You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2009/05/07 12:01:19 UTC
svn commit: r772577 - in /webservices/wss4j/trunk:
src/org/apache/ws/axis/security/ src/org/apache/ws/security/
src/org/apache/ws/security/handler/ src/org/apache/ws/security/processor/
test/wssec/
Author: coheigea
Date: Thu May 7 10:01:18 2009
New Revision: 772577
URL: http://svn.apache.org/viewvc?rev=772577&view=rev
Log:
[WSS-186] - Move TTL validation to the TimestampProcessor
Modified:
webservices/wss4j/trunk/src/org/apache/ws/axis/security/WSDoAllReceiver.java
webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java
webservices/wss4j/trunk/test/wssec/TestWSSecurityTimestamp.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/axis/security/WSDoAllReceiver.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/axis/security/WSDoAllReceiver.java?rev=772577&r1=772576&r2=772577&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/axis/security/WSDoAllReceiver.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/axis/security/WSDoAllReceiver.java Thu May 7 10:01:18 2009
@@ -38,7 +38,6 @@
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
@@ -81,6 +80,7 @@
}
RequestData reqData = new RequestData();
+ reqData.setWssConfig(secEngine.getWssConfig());
/*
* The overall try, just to have a finally at the end to perform some
* housekeeping.
@@ -154,7 +154,6 @@
* they may be used for encryption too.
*/
doReceiverAction(doAction, reqData);
-
Vector wsResult = null;
if (tlog.isDebugEnabled()) {
t1 = System.currentTimeMillis();
@@ -297,30 +296,6 @@
}
/*
- * Perform further checks on the timestamp that was transmitted in
- * the header. In the following implementation the timestamp is
- * valid if it was created after (now-ttl), where ttl is set on
- * server side, not by the client.
- *
- * Note: the method verifyTimestamp(Timestamp) allows custom
- * implementations with other validation algorithms for subclasses.
- */
-
- // Extract the timestamp action result from the action vector
- actionResult = WSSecurityUtil.fetchActionResult(wsResult,
- WSConstants.TS);
-
- if (actionResult != null) {
- Timestamp timestamp =
- (Timestamp)actionResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
-
- if (timestamp != null
- && !verifyTimestamp(timestamp, decodeTimeToLive(reqData))) {
- throw new AxisFault("WSDoAllReceiver: The timestamp could not be validated");
- }
- }
-
- /*
* now check the security actions: do they match, in right order?
*/
if (!checkReceiverResults(wsResult, actions)) {
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java?rev=772577&r1=772576&r2=772577&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSSConfig.java Thu May 7 10:01:18 2009
@@ -190,6 +190,12 @@
protected boolean timeStampStrict = true;
/**
+ * The time in seconds between creation and expiry for a Timestamp. The default
+ * is 300 seconds (5 minutes).
+ */
+ protected int timeStampTTL = 300;
+
+ /**
* This variable controls whether types other than PasswordDigest or PasswordText
* are allowed when processing UsernameTokens.
*
@@ -398,6 +404,21 @@
}
/**
+ * @return Returns the TTL of a Timestamp in seconds
+ */
+ public int getTimeStampTTL() {
+ return timeStampTTL;
+ }
+
+ /**
+ * @param timeStampTTL
+ * The new value for timeStampTTL
+ */
+ public void setTimeStampTTL(int timeStampTTL) {
+ this.timeStampTTL = timeStampTTL;
+ }
+
+ /**
* @return Returns the WsuIdAllocator used to generate wsu:Id attributes
*/
public WsuIdAllocator getIdAllocator() {
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java?rev=772577&r1=772576&r2=772577&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java Thu May 7 10:01:18 2009
@@ -257,6 +257,7 @@
decodeEnableSignatureConfirmation(reqData)
);
wssConfig.setTimeStampStrict(decodeTimestampStrict(reqData));
+ wssConfig.setTimeStampTTL(decodeTimeToLive(reqData));
wssConfig.setHandleCustomPasswordTypes(decodeCustomPasswordTypes(reqData));
reqData.setWssConfig(wssConfig);
@@ -271,6 +272,7 @@
if ((doAction & WSConstants.ENCR) == WSConstants.ENCR) {
decodeDecryptionParameter(reqData);
}
+
if ((doAction & WSConstants.NO_SERIALIZE) == WSConstants.NO_SERIALIZE) {
reqData.setNoSerialization(true);
}
@@ -1235,6 +1237,7 @@
* @param timeToLive
* the limit on the receivers' side, that the timestamp is validated against
* @return true if the timestamp is before (now-timeToLive), false otherwise
+ * @deprecated TTL validation is now done by default in the TimestampProcessor
* @throws WSSecurityException
*/
protected boolean verifyTimestamp(Timestamp timestamp, int timeToLive) throws WSSecurityException {
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java?rev=772577&r1=772576&r2=772577&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java Thu May 7 10:01:18 2009
@@ -738,11 +738,11 @@
/**
* Set the value of this parameter to true to enable strict timestamp
- * handling.
