Posted to commits@ws.apache.org by co...@apache.org on 2011/07/26 17:11:06 UTC
svn commit: r1151127 - in
/webservices/wss4j/trunk/src/main/java/org/apache/ws/security: ./ message/
message/token/ processor/ saml/ transform/ util/ validate/
Author: coheigea
Date: Tue Jul 26 15:11:05 2011
New Revision: 1151127
URL: http://svn.apache.org/viewvc?rev=1151127&view=rev
Log:
[WSS-301] - WSS4J 1.6 incorrectly using XML-Security ResourceResolvers
Removed:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/DOMURIDereferencer.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/EnvelopeIdResolver.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDKSign.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/transform/STRTransform.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java Tue Jul 26 15:11:05 2011
@@ -34,6 +34,7 @@ package org.apache.ws.security;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.CallbackLookup;
+import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -41,6 +42,8 @@ import org.w3c.dom.Element;
import java.util.ArrayList;
import java.util.List;
+import javax.xml.crypto.dom.DOMCryptoContext;
+
public class WSDocInfo {
private Document doc = null;
private Crypto crypto = null;
@@ -163,6 +166,18 @@ public class WSDocInfo {
}
return null;
}
+
+ /**
+ * Set all stored tokens on the DOMCryptoContext argument
+ * @param context
+ */
+ public void setTokensOnContext(DOMCryptoContext context) {
+ if (tokenList != null) {
+ for (Element elem : tokenList) {
+ WSSecurityUtil.storeElementInContext(context, elem);
+ }
+ }
+ }
/**
* Store a protection element for later retrieval. This is only used for the
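Review bot: The Javadoc on the new `setTokensOnContext` has a bare `@param context` with no description, and it does not say that what gets registered is each stored token's Id attribute rather than the token itself, which is the property anyone reasoning about what a signature Reference can later resolve needs to know. Suggest `@param context the DOMCryptoContext on which the Id attributes of every stored token element are registered via WSSecurityUtil.storeElementInContext`. `tokenList` is a field whose population is not visible in this hunk, so whether it can hold null entries cannot be confirmed here; if it can, the loop would fail inside `storeElementInContext` on `element.hasAttributeNS`, and a `if (elem != null)` guard in the loop would be cheap.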
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDKSign.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDKSign.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDKSign.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDKSign.java Tue Jul 26 15:11:05 2011
@@ -36,7 +36,6 @@ import org.w3c.dom.Element;
import java.util.ArrayList;
import java.util.List;
-import javax.xml.crypto.URIDereferencer;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
@@ -269,11 +268,15 @@ public class WSSecDKSign extends WSSecDe
WSConstants.C14N_EXCL_OMIT_COMMENTS_PREFIX
);
}
- URIDereferencer dereferencer = new DOMURIDereferencer();
signContext.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, wsDocInfo);
wsDocInfo.setCallbackLookup(callbackLookup);
- ((DOMURIDereferencer)dereferencer).setWsDocInfo(wsDocInfo);
- signContext.setURIDereferencer(dereferencer);
+
+ // Add the elements to sign to the Signature Context
+ wsDocInfo.setTokensOnContext((DOMSignContext)signContext);
+ if (secRef != null && secRef.getElement() != null) {
+ WSSecurityUtil.storeElementInContext((DOMSignContext)signContext, secRef.getElement());
+ }
+
sig.sign(signContext);
signatureValue = sig.getSignatureValue().getValue();
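Review bot: The comment `// Add the elements to sign to the Signature Context` misdescribes the three lines below it: `setTokensOnContext` and `storeElementInContext` register Id attributes on the context so the signature References can be dereferenced, they do not add content to be signed. Suggest `// Register the Id attributes of the stored tokens (and the STR) so the References can be resolved`. The same block, comment included, is repeated in WSSecSignature and WSSecSignatureSAML in this commit; a shared helper (for example on WSDocInfo, taking the optional SecurityTokenReference) would keep the three copies in step. The `(DOMSignContext)signContext` casts suggest `signContext` is declared as a wider type outside the hunk; declaring it as `DOMSignContext` where it is created would remove the casts, though its declaration is not visible here.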
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java Tue Jul 26 15:11:05 2011
@@ -46,7 +46,6 @@ import java.security.cert.X509Certificat
import java.util.ArrayList;
import java.util.List;
-import javax.xml.crypto.URIDereferencer;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
@@ -520,9 +519,12 @@ public class WSSecSignature extends WSSe
}
signContext.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, wsDocInfo);
wsDocInfo.setCallbackLookup(callbackLookup);
- URIDereferencer dereferencer = new DOMURIDereferencer();
- ((DOMURIDereferencer)dereferencer).setWsDocInfo(wsDocInfo);
- signContext.setURIDereferencer(dereferencer);
+
+ // Add the elements to sign to the Signature Context
+ wsDocInfo.setTokensOnContext((DOMSignContext)signContext);
+ if (secRef != null && secRef.getElement() != null) {
+ WSSecurityUtil.storeElementInContext((DOMSignContext)signContext, secRef.getElement());
+ }
sig.sign(signContext);
signatureValue = sig.getSignatureValue().getValue();
@@ -534,7 +536,6 @@ public class WSSecSignature extends WSSe
}
}
-
/**
* Set the single cert flag.
*
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java Tue Jul 26 15:11:05 2011
@@ -155,7 +155,7 @@ public class KerberosSecurity extends Bi
// Get the service ticket
KerberosClientAction action =
new KerberosClientAction(clientPrincipals.iterator().next(), serviceName);
- byte[] ticket = Subject.doAs(clientSubject, action);
+ byte[] ticket = (byte[])Subject.doAs(clientSubject, action);
if (ticket == null) {
throw new WSSecurityException(
WSSecurityException.FAILURE, "kerberosServiceTicketError"
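Review bot: The added `(byte[])` cast on `Subject.doAs(clientSubject, action)` replaces a compile-time type with a runtime ClassCastException should the action ever return something else, and the same cast to `Principal` is added in KerberosTokenValidator in this commit. This presumably means `KerberosClientAction` and `KerberosServiceAction` (not visible here) implement the raw `PrivilegedAction` rather than `PrivilegedAction<byte[]>` / `PrivilegedAction<Principal>`; if so, parameterising the action types would make both casts unnecessary and keep the check at compile time. If the raw type is deliberate for the target Java version, a one-line comment saying so would stop the next reader from removing the cast.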
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java Tue Jul 26 15:11:05 2011
@@ -32,7 +32,6 @@ import org.apache.ws.security.components
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.DOMCallbackLookup;
-import org.apache.ws.security.message.DOMURIDereferencer;
import org.apache.ws.security.message.CallbackLookup;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.str.STRParser;
@@ -50,7 +49,6 @@ import org.w3c.dom.Node;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.NodeSetData;
-import javax.xml.crypto.URIDereferencer;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.Reference;
@@ -342,12 +340,11 @@ public class SignatureProcessor implemen
XMLValidateContext context = new DOMValidateContext(key, elem);
context.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
- URIDereferencer dereferencer = new DOMURIDereferencer();
- ((DOMURIDereferencer)dereferencer).setWsDocInfo(wsDocInfo);
- context.setURIDereferencer(dereferencer);
context.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, wsDocInfo);
+
try {
XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
+ setElementsOnContext(xmlSignature, (DOMValidateContext)context, wsDocInfo, elem.getOwnerDocument());
boolean signatureOk = xmlSignature.validate(context);
if (signatureOk) {
return xmlSignature;
@@ -380,6 +377,38 @@ public class SignatureProcessor implemen
throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
}
+ /**
+ * Retrieve the Reference elements and set them on the ValidateContext
+ * @param xmlSignature the XMLSignature object to get the references from
+ * @param context the ValidateContext
+ * @param wsDocInfo the WSDocInfo object where tokens are stored
+ * @param doc the owner document from which to find elements
+ * @throws WSSecurityException
+ */
+ private void setElementsOnContext(
+ XMLSignature xmlSignature,
+ DOMValidateContext context,
+ WSDocInfo wsDocInfo,
+ Document doc
+ ) throws WSSecurityException {
+ java.util.Iterator<?> referenceIterator =
+ xmlSignature.getSignedInfo().getReferences().iterator();
+ CallbackLookup callbackLookup = wsDocInfo.getCallbackLookup();
+ if (callbackLookup == null) {
+ callbackLookup = new DOMCallbackLookup(doc);
+ }
+ while (referenceIterator.hasNext()) {
+ Reference reference = (Reference)referenceIterator.next();
+ String uri = reference.getURI();
+ Element element = callbackLookup.getElement(uri, null, true);
+ if (element == null) {
+ element = wsDocInfo.getTokenElement(uri);
+ }
+ if (element != null) {
+ WSSecurityUtil.storeElementInContext(((DOMValidateContext)context), element);
+ }
+ }
+ }
/**
* Get the signature method algorithm URI from the associated signature element.
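Review bot: In `setElementsOnContext` the `uri` read from each Reference of the incoming signature is untrusted input and decides which element gets registered on the validate context, but the hunk does not show how `callbackLookup.getElement(uri, null, true)` behaves for a null URI (a Reference without a URI attribute), an empty URI, or a document that contains more than one element with that Id. Resolving such an ambiguous Id to a single element is what keeps the validated content tied to the referenced one, so the lookup should fail rather than return the first match, and a null `uri` should be skipped with `if (uri == null) { continue; }`; whether `getElement` already strips a leading `#` from the fragment URI is also not visible here. Minor style: the parameter is already a `DOMValidateContext`, so the `((DOMValidateContext)context)` cast in the body is redundant, and `java.util.Iterator<?>` could be imported rather than fully qualified. The Javadoc `@throws WSSecurityException` lacks a description of when it is thrown.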
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java Tue Jul 26 15:11:05 2011
@@ -27,7 +27,6 @@ import org.apache.ws.security.WSSecurity
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.message.DOMURIDereferencer;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.token.Reference;
@@ -46,7 +45,6 @@ import java.security.cert.X509Certificat
import java.util.ArrayList;
import java.util.List;
-import javax.xml.crypto.URIDereferencer;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.SignatureMethod;
@@ -518,9 +516,16 @@ public class WSSecSignatureSAML extends
}
signContext.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, wsDocInfo);
wsDocInfo.setCallbackLookup(callbackLookup);
- URIDereferencer dereferencer = new DOMURIDereferencer();
- ((DOMURIDereferencer)dereferencer).setWsDocInfo(wsDocInfo);
- signContext.setURIDereferencer(dereferencer);
+
+ // Add the elements to sign to the Signature Context
+ wsDocInfo.setTokensOnContext((DOMSignContext)signContext);
+
+ if (secRefSaml != null && secRefSaml.getElement() != null) {
+ WSSecurityUtil.storeElementInContext((DOMSignContext)signContext, secRefSaml.getElement());
+ }
+ if (secRef != null && secRef.getElement() != null) {
+ WSSecurityUtil.storeElementInContext((DOMSignContext)signContext, secRef.getElement());
+ }
sig.sign(signContext);
signatureValue = sig.getSignatureValue().getValue();
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/transform/STRTransform.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/transform/STRTransform.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/transform/STRTransform.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/transform/STRTransform.java Tue Jul 26 15:11:05 2011
@@ -29,20 +29,19 @@ import org.apache.ws.security.util.WSSec
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.signature.XMLSignatureInput;
-import org.jcp.xml.dsig.internal.dom.ApacheData;
-import org.jcp.xml.dsig.internal.dom.DOMSubTreeData;
-import org.jcp.xml.dsig.internal.dom.DOMUtils;
-
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import org.w3c.dom.Node;
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.spec.AlgorithmParameterSpec;
+import java.util.Iterator;
import javax.xml.crypto.Data;
import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.NodeSetData;
import javax.xml.crypto.OctetStreamData;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.XMLStructure;
@@ -98,7 +97,7 @@ public class STRTransform extends Transf
}
Element transformElement2 = (Element)
((javax.xml.crypto.dom.DOMStructure) parent).getNode();
- DOMUtils.appendChild(transformElement2, transformElement);
+ appendChild(transformElement2, transformElement);
transformElement = transformElement2;
}
@@ -143,33 +142,31 @@ public class STRTransform extends Transf
}
try {
//
- // Get the input (node) to transform. Currently we support only an
- // Element as input format. If other formats are required we must
- // get it as bytes and probably reparse it into a DOM tree (How to
- // work with nodesets? how to select the right node from a nodeset?)
- //
- XMLSignatureInput xmlSignatureInput = null;
- if (data instanceof ApacheData) {
- xmlSignatureInput = ((ApacheData) data).getXMLSignatureInput();
- } else if (data instanceof DOMSubTreeData) {
- DOMSubTreeData subTree = (DOMSubTreeData) data;
- xmlSignatureInput = new XMLSignatureInput(subTree.getRoot());
- xmlSignatureInput.setExcludeComments(subTree.excludeComments());
+ // Get the input (node) to transform.
+ //
+ Element str = null;
+ if (data instanceof NodeSetData) {
+ NodeSetData nodeSetData = (NodeSetData)data;
+ Iterator<?> iterator = nodeSetData.iterator();
+ while (iterator.hasNext()) {
+ Node node = (Node)iterator.next();
+ if (node instanceof Element && "SecurityTokenReference".equals(node.getLocalName())) {
+ str = (Element)node;
+ break;
+ }
+ }
} else {
try {
- xmlSignatureInput =
+ XMLSignatureInput xmlSignatureInput =
new XMLSignatureInput(((OctetStreamData)data).getOctetStream());
+ str = (Element)xmlSignatureInput.getSubNode();
} catch (Exception ex) {
throw new TransformException(ex);
}
}
-
- if (!xmlSignatureInput.isElement()) {
- throw new TransformException(
- "Wrong input format - only element input supported"
- );
+ if (str == null) {
+ throw new TransformException("No SecurityTokenReference found");
}
- Element str = (Element)xmlSignatureInput.getSubNode();
//
// The element to transform MUST be a SecurityTokenReference
// element.
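Review bot: The new NodeSetData branch picks the first Element whose local name is `SecurityTokenReference` without looking at its namespace, and the OctetStreamData branch casts `xmlSignatureInput.getSubNode()` to `Element` where the old code first checked `isElement()`, so a non-element input now surfaces as a ClassCastException wrapped in TransformException instead of the former clear message. Suggest restoring the guard before the cast, `if (!xmlSignatureInput.isElement()) { throw new TransformException("Wrong input format - only element input supported"); }`. The comment following the hunk says the element must be a SecurityTokenReference, so a namespace check presumably happens below; if it does, matching the namespace in the loop as well would stop a same-named element from another namespace earlier in the node set from shadowing the real STR and failing the transform. The enclosing transform method continues outside the hunk.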
@@ -276,5 +273,19 @@ public class STRTransform extends Transf
return false;
}
}
+
+ private static void appendChild(Node parent, Node child) {
+ Document ownerDoc = null;
+ if (parent.getNodeType() == Node.DOCUMENT_NODE) {
+ ownerDoc = (Document)parent;
+ } else {
+ ownerDoc = parent.getOwnerDocument();
+ }
+ if (child.getOwnerDocument() != ownerDoc) {
+ parent.appendChild(ownerDoc.importNode(child, true));
+ } else {
+ parent.appendChild(child);
+ }
+ }
}
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java Tue Jul 26 15:11:05 2011
@@ -42,6 +42,7 @@ import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
+import javax.xml.crypto.dom.DOMCryptoContext;
import javax.xml.namespace.QName;
import java.security.MessageDigest;
@@ -1205,4 +1206,23 @@ public class WSSecurityUtil {
return ret;
}
+ /**
+ * Store the element argument in the DOM Crypto Context if it has one of the standard
+ * "Id" attributes.
+ */
+ public static void storeElementInContext(DOMCryptoContext context, Element element) {
+ if (element.hasAttributeNS(WSConstants.WSU_NS, "Id")) {
+ context.setIdAttributeNS(element, WSConstants.WSU_NS, "Id");
+ }
+ if (element.hasAttributeNS(null, "Id")) {
+ context.setIdAttributeNS(element, null, "Id");
+ }
+ if (element.hasAttributeNS(null, "ID")) {
+ context.setIdAttributeNS(element, null, "ID");
+ }
+ if (element.hasAttributeNS(null, "AssertionID")) {
+ context.setIdAttributeNS(element, null, "AssertionID");
+ }
+ }
+
}
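Review bot: `storeElementInContext` is public static, documents neither parameter, and calls `element.hasAttributeNS` without a null guard, so a null element fails with a NullPointerException rather than a message; add `@param context the DOMCryptoContext to register the Id attribute on` and `@param element the element whose Id attribute is registered; must not be null`. It is also worth stating in the Javadoc that registering an element makes it resolvable by signature References, so callers on the validation side must pass only elements they have themselves located by Id in the document, because the trust decision is made by the caller and not here. The four registrations are independent `if`s, so an element carrying both a `wsu:Id` and an unqualified `Id` is registered under both; if that is intended, a short comment saying so would help.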
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java Tue Jul 26 15:11:05 2011
@@ -148,7 +148,7 @@ public class KerberosTokenValidator impl
// Validate the ticket
KerberosServiceAction action = new KerberosServiceAction(token, service);
- Principal principal = Subject.doAs(subject, action);
+ Principal principal = (Principal)Subject.doAs(subject, action);
if (principal == null) {
throw new WSSecurityException(
WSSecurityException.FAILURE, "kerberosTicketValidationError"