Posted to commits@ws.apache.org by co...@apache.org on 2015/01/26 18:14:35 UTC
svn commit: r1654847 - in /webservices/wss4j/trunk:
ws-security-common/src/main/java/org/apache/wss4j/common/ext/
ws-security-stax/src/main/java/org/apache/wss4j/stax/
ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/
ws-security-stax/src/main/...
Author: coheigea
Date: Mon Jan 26 17:14:34 2015
New Revision: 1654847
URL: http://svn.apache.org/r1654847
Log:
[WSS-525] - Provide a means of unifying all error messages
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSSecurityException.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/WSSecurityStreamReader.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PasswordTypeTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureCertConstaintsTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureConfirmationTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/UsernameTokenTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/VulnerabliltyVectorsTest.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSSecurityException.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSSecurityException.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSSecurityException.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSSecurityException.java Mon Jan 26 17:14:34 2015
@@ -77,6 +77,12 @@ public class WSSecurityException extends
*/
public static final QName MESSAGE_EXPIRED = new QName(NS_WSSE10, "MessageExpired");
+ /**
+ * Generic Security error
+ */
+ public static final QName SECURITY_ERROR =
+ new QName("http://ws.apache.org/wss4j", "SecurityError");
+
// FAULT error messages
public static final String UNSUPPORTED_TOKEN_ERR = "An unsupported token was provided";
public static final String UNSUPPORTED_ALGORITHM_ERR =
@@ -91,6 +97,8 @@ public class WSSecurityException extends
public static final String SECURITY_TOKEN_UNAVAILABLE_ERR =
"Referenced security token could not be retrieved";
public static final String MESSAGE_EXPIRED_ERR = "The message has expired";
+ public static final String UNIFIED_SECURITY_ERR =
+ "A security error was encountered when verifying the message";
public enum ErrorCode {
FAILURE(null), //Non standard error message
@@ -104,6 +112,7 @@ public class WSSecurityException extends
MESSAGE_EXPIRED(WSSecurityException.MESSAGE_EXPIRED),
FAILED_ENCRYPTION(null), //Non standard error message
FAILED_SIGNATURE(null), //Non standard error message
+ SECURITY_ERROR(WSSecurityException.SECURITY_ERROR)
;
private QName qName;
@@ -196,39 +205,19 @@ public class WSSecurityException extends
}
/**
- * Map a WSSecurityException FaultCode to a standard error String, so as not to leak
- * internal configuration to an attacker.
+ * Get a "safe" / unified error message, so as not to leak internal configuration
+ * to an attacker.
*/
public String getSafeExceptionMessage() {
- // Allow a Replay Attack message to be returned, otherwise it could be confusing
- // for clients who don't understand the default caching functionality of WSS4J/CXF
- if (getMessage() != null && getMessage().contains("replay attack")) {
- return getMessage();
- }
-
- String errorMessage = null;
- QName faultCode = getFaultCode();
- if (UNSUPPORTED_SECURITY_TOKEN.equals(faultCode)) {
- errorMessage = UNSUPPORTED_TOKEN_ERR;
- } else if (UNSUPPORTED_ALGORITHM.equals(faultCode)) {
- errorMessage = UNSUPPORTED_ALGORITHM_ERR;
- } else if (INVALID_SECURITY.equals(faultCode)) {
- errorMessage = INVALID_SECURITY_ERR;
- } else if (INVALID_SECURITY_TOKEN.equals(faultCode)) {
- errorMessage = INVALID_SECURITY_TOKEN_ERR;
- } else if (FAILED_AUTHENTICATION.equals(faultCode)) {
- errorMessage = FAILED_AUTHENTICATION_ERR;
- } else if (FAILED_CHECK.equals(faultCode)) {
- errorMessage = FAILED_CHECK_ERR;
- } else if (SECURITY_TOKEN_UNAVAILABLE.equals(faultCode)) {
- errorMessage = SECURITY_TOKEN_UNAVAILABLE_ERR;
- } else if (MESSAGE_EXPIRED.equals(faultCode)) {
- errorMessage = MESSAGE_EXPIRED_ERR;
- } else {
- // Default
- errorMessage = INVALID_SECURITY_ERR;
- }
- return errorMessage;
+ return UNIFIED_SECURITY_ERR;
}
+
+ /**
+ * Get the "safe" / unified fault code QName associated with this exception, so as
+ * not to leak internal configuration to an attacker
+ */
+ public QName getSafeFaultCode() {
+ return SECURITY_ERROR;
+ }
}
\ No newline at end of file
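Review bot: The new Javadoc on `getSafeExceptionMessage()` does not say that the method now ignores the exception's state: it returns `UNIFIED_SECURITY_ERR` for every failure, including the replay-attack case that the removed lines used to let through. I would state that in the comment, for example `Always returns the same generic message; the real reason is only available from getMessage() and should be logged on the receiving side, never returned to the sender.` `getSafeFaultCode()` would likewise benefit from an `@return` line saying the result is always `SECURITY_ERROR`, independent of `getFaultCode()`. Callers that relied on the previous per-fault-code strings get a behaviour change under an unchanged signature, which is worth a line in the release notes.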
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/WSSec.java Mon Jan 26 17:14:34 2015
@@ -135,12 +135,30 @@ public class WSSec {
*/
public static InboundWSSec getInboundWSSec(WSSSecurityProperties securityProperties,
boolean initiator) throws WSSecurityException {
+ return getInboundWSSec(securityProperties, false, false);
+ }
+
+ /**
+ * Creates and configures an inbound streaming security engine
+ *
+ * @param securityProperties The user-defined security configuration
+ * @param initiator Whether we are the message initiator or not
+ * @param returnSecurityError Whether to return the underlying security error or not
+ * @return A new InboundWSSec
+ * @throws WSSecurityException
+ * if the initialisation failed
+ * @throws org.apache.wss4j.stax.ext.WSSConfigurationException
+ * if the configuration is invalid
+ */
+ public static InboundWSSec getInboundWSSec(WSSSecurityProperties securityProperties,
+ boolean initiator,
+ boolean returnSecurityError) throws WSSecurityException {
if (securityProperties == null) {
throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "missingSecurityProperties");
}
securityProperties = validateAndApplyDefaultsToInboundSecurityProperties(securityProperties);
- return new InboundWSSec(securityProperties, initiator);
+ return new InboundWSSec(securityProperties, initiator, returnSecurityError);
}
/**
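Review bot: The existing two-argument overload now discards its `initiator` parameter: the added line `return getInboundWSSec(securityProperties, false, false);` passes a literal `false`, so a caller that asks for initiator mode silently gets a non-initiator engine. In this commit that also changes error reporting, because `WSSecurityStreamReader.next()` rethrows the original exception only when `initiator` or `returnSecurityError` is set. The delegation should forward the argument: `return getInboundWSSec(securityProperties, initiator, false);`.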
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java Mon Jan 26 17:14:34 2015
@@ -71,14 +71,17 @@ public class InboundWSSec {
private final WSSSecurityProperties securityProperties;
private final boolean initiator;
+ private final boolean returnSecurityError;
public InboundWSSec(WSSSecurityProperties securityProperties) {
- this(securityProperties, false);
+ this(securityProperties, false, false);
}
- public InboundWSSec(WSSSecurityProperties securityProperties, boolean initiator) {
+ public InboundWSSec(WSSSecurityProperties securityProperties, boolean initiator,
+ boolean returnSecurityError) {
this.securityProperties = securityProperties;
this.initiator = initiator;
+ this.returnSecurityError = returnSecurityError;
}
/**
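Review bot: Replacing the public constructor `InboundWSSec(WSSSecurityProperties, boolean)` with the three-argument form removes a public signature, so code that constructs the class directly no longer compiles against this revision. Keeping the old constructor as a delegate avoids the break: `public InboundWSSec(WSSSecurityProperties securityProperties, boolean initiator) { this(securityProperties, initiator, false); }`. The same applies to the `WSSecurityStreamReader` constructor changed later in this commit. The new `returnSecurityError` field has no comment; a single line stating that `false` (the default) means inbound failures are reported with the unified message would make the flag's direction clear.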
@@ -259,6 +262,6 @@ public class InboundWSSec {
}
}
- return new WSSecurityStreamReader(inputProcessorChain, securityProperties, initiator);
+ return new WSSecurityStreamReader(inputProcessorChain, securityProperties, initiator, returnSecurityError);
}
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/WSSecurityStreamReader.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/WSSecurityStreamReader.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/WSSecurityStreamReader.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/WSSecurityStreamReader.java Mon Jan 26 17:14:34 2015
@@ -20,7 +20,6 @@ package org.apache.wss4j.stax.impl;
import org.apache.wss4j.common.WSSPolicyException;
import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.ext.InputProcessorChain;
import org.apache.xml.security.stax.ext.XMLSecurityProperties;
import org.apache.xml.security.stax.impl.XMLSecurityStreamReader;
@@ -30,11 +29,14 @@ import javax.xml.stream.XMLStreamExcepti
public class WSSecurityStreamReader extends XMLSecurityStreamReader {
private final boolean initiator;
+ private final boolean returnSecurityError;
public WSSecurityStreamReader(InputProcessorChain inputProcessorChain,
- XMLSecurityProperties securityProperties, boolean initiator) {
+ XMLSecurityProperties securityProperties, boolean initiator,
+ boolean returnSecurityError) {
super(inputProcessorChain, securityProperties);
this.initiator = initiator;
+ this.returnSecurityError = returnSecurityError;
}
@Override
@@ -43,23 +45,18 @@ public class WSSecurityStreamReader exte
return super.next();
} catch (XMLStreamException e) {
Throwable cause = e.getCause();
- if (cause instanceof WSSecurityException) {
- // Allow a WSSPolicyException
- if (initiator || cause.getCause() instanceof WSSPolicyException) {
- throw e;
- }
- // Map to a "safe" error message if we are not the initiator
- String error = ((WSSecurityException)cause).getSafeExceptionMessage();
- throw new XMLStreamException(
- new WSSecurityException(((WSSecurityException)cause).getErrorCode(),
- new Exception(error)));
+
+ // Allow a WSSPolicyException
+ if (returnSecurityError || initiator ||
+ cause != null && cause.getCause() instanceof WSSPolicyException) {
+ throw e;
}
- if (cause instanceof XMLSecurityException) {
- throw new XMLStreamException(
- new WSSecurityException(
- WSSecurityException.ErrorCode.FAILED_CHECK, (XMLSecurityException)cause));
- }
- throw e;
+
+ // Mask the real error
+ String safeErrorMessage = WSSecurityException.UNIFIED_SECURITY_ERR;
+ throw new XMLStreamException(
+ new WSSecurityException(WSSecurityException.ErrorCode.SECURITY_ERROR,
+ new Exception(safeErrorMessage)));
}
}
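Review bot: In the masking branch the original exception `e` is dropped without being logged: the new `XMLStreamException` wraps only `new Exception(safeErrorMessage)`, so with the default `returnSecurityError = false` the receiving side has no record of which check failed. Log it before the rethrow, for example `LOG.debug(e.getMessage(), e);` (`LOG` stands for a class logger, which is not visible in this hunk and may need to be added), rather than chaining it as the cause, since a chained cause could be serialized back to the sender. The branch also masks every `XMLStreamException`, not only those caused by a `WSSecurityException`. The pass-through branch no longer wraps an `XMLSecurityException` cause in `WSSecurityException(FAILED_CHECK)`, which appears to be why the type and fault-code assertions were removed from VulnerabliltyVectorsTest. The body of `next()` begins above this hunk.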
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java Mon Jan 26 17:14:34 2015
@@ -145,7 +145,7 @@ public abstract class AbstractTestBase e
public Document doInboundSecurity(WSSSecurityProperties securityProperties, XMLStreamReader xmlStreamReader,
List<SecurityEvent> securityEventList, SecurityEventListener securityEventListener)
throws XMLStreamException, ParserConfigurationException, XMLSecurityException {
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader outXmlStreamReader = wsSecIn.processInMessage(xmlStreamReader, securityEventList, securityEventListener);
return StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), outXmlStreamReader);
}
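Review bot: The default masked path is not exercised by any test visible in this commit, because this helper now calls `getInboundWSSec(securityProperties, false, true)` and so keeps asserting the detailed messages. I would add at least one negative test that uses `WSSec.getInboundWSSec(securityProperties)` and asserts that the reported fault code is `WSSecurityException.SECURITY_ERROR` and that the detailed reason does not appear in the exception chain. The same one-line change is repeated in PasswordTypeTest, ReplayTest, SignatureCertConstaintsTest, SignatureConfirmationTest, SignatureTest, TimestampTest, UsernameTokenTest and VulnerabliltyVectorsTest, so the point applies to those hunks as well.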
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PasswordTypeTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PasswordTypeTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PasswordTypeTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/PasswordTypeTest.java Mon Jan 26 17:14:34 2015
@@ -98,7 +98,7 @@ public class PasswordTypeTest extends Ab
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT);
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null);
@@ -165,7 +165,7 @@ public class PasswordTypeTest extends Ab
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST);
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null);
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/ReplayTest.java Mon Jan 26 17:14:34 2015
@@ -89,7 +89,7 @@ public class ReplayTest extends Abstract
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setTimestampReplayCache(replayCache);
securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
try {
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureCertConstaintsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureCertConstaintsTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureCertConstaintsTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureCertConstaintsTest.java Mon Jan 26 17:14:34 2015
@@ -94,7 +94,7 @@ public class SignatureCertConstaintsTest
Pattern subjectDNPattern = Pattern.compile(certConstraint.trim());
securityProperties.setSubjectCertConstraints(Collections.singletonList(subjectDNPattern));
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
try {
@@ -152,7 +152,7 @@ public class SignatureCertConstaintsTest
Pattern subjectDNPattern = Pattern.compile(certConstraint.trim());
securityProperties.setSubjectCertConstraints(Collections.singletonList(subjectDNPattern));
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
try {
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureConfirmationTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureConfirmationTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureConfirmationTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureConfirmationTest.java Mon Jan 26 17:14:34 2015
@@ -401,7 +401,7 @@ public class SignatureConfirmationTest e
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setEnableSignatureConfirmationVerification(true);
securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), securityEventList);
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java Mon Jan 26 17:14:34 2015
@@ -1521,7 +1521,7 @@ public class SignatureTest extends Abstr
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
try {
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/TimestampTest.java Mon Jan 26 17:14:34 2015
@@ -195,7 +195,7 @@ public class TimestampTest extends Abstr
//done timestamp; now test timestamp-verification:
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
try {
@@ -236,7 +236,7 @@ public class TimestampTest extends Abstr
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
try {
@@ -332,7 +332,7 @@ public class TimestampTest extends Abstr
//done timestamp; now test timestamp-verification:
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
try {
@@ -414,7 +414,7 @@ public class TimestampTest extends Abstr
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setTimestampTTL(1);
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
try {
@@ -456,7 +456,7 @@ public class TimestampTest extends Abstr
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.addIgnoreBSPRule(BSPRule.R3203);
securityProperties.addIgnoreBSPRule(BSPRule.R3221);
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
try {
@@ -543,7 +543,7 @@ public class TimestampTest extends Abstr
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.addIgnoreBSPRule(BSPRule.R3203);
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
try {
@@ -583,7 +583,7 @@ public class TimestampTest extends Abstr
//done timestamp; now test timestamp-verification:
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
try {
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/UsernameTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/UsernameTokenTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/UsernameTokenTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/UsernameTokenTest.java Mon Jan 26 17:14:34 2015
@@ -128,7 +128,7 @@ public class UsernameTokenTest extends A
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl("wrongUsername"));
//securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
try {
@@ -171,7 +171,7 @@ public class UsernameTokenTest extends A
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl("username"));
//securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
SecurityEventListener securityEventListener = new SecurityEventListener() {
@Override
@@ -262,7 +262,7 @@ public class UsernameTokenTest extends A
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(req.getBytes())));
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
@@ -311,7 +311,7 @@ public class UsernameTokenTest extends A
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
try {
XMLStreamReader xmlStreamReader =
@@ -398,7 +398,7 @@ public class UsernameTokenTest extends A
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
try {
XMLStreamReader xmlStreamReader =
@@ -641,7 +641,7 @@ public class UsernameTokenTest extends A
try {
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/VulnerabliltyVectorsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/VulnerabliltyVectorsTest.java?rev=1654847&r1=1654846&r2=1654847&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/VulnerabliltyVectorsTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/VulnerabliltyVectorsTest.java Mon Jan 26 17:14:34 2015
@@ -109,12 +109,10 @@ public class VulnerabliltyVectorsTest ex
} catch (XMLStreamException e) {
Throwable throwable = e.getCause();
Assert.assertNotNull(throwable);
- Assert.assertTrue(throwable instanceof WSSecurityException);
//we expect a "No SecurityToken found" since WSS says that a token must be declared before use.
//the declare before use is in the nature of streaming xml-security and therefore expected
//Assert.assertEquals(throwable.getMessage(), "An invalid security token was provided");
Assert.assertEquals(throwable.getMessage(), "Recursive key reference detected.");
- Assert.assertEquals(((WSSecurityException) throwable).getFaultCode(), WSSecurityException.FAILED_CHECK);
}
}
@@ -196,9 +194,7 @@ public class VulnerabliltyVectorsTest ex
} catch (XMLStreamException e) {
Throwable throwable = e.getCause();
Assert.assertNotNull(throwable);
- Assert.assertTrue(throwable instanceof WSSecurityException);
Assert.assertTrue(throwable.getMessage().contains("Invalid digest of reference "));
- Assert.assertEquals(((WSSecurityException) throwable).getFaultCode(), WSSecurityException.FAILED_CHECK);
}
}
@@ -294,7 +290,7 @@ public class VulnerabliltyVectorsTest ex
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
- InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+ InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);