstants#PASSWORD_DIGEST} or
- * {@link WSConstants#PASSWORD_TEXT} or <code>null</code> if no
+ * {@link WSConstants#PASSWORD_TEXT} or
+ * {@link WSConstants#PASSWORD_NONE} <code>null</code> if no
* password required
*/
public UsernameToken(boolean milliseconds, Document doc, String pwType) {
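Review bot: The new Javadoc references `{@link WSConstants#PASSWORD_NONE}`, which does not exist; the constant this commit adds is `WSConstants.PW_NONE`, and that is a handler configuration string rather than a password type URI — the value this constructor actually receives for the passwordless case is null. The sentence is also missing an "or" before `<code>null</code>`. I would write `{@link WSConstants#PASSWORD_TEXT}, or <code>null</code> if no password is required (the handler maps {@link WSConstants#PW_NONE} to null)`. The constructor body lies outside this hunk.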
@@ -399,8 +401,14 @@
*/
public void setPassword(String pwd) {
if (pwd == null) {
- throw new IllegalArgumentException("pwd == null");
+ if(this.passwordType != null) {
+ throw new IllegalArgumentException("pwd == null but a password is needed");
+ } else {
+ // Ignore setting the password.
+ return;
+ }
}
+
raw_password = pwd; // enhancement by Alberto coletti
Text node = getFirstNode(this.elementPassword);
try {
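Review bot: The new null branch only covers `pwd == null`; when `passwordType` is null but a non-null password is passed, control falls through to `getFirstNode(this.elementPassword)`, and for a token constructed without a password type the password element may never have been created (the constructor's Javadoc says null means "no password required"; its body is not visible here, so this needs confirming). If that is so, the call risks a NullPointerException rather than a clear error. I would decide on `passwordType` first and then validate `pwd`; silently returning hides a misconfiguration, so throwing `IllegalArgumentException` when a password is supplied to a passwordless token is also defensible. The rest of the method lies outside this hunk.
```java
public void setPassword(String pwd) {
    if (this.passwordType == null) {
        // Passwordless token: there is no wsse:Password element to fill.
        return;
    }
    if (pwd == null) {
        throw new IllegalArgumentException("pwd == null but a password is needed");
    }
    // … unchanged: raw_password assignment and element update …
```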
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java?rev=612671&r1=612670&r2=612671&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java Wed Jan 16 17:15:40 2008
@@ -33,8 +33,6 @@
import org.apache.ws.security.util.Base64;
import org.w3c.dom.Element;
-import sun.security.x509.KeyIdentifier;
-
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;