Posted to rampart-dev@ws.apache.org by na...@apache.org on 2009/07/07 12:43:31 UTC
svn commit: r791787 - in
/webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart:
PolicyBasedResultsValidator.java util/RampartUtil.java
Author: nandana
Date: Tue Jul 7 10:43:31 2009
New Revision: 791787
URL: http://svn.apache.org/viewvc?rev=791787&view=rev
Log:
RAMPART-232 Applying the patch from Stefan with some minor modifications; some of the fixes in the patch are already available on the trunk.
Modified:
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
Modified: webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java?rev=791787&r1=791786&r2=791787&view=diff
==============================================================================
--- webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java (original)
+++ webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java Tue Jul 7 10:43:31 2009
@@ -17,6 +17,8 @@
package org.apache.rampart;
import org.apache.axiom.soap.SOAPEnvelope;
+import org.apache.axiom.om.xpath.AXIOMXPath;
+import org.apache.axiom.om.OMNamespace;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.rampart.policy.RampartPolicyData;
@@ -28,6 +30,8 @@
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
+import org.jaxen.XPath;
+import org.jaxen.JaxenException;
import javax.xml.namespace.QName;
import java.math.BigInteger;
@@ -390,6 +394,45 @@
ArrayList encrRefs = getEncryptedReferences(results);
RampartPolicyData rpd = rmd.getPolicyData();
+
+ // build the list of encrypted nodes based on the dataRefs xpath expressions
+ SOAPEnvelope envelope = rmd.getMsgContext().getEnvelope();
+ Set namespaces = RampartUtil.findAllPrefixNamespaces(envelope,
+ rpd.getDeclaredNamespaces());
+
+ Map decryptedElements = new HashMap();
+ for (int i = 0; i < encrRefs.size() ; i++) {
+ WSDataRef dataRef = (WSDataRef)encrRefs.get(i);
+
+ if(dataRef == null || dataRef.getXpath() == null) {
+ continue;
+ }
+
+ try {
+ XPath xp = new AXIOMXPath(dataRef.getXpath());
+
+ Iterator nsIter = namespaces.iterator();
+
+ while (nsIter.hasNext())
+ {
+ OMNamespace tmpNs = (OMNamespace)nsIter.next();
+ xp.addNamespace(tmpNs.getPrefix(), tmpNs.getNamespaceURI());
+ }
+
+ Iterator nodesIterator = xp.selectNodes(envelope).iterator();
+
+ while (nodesIterator.hasNext()) {
+ decryptedElements.put(nodesIterator.next(), Boolean.valueOf(dataRef.isContent()));
+ }
+
+
+ } catch (JaxenException e) {
+ // This has to be changed to propagate an instance of a RampartException up
+ throw new RampartException("An error occurred while searching for decrypted elements.", e);
+ }
+
+ }
+
//Check for encrypted body
if(rpd.isEncryptBody()) {
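Review bot: The comment inside the catch block at the end of the loop is stale — the code directly below it already throws a RampartException, so nothing remains "to be changed to propagate" one — and the identical stale comment appears again in the next hunk (the encrypted-parts check); replace both with something like `// the data ref's XPath could not be compiled or evaluated against this envelope`. The message handed to that constructor is a literal English sentence, while the other RampartException in this file is raised with the key `"encryptedPartMissing"`; if RampartException resolves its first argument through a resource bundle, this text should become a key as well. `decryptedElements.put` also overwrites silently when two data refs select the same node, so the last ref's content/element flag wins; a one-line comment saying that is intended (or a check that the flags agree) would help the next reader. The enclosing method starts before and ends after this hunk.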
@@ -418,14 +461,41 @@
}
continue;
}
-
- if (encPart.getEncId() == null) {
- throw new RampartException("encryptedPartMissing",
- new String[]{encPart.getNamespace()+":"+encPart.getName()});
- } else if (!isRefIdPresent(encrRefs, encPart.getEncId())) {
- throw new RampartException("encryptedPartMissing",
- new String[]{encPart.getNamespace()+":"+encPart.getName()});
- }
+
+ // it is not a header or body part... verify encrypted xpath elements
+ String xpath = encPart.getXpath();
+ boolean found = false;
+ try {
+ XPath xp = new AXIOMXPath(xpath);
+ Iterator nsIter = namespaces.iterator();
+
+ while (nsIter.hasNext()) {
+ OMNamespace tmpNs = (OMNamespace) nsIter.next();
+ xp.addNamespace(tmpNs.getPrefix(), tmpNs.getNamespaceURI());
+ }
+
+ Iterator nodesIterator = xp.selectNodes(envelope).iterator();
+
+ while (nodesIterator.hasNext()) {
+ Object result = decryptedElements.get(nodesIterator.next());
+ if (result != null &&
+ ("Element".equals(encPart.getEncModifier())
+ ^ ((Boolean) result).booleanValue())) {
+ found = true;
+ break;
+ }
+ }
+
+ if (!found) {
+ throw new RampartException("encryptedPartMissing",
+ new String[]{xpath});
+ }
+
+
+ } catch (JaxenException e) {
+ // This has to be changed to propagate an instance of a RampartException up
+ throw new RampartException("An error occurred while searching for decrypted elements.", e);
+ }
}
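Review bot: `encPart.getXpath()` is passed to `new AXIOMXPath(xpath)` without a null check, so a WSEncryptionPart that reaches this branch without an XPath (a part built through a path that never calls setXpath, or one supplied by other code) would fail with a NullPointerException or a parser JaxenException instead of the policy-level error the old code produced. Add before the try: `if (xpath == null) { throw new RampartException("encryptedPartMissing", new String[]{encPart.getNamespace()+":"+encPart.getName()}); }`. The match test `"Element".equals(encPart.getEncModifier()) ^ ((Boolean) result).booleanValue()` is correct but reads as a puzzle; naming the intent, e.g. `boolean expectContent = !"Element".equals(encPart.getEncModifier());` and then comparing `expectContent == ((Boolean) result).booleanValue()`, makes the element-versus-content matching explicit. The enclosing loop and method continue outside this hunk.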
Modified: webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java?rev=791787&r1=791786&r2=791787&view=diff
==============================================================================
--- webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java (original)
+++ webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java Tue Jul 7 10:43:31 2009
@@ -810,7 +810,7 @@
return getPartsAndElements(true, envelope, rpd.isSignBody(), rpd.getSignedParts(), rpd.getSignedElements(), rpd.getDeclaredNamespaces());
}
- private static Set findAllPrefixNamespaces(OMElement currentElement, HashMap decNamespacess)
+ public static Set findAllPrefixNamespaces(OMElement currentElement, HashMap decNamespacess)
{
Set results = new HashSet();
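Review bot: findAllPrefixNamespaces becomes public here but still has no Javadoc, and as an exported utility (the validator now calls it) it should state its contract. From its use in PolicyBasedResultsValidator the returned Set holds OMNamespace entries that are registered on an XPath before evaluation; a Javadoc along the lines of `/** Collects the namespaces to register for XPath evaluation: those found from {@code currentElement} together with the policy's declared namespaces. @return a Set of OMNamespace */` would cover that (the traversal itself is outside this hunk, so describe it only as far as the body supports). The parameter name `decNamespacess` looks like a typo for `decNamespaces` and can be renamed without affecting callers. The method body continues past the end of the hunk.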
@@ -896,7 +896,12 @@
{
OMElement e = (OMElement)nodesIter.next();
- WSEncryptionPart encryptedElem = new WSEncryptionPart(e.getLocalName(), e.getNamespace().getNamespaceURI(), "Content");
+ WSEncryptionPart encryptedElem = new WSEncryptionPart(e.getLocalName(),
+ e.getNamespace().getNamespaceURI(),
+ "Content",
+ WSConstants.PART_TYPE_ELEMENT);
+
+ encryptedElem.setXpath(expression);
OMAttribute wsuId = e.getAttribute(new QName(WSConstants.WSU_NS, "Id"));
if ( wsuId != null ) {
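Review bot: The construct-then-setXpath sequence added here is repeated in the next hunk (the `sign` and `else` branches around the `-1015` hunk), giving three copies of the same four lines that differ only in the "Content"/"Element" modifier. A small private helper keeps the three sites in step and makes it hard to forget `setXpath` on a future fourth site, which matters because the validator now relies on that XPath being present. The enclosing loop and method start and end outside this hunk.
```java
// helper, placed next to the other private static utilities in RampartUtil
private static WSEncryptionPart newXPathPart(OMElement e, String modifier, String expression) {
    WSEncryptionPart part = new WSEncryptionPart(e.getLocalName(),
            e.getNamespace().getNamespaceURI(), modifier, WSConstants.PART_TYPE_ELEMENT);
    part.setXpath(expression);
    return part;
}

// … unchanged: nodesIter loop …
WSEncryptionPart encryptedElem = newXPathPart(e, "Content", expression);
```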
@@ -1015,10 +1020,15 @@
OMElement e = (OMElement)nodesIter.next();
if (sign) {
- result.add(new WSEncryptionPart(e.getLocalName(), e.getNamespace().getNamespaceURI(), "Content", WSConstants.PART_TYPE_ELEMENT));
- } else {
-
- WSEncryptionPart encryptedElem = new WSEncryptionPart(e.getLocalName(), e.getNamespace().getNamespaceURI(), "Element",WSConstants.PART_TYPE_ELEMENT);
+ WSEncryptionPart encryptedElem = new WSEncryptionPart(e.getLocalName(), e.getNamespace().getNamespaceURI(), "Content", WSConstants.PART_TYPE_ELEMENT);
+ encryptedElem.setXpath(expression);
+ result.add(encryptedElem);
+
+ } else {
+
+ WSEncryptionPart encryptedElem = new WSEncryptionPart(e.getLocalName(), e.getNamespace().getNamespaceURI(), "Element", WSConstants.PART_TYPE_ELEMENT);
+ encryptedElem.setXpath(expression);
+
OMAttribute wsuId = e.getAttribute(new QName(WSConstants.WSU_NS, "Id"));
if ( wsuId != null ) {
@@ -1400,13 +1410,13 @@
}
// Checking for signed parts and elements
- if (rpd.isSignBody() || rpd.getSignedParts().size() != 0 &&
+ if (rpd.isSignBody() || rpd.getSignedParts().size() != 0 ||
rpd.getSignedElements().size() != 0) {
return true;
}
// Checking for encrypted parts and elements
- if (rpd.isEncryptBody() || rpd.getEncryptedParts().size() != 0 &&
+ if (rpd.isEncryptBody() || rpd.getEncryptedParts().size() != 0 ||
rpd.getEncryptedElements().size() != 0 ) {
return true;
}
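Review bot: The corrected conditions are right, but `size() != 0` on both the signed and the encrypted check reads better as `!isEmpty()` (assuming the getters return a Collection, which the `size()` call suggests): `if (rpd.isSignBody() || !rpd.getSignedParts().isEmpty() || !rpd.getSignedElements().isEmpty())`, and likewise for the encrypted-parts line. A short comment above each, such as `// any signed body, part or element means a signature is required`, would also record the intent the original `&&` got wrong. The enclosing method starts and ends outside this hunk.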
@@ -1470,9 +1480,13 @@
Element encHeader = (Element)encDataElem.getParentNode();
String encHeaderId = encHeader.getAttributeNS(WSConstants.WSU_NS, "Id");
- signedParts.remove(signedPart);
- WSEncryptionPart encHeaderToSign = new WSEncryptionPart(encHeaderId);
- signedParts.add(encHeaderToSign);
+ //For some reason the id might not be available
+ // so the part/element with empty/null id won't be recognized afterwards.
+ if (encHeaderId != null && !"".equals(encHeaderId.trim())) {
+ signedParts.remove(signedPart);
+ WSEncryptionPart encHeaderToSign = new WSEncryptionPart(encHeaderId);
+ signedParts.add(encHeaderToSign);
+ }
}
}