
svn commit: r1683563 - in /webservices/wss4j/trunk: ws-security-common/src/main/java/org/apache/wss4j/common/token/BinarySecurity.java ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java

Author: coheigea
Date: Thu Jun  4 14:41:59 2015
New Revision: 1683563

URL: http://svn.apache.org/r1683563
Log:
If a BinarySecurityToken is xop:Include + is signed, then expand it

Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/token/BinarySecurity.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/token/BinarySecurity.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/token/BinarySecurity.java?rev=1683563&r1=1683562&r2=1683563&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/token/BinarySecurity.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/token/BinarySecurity.java Thu Jun  4 14:41:59 2015
@@ -216,6 +216,17 @@ public class BinarySecurity {
     public void setRawToken(byte[] data) {
         this.data = Arrays.copyOf(data, data.length);
     }
+    
+    /**
+     * BASE64-Encode the raw token bytes + store them in a text child node.
+     */
+    public void encodeRawToken() {
+        if (data == null) {
+            throw new IllegalArgumentException("data == null");
+        }
+        Text node = getFirstNode();
+        node.setData(Base64.encode(data));
+    }
 
     /**
      * return the first text node.
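Review bot: `encodeRawToken()` dereferences the result of `getFirstNode()` without a null check, yet the only caller added in this commit invokes it on a BinarySecurityToken whose content is an `xop:Include` element rather than Base64 text; if, as the doc comment "return the first text node" suggests, that helper yields null when the element has no text child, this throws a NullPointerException instead of expanding the token. A guard that creates the text node on demand keeps the new path robust, as sketched below. Separately, `data == null` describes the object's state rather than a bad argument, so `IllegalStateException` would be the more accurate type to throw on L33, though callers catching `RuntimeException` would not notice either way. Whether the leftover `xop:Include` child still affects the canonicalized octets after the text is written in cannot be told from this hunk and deserves a comment or a test.

```java
        Text node = getFirstNode();
        if (node == null) {
            // xop:Include-optimised BSTs carry no text child; create one to hold the Base64 data
            node = element.getOwnerDocument().createTextNode("");
            element.appendChild(node);
        }
        node.setData(Base64.encode(data));
```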

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java?rev=1683563&r1=1683562&r2=1683563&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java Thu Jun  4 14:41:59 2015
@@ -30,6 +30,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
+import java.util.Map;
 
 import javax.xml.crypto.Data;
 import javax.xml.crypto.MarshalException;
@@ -63,6 +64,7 @@ import org.apache.wss4j.common.ext.WSSec
 import org.apache.wss4j.common.principal.PublicKeyPrincipalImpl;
 import org.apache.wss4j.common.principal.UsernameTokenPrincipal;
 import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
+import org.apache.wss4j.common.token.BinarySecurity;
 import org.apache.wss4j.common.token.SecurityTokenReference;
 import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.common.util.XMLUtils;
@@ -472,6 +474,39 @@ public class SignatureProcessor implemen
             Element element = callbackLookup.getAndRegisterElement(uri, null, true, context);
             if (element == null) {
                 wsDocInfo.setTokenOnContext(uri, context);
+            } else if ("BinarySecurityToken".equals(element.getLocalName())
+                && WSConstants.WSSE_NS.equals(element.getNamespaceURI())
+                && isXopInclude(element)) {
+                // We don't write out the xop:Include bytes into the BinarySecurityToken by default
+                // But if the BST is signed, then we have to, or else Signature validation fails...
+                handleXopInclude(element, wsDocInfo);
+            }
+        }
+    }
+    
+    private boolean isXopInclude(Element element) {
+        Element elementChild =
+            XMLUtils.getDirectChildElement(element, "Include", WSConstants.XOP_NS);
+        if (elementChild != null && elementChild.hasAttributeNS(null, "href")) {
+            String xopUri = elementChild.getAttributeNS(null, "href");
+            if (xopUri != null && xopUri.startsWith("cid:")) {
+                return true;
+            }
+        }
+        return false;
+    }
+    
+    private void handleXopInclude(Element element, WSDocInfo wsDocInfo) {
+        Map<Integer, List<WSSecurityEngineResult>> actionResults = wsDocInfo.getActionResults();
+        if (actionResults != null && actionResults.containsKey(WSConstants.BST)) {
+            for (WSSecurityEngineResult result : actionResults.get(WSConstants.BST)) {
+                Element token = (Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+                if (element.equals(token)) {
+                    BinarySecurity binarySecurity = 
+                        (BinarySecurity)result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                    binarySecurity.encodeRawToken();
+                    return;
+                }
             }
         }
     }
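Review bot: `handleXopInclude` casts and dereferences the `TAG_BINARY_SECURITY_TOKEN` result on L95-L97 without a null check, and when no BST result matches `element` it silently does nothing, so a signed `xop:Include` BST that has not yet been processed (presumably one that follows the Signature in the header) would still fail validation with no indication why. Suggest `if (binarySecurity != null) { binarySecurity.encodeRawToken(); }` on L97 and a comment after the loop such as `// No processed BST matched: nothing to expand, signature validation will fail on this reference` so the fallback is explicit. Note also that this expands the token in place before the signature is verified; it is worth a comment on L70 stating that the bytes written back are the ones the BST processor already resolved from the attachment, since that is what the digest is then computed over. The method containing L64-L75 starts outside this hunk.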