Posted to commits@cxf.apache.org by co...@apache.org on 2018/05/01 12:37:25 UTC
[cxf] branch master updated: CXF-6443 - CXF streaming-enabled web
service cannot process MTOM/XOP-optimized content within a CipherValue
element
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new 6cb52ca CXF-6443 - CXF streaming-enabled web service cannot process MTOM/XOP-optimized content within a CipherValue element
6cb52ca is described below
commit 6cb52ca1ce15fcba47e68bae02d5aaef4c2b5a65
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue May 1 12:30:05 2018 +0100
CXF-6443 - CXF streaming-enabled web service cannot process MTOM/XOP-optimized content within a CipherValue element
---
.../ws/security/trust/STSStaxTokenValidator.java | 48 ++++++++++++++++++++--
.../cxf/systest/ws/mtom/MTOMSecurityTest.java | 27 +++++++++++-
.../org/apache/cxf/systest/ws/mtom/stax-server.xml | 22 ++++++++++
3 files changed, 92 insertions(+), 5 deletions(-)
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
index a630530..ffb99e4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
@@ -18,6 +18,9 @@
*/
package org.apache.cxf.ws.security.trust;
+import javax.security.auth.callback.CallbackHandler;
+import javax.xml.bind.JAXBElement;
+
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -38,9 +41,11 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.PKIPathSecurity;
import org.apache.wss4j.common.token.X509Security;
+import org.apache.wss4j.common.util.AttachmentUtils;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.stax.ext.WSSConstants;
+import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.impl.securityToken.KerberosServiceSecurityTokenImpl;
import org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl;
import org.apache.wss4j.stax.impl.securityToken.UsernameSecurityTokenImpl;
@@ -55,7 +60,9 @@ import org.apache.wss4j.stax.validate.BinarySecurityTokenValidatorImpl;
import org.apache.wss4j.stax.validate.SamlTokenValidatorImpl;
import org.apache.wss4j.stax.validate.TokenContext;
import org.apache.wss4j.stax.validate.UsernameTokenValidator;
+import org.apache.xml.security.binding.xop.Include;
import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.XMLSecurityUtils;
import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
@@ -421,7 +428,13 @@ public class STSStaxTokenValidator
new Object[]{binarySecurityTokenType.getEncodingType()});
}
- final byte[] securityTokenData = Base64.decodeBase64(binarySecurityTokenType.getValue());
+ byte[] securityTokenData = null;
+ try {
+ securityTokenData =
+ getBinarySecurityTokenBytes(binarySecurityTokenType, tokenContext.getWssSecurityProperties());
+ } catch (XMLSecurityException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
+ }
final SoapMessage message =
(SoapMessage)tokenContext.getWssSecurityProperties().getMsgContext();
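Review bot: The `null` initialiser on L58 and the non-`final` declaration are avoidable: because the `catch` on L62-L64 always throws, `final byte[] securityTokenData;` declared before the `try` and assigned inside it is definitely assigned afterwards, and `securityTokenData` can then be captured directly where the code currently goes through the `final byte[] bytes = securityTokenData;` copy added in the next hunk (L70) and the renamed uses at L79, L88 and L97. Wrapping the `XMLSecurityException` as `INVALID_SECURITY_TOKEN` with the cause attached is the right failure mode for a token that cannot be materialised. The enclosing method begins before this hunk, so the surrounding control flow is inferred rather than visible.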
@@ -436,6 +449,7 @@ public class STSStaxTokenValidator
final boolean stsValidated = valid;
try {
+ final byte[] bytes = securityTokenData;
if (WSSConstants.NS_X509_V3_TYPE.equals(binarySecurityTokenType.getValueType())) {
Crypto crypto = getCrypto(tokenContext.getWssSecurityProperties());
X509V3SecurityTokenImpl x509V3SecurityToken = new X509V3SecurityTokenImpl(
@@ -456,7 +470,7 @@ public class STSStaxTokenValidator
super.verify();
} catch (XMLSecurityException ex) {
Element tokenElement =
- convertToDOM(binarySecurityTokenType, securityTokenData);
+ convertToDOM(binarySecurityTokenType, bytes);
validateTokenToSTS(tokenElement, message);
}
}
@@ -485,7 +499,7 @@ public class STSStaxTokenValidator
super.verify();
} catch (XMLSecurityException ex) {
Element tokenElement =
- convertToDOM(binarySecurityTokenType, securityTokenData);
+ convertToDOM(binarySecurityTokenType, bytes);
validateTokenToSTS(tokenElement, message);
}
}
@@ -512,7 +526,7 @@ public class STSStaxTokenValidator
super.verify();
} catch (XMLSecurityException ex) {
Element tokenElement =
- convertToDOM(binarySecurityTokenType, securityTokenData);
+ convertToDOM(binarySecurityTokenType, bytes);
validateTokenToSTS(tokenElement, message);
}
}
@@ -530,6 +544,32 @@ public class STSStaxTokenValidator
}
}
+ private byte[] getBinarySecurityTokenBytes(BinarySecurityTokenType binarySecurityTokenType,
+ WSSSecurityProperties wssSecurityProperties
+ ) throws XMLSecurityException {
+
+ StringBuilder sb = new StringBuilder();
+
+ for (Object obj : binarySecurityTokenType.getContent()) {
+ if (obj instanceof String) {
+ sb.append((String)obj);
+ } else if (obj instanceof JAXBElement<?>) {
+ JAXBElement<?> element = (JAXBElement<?>)obj;
+ if (XMLSecurityConstants.TAG_XOP_INCLUDE.equals(element.getName())) {
+ Include include = (Include)element.getValue();
+ if (include != null && include.getHref() != null && include.getHref().startsWith("cid:")) {
+ CallbackHandler callbackHandler = wssSecurityProperties.getAttachmentCallbackHandler();
+ return AttachmentUtils.getBytesFromAttachment(include.getHref(),
+ callbackHandler,
+ true);
+ }
+ }
+ }
+ }
+
+ return Base64.decodeBase64(sb.toString());
+ }
+
// Convert to DOM to send the token to the STS
private Element convertToDOM(
BinarySecurityTokenType binarySecurityTokenType,
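Review bot: `getBinarySecurityTokenBytes` falls through to `Base64.decodeBase64(sb.toString())` (L127) when the content holds an `xop:Include` whose href is absent or does not start with `cid:` (L117), so an unresolvable Include yields an empty or partial token value instead of a rejection; throwing an `XMLSecurityException` in that case would fail closed and land on the `INVALID_SECURITY_TOKEN` path the caller already has. The `(Include)element.getValue()` cast on L116 is unchecked, so a JAXB value of another type surfaces as a `ClassCastException` rather than the wrapped `XMLSecurityException`; extending the L115 condition with `&& element.getValue() instanceof Include` keeps it on the existing error path. The bare `true` passed to `getBytesFromAttachment` on L121 deserves a short trailing comment naming what it selects, since the call site gives no hint. One point that cannot be confirmed from here: the token bytes are now read from a message attachment fully into memory, so whatever bound applied to the base64 text path may not apply to the attachment path — worth a check that the attachment handler enforces a size limit.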
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java
index bf0d448..e4bd138 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java
@@ -228,6 +228,32 @@ public class MTOMSecurityTest extends AbstractBusClientServerTestBase {
}
@org.junit.Test
+ public void testAsymmetricBinaryBytesInAttachmentStAX() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = MTOMSecurityTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ BusFactory.setDefaultBus(bus);
+ BusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = MTOMSecurityTest.class.getResource("DoubleItMtom.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricBinaryPort");
+ DoubleItMtomPortType port =
+ service.getPort(portQName, DoubleItMtomPortType.class);
+ updateAddressPort(port, STAX_PORT);
+
+ DataSource source = new FileDataSource(new File("src/test/resources/java.jpg"));
+ DoubleIt4 doubleIt = new DoubleIt4();
+ doubleIt.setNumberToDouble(25);
+ assertEquals(50, port.doubleIt4(25, new DataHandler(source)));
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
public void testAsymmetricBinaryEncryptBeforeSigningBytesInAttachment() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
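Review bot: The `DoubleIt4` object built on L157-L158 is never used — the call on L159 passes the literal `25` directly — so `doubleIt` and `setNumberToDouble(25)` are dead code and should either be removed or become the value actually sent, whichever form `doubleIt4` is meant to exercise. The `close()` and `bus.shutdown(true)` on L161-L162 are skipped when the assertion on L159 fails, which presumably leaves the bus active for later tests in the class; wrapping the call in `try`/`finally` (the port is cast to `Closeable`, so try-with-resources also fits) would make the cleanup unconditional. `testAsymmetricBinaryEncryptBeforeSigningBytesInAttachment` continues past the end of this hunk.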
@@ -280,7 +306,6 @@ public class MTOMSecurityTest extends AbstractBusClientServerTestBase {
}
@org.junit.Test
- @org.junit.Ignore
public void testSymmetricBinaryBytesInAttachmentStAX() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/stax-server.xml
index 7cef94d..14c2458 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/stax-server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/stax-server.xml
@@ -26,6 +26,28 @@
</cxf:features>
</cxf:bus>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricBinary" address="http://localhost:${testutil.ports.mtom.StaxServer}/DoubleItX509AsymmetricBinary" serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricBinaryPort" implementor="org.apache.cxf.systest.ws.mtom.DoubleIt4Impl" wsdlLocation="org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl">
+ <jaxws:properties>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="security.signature.properties" value="bob.properties"/>
+ <entry key="security.encryption.properties" value="alice.properties"/>
+ <entry key="security.encryption.username" value="alice"/>
+ <entry key="mtom-enabled" value="true"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricBinaryEncryptBeforeSigning" address="http://localhost:${testutil.ports.mtom.StaxServer}/DoubleItX509AsymmetricBinaryEncryptBeforeSigning" serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricBinaryEncryptBeforeSigningPort" implementor="org.apache.cxf.systest.ws.mtom.DoubleIt4Impl" wsdlLocation="org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl">
+ <jaxws:properties>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="security.signature.properties" value="bob.properties"/>
+ <entry key="security.encryption.properties" value="alice.properties"/>
+ <entry key="security.encryption.username" value="alice"/>
+ <entry key="mtom-enabled" value="true"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricBinary" address="http://localhost:${testutil.ports.mtom.StaxServer}/DoubleItX509SymmetricBinary" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricBinaryPort" implementor="org.apache.cxf.systest.ws.mtom.DoubleIt4Impl" wsdlLocation="org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl">
<jaxws:properties>
<entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>