Posted to fx-dev@ws.apache.org by we...@apache.org on 2004/06/23 21:14:28 UTC
cvs commit: ws-fx/wss4j/src/org/apache/ws/security/util WSSecurityUtil.java
werner 2004/06/23 12:14:28
Modified: wss4j/src/org/apache/ws/security/message
EnvelopeIdResolver.java
wss4j/src/org/apache/ws/security WSSecurityEngine.java
WSSecurityEngineResult.java
wss4j/src/org/apache/ws/security/util WSSecurityUtil.java
Log:
For Signature actions the WSSecurityEngine now returns the QNames of
the signed Elements in the result structure.
Revision Changes Path
1.3 +7 -35 ws-fx/wss4j/src/org/apache/ws/security/message/EnvelopeIdResolver.java
Index: EnvelopeIdResolver.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/message/EnvelopeIdResolver.java,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- EnvelopeIdResolver.java 28 Mar 2004 17:48:39 -0000 1.2
+++ EnvelopeIdResolver.java 23 Jun 2004 19:14:28 -0000 1.3
@@ -27,8 +27,7 @@
import org.apache.xml.security.utils.resolver.ResourceResolverException;
import org.apache.xml.security.utils.resolver.ResourceResolverSpi;
import org.apache.xml.utils.URI;
-// import org.apache.xpath.CachedXPathAPI;
-import org.apache.xpath.XPathAPI;
+
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -96,7 +95,6 @@
// Xalan fix for catching all namespaces
XMLUtils.circumventBug2650(doc);
-// CachedXPathAPI cXPathAPI = new CachedXPathAPI();
/*
* URI="#chapter1"
@@ -122,44 +120,18 @@
BaseURI);
}
String cId = selectedElem.getAttributeNS(WSConstants.WSU_NS, "Id");
-// if ((cId == null) || (cId.length() == 0)) {
-// cId = selectedElem.getAttributeNS(WSConstants.SOAP_SEC_NS, "id");
-// }
/*
* If Body Id match fails, look for a generic Id (without a namespace)
* that matches the URI. If that lookup fails, try to get a namespace
- * qualified Id that matches the URI. The lookup uses a wildcard
- * namespace. This lookup is not bound to s specific namespace prefix
- * but accepts all prefixes.
- *
- * Then loop over the result set and try to get the namespace
- * qualified Id (WSU_NS).
+ * qualified Id that matches the URI.
*/
if (!id.equals(cId)) {
cId = null;
- try {
- if ((selectedElem =
- (Element) XPathAPI.selectSingleNode(
- doc,
- "//*[@Id='" + id + "']"))
- != null) {
- cId = selectedElem.getAttribute("Id");
- }
- else if ((selectedElem =
- (Element) XPathAPI.selectSingleNode(
- doc,
- "//*[@wsu:Id='" + id + "']",
- WSSecurityUtil.createNamespaceContext(doc)))
- != null) {
- cId = selectedElem.getAttribute("Id");
- }
- }
- catch (javax.xml.transform.TransformerException ex) {
- throw new ResourceResolverException(
- "generic.EmptyMessage",
- ex,
- uri,
- BaseURI);
+
+ if ((selectedElem = WSSecurityUtil.getElementByWsuId(doc, uriNodeValue)) != null) {
+ cId = selectedElem.getAttribute("Id");
+ } else if ((selectedElem = WSSecurityUtil.getElementByGenId(doc, uriNodeValue)) != null) {
+ cId = selectedElem.getAttribute("Id");
}
if (cId == null) {
throw new ResourceResolverException(
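Review bot: In the added wsu:Id branch `if ((selectedElem = WSSecurityUtil.getElementByWsuId(doc, uriNodeValue)) != null)` the id is then read with the unqualified `cId = selectedElem.getAttribute("Id");`, which matches attributes by their qualified name and so, for an element found only by its `wsu:Id`, yields an empty string rather than the id, and the `if (cId == null)` test below does not catch that; reading it as `cId = selectedElem.getAttributeNS(WSConstants.WSU_NS, "Id");`, as the Body check a few lines up already does, keeps the two branches consistent (the removed XPath code carried the same mismatch, so this is inherited rather than new). The comment kept above the block still describes the old order, a generic Id first and the namespace-qualified Id second, whereas the new code tries the wsu:Id first; `look first for a wsu:Id and then for a generic Id that matches the URI` would describe what the code does. How cId is used after the null check, and the rest of the enclosing method, lie outside the hunk.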
1.26 +50 -31 ws-fx/wss4j/src/org/apache/ws/security/WSSecurityEngine.java
Index: WSSecurityEngine.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/WSSecurityEngine.java,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- WSSecurityEngine.java 19 Jun 2004 20:29:55 -0000 1.25
+++ WSSecurityEngine.java 23 Jun 2004 19:14:28 -0000 1.26
@@ -38,6 +38,8 @@
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.signature.XMLSignature;
+import org.apache.xml.security.signature.SignedInfo;
+import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.XMLSignatureException;
import org.apache.xml.security.utils.Base64;
@@ -315,8 +317,9 @@
}
WSDocInfoStore.store(wsDocInfo);
X509Certificate[] returnCert = new X509Certificate[1];
+ Vector returnQname[] = new Vector[1];
try {
- lastPrincipalFound = verifyXMLSignature((Element) elem, sigCrypto, returnCert);
+ lastPrincipalFound = verifyXMLSignature((Element) elem, sigCrypto, returnCert, returnQname);
}
catch (WSSecurityException ex) {
throw ex;
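Review bot: The new local is declared with the C-style array suffix `Vector returnQname[] = new Vector[1];` while the parameter it is passed to is declared `Vector[] returnQname` in the verifyXMLSignature signature further down; `Vector[] returnQname = new Vector[1];` matches that declaration and the `X509Certificate[] returnCert` line directly above it. The enclosing method starts and ends outside the hunk.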
@@ -324,12 +327,9 @@
finally {
WSDocInfoStore.delete(wsDocInfo);
}
- returnResults.add(
- 0,
- new WSSecurityEngineResult(
- lastPrincipalFound,
- WSConstants.SIGN,
- returnCert[0]));
+ returnResults.add(0, new WSSecurityEngineResult(
+ WSConstants.SIGN, lastPrincipalFound, returnCert[0],
+ returnQname[0]));
} else if (el.equals(ENCRYPTED_KEY)) {
if (doDebug) {
log.debug("Found encrypted key element");
@@ -343,9 +343,8 @@
"noCallback");
}
handleEncryptedKey((Element) elem, cb, decCrypto);
- returnResults.add(
- 0,
- new WSSecurityEngineResult(null, WSConstants.ENCR, null));
+ returnResults.add(0, new WSSecurityEngineResult(
+ WSConstants.ENCR, null, null, null));
} else if (el.equals(REFERENCE_LIST)) {
if (doDebug) {
log.debug("Found reference list element");
@@ -355,9 +354,8 @@
"noCallback");
}
handleReferenceList((Element) elem, cb);
- returnResults.add(
- 0,
- new WSSecurityEngineResult(null, WSConstants.ENCR, null));
+ returnResults.add(0, new WSSecurityEngineResult(
+ WSConstants.ENCR, null, null, null));
} else if (el.equals(USERNAME_TOKEN)) {
if (doDebug) {
log.debug("Found UsernameToken list element");
@@ -367,12 +365,8 @@
"noCallback");
}
lastPrincipalFound = handleUsernameToken((Element) elem, cb);
- returnResults.add(
- 0,
- new WSSecurityEngineResult(
- lastPrincipalFound,
- WSConstants.UT,
- null));
+ returnResults.add(0, new WSSecurityEngineResult(WSConstants.UT,
+ lastPrincipalFound, null, null));
} else if (el.equals(SAML_TOKEN)) {
if (doDebug) {
log.debug("Found SAML Assertion element");
@@ -455,7 +449,8 @@
protected Principal verifyXMLSignature(
Element elem,
Crypto crypto,
- X509Certificate[] returnCert)
+ X509Certificate[] returnCert,
+ Vector[] returnQname)
throws WSSecurityException {
if (doDebug) {
log.debug("Verify XML Signature");
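Review bot: The new out-parameter `Vector[] returnQname` on verifyXMLSignature is undocumented, and since it is a one-element array written only on the success path (`returnQname[0] = qvec;` in a later hunk) a caller cannot tell from the signature what it receives. Suggest a Javadoc line `@param returnQname one-element array; on successful verification returnQname[0] is set to a Vector of QName objects, one per Reference of the Signature's SignedInfo, in Reference order`. The method body continues past the hunk.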
@@ -469,17 +464,14 @@
try {
sig = new XMLSignature(elem, null);
} catch (XMLSignatureException e2) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK,
- "noXMLSig");
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK,
+ "noXMLSig");
} catch (XMLSecurityException e2) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK,
- "noXMLSig");
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK,
+ "noXMLSig");
} catch (IOException e2) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK,
- "noXMLSig");
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK,
+ "noXMLSig");
}
sig.addResourceResolver(EnvelopeIdResolver.getInstance());
@@ -566,6 +558,35 @@
+ ", verify= "
+ (t2 - t1));
}
+ /*
+ * Now dig into the Signature element to get the elements that this
+ * Signature covers. Build the QName of these Elements and return
+ * them to caller
+ */
+ SignedInfo si = sig.getSignedInfo();
+ int numReferences = si.getLength();
+ Vector qvec = new Vector(numReferences);
+ for (int i = 0; i < numReferences; i++) {
+ Reference siRef;
+ try {
+ siRef = si.item(i);
+ } catch (XMLSecurityException e3) {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
+ // TODO Auto-generated catch block
+ // e3.printStackTrace();
+ }
+ String uri = siRef.getURI();
+ Element se = WSSecurityUtil.getElementByWsuId(elem.getOwnerDocument(), uri);
+ if (se == null) {
+ se = WSSecurityUtil.getElementByGenId(elem.getOwnerDocument(), uri);
+ }
+ if (se == null) {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
+ }
+ QName qn = new QName(se.getNamespaceURI(), se.getLocalName());
+ qvec.add(qn);
+ }
+ returnQname[0] = qvec;
returnCert[0] = certs[0];
return certs[0].getSubjectDN();
} else {
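Review bot: The catch at `} catch (XMLSecurityException e3) {` throws `new WSSecurityException(WSSecurityException.FAILED_CHECK)` without the cause and leaves an unreachable auto-generated `// TODO` and a commented-out printStackTrace behind it; the cause-carrying constructor already used elsewhere in this file (`new WSSecurityException(WSSecurityException.FAILED_ENC_DEC, null, null, e1)` in the last hunk) gives `throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e3);` and the two comment lines can go. The QName list is then built by resolving every Reference URI a second time through getElementByWsuId/getElementByGenId, which return the first element in document order carrying that Id, so when the same Id occurs on more than one element the result only tells the caller that some element with that Id and QName was signed, not which of the duplicates it was, and an application that acts on a different element carrying the same Id could mistake it for signed content; a Reference whose URI is not a `#`-fragment (the lookups appear to accept only those, judging by the `id.substring(1)` in WSSecurityUtil) also ends in FAILED_CHECK although the signature verified. A comment above the loop stating that the returned QNames are reliable only when Ids are unique in the document, and that callers must not read the list as proof that a specific element instance was signed, would make that contract explicit until the lookup rejects duplicate Ids. verifyXMLSignature starts and ends outside the hunk.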
@@ -1107,8 +1128,6 @@
throw new WSSecurityException(
WSSecurityException.FAILED_ENC_DEC, null, null, e1);
}
- // wsseSecurity.getParentNode().removeChild(wsseSecurity); // don't do - this would remove wsse:Security
-
}
/**
1.5 +11 -1 ws-fx/wss4j/src/org/apache/ws/security/WSSecurityEngineResult.java
Index: WSSecurityEngineResult.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/WSSecurityEngineResult.java,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- WSSecurityEngineResult.java 2 Jun 2004 19:35:44 -0000 1.4
+++ WSSecurityEngineResult.java 23 Jun 2004 19:14:28 -0000 1.5
@@ -21,6 +21,8 @@
import java.security.Principal;
import java.security.cert.X509Certificate;
+import java.util.Vector;
+
import org.apache.ws.security.message.token.Timestamp;
/**
@@ -33,6 +35,7 @@
private X509Certificate cert;
private SAMLAssertion assertion;
private Timestamp timestamp;
+ private Vector signedElementQnames;
WSSecurityEngineResult(int act, SAMLAssertion ass) {
principal = null;
@@ -41,10 +44,11 @@
assertion = ass;
}
- WSSecurityEngineResult(Principal princ, int act, X509Certificate certificate) {
+ WSSecurityEngineResult(int act, Principal princ, X509Certificate certificate, Vector elemQnames) {
principal = princ;
action = act;
cert = certificate;
+ signedElementQnames = elemQnames;
}
WSSecurityEngineResult(
@@ -90,4 +94,10 @@
public Timestamp getTimestamp() {
return timestamp;
}
+ /**
+ * @return Returns the signedElementQnames.
+ */
+ public Vector getSignedElementQnames() {
+ return signedElementQnames;
+ }
}
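Review bot: The Javadoc on the new `getSignedElementQnames()` reads only `@return Returns the signedElementQnames.`, yet the field is assigned solely by the four-argument constructor and every non-Signature call site in WSSecurityEngine passes `null` for it, so the getter returns null unless the result's action is WSConstants.SIGN. Suggest `@return the QNames of the elements covered by the verified Signature, one per Reference, or null if this result is not a WSConstants.SIGN result`. The getter also returns the internal Vector itself, so one caller can alter what every later reader of the same result sees; returning a copy, or documenting that the returned Vector must not be modified, would close that.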
1.14 +62 -18 ws-fx/wss4j/src/org/apache/ws/security/util/WSSecurityUtil.java
Index: WSSecurityUtil.java
===================================================================
RCS file: /home/cvs/ws-fx/wss4j/src/org/apache/ws/security/util/WSSecurityUtil.java,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- WSSecurityUtil.java 31 May 2004 14:34:33 -0000 1.13
+++ WSSecurityUtil.java 23 Jun 2004 19:14:28 -0000 1.14
@@ -221,6 +221,65 @@
return null;
}
+ /**
+ * Returns the first element that containes an Id with value
+ * <code>uri</code> and <code>namespace</code>.
+ * <p/>
+ * This is a replacement for a XPath Id lookup with
+ * the given namespace. It's somewhat faster than XPath, and we do
+ * not deal with prefixes, just with the real namespace URI
+ *
+ * @param startNode Where to start the search
+ * @param uri Value of the Id attribute
+ * @param namespace Namespace URI of the Id
+ * @return The found element or <code>null</code>
+ */
+ public static Element findElementById(Node startNode, String value, String namespace) {
+
+ /*
+ * Replace the formely recursive implementation with a depth-first-loop
+ * lookup
+ */
+ if (startNode == null) {
+ return null;
+ }
+ Node startParent = startNode.getParentNode();
+ Node processedNode = null;
+
+ while (startNode != null) {
+ // start node processing at this point
+ if (startNode.getNodeType() == Node.ELEMENT_NODE) {
+ Element se = (Element) startNode;
+ if (se.hasAttributeNS(namespace, "Id") &&
+ value.equals(se.getAttributeNS(namespace, "Id"))) {
+ return se;
+ }
+ }
+
+ processedNode = startNode;
+ startNode = startNode.getFirstChild();
+
+ // no child, this node is done.
+ if (startNode == null) {
+ // close node processing, get sibling
+ startNode = processedNode.getNextSibling();
+ }
+ // no more siblings, get parent, all children
+ // of parent are processed.
+ while (startNode == null) {
+ processedNode = processedNode.getParentNode();
+ if (processedNode == startParent) {
+ return null;
+ }
+ // close parent node processing (processed node now)
+ startNode = processedNode.getNextSibling();
+ }
+ }
+ return null;
+ }
+
+
+
/**
* set the namespace if it is not set already.
* <p/>
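Review bot: The Javadoc on `findElementById` documents `@param uri Value of the Id attribute` but the parameter is declared `String value`, and the description has `containes` and `formely`; `@param value Value of the Id attribute` fixes the mismatch, and the `@param namespace` line should add that `null` selects the un-namespaced Id, since that is what getElementByGenId now passes and `hasAttributeNS(null, "Id")` then matches. Because signature Reference resolution now goes through this method (via getElementByWsuId, getElementByGenId and EnvelopeIdResolver), its return-on-first-hit behaviour means that an Id carried by more than one element in the document silently resolves to the earliest one and the others are never considered; the replaced XPath selectSingleNode behaved the same way, so nothing regresses, but a single place now decides it. Consider continuing the walk after a match and returning null (or throwing) when a second element with the same Id is seen, so an ambiguous Id cannot resolve to an element the signer did not intend, and state in the Javadoc which of the two behaviours applies.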
@@ -351,14 +410,7 @@
return null;
}
id = id.substring(1);
- try {
- Element nscontext = org.apache.xml.security.utils.XMLUtils.createDSctx(doc, "wsu", WSConstants.WSU_NS);
- Element element = (Element) XPathAPI.selectSingleNode(doc, "//*[@wsu:Id='" + id + "']", nscontext);
- return element;
- } catch (TransformerException ex) {
- log.error(ex);
- }
- return null;
+ return WSSecurityUtil.findElementById(doc.getDocumentElement(), id, WSConstants.WSU_NS);
}
/**
@@ -378,13 +430,7 @@
return null;
}
id = id.substring(1);
- try {
- Element element = (Element) XPathAPI.selectSingleNode(doc, "//*[@Id='" + id + "']");
- return element;
- } catch (TransformerException ex) {
- log.error(ex);
- }
- return null;
+ return WSSecurityUtil.findElementById(doc.getDocumentElement(), id, null);
}
/**
* Create a BinarySecurityToken element
@@ -600,9 +646,7 @@
}
public static SOAPConstants getSOAPConstants(Element startElement) {
- Document doc = startElement.getOwnerDocument();
- String ns = doc.getDocumentElement().getNamespaceURI();
- if (WSConstants.URI_SOAP12_ENV.equals(ns)) {
+ if (getPrefixNS(WSConstants.URI_SOAP12_ENV, startElement) != null) {
return new SOAP12Constants();
}
else {
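Review bot: The new test `if (getPrefixNS(WSConstants.URI_SOAP12_ENV, startElement) != null)` replaces a check of the document element's own namespace with, judging by the helper's name (its body is not in the hunk), a check for a prefix bound to the SOAP 1.2 namespace anywhere in scope of startElement, so an envelope in the SOAP 1.1 namespace that also declares the SOAP 1.2 namespace would now be handled with SOAP12Constants and the Envelope/Body names derived from them would not match the message. If the change is meant to cope with elements that have no reachable document element, keep `doc.getDocumentElement().getNamespaceURI()` as the primary criterion and use the prefix lookup only as the fallback; otherwise a comment explaining why a namespace declaration alone should select SOAP 1.2 is needed. getSOAPConstants continues past the hunk.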
Re: cvs commit: ws-fx/wss4j/src/org/apache/ws/security/util
WSSecurityUtil.java
Posted by Yves Langisch <li...@langisch.ch>.
Werner,
I'm in the process of writing some tests that covers the new
functionality. I'll see if I'm able to provide them next week.
Regards,
Yves
On Wed, 2004-06-23 at 21:19, Werner Dittmann wrote:
> All,
>
> enhanced the WSSecurityEngine to return the QNames of signed elements
> to the handler/Axis Service in the result structure (thanks to Yves for the
> idea).
>
> Yes, do you have a test at hand to further check the function and to see if
> it
> is working properly? I didn't do a testcase yet.
>
> Regards,
> Werner
Re: cvs commit: ws-fx/wss4j/src/org/apache/ws/security/util WSSecurityUtil.java
Posted by Werner Dittmann <We...@t-online.de>.
All,
enhanced the WSSecurityEngine to return the QNames of signed elements
to the handler/Axis Service in the result structure (thanks to Yves for the
idea).
Yes, do you have a test at hand to further check the function and to see if
it
is working properly? I didn't do a testcase yet.
Regards,
Werner