Posted to commits@cxf.apache.org by co...@apache.org on 2011/02/11 17:33:48 UTC
svn commit: r1069865 [1/3] - in /cxf/trunk: ./
distribution/src/main/release/samples/ws_security/interopfest/wssc/src/main/java/interop/client/
distribution/src/main/release/samples/ws_security/interopfest/wssec11/src/main/java/interop/server/
rt/ws/se...
Author: coheigea
Date: Fri Feb 11 16:33:46 2011
New Revision: 1069865
URL: http://svn.apache.org/viewvc?rev=1069865&view=rev
Log:
Merging wss4j-1.6-snapshot branch to trunk.
Removed:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenProcessorWithoutCallbacks.java
Modified:
cxf/trunk/ (props changed)
cxf/trunk/distribution/src/main/release/samples/ws_security/interopfest/wssc/src/main/java/interop/client/KeystorePasswordCallback.java
cxf/trunk/distribution/src/main/release/samples/ws_security/interopfest/wssec11/src/main/java/interop/server/KeystorePasswordCallback.java
cxf/trunk/rt/ws/security/pom.xml
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/ContentEncryptedElements.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredElements.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedElements.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SignatureConfirmationTest.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptorTest.java
cxf/trunk/systests/databinding/src/test/resources/aegisJaxWsBeans.xml
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssc/server/Server.java
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/UTPasswordCallback.java
cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec11/server/KeystorePasswordCallback.java
Propchange: cxf/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (added)
+++ svn:mergeinfo Fri Feb 11 16:33:46 2011
@@ -0,0 +1,2 @@
+/cxf/branches/wss4j-1.6-port:1043100-1069432
+/cxf/sandbox/wss4j-1.6-port:1031652-1043098
Modified: cxf/trunk/distribution/src/main/release/samples/ws_security/interopfest/wssc/src/main/java/interop/client/KeystorePasswordCallback.java
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/ws_security/interopfest/wssc/src/main/java/interop/client/KeystorePasswordCallback.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/ws_security/interopfest/wssc/src/main/java/interop/client/KeystorePasswordCallback.java (original)
+++ cxf/trunk/distribution/src/main/release/samples/ws_security/interopfest/wssc/src/main/java/interop/client/KeystorePasswordCallback.java Fri Feb 11 16:33:46 2011
@@ -61,17 +61,11 @@ public class KeystorePasswordCallback im
//The above is an issue when doing encrypt or signing only.
//Perhaps using a more suitable keystore format like .jks would be better
pc.setPassword("password");
- return;
} catch (NumberFormatException nfe) {
- //not a pfx alias, carry on to next
- }
-
- String pass = passwords.get(pc.getIdentifier());
- if (pass != null) {
- pc.setPassword(pass);
- return;
- } else {
- pc.setPassword("password");
+ String pass = passwords.get(pc.getIdentifier());
+ if (pass != null) {
+ pc.setPassword(pass);
+ }
}
}
}
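Review bot: The `catch (NumberFormatException nfe)` block now carries the real lookup logic, so the exception is being used as the "not a numeric pfx alias" branch, yet the comment explaining that (`//not a pfx alias, carry on to next`) was deleted along with the old fallback; keep a one-liner such as `// identifier is not a numeric pfx alias: look it up in the passwords map`. Dropping the unconditional `pc.setPassword("password")` fallback means an unknown identifier now leaves the callback's password unset, which is the safer behaviour, but it deserves a comment (`// unknown identifier: leave the password unset`) since the same change is made in the wssec11 server KeystorePasswordCallback hunk below. The enclosing method starts before this hunk.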
Modified: cxf/trunk/distribution/src/main/release/samples/ws_security/interopfest/wssec11/src/main/java/interop/server/KeystorePasswordCallback.java
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/ws_security/interopfest/wssec11/src/main/java/interop/server/KeystorePasswordCallback.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/ws_security/interopfest/wssec11/src/main/java/interop/server/KeystorePasswordCallback.java (original)
+++ cxf/trunk/distribution/src/main/release/samples/ws_security/interopfest/wssec11/src/main/java/interop/server/KeystorePasswordCallback.java Fri Feb 11 16:33:46 2011
@@ -42,6 +42,8 @@ public class KeystorePasswordCallback im
passwords.put("alice", "abcd!1234");
passwords.put("Bob", "abcd!1234");
passwords.put("bob", "abcd!1234");
+ passwords.put("350334201beea6502d11342f93eea09fc0b5df01", "password");
+ passwords.put("abcd", "dcba");
}
/**
@@ -55,9 +57,6 @@ public class KeystorePasswordCallback im
String pass = passwords.get(pc.getIdentifier());
if (pass != null) {
pc.setPassword(pass);
- return;
- } else {
- pc.setPassword("password");
}
}
}
Modified: cxf/trunk/rt/ws/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/pom.xml?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/pom.xml (original)
+++ cxf/trunk/rt/ws/security/pom.xml Fri Feb 11 16:33:46 2011
@@ -91,21 +91,9 @@
<dependency>
<groupId>org.apache.ws.security</groupId>
<artifactId>wss4j</artifactId>
- <version>1.5.11</version>
+ <version>1.6-SNAPSHOT</version>
<exclusions>
<exclusion>
- <groupId>axis</groupId>
- <artifactId>axis</artifactId>
- </exclusion>
- <exclusion>
- <groupId>opensaml</groupId>
- <artifactId>opensaml</artifactId>
- </exclusion>
- <exclusion>
- <groupId>axis</groupId>
- <artifactId>axis-ant</artifactId>
- </exclusion>
- <exclusion>
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
</exclusion>
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java Fri Feb 11 16:33:46 2011
@@ -31,6 +31,7 @@ public final class SecurityConstants {
public static final String USERNAME = "ws-security.username";
public static final String PASSWORD = "ws-security.password";
public static final String VALIDATE_TOKEN = "ws-security.validate.token";
+ public static final String USERNAME_TOKEN_VALIDATOR = "ws-security.ut.validator";
public static final String CALLBACK_HANDLER = "ws-security.callback-handler";
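Review bot: The new public key `USERNAME_TOKEN_VALIDATOR` is a configuration contract but carries no Javadoc saying what value a user is expected to supply. Add a sentence stating the expected value type and who reads it, e.g. `/** Key for a custom UsernameToken Validator used when validating incoming UsernameTokens. */`; I cannot see from this chunk which interceptor consumes the property, so confirm the consumer before settling the wording. The neighbouring constants are also undocumented here, but the newly added one should at least state the expected type.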
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java Fri Feb 11 16:33:46 2011
@@ -21,7 +21,6 @@ package org.apache.cxf.ws.security.polic
import javax.xml.namespace.QName;
import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
public final class SP11Constants extends SPConstants {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java Fri Feb 11 16:33:46 2011
@@ -21,8 +21,6 @@ package org.apache.cxf.ws.security.polic
import javax.xml.namespace.QName;
import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
-import org.apache.cxf.ws.security.policy.SPConstants.Version;
public final class SP12Constants extends SPConstants {
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java Fri Feb 11 16:33:46 2011
@@ -22,11 +22,11 @@ package org.apache.cxf.ws.security.polic
import java.security.Principal;
import java.util.Arrays;
import java.util.Collection;
-import java.util.Vector;
-
+import java.util.List;
import org.apache.cxf.Bus;
import org.apache.cxf.endpoint.Endpoint;
+import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
@@ -213,14 +213,11 @@ public class IssuedTokenInterceptorProvi
}
if (!isRequestor(message)) {
boolean found = false;
- Vector results = (Vector)message.get(WSHandlerConstants.RECV_RESULTS);
+ List<WSHandlerResult> results =
+ CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
if (results != null) {
- for (int i = 0; i < results.size(); i++) {
- WSHandlerResult rResult =
- (WSHandlerResult) results.get(i);
-
- Vector wsSecEngineResults = rResult.getResults();
- SecurityToken token = findIssuedToken(wsSecEngineResults);
+ for (WSHandlerResult rResult : results) {
+ SecurityToken token = findIssuedToken(rResult.getResults());
if (token != null) {
found = true;
message.getExchange().put(SecurityConstants.TOKEN, token);
@@ -239,10 +236,10 @@ public class IssuedTokenInterceptorProvi
}
}
- private SecurityToken findIssuedToken(Vector wsSecEngineResults) {
- for (int j = 0; j < wsSecEngineResults.size(); j++) {
- WSSecurityEngineResult wser =
- (WSSecurityEngineResult) wsSecEngineResults.get(j);
+ private SecurityToken findIssuedToken(
+ List<WSSecurityEngineResult> wsSecEngineResults
+ ) {
+ for (WSSecurityEngineResult wser : wsSecEngineResults) {
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
if (actInt.intValue() == WSConstants.SIGN) {
Principal principal =
@@ -251,13 +248,13 @@ public class IssuedTokenInterceptorProvi
CustomTokenPrincipal customPrincipal =
(CustomTokenPrincipal)principal;
byte[] secretKey =
- (byte[])wser.get(WSSecurityEngineResult.TAG_DECRYPTED_KEY);
+ (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
if (secretKey != null) {
SecurityToken token =
new SecurityToken(
customPrincipal.getName(),
- (java.util.Calendar)null,
- (java.util.Calendar)null
+ (java.util.Date)null,
+ (java.util.Date)null
);
token.setSecret(secretKey);
return token;
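Review bot: The SecurityToken constructed here from the SIGN result carries `null` for both created and expires (the two `(java.util.Date)null` arguments), so if it is ever placed in a TokenStore it is never aged out: MemoryTokenStore.processTokenExpiry in this same commit only marks a token EXPIRED when `getExpires()` is non-null. The caller stores it in the exchange (`message.getExchange().put(SecurityConstants.TOKEN, token)` in the preceding hunk); if it is meant to live only for that exchange, a comment such as `// request-scoped: no lifetime, must not be cached in a TokenStore` would stop someone from caching it, otherwise derive an expiry from the signed token's lifetime. The enclosing findIssuedToken continues past the end of this hunk.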
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java Fri Feb 11 16:33:46 2011
@@ -19,10 +19,9 @@
package org.apache.cxf.ws.security.policy.interceptors;
-import java.util.Calendar;
import java.util.Collection;
+import java.util.Date;
import java.util.List;
-import java.util.Vector;
import java.util.logging.Logger;
import javax.xml.transform.dom.DOMSource;
@@ -36,6 +35,7 @@ import org.apache.cxf.binding.soap.SoapB
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.endpoint.Endpoint;
+import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.Interceptor;
@@ -86,8 +86,8 @@ import org.apache.ws.security.handler.WS
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.token.SecurityContextToken;
import org.apache.ws.security.message.token.SecurityTokenReference;
+import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.XmlSchemaDateFormat;
-import org.apache.xml.security.utils.Base64;
class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
static final Logger LOG = LogUtils.getL7dLogger(SecureConversationInInterceptor.class);
@@ -385,10 +385,10 @@ class SecureConversationInInterceptor ex
new SecurityContextToken(SecureConversationTokenInterceptorProvider
.getWSCVersion(tokenType), writer.getDocument());
- Calendar created = Calendar.getInstance();
- Calendar expires = Calendar.getInstance();
- expires.setTimeInMillis(System.currentTimeMillis() + ttl);
-
+ Date created = new Date();
+ Date expires = new Date();
+ expires.setTime(created.getTime() + (ttl * 1000));
+
SecurityToken token = new SecurityToken(sct.getIdentifier(), created, expires);
token.setToken(sct.getElement());
token.setTokenType(WSConstants.WSC_SCT);
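Review bot: `expires.setTime(created.getTime() + (ttl * 1000))` changes the unit of `ttl` from milliseconds (the removed `System.currentTimeMillis() + ttl`) to seconds, and if `ttl` is declared as an `int` the multiplication is done in 32-bit arithmetic and overflows for values above roughly 2147483 seconds (about 24.8 days), yielding an expiry in the past. Use a long multiplier, `expires.setTime(created.getTime() + ttl * 1000L);`, and record the unit where ttl is declared, e.g. `// ttl in seconds`. The declaration of ttl and the enclosing method are outside this hunk, so the unit change should be checked against every caller that sets it.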
@@ -457,17 +457,13 @@ class SecureConversationInInterceptor ex
public void handleMessage(SoapMessage message) throws Fault {
//Find the SC token
boolean found = false;
- List results = (List)message.get(WSHandlerConstants.RECV_RESULTS);
+ List<WSHandlerResult> results =
+ CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
if (results != null) {
- for (int i = 0; i < results.size(); i++) {
- WSHandlerResult rResult =
- (WSHandlerResult) results.get(i);
+ for (WSHandlerResult rResult : results) {
+ List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
- Vector wsSecEngineResults = rResult.getResults();
-
- for (int j = 0; j < wsSecEngineResults.size(); j++) {
- WSSecurityEngineResult wser =
- (WSSecurityEngineResult) wsSecEngineResults.get(j);
+ for (WSSecurityEngineResult wser : wsSecEngineResults) {
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
if (actInt.intValue() == WSConstants.SCT) {
SecurityContextToken tok
@@ -522,6 +518,7 @@ class SecureConversationInInterceptor ex
doCancel(message, aim, tok);
}
+
private void doCancel(SoapMessage message, AssertionInfoMap aim, SecureConversationToken itok) {
Message m2 = message.getExchange().getOutMessage();
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java Fri Feb 11 16:33:46 2011
@@ -20,7 +20,6 @@
package org.apache.cxf.ws.security.policy.interceptors;
import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
@@ -67,8 +66,8 @@ import org.apache.ws.security.conversati
import org.apache.ws.security.conversation.dkalgo.P_SHA1;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
+import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.apache.xml.security.utils.Base64;
/**
*
@@ -96,6 +95,7 @@ public class SecureConversationTokenInte
}
return (Trust10)ais.iterator().next().getAssertion();
}
+
static final Trust13 getTrust13(AssertionInfoMap aim) {
Collection<AssertionInfo> ais = aim.get(SP12Constants.TRUST_13);
if (ais == null || ais.isEmpty()) {
@@ -114,6 +114,7 @@ public class SecureConversationTokenInte
}
return tokenStore;
}
+
static PolicyAssertion getAddressingPolicy(AssertionInfoMap aim, boolean optional) {
Collection<AssertionInfo> lst = aim.get(MetadataConstants.USING_ADDRESSING_2004_QNAME);
PolicyAssertion assertion = null;
@@ -233,6 +234,7 @@ public class SecureConversationTokenInte
}
return client;
}
+
static byte[] writeProofToken(String prefix,
String namespace,
W3CDOMStreamWriter writer,
@@ -242,9 +244,7 @@ public class SecureConversationTokenInte
byte secret[] = null;
writer.writeStartElement(prefix, "RequestedProofToken", namespace);
if (clientEntropy == null) {
- SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
- secret = new byte[keySize / 8];
- random.nextBytes(secret);
+ secret = WSSecurityUtil.generateNonce(keySize / 8);
writer.writeStartElement(prefix, "BinarySecret", namespace);
writer.writeAttribute("Type", namespace + "/Nonce");
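Review bot: With `SecureRandom.getInstance("SHA1PRNG")` replaced by `WSSecurityUtil.generateNonce(keySize / 8)`, the `java.security.NoSuchAlgorithmException` import kept at the top of the file (and any `throws NoSuchAlgorithmException` on writeProofToken, whose signature is outside this hunk) is only justified if something else in the file still raises it; if nothing does, remove both. Delegating to the library's nonce generator is a reasonable direction since it centralizes the CSPRNG choice, but `keySize / 8` still silently truncates a key size that is not a multiple of 8 (pre-existing); a guard such as `if (keySize % 8 != 0) throw new IllegalArgumentException("keySize must be a multiple of 8: " + keySize);` would make that failure explicit.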
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/ContentEncryptedElements.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/ContentEncryptedElements.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/ContentEncryptedElements.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/ContentEncryptedElements.java Fri Feb 11 16:33:46 2011
@@ -109,8 +109,8 @@ public class ContentEncryptedElements ex
String xpathExpression;
- for (Iterator iterator = xPathExpressions.iterator(); iterator.hasNext();) {
- xpathExpression = (String)iterator.next();
+ for (Iterator<String> iterator = xPathExpressions.iterator(); iterator.hasNext();) {
+ xpathExpression = iterator.next();
// <sp:XPath ..>
writer.writeStartElement(prefix, SPConstants.XPATH_EXPR, namespaceURI);
writer.writeCharacters(xpathExpression);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredElements.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredElements.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredElements.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredElements.java Fri Feb 11 16:33:46 2011
@@ -109,8 +109,8 @@ public class RequiredElements extends Ab
String xpathExpression;
- for (Iterator iterator = xPathExpressions.iterator(); iterator.hasNext();) {
- xpathExpression = (String)iterator.next();
+ for (Iterator<String> iterator = xPathExpressions.iterator(); iterator.hasNext();) {
+ xpathExpression = iterator.next();
// <sp:XPath ..>
writer.writeStartElement(prefix, SPConstants.XPATH_EXPR, namespaceURI);
writer.writeCharacters(xpathExpression);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java Fri Feb 11 16:33:46 2011
@@ -82,8 +82,8 @@ public class RequiredParts extends Abstr
writer.writeNamespace(prefix, namespaceURI);
Header header;
- for (Iterator iterator = headers.iterator(); iterator.hasNext();) {
- header = (Header)iterator.next();
+ for (Iterator<Header> iterator = headers.iterator(); iterator.hasNext();) {
+ header = iterator.next();
// <sp:Header Name=".." Namespace=".." />
writer.writeStartElement(prefix, SPConstants.HEADER, namespaceURI);
// Name attribute is optional
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedElements.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedElements.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedElements.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedElements.java Fri Feb 11 16:33:46 2011
@@ -114,8 +114,8 @@ public class SignedEncryptedElements ext
String xpathExpression;
- for (Iterator iterator = xPathExpressions.iterator(); iterator.hasNext();) {
- xpathExpression = (String)iterator.next();
+ for (Iterator<String> iterator = xPathExpressions.iterator(); iterator.hasNext();) {
+ xpathExpression = iterator.next();
// <sp:XPath ..>
writer.writeStartElement(prefix, SPConstants.XPATH_EXPR, namespaceURI);
writer.writeCharacters(xpathExpression);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java Fri Feb 11 16:33:46 2011
@@ -140,8 +140,8 @@ public class SignedEncryptedParts extend
}
Header header;
- for (Iterator iterator = headers.iterator(); iterator.hasNext();) {
- header = (Header)iterator.next();
+ for (Iterator<Header> iterator = headers.iterator(); iterator.hasNext();) {
+ header = iterator.next();
// <sp:Header Name=".." Namespace=".." />
writer.writeStartElement(prefix, SPConstants.HEADER, namespaceURI);
// Name attribute is optional
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java Fri Feb 11 16:33:46 2011
@@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.token
import java.util.ArrayList;
import java.util.Collection;
+import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
@@ -108,18 +109,19 @@ public class MemoryTokenStore implements
}
protected void processTokenExpiry() {
- long time = System.currentTimeMillis();
for (SecurityToken token : tokens.values()) {
if (token.getState() == State.EXPIRED
|| token.getState() == State.CANCELLED) {
if (autoRemove) {
remove(token);
}
- } else if (token.getExpires() != null
- && token.getExpires().getTimeInMillis() < time) {
- token.setState(SecurityToken.State.EXPIRED);
- if (autoRemove) {
- remove(token);
+ } else if (token.getExpires() != null) {
+ Date current = new Date();
+ if (token.getExpires().before(current)) {
+ token.setState(SecurityToken.State.EXPIRED);
+ if (autoRemove) {
+ remove(token);
+ }
}
}
}
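Review bot: `Date current = new Date()` is now allocated inside the loop for every token that has an expiry, whereas the removed `long time = System.currentTimeMillis()` sampled the clock once before iterating. Hoist it: declare `Date current = new Date();` before the `for` and keep `if (token.getExpires().before(current))` in the branch, so all tokens in one pass are judged against the same instant. Iterating `tokens.values()` while calling `remove(token)` appears to rely on `tokens` being a ConcurrentHashMap (the import is visible above, the field declaration is not); a short comment on the loop stating that assumption would help the next maintainer.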
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java Fri Feb 11 16:33:46 2011
@@ -20,12 +20,11 @@
package org.apache.cxf.ws.security.tokenstore;
import java.security.cert.X509Certificate;
-import java.util.Calendar;
+import java.text.DateFormat;
+import java.text.ParseException;
+import java.util.Date;
import java.util.Properties;
-import javax.xml.datatype.DatatypeConfigurationException;
-import javax.xml.datatype.DatatypeFactory;
-
import org.w3c.dom.Element;
import org.apache.cxf.helpers.DOMUtils;
@@ -34,6 +33,7 @@ import org.apache.cxf.staxutils.W3CDOMSt
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.token.Reference;
+import org.apache.ws.security.util.XmlSchemaDateFormat;
/**
@@ -106,12 +106,12 @@ public class SecurityToken {
/**
* Created time
*/
- private Calendar created;
+ private Date created;
/**
* Expiration time
*/
- private Calendar expires;
+ private Date expires;
/**
* Issuer end point address
@@ -136,7 +136,7 @@ public class SecurityToken {
public SecurityToken() {
}
- public SecurityToken(String id, Calendar created, Calendar expires) {
+ public SecurityToken(String id, Date created, Date expires) {
this.id = id;
this.created = created;
this.expires = expires;
@@ -144,8 +144,8 @@ public class SecurityToken {
public SecurityToken(String id,
Element tokenElem,
- Calendar created,
- Calendar expires) {
+ Date created,
+ Date expires) {
this.id = id;
this.token = cloneElement(tokenElem);
this.created = created;
@@ -178,22 +178,20 @@ public class SecurityToken {
*/
private void processLifeTime(Element lifetimeElem) {
try {
- DatatypeFactory factory = DatatypeFactory.newInstance();
-
Element createdElem =
DOMUtils.getFirstChildWithName(lifetimeElem,
WSConstants.WSU_NS,
WSConstants.CREATED_LN);
- this.created = factory.newXMLGregorianCalendar(DOMUtils.getContent(createdElem))
- .toGregorianCalendar();
+ DateFormat zulu = new XmlSchemaDateFormat();
+
+ this.created = zulu.parse(DOMUtils.getContent(createdElem));
Element expiresElem =
DOMUtils.getFirstChildWithName(lifetimeElem,
WSConstants.WSU_NS,
WSConstants.EXPIRES_LN);
- this.expires = factory.newXMLGregorianCalendar(DOMUtils.getContent(expiresElem))
- .toGregorianCalendar();
- } catch (DatatypeConfigurationException e) {
+ this.expires = zulu.parse(DOMUtils.getContent(expiresElem));
+ } catch (ParseException e) {
//shouldn't happen
}
}
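Review bot: The new `catch (ParseException e)` swallows a malformed wsu:Created or wsu:Expires value and leaves `created`/`expires` null, which MemoryTokenStore.processTokenExpiry in this commit treats as never expiring; the old code only caught DatatypeConfigurationException, so an unparseable date propagated as an exception. A Lifetime element that cannot be parsed should not quietly yield an unexpiring token — propagate it, e.g. `throw new IllegalArgumentException("Unparseable Lifetime value", e);`, or at the very least log it at WARNING instead of the `//shouldn't happen` comment. Both `DOMUtils.getContent(...)` calls also dereference the result of getFirstChildWithName without a null check, so a Lifetime missing either child throws NullPointerException (pre-existing).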
@@ -324,21 +322,21 @@ public class SecurityToken {
/**
* @return Returns the created.
*/
- public Calendar getCreated() {
+ public Date getCreated() {
return created;
}
/**
* @return Returns the expires.
*/
- public Calendar getExpires() {
+ public Date getExpires() {
return expires;
}
/**
* @param expires The expires to set.
*/
- public void setExpires(Calendar expires) {
+ public void setExpires(Date expires) {
this.expires = expires;
}
@@ -350,7 +348,6 @@ public class SecurityToken {
this.issuerAddress = issuerAddress;
}
-
/**
* @param sha SHA1 of the encrypted key
*/
@@ -407,16 +404,18 @@ public class SecurityToken {
}
return null;
}
+
public void setX509Certificate(X509Certificate cert, Crypto cpt) {
x509cert = cert;
crypto = cpt;
}
+
public X509Certificate getX509Certificate() {
return x509cert;
}
+
public Crypto getCrypto() {
return crypto;
}
-
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java Fri Feb 11 16:33:46 2011
@@ -32,7 +32,6 @@ import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
-import java.util.Vector;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -101,7 +100,8 @@ import org.apache.neethi.ExactlyOne;
import org.apache.neethi.Policy;
import org.apache.neethi.PolicyComponent;
import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSDocInfo;
+import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
@@ -288,6 +288,7 @@ public class STSClient implements Config
public void setKeySize(int i) {
keySize = i;
}
+
public int getKeySize() {
return keySize;
}
@@ -311,9 +312,9 @@ public class STSClient implements Config
protected void setPolicyInternal(Policy newPolicy) {
this.policy = newPolicy;
if (algorithmSuite == null) {
- Iterator i = policy.getAlternatives();
+ Iterator<?> i = policy.getAlternatives();
while (i.hasNext() && algorithmSuite == null) {
- List<PolicyComponent> p = CastUtils.cast((List)i.next());
+ List<PolicyComponent> p = CastUtils.cast((List<?>)i.next());
for (PolicyComponent p2 : p) {
if (p2 instanceof Binding) {
algorithmSuite = ((Binding)p2).getAlgorithmSuite();
@@ -578,10 +579,12 @@ public class STSClient implements Config
String ns = "http://schemas.xmlsoap.org/ws/2004/08/addressing/policy";
return new PrimitiveAssertion(new QName(ns, "UsingAddressing"));
}
+
public boolean validateSecurityToken(SecurityToken tok) throws Exception {
return validateSecurityToken(tok,
namespace + "/RSTR/Status");
}
+
private boolean validateSecurityToken(SecurityToken tok, String string)
throws Exception {
createClient();
@@ -887,13 +890,14 @@ public class STSClient implements Config
secret = Base64.decode(b64Secret);
} else if (childQname.equals(new QName(namespace, WSConstants.ENC_KEY_LN))) {
try {
-
- EncryptedKeyProcessor processor = new EncryptedKeyProcessor();
-
- processor.handleToken(child, null, createCrypto(true), createHandler(), null,
- new Vector(), null);
-
- secret = processor.getDecryptedBytes();
+ EncryptedKeyProcessor proc = new EncryptedKeyProcessor();
+ WSDocInfo docInfo = new WSDocInfo(child.getOwnerDocument());
+ List<WSSecurityEngineResult> result =
+ proc.handleToken(child, null, createCrypto(true), createHandler(), docInfo, null);
+ secret =
+ (byte[])result.get(0).get(
+ WSSecurityEngineResult.TAG_SECRET
+ );
} catch (IOException e) {
throw new TrustException("ENCRYPTED_KEY_ERROR", LOG, e);
}
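Review bot: `(byte[])result.get(0).get(WSSecurityEngineResult.TAG_SECRET)` assumes `handleToken` returned at least one result and that it carries a secret; an empty list surfaces as IndexOutOfBoundsException and a missing tag leaves `secret` null, neither of which is turned into the TrustException that the surrounding catch produces for IOException. A guard before the cast that throws the same `ENCRYPTED_KEY_ERROR` TrustException when `result.isEmpty()` or the TAG_SECRET entry is null keeps the failure mode consistent. The enclosing method continues outside this hunk.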
@@ -959,7 +963,6 @@ public class STSClient implements Config
}
private Crypto createCrypto(boolean decrypt) throws IOException {
- WSSConfig.getDefaultWSConfig();
Crypto crypto = (Crypto)getProperty(SecurityConstants.STS_TOKEN_CRYPTO + (decrypt ? ".decrypt" : ""));
if (crypto != null) {
return crypto;
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java Fri Feb 11 16:33:46 2011
@@ -18,15 +18,12 @@
*/
package org.apache.cxf.ws.security.wss4j;
-import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.security.auth.Subject;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapMessage;
@@ -38,13 +35,10 @@ import org.apache.cxf.interceptor.securi
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.security.SecurityContext;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.WSUsernameTokenPrincipal;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.processor.Processor;
+import org.apache.ws.security.validate.UsernameTokenValidator;
+import org.apache.ws.security.validate.Validator;
/**
@@ -174,83 +168,61 @@ public abstract class AbstractUsernameTo
String nonce,
String created) throws SecurityException;
-
- /**
- * {@inheritDoc}
- *
- */
- @Override
- protected CallbackHandler getCallback(RequestData reqData, int doAction, boolean utNoCallbacks)
- throws WSSecurityException {
-
- // Given that a custom UT processor is used for dealing with digests
- // no callback handler is required when the request UT contains a digest;
- // however a custom callback may still be needed for decrypting the encrypted UT
-
- if ((doAction & WSConstants.UT) != 0) {
- CallbackHandler pwdCallback = null;
- try {
- pwdCallback = super.getCallback(reqData, doAction, false);
- } catch (Exception ex) {
- // ignore
- }
- return new SubjectCreatingCallbackHandler(pwdCallback);
- }
-
- return super.getCallback(reqData, doAction, false);
- }
-
@Override
protected WSSecurityEngine getSecurityEngine(boolean utNoCallbacks) {
- if (!supportDigestPasswords) {
- return super.getSecurityEngine(true);
- }
- Map<QName, Object> profiles = new HashMap<QName, Object>(3);
+ Map<QName, Object> profiles = new HashMap<QName, Object>(1);
- Processor processor = new CustomUsernameTokenProcessor();
- profiles.put(new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN), processor);
- profiles.put(new QName(WSConstants.WSSE11_NS, WSConstants.USERNAME_TOKEN_LN), processor);
+ Validator validator = new CustomValidator();
+ profiles.put(WSSecurityEngine.USERNAME_TOKEN, validator);
return createSecurityEngine(profiles);
}
- protected class SubjectCreatingCallbackHandler extends DelegatingCallbackHandler {
-
- public SubjectCreatingCallbackHandler(CallbackHandler pwdHandler) {
- super(pwdHandler);
+ protected class CustomValidator extends UsernameTokenValidator {
+
+ @Override
+ protected void verifyCustomPassword(
+ org.apache.ws.security.message.token.UsernameToken usernameToken
+ ) throws WSSecurityException {
+ AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
+ usernameToken.getName(), usernameToken.getPassword(), false, null, null
+ );
+ }
+
+ @Override
+ protected void verifyPlaintextPassword(
+ org.apache.ws.security.message.token.UsernameToken usernameToken
+ ) throws WSSecurityException {
+ AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
+ usernameToken.getName(), usernameToken.getPassword(), false, null, null
+ );
}
@Override
- protected void handleCallback(Callback c) throws IOException {
- if (c instanceof WSPasswordCallback) {
- WSPasswordCallback pc = (WSPasswordCallback)c;
- if (WSConstants.PASSWORD_TEXT.equals(pc.getPasswordType())
- && pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
- AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
- pc.getIdentifier(), pc.getPassword(), false, null, null);
- }
+ protected void verifyDigestPassword(
+ org.apache.ws.security.message.token.UsernameToken usernameToken
+ ) throws WSSecurityException {
+ if (!supportDigestPasswords) {
+ throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
}
+ String user = usernameToken.getName();
+ String password = usernameToken.getPassword();
+ boolean isHashed = usernameToken.isDerivedKey();
+ String nonce = usernameToken.getNonce();
+ String createdTime = usernameToken.getCreated();
+ AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
+ user, password, isHashed, nonce, createdTime
+ );
}
- }
-
- /**
- * Custom UsernameTokenProcessor
- * Unfortunately, WSS4J UsernameTokenProcessor makes it impossible to
- * override its handleUsernameToken only.
- *
- */
- protected class CustomUsernameTokenProcessor extends UsernameTokenProcessorWithoutCallbacks {
@Override
- protected WSUsernameTokenPrincipal createPrincipal(String user,
- String password,
- boolean isHashed,
- String nonce,
- String createdTime,
- String pwType) throws WSSecurityException {
+ protected void verifyUnknownPassword(
+ org.apache.ws.security.message.token.UsernameToken usernameToken
+ ) throws WSSecurityException {
AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
- user, password, isHashed, nonce, createdTime);
- return super.createPrincipal(user, password, isHashed, nonce, createdTime, pwType);
+ usernameToken.getName(), null, false, null, null
+ );
}
+
}
}
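Review bot: In `verifyDigestPassword` the `isHashed` flag handed to setSubject is read from `usernameToken.isDerivedKey()`, which describes derived-key usage rather than whether the password is a digest; inside the digest branch the flag should simply be `boolean isHashed = true;`, otherwise subclasses receive a digest labelled as a plaintext password. `verifyUnknownPassword` now calls setSubject with a null password, so a token carrying only a username reaches the subject-creating path; unless setSubject rejects null passwords (its contract is outside this hunk), either an explicit `throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);` or a comment stating that password-less tokens are deliberately accepted is needed. `verifyCustomPassword` and `verifyPlaintextPassword` have identical bodies and could delegate to one private helper.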
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java Fri Feb 11 16:33:46 2011
@@ -26,7 +26,6 @@ import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
import javax.xml.namespace.QName;
@@ -39,12 +38,10 @@ import org.apache.cxf.message.MessageUti
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.resource.ResourceManager;
import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandler;
-import org.apache.ws.security.handler.WSHandlerConstants;
public abstract class AbstractWSS4JInterceptor extends WSHandler implements SoapInterceptor,
PhaseInterceptor<SoapMessage> {
@@ -61,7 +58,6 @@ public abstract class AbstractWSS4JInter
private Set<String> after = new HashSet<String>();
private String phase;
private String id;
- private Map<String, Crypto> cryptoTable = new ConcurrentHashMap<String, Crypto>();
public AbstractWSS4JInterceptor() {
super();
@@ -154,56 +150,7 @@ public abstract class AbstractWSS4JInter
return MessageUtils.isRequestor(message);
}
- protected boolean decodeEnableSignatureConfirmation(RequestData reqData) throws WSSecurityException {
-
- String value = getString(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION,
- reqData.getMsgContext());
-
- //we need the default to be false to not break older applications and such
- if (value == null) {
- return false;
- }
- return super.decodeEnableSignatureConfirmation(reqData);
- }
-
- public Crypto loadSignatureCrypto(RequestData reqData)
- throws WSSecurityException {
- Crypto crypto = null;
- /*
- *Get crypto property file for signature. If none specified throw
- * fault, otherwise get a crypto instance.
- */
- String sigPropFile = getString(WSHandlerConstants.SIG_PROP_FILE,
- reqData.getMsgContext());
- String refId = null;
- if (sigPropFile != null) {
- crypto = cryptoTable.get(sigPropFile);
- if (crypto == null) {
- crypto = loadCryptoFromPropertiesFile(sigPropFile, reqData);
- cryptoTable.put(sigPropFile, crypto);
- }
- } else if (getString(WSHandlerConstants.SIG_PROP_REF_ID, reqData
- .getMsgContext()) != null) {
- /*
- * If the property file is missing then
- * look for the Properties object
- */
- refId = getString(WSHandlerConstants.SIG_PROP_REF_ID,
- reqData.getMsgContext());
- if (refId != null) {
- Object propObj = getProperty(reqData.getMsgContext(), refId);
- if (propObj instanceof Properties) {
- crypto = cryptoTable.get(refId);
- if (crypto == null) {
- crypto = CryptoFactory.getInstance((Properties)propObj);
- cryptoTable.put(refId, crypto);
- }
- }
- }
- }
- return crypto;
- }
-
+ @Override
protected Crypto loadCryptoFromPropertiesFile(String propFilename, RequestData reqData) {
ClassLoader orig = Thread.currentThread().getContextClassLoader();
try {
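Review bot: With the `decodeEnableSignatureConfirmation` override gone, the forced `false` default that the removed comment says kept older applications working is no longer guaranteed by this class; it now inherits whatever WSHandler decides, and nothing in the new code or the commit message records that the superclass default matches. A one-line comment near the new `@Override` on loadCryptoFromPropertiesFile, or in the class Javadoc, saying where signature-confirmation defaulting now lives would stop the next reader from re-adding it. The removed cryptoTable likewise hands Crypto caching to the superclass; whether it caches is outside this hunk, and loadCryptoFromPropertiesFile continues past the hunk end.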
@@ -235,78 +182,4 @@ public abstract class AbstractWSS4JInter
}
}
- protected Crypto loadDecryptionCrypto(RequestData reqData)
- throws WSSecurityException {
- Crypto crypto = null;
- String decPropFile = getString(WSHandlerConstants.DEC_PROP_FILE,
- reqData.getMsgContext());
- String refId = null;
- if (decPropFile != null) {
- crypto = cryptoTable.get(decPropFile);
- if (crypto == null) {
- crypto = loadCryptoFromPropertiesFile(decPropFile, reqData);
- cryptoTable.put(decPropFile, crypto);
- }
- } else if (getString(WSHandlerConstants.DEC_PROP_REF_ID, reqData
- .getMsgContext()) != null) {
- /*
- * If the property file is missing then
- * look for the Properties object
- */
- refId = getString(WSHandlerConstants.DEC_PROP_REF_ID,
- reqData.getMsgContext());
- if (refId != null) {
- Object propObj = getProperty(reqData.getMsgContext(), refId);
- if (propObj instanceof Properties) {
- crypto = cryptoTable.get(refId);
- if (crypto == null) {
- crypto = CryptoFactory.getInstance((Properties)propObj);
- cryptoTable.put(refId, crypto);
- }
- }
- }
- }
- return crypto;
- }
-
- protected Crypto loadEncryptionCrypto(RequestData reqData)
- throws WSSecurityException {
- Crypto crypto = null;
- /*
- * Get encryption crypto property file. If non specified take crypto
- * instance from signature, if that fails: throw fault
- */
- String encPropFile = getString(WSHandlerConstants.ENC_PROP_FILE,
- reqData.getMsgContext());
- String refId = null;
- if (encPropFile != null) {
- crypto = cryptoTable.get(encPropFile);
- if (crypto == null) {
- crypto = loadCryptoFromPropertiesFile(encPropFile, reqData);
- cryptoTable.put(encPropFile, crypto);
- }
- } else if (getString(WSHandlerConstants.ENC_PROP_REF_ID, reqData
- .getMsgContext()) != null) {
- /*
- * If the property file is missing then
- * look for the Properties object
- */
- refId = getString(WSHandlerConstants.ENC_PROP_REF_ID,
- reqData.getMsgContext());
- if (refId != null) {
- Object propObj = getProperty(reqData.getMsgContext(), refId);
- if (propObj instanceof Properties) {
- crypto = cryptoTable.get(refId);
- if (crypto == null) {
- crypto = CryptoFactory.getInstance((Properties)propObj);
- cryptoTable.put(refId, crypto);
- }
- }
- }
- } else if (reqData.getSigCrypto() == null) {
- return crypto;
- }
- return crypto;
- }
-
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java Fri Feb 11 16:33:46 2011
@@ -116,14 +116,14 @@ public class CryptoCoverageChecker exten
final Collection<WSDataRef> signed = new HashSet<WSDataRef>();
final Collection<WSDataRef> encrypted = new HashSet<WSDataRef>();
- List<Object> results = CastUtils.cast(
+ List<WSHandlerResult> results = CastUtils.cast(
(List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
- for (Object result : results) {
-
- final WSHandlerResult wshr = (WSHandlerResult) result;
- final Vector<Object> wsSecurityEngineSignResults = new Vector<Object>();
- final Vector<Object> wsSecurityEngineEncResults = new Vector<Object>();
+ for (final WSHandlerResult wshr : results) {
+ final List<WSSecurityEngineResult> wsSecurityEngineSignResults =
+ new Vector<WSSecurityEngineResult>();
+ final List<WSSecurityEngineResult> wsSecurityEngineEncResults =
+ new Vector<WSSecurityEngineResult>();
WSSecurityUtil.fetchAllActionResults(wshr.getResults(),
WSConstants.SIGN, wsSecurityEngineSignResults);
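Review bot: `new Vector<WSSecurityEngineResult>()` keeps the legacy synchronized Vector behind a List-typed local, although the rest of this commit replaces Vector with ArrayList (UsernameTokenInterceptor, WSS4JInInterceptor); `new ArrayList<WSSecurityEngineResult>()` would be consistent, would drop the Vector import, and needs only the java.util.ArrayList import. The for-each over `results` still dereferences a null RECV_RESULTS directly; that is pre-existing, but an explicit null check on `results` before the loop would fit this rewrite. The enclosing method starts before this hunk.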
@@ -131,8 +131,7 @@ public class CryptoCoverageChecker exten
WSSecurityUtil.fetchAllActionResults(wshr.getResults(),
WSConstants.ENCR, wsSecurityEngineEncResults);
- for (Object o : wsSecurityEngineSignResults) {
- WSSecurityEngineResult wser = (WSSecurityEngineResult) o;
+ for (WSSecurityEngineResult wser : wsSecurityEngineSignResults) {
List<WSDataRef> sl = CastUtils.cast((List<?>) wser
.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
@@ -149,9 +148,7 @@ public class CryptoCoverageChecker exten
}
}
- for (Object o : wsSecurityEngineEncResults) {
- WSSecurityEngineResult wser = (WSSecurityEngineResult) o;
-
+ for (WSSecurityEngineResult wser : wsSecurityEngineEncResults) {
List<WSDataRef> el = CastUtils.cast((List<?>) wser
.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java Fri Feb 11 16:33:46 2011
@@ -82,9 +82,9 @@ public final class CryptoCoverageUtil {
final WSDataRef signedRef = signedRefsIt.next();
if (isSignedEncryptionRef(encryptedRef, signedRef)) {
-
- final WSDataRef encryptedSignedRef =
- new WSDataRef(signedRef.getDataref());
+
+ final WSDataRef encryptedSignedRef = new WSDataRef();
+ encryptedSignedRef.setWsuId(signedRef.getWsuId());
encryptedSignedRef.setContent(false);
encryptedSignedRef.setName(encryptedRef.getName());
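Review bot: The rewritten construction copies only `getWsuId()` from the signed reference, whereas the old code passed `signedRef.getDataref()` to the constructor; if the new WSDataRef still distinguishes the reference URI from the wsu:Id, the new object loses that identity and later coverage matching may miss it. A short comment such as `// wsuId is the only identity field carried over; the dataref URI no longer exists on WSDataRef` (if that is indeed the case) would settle the question for the reader. The enclosing loop starts before this hunk.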
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Fri Feb 11 16:33:46 2011
@@ -27,7 +27,6 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Properties;
-import java.util.Vector;
import java.util.concurrent.ConcurrentHashMap;
import javax.xml.namespace.QName;
@@ -459,7 +458,8 @@ public class PolicyBasedWSS4JInIntercept
}
protected void doResults(SoapMessage msg, String actor,
- SOAPMessage doc, Vector results, boolean utWithCallbacks)
+ SOAPMessage doc, List<WSSecurityEngineResult> results,
+ boolean utWithCallbacks)
throws SOAPException, XMLStreamException, WSSecurityException {
AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
@@ -469,9 +469,7 @@ public class PolicyBasedWSS4JInIntercept
boolean hasEndorsement = false;
Protections prots = Protections.NONE;
- for (int j = 0; j < results.size(); j++) {
- WSSecurityEngineResult wser =
- (WSSecurityEngineResult) results.get(j);
+ for (WSSecurityEngineResult wser : results) {
Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
switch (actInt.intValue()) {
case WSConstants.SIGN:
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java Fri Feb 11 16:33:46 2011
@@ -21,14 +21,18 @@ package org.apache.cxf.ws.security.wss4j
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
+import java.util.logging.Logger;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
import org.w3c.dom.Element;
+import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
+import org.apache.cxf.common.i18n.Message;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
@@ -44,12 +48,16 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler;
import org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler;
import org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler;
+import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.message.WSSecHeader;
public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
public static final String SECURITY_PROCESSED = PolicyBasedWSS4JOutInterceptor.class.getName() + ".DONE";
public static final PolicyBasedWSS4JOutInterceptor INSTANCE = new PolicyBasedWSS4JOutInterceptor();
+ private static final Logger LOG = LogUtils.getL7dLogger(PolicyBasedWSS4JOutInterceptor.class);
+
+
private PolicyBasedWSS4JOutInterceptorInternal ending;
private SAAJOutInterceptor saajOut = new SAAJOutInterceptor();
@@ -122,7 +130,14 @@ public class PolicyBasedWSS4JOutIntercep
if (transport != null) {
WSSecHeader secHeader = new WSSecHeader(actor, mustUnderstand);
- Element el = secHeader.insertSecurityHeader(saaj.getSOAPPart());
+ Element el = null;
+ try {
+ el = secHeader.insertSecurityHeader(saaj.getSOAPPart());
+ } catch (WSSecurityException e) {
+ throw new SoapFault(
+ new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
+ );
+ }
try {
//move to end
saaj.getSOAPHeader().removeChild(el);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java Fri Feb 11 16:33:46 2011
@@ -20,11 +20,11 @@
package org.apache.cxf.ws.security.wss4j;
import java.security.Principal;
+import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
-import java.util.Vector;
import java.util.logging.Logger;
import javax.security.auth.Subject;
@@ -57,6 +57,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.UsernameToken;
import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
@@ -65,6 +66,7 @@ import org.apache.ws.security.handler.WS
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.WSSecUsernameToken;
import org.apache.ws.security.processor.UsernameTokenProcessor;
+import org.apache.ws.security.validate.Validator;
/**
*
@@ -128,12 +130,16 @@ public class UsernameTokenInterceptor ex
try {
final WSUsernameTokenPrincipal princ = getPrincipal(child, message);
if (princ != null) {
- Vector<WSSecurityEngineResult>v = new Vector<WSSecurityEngineResult>();
- v.add(0, new WSSecurityEngineResult(WSConstants.UT, princ, null, null, null));
- List<Object> results = CastUtils.cast((List)message
+ List<WSSecurityEngineResult>v = new ArrayList<WSSecurityEngineResult>();
+ int action = WSConstants.UT;
+ if (princ.getPassword() == null) {
+ action = WSConstants.UT_NOPASSWORD;
+ }
+ v.add(0, new WSSecurityEngineResult(action, princ, null, null, null));
+ List<WSHandlerResult> results = CastUtils.cast((List<?>)message
.get(WSHandlerConstants.RECV_RESULTS));
if (results == null) {
- results = new Vector<Object>();
+ results = new ArrayList<WSHandlerResult>();
message.put(WSHandlerConstants.RECV_RESULTS, results);
}
WSHandlerResult rResult = new WSHandlerResult(null, v);
@@ -166,7 +172,15 @@ public class UsernameTokenInterceptor ex
MessageUtils.getContextualBoolean(message, SecurityConstants.VALIDATE_TOKEN, true);
if (utWithCallbacks) {
UsernameTokenProcessor p = new UsernameTokenProcessor();
- return p.handleUsernameToken(tokenElement, getCallback(message));
+ Object validator =
+ message.getContextualProperty(SecurityConstants.USERNAME_TOKEN_VALIDATOR);
+ if (validator instanceof Validator) {
+ p.setValidator((Validator)validator);
+ }
+ WSDocInfo wsDocInfo = new WSDocInfo(tokenElement.getOwnerDocument());
+ List<WSSecurityEngineResult> results =
+ p.handleToken(tokenElement, null, null, getCallback(message), wsDocInfo, null);
+ return (WSUsernameTokenPrincipal)results.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
} else {
WSUsernameTokenPrincipal principal = parseTokenAndCreatePrincipal(tokenElement);
WSS4JTokenConverter.convertToken(message, principal);
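Review bot: The `if (validator instanceof Validator)` check silently falls back to the processor's default validator when `SecurityConstants.USERNAME_TOKEN_VALIDATOR` is set to something that is not a Validator (a String class name or a typo, for instance), so a deployment that believes its custom validation is active would authenticate with the default one; an `else if (validator != null)` branch that logs a warning or throws would surface the misconfiguration. `results.get(0)` also assumes `handleToken` returned a non-empty list, and an empty list raises IndexOutOfBoundsException rather than a WSSecurityException. getPrincipal starts before this hunk.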
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1069865&r1=1069864&r2=1069865&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Fri Feb 11 16:33:46 2011
@@ -20,11 +20,10 @@ package org.apache.cxf.ws.security.wss4j
import java.io.IOException;
import java.security.Principal;
-import java.security.cert.X509Certificate;
+import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.Vector;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -63,14 +62,14 @@ import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.token.SecurityTokenReference;
-import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.processor.Processor;
import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.ws.security.validate.NoOpValidator;
+import org.apache.ws.security.validate.Validator;
/**
* Performs WS-Security inbound actions.
@@ -83,6 +82,7 @@ public class WSS4JInInterceptor extends
public static final String SIGNATURE_RESULT = "wss4j.signature.result";
public static final String PRINCIPAL_RESULT = "wss4j.principal.result";
public static final String PROCESSOR_MAP = "wss4j.processor.map";
+ public static final String VALIDATOR_MAP = "wss4j.validator.map";
public static final String SECURITY_PROCESSED = WSS4JInInterceptor.class.getName() + ".DONE";
@@ -113,10 +113,21 @@ public class WSS4JInInterceptor extends
public WSS4JInInterceptor(Map<String, Object> properties) {
this();
setProperties(properties);
- final Map<QName, Object> map = CastUtils.cast(
- (Map)properties.get(PROCESSOR_MAP));
- if (map != null) {
- secEngineOverride = createSecurityEngine(map);
+ final Map<QName, Object> processorMap = CastUtils.cast(
+ (Map<?, ?>)properties.get(PROCESSOR_MAP));
+ final Map<QName, Object> validatorMap = CastUtils.cast(
+ (Map<?, ?>)properties.get(VALIDATOR_MAP));
+
+ if (processorMap != null) {
+ if (validatorMap != null) {
+ processorMap.putAll(validatorMap);
+ }
+ secEngineOverride = createSecurityEngine(processorMap);
+ } else if (validatorMap != null) {
+ if (processorMap != null) {
+ validatorMap.putAll(processorMap);
+ }
+ secEngineOverride = createSecurityEngine(validatorMap);
}
}
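Review bot: In the constructor the inner `if (processorMap != null)` inside the `else if (validatorMap != null)` branch can never be true, because that branch is only reached when processorMap is null; and `processorMap.putAll(validatorMap)` mutates the map the caller supplied through the properties, so a shared configuration map is changed as a side effect of constructing an interceptor. Merging both maps into a fresh local removes the dead branch and the mutation while keeping validator entries overriding processor entries for the same QName.
```java
    public WSS4JInInterceptor(Map<String, Object> properties) {
        this();
        setProperties(properties);
        final Map<QName, Object> processorMap = CastUtils.cast(
            (Map<?, ?>)properties.get(PROCESSOR_MAP));
        final Map<QName, Object> validatorMap = CastUtils.cast(
            (Map<?, ?>)properties.get(VALIDATOR_MAP));

        // Merge into a fresh map so the caller-supplied maps are never mutated;
        // validator entries win over processor entries for the same QName.
        if (processorMap != null || validatorMap != null) {
            final Map<QName, Object> merged = new HashMap<QName, Object>();
            if (processorMap != null) {
                merged.putAll(processorMap);
            }
            if (validatorMap != null) {
                merged.putAll(validatorMap);
            }
            secEngineOverride = createSecurityEngine(merged);
        }
    }
```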
@@ -188,6 +199,7 @@ public class WSS4JInInterceptor extends
}
RequestData reqData = new RequestData();
+ reqData.setWssConfig(engine.getWssConfig());
/*
* The overall try, just to have a finally at the end to perform some
* housekeeping.
@@ -195,7 +207,7 @@ public class WSS4JInInterceptor extends
try {
reqData.setMsgContext(msg);
computeAction(msg, reqData);
- Vector actions = new Vector();
+ List<Integer> actions = new ArrayList<Integer>();
String action = getAction(msg, version);
int doAction = WSSecurityUtil.decodeAction(action, actions);
@@ -203,6 +215,11 @@ public class WSS4JInInterceptor extends
String actor = (String)getOption(WSHandlerConstants.ACTOR);
CallbackHandler cbHandler = getCallback(reqData, doAction, utWithCallbacks);
+
+ String passwordTypeStrict = (String)getOption(WSHandlerConstants.PASSWORD_TYPE_STRICT);
+ if (passwordTypeStrict == null) {
+ setProperty(WSHandlerConstants.PASSWORD_TYPE_STRICT, "true");
+ }
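Review bot: `setProperty(WSHandlerConstants.PASSWORD_TYPE_STRICT, "true")` runs inside the per-message processing path, so handler-level state is mutated while a request is being handled rather than once at configuration time; moving the default into the constructor or setProperties keeps the request path read-only, assuming setProperty writes to the same option store that getOption reads. The line also deserves a comment stating the intent, e.g. `// Default to strict password-type checking so a token whose password type differs from the configured one is rejected`. The enclosing method starts and ends outside this hunk.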
/*
* Get and check the Signature specific parameters first because
@@ -210,12 +227,11 @@ public class WSS4JInInterceptor extends
*/
doReceiverAction(doAction, reqData);
- Vector wsResult = null;
if (doTimeLog) {
t1 = System.currentTimeMillis();
}
- wsResult = engine.processSecurityHeader(
+ List<WSSecurityEngineResult> wsResult = engine.processSecurityHeader(
doc.getSOAPPart(),
actor,
cbHandler,
@@ -232,14 +248,14 @@ public class WSS4JInInterceptor extends
checkSignatureConfirmation(reqData, wsResult);
}
- checkSignatures(msg, reqData, wsResult);
- checkTimestamps(msg, reqData, wsResult);
+ storeSignature(msg, reqData, wsResult);
+ storeTimestamp(msg, reqData, wsResult);
checkActions(msg, reqData, wsResult, actions);
doResults(msg, actor, doc, wsResult, utWithCallbacks);
} else { // no security header found
- // Create an empty result vector to pass into the required validation
+ // Create an empty result list to pass into the required validation
// methods.
- wsResult = new Vector<Object>();
+ wsResult = new ArrayList<WSSecurityEngineResult>();
if (doc.getSOAPPart().getEnvelope().getBody().hasFault()) {
LOG.warning("Request does not contain Security header, "
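Review bot: The renames to `storeSignature` and `storeTimestamp` (from checkSignatures/checkTimestamps) signal that certificate-trust and timestamp checks no longer happen at this call site, yet nothing here says where they now occur; a comment such as `// trust and timestamp validation now happens inside processSecurityHeader; these calls only record results for the later policy checks` (if that is the intent) would keep the inbound security flow traceable. Without it a reader comparing old and new names could assume the inbound path simply lost the trust verification. The enclosing method starts and ends outside this hunk.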
@@ -287,8 +303,12 @@ public class WSS4JInInterceptor extends
}
}
- private void checkActions(SoapMessage msg, RequestData reqData, Vector wsResult, Vector actions)
- throws WSSecurityException {
+ private void checkActions(
+ SoapMessage msg,
+ RequestData reqData,
+ List<WSSecurityEngineResult> wsResult,
+ List<Integer> actions
+ ) throws WSSecurityException {
/*
* now check the security actions: do they match, in any order?
*/
@@ -297,76 +317,31 @@ public class WSS4JInInterceptor extends
throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
}
}
- private void checkSignatures(SoapMessage msg, RequestData reqData, Vector wsResult)
- throws WSSecurityException {
- /*
- * Now we can check the certificate used to sign the message. In the
- * following implementation the certificate is only trusted if
- * either it itself or the certificate of the issuer is installed in
- * the keystore. Note: the method verifyTrust(X509Certificate)
- * allows custom implementations with other validation algorithms
- * for subclasses.
- */
-
- // Extract the signature action result from the action vector
- Vector signatureResults = new Vector();
+
+ private void storeSignature(
+ SoapMessage msg, RequestData reqData, List<WSSecurityEngineResult> wsResult
+ ) throws WSSecurityException {
+ // Extract the signature action result from the action list
+ List<WSSecurityEngineResult> signatureResults = new ArrayList<WSSecurityEngineResult>();
signatureResults =
WSSecurityUtil.fetchAllActionResults(wsResult, WSConstants.SIGN, signatureResults);
+ // Store the last signature result
if (!signatureResults.isEmpty()) {
- for (int i = 0; i < signatureResults.size(); i++) {
- WSSecurityEngineResult result =
- (WSSecurityEngineResult) signatureResults.get(i);
-
- //
- // Verify the certificate chain associated with signature verification if
- // it exists. If it does not, then try to verify the (single) certificate
- // used for signature verification
- //
- X509Certificate returnCert = (X509Certificate)result
- .get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
- X509Certificate[] returnCertChain = (X509Certificate[])result
- .get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
-
- if (returnCertChain != null && !verifyTrust(returnCertChain, reqData)) {
- LOG.warning("The certificate chain used for the signature is not trusted");
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
- } else if (returnCert != null && !verifyTrust(returnCert, reqData)) {
- LOG.warning("The certificate used for the signature is not trusted");
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
- }
- msg.put(SIGNATURE_RESULT, result);
- }
+ msg.put(SIGNATURE_RESULT, signatureResults.get(signatureResults.size() - 1));
}
}
- protected void checkTimestamps(SoapMessage msg, RequestData reqData, Vector wsResult)
- throws WSSecurityException {
- /*
- * Perform further checks on the timestamp that was transmitted in
- * the header. In the following implementation the timestamp is
- * valid if it was created after (now-ttl), where ttl is set on
- * server side, not by the client. Note: the method
- * verifyTimestamp(Timestamp) allows custom implementations with
- * other validation algorithms for subclasses.
- */
- // Extract the timestamp action result from the action vector
- Vector timestampResults = new Vector();
+ private void storeTimestamp(
+ SoapMessage msg, RequestData reqData, List<WSSecurityEngineResult> wsResult
+ ) throws WSSecurityException {
+ // Extract the timestamp action result from the action list
+ List<WSSecurityEngineResult> timestampResults = new ArrayList<WSSecurityEngineResult>();
timestampResults =
WSSecurityUtil.fetchAllActionResults(wsResult, WSConstants.TS, timestampResults);
if (!timestampResults.isEmpty()) {
- for (int i = 0; i < timestampResults.size(); i++) {
- WSSecurityEngineResult result =
- (WSSecurityEngineResult) timestampResults.get(i);
- Timestamp timestamp = (Timestamp)result.get(WSSecurityEngineResult.TAG_TIMESTAMP);
-
- if (timestamp != null && !verifyTimestamp(timestamp, decodeTimeToLive(reqData))) {
- LOG.warning("The timestamp could not be validated");
- throw new WSSecurityException(WSSecurityException.MESSAGE_EXPIRED);
- }
- msg.put(TIMESTAMP_RESULT, result);
- }
+ msg.put(TIMESTAMP_RESULT, timestampResults.get(timestampResults.size() - 1));
}
}
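Review bot: `storeSignature` and `storeTimestamp` keep the `RequestData reqData` parameter and the `throws WSSecurityException` clause of the methods they replace although neither is used any more, and they drop the certificate-trust check (`verifyTrust`) and the time-to-live check (`verifyTimestamp`) without recording where that validation now happens; presumably the WSS4J 1.6 engine performs it during `processSecurityHeader`, but a reader of this class can no longer tell. Suggest a comment on each method, e.g. `// Records the last SIGN result only; certificate trust is verified by the security engine, not here`, and the equivalent wording about timestamp freshness for `storeTimestamp`. The `new ArrayList<WSSecurityEngineResult>()` that is assigned and immediately overwritten by the `fetchAllActionResults(...)` return value can be folded into the call, `List<WSSecurityEngineResult> signatureResults = WSSecurityUtil.fetchAllActionResults(wsResult, WSConstants.SIGN, new ArrayList<WSSecurityEngineResult>());`, and likewise for the timestamp list. The corresponding call-site rename is in the hunk at @@ -232.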
@@ -381,20 +356,23 @@ public class WSS4JInInterceptor extends
}
- protected void doResults(SoapMessage msg, String actor, SOAPMessage doc, Vector wsResult)
- throws SOAPException, XMLStreamException, WSSecurityException {
+ protected void doResults(
+ SoapMessage msg, String actor, SOAPMessage doc, List<WSSecurityEngineResult> wsResult
+ ) throws SOAPException, XMLStreamException, WSSecurityException {
doResults(msg, actor, doc, wsResult, false);
}
- protected void doResults(SoapMessage msg, String actor, SOAPMessage doc, Vector wsResult,
- boolean utWithCallbacks) throws SOAPException, XMLStreamException, WSSecurityException {
+ protected void doResults(
+ SoapMessage msg, String actor, SOAPMessage doc, List<WSSecurityEngineResult> wsResult,
+ boolean utWithCallbacks
+ ) throws SOAPException, XMLStreamException, WSSecurityException {
/*
* All ok up to this point. Now construct and setup the security result
* structure. The service may fetch this and check it.
*/
- List<Object> results = CastUtils.cast((List)msg.get(WSHandlerConstants.RECV_RESULTS));
+ List<WSHandlerResult> results = CastUtils.cast((List<?>)msg.get(WSHandlerConstants.RECV_RESULTS));
if (results == null) {
- results = new Vector<Object>();
+ results = new ArrayList<WSHandlerResult>();
msg.put(WSHandlerConstants.RECV_RESULTS, results);
}
WSHandlerResult rResult = new WSHandlerResult(actor, wsResult);
@@ -412,23 +390,7 @@ public class WSS4JInInterceptor extends
i++;
}
msg.setContent(XMLStreamReader.class, reader);
- String pwType = (String)getProperty(msg, "passwordType");
- if ("PasswordDigest".equals(pwType)) {
- //CXF-2150 - we need to check the UsernameTokens
- for (WSSecurityEngineResult o : CastUtils.cast(wsResult, WSSecurityEngineResult.class)) {
- Integer actInt = (Integer)o.get(WSSecurityEngineResult.TAG_ACTION);
- if (actInt == WSConstants.UT) {
- WSUsernameTokenPrincipal princ
- = (WSUsernameTokenPrincipal)o.get(WSSecurityEngineResult.TAG_PRINCIPAL);
- if (!princ.isPasswordDigest()) {
- LOG.warning("Non-digest UsernameToken found, but digest required");
- throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
- }
- }
- }
- }
-
- for (WSSecurityEngineResult o : CastUtils.cast(wsResult, WSSecurityEngineResult.class)) {
+ for (WSSecurityEngineResult o : wsResult) {
final Principal p = (Principal)o.get(WSSecurityEngineResult.TAG_PRINCIPAL);
if (p != null) {
msg.put(PRINCIPAL_RESULT, p);
@@ -483,7 +445,7 @@ public class WSS4JInInterceptor extends
String id = pc.getIdentifier();
- if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(pc.getKeyType())) {
+ if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(pc.getType())) {
for (SecurityToken token : store.getValidTokens()) {
if (id.equals(token.getSHA1())) {
pc.setKey(token.getSecret());
@@ -508,7 +470,8 @@ public class WSS4JInInterceptor extends
protected CallbackHandler getCallback(RequestData reqData, int doAction, boolean utWithCallbacks)
throws WSSecurityException {
- if (!utWithCallbacks && (doAction & WSConstants.UT) != 0) {
+ if (!utWithCallbacks
+ && ((doAction & WSConstants.UT) != 0 || (doAction & WSConstants.UT_NOPASSWORD) != 0)) {
CallbackHandler pwdCallback = null;
try {
pwdCallback = getCallback(reqData, doAction);
@@ -575,9 +538,6 @@ public class WSS4JInInterceptor extends
* construction); otherwise, it is taken to be the default
* WSSecEngine instance (currently defined in the WSHandler
* base class).
- *
- * TODO the WSHandler base class defines secEngine to be static, which
- * is really bad, because the engine has mutable state on it.
*/
protected WSSecurityEngine getSecurityEngine(boolean utWithCallbacks) {
if (secEngineOverride != null) {
@@ -585,10 +545,9 @@ public class WSS4JInInterceptor extends
}
if (!utWithCallbacks) {
- Map<QName, Object> profiles = new HashMap<QName, Object>(3);
- Processor processor = new UsernameTokenProcessorWithoutCallbacks();
- profiles.put(new QName(WSConstants.WSSE_NS, WSConstants.USERNAME_TOKEN_LN), processor);
- profiles.put(new QName(WSConstants.WSSE11_NS, WSConstants.USERNAME_TOKEN_LN), processor);
+ Map<QName, Object> profiles = new HashMap<QName, Object>(1);
+ Validator validator = new NoOpValidator();
+ profiles.put(WSSecurityEngine.USERNAME_TOKEN, validator);
return createSecurityEngine(profiles);
}
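Review bot: Registering `NoOpValidator` for `WSSecurityEngine.USERNAME_TOKEN` means the engine parses a UsernameToken without validating its password whenever `utWithCallbacks` is false, and nothing in the hunk says where that validation is expected to happen instead; the removed `UsernameTokenProcessorWithoutCallbacks` at least carried that intent in its name. Suggest `// NoOpValidator: the token is parsed but its password is not verified by the engine; authentication must be performed downstream` above the `new NoOpValidator()` line. getSecurityEngine continues outside the hunk.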
@@ -599,9 +558,6 @@ public class WSS4JInInterceptor extends
* @return a freshly minted WSSecurityEngine instance, using the
* (non-null) processor map, to be used to initialize the
* WSSecurityEngine instance.
- *
- * TODO The WSS4J APIs leave something to be desired here, but hopefully
- * we'll clean all this up in WSS4J-2.0
*/
protected static WSSecurityEngine
createSecurityEngine(
@@ -612,17 +568,14 @@ public class WSS4JInInterceptor extends
for (Map.Entry<QName, Object> entry : map.entrySet()) {
final QName key = entry.getKey();
Object val = entry.getValue();
-
- if (val instanceof String) {
- String valStr = ((String)val).trim();
- if ("null".equals(valStr) || valStr.length() == 0) {
- valStr = null;
- }
- config.setProcessor(key, valStr);
+ if (val instanceof Class<?>) {
+ config.setProcessor(key, (Class<?>)val);
} else if (val instanceof Processor) {
config.setProcessor(key, (Processor)val);
+ } else if (val instanceof Validator) {
+ config.setValidator(key, (Validator)val);
} else if (val == null) {
- config.setProcessor(key, (String)val);
+ config.setProcessor(key, (Class<?>)val);
}
}
final WSSecurityEngine ret = new WSSecurityEngine();
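Review bot: A map value that is neither a `Class<?>`, a `Processor`, a `Validator` nor `null` now falls through the `if`/`else if` chain with no effect and no diagnostic, whereas the removed `String` branch used to accept class names; a custom processor or validator still configured as a string is therefore silently not installed. Suggest a final `else { throw new IllegalArgumentException("Unsupported processor/validator for " + key + ": " + val.getClass().getName()); }`, or at least a warning log, so a misconfiguration is visible rather than quietly weakening the engine. The `config.setProcessor(key, (Class<?>)val)` in the `val == null` branch casts a known null only to pick an overload; writing it as `config.setProcessor(key, (Class<?>)null)` with a comment on what a null processor means for that key would make the intent explicit, which the hunk does not show. createSecurityEngine begins outside the hunk.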