Posted to java-dev@axis.apache.org by ru...@apache.org on 2006/09/14 22:38:21 UTC
svn commit: r443459 - in
/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart:
MessageBuilder.java builder/BindingBuilder.java
builder/SymmetricBindingBuilder.java errors.properties
Author: ruchithf
Date: Thu Sep 14 13:38:20 2006
New Revision: 443459
URL: http://svn.apache.org/viewvc?view=rev&rev=443459
Log:
Completed client side encryptBeforeSignature processing of SymmetricBinding.
Modified:
webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/MessageBuilder.java
webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/BindingBuilder.java
webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/SymmetricBindingBuilder.java
webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties
Modified: webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/MessageBuilder.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/MessageBuilder.java?view=diff&rev=443459&r1=443458&r2=443459
==============================================================================
--- webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/MessageBuilder.java (original)
+++ webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/MessageBuilder.java Thu Sep 14 13:38:20 2006
@@ -31,10 +31,8 @@
import org.apache.rampart.policy.RampartPolicyData;
import org.apache.rampart.util.Axis2Util;
import org.apache.ws.secpolicy.WSSPolicyException;
-import org.apache.ws.security.SOAPConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.message.WSSecHeader;
-import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import java.io.ByteArrayInputStream;
@@ -56,10 +54,7 @@
*/
Document doc = Axis2Util.getDocumentFromSOAPEnvelope(msgCtx.getEnvelope(), false);
msgCtx.setEnvelope((SOAPEnvelope)doc.getDocumentElement());
-
- SOAPConstants soapConstants = WSSecurityUtil.getSOAPConstants(doc
- .getDocumentElement());
-
+
WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);
Modified: webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/BindingBuilder.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/BindingBuilder.java?view=diff&rev=443459&r1=443458&r2=443459
==============================================================================
--- webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/BindingBuilder.java (original)
+++ webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/BindingBuilder.java Thu Sep 14 13:38:20 2006
@@ -31,8 +31,11 @@
import org.apache.ws.secpolicy.model.UsernameToken;
import org.apache.ws.secpolicy.model.X509Token;
import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.conversation.ConversationException;
+import org.apache.ws.security.message.WSSecDKSign;
import org.apache.ws.security.message.WSSecEncryptedKey;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.WSSecTimestamp;
@@ -46,13 +49,18 @@
import java.io.IOException;
import java.util.ArrayList;
import java.util.Date;
+import java.util.HashMap;
import java.util.Iterator;
+import java.util.Set;
+import java.util.Vector;
public abstract class BindingBuilder {
private static Log log = LogFactory.getLog(BindingBuilder.class);
private Element insertionLocation;
+ protected String mainSigId = null;
+
/**
* @param rmd
* @param doc
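Review bot: The new field `protected String mainSigId = null;` has no comment although it is the hand-off between the subclass's main-signature step (which assigns it) and `doEndorsedSignatures` (which reads it); a one-liner such as `/** wsu:Id of the main message signature; null until that signature has been built. */` would make the ordering requirement visible. The explicit `= null` initializer is redundant for a reference field.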
@@ -249,11 +257,11 @@
* @param suppTokens
* @throws RampartException
*/
- protected ArrayList handleSupportingTokens(RampartMessageData rmd, SupportingToken suppTokens)
+ protected HashMap handleSupportingTokens(RampartMessageData rmd, SupportingToken suppTokens)
throws RampartException {
//Create the list to hold the tokens
- ArrayList endSuppTokList = new ArrayList();
+ HashMap endSuppTokMap = new HashMap();
if(suppTokens != null && suppTokens.getTokens() != null &&
suppTokens.getTokens().size() > 0) {
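Review bot: `endSuppTokMap` is a plain `HashMap` keyed by the policy `Token`, so the `keySet()` order that `doEndorsedSignatures` later iterates is unspecified and the sequence in which endorsing signatures are written into the header can differ between runs; `new LinkedHashMap()` keeps the policy's token order behind the same `HashMap` return type (it would need a `java.util.LinkedHashMap` import in the import hunk above). The same map is filled by the four following hunks of this method. The Javadoc above the signature still has no `@return`; something like `@return map from each policy token to the artifact built for it (an org.apache.rahas.Token or a WSSecSignature)` documents what callers get. The body of handleSupportingTokens continues outside this hunk.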
@@ -284,7 +292,7 @@
this.setInsertionLocation(siblingElem);
//Add the extracted token
- endSuppTokList.add(endSuppTok);
+ endSuppTokMap.put(token, endSuppTok);
} else if(token instanceof X509Token) {
//Get the to be added
@@ -315,7 +323,7 @@
(OMElement)encrKey.getEncryptedKeyElement(),
now, new Date(now.getTime() + 300000));
- endSuppTokList.add(endSuppTok);
+ endSuppTokMap.put(token, endSuppTok);
} catch (WSSecurityException e) {
throw new RampartException("errorCreatingEncryptedKey", e);
@@ -332,7 +340,7 @@
.getInsertionLocation(), bstElem);
this.setInsertionLocation(bstElem);
}
- endSuppTokList.add(sig);
+ endSuppTokMap.put(token, sig);
}
} else if(token instanceof UsernameToken) {
WSSecUsernameToken utBuilder = addUsernameToken(rmd);
@@ -347,9 +355,10 @@
this.setInsertionLocation(elem);
Date now = new Date();
try {
- endSuppTokList.add(new org.apache.rahas.Token(utBuilder
- .getId(), (OMElement)elem, now,
- new Date(now.getTime() + 300000)));
+ org.apache.rahas.Token tempTok = new org.apache.rahas.Token(
+ utBuilder.getId(), (OMElement) elem, now,
+ new Date(now.getTime() + 300000));
+ endSuppTokMap.put(token, tempTok);
} catch (TrustException e) {
throw new RampartException("errorCreatingRahasToken", e);
}
@@ -357,7 +366,35 @@
}
}
- return endSuppTokList;
+ return endSuppTokMap;
+ }
+ /**
+ * @param sigSuppTokMap
+ * @param sigParts
+ * @throws RampartException
+ */
+ protected Vector addSignatureParts(HashMap tokenMap, Vector sigParts) throws RampartException {
+
+ Set entrySet = tokenMap.entrySet();
+
+ for (Iterator iter = entrySet.iterator(); iter.hasNext();) {
+ Object tempTok = iter.next();
+ WSEncryptionPart part = null;
+ if(tempTok instanceof org.apache.rahas.Token) {
+ part = new WSEncryptionPart(
+ ((org.apache.rahas.Token) tempTok).getId());
+ } else if(tempTok instanceof WSSecSignature) {
+ WSSecSignature tempSig = (WSSecSignature) tempTok;
+ if(tempSig.getBSTTokenId() != null) {
+ part = new WSEncryptionPart(tempSig.getBSTTokenId());
+ }
+ } else {
+ throw new RampartException("UnsupportedTokenInSupportingToken");
+ }
+ sigParts.add(part);
+ }
+
+ return sigParts;
}
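Review bot: The loop in `addSignatureParts` iterates `tokenMap.entrySet()`, so `tempTok` is always a `Map.Entry` and never an `org.apache.rahas.Token` or a `WSSecSignature`; every call with a non-empty map falls into the `else` branch and throws `UnsupportedTokenInSupportingToken`, which means signed supporting tokens can never be referenced from the signature. Iterate the values instead: `for (Iterator iter = tokenMap.values().iterator(); iter.hasNext();) {` with `Object tempTok = iter.next();` unchanged, dropping the `Set entrySet` line. A `WSSecSignature` whose `getBSTTokenId()` is null leaves `part` null and `sigParts.add(part)` then inserts a null reference into the parts to sign, so guard it with `if (part != null) { sigParts.add(part); }`. The Javadoc names the parameter `sigSuppTokMap` while the signature calls it `tokenMap`.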
@@ -367,6 +404,115 @@
public void setInsertionLocation(Element insertionLocation) {
this.insertionLocation = insertionLocation;
+ }
+
+
+ protected Vector doEndorsedSignatures(RampartMessageData rmd, HashMap tokenMap) throws RampartException {
+
+ Set tokenSet = tokenMap.keySet();
+
+ Vector sigValues = new Vector();
+
+ for (Iterator iter = tokenSet.iterator(); iter.hasNext();) {
+
+ Token token = (Token)iter.next();
+
+ Object tempTok = tokenMap.get(token);
+
+ Vector sigParts = new Vector();
+ sigParts.add(new WSEncryptionPart(this.mainSigId));
+
+ if (tempTok instanceof org.apache.rahas.Token) {
+ org.apache.rahas.Token tok = (org.apache.rahas.Token)tempTok;
+ if(rmd.getPolicyData().isTokenProtection()) {
+ sigParts.add(new WSEncryptionPart(tok.getId()));
+ }
+
+ this.doSignature(rmd, token, (org.apache.rahas.Token)tempTok, sigParts);
+
+ } else if (tempTok instanceof WSSecSignature) {
+ WSSecSignature sig = (WSSecSignature)tempTok;
+ if(rmd.getPolicyData().isTokenProtection() &&
+ sig.getBSTTokenId() != null) {
+ sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
+ }
+
+ try {
+ sig.addReferencesToSign(sigParts, rmd.getSecHeader());
+ sig.computeSignature();
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInSignatureWithX509Token", e);
+ }
+ sigValues.add(sig.getSignatureValue());
+ }
+ }
+
+ return sigValues;
+
+ }
+
+
+ protected byte[] doSignature(RampartMessageData rmd, Token policyToken, org.apache.rahas.Token tok, Vector sigParts) throws RampartException {
+
+ Document doc = rmd.getDocument();
+ RampartPolicyData rpd = rmd.getPolicyData();
+
+ if(policyToken.isDerivedKeys()) {
+ try {
+ WSSecDKSign dkSign = new WSSecDKSign();
+
+ OMElement ref = tok.getAttachedReference();
+ if(ref == null) {
+ ref = tok.getUnattachedReference();
+ }
+ if(ref != null) {
+ dkSign.setExternalKey(tok.getSecret(), (Element)
+ doc.importNode((Element) ref, true));
+ } else {
+ dkSign.setExternalKey(tok.getSecret(), tok.getId());
+ }
+
+ //Set the algo info
+ dkSign.setSignatureAlgorithm(rpd.getAlgorithmSuite().getSymmetricSignature());
+
+
+ dkSign.prepare(doc);
+
+ sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
+
+ if(rpd.isTokenProtection()) {
+ sigParts.add(new WSEncryptionPart(tok.getId()));
+ }
+
+ dkSign.setParts(sigParts);
+
+ dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ //Do signature
+ dkSign.computeSignature();
+
+ //Add elements to header
+ this.setInsertionLocation(RampartUtil
+ .insertSiblingAfter(this.getInsertionLocation(),
+ dkSign.getdktElement()));
+
+ this.setInsertionLocation(RampartUtil.insertSiblingAfter(
+ this.getInsertionLocation(), dkSign
+ .getSignatureElement()));
+
+ return dkSign.getSignatureValue();
+
+ } catch (ConversationException e) {
+ throw new RampartException(
+ "errorInDerivedKeyTokenSignature", e);
+ } catch (WSSecurityException e) {
+ throw new RampartException(
+ "errorInDerivedKeyTokenSignature", e);
+ }
+ } else {
+ //TODO : Example SAMLTOken Signature
+ throw new UnsupportedOperationException("TODO");
+ }
}
}
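Review bot: In `doEndorsedSignatures` the rahas-token branch discards the value returned by `this.doSignature(...)` while the `WSSecSignature` branch records `sig.getSignatureValue()`, so the returned `sigValues` is incomplete whenever an endorsing token is a rahas token; use `sigValues.add(this.doSignature(rmd, token, tok, sigParts));`. With token protection enabled that branch adds `new WSEncryptionPart(tok.getId())` and `doSignature` adds the same part again, yielding two references to one element in the signature; one of the additions should go. `this.mainSigId` is read without a check when `sigParts` is built, so if the main signature was never produced a part with a null id is signed — fail closed with `if (this.mainSigId == null) { throw new IllegalStateException("main signature has not been built"); }` before the loop. `doSignature` has no Javadoc; a header stating that it signs `sigParts` with a key derived from `tok`, inserts the DerivedKeyToken and Signature elements after the current insertion location and returns the raw signature value would help the next reader.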
Modified: webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/SymmetricBindingBuilder.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/SymmetricBindingBuilder.java?view=diff&rev=443459&r1=443458&r2=443459
==============================================================================
--- webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/SymmetricBindingBuilder.java (original)
+++ webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/SymmetricBindingBuilder.java Thu Sep 14 13:38:20 2006
@@ -29,21 +29,16 @@
import org.apache.ws.secpolicy.model.SecureConversationToken;
import org.apache.ws.secpolicy.model.SupportingToken;
import org.apache.ws.secpolicy.model.Token;
-import org.apache.ws.secpolicy.model.UsernameToken;
-import org.apache.ws.secpolicy.model.X509Token;
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.conversation.ConversationException;
import org.apache.ws.security.message.WSSecDKEncrypt;
+import org.apache.ws.security.message.WSSecDKSign;
import org.apache.ws.security.message.WSSecEncrypt;
-import org.apache.ws.security.message.WSSecEncryptedKey;
-import org.apache.ws.security.message.WSSecUsernameToken;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.Iterator;
+import java.util.HashMap;
import java.util.Vector;
@@ -82,6 +77,8 @@
RampartPolicyData rpd = rmd.getPolicyData();
+ Vector signatureValues = new Vector();
+
Token encryptionToken = rpd.getEncryptionToken();
if(encryptionToken != null) {
//The encryption token can be an IssuedToken or a
@@ -181,65 +178,95 @@
RampartUtil.appendChildToSecHeader(rmd, refList);
- //Now add the supporting tokens
- SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
-
- Vector sigParts = rpd.getSignedParts();
-
this.setInsertionLocation(refList);
+
+// Now add the supporting tokens
+ SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
- if(sgndSuppTokens != null && sgndSuppTokens.getTokens() != null &&
- sgndSuppTokens.getTokens().size() > 0) {
- log.debug("Processing signed supporting tokens");
-
- ArrayList tokens = sgndSuppTokens.getTokens();
- for (Iterator iter = tokens.iterator(); iter.hasNext();) {
-
- Token token = (Token) iter.next();
- if(token instanceof UsernameToken) {
- WSSecUsernameToken utBuilder = addUsernameToken(rmd);
-
- utBuilder.prepare(rmd.getDocument());
-
- //Add the UT
- Element elem = utBuilder.getUsernameTokenElement();
- RampartUtil.insertSiblingAfter(this.getInsertionLocation(), elem);
-
- //Move the insert location to th enext element
- this.setInsertionLocation(elem);
-
- WSEncryptionPart part = new WSEncryptionPart(utBuilder
- .getId());
- sigParts.add(part);
-
- } else {
- throw new RampartException("unsupportedSignedSupportingToken",
- new String[]{"{" +token.getName().getNamespaceURI()
- + "}" + token.getName().getLocalPart()});
- }
- }
- }
+ HashMap sigSuppTokMap = this.handleSupportingTokens(rmd, sgndSuppTokens);
- //Endorsing Supporting Tokens
SupportingToken endSuppTokens = rpd.getEndorsingSupportingTokens();
- //The list to hold tokens
- ArrayList endSuppTokList = this.handleSupportingTokens(rmd, endSuppTokens);
+ HashMap endSuppTokMap = this.handleSupportingTokens(rmd, endSuppTokens);
SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
- ArrayList sgndEndSuppTokList = this.handleSupportingTokens(rmd, sgndEndSuppTokens);
-
+ HashMap sgndEndSuppTokMap = this.handleSupportingTokens(rmd, sgndEndSuppTokens);
+
+ //Setup signature parts
+ Vector sigParts = addSignatureParts(sigSuppTokMap, rpd.getSignedParts());
+ sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);
//Sign the message
+ //We should use the same key in the case of EncryptBeforeSig
+ if(encryptionToken.isDerivedKeys()) {
+ try {
+ WSSecDKSign dkSign = new WSSecDKSign();
+
+ OMElement ref = tok.getAttachedReference();
+ if(ref == null) {
+ ref = tok.getUnattachedReference();
+ }
+ if(ref != null) {
+ dkSign.setExternalKey(tok.getSecret(), (Element)
+ doc.importNode((Element) ref, true));
+ } else {
+ dkSign.setExternalKey(tok.getSecret(), tok.getId());
+ }
+
+ //Set the algo info
+ dkSign.setSignatureAlgorithm(rpd.getAlgorithmSuite().getSymmetricSignature());
+
+
+ dkSign.prepare(doc);
+
+ sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
+
+ if(rpd.isTokenProtection() && attached) {
+ sigParts.add(new WSEncryptionPart(tokenId));
+ }
+
+ dkSign.setParts(sigParts);
+
+ dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ //Do signature
+ dkSign.computeSignature();
+
+ signatureValues.add(dkSign.getSignatureValue());
+
+ //Add elements to header
+ this.setInsertionLocation(RampartUtil
+ .insertSiblingAfter(this.getInsertionLocation(),
+ dkSign.getdktElement()));
+
+ this.setInsertionLocation(RampartUtil.insertSiblingAfter(
+ this.getInsertionLocation(), dkSign
+ .getSignatureElement()));
+ this.mainSigId = RampartUtil.addWsuIdToElement((OMElement)dkSign.getSignatureElement());
+
+ } catch (ConversationException e) {
+ throw new RampartException(
+ "errorInDerivedKeyTokenSignature", e);
+ } catch (WSSecurityException e) {
+ throw new RampartException(
+ "errorInDerivedKeyTokenSignature", e);
+ }
+ } else {
+ //TODO : Example SAMLTOken Signature
+ }
+
+ //Do endorsed signatures
+ this.doEndorsedSignatures(rmd, endSuppTokMap);
- String sigId = null;
+ //Do signed endorsing signatures
+ this.doEndorsedSignatures(rmd, sgndEndSuppTokMap);
//Check for signature protection
- if(rpd.isSignatureProtection()) {
+ if(rpd.isSignatureProtection() && this.mainSigId != null) {
//Now encrypt the signature using the above token
Vector secondEncrParts = new Vector();
- secondEncrParts.add(new WSEncryptionPart(sigId, "Element"));
+ secondEncrParts.add(new WSEncryptionPart(this.mainSigId, "Element"));
Element secondRefList = null;
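Review bot: The `else` branch of `if(encryptionToken.isDerivedKeys())` is an empty TODO, so for an encryption token without derived keys no main signature is produced, `this.mainSigId` stays null and the signature-protection step is then skipped silently by the new `this.mainSigId != null` condition — the message leaves without the signature the policy requires and without any error. Fail closed until that path exists, as `BindingBuilder.doSignature` does: `throw new UnsupportedOperationException("TODO");`, or a `RampartException` with a key added to errors.properties. `tok`, `doc`, `attached` and `tokenId` are not declared in this hunk and `encryptionToken` is dereferenced here without the null guard the earlier hunk applies to it; the enclosing method starts and ends outside the hunk, so these could not be confirmed. `signatureValues` is appended to but never read in the visible code, and the derived-key signing block repeats `BindingBuilder.doSignature` almost line for line, which is two places to keep in step for a signing routine.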
@@ -266,7 +293,8 @@
}
}
}
-
+
+
/**
* Setup the required tokens
Modified: webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties?view=diff&rev=443459&r1=443458&r2=443459
==============================================================================
--- webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties (original)
+++ webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties Thu Sep 14 13:38:20 2006
@@ -31,4 +31,5 @@
errorInRetrievingTokenId = Error in retrieving token : {0}
errorInEncryption = Error in encryption
errorInDKEncr = Error in encryption with a derived key
-errorCreatingRahasToken = Error in creating a org.apache.rahas.Token instance
\ No newline at end of file
+errorCreatingRahasToken = Error in creating a org.apache.rahas.Token instance
+UnsupportedTokenInSupportingToken = Unsupprted token in supporting tokens
\ No newline at end of file
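Review bot: The new message text has a typo, `Unsupprted` for `Unsupported`; the line should read `UnsupportedTokenInSupportingToken = Unsupported token in supporting tokens`. The file is still written without a trailing newline, so the next key added will churn the last line again.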