+ * handling (default is true).
*
* Strict Timestamp handling: throw an exception if a Timestamp contains
* an <code>Expires</code> element and the semantics of the request are
- * expired, i.e. the current time at the receiver is past the expires time.
+ * expired, i.e. the current time at the receiver is past the expires time.
*/
public static final String TIMESTAMP_STRICT = "timestampStrict";
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java?rev=772577&r1=772576&r2=772577&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java Thu May 7 10:01:18 2009
@@ -25,7 +25,6 @@
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
@@ -135,6 +134,7 @@
public boolean processMessage(MessageContext mc, boolean isRequestMessage) throws WSSecurityException {
RequestData reqData = new RequestData();
+ reqData.setWssConfig(secEngine.getWssConfig());
reqData.setMsgContext(mc);
doDebug = log.isDebugEnabled();
@@ -386,7 +386,6 @@
* may be used for encryption too.
*/
doReceiverAction(doAction, reqData);
-
Vector wsResult = null;
try {
wsResult =
@@ -497,28 +496,6 @@
}
/*
- * Perform further checks on the timestamp that was transmitted in the header.
- * In the following implementation the timestamp is valid if it was
- * created after (now-ttl), where ttl is set on server side, not by the client.
- *
- * Note: the method verifyTimestamp(Timestamp) allows custom
- * implementations with other validation algorithms for subclasses.
- */
-
- // Extract the timestamp action result from the action vector
- actionResult = WSSecurityUtil.fetchActionResult(wsResult, WSConstants.TS);
-
- if (actionResult != null) {
- Timestamp timestamp =
- (Timestamp)actionResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
-
- if (timestamp != null && reqData.getWssConfig().isTimeStampStrict()
- && !verifyTimestamp(timestamp, decodeTimeToLive(reqData))) {
- throw new JAXRPCException("WSS4JHandler: The timestamp could not be validated");
- }
- }
-
- /*
* now check the security actions: do they match, in right order?
*/
if (!checkReceiverResults(wsResult, actions)) {
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java?rev=772577&r1=772576&r2=772577&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/TimestampProcessor.java Thu May 7 10:01:18 2009
@@ -38,6 +38,7 @@
private WSSConfig wssConfig = null;
private String tsId;
+ private int timeToLive = 300;
public void handleToken(
Element elem,
@@ -52,6 +53,7 @@
log.debug("Found Timestamp list element");
}
wssConfig = wsc;
+ timeToLive = wssConfig.getTimeStampTTL();
//
// Decode Timestamp, add the found time (created/expiry) to result
//
@@ -70,7 +72,8 @@
}
// Validate whether the security semantics have expired
- if (wssConfig.isTimeStampStrict() && timestamp.isExpired()) {
+ if ((wssConfig.isTimeStampStrict() && timestamp.isExpired())
+ || !timestamp.verifyCreated(timeToLive)) {
throw new WSSecurityException(
WSSecurityException.MESSAGE_EXPIRED,
"invalidTimestamp",
Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityTimestamp.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityTimestamp.java?rev=772577&r1=772576&r2=772577&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityTimestamp.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityTimestamp.java Thu May 7 10:01:18 2009
@@ -30,11 +30,11 @@
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.ws.security.WSSecurityEngine;
-import org.apache.ws.security.handler.WSHandler;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.WSSecTimestamp;
import org.apache.ws.security.message.token.Timestamp;
