Posted to commits@cxf.apache.org by co...@apache.org on 2014/02/25 12:07:48 UTC
git commit: Allow tokens that are encrypted before being signed
Repository: cxf
Updated Branches:
refs/heads/master 98347e4ee -> 2d9257621
Allow tokens that are encrypted before being signed
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2d925762
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2d925762
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2d925762
Branch: refs/heads/master
Commit: 2d92576212e60146e57c1050fa9a63342fe05bee
Parents: 98347e4
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Feb 25 10:59:22 2014 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Feb 25 11:00:40 2014 +0000
----------------------------------------------------------------------
.../AbstractSupportingTokenPolicyValidator.java | 30 ++++++++++++++++++--
1 file changed, 27 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2d925762/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index 0fe5766..93cb1f6 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -794,7 +794,8 @@ public abstract class AbstractSupportingTokenPolicyValidator
List<WSDataRef> dataRefs =
CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
for (WSDataRef dataRef : dataRefs) {
- if (token == dataRef.getProtectedElement()) {
+ if (token == dataRef.getProtectedElement()
+ || isEncryptedTokenSigned(token, dataRef)) {
return true;
}
}
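Review bot: The new disjunct `|| isEncryptedTokenSigned(token, dataRef)` changes what "signed" means for this loop without saying so at the call site; a reader has to go to the helper to learn that a signature reference pointing at an `xenc:EncryptedData` whose Id matches the wsu:Id of an encrypted data ref protecting the token is now accepted. A one-line comment above the condition would carry that, e.g. `// a token encrypted before signing is covered via its EncryptedData element`. The loop itself still iterates `dataRefs` without a null guard, while the new helper null-checks its own `encryptedDataRefs` and `isTokenEncrypted` treats a missing TAG_DATA_REF_URIS as "not protected"; if that result key can be absent here too, an `if (dataRefs == null) { continue; }` before the loop would make the three places consistent. The enclosing method starts outside the hunk, so its signature and any earlier guards are not visible from here.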
@@ -802,13 +803,36 @@ public abstract class AbstractSupportingTokenPolicyValidator
return false;
}
+ private boolean isEncryptedTokenSigned(Element token, WSDataRef signedRef) {
+ if (signedRef.getProtectedElement() != null
+ && "EncryptedData".equals(signedRef.getProtectedElement().getLocalName())
+ && WSConstants.ENC_NS.equals(signedRef.getProtectedElement().getNamespaceURI())) {
+ String encryptedDataId =
+ signedRef.getProtectedElement().getAttributeNS(null, "Id");
+ for (WSSecurityEngineResult result : encryptedResults) {
+ List<WSDataRef> encryptedDataRefs =
+ CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ if (encryptedDataRefs != null) {
+ for (WSDataRef encryptedDataRef : encryptedDataRefs) {
+ if (token == encryptedDataRef.getProtectedElement()
+ && (encryptedDataRef.getWsuId() != null
+ && encryptedDataRef.getWsuId().equals(encryptedDataId))) {
+ return true;
+ }
+ }
+ }
+ }
+ }
+ return false;
+ }
+
/**
* Return true if a token was encrypted, false otherwise.
*/
private boolean isTokenEncrypted(Element token) {
- for (WSSecurityEngineResult signedResult : encryptedResults) {
+ for (WSSecurityEngineResult result : encryptedResults) {
List<WSDataRef> dataRefs =
- CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
if (dataRefs == null) {
return false;
}