You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2019/07/15 16:32:58 UTC
[cxf] branch master updated: CXF-8076 - Check for recursive calls
when invoking on an STS using its own IssuedToken policy
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new d520059 CXF-8076 - Check for recursive calls when invoking on an STS using its own IssuedToken policy
d520059 is described below
commit d520059ce1d04448fb2354966a7e16b39c3fcbda
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Mon Jul 15 17:32:38 2019 +0100
CXF-8076 - Check for recursive calls when invoking on an STS using its own IssuedToken policy
---
.../apache/cxf/rt/security/SecurityConstants.java | 12 +++-
.../cxf/ws/security/trust/Messages.properties | 1 +
.../org/apache/cxf/ws/security/trust/STSUtils.java | 29 +++++++++
.../systest/sts/cross_domain/CrossDomainTest.java | 40 +++++++++++++
.../cxf/systest/sts/cross_domain/cxf-client-b.xml | 68 ++++++++++++++++++++++
.../sts/stsclient/AbstractSTSTokenTest.java | 3 +
6 files changed, 152 insertions(+), 1 deletion(-)
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
index 175506c..01a1339 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
@@ -364,6 +364,15 @@ public class SecurityConstants {
"security.sts.token.cacher.impl";
/**
+ * Check that we are not invoking on the STS using its own IssuedToken policy - in which case we
+ * will end up with a recursive loop. This check might be a problem in the unlikely scenario that the
+ * remote endpoint has the same service / port QName as the STS, so this configuration flag allows to
+ * disable this check for that scenario. The default is "true".
+ */
+ public static final String STS_CHECK_FOR_RECURSIVE_CALL =
+ "security.sts.check.for.recursive.call";
+
+ /**
* This property contains a comma separated String corresponding to a list of audience restriction URIs.
* The default value for this property contains the request URL and the Service QName. If the
* AUDIENCE_RESTRICTION_VALIDATION property is "true", and if a received SAML Token contains audience
@@ -386,7 +395,8 @@ public class SecurityConstants {
DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO,
STS_TOKEN_PROPERTIES, STS_TOKEN_USERNAME, STS_TOKEN_ACT_AS, STS_TOKEN_ON_BEHALF_OF,
STS_CLIENT, STS_APPLIES_TO, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
- STS_TOKEN_IMMINENT_EXPIRY_VALUE, STS_TOKEN_CACHER_IMPL, AUDIENCE_RESTRICTIONS
+ STS_TOKEN_IMMINENT_EXPIRY_VALUE, STS_TOKEN_CACHER_IMPL, AUDIENCE_RESTRICTIONS,
+ STS_CHECK_FOR_RECURSIVE_CALL
}));
COMMON_PROPERTIES = Collections.unmodifiableSet(s);
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties
index 3bf9456..486aa92 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/Messages.properties
@@ -28,3 +28,4 @@ NO_USER_PASSWORD=No user name and/or password is available, name: {0}
ADDRESS_NOT_MATCHED=Cannot match the address {0} to the WSDL received via WS-MEX
WS_MEX_ERROR=Exception when trying to retrieve/process a WSDL via WS-MEX
NO_LOCATION=The STSClient is not configured with either a location or wsdlLocation property
+ISSUED_TOKEN_POLICY_ERR=Calling an STS with an IssuedToken policy that points to the same STS is not allowed.
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
index b77d852..895585e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
@@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.trust;
import java.util.HashMap;
import java.util.Map;
+import java.util.logging.Logger;
import javax.xml.bind.JAXBException;
import javax.xml.namespace.QName;
@@ -32,6 +33,7 @@ import org.apache.cxf.BusException;
import org.apache.cxf.binding.BindingFactory;
import org.apache.cxf.binding.BindingFactoryManager;
import org.apache.cxf.binding.soap.model.SoapOperationInfo;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.configuration.Configurer;
import org.apache.cxf.databinding.source.SourceDataBinding;
import org.apache.cxf.endpoint.Endpoint;
@@ -85,6 +87,8 @@ public final class STSUtils {
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
private static final QName STS_SERVICE_NAME = new QName(WST_NS_05_12 + "/", "SecurityTokenService");
+ private static final Logger LOG = LogUtils.getL7dLogger(STSUtils.class);
+
private STSUtils() {
//utility class
}
@@ -150,6 +154,8 @@ public final class STSUtils {
wsMexClient = createSTSClient(message, type);
}
wsMexClient.configureViaEPR(epr, false);
+
+ checkForRecursiveCall(wsMexClient, message);
return wsMexClient;
} else if (configureViaEPR(client, epr)) {
// Only use WS-MEX here if the pre-configured STSClient has no location/wsdllocation
@@ -158,13 +164,36 @@ public final class STSUtils {
SecurityConstants.DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, message));
client.configureViaEPR(epr, useEPRWSAAddrAsMEXLocation);
+ checkForRecursiveCall(client, message);
return client;
}
}
+ checkForRecursiveCall(client, message);
+
return client;
}
+ /**
+ * Check that we are not invoking on the STS using its own IssuedToken policy - in which case we
+ * will end up with a recursive loop
+ */
+ private static void checkForRecursiveCall(STSClient client, Message message) {
+ boolean checkForRecursiveCall =
+ SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.STS_CHECK_FOR_RECURSIVE_CALL,
+ message,
+ true);
+
+ if (checkForRecursiveCall) {
+ EndpointInfo endpointInfo = message.getExchange().getEndpoint().getEndpointInfo();
+ if ((endpointInfo.getName().equals(client.getEndpointQName())
+ && endpointInfo.getService().getName().equals(client.getServiceQName()))