@@ -135,7 +135,7 @@
//
// Do some processing
//
- Vector wsResult = verify(createdDoc);
+ Vector wsResult = verify(createdDoc, WSSConfig.getNewInstance());
WSSecurityEngineResult actionResult =
WSSecurityUtil.fetchActionResult(wsResult, WSConstants.TS);
assertTrue(actionResult != null);
@@ -143,11 +143,6 @@
Timestamp receivedTimestamp =
(Timestamp)actionResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
assertTrue(receivedTimestamp != null);
-
- MyHandler myHandler = new MyHandler();
- if (!myHandler.publicVerifyTimestamp(receivedTimestamp, 300)) {
- fail("The timestamp could not be validated");
- }
}
@@ -173,7 +168,7 @@
//
// Do some processing
//
- Vector wsResult = verify(createdDoc);
+ Vector wsResult = verify(createdDoc, WSSConfig.getNewInstance());
WSSecurityEngineResult actionResult =
WSSecurityUtil.fetchActionResult(wsResult, WSConstants.TS);
assertTrue(actionResult != null);
@@ -181,11 +176,6 @@
Timestamp receivedTimestamp =
(Timestamp)actionResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
assertTrue(receivedTimestamp != null);
-
- MyHandler myHandler = new MyHandler();
- if (!myHandler.publicVerifyTimestamp(receivedTimestamp, 300)) {
- fail("The timestamp could not be validated");
- }
}
@@ -209,11 +199,7 @@
}
try {
- //
- // Note that "expired" verification is done in the TimestampProcessor, whereas
- // "created" verification is done in the WSHandler
- //
- verify(createdDoc);
+ verify(createdDoc, WSSConfig.getNewInstance());
fail("Expected failure on an expired timestamp");
} catch (WSSecurityException ex) {
assertTrue(ex.getErrorCode() == WSSecurityException.MESSAGE_EXPIRED);
@@ -243,19 +229,14 @@
//
// Do some processing
//
- Vector wsResult = verify(createdDoc);
- WSSecurityEngineResult actionResult =
- WSSecurityUtil.fetchActionResult(wsResult, WSConstants.TS);
- assertTrue(actionResult != null);
-
- Timestamp receivedTimestamp =
- (Timestamp)actionResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
- assertTrue(receivedTimestamp != null);
-
- MyHandler myHandler = new MyHandler();
- if (myHandler.publicVerifyTimestamp(receivedTimestamp, -1)) {
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ wssConfig.setTimeStampTTL(-1);
+ try {
+ verify(createdDoc, wssConfig);
fail("The timestamp validation should have failed");
- }
+ } catch (WSSecurityException ex) {
+ assertTrue(ex.getErrorCode() == WSSecurityException.MESSAGE_EXPIRED);
+ }
}
@@ -263,50 +244,13 @@
* Verifies the soap envelope
*
* @param env soap envelope
+ * @param wssConfig
* @throws java.lang.Exception Thrown when there is a problem in verification
*/
- private Vector verify(Document doc) throws Exception {
+ private Vector verify(Document doc, WSSConfig wssConfig) throws Exception {
+ secEngine.setWssConfig(wssConfig);
return secEngine.processSecurityHeader(doc, null, null, null);
}
- /**
- * a trivial extension of the WSHandler type
- */
- public static class MyHandler extends WSHandler {
-
- public Object
- getOption(String key) {
- return null;
- }
-
- public void
- setProperty(
- Object msgContext,
- String key,
- Object value
- ) {
- }
-
- public Object
- getProperty(Object ctx, String key) {
- return null;
- }
-
- public void
- setPassword(Object msgContext, String password) {
- }
-
- public String
- getPassword(Object msgContext) {
- return null;
- }
-
- boolean publicVerifyTimestamp(
- Timestamp timestamp,
- int ttl
- ) throws org.apache.ws.security.WSSecurityException {
- return verifyTimestamp(timestamp, ttl);
- }
- }
}
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org