Posted to java-commits@axis.apache.org by ve...@apache.org on 2017/02/06 10:24:19 UTC
svn commit: r1781868 - in
/axis/axis2/java/rampart/branches/RAMPART-401/modules:
rampart-core/src/main/java/org/apache/rampart/
rampart-tests/src/test/java/org/apache/rampart/
rampart-tests/test-resources/policy/
Author: veithen
Date: Mon Feb 6 10:24:19 2017
New Revision: 1781868
URL: http://svn.apache.org/viewvc?rev=1781868&view=rev
Log:
RAMPART-401: Apply patch provided by Nathan Clement.
Added:
axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/test-resources/policy/rampart-hashed-password.xml
axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/test-resources/policy/soapmessage-stale-username-token.xml
Modified:
axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties
axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/src/test/java/org/apache/rampart/PolicyAssertionsTest.java
Modified: axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java?rev=1781868&r1=1781867&r2=1781868&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java Mon Feb 6 10:24:19 2017
@@ -31,6 +31,7 @@ import org.apache.ws.security.components
import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.ws.security.util.XmlSchemaDateFormat;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
@@ -39,7 +40,10 @@ import org.jaxen.JaxenException;
import javax.xml.namespace.QName;
import java.math.BigInteger;
+import java.security.KeyStore;
import java.security.cert.X509Certificate;
+import java.text.DateFormat;
+import java.text.ParseException;
import java.util.*;
public class PolicyBasedResultsValidator implements ExtendedPolicyValidatorCallbackHandler {
@@ -285,17 +289,18 @@ public class PolicyBasedResultsValidator
throws RampartException {
//Check for UsernameToken
- RampartPolicyData rpd = data.getRampartMessageData().getPolicyData();
+ RampartMessageData rmd = data.getRampartMessageData();
+ RampartPolicyData rpd = rmd.getPolicyData();
List<SupportingToken> supportingTokens = rpd.getSupportingTokensList();
for (SupportingToken suppTok : supportingTokens) {
- handleSupportingTokens(results, suppTok);
+ handleSupportingTokens(results, suppTok, rmd);
}
SupportingToken signedSuppToken = rpd.getSignedSupportingTokens();
- handleSupportingTokens(results, signedSuppToken);
+ handleSupportingTokens(results, signedSuppToken, rmd);
SupportingToken signedEndSuppToken = rpd.getSignedEndorsingSupportingTokens();
- handleSupportingTokens(results, signedEndSuppToken);
+ handleSupportingTokens(results, signedEndSuppToken, rmd);
SupportingToken endSuppToken = rpd.getEndorsingSupportingTokens();
- handleSupportingTokens(results, endSuppToken);
+ handleSupportingTokens(results, endSuppToken, rmd);
}
/**
@@ -303,7 +308,10 @@ public class PolicyBasedResultsValidator
* @param suppTok
* @throws RampartException
*/
- protected void handleSupportingTokens(List<WSSecurityEngineResult> results, SupportingToken suppTok) throws RampartException {
+ protected void handleSupportingTokens(List<WSSecurityEngineResult> results,
+ SupportingToken suppTok,
+ RampartMessageData rmd)
+ throws RampartException {
if(suppTok == null) {
return;
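Review bot: The Javadoc directly above the new signature still documents only `@param suppTok` and `@throws RampartException`; the added `rmd` parameter gets no entry, although it is what the method now uses to resolve the configured timestamp skew. Add `@param rmd the message data used to look up the allowed timestamp skew` next to the existing tag. The body of handleSupportingTokens continues outside this hunk.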
@@ -335,7 +343,9 @@ public class PolicyBasedResultsValidator
throw new RampartException("invalidUsernameTokenType");
}
-
+ if (!verifyUsernameTokenTimestamp(wssUt, rmd)) {
+ throw new RampartException("cannotValidateTimestamp");
+ }
} else if (token instanceof IssuedToken) {
//TODO is is enough to check for ST_UNSIGNED results ??
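Review bot: The new guard throws `RampartException("cannotValidateTimestamp")`, but the errors.properties hunk in this commit only adds the `invalidDateTime` key; unless `cannotValidateTimestamp` is already defined elsewhere in that file, the fault will carry a missing-resource message instead of the intended text. The test's fail() string ("The timestamp could not be validated.") suggests the key exists, but it is worth confirming rather than relying on it. The enclosing handleSupportingTokens body both starts and ends outside this hunk.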
@@ -710,7 +720,37 @@ public class PolicyBasedResultsValidator
return true;
}
+
+ /*
+ * Verify that ut->Created is not before or after 'now' (accounting for clock skew)
+ */
+ protected boolean verifyUsernameTokenTimestamp(
+ org.apache.ws.security.message.token.UsernameToken token, RampartMessageData rmd) throws RampartException {
+
+ String createdString = token.getCreated();
+ if (createdString != null && createdString.length() > 0) {
+ try {
+ DateFormat zulu = new XmlSchemaDateFormat();
+ Date createdTime = zulu.parse(createdString);
+
+ long now = Calendar.getInstance().getTimeInMillis();
+ // adjust 'now' with allowed timeskew
+ long maxSkew = RampartUtil.getTimestampMaxSkew(rmd);
+ maxSkew = maxSkew < 0 ? 0 : maxSkew;
+ maxSkew *= 1000;
+
+ // fail if ts->Created is after or before 'now' (accounting for clock skew)
+ if (createdTime.getTime() > now + maxSkew || createdTime.getTime() < now - maxSkew) {
+ return false;
+ }
+ } catch (ParseException e) {
+ throw new RampartException("invalidDateTime", new Object[] {createdString});
+ }
+ }
+ return true;
+ }
+
/**
* Evaluate whether a given certificate should be trusted.
* Hook to allow subclasses to implement custom validation methods however they see fit.
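Review bot: verifyUsernameTokenTimestamp returns true whenever `token.getCreated()` is null or empty, so a UsernameToken that omits wsu:Created skips the freshness window entirely; if that leniency is intended it should be stated in the method comment, otherwise the branch should reject or be made policy-driven. The same `maxSkew` value bounds both sides of the window, so it also acts as the token's effective time-to-live; a comment such as `// maxSkew is the only freshness bound: a Created older than the skew is rejected as stale` would make that explicit, and it is worth confirming what RampartUtil.getTimestampMaxSkew returns when no skew is configured, since a zero default would reject everything but an exact-millisecond match. Minor style: the header is a plain `/* */` block rather than Javadoc, the parameter type is spelled fully qualified instead of imported, and `Calendar.getInstance().getTimeInMillis()` can simply be `System.currentTimeMillis()`.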
Modified: axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties?rev=1781868&r1=1781867&r2=1781868&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties (original)
+++ axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties Mon Feb 6 10:24:19 2017
@@ -104,3 +104,4 @@ invalidNonceLifeTime = Invalid value for
invalidIssuerAddress = Invalid value for Issuer
invalidSignatureAlgo=Invalid signature algorithm for Asymmetric binding
invalidUsernameTokenType = Invalid UsernameToken Type.
+invalidDateTime = Invalid XML dateTime {0}
\ No newline at end of file
Modified: axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/src/test/java/org/apache/rampart/PolicyAssertionsTest.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/src/test/java/org/apache/rampart/PolicyAssertionsTest.java?rev=1781868&r1=1781867&r2=1781868&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/src/test/java/org/apache/rampart/PolicyAssertionsTest.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/src/test/java/org/apache/rampart/PolicyAssertionsTest.java Mon Feb 6 10:24:19 2017
@@ -19,6 +19,8 @@ import org.apache.axis2.context.MessageC
import org.apache.neethi.Policy;
import java.io.ByteArrayInputStream;
+import java.io.FileInputStream;
+import java.io.InputStream;
public class PolicyAssertionsTest extends MessageBuilderTestBase {
@@ -78,6 +80,41 @@ public class PolicyAssertionsTest extend
} catch (RampartException expected) {
// Ignore intentionally as the test is supposed to throw an exception
}
+
+ }
+
+ public void testStaleUsernameToken() throws Exception {
+
+ MessageContext ctx = getMsgCtx();
+
+ String policyXml = "test-resources/policy/rampart-hashed-password.xml";
+ Policy policy = loadPolicy(policyXml);
+
+ ctx.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
+
+ ctx.getOptions().setUserName( "Ron" );
+ ctx.getOptions().setPassword( "noR" );
+
+ // Building the SOAP envelope from the OMElement
+ SOAPBuilder soapBuilder = new SOAPBuilder();
+ InputStream inStream =
+ new FileInputStream("test-resources/policy/soapmessage-stale-username-token.xml");
+ SOAPEnvelope env = (SOAPEnvelope) soapBuilder.processDocument(inStream, "text/xml", ctx);
+ ctx.setEnvelope(env);
+
+ ctx.setServerSide(true);
+
+ ctx.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy);
+ ctx.setProperty(WSHandlerConstants.PW_CALLBACK_REF, new TestCBHandler());
+
+ RampartEngine engine = new RampartEngine();
+
+ try {
+ engine.process(ctx);
+ fail(" This should have thrown RampartException: The timestamp could not be validated.");
+ } catch (RampartException expected) {
+ // Ignore intentionally as the test is supposed to throw an exception
+ }
}
}
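Review bot: The `catch (RampartException expected)` in testStaleUsernameToken accepts any RampartException, so the test also passes if processing fails for an unrelated reason (digest mismatch, policy error) and never actually proves the stale-Created path; assert on the exception, e.g. `assertTrue(expected.getMessage(), expected.getMessage().contains("timestamp"))` if the `cannotValidateTimestamp` message reads as the fail() string suggests. The `FileInputStream` opened for the envelope is never closed; wrap it in try/finally (or try-with-resources if the module targets Java 7+). `ctx.setProperty(RampartMessageData.KEY_RAMPART_POLICY, policy)` is called twice in the method; the second call is redundant.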
Added: axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/test-resources/policy/rampart-hashed-password.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/test-resources/policy/rampart-hashed-password.xml?rev=1781868&view=auto
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/test-resources/policy/rampart-hashed-password.xml (added)
+++ axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/test-resources/policy/rampart-hashed-password.xml Mon Feb 6 10:24:19 2017
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<wsp:Policy wsu:Id="UTOverTransport"
+ xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:HashPassword/>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:SignedSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+</wsp:Policy>
Added: axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/test-resources/policy/soapmessage-stale-username-token.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/test-resources/policy/soapmessage-stale-username-token.xml?rev=1781868&view=auto
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/test-resources/policy/soapmessage-stale-username-token.xml (added)
+++ axis/axis2/java/rampart/branches/RAMPART-401/modules/rampart-tests/test-resources/policy/soapmessage-stale-username-token.xml Mon Feb 6 10:24:19 2017
@@ -0,0 +1,17 @@
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:axis2="http://ws.apache.org/namespaces/axis2" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <soapenv:Header xmlns:fabrikam="http://example.com/fabrikam">
+ <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soapenv:mustUnderstand="1">
+ <wsse:UsernameToken wsu:Id="UsernameToken-23">
+ <wsse:Username>Ron</wsse:Username>
+ <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">6AAnvDR1kc48ztQV9+wxyWY92M4=</wsse:Password>
+ <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">8b+d7vyjy+qqHf3ElGFehQ==</wsse:Nonce>
+ <wsu:Created>2013-03-07T00:29:44.106Z</wsu:Created>
+ </wsse:UsernameToken>
+ </wsse:Security>
+ </soapenv:Header>
+ <soapenv:Body>
+ <ns1:getBalance xmlns:ns1="http://localhost:8081/axis/services/BankPort" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+ <accountNo href="#id0" />
+ </ns1:getBalance>
+ </soapenv:Body>
+</soapenv:Envelope>