+ || client.getLocation() != null && client.getLocation().equals(endpointInfo.getAddress())) {
+ throw new TrustException("ISSUED_TOKEN_POLICY_ERR", LOG);
+ }
+ }
+ }
+
public static boolean configureViaEPR(STSClient client, EndpointReferenceType epr) {
return epr != null && client.getLocation() == null && client.getWsdlLocation() == null;
}
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/cross_domain/CrossDomainTest.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/cross_domain/CrossDomainTest.java
index 993b6ed..779c6b8 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/cross_domain/CrossDomainTest.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/cross_domain/CrossDomainTest.java
@@ -24,6 +24,7 @@ import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.ws.Service;
+import javax.xml.ws.soap.SOAPFaultException;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
@@ -36,6 +37,7 @@ import org.junit.BeforeClass;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
/**
* Some tests that illustrate how CXF clients can get tokens from different STS instances for
@@ -155,6 +157,44 @@ public class CrossDomainTest extends AbstractBusClientServerTestBase {
bus.shutdown(true);
}
+ // Here the service references STS "b". The WSDL of STS "b" has an IssuedToken. However our STS
+ // client config references STS "b". This could lead to an infinite loop - this test is to make
+ // sure that this doesn't happen.
+ @org.junit.Test
+ public void testIssuedTokenPointingToSameSTS() throws Exception {
+
+ if (!portFree) {
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = CrossDomainTest.class.getResource("cxf-client-b.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ BusFactory.setDefaultBus(bus);
+ BusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = CrossDomainTest.class.getResource("DoubleIt.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItCrossDomainMEXPort");
+ DoubleItPortType transportPort =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(transportPort, PORT);
+
+ // Transport port
+ try {
+ doubleIt(transportPort, 25);
+ fail("Failure expected on talking to an STS with an IssuedToken policy that points to the same STS");
+ } catch (SOAPFaultException ex) {
+ String expectedError =
+ "Calling an STS with an IssuedToken policy that points to the same STS is not allowed";
+ assertTrue(ex.getMessage().contains(expectedError));
+ }
+
+ ((java.io.Closeable)transportPort).close();
+ bus.shutdown(true);
+ }
+
private static void doubleIt(DoubleItPortType port, int numToDouble) {
int resp = port.doubleIt(numToDouble);
assertEquals(numToDouble * 2, resp);
diff --git a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/cross_domain/cxf-client-b.xml b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/cross_domain/cxf-client-b.xml
new file mode 100644
index 0000000..e09f069
--- /dev/null
+++ b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/cross_domain/cxf-client-b.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:jaxws="http://cxf.apache.org/jaxws"
+ xmlns:cxf="http://cxf.apache.org/core"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItCrossDomainMEXPort" createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="security.sts.prefer-wsmex" value="true"/>
+ <entry key="security.sts.client">
+ <bean class="org.apache.cxf.ws.security.trust.STSClient">
+ <constructor-arg ref="cxf"/>
+ <property name="wsdlLocation" value="https://localhost:30102/SecurityTokenService/b?wsdl"/>
+ <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
+ <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_STSB_Port"/>
+ <property name="properties">
+ <map>
+ <entry key="security.username" value="alice"/>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="security.sts.token.username" value="myclientkey"/>
+ <entry key="security.sts.token.properties" value="clientKeystore.properties"/>
+ <entry key="security.sts.token.usecert" value="true"/>
+ </map>
+ </property>
+ <property name="enableAppliesTo" value="false"/>
+ </bean>
+ </entry>
+ </jaxws:properties>
+ </jaxws:client>
+
+ <http:conduit name="https://localhost:.*">
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:keyManagers keyPassword="ckpass">
+ <sec:keyStore type="jks" password="cspass" resource="keys/clientstore.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="cspass" resource="keys/clientstore.jks"/>
+ </sec:trustManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+</beans>
\ No newline at end of file
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/AbstractSTSTokenTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/AbstractSTSTokenTest.java
index 8f8bf95..b7e2c01 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/AbstractSTSTokenTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/stsclient/AbstractSTSTokenTest.java
@@ -31,6 +31,7 @@ import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
+import javax.xml.namespace.QName;
import org.apache.cxf.Bus;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
@@ -157,8 +158,10 @@ public abstract class AbstractSTSTokenTest extends AbstractBusClientServerTestBa
Exchange exchange = new ExchangeImpl();
ServiceInfo si = new ServiceInfo();
+ si.setName(new QName("http://www.apache.org", "ServiceName"));
Service s = new ServiceImpl(si);
EndpointInfo ei = new EndpointInfo();
+ ei.setName(new QName("http://www.apache.org", "EndpointName"));
Endpoint ep = new EndpointImpl(bus, s, ei);
ei.setBinding(new BindingInfo(si, null));
message.setExchange(exchange);