Posted to commits@cxf.apache.org by dv...@apache.org on 2010/08/28 18:44:46 UTC
svn commit: r990391 - in /cxf/branches/2.2.x-fixes: ./
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/
Author: dvaleri
Date: Sat Aug 28 16:44:45 2010
New Revision: 990391
URL: http://svn.apache.org/viewvc?rev=990391&view=rev
Log:
Merged revisions 990386 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r990386 | dvaleri | 2010-08-28 11:58:27 -0400 (Sat, 28 Aug 2010) | 1 line
[CXF-2963] Added workaround for WSS-242 to allow compatibility with older versions of CXF.
........
Added:
cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/wss-242.xml
- copied unchanged from r990386, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/wss-242.xml
Modified:
cxf/branches/2.2.x-fixes/ (props changed)
cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java
cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sat Aug 28 16:44:45 2010
@@ -1 +1 @@
-/cxf/trunk:989123,989434
+/cxf/trunk:989123,989434,990386
Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java?rev=990391&r1=990390&r2=990391&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java Sat Aug 28 16:44:45 2010
@@ -163,6 +163,8 @@ public class CryptoCoverageChecker exten
}
}
+ CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encrypted);
+
for (XPathExpression xPathExpression : this.xPaths) {
Collection<WSDataRef> refsToCheck = null;
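Review bot: The `reconcileEncryptedSignedRefs` call added here mutates `signed` in place — per that method's Javadoc, signed refs pointing at xenc elements are resolved to the decrypted element and added to the signed collection — yet nothing at the call site says so, and the `xPaths` loop that follows silently depends on it. Add a comment above the call: `// Resolves signed refs to EncryptedData/EncryptedKey onto the decrypted elements (appends to 'signed') so XPaths over decrypted content can match.` The enclosing method begins outside this hunk, so whether `signed` or `encrypted` can be null at this point is not visible; if either can, the call needs a guard, since the utility iterates both collections.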
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java?rev=990391&r1=990390&r2=990391&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java Sat Aug 28 16:44:45 2010
@@ -42,6 +42,7 @@ import org.w3c.dom.NodeList;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.helpers.MapNamespaceContext;
import org.apache.cxf.ws.policy.PolicyConstants;
+import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityException;
@@ -65,10 +66,10 @@ public final class CryptoCoverageUtil {
* are resolved to the decrypted element and added to {@code signedRefs}.
* The original reference to the encrypted content remains unaltered in the
* list to allow for matching against a requirement that xenc:EncryptedData
- * elements be signed.
+ * and xenc:EncryptedKey elements be signed.
*
* @param signedRefs references to the signed content in the message
- * @param encryptedRefs refernces to the encrypted content in the message
+ * @param encryptedRefs references to the encrypted content in the message
*/
public static void reconcileEncryptedSignedRefs(final Collection<WSDataRef> signedRefs,
final Collection<WSDataRef> encryptedRefs) {
@@ -76,13 +77,11 @@ public final class CryptoCoverageUtil {
final List<WSDataRef> encryptedSignedRefs = new LinkedList<WSDataRef>();
for (WSDataRef encryptedRef : encryptedRefs) {
- final String encryptedRefId = encryptedRef.getWsuId();
final Iterator<WSDataRef> signedRefsIt = signedRefs.iterator();
while (signedRefsIt.hasNext()) {
final WSDataRef signedRef = signedRefsIt.next();
- if (signedRef.getWsuId().equals(encryptedRefId)
- || signedRef.getWsuId().equals("#" + encryptedRefId)) {
+ if (isSignedEncryptionRef(encryptedRef, signedRef)) {
final WSDataRef encryptedSignedRef =
new WSDataRef(signedRef.getDataref());
@@ -105,7 +104,7 @@ public final class CryptoCoverageUtil {
signedRefs.addAll(encryptedSignedRefs);
}
-
+
/**
* Checks that the references provided refer to the
* signed/encrypted SOAP body element.
@@ -122,7 +121,7 @@ public final class CryptoCoverageUtil {
*
* @throws WSSecurityException
* if there is an error evaluating the coverage or the body is not
- * covered by the signture/encryption.
+ * covered by the signature/encryption.
*/
public static void checkBodyCoverage(
SOAPMessage message,
@@ -168,7 +167,7 @@ public final class CryptoCoverageUtil {
*
* @throws WSSecurityException
* if there is an error evaluating the coverage or a header is not
- * covered by the signture/encryption.
+ * covered by the signature/encryption.
*/
public static void checkHeaderCoverage(
SOAPMessage message,
@@ -225,7 +224,7 @@ public final class CryptoCoverageUtil {
*
* @throws WSSecurityException
* if there is an error evaluating an XPath or an element is not
- * covered by the signture/encryption.
+ * covered by the signature/encryption.
*/
public static void checkCoverage(
SOAPMessage message,
@@ -260,7 +259,7 @@ public final class CryptoCoverageUtil {
*
* @throws WSSecurityException
* if there is an error evaluating an XPath or an element is not
- * covered by the signture/encryption.
+ * covered by the signature/encryption.
*/
public static void checkCoverage(
SOAPMessage message,
@@ -318,6 +317,53 @@ public final class CryptoCoverageUtil {
}
}
}
+
+ /**
+ * Determines if {@code signedRef} points to the encrypted content represented by
+ * {@code encryptedRef} using the following algorithm.
+ *
+ * <ol>
+ * <li>Check that the signed content is an XML Encryption element.</li>
+ * <li>Check that the reference Ids of the signed content and encrypted content
+ * (not the decrypted version of the encrypted content) match. Check that the
+ * reference Id of the signed content matches the reference Id of the encrypted
+ * content prepended with a #.
+ * <li>Check for other Id attributes on the signed element that may match the
+ * referenced identifier for the encrypted content. This is a workaround for
+ * WSS-242.</li>
+ * </ol>
+ *
+ * @param encryptedRef the ref representing the encrpted content
+ * @param signedRef the ref representing the signed content
+ */
+ private static boolean isSignedEncryptionRef(WSDataRef encryptedRef, WSDataRef signedRef) {
+
+ // Don't even bother if the signed element wasn't an XML Enc element.
+ if (!WSConstants.ENC_NS.equals(signedRef.getProtectedElement()
+ .getNamespaceURI())) {
+ return false;
+ }
+
+ if (signedRef.getWsuId().equals(encryptedRef.getWsuId())
+ || signedRef.getWsuId().equals("#" + encryptedRef.getWsuId())) {
+ return true;
+ }
+
+ // There should be no other Ids on an EncryptedData or EncryptedKey element;
+ // however, WSS4J will happily add them on the outbound side. See WSS-242.
+ // The following code looks for the specific behavior that exists in
+ // 1.5.8 and earlier version.
+
+ String wsuId = signedRef.getProtectedElement().getAttributeNS(
+ WSConstants.WSU_NS, "Id");
+
+ if (signedRef.getWsuId().equals(wsuId)
+ || signedRef.getWsuId().equals("#" + wsuId)) {
+ return true;
+ }
+
+ return false;
+ }
private static boolean matchElement(Collection<WSDataRef> refs,
CoverageType type, CoverageScope scope, Element el) {
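Review bot: The WSS-242 fallback in `isSignedEncryptionRef` (the `wsuId` block after the direct-match check) never consults `encryptedRef`: it compares `signedRef.getWsuId()` with the wsu:Id attribute of the signed element itself, so any signed EncryptedData/EncryptedKey that the signature references via wsu:Id returns true for every `encryptedRef` passed in. In the caller's nested loop in the `reconcileEncryptedSignedRefs` hunk (whose body continues outside that hunk) this appears to let one signed xenc element be paired with unrelated encrypted refs, which would report decrypted content as signed when only a different EncryptedData was; this is inferred from the visible lines and should be confirmed against the rest of the loop. Tie the fallback back to the encrypted ref being matched, e.g. `String xencId = signedRef.getProtectedElement().getAttribute("Id");` and `return (signedRef.getWsuId().equals(wsuId) || signedRef.getWsuId().equals("#" + wsuId)) && xencId.equals(encryptedRef.getWsuId());`, assuming `encryptedRef.getWsuId()` carries the element's xenc Id as steps 1–2 of the algorithm already presume. Also, `signedRef.getProtectedElement()` and `signedRef.getWsuId()` are dereferenced without null checks; if either can be absent for a ref, this throws NPE rather than returning false. The Javadoc has no `@return`, misspells "encrpted" in `@param encryptedRef`, and the second `<li>` is never closed; add `@return {@code true} if {@code signedRef} covers the element represented by {@code encryptedRef}` and close the list item.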
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java?rev=990391&r1=990390&r2=990391&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java Sat Aug 28 16:44:45 2010
@@ -154,6 +154,39 @@ public class CryptoCoverageCheckerTest e
true);
}
+ @Test
+ public void testEncryptedSignedWithIncompleteCoverage() throws Exception {
+ this.runInterceptorAndValidate(
+ "encrypted_body_content_signed_missing_signed_header.xml",
+ this.getPrefixes(),
+ Arrays.asList(new XPathExpression(
+ "//ser:Header", CoverageType.SIGNED, CoverageScope.ELEMENT)),
+ false);
+ }
+
+ @Test
+ public void testEncryptedSignedWithCompleteCoverage() throws Exception {
+ this.runInterceptorAndValidate(
+ "encrypted_body_content_signed.xml",
+ this.getPrefixes(),
+ Arrays.asList(
+ new XPathExpression(
+ "//ser:Header", CoverageType.SIGNED, CoverageScope.ELEMENT),
+ new XPathExpression(
+ "//ser:Header", CoverageType.ENCRYPTED, CoverageScope.ELEMENT)),
+ true);
+
+ this.runInterceptorAndValidate(
+ "wss-242.xml",
+ this.getPrefixes(),
+ Arrays.asList(
+ new XPathExpression(
+ "//ser:Header", CoverageType.SIGNED, CoverageScope.ELEMENT),
+ new XPathExpression(
+ "//ser:Header", CoverageType.ENCRYPTED, CoverageScope.ELEMENT)),
+ true);
+ }
+
private Map<String, String> getPrefixes() {
final Map<String, String> prefixes = new HashMap<String, String>();
prefixes.put("ser", "http://www.sdj.pl");
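Review bot: `testEncryptedSignedWithCompleteCoverage` bundles two independent scenarios, so a failure on `encrypted_body_content_signed.xml` hides the result for `wss-242.xml`, and the name no longer says that the WSS-242 workaround is what the second case exercises; move the second `runInterceptorAndValidate` call into its own method, e.g. `public void testWss242EncryptedSignedWithCompleteCoverage()`. Only the positive path of the workaround is covered here: there is no `wss-242`-style document where a required signed header is absent (the negative counterpart to `testEncryptedSignedWithIncompleteCoverage`), so a regression that makes the workaround over-match would not be caught by this suite. Adding that `false` expectation case would pin the workaround to exactly the 1.5.8 behavior it is meant to tolerate.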
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java?rev=990391&r1=990390&r2=990391&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java Sat Aug 28 16:44:45 2010
@@ -904,7 +904,7 @@ public class PolicyBasedWss4JInOutTest e
}
/**
- * Gets a SoapMessage, but with the needed SecurityConstants in the context propreties
+ * Gets a SoapMessage, but with the needed SecurityConstants in the context properties
* so that it can be passed to PolicyBasedWSS4JOutInterceptor.
*
* @see #getSoapMessageForDom(Document, AssertionInfoMap)