Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2009/01/06 16:44:41 UTC
svn commit: r731979 - in /webservices/wss4j/trunk:
src/org/apache/ws/security/components/crypto/
src/org/apache/ws/security/handler/ src/org/apache/ws/security/message/
src/org/apache/ws/security/message/token/
src/org/apache/ws/security/processor/ tes...
Author: coheigea
Date: Tue Jan 6 07:44:39 2009
New Revision: 731979
URL: http://svn.apache.org/viewvc?rev=731979&view=rev
Log:
Added some unit testing of Timestamps plus some code cleanup
Added:
webservices/wss4j/trunk/test/wssec/TestWSSecurityTimestamp.java (with props)
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoFactory.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecTimestamp.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/Timestamp.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java
webservices/wss4j/trunk/test/wssec/PackageTests.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java?rev=731979&r1=731978&r2=731979&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java Tue Jan 6 07:44:39 2009
@@ -59,7 +59,8 @@
* @throws CredentialException
* @throws IOException
*/
- public AbstractCrypto(Properties properties, ClassLoader loader) throws CredentialException, IOException {
+ public AbstractCrypto(Properties properties, ClassLoader loader)
+ throws CredentialException, IOException {
this.properties = properties;
if (this.properties == null) {
return;
@@ -68,8 +69,8 @@
InputStream is = null;
if (location != null) {
java.net.URL url = Loader.getResource(loader, location);
- if(url != null) {
- is = url.openStream();
+ if (url != null) {
+ is = url.openStream();
} else {
is = new java.io.FileInputStream(location);
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java?rev=731979&r1=731978&r2=731979&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java Tue Jan 6 07:44:39 2009
@@ -77,7 +77,7 @@
* <p/>
*
* @return Returns a <code>CertificateFactory</code> to construct
- * X509 certficates
+ * X509 certificates
* @throws org.apache.ws.security.WSSecurityException
*
*/
@@ -302,7 +302,7 @@
* or null if no such certificate was found.
*/
-/*
+ /*
* See comment above
*/
public String getAliasForX509Cert(Certificate cert) throws WSSecurityException {
@@ -463,10 +463,10 @@
public byte[] getSKIBytesFromCert(X509Certificate cert)
throws WSSecurityException {
/*
- * Gets the DER-encoded OCTET string for the extension value (extnValue)
- * identified by the passed-in oid String. The oid string is represented
- * by a set of positive whole numbers separated by periods.
- */
+ * Gets the DER-encoded OCTET string for the extension value (extnValue)
+ * identified by the passed-in oid String. The oid string is represented
+ * by a set of positive whole numbers separated by periods.
+ */
byte[] derEncodedValue = cert.getExtensionValue(SKI_OID);
if (cert.getVersion() < 3 || derEncodedValue == null) {
@@ -496,7 +496,7 @@
return sha.digest();
}
- /**
+ /*
* Strip away first four bytes from the DerValue (tag and length of
* ExtensionValue OCTET STRING and KeyIdentifier OCTET STRING)
*/
@@ -509,6 +509,7 @@
public KeyStore getKeyStore() {
return this.keystore;
}
+
/**
* Lookup X509 Certificates in the keystore according to a given DN of the subject of the certificate
* <p/>
@@ -527,14 +528,15 @@
Vector aliases = getAlias(subjectRDN, keystore);
//If we can't find the issuer in the keystore then look at cacerts
- if(aliases.size() == 0) {
+ if (aliases.size() == 0) {
aliases = getAlias(subjectRDN, cacerts);
}
// Convert the vector into an array
String[] result = new String[aliases.size()];
- for (int i = 0; i < aliases.size(); i++)
+ for (int i = 0; i < aliases.size(); i++) {
result[i] = (String) aliases.elementAt(i);
+ }
return result;
}
@@ -620,8 +622,7 @@
public boolean
validateCertPath(
java.security.cert.X509Certificate[] certs
- )
- throws org.apache.ws.security.WSSecurityException {
+ ) throws org.apache.ws.security.WSSecurityException {
try {
// Generate cert path
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoFactory.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoFactory.java?rev=731979&r1=731978&r2=731979&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoFactory.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoFactory.java Tue Jan 6 07:44:39 2009
@@ -44,7 +44,7 @@
* use. Thus the property <code>org.apache.ws.security.crypto.provider</code>
* must define the classname of the Crypto implementation. The file
* may contain other property definitions as well. These properties are
- * handed over to the Crypto implementation. The file
+ * handed over to the Crypto implementation. The file
* <code>crypto.properties</code> is loaded with the
* <code>Loader.getResource()</code> method.
* <p/>
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java?rev=731979&r1=731978&r2=731979&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java Tue Jan 6 07:44:39 2009
@@ -93,11 +93,13 @@
wssConfig = WSSConfig.getNewInstance();
}
- wssConfig
- .setEnableSignatureConfirmation(decodeEnableSignatureConfirmation(reqData));
+ wssConfig.setEnableSignatureConfirmation(
+ decodeEnableSignatureConfirmation(reqData)
+ );
- wssConfig
- .setPrecisionInMilliSeconds(decodeTimestampPrecision(reqData));
+ wssConfig.setPrecisionInMilliSeconds(
+ decodeTimestampPrecision(reqData)
+ );
reqData.setWssConfig(wssConfig);
Object mc = reqData.getMsgContext();
@@ -108,8 +110,9 @@
secHeader.insertSecurityHeader(doc);
reqData.setSecHeader(secHeader);
- reqData.setSoapConstants(WSSecurityUtil.getSOAPConstants(doc
- .getDocumentElement()));
+ reqData.setSoapConstants(
+ WSSecurityUtil.getSOAPConstants(doc.getDocumentElement())
+ );
/*
* Here we have action, username, password, and actor, mustUnderstand.
* Now get the action specific parameters.
@@ -220,12 +223,12 @@
}
}
}
+
/*
* If this is a request then store all signature values. Add ours to
* already gathered values because of chained handlers, e.g. for
* other actors.
*/
-
if (wssConfig.isEnableSignatureConfirmation()
&& isRequest
&& reqData.getSignatureValues().size() > 0) {
@@ -247,8 +250,9 @@
throws WSSecurityException {
WSSConfig wssConfig = WSSConfig.getNewInstance();
- wssConfig
- .setEnableSignatureConfirmation(decodeEnableSignatureConfirmation(reqData));
+ wssConfig.setEnableSignatureConfirmation(
+ decodeEnableSignatureConfirmation(reqData)
+ );
wssConfig.setTimeStampStrict(decodeTimestampStrict(reqData));
wssConfig.setHandleCustomPasswordTypes(decodeCustomPasswordTypes(reqData));
reqData.setWssConfig(wssConfig);
@@ -300,7 +304,7 @@
}
/*
- * First get all Signature value stored during sending the request
+ * First get all Signature values stored during sending the request
*/
Vector sigv = (Vector) getProperty(reqData.getMsgContext(),
WSHandlerConstants.SEND_SIGV);
@@ -327,12 +331,15 @@
byte[] sigVal = sc.getSignatureValue();
if (sigVal != null) {
if (sigv == null || sigv.size() == 0) {
- //If there are no store signature values
- if(sigVal.length != 0) {
- //If there's no value in the case where there are no
- //stored SV it is valid. Therefore if there IS a value
- //in the sig confirmation element
- throw new WSSecurityException("WSHandler: Check Signature confirmation: got a SC element, but no stored SV");
+ // If there are no stored signature values
+ if (sigVal.length != 0) {
+ // If there's no value in the case where there are no
+ // stored SV it is valid. Therefore if there IS a value
+ // in the sig confirmation element
+ throw new WSSecurityException(
+ "WSHandler: Check Signature confirmation: got a SC element, "
+ + "but no stored SV"
+ );
}
} else {
//If we have stored signature values
@@ -347,7 +354,9 @@
}
if (!found) {
throw new WSSecurityException(
- "WSHandler: Check Signature confirmation: got SC element, but no matching SV");
+ "WSHandler: Check Signature confirmation: got SC element, "
+ + "but no matching SV"
+ );
}
}
}
@@ -360,10 +369,13 @@
if (!reqData.isNoSerialization()) {
log.debug("Check Signature confirmation - last handler");
if (sigv != null && !sigv.isEmpty()) {
- throw new WSSecurityException("WSHandler: Check Signature confirmation: stored SV vector not empty");
+ throw new WSSecurityException(
+ "WSHandler: Check Signature confirmation: stored SV vector not empty"
+ );
}
}
}
+
/**
* Hook to allow subclasses to load their Signature Crypto however they see
* fit.
@@ -380,21 +392,19 @@
if (sigPropFile != null) {
crypto = (Crypto) cryptos.get(sigPropFile);
if (crypto == null) {
- crypto = CryptoFactory.getInstance(sigPropFile, this
- .getClassLoader(reqData.getMsgContext()));
+ crypto = CryptoFactory.getInstance(
+ sigPropFile, this.getClassLoader(reqData.getMsgContext()));
cryptos.put(sigPropFile, crypto);
}
- } else if (getString(WSHandlerConstants.SIG_PROP_REF_ID, reqData
- .getMsgContext()) != null) {
+ } else if (getString(WSHandlerConstants.SIG_PROP_REF_ID, reqData.getMsgContext()) != null) {
/*
- * If the property file is missing then
- * look for the Properties object
+ * If the property file is missing then look for the Properties object
*/
- String refId = getString(WSHandlerConstants.SIG_PROP_REF_ID,
- reqData.getMsgContext());
+ String refId =
+ getString(WSHandlerConstants.SIG_PROP_REF_ID, reqData.getMsgContext());
if (refId != null) {
Object propObj = getProperty(reqData.getMsgContext(), refId);
- if(propObj instanceof Properties) {
+ if (propObj instanceof Properties) {
crypto = (Crypto) cryptos.get(refId);
if (crypto == null) {
crypto = CryptoFactory.getInstance((Properties)propObj);
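Review bot: The `else if` on the SIG_PROP_REF_ID branch evaluates `getString(WSHandlerConstants.SIG_PROP_REF_ID, reqData.getMsgContext())`, then the body fetches the identical value a second time into `refId` and re-tests it, so the inner `if (refId != null)` is a dead guard and the property lookup runs twice. Fetching once before the chain, `String refId = getString(WSHandlerConstants.SIG_PROP_REF_ID, reqData.getMsgContext());`, and writing the branch as `} else if (refId != null) {` removes both. The encryption- and decryption-crypto hunks below (ENC_PROP_REF_ID and DEC_PROP_REF_ID) have the same shape and would take the same change. The enclosing method starts and ends outside this hunk.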
@@ -403,7 +413,7 @@
} else {
throw new WSSecurityException(
"WSHandler: Signature: signaturePropRefId must hold a "
- + "java.util.Properties object"
+ + "java.util.Properties object"
);
}
}
@@ -426,26 +436,24 @@
* Get encryption crypto property file. If non specified take crypto
* instance from signature, if that fails: throw fault
*/
- String encPropFile = getString(WSHandlerConstants.ENC_PROP_FILE,
- reqData.getMsgContext());
+ String encPropFile =
+ getString(WSHandlerConstants.ENC_PROP_FILE, reqData.getMsgContext());
if (encPropFile != null) {
crypto = (Crypto) cryptos.get(encPropFile);
if (crypto == null) {
- crypto = CryptoFactory.getInstance(encPropFile, this
- .getClassLoader(reqData.getMsgContext()));
+ crypto =
+ CryptoFactory.getInstance(encPropFile, this.getClassLoader(reqData.getMsgContext()));
cryptos.put(encPropFile, crypto);
}
- } else if (getString(WSHandlerConstants.ENC_PROP_REF_ID, reqData
- .getMsgContext()) != null) {
+ } else if (getString(WSHandlerConstants.ENC_PROP_REF_ID, reqData.getMsgContext()) != null) {
/*
- * If the property file is missing then
- * look for the Properties object
+ * If the property file is missing then look for the Properties object
*/
- String refId = getString(WSHandlerConstants.ENC_PROP_REF_ID,
- reqData.getMsgContext());
- if(refId != null) {
+ String refId =
+ getString(WSHandlerConstants.ENC_PROP_REF_ID, reqData.getMsgContext());
+ if (refId != null) {
Object propObj = getProperty(reqData.getMsgContext(), refId);
- if(propObj instanceof Properties) {
+ if (propObj instanceof Properties) {
crypto = (Crypto) cryptos.get(refId);
if (crypto == null) {
crypto = CryptoFactory.getInstance((Properties)propObj);
@@ -454,7 +462,7 @@
} else {
throw new WSSecurityException(
"WSHandler: Encryption: encryptionPropRefId must hold a"
- + " java.util.Properties object"
+ + " java.util.Properties object"
);
}
}
@@ -472,11 +480,11 @@
String type = getString(WSHandlerConstants.PASSWORD_TYPE, mc);
if (type != null) {
- if(WSConstants.PW_TEXT.equals(type)) {
+ if (WSConstants.PW_TEXT.equals(type)) {
reqData.setPwType(WSConstants.PASSWORD_TEXT);
- } else if(WSConstants.PW_DIGEST.equals(type)) {
+ } else if (WSConstants.PW_DIGEST.equals(type)) {
reqData.setPwType(WSConstants.PASSWORD_DIGEST);
- } else if(WSConstants.PW_NONE.equals(type)) {
+ } else if (WSConstants.PW_NONE.equals(type)) {
// No password requested.
reqData.setPwType(null);
} else {
@@ -585,10 +593,15 @@
String mu =
getString(WSHandlerConstants.MUST_UNDERSTAND, reqData.getMsgContext());
- if (mu == null) {return true;}
-
- if ("0".equals(mu) || "false".equals(mu)) {return false;}
- if ("1".equals(mu) || "true".equals(mu)) {return true;}
+ if (mu == null) {
+ return true;
+ }
+ if ("0".equals(mu) || "false".equals(mu)) {
+ return false;
+ }
+ if ("1".equals(mu) || "true".equals(mu)) {
+ return true;
+ }
throw new WSSecurityException(
"WSHandler: illegal mustUnderstand parameter"
@@ -617,10 +630,15 @@
String value = getString(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION,
reqData.getMsgContext());
- if (value == null) {return true;}
-
- if ("0".equals(value) || "false".equals(value)) {return false;}
- if ("1".equals(value) || "true".equals(value)) {return true;}
+ if (value == null) {
+ return true;
+ }
+ if ("0".equals(value) || "false".equals(value)) {
+ return false;
+ }
+ if ("1".equals(value) || "true".equals(value)) {
+ return true;
+ }
throw new WSSecurityException(
"WSHandler: illegal enableSignatureConfirmation parameter"
@@ -632,10 +650,15 @@
String value = getString(WSHandlerConstants.TIMESTAMP_PRECISION,
reqData.getMsgContext());
- if (value == null) {return true;}
-
- if ("0".equals(value) || "false".equals(value)) {return false;}
- if ("1".equals(value) || "true".equals(value)) {return true;}
+ if (value == null) {
+ return true;
+ }
+ if ("0".equals(value) || "false".equals(value)) {
+ return false;
+ }
+ if ("1".equals(value) || "true".equals(value)) {
+ return true;
+ }
throw new WSSecurityException(
"WSHandler: illegal precisionInMilliSeconds parameter"
@@ -649,10 +672,15 @@
reqData.getMsgContext()
);
- if (value == null) {return false;}
-
- if ("0".equals(value) || "false".equals(value)) {return false;}
- if ("1".equals(value) || "true".equals(value)) {return true;}
+ if (value == null) {
+ return false;
+ }
+ if ("0".equals(value) || "false".equals(value)) {
+ return false;
+ }
+ if ("1".equals(value) || "true".equals(value)) {
+ return true;
+ }
throw new WSSecurityException(
"WSHandler: illegal handleCustomPasswordTypes parameter"
@@ -664,10 +692,15 @@
String value = getString(WSHandlerConstants.TIMESTAMP_STRICT,
reqData.getMsgContext());
- if (value == null) {return true;}
-
- if ("0".equals(value) || "false".equals(value)) {return false;}
- if ("1".equals(value) || "true".equals(value)) {return true;}
+ if (value == null) {
+ return true;
+ }
+ if ("0".equals(value) || "false".equals(value)) {
+ return false;
+ }
+ if ("1".equals(value) || "true".equals(value)) {
+ return true;
+ }
throw new WSSecurityException(
"WSHandler: illegal timestampStrict parameter"
@@ -719,21 +752,21 @@
Class cbClass = null;
CallbackHandler cbHandler = null;
try {
- cbClass = Loader.loadClass(getClassLoader(requestData
- .getMsgContext()), callback);
+ cbClass =
+ Loader.loadClass(getClassLoader(requestData.getMsgContext()), callback);
} catch (ClassNotFoundException e) {
- throw new WSSecurityException("WSHandler: cannot load password callback class: "
- + callback,
- e);
+ throw new WSSecurityException(
+ "WSHandler: cannot load password callback class: " + callback, e
+ );
}
try {
cbHandler = (CallbackHandler) cbClass.newInstance();
} catch (Exception e) {
- throw new WSSecurityException("WSHandler: cannot create instance of password callback: "
- + callback,
- e);
+ throw new WSSecurityException(
+ "WSHandler: cannot create instance of password callback: " + callback, e
+ );
}
- return (performCallback(cbHandler, username, doAction));
+ return performCallback(cbHandler, username, doAction);
}
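Review bot: Loading and instantiating the password callback class here is duplicated, down to the two error messages, by the getPasswordCB hunk later in this commit (the one with `PW_CALLBACK_REF`), and the two copies already drift in how the catch is spelled (`Exception` here, `java.lang.Exception` there). A private `loadCallbackHandler(String callback, ClassLoader loader)` returning the `CallbackHandler` would keep both paths and their messages in one place. Note also that the cast `(CallbackHandler) cbClass.newInstance()` sits inside the `catch (Exception e)`, so a configured class that is not a CallbackHandler is reported as "cannot create instance of password callback", hiding the real cause; a check such as `if (!CallbackHandler.class.isAssignableFrom(cbClass))` with its own message before instantiating would make the misconfiguration obvious. The enclosing method starts outside this hunk.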
/**
@@ -818,13 +851,9 @@
}
String element = partDef[2].trim();
if (doDebug) {
- log.debug("partDefs: '"
- + mode
- + "' ,'"
- + nmSpace
- + "' ,'"
- + element
- + "'");
+ log.debug(
+ "partDefs: '" + mode + "' ,'" + nmSpace + "' ,'" + element + "'"
+ );
}
encPart = new WSEncryptionPart(element, nmSpace, mode);
} else {
@@ -883,26 +912,24 @@
throws WSSecurityException {
Crypto crypto = null;
- String decPropFile = getString(WSHandlerConstants.DEC_PROP_FILE,
- reqData.getMsgContext());
+ String decPropFile =
+ getString(WSHandlerConstants.DEC_PROP_FILE, reqData.getMsgContext());
if (decPropFile != null) {
crypto = (Crypto) cryptos.get(decPropFile);
if (crypto == null) {
- crypto = CryptoFactory.getInstance(decPropFile, this
- .getClassLoader(reqData.getMsgContext()));
+ crypto =
+ CryptoFactory.getInstance(decPropFile, this.getClassLoader(reqData.getMsgContext()));
cryptos.put(decPropFile, crypto);
}
- } else if (getString(WSHandlerConstants.DEC_PROP_REF_ID, reqData
- .getMsgContext()) != null) {
+ } else if (getString(WSHandlerConstants.DEC_PROP_REF_ID, reqData.getMsgContext()) != null) {
/*
- * If the property file is missing then
- * look for the Properties object
+ * If the property file is missing then look for the Properties object
*/
- String refId = getString(WSHandlerConstants.DEC_PROP_REF_ID,
- reqData.getMsgContext());
- if(refId != null) {
+ String refId =
+ getString(WSHandlerConstants.DEC_PROP_REF_ID, reqData.getMsgContext());
+ if (refId != null) {
Object propObj = getProperty(reqData.getMsgContext(), refId);
- if(propObj instanceof Properties) {
+ if (propObj instanceof Properties) {
crypto = (Crypto) cryptos.get(refId);
if (crypto == null) {
crypto = CryptoFactory.getInstance((Properties)propObj);
@@ -911,7 +938,7 @@
} else {
throw new WSSecurityException(
"WSHandler: Decrytion: decryptionPropRefId must hold a"
- + " java.util.Properties object"
+ + " java.util.Properties object"
);
}
}
@@ -960,26 +987,27 @@
if (callback != null) {
Class cbClass = null;
try {
- cbClass = Loader.loadClass(getClassLoader(reqData
- .getMsgContext()), callback);
+ cbClass =
+ Loader.loadClass(getClassLoader(reqData.getMsgContext()), callback);
} catch (ClassNotFoundException e) {
throw new WSSecurityException(
- "WSHandler: cannot load password callback class: "
- + callback, e);
+ "WSHandler: cannot load password callback class: " + callback, e
+ );
}
try {
cbHandler = (CallbackHandler) cbClass.newInstance();
} catch (java.lang.Exception e) {
throw new WSSecurityException(
- "WSHandler: cannot create instance of password callback: "
- + callback, e);
+ "WSHandler: cannot create instance of password callback: " + callback, e
+ );
}
} else {
- cbHandler = (CallbackHandler) getProperty(mc,
- WSHandlerConstants.PW_CALLBACK_REF);
+ cbHandler =
+ (CallbackHandler) getProperty(mc, WSHandlerConstants.PW_CALLBACK_REF);
if (cbHandler == null) {
throw new WSSecurityException(
- "WSHandler: no reference in callback property");
+ "WSHandler: no reference in callback property"
+ );
}
}
return cbHandler;
@@ -993,10 +1021,12 @@
* 1. Search the keystore for the transmitted certificate
* 2. Search the keystore for a connection to the transmitted certificate
* (that is, search for certificate(s) of the issuer of the transmitted certificate
- * 3. Verify the trust path for those certificates found because the search for the issuer might be fooled by a phony DN (String!)
+ * 3. Verify the trust path for those certificates found because the search for the issuer
+ * might be fooled by a phony DN (String!)
*
* @param cert the certificate that should be validated against the keystore
- * @return true if the certificate is trusted, false if not (AxisFault is thrown for exceptions during CertPathValidation)
+ * @return true if the certificate is trusted, false if not (AxisFault is thrown for exceptions
+ * during CertPathValidation)
* @throws WSSecurityException
*/
protected boolean verifyTrust(X509Certificate cert, RequestData reqData)
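Review bot: The rewrapped `@return` still says `AxisFault is thrown for exceptions during CertPathValidation`, which contradicts the `@throws WSSecurityException` tag two lines below and the `throw new WSSecurityException(...)` wrappers the later hunks of this method use for alias lookup and path validation failures. Suggest `@return true if the certificate is trusted, false if not` together with `@throws WSSecurityException if a keystore lookup or the certificate path validation fails`, and a `@param reqData` tag for the second parameter, which the Javadoc never mentions. The method body is outside this hunk.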
@@ -1017,7 +1047,10 @@
if (doDebug) {
log.debug("WSHandler: Transmitted certificate has subject " + subjectString);
- log.debug("WSHandler: Transmitted certificate has issuer " + issuerString + " (serial " + issuerSerial + ")");
+ log.debug(
+ "WSHandler: Transmitted certificate has issuer " + issuerString
+ + " (serial " + issuerSerial + ")"
+ );
}
// FIRST step
@@ -1027,7 +1060,9 @@
try {
alias = reqData.getSigCrypto().getAliasForX509Cert(issuerString, issuerSerial);
} catch (WSSecurityException ex) {
- throw new WSSecurityException("WSHandler: Could not get alias for certificate with " + subjectString, ex);
+ throw new WSSecurityException(
+ "WSHandler: Could not get alias for certificate with " + subjectString, ex
+ );
}
if (alias != null) {
@@ -1035,7 +1070,9 @@
try {
certs = reqData.getSigCrypto().getCertificates(alias);
} catch (WSSecurityException ex) {
- throw new WSSecurityException("WSHandler: Could not get certificates for alias " + alias, ex);
+ throw new WSSecurityException(
+ "WSHandler: Could not get certificates for alias " + alias, ex
+ );
}
// If certificates have been found, the certificates must be compared
@@ -1048,7 +1085,10 @@
}
} else {
if (doDebug) {
- log.debug("No alias found for subject from issuer with " + issuerString + " (serial " + issuerSerial + ")");
+ log.debug(
+ "No alias found for subject from issuer with " + issuerString
+ + " (serial " + issuerSerial + ")"
+ );
}
}
@@ -1059,14 +1099,19 @@
try {
aliases = reqData.getSigCrypto().getAliasesForDN(issuerString);
} catch (WSSecurityException ex) {
- throw new WSSecurityException("WSHandler: Could not get alias for certificate with " + issuerString, ex);
+ throw new WSSecurityException(
+ "WSHandler: Could not get alias for certificate with " + issuerString, ex
+ );
}
// If the alias has not been found, the issuer is not in the keystore
// As a direct result, do not trust the transmitted certificate
if (aliases == null || aliases.length < 1) {
if (doDebug) {
- log.debug("No aliases found in keystore for issuer " + issuerString + " of certificate for " + subjectString);
+ log.debug(
+ "No aliases found in keystore for issuer " + issuerString
+ + " of certificate for " + subjectString
+ );
}
return false;
}
@@ -1077,20 +1122,27 @@
alias = aliases[i];
if (doDebug) {
- log.debug("Preparing to validate certificate path with alias " + alias + " for issuer " + issuerString);
+ log.debug(
+ "Preparing to validate certificate path with alias " + alias
+ + " for issuer " + issuerString
+ );
}
// Retrieve the certificate(s) for the alias from the keystore
try {
certs = reqData.getSigCrypto().getCertificates(alias);
} catch (WSSecurityException ex) {
- throw new WSSecurityException("WSHandler: Could not get certificates for alias " + alias, ex);
+ throw new WSSecurityException(
+ "WSHandler: Could not get certificates for alias " + alias, ex
+ );
}
// If no certificates have been found, there has to be an error:
// The keystore can find an alias but no certificate(s)
if (certs == null || certs.length < 1) {
- throw new WSSecurityException("WSHandler: Could not get certificates for alias " + alias);
+ throw new WSSecurityException(
+ "WSHandler: Could not get certificates for alias " + alias
+ );
}
// Form a certificate chain from the transmitted certificate
@@ -1105,27 +1157,38 @@
}
certs = x509certs;
- // Use the validation method from the crypto to check whether the subjects certificate was really signed by the issuer stated in the certificate
+ // Use the validation method from the crypto to check whether the subjects'
+ // certificate was really signed by the issuer stated in the certificate
try {
if (reqData.getSigCrypto().validateCertPath(certs)) {
if (doDebug) {
- log.debug("WSHandler: Certificate path has been verified for certificate with subject " + subjectString);
+ log.debug(
+ "WSHandler: Certificate path has been verified for certificate "
+ + "with subject " + subjectString
+ );
}
return true;
}
} catch (WSSecurityException ex) {
- throw new WSSecurityException("WSHandler: Certificate path verification failed for certificate with subject " + subjectString, ex);
+ throw new WSSecurityException(
+ "WSHandler: Certificate path verification failed for certificate "
+ + "with subject " + subjectString, ex
+ );
}
}
- log.debug("WSHandler: Certificate path could not be verified for certificate with subject " + subjectString);
+ if (doDebug) {
+ log.debug(
+ "WSHandler: Certificate path could not be verified for "
+ + "certificate with subject " + subjectString
+ );
+ }
return false;
}
/**
- * Evaluate whether a timestamp is considered valid on receiverside. Hook to
- * allow subclasses to implement custom validation methods however they see
- * fit.
+ * Evaluate whether a timestamp is considered valid on the receivers' side. Hook to
+ * allow subclasses to implement custom validation methods however they see fit.
*
* Policy used in this implementation:
*
@@ -1137,7 +1200,7 @@
* @param timestamp
* the timestamp that is validated
* @param timeToLive
- * the limit on receiverside, the timestamp is validated against
+ * the limit on the receivers' side, that the timestamp is validated against
* @return true if the timestamp is before (now-timeToLive), false otherwise
* @throws WSSecurityException
*/
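Review bot: The `@return` line, `true if the timestamp is before (now-timeToLive), false otherwise`, reads as the opposite of what a time-to-live check enforces (a Created time older than now-timeToLive is the stale case); the method body is outside the hunk, so confirm against it, and if the body returns false for stale timestamps the tag should read `@return false if the timestamp's Created time is before (now-timeToLive), true otherwise`. Separately, the new wording `the receivers' side` here and in the preceding hunk's summary is a plural possessive; `the receiver's side` is meant.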
@@ -1218,19 +1281,6 @@
}
}
-// /**
-// * Returns the classloader to be used for loading the callback class
-// *
-// * @return class loader
-// */
-// public ClassLoader getClassLoader() {
-// try {
-// return Loader.getTCL();
-// } catch (Throwable t) {
-// return null;
-// }
-// }
-
/**
* Returns the classloader to be used for loading the callback class
* @param msgCtx The MessageContext
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecTimestamp.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecTimestamp.java?rev=731979&r1=731978&r2=731979&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecTimestamp.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecTimestamp.java Tue Jan 6 07:44:39 2009
@@ -66,7 +66,7 @@
* value is not suitable.
*
* @param doc
- * The SOAP enevlope as W3C document
+ * The SOAP envelope as W3C document
*/
public void prepare(Document doc) {
ts = new Timestamp(wssConfig.isPrecisionInMilliSeconds(), doc, timeToLive);
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/Timestamp.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/Timestamp.java?rev=731979&r1=731978&r2=731979&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/token/Timestamp.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/token/Timestamp.java Tue Jan 6 07:44:39 2009
@@ -73,19 +73,19 @@
WSConstants.WSU_NS.equals(currentChild.getNamespaceURI())) {
if (strCreated == null) {
strCreated = ((Text) ((Element) currentChild).getFirstChild()).getData();
- }
- else {
- throw new WSSecurityException(WSSecurityException.INVALID_SECURITY,
- "invalidTimestamp");
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "invalidTimestamp"
+ );
}
} else if (WSConstants.EXPIRES_LN.equals(currentChild.getLocalName()) &&
WSConstants.WSU_NS.equals(currentChild.getNamespaceURI())) {
if (strExpires == null) {
strExpires = ((Text) ((Element) currentChild).getFirstChild()).getData();
- }
- else {
- throw new WSSecurityException(WSSecurityException.INVALID_SECURITY,
- "invalidTimestamp");
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "invalidTimestamp"
+ );
}
} else {
customElements.add((Element) currentChild);
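Review bot: `((Text) ((Element) currentChild).getFirstChild()).getData()` assumes wsu:Created has a text node as its first child; an empty `<wsu:Created/>` makes `getFirstChild()` return null and a comment or element child makes the `Text` cast fail, so a malformed received header escapes as a NullPointerException or ClassCastException instead of the `invalidTimestamp` WSSecurityException that the duplicate-element case two lines later raises. The wsu:Expires branch in this hunk uses the same expression. A small helper that validates the child before reading it keeps both sites on the WSSecurityException path (this assumes currentChild is a DOM Node, as its use here suggests); the enclosing constructor starts and ends outside the hunk.
```java
// … unchanged: element/namespace test for wsu:Created …
if (strCreated == null) {
    strCreated = textContentOf(currentChild);
} else {
// … unchanged: duplicate-element error; wsu:Expires branch uses textContentOf likewise …

/**
 * Returns the text content of a wsu:Created or wsu:Expires element.
 *
 * @throws WSSecurityException if the element is empty or its first child is not text
 */
private static String textContentOf(Node node) throws WSSecurityException {
    Node child = node.getFirstChild();
    if (!(child instanceof Text)) {
        throw new WSSecurityException(
            WSSecurityException.INVALID_SECURITY, "invalidTimestamp"
        );
    }
    return ((Text) child).getData();
}
```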
@@ -105,9 +105,8 @@
expires.setTime(zulu.parse(strExpires));
}
} catch (ParseException e) {
- throw new WSSecurityException(WSSecurityException.INVALID_SECURITY,
- "invalidTimestamp",
- null, e);
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "invalidTimestamp", null, e);
}
}
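Review bot: `zulu.parse(strExpires)` (and the Created parse just above, outside the hunk) is a prefix parse: `DateFormat.parse(String)` stops at the first character it cannot consume rather than failing, and a SimpleDateFormat left at its default leniency rolls out-of-range fields over instead of rejecting them, so a malformed received timestamp can be accepted as a different instant than the one written. `zulu` is constructed outside this hunk, so confirm its type; if it is a SimpleDateFormat, `zulu.setLenient(false);` at construction plus a full-consumption check through `parse(String, ParsePosition)` would route such input to the same `invalidTimestamp` error the ParseException branch here already produces.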
@@ -133,8 +132,7 @@
DateFormat zulu = null;
if (milliseconds) {
zulu = new XmlSchemaDateFormat();
- }
- else {
+ } else {
zulu = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
zulu.setTimeZone(TimeZone.getTimeZone("UTC"));
}
@@ -240,8 +238,7 @@
}
/**
- * Returns the value of the wsu:Id attribute
- * @return TODO
+ * @return the value of the wsu:Id attribute
*/
public String getID() {
return this.element.getAttributeNS(WSConstants.WSU_NS, "Id");
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java?rev=731979&r1=731978&r2=731979&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java Tue Jan 6 07:44:39 2009
@@ -48,7 +48,7 @@
/*
* Decode Timestamp, add the found time (created/expiry) to result
*/
- Timestamp timestamp = new Timestamp((Element) elem);
+ Timestamp timestamp = new Timestamp(elem);
handleTimestamp(timestamp);
returnResults.add(0,
new WSSecurityEngineResult(WSConstants.TS,
@@ -76,13 +76,16 @@
}
// Validate whether the security semantics have expired
- Calendar rightNow = Calendar.getInstance();
Calendar exp = timestamp.getExpires();
- if (exp != null && wssConfig.isTimeStampStrict() && exp.before(rightNow)) {
- throw new WSSecurityException(
+ if (exp != null && wssConfig.isTimeStampStrict()) {
+ Calendar rightNow = Calendar.getInstance();
+ if (exp.before(rightNow)) {
+ throw new WSSecurityException(
WSSecurityException.MESSAGE_EXPIRED,
"invalidTimestamp",
- new Object[] { "The security semantics of message have expired" });
+ new Object[] { "The security semantics of the message have expired" }
+ );
+ }
}
}
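Review bot: The expiry comparison now runs only when `wssConfig.isTimeStampStrict()` is set, so in non-strict mode an already-expired Expires value is accepted with no trace at all; an `else` branch with a debug log, or at least a comment such as `// Non-strict mode accepts expired timestamps; callers that need freshness must enable timeStampStrict`, would make that explicit. Nothing in this hunk checks that Created is not later than Expires or not in the future; the start of handleTimestamp is outside the hunk, so that may be handled earlier, but it is worth confirming. `exp.before(rightNow)` also allows no clock-skew tolerance, so a sender clock a few seconds behind the receiver's rejects otherwise valid messages — acceptable as a policy, but worth documenting on the method.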
Modified: webservices/wss4j/trunk/test/wssec/PackageTests.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/PackageTests.java?rev=731979&r1=731978&r2=731979&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/PackageTests.java (original)
+++ webservices/wss4j/trunk/test/wssec/PackageTests.java Tue Jan 6 07:44:39 2009
@@ -84,6 +84,7 @@
suite.addTestSuite(TestWSSecurityWSS60.class);
suite.addTestSuite(TestWSSecurityWSS86.class);
suite.addTestSuite(TestWSSecurityKerberosTokenProfile.class);
+ suite.addTestSuite(TestWSSecurityTimestamp.class);
return suite;
}
Added: webservices/wss4j/trunk/test/wssec/TestWSSecurityTimestamp.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityTimestamp.java?rev=731979&view=auto
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityTimestamp.java (added)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityTimestamp.java Tue Jan 6 07:44:39 2009
@@ -0,0 +1,312 @@
+/*
+ * Copyright 2003-2004 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package wssec;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+import org.apache.axis.Message;
+import org.apache.axis.MessageContext;
+import org.apache.axis.client.AxisClient;
+import org.apache.axis.configuration.NullProvider;
+import org.apache.axis.message.SOAPEnvelope;
+import org.apache.axis.utils.XMLUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.handler.WSHandler;
+import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.message.WSSecTimestamp;
+import org.apache.ws.security.message.token.Timestamp;
+import org.w3c.dom.Document;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.io.PrintWriter;
+import java.util.Vector;
+
+/**
+ * WS-Security Test Case for Timestamps.
+ */
+public class TestWSSecurityTimestamp extends TestCase {
+ private static Log log = LogFactory.getLog(TestWSSecurityTimestamp.class);
+ static final String NS = "http://www.w3.org/2000/09/xmldsig#";
+ static final String soapMsg = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" + "<SOAP-ENV:Body>" + "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">" + "<value xmlns=\"\">15</value>" + "</add>" + "</SOAP-ENV:Body>\r\n \r\n" + "</SOAP-ENV:Envelope>";
+ static final WSSecurityEngine secEngine = new WSSecurityEngine();
+
+ MessageContext msgContext;
+ SOAPEnvelope unsignedEnvelope;
+
+ /**
+ * TestWSSecurity constructor
+ * <p/>
+ *
+ * @param name name of the test
+ */
+ public TestWSSecurityTimestamp(String name) {
+ super(name);
+ }
+
+ /**
+ * JUnit suite
+ * <p/>
+ *
+ * @return a junit test suite
+ */
+ public static Test suite() {
+ return new TestSuite(TestWSSecurityTimestamp.class);
+ }
+
+ /**
+ * Main method
+ * <p/>
+ *
+ * @param args command line args
+ */
+ public static void main(String[] args) {
+ junit.textui.TestRunner.run(suite());
+ }
+
+ /**
+ * Setup method
+ * <p/>
+ *
+ * @throws java.lang.Exception Thrown when there is a problem in setup
+ */
+ protected void setUp() throws Exception {
+ AxisClient tmpEngine = new AxisClient(new NullProvider());
+ msgContext = new MessageContext(tmpEngine);
+ unsignedEnvelope = getSOAPEnvelope();
+ }
+
+ /**
+ * Constructs a soap envelope
+ * <p/>
+ *
+ * @return soap envelope
+ * @throws java.lang.Exception if there is any problem constructing the soap envelope
+ */
+ protected SOAPEnvelope getSOAPEnvelope() throws Exception {
+ InputStream in = new ByteArrayInputStream(soapMsg.getBytes());
+ Message msg = new Message(in);
+ msg.setMessageContext(msgContext);
+ return msg.getSOAPEnvelope();
+ }
+
+
+ /**
+ * This is a test for processing a valid Timestamp.
+ */
+ public void testValidTimestamp() throws Exception {
+
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecTimestamp timestamp = new WSSecTimestamp();
+ timestamp.setTimeToLive(300);
+ Document createdDoc = timestamp.build(doc, secHeader);
+
+ Message msg = SOAPUtil.toAxisMessage(createdDoc);
+ if (log.isDebugEnabled()) {
+ XMLUtils.PrettyElementToWriter(msg.getSOAPEnvelope().getAsDOM(), new PrintWriter(System.out));
+ }
+
+ createdDoc = msg.getSOAPEnvelope().getAsDocument();
+ //
+ // Do some processing
+ //
+ Vector wsResult = verify(createdDoc);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(wsResult, WSConstants.TS);
+ assertTrue(actionResult != null);
+
+ Timestamp receivedTimestamp =
+ (Timestamp)actionResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
+ assertTrue(receivedTimestamp != null);
+
+ MyHandler myHandler = new MyHandler();
+ if (!myHandler.publicVerifyTimestamp(receivedTimestamp, 300)) {
+ fail("The timestamp could not be validated");
+ }
+ }
+
+
+ /**
+ * This is a test for processing a valid Timestamp with no expires element
+ */
+ public void testValidTimestampNoExpires() throws Exception {
+
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecTimestamp timestamp = new WSSecTimestamp();
+ timestamp.setTimeToLive(0);
+ Document createdDoc = timestamp.build(doc, secHeader);
+
+ Message msg = SOAPUtil.toAxisMessage(createdDoc);
+ if (log.isDebugEnabled()) {
+ XMLUtils.PrettyElementToWriter(msg.getSOAPEnvelope().getAsDOM(), new PrintWriter(System.out));
+ }
+
+ createdDoc = msg.getSOAPEnvelope().getAsDocument();
+ //
+ // Do some processing
+ //
+ Vector wsResult = verify(createdDoc);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(wsResult, WSConstants.TS);
+ assertTrue(actionResult != null);
+
+ Timestamp receivedTimestamp =
+ (Timestamp)actionResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
+ assertTrue(receivedTimestamp != null);
+
+ MyHandler myHandler = new MyHandler();
+ if (!myHandler.publicVerifyTimestamp(receivedTimestamp, 300)) {
+ fail("The timestamp could not be validated");
+ }
+ }
+
+
+ /**
+ * This is a test for processing an expired Timestamp.
+ */
+ public void testExpiredTimestamp() throws Exception {
+
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecTimestamp timestamp = new WSSecTimestamp();
+ timestamp.setTimeToLive(-1);
+ Document createdDoc = timestamp.build(doc, secHeader);
+
+ Message msg = SOAPUtil.toAxisMessage(createdDoc);
+ if (log.isDebugEnabled()) {
+ XMLUtils.PrettyElementToWriter(msg.getSOAPEnvelope().getAsDOM(), new PrintWriter(System.out));
+ }
+
+ createdDoc = msg.getSOAPEnvelope().getAsDocument();
+ try {
+ //
+ // Note that "expired" verification is done in the TimestampProcessor, whereas
+ // "created" verification is done in the WSHandler
+ //
+ verify(createdDoc);
+ fail("Expected failure on an expired timestamp");
+ } catch (WSSecurityException ex) {
+ assertTrue(ex.getErrorCode() == WSSecurityException.MESSAGE_EXPIRED);
+ }
+ }
+
+
+ /**
+ * This is a test for processing an "old" Timestamp, i.e. one with a "Created" element that is
+ * out of date
+ */
+ public void testOldTimestamp() throws Exception {
+
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecTimestamp timestamp = new WSSecTimestamp();
+ Document createdDoc = timestamp.build(doc, secHeader);
+
+ Message msg = SOAPUtil.toAxisMessage(createdDoc);
+ if (log.isDebugEnabled()) {
+ XMLUtils.PrettyElementToWriter(msg.getSOAPEnvelope().getAsDOM(), new PrintWriter(System.out));
+ }
+
+ createdDoc = msg.getSOAPEnvelope().getAsDocument();
+ //
+ // Do some processing
+ //
+ Vector wsResult = verify(createdDoc);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(wsResult, WSConstants.TS);
+ assertTrue(actionResult != null);
+
+ Timestamp receivedTimestamp =
+ (Timestamp)actionResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
+ assertTrue(receivedTimestamp != null);
+
+ MyHandler myHandler = new MyHandler();
+ if (myHandler.publicVerifyTimestamp(receivedTimestamp, -1)) {
+ fail("The timestamp validation should have failed");
+ }
+ }
+
+
+ /**
+ * Verifies the soap envelope
+ *
+ * @param env soap envelope
+ * @throws java.lang.Exception Thrown when there is a problem in verification
+ */
+ private Vector verify(Document doc) throws Exception {
+ return secEngine.processSecurityHeader(doc, null, null, null);
+ }
+
+ /**
+ * a trivial extension of the WSHandler type
+ */
+ public static class MyHandler extends WSHandler {
+
+ public Object
+ getOption(String key) {
+ return null;
+ }
+
+ public void
+ setProperty(
+ Object msgContext,
+ String key,
+ Object value
+ ) {
+ }
+
+ public Object
+ getProperty(Object ctx, String key) {
+ return null;
+ }
+
+ public void
+ setPassword(Object msgContext, String password) {
+ }
+
+ public String
+ getPassword(Object msgContext) {
+ return null;
+ }
+
+ boolean publicVerifyTimestamp(
+ Timestamp timestamp,
+ int ttl
+ ) throws org.apache.ws.security.WSSecurityException {
+ return verifyTimestamp(timestamp, ttl);
+ }
+ }
+
+}
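Review bot: `soapMsg.getBytes()` in `getSOAPEnvelope` encodes with the platform default charset even though the message declares UTF-8; `soapMsg.getBytes("UTF-8")` makes the test independent of the JVM's file.encoding. The new tests also leave the non-strict configuration untested: the TimestampProcessor change in this commit only throws MESSAGE_EXPIRED when `wssConfig.isTimeStampStrict()` is true, so a case that builds an expired timestamp with strict mode off and asserts that it is accepted would pin that behaviour. A one-line comment on `testValidTimestampNoExpires` stating that a TTL of 0 presumably yields no Expires element, and that the processor accepts such a timestamp, would also make the intent of that test explicit.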
Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityTimestamp.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityTimestamp.java
------------------------------------------------------------------------------
svn:keywords = Rev Date