Posted to commits@cxf.apache.org by co...@apache.org on 2012/12/21 13:02:58 UTC
svn commit: r1424885 - in /cxf/branches/2.5.x-fixes:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/ s...
Author: coheigea
Date: Fri Dec 21 12:02:58 2012
New Revision: 1424885
URL: http://svn.apache.org/viewvc?rev=1424885&view=rev
Log:
Merged revisions 1424856 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1424856 | coheigea | 2012-12-21 10:42:07 +0000 (Fri, 21 Dec 2012) | 2 lines
[CXF-4718] - UsernameTokenInterceptor is not caching nonces
........
Conflicts:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Added:
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
Modified:
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java?rev=1424885&r1=1424884&r2=1424885&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java Fri Dec 21 12:02:58 2012
@@ -63,6 +63,7 @@ import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
+import org.apache.ws.security.cache.ReplayCache;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
@@ -189,6 +190,14 @@ public class UsernameTokenInterceptor ex
return (Validator)validator;
}
};
+
+ // Configure replay caching
+ ReplayCache nonceCache =
+ WSS4JUtils.getReplayCache(
+ message, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
+ );
+ data.setNonceReplayCache(nonceCache);
+
WSSConfig config = WSSConfig.getNewInstance();
config.setWsiBSPCompliant(bspCompliant);
data.setWssConfig(config);
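Review bot: The replay detection wired in here is opt-in rather than on by default: `WSS4JUtils.getReplayCache` (added in this commit) returns null unless `SecurityConstants.ENABLE_NONCE_CACHE` resolves to a contextual property that is true, so a service that leaves the property unset ends up calling `data.setNonceReplayCache(null)` and presumably gets no nonce checking at all. A hashed UsernameToken without nonce caching stays replayable (subject to whatever Created-timestamp validation WSS4J applies), so the block deserves a comment making the opt-in explicit, e.g. `// Nonce replay detection only runs when ws-security.enable.nonce.cache is true; nonceCache is null otherwise`. It is worth considering whether the service side should default this property to true, since the test configuration has to set it explicitly to exercise the fix. The enclosing method starts and ends outside this hunk.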
Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1424885&r1=1424884&r2=1424885&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Fri Dec 21 12:02:58 2012
@@ -65,10 +65,8 @@ import org.apache.cxf.phase.Phase;
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.security.LoginSecurityContext;
import org.apache.cxf.security.SecurityContext;
-import org.apache.cxf.service.model.EndpointInfo;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.cache.ReplayCacheFactory;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.ws.security.CustomTokenPrincipal;
@@ -743,37 +741,9 @@ public class WSS4JInInterceptor extends
protected ReplayCache getReplayCache(
SoapMessage message, String booleanKey, String instanceKey
) {
- Object o = message.getContextualProperty(booleanKey);
- if (o == null || !MessageUtils.isTrue(o)) {
- return null;
- }
-
- Endpoint ep = message.getExchange().get(Endpoint.class);
- if (ep != null && ep.getEndpointInfo() != null) {
- EndpointInfo info = ep.getEndpointInfo();
- synchronized (info) {
- ReplayCache replayCache =
- (ReplayCache)message.getContextualProperty(instanceKey);
- if (replayCache == null) {
- replayCache = (ReplayCache)info.getProperty(instanceKey);
- }
- if (replayCache == null) {
- ReplayCacheFactory replayCacheFactory = ReplayCacheFactory.newInstance();
- String cacheKey = instanceKey;
- if (info.getName() != null) {
- cacheKey += "-" + info.getName().toString().hashCode();
- }
- replayCache = replayCacheFactory.newReplayCache(cacheKey, message);
- info.setProperty(instanceKey, replayCache);
- }
- return replayCache;
- }
- }
- return null;
+ return WSS4JUtils.getReplayCache(message, booleanKey, instanceKey);
}
-
-
/**
* Create a SoapFault from a WSSecurityException, following the SOAP Message Security
* 1.1 specification, chapter 12 "Error Handling".
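Review bot: The `protected` `getReplayCache` hook is kept for subclasses but has no Javadoc, and after this change its behaviour is defined entirely by `WSS4JUtils.getReplayCache`, which returns null whenever `booleanKey` does not resolve to true. A short Javadoc stating the delegation and the null-when-disabled contract would prevent overriders from assuming a cache is always returned, e.g. `/** Delegates to {@link WSS4JUtils#getReplayCache}; returns null unless booleanKey is contextually true, in which case no replay detection is applied for that key. */`. The old inlined lookup (contextual property, then EndpointInfo property, then factory) is preserved in the utility, so existing overriders should see no behavioural change as far as this hunk shows.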
Added: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java?rev=1424885&view=auto
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java (added)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java Fri Dec 21 12:02:58 2012
@@ -0,0 +1,82 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.wss4j;
+
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.endpoint.Endpoint;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.service.model.EndpointInfo;
+import org.apache.cxf.ws.security.cache.ReplayCacheFactory;
+import org.apache.ws.security.cache.ReplayCache;
+
+/**
+ * Some common functionality that can be shared between the WSS4JInInterceptor and the
+ * UsernameTokenInterceptor.
+ */
+public final class WSS4JUtils {
+
+ private WSS4JUtils() {
+ // complete
+ }
+
+ /**
+ * Get a ReplayCache instance. It first checks to see whether caching has been explicitly
+ * enabled or disabled via the booleanKey argument. If it has been set to false then no
+ * replay caching is done (for this booleanKey). If it has not been specified, then caching
+ * is enabled only if we are not the initiator of the exchange. If it has been specified, then
+ * caching is enabled.
+ *
+ * It tries to get an instance of ReplayCache via the instanceKey argument from a
+ * contextual property, and failing that the message exchange. If it can't find any, then it
+ * defaults to using an EH-Cache instance and stores that on the message exchange.
+ */
+ public static ReplayCache getReplayCache(
+ SoapMessage message, String booleanKey, String instanceKey
+ ) {
+ Object o = message.getContextualProperty(booleanKey);
+ if (o == null || !MessageUtils.isTrue(o)) {
+ return null;
+ }
+
+ Endpoint ep = message.getExchange().get(Endpoint.class);
+ if (ep != null && ep.getEndpointInfo() != null) {
+ EndpointInfo info = ep.getEndpointInfo();
+ synchronized (info) {
+ ReplayCache replayCache =
+ (ReplayCache)message.getContextualProperty(instanceKey);
+ if (replayCache == null) {
+ replayCache = (ReplayCache)info.getProperty(instanceKey);
+ }
+ if (replayCache == null) {
+ ReplayCacheFactory replayCacheFactory = ReplayCacheFactory.newInstance();
+ String cacheKey = instanceKey;
+ if (info.getName() != null) {
+ cacheKey += "-" + info.getName().toString().hashCode();
+ }
+ replayCache = replayCacheFactory.newReplayCache(cacheKey, message);
+ info.setProperty(instanceKey, replayCache);
+ }
+ return replayCache;
+ }
+ }
+ return null;
+ }
+
+
+}
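Review bot: The Javadoc on `getReplayCache` contradicts the code in two security-relevant ways: it says that when the boolean key is not specified caching is enabled for non-initiators, but `if (o == null || !MessageUtils.isTrue(o)) { return null; }` disables caching whenever the key is absent and there is no initiator check anywhere in the method; and it says a newly created cache is stored on the message exchange, while `info.setProperty(instanceKey, replayCache)` stores it on the `EndpointInfo`. A deployer reading the Javadoc would conclude replay protection is on by default for services when it is in fact opt-in. Rewrite the second and third paragraphs to state that a null return means no replay caching, that this happens unless the boolean property is explicitly true, that lookup order is contextual property then `EndpointInfo` property, and that a cache created via `ReplayCacheFactory` (the code does not show it is EH-Cache) is kept on the `EndpointInfo` under `instanceKey`. A minor point: the cache key is derived from `info.getName().toString().hashCode()`, so two endpoints whose QNames collide on `hashCode` would share one cache if the factory keys caches by that string; if the factory accepts arbitrary key strings, using `toString()` directly avoids the (unlikely) collision.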
Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java?rev=1424885&r1=1424884&r2=1424885&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java Fri Dec 21 12:02:58 2012
@@ -283,4 +283,43 @@ public class UsernameTokenTest extends A
bus.shutdown(true);
}
+ // In this test, the service is using the UsernameTokenInterceptor, but the
+ // client is using the WSS4JOutInterceptor
+ @org.junit.Test
+ public void testPasswordHashedNoBindingReplay() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = UsernameTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = UsernameTokenTest.class.getResource("DoubleItUt.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+
+ QName portQName = new QName(NAMESPACE, "DoubleItDigestNoBindingPort");
+ DoubleItPortType utPort =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(utPort, PORT);
+
+ Client cxfClient = ClientProxy.getClient(utPort);
+ SecurityHeaderCacheInterceptor cacheInterceptor =
+ new SecurityHeaderCacheInterceptor();
+ cxfClient.getOutInterceptors().add(cacheInterceptor);
+
+ // Make two invocations with the same UsernameToken
+ utPort.doubleIt(25);
+ try {
+ utPort.doubleIt(25);
+ fail("Failure expected on a replayed UsernameToken");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ String error = "A replay attack has been detected";
+ assertTrue(ex.getMessage().contains(error));
+ }
+
+ ((java.io.Closeable)utPort).close();
+ bus.shutdown(true);
+ }
+
}
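Review bot: The test proves the replayed token is rejected but never shows that the service still accepts a fresh token afterwards, so a regression in which the nonce cache rejects every request after the first (or a misconfigured cache that rejects unconditionally) would pass. After the catch block, drop the caching interceptor and make one more call that must succeed: `cxfClient.getOutInterceptors().remove(cacheInterceptor);` followed by `utPort.doubleIt(25);` (assuming the out-interceptor chain is rebuilt per invocation so the removal takes effect). The header comment also says the client uses the WSS4JOutInterceptor, while client.xml configures this port through `<p:policies>`; if the policy-driven path is what is actually exercised, adjust the comment so it matches the configuration.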
Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl?rev=1424885&r1=1424884&r2=1424885&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl Fri Dec 21 12:02:58 2012
@@ -179,6 +179,22 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItInlinePolicyBinding2" type="tns:DoubleItPortType">
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItPlaintextPort" binding="tns:DoubleItPlaintextBinding">
@@ -205,6 +221,9 @@
<wsdl:port name="DoubleItInlinePolicyPort" binding="tns:DoubleItInlinePolicyBinding">
<soap:address location="https://localhost:9009/DoubleItUTInlinePolicy" />
</wsdl:port>
+ <wsdl:port name="DoubleItDigestNoBindingPort" binding="tns:DoubleItInlinePolicyBinding2">
+ <soap:address location="https://localhost:9009/DoubleItUTDigestNoBinding" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItPlaintextPolicy">
@@ -493,7 +512,7 @@
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
-
+
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>
Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml?rev=1424885&r1=1424884&r2=1424885&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml Fri Dec 21 12:02:58 2012
@@ -179,4 +179,63 @@
</jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItDigestNoBindingPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="Alice"/>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <wsp:Policy wsu:Id="NoUsernameToken"
+ xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:TransportBinding>
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken>
+ <wsp:Policy/>
+ </sp:HttpsToken>
+ </wsp:Policy>
+ </sp:TransportToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <sp:SupportingTokens>
+ <wsp:Policy>
+ <sp:UsernameToken
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:HashPassword/>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:SupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </p:policies>
+ </jaxws:features>
+ </jaxws:client>
+
</beans>
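Review bot: The nested policy's `wsu:Id="NoUsernameToken"` names a policy whose whole purpose is to require a HashPassword UsernameToken over HTTPS, which will mislead anyone grepping the test configurations for UsernameToken coverage. Nothing in this commit references the Id, so if nothing elsewhere does either, rename it to something like `wsu:Id="DigestUsernameTokenOverHttps"`, or drop the attribute, since an inline nested policy most likely does not need one.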
Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml?rev=1424885&r1=1424884&r2=1424885&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml (original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml Fri Dec 21 12:02:58 2012
@@ -261,4 +261,46 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="HashedNoBinding"
+ address="https://localhost:${testutil.ports.Server}/DoubleItUTDigestNoBinding"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItDigestNoBindingPort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl"
+ depends-on="tls-settings">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+ <entry key="ws-security.enable.nonce.cache" value="true"/>
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <wsp:Policy>
+ <sp:SupportingTokens
+ xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:UsernameToken
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:HashPassword/>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:SupportingTokens>
+ </wsp:Policy>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </p:policies>
+ </jaxws:features>
+
+ </jaxws:endpoint>
+
</beans>
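Review bot: The `ws-security.enable.nonce.cache` entry is what turns on the replay detection this commit adds — `WSS4JUtils.getReplayCache` returns null when the property is absent — yet nothing in the config says so, and a copy of this endpoint that omits the line would silently lose replay protection for the hashed UsernameToken. Add a comment beside it: `<!-- Required for nonce replay detection: without it UsernameTokenInterceptor gets a null nonce cache and replayed tokens are presumably accepted -->`. Note also that, unlike the client policy, this server policy carries no TransportBinding, so the UsernameToken is the only assertion the policy enforces; the https address supplies transport protection, but the policy does not require it.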