Posted to java-dev@axis.apache.org by ru...@apache.org on 2006/11/20 01:40:41 UTC
svn commit: r476999 - in
/webservices/axis2/branches/java/1_1/modules/security:
src/org/apache/rampart/ src/org/apache/rampart/builder/
src/org/apache/rampart/handler/config/ src/org/apache/rampart/util/
test/org/apache/rampart/
Author: ruchithf
Date: Sun Nov 19 16:40:40 2006
New Revision: 476999
URL: http://svn.apache.org/viewvc?view=rev&rev=476999
Log:
- Updated AsymmetricBindingBuilder, RampartUtil and RampartEngine to be able to correctly handle the case where we have to use DerivedKeys based on an ephemeral key.
- Deprecated InflowConfiguration and OutflowConfiguration classes
- Updated HandlerParameterDecoder to trim configuration values
Modified:
webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/RampartEngine.java
webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/RampartMessageData.java
webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/builder/AsymmetricBindingBuilder.java
webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/handler/config/InflowConfiguration.java
webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/handler/config/OutflowConfiguration.java
webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/util/HandlerParameterDecoder.java
webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/util/RampartUtil.java
webservices/axis2/branches/java/1_1/modules/security/test/org/apache/rampart/MessageBuilderTestBase.java
Modified: webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/RampartEngine.java
URL: http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/RampartEngine.java?view=diff&rev=476999&r1=476998&r2=476999
==============================================================================
--- webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/RampartEngine.java (original)
+++ webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/RampartEngine.java Sun Nov 19 16:40:40 2006
@@ -71,7 +71,7 @@
} else {
results = engine.processSecurityHeader(rmd.getDocument(),
null,
- RampartUtil.getPasswordCB(rmd),
+ new TokenCallbackHandler(rmd.getTokenStorage(), RampartUtil.getPasswordCB(rmd)),
RampartUtil.getSignatureCrypto(rpd.getRampartConfig(),
msgCtx.getAxisService().getClassLoader()),
RampartUtil.getEncryptionCrypto(rpd.getRampartConfig(),
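Review bot: The password callback is now wrapped so that WSS4J can obtain secrets from `rmd.getTokenStorage()` for whatever identifier the incoming Security header references, which makes the scope and eviction of that store security-relevant; the same commit registers the store on the ConfigurationContext (RampartMessageData hunk), so an ephemeral key added by one exchange stays resolvable process-wide until something removes it. I would confirm that TokenCallbackHandler refuses tokens that are expired or otherwise not in a valid state before releasing the secret, and document that expectation here, e.g. `// secrets are resolved from the shared TokenStorage; entries must be expired/removed once the exchange completes`. If `getPasswordCB(rmd)` can return null when no callback is configured, check that the wrapper tolerates it. The enclosing `else` branch and method begin and end outside this hunk.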
Modified: webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/RampartMessageData.java
URL: http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/RampartMessageData.java?view=diff&rev=476999&r1=476998&r2=476999
==============================================================================
--- webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/RampartMessageData.java (original)
+++ webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/RampartMessageData.java Sun Nov 19 16:40:40 2006
@@ -473,8 +473,7 @@
return this.tokenStorage;
}
- TokenStorage storage = (TokenStorage) this.msgContext
- .getConfigurationContext().getProperty(
+ TokenStorage storage = (TokenStorage) this.msgContext.getProperty(
TokenStorage.TOKEN_STORAGE_KEY);
if (storage != null) {
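Review bot: The getter now reads `TOKEN_STORAGE_KEY` from the MessageContext while the setter in the next hunk still writes it to the ConfigurationContext; this relies on `MessageContext.getProperty` walking up to the configuration context (which I believe Axis2 does, but it is not visible here), and it also allows a message-scoped property to shadow the shared store. Make the intent explicit with a comment such as `// lookup walks the context hierarchy; the store itself is registered on the ConfigurationContext by the setter below`, or read from the same scope the setter writes to. The enclosing method starts and ends outside the hunk.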
@@ -506,7 +505,7 @@
}
-// /Set the storage instance
+ //Set the storage instance
this.msgContext.getConfigurationContext().setProperty(
TokenStorage.TOKEN_STORAGE_KEY, this.tokenStorage);
}
Modified: webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/builder/AsymmetricBindingBuilder.java
URL: http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/builder/AsymmetricBindingBuilder.java?view=diff&rev=476999&r1=476998&r2=476999
==============================================================================
--- webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/builder/AsymmetricBindingBuilder.java (original)
+++ webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/builder/AsymmetricBindingBuilder.java Sun Nov 19 16:40:40 2006
@@ -19,6 +19,7 @@
import org.apache.axiom.om.OMElement;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.rahas.TrustException;
import org.apache.rampart.RampartException;
import org.apache.rampart.RampartMessageData;
import org.apache.rampart.policy.RampartPolicyData;
@@ -31,6 +32,7 @@
import org.apache.ws.security.WSEncryptionPart;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.conversation.ConversationException;
+import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.message.WSSecDKEncrypt;
import org.apache.ws.security.message.WSSecDKSign;
import org.apache.ws.security.message.WSSecEncrypt;
@@ -52,6 +54,10 @@
private WSSecSignature sig;
private WSSecEncryptedKey encrKey;
+
+ private String encryptedKeyId;
+
+ private byte[] encryptedKeyValue;
private Vector signatureValues = new Vector();
@@ -107,26 +113,12 @@
if (encryptionToken != null && encrParts.size() > 0) {
if (encryptionToken.isDerivedKeys()) {
try {
- // Set up the encrypted key to use
- encrKey = this.getEncryptedKeyBuilder(rmd, encryptionToken);
-
- Element bstElem = encrKey.getBinarySecurityTokenElement();
- if (bstElem != null) {
- // If a BST is available then use it
- RampartUtil.appendChildToSecHeader(rmd, bstElem);
- }
-
-
- // Add the EncryptedKey
- encrTokenElement = encrKey.getEncryptedKeyElement();
- this.encrTokenElement = RampartUtil.appendChildToSecHeader(rmd,
- encrTokenElement);
-
+ this.setupEncryptedKey(rmd, encryptionToken);
// Create the DK encryption builder
dkEncr = new WSSecDKEncrypt();
dkEncr.setParts(encrParts);
- dkEncr.setExternalKey(encrKey.getEphemeralKey(), encrKey
- .getId());
+ dkEncr.setExternalKey(this.encryptedKeyValue,
+ this.encryptedKeyId);
dkEncr.prepare(doc);
// Get and add the DKT element
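Review bot: This call site invokes `this.setupEncryptedKey(rmd, encryptionToken)` unconditionally, whereas the two later call sites in this file guard it with `if(this.encrKey == null)`; on the client side the helper always builds and appends a fresh EncryptedKey, so if the signature path has already produced one before this code runs (I cannot see the call order from here), a second EncryptedKey would be appended to the header and the derived keys would no longer share one secret. Consider the same guard here: `if (this.encryptedKeyId == null || this.encryptedKeyValue == null) { this.setupEncryptedKey(rmd, encryptionToken); }`. The enclosing method starts and ends outside the hunk.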
@@ -343,10 +335,10 @@
WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();
if(this.encrKey == null) {
- this.setupEncryptedKey(rmd);
+ this.setupEncryptedKey(rmd, encrToken);
}
- dkEncr.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
+ dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
dkEncr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
dkEncr.prepare(doc);
Element encrDKTokenElem = null;
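Review bot: The guard `if(this.encrKey == null)` no longer reflects the state this code consumes: the lines below use `encryptedKeyValue`/`encryptedKeyId`, and on the server-side derived-key branch of `setupEncryptedKey` the `encrKey` field is never assigned, so the guard is always true and correctness depends on the helper's early return. Guard on the values actually used, `if (this.encryptedKeyId == null || this.encryptedKeyValue == null) { this.setupEncryptedKey(rmd, encrToken); }`. The enclosing method starts and ends outside the hunk.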
@@ -429,11 +421,11 @@
if (sigToken.isDerivedKeys()) {
// Set up the encrypted key to use
if(this.encrKey == null) {
- setupEncryptedKey(rmd);
+ setupEncryptedKey(rmd, sigToken);
}
WSSecDKSign dkSign = new WSSecDKSign();
- dkSign.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
+ dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
// Set the algo info
dkSign.setSignatureAlgorithm(rpd.getAlgorithmSuite()
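Review bot: Same state mismatch as in the encryption path: `encrKey` stays null whenever `setupEncryptedKey` takes the server-side branch, so `if(this.encrKey == null)` re-enters the helper on every call and silently relies on its early-return check rather than expressing the intent. Replace it with a guard on the fields that `dkSign.setExternalKey` reads, `if (this.encryptedKeyId == null || this.encryptedKeyValue == null) { setupEncryptedKey(rmd, sigToken); }`. The enclosing method starts and ends outside the hunk.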
@@ -512,19 +504,53 @@
* @param rmd
* @throws RampartException
*/
- private void setupEncryptedKey(RampartMessageData rmd) throws RampartException {
- encrKey = this.getEncryptedKeyBuilder(rmd, sigToken);
-
- Element bstElem = encrKey.getBinarySecurityTokenElement();
- if (bstElem != null) {
- // If a BST is available then use it
- this.setInsertionLocation(RampartUtil.insertSiblingAfter(rmd,
- this.getInsertionLocation(), bstElem));
- }
+ private void setupEncryptedKey(RampartMessageData rmd, Token token)
+ throws RampartException {
+ if(!rmd.isClientSide() && token.isDerivedKeys()) {
+
+ //If we already have them, simply return
+ if(this.encryptedKeyId != null && this.encryptedKeyValue != null) {
+ return;
+ }
+
+ //Use the secret from the incoming EncryptedKey element
+ Object resultsObj = rmd.getMsgContext().getProperty(WSHandlerConstants.RECV_RESULTS);
+ if(resultsObj != null) {
+ encryptedKeyId = RampartUtil.getRequestEncryptedKeyId((Vector)resultsObj);
+ encryptedKeyValue = RampartUtil.getRequestEncryptedKeyValue((Vector)resultsObj);
+ if(encryptedKeyId == null || encryptedKeyValue == null) {
+ throw new RampartException("missingEncryptedKeyInRequest");
+ }
+ } else {
+ throw new RampartException("noSecurityResults");
+ }
+ } else {
+ //Set up the encrypted key to use
+ encrKey = this.getEncryptedKeyBuilder(rmd, token);
- // Add the EncryptedKey
- this.encrTokenElement = encrKey.getEncryptedKeyElement();
- this.setInsertionLocation(RampartUtil.insertSiblingAfter(rmd,
- this.getInsertionLocation(), encrTokenElement));
+ Element bstElem = encrKey.getBinarySecurityTokenElement();
+ if (bstElem != null) {
+ // If a BST is available then use it
+ RampartUtil.appendChildToSecHeader(rmd, bstElem);
+ }
+
+ // Add the EncryptedKey
+ encrTokenElement = encrKey.getEncryptedKeyElement();
+ this.encrTokenElement = RampartUtil.appendChildToSecHeader(rmd,
+ encrTokenElement);
+ encryptedKeyValue = encrKey.getEphemeralKey();
+ encryptedKeyId = encrKey.getId();
+
+ //Store the token for client - response verification
+ // and server - response creation
+ try {
+ org.apache.rahas.Token tok = new org.apache.rahas.Token(
+ encryptedKeyId, (OMElement)encrTokenElement , null, null);
+ tok.setSecret(encryptedKeyValue);
+ rmd.getTokenStorage().add(tok);
+ } catch (TrustException e) {
+ throw new RampartException("errorInAddingTokenIntoStore", e);
+ }
+ }
}
}
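Review bot: The client-side branch stores the raw ephemeral key (`tok.setSecret(encryptedKeyValue)`) in a `org.apache.rahas.Token` constructed with `null, null` for its last two arguments and adds it to a store that this commit registers on the ConfigurationContext; if those nulls are the created/expires timestamps (I cannot confirm from here), the secret has no expiry, nothing in the diff removes it after the response is verified, and the same bytes are also retained in the `encryptedKeyValue` field for the builder's lifetime. I would set an expiry on the token, remove it once the response has been processed, and clear the field when the builder is done. The Javadoc tail above the method still documents only `@param rmd`; add `@param token the policy token whose isDerivedKeys() setting selects between reusing the request's EncryptedKey (server side) and creating a new one`. The `(OMElement)encrTokenElement` cast presumes the DOM element is an Axiom DOOM node — worth a comment stating that assumption.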
Modified: webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/handler/config/InflowConfiguration.java
URL: http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/handler/config/InflowConfiguration.java?view=diff&rev=476999&r1=476998&r2=476999
==============================================================================
--- webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/handler/config/InflowConfiguration.java (original)
+++ webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/handler/config/InflowConfiguration.java Sun Nov 19 16:40:40 2006
@@ -29,6 +29,8 @@
/**
* This is the representation of the inflow configurations of the security
* module.
+ *
+ * @deprecated
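Review bot: The new `@deprecated` tag gives no replacement, so callers are left guessing what to migrate to; Javadoc convention is to name the successor, e.g. `@deprecated superseded by policy-based configuration ({@code RampartConfig} / {@code RampartPolicyData})`, adjusting to the exact class the project intends. If the module targets Java 5 or later, also add the `@Deprecated` annotation on the class so the compiler warns at use sites.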
*/
public class InflowConfiguration {
Modified: webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/handler/config/OutflowConfiguration.java
URL: http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/handler/config/OutflowConfiguration.java?view=diff&rev=476999&r1=476998&r2=476999
==============================================================================
--- webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/handler/config/OutflowConfiguration.java (original)
+++ webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/handler/config/OutflowConfiguration.java Sun Nov 19 16:40:40 2006
@@ -29,6 +29,8 @@
/**
* This is the representation of the outflow configurations of the security
* module.
+ *
+ * @deprecated
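Review bot: As with InflowConfiguration, the `@deprecated` tag names no replacement; state it, e.g. `@deprecated superseded by policy-based configuration ({@code RampartConfig} / {@code RampartPolicyData})`, and pair it with the `@Deprecated` annotation if the build targets Java 5 or later.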
*/
public class OutflowConfiguration {
Modified: webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/util/HandlerParameterDecoder.java
URL: http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/util/HandlerParameterDecoder.java?view=diff&rev=476999&r1=476998&r2=476999
==============================================================================
--- webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/util/HandlerParameterDecoder.java (original)
+++ webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/util/HandlerParameterDecoder.java Sun Nov 19 16:40:40 2006
@@ -94,7 +94,7 @@
Iterator childElements = actionElem.getChildElements();
while (childElements.hasNext()) {
OMElement element = (OMElement) childElements.next();
- msgCtx.setProperty(element.getLocalName(), element.getText());
+ msgCtx.setProperty(element.getLocalName(), element.getText().trim());
}
}
@@ -126,7 +126,7 @@
while (paramElements.hasNext()) {
OMElement elem = (OMElement) paramElements.next();
String localName = elem.getLocalName();
- String text = elem.getText();
+ String text = elem.getText().trim();
if(localName.equals(WSSHandlerConstants.SIGN_ALL_HEADERS)) {
signAllHeaders = true;
} else if(localName.equals(WSSHandlerConstants.SIGN_BODY)) {
@@ -171,18 +171,19 @@
OMElement element = (OMElement) childElements.next();
String localName = element.getLocalName();
+ String text = element.getText().trim();
if(localName.equals(WSHandlerConstants.PW_CALLBACK_CLASS)) {
- outflowConfiguration.setPasswordCallbackClass(element.getText());
+ outflowConfiguration.setPasswordCallbackClass(text);
} else if(localName.equals(WSHandlerConstants.SIG_PROP_FILE)) {
- outflowConfiguration.setSignaturePropFile(element.getText());
+ outflowConfiguration.setSignaturePropFile(text);
} else if(localName.equals(WSHandlerConstants.ENC_PROP_FILE)) {
- outflowConfiguration.setEncryptionPropFile(element.getText());
+ outflowConfiguration.setEncryptionPropFile(text);
} else if(localName.equals(WSHandlerConstants.ENC_CALLBACK_CLASS)) {
- outflowConfiguration.setEmbeddedKeyCallbackClass(element.getText());
+ outflowConfiguration.setEmbeddedKeyCallbackClass(text);
} else if(localName.equals(WSHandlerConstants.USER)) {
- outflowConfiguration.setUser(element.getText());
+ outflowConfiguration.setUser(text);
} else if(localName.equals(WSHandlerConstants.ENCRYPTION_USER)) {
- outflowConfiguration.setEncryptionUser(element.getText());
+ outflowConfiguration.setEncryptionUser(text);
}
}
return outflowConfiguration;
@@ -210,16 +211,18 @@
OMElement element = (OMElement) childElements.next();
String localName = element.getLocalName();
+ String text = element.getText().trim();
+
if(localName.equals(WSHandlerConstants.PW_CALLBACK_CLASS)) {
- inflowConfiguration.setPasswordCallbackClass(element.getText());
+ inflowConfiguration.setPasswordCallbackClass(text);
} else if(localName.equals(WSHandlerConstants.SIG_PROP_FILE)) {
- inflowConfiguration.setSignaturePropFile(element.getText());
+ inflowConfiguration.setSignaturePropFile(text);
} else if(localName.equals(WSHandlerConstants.DEC_PROP_FILE)) {
- inflowConfiguration.setDecryptionPropFile(element.getText());
+ inflowConfiguration.setDecryptionPropFile(text);
} else if (WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION
.equals(localName)) {
- if ("false".equals(element.getText())
- || "0".equals(element.getText())) {
+ if ("false".equals(text)
+ || "0".equals(text)) {
inflowConfiguration
.setEnableSignatureConfirmation(false);
}
Modified: webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/util/RampartUtil.java
URL: http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/util/RampartUtil.java?view=diff&rev=476999&r1=476998&r2=476999
==============================================================================
--- webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/util/RampartUtil.java (original)
+++ webservices/axis2/branches/java/1_1/modules/security/src/org/apache/rampart/util/RampartUtil.java Sun Nov 19 16:40:40 2006
@@ -627,6 +627,8 @@
Object resultsObj = rmd.getMsgContext().getProperty(WSHandlerConstants.RECV_RESULTS);
if(resultsObj != null) {
encrKeyBuilder.setUseThisCert(getReqSigCert((Vector)resultsObj));
+ } else {
+ throw new RampartException("noSecurityResults");
}
} else {
encrKeyBuilder.setUserInfo(encrUser);
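Review bot: The new `else` branch fails closed when there are no security results, but the sibling branch still passes whatever `getReqSigCert(...)` returns straight into `setUseThisCert`; if that helper yields null for a request that carried no Signature (its body is not in this hunk), the EncryptedKey builder receives a null certificate instead of a clear error. Capture the result and fail explicitly, e.g. `Object cert = getReqSigCert((Vector) resultsObj); if (cert == null) { throw new RampartException(/* message key for missing request signature cert */); } encrKeyBuilder.setUseThisCert(cert);` with the proper certificate type. The enclosing method starts and ends outside the hunk.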
@@ -660,4 +662,53 @@
return null;
}
+ public static String getRequestEncryptedKeyId(Vector results) {
+
+ for (int i = 0; i < results.size(); i++) {
+ WSHandlerResult rResult =
+ (WSHandlerResult) results.get(i);
+
+ Vector wsSecEngineResults = rResult.getResults();
+ /*
+ * Scan the results for the first Signature action. Use the
+ * certificate of this Signature to set the certificate for the
+ * encryption action :-).
+ */
+ for (int j = 0; j < wsSecEngineResults.size(); j++) {
+ WSSecurityEngineResult wser =
+ (WSSecurityEngineResult) wsSecEngineResults.get(j);
+ if (wser.getAction() == WSConstants.ENCR &&
+ wser.getEncryptedKeyId() != null) {
+ return wser.getEncryptedKeyId();
+ }
+ }
+ }
+
+ return null;
+ }
+
+ public static byte[] getRequestEncryptedKeyValue(Vector results) {
+
+ for (int i = 0; i < results.size(); i++) {
+ WSHandlerResult rResult =
+ (WSHandlerResult) results.get(i);
+
+ Vector wsSecEngineResults = rResult.getResults();
+ /*
+ * Scan the results for the first Signature action. Use the
+ * certificate of this Signature to set the certificate for the
+ * encryption action :-).
+ */
+ for (int j = 0; j < wsSecEngineResults.size(); j++) {
+ WSSecurityEngineResult wser =
+ (WSSecurityEngineResult) wsSecEngineResults.get(j);
+ if (wser.getAction() == WSConstants.ENCR &&
+ wser.getDecryptedKey() != null) {
+ return wser.getDecryptedKey();
+ }
+ }
+ }
+
+ return null;
+ }
}
Modified: webservices/axis2/branches/java/1_1/modules/security/test/org/apache/rampart/MessageBuilderTestBase.java
URL: http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_1/modules/security/test/org/apache/rampart/MessageBuilderTestBase.java?view=diff&rev=476999&r1=476998&r2=476999
==============================================================================
--- webservices/axis2/branches/java/1_1/modules/security/test/org/apache/rampart/MessageBuilderTestBase.java (original)
+++ webservices/axis2/branches/java/1_1/modules/security/test/org/apache/rampart/MessageBuilderTestBase.java Sun Nov 19 16:40:40 2006
@@ -22,11 +22,13 @@
import org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder;
import org.apache.axis2.AxisFault;
import org.apache.axis2.client.Options;
+import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.context.ServiceContext;
import org.apache.axis2.context.ServiceGroupContext;
import org.apache.axis2.description.AxisService;
import org.apache.axis2.description.OutInAxisOperation;
+import org.apache.axis2.engine.AxisConfiguration;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyEngine;
import org.apache.ws.security.WSConstants;
@@ -59,8 +61,12 @@
*/
protected MessageContext getMsgCtx() throws Exception {
MessageContext ctx = new MessageContext();
+
+ ctx.setConfigurationContext(new ConfigurationContext(new AxisConfiguration()));
AxisService axisService = new AxisService("TestService");
- ctx.setServiceContext(new ServiceContext(axisService, new ServiceGroupContext(null, null)));
+ ServiceContext serviceContext = new ServiceContext(axisService,
+ new ServiceGroupContext(null, null));
+ ctx.setServiceContext(serviceContext);
ctx.setAxisService(axisService);
ctx.setAxisOperation(new OutInAxisOperation(new QName("http://rampart.org", "test")));
Options options = new Options();
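Review bot: The test base only gains a ConfigurationContext, which is what the token-storage setter in this commit needs to avoid a null context, but nothing in the diff exercises the new server-side branch of `setupEncryptedKey` that reads `WSHandlerConstants.RECV_RESULTS`. Add a test that places a results Vector with an ENCR `WSSecurityEngineResult` carrying both an EncryptedKey Id and a decrypted key on the message context with `isClientSide()` false and checks the builder reuses them, plus one that asserts the `missingEncryptedKeyInRequest` and `noSecurityResults` failures. `getMsgCtx` continues past the end of the hunk.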