Posted to commits@cxf.apache.org by co...@apache.org on 2015/03/13 15:18:40 UTC
cxf git commit: Refactoring of the CryptoCoverageChecker stuff
Repository: cxf
Updated Branches:
refs/heads/master e47f87b16 -> dfecaa60e
Refactoring of the CryptoCoverageChecker stuff
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/dfecaa60
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/dfecaa60
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/dfecaa60
Branch: refs/heads/master
Commit: dfecaa60ea6082fda8f2959c083ba2f2f7a03112
Parents: e47f87b
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Mar 13 14:18:18 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Mar 13 14:18:18 2015 +0000
----------------------------------------------------------------------
.../security/wss4j/CryptoCoverageChecker.java | 59 ++++++++----------
.../ws/security/wss4j/CryptoCoverageUtil.java | 63 ++------------------
.../wss4j/PolicyBasedWSS4JInInterceptor.java | 2 +-
3 files changed, 29 insertions(+), 95 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/dfecaa60/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
index b5a0d97..9a71a9e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
@@ -51,7 +51,6 @@ import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
/**
* Utility to enable the checking of WS-Security signature/encryption
@@ -66,12 +65,12 @@ public class CryptoCoverageChecker extends AbstractSoapInterceptor {
* that must be covered. See {@link #prefixMap}
* for namespace prefixes available.
*/
- protected List<XPathExpression> xPaths = new ArrayList<XPathExpression>();
+ protected List<XPathExpression> xPaths = new ArrayList<>();
/**
* Mapping of namespace prefixes to namespace URIs.
*/
- protected Map<String, String> prefixMap = new HashMap<String, String>();
+ protected Map<String, String> prefixMap = new HashMap<>();
private boolean checkFaults = true;
@@ -132,43 +131,33 @@ public class CryptoCoverageChecker extends AbstractSoapInterceptor {
throw new SoapFault("Error obtaining SOAP document", Fault.FAULT_CODE_CLIENT);
}
- final Collection<WSDataRef> signed = new HashSet<WSDataRef>();
- final Collection<WSDataRef> encrypted = new HashSet<WSDataRef>();
+ final Collection<WSDataRef> signed = new HashSet<>();
+ final Collection<WSDataRef> encrypted = new HashSet<>();
List<WSHandlerResult> results = CastUtils.cast(
(List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
- for (final WSHandlerResult wshr : results) {
- final List<WSSecurityEngineResult> wsSecurityEngineSignResults =
- WSSecurityUtil.fetchAllActionResults(wshr.getResults(), WSConstants.SIGN);
-
- final List<WSSecurityEngineResult> wsSecurityEngineEncResults =
- WSSecurityUtil.fetchAllActionResults(wshr.getResults(), WSConstants.ENCR);
-
- for (WSSecurityEngineResult wser : wsSecurityEngineSignResults) {
-
- List<WSDataRef> sl = CastUtils.cast((List<?>) wser
- .get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
- if (sl != null) {
- if (sl.size() == 1
- && sl.get(0).getName().equals(new QName(WSConstants.SIG_NS, WSConstants.SIG_LN))) {
- //endorsing the signature so don't include
- break;
- }
-
- for (WSDataRef r : sl) {
- signed.add(r);
+ // Get all encrypted and signed references
+ for (WSHandlerResult wshr : results) {
+ for (WSSecurityEngineResult result : wshr.getResults()) {
+ Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt == WSConstants.SIGN) {
+ List<WSDataRef> sl =
+ CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ if (sl != null) {
+ if (sl.size() == 1
+ && sl.get(0).getName().equals(new QName(WSConstants.SIG_NS, WSConstants.SIG_LN))) {
+ //endorsing the signature so don't include
+ continue;
+ }
+
+ signed.addAll(sl);
}
- }
- }
-
- for (WSSecurityEngineResult wser : wsSecurityEngineEncResults) {
- List<WSDataRef> el = CastUtils.cast((List<?>) wser
- .get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
-
- if (el != null) {
- for (WSDataRef r : el) {
- encrypted.add(r);
+ } else if (actInt == WSConstants.ENCR) {
+ List<WSDataRef> el =
+ CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ if (el != null) {
+ encrypted.addAll(el);
}
}
}
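Review bot: The comparison `actInt == WSConstants.SIGN` on the `Integer actInt` line unboxes `actInt`, so a WSSecurityEngineResult whose TAG_ACTION entry is null now throws a NullPointerException out of the coverage check rather than the SoapFault the rest of this method raises; the removed WSSecurityUtil.fetchAllActionResults call used to sit between this loop and that map lookup, and whether it tolerated a null action I cannot tell from the hunk. Assuming WSConstants.SIGN is an int constant, the unboxed comparison is otherwise correct, but the null case deserves an explicit decision: `if (actInt == null) { continue; }` before the first `if` keeps an unrecognised result out of both `signed` and `encrypted`, which is the fail-closed direction for a coverage checker, while a comment at that line should say so. The same applies to the `else if (actInt == WSConstants.ENCR)` branch. The enclosing method starts before the hunk and its closing braces lie after it.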
http://git-wip-us.apache.org/repos/asf/cxf/blob/dfecaa60/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
index fde339c..c2dba48 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
@@ -22,7 +22,6 @@ package org.apache.cxf.ws.security.wss4j;
import java.util.Arrays;
import java.util.Collection;
-import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
@@ -68,14 +67,11 @@ public final class CryptoCoverageUtil {
public static void reconcileEncryptedSignedRefs(final Collection<WSDataRef> signedRefs,
final Collection<WSDataRef> encryptedRefs) {
- final List<WSDataRef> encryptedSignedRefs = new LinkedList<WSDataRef>();
+ final List<WSDataRef> encryptedSignedRefs = new LinkedList<>();
for (WSDataRef encryptedRef : encryptedRefs) {
- final Iterator<WSDataRef> signedRefsIt = signedRefs.iterator();
- while (signedRefsIt.hasNext()) {
- final WSDataRef signedRef = signedRefsIt.next();
-
- if (isSignedEncryptionRef(encryptedRef, signedRef)) {
+ for (WSDataRef signedRef : signedRefs) {
+ if (signedRef.getProtectedElement() == encryptedRef.getEncryptedElement()) {
final WSDataRef encryptedSignedRef = new WSDataRef();
encryptedSignedRef.setWsuId(signedRef.getWsuId());
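Review bot: The new match `signedRef.getProtectedElement() == encryptedRef.getEncryptedElement()` replaces the wsu:Id string comparison and ENC_NS namespace check of the deleted isSignedEncryptionRef with DOM reference identity, and a comment at the `for (WSDataRef signedRef : signedRefs)` line should record that, because `==` between two accessor results reads like a dropped `equals` to the next maintainer: `// Match on DOM node identity, not wsu:Id strings: the signed element must be the very EncryptedData/EncryptedKey node that was decrypted.` Whether getEncryptedElement() is populated for every encryption WSDataRef is not visible in the hunk; if both accessors can return null, two nulls compare equal and yield a spurious encryptedSignedRef, so `signedRef.getProtectedElement() != null && ...` is a cheap guard if that guarantee is not documented on WSDataRef. reconcileEncryptedSignedRefs continues past the hunk on both sides.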
@@ -84,11 +80,7 @@ public final class CryptoCoverageUtil {
encryptedSignedRef.setName(encryptedRef.getName());
encryptedSignedRef.setProtectedElement(encryptedRef
.getProtectedElement());
- // This value is the ID of the encrypted element, not
- // the value of the ID in the decrypted content
- // (WSS4J 1.5.8). Therefore, passing it along does
- // not provide much value.
- //encryptedSignedRef.setWsuId(encryptedRef.getWsuId());
+
encryptedSignedRef.setXpath(encryptedRef.getXpath());
encryptedSignedRefs.add(encryptedSignedRef);
@@ -350,53 +342,6 @@ public final class CryptoCoverageUtil {
}
}
- /**
- * Determines if {@code signedRef} points to the encrypted content represented by
- * {@code encryptedRef} using the following algorithm.
- *
- * <ol>
- * <li>Check that the signed content is an XML Encryption element.</li>
- * <li>Check that the reference Ids of the signed content and encrypted content
- * (not the decrypted version of the encrypted content) match. Check that the
- * reference Id of the signed content matches the reference Id of the encrypted
- * content prepended with a #.
- * <li>Check for other Id attributes on the signed element that may match the
- * referenced identifier for the encrypted content. This is a workaround for
- * WSS-242.</li>
- * </ol>
- *
- * @param encryptedRef the ref representing the encrpted content
- * @param signedRef the ref representing the signed content
- */
- private static boolean isSignedEncryptionRef(WSDataRef encryptedRef, WSDataRef signedRef) {
-
- // Don't even bother if the signed element wasn't an XML Enc element.
- if (!WSConstants.ENC_NS.equals(signedRef.getProtectedElement()
- .getNamespaceURI())) {
- return false;
- }
-
- if (signedRef.getWsuId().equals(encryptedRef.getWsuId())
- || signedRef.getWsuId().equals("#" + encryptedRef.getWsuId())) {
- return true;
- }
-
- // There should be no other Ids on an EncryptedData or EncryptedKey element;
- // however, WSS4J will happily add them on the outbound side. See WSS-242.
- // The following code looks for the specific behavior that exists in
- // 1.5.8 and earlier version.
-
- String wsuId = signedRef.getProtectedElement().getAttributeNS(
- WSConstants.WSU_NS, "Id");
-
- if (signedRef.getWsuId().equals(wsuId)
- || signedRef.getWsuId().equals("#" + wsuId)) {
- return true;
- }
-
- return false;
- }
-
private static boolean matchElement(Collection<WSDataRef> refs,
CoverageType type, CoverageScope scope, Element el) {
final boolean content;
http://git-wip-us.apache.org/repos/asf/cxf/blob/dfecaa60/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 47629d3..116e2a0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -720,7 +720,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
//
// Pre-fetch various results
//
- final List<Integer> actions = new ArrayList<Integer>(2);
+ final List<Integer> actions = new ArrayList<Integer>(3);
actions.add(WSConstants.SIGN);
actions.add(WSConstants.UT_SIGN);
actions.add(WSConstants.ST_SIGNED);