Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2009/04/22 16:03:12 UTC
svn commit: r767527 - in /webservices/wss4j/trunk:
src/org/apache/ws/security/ src/org/apache/ws/security/processor/
src/org/apache/ws/security/util/ test/wssec/
Author: coheigea
Date: Wed Apr 22 14:03:12 2009
New Revision: 767527
URL: http://svn.apache.org/viewvc?rev=767527&view=rev
Log:
Some improvements to how we save results on protected elements
- Removed WSDataRef#dataref...this wasn't being used properly anyway and is irrelevant to downstream processing.
- Removed WSSecurityEngineResult TAG_SIGNED_ELEMENT_IDS and TAG_PROTECTED_ELEMENTS. These can be obtained from TAG_DATA_REF_URIS instead.
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/WSDataRef.java
webservices/wss4j/trunk/src/org/apache/ws/security/WSDocInfoStore.java
webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngineResult.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java
webservices/wss4j/trunk/test/wssec/TestWSSecurityDataRef.java
webservices/wss4j/trunk/test/wssec/TestWSSecurityDataRef1.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSDataRef.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/WSDataRef.java?rev=767527&r1=767526&r2=767527&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSDataRef.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSDataRef.java Wed Apr 22 14:03:12 2009
@@ -22,96 +22,59 @@
/**
* WSDataRef stores information about decrypted/signed elements
*
- * When a processor decrypts an elements it stores information
- * about that element in a WSDataRef so these information can
- * be used for validation stages
+ * When a processor decrypts/verifies an element it stores information
+ * about that element in a WSDataRef so this information can
+ * be used for validation
*
*/
-
import javax.xml.namespace.QName;
public class WSDataRef {
/**
- * reference by which the Encrypted Data was referred
- */
- private String dataref;
-
- /**
- * wsu:Id of the decrypted element (if present)
+ * wsu:Id of the protected element
*/
private String wsuId;
/**
- * QName of the decrypted element
+ * QName of the protected element
*/
private QName name;
-
/**
- * @param dataref reference by which the Encrypted Data was referred
- */
- public WSDataRef(String dataref) {
- this.dataref = dataref;
- }
-
- /**
- * @param dataref reference by which the Encrypted Data was referred
- * @param wsuId Id of the decrypted element (if present)
- */
- public WSDataRef(String dataref, String wsuId) {
- this.dataref = dataref;
- this.wsuId = wsuId;
- }
-
- /**
- * @param dataref reference by which the Encrypted Data was referred
- * @param wsuId Id of the decrypted element (if present)
- * @param name QName of the decrypted element
- */
- public WSDataRef(String dataref, String wsuId, QName name) {
- this.dataref = dataref;
- this.wsuId = wsuId;
- this.name = name;
- }
-
- /**
- * @return the data reference
+ * @deprecated
+ * This method is left in the class for backwards compatibility.
+ * It returns the wsu:Id of the protected element, and not the data reference.
+ * This was never implemented properly in WSS4J code anyway
+ * @return the wsu:Id
*/
public String getDataref() {
- return dataref;
- }
-
- /**
- * @param dataref reference by which the Encrypted Data was referred
- */
- public void setDataref(String dataref) {
- this.dataref = dataref;
+ return wsuId;
}
/**
- * @return Id of the decrypted element (if present)
+ * @return Id of the protected element
*/
public String getWsuId() {
return wsuId;
}
/**
- * @param wsuId Id of the decrypted element (if present)
+ * @param wsuId Id of the protected element
*/
public void setWsuId(String wsuId) {
this.wsuId = wsuId;
}
/**
- * @return QName of the decrypted element
+ * @return QName of the protected element
*/
public QName getName() {
return name;
}
/**
- * @param name QName of the decrypted element
+ * @param name QName of the protected element
*/
public void setName(QName name) {
this.name = name;
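Review bot: `getDataref()` is retained as a compatibility shim but carries only a Javadoc `@deprecated` tag, so callers get no compiler warning and the text never names the replacement; add the annotation and point at the successor, e.g. `@Deprecated` on the method and `@deprecated Use {@link #getWsuId()} instead; this now returns the wsu:Id, not the original data reference.` The compatibility intent is only half applied: all three constructors that took `dataref` are removed with no migration note, so external code calling `new WSDataRef(String)` fails to compile while `getDataref()` keeps working. A caller that previously compared `getDataref()` against the `#`-prefixed reference URI now silently compares against the bare id, as the new Javadoc states, which is worth repeating in the class-level Javadoc. `setName` continues past the end of the hunk.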
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSDocInfoStore.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/WSDocInfoStore.java?rev=767527&r1=767526&r2=767527&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSDocInfoStore.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSDocInfoStore.java Wed Apr 22 14:03:12 2009
@@ -25,7 +25,7 @@
* Also the access methods are static. Thus it is possible to exchange
* WSDocInfo between otherwise unrelated functions/methods.
* The main usage for this is (are) the transformation functions that
- * are called during Signature/Verfication process.
+ * are called during Signature/Verification process.
*
* @author Werner Dittmann (Werner.Dittmann@apache.org)
*/
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngineResult.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngineResult.java?rev=767527&r1=767526&r2=767527&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngineResult.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSSecurityEngineResult.java Wed Apr 22 14:03:12 2009
@@ -27,7 +27,6 @@
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.List;
-import java.util.Set;
/**
* @author Werner Dittmann (Werner.Dittmann@t-online.de)
@@ -76,15 +75,6 @@
"timestamp";
/**
- * Tag denoting the wsu:Ids of signed elements, if applicable.
- *
- * The value under this tag is of type java.util.Set, where
- * each element of the set is of type java.lang.String.
- */
- public static final java.lang.String TAG_SIGNED_ELEMENT_IDS =
- "signed-element-ids";
-
- /**
* Tag denoting the signature value of a signed element, if applicable.
*
* The value under this tag is of type byte[].
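Review bot: `TAG_SIGNED_ELEMENT_IDS` is deleted outright (and `TAG_PROTECTED_ELEMENTS` in the next hunk) while `WSDataRef#getDataref()` was kept with a deprecation notice in the same commit, so the two halves of the change treat downstream callers differently. A handler that looks the result up by the literal `"signed-element-ids"` string rather than the constant gets `null` from `get()` with no compile-time signal and may read that as "nothing was signed". Keeping the constant for one release with `@deprecated Use {@link #TAG_DATA_REF_URIS} instead; the list holds {@link WSDataRef} entries` would give such code the same migration path the getter received. The Javadoc of `TAG_DATA_REF_URIS` is outside this hunk; it should be checked to state the element type now that it is the only source of this information.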
@@ -106,16 +96,6 @@
* Tag denoting references to the DOM elements that have been
* cryptographically protected.
*
- * The value under this tag is of type java.util.Set, where
- * each element in the set is of type org.w3c.dom.Element.
- */
- public static final java.lang.String TAG_PROTECTED_ELEMENTS =
- "protected-elements";
-
- /**
- * Tag denoting references to the DOM elements that have been
- * cryptographically protected.
- *
* The value under this tag is of type SecurityContextToken.
*/
public static final java.lang.String TAG_SECURITY_CONTEXT_TOKEN =
@@ -180,13 +160,11 @@
int act,
Principal princ,
X509Certificate certificate,
- Set elements,
byte[] sv
) {
put(TAG_ACTION, new Integer(act));
put(TAG_PRINCIPAL, princ);
put(TAG_X509_CERTIFICATE, certificate);
- put(TAG_SIGNED_ELEMENT_IDS, elements);
put(TAG_SIGNATURE_VALUE, sv);
}
@@ -195,24 +173,10 @@
int act,
Principal princ,
X509Certificate certificate,
- Set elements,
- Set protectedElements,
- byte[] sv
- ) {
- this(act, princ, certificate, elements, sv);
- put(TAG_PROTECTED_ELEMENTS, protectedElements);
- }
-
- public
- WSSecurityEngineResult(
- int act,
- Principal princ,
- X509Certificate certificate,
- Set elements,
List dataRefs,
byte[] sv
) {
- this(act, princ, certificate, elements, sv);
+ this(act, princ, certificate, sv);
put(TAG_DATA_REF_URIS, dataRefs);
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java?rev=767527&r1=767526&r2=767527&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java Wed Apr 22 14:03:12 2009
@@ -204,7 +204,7 @@
if (dataRefURI.charAt(0) == '#') {
dataRefURI = dataRefURI.substring(1);
}
- WSDataRef dataRef = new WSDataRef(dataRefURI);
+ WSDataRef dataRef = new WSDataRef();
Element elt = decryptDataRef(doc, dataRefURI, dataRef, decryptedBytes);
dataRef.setName(
new javax.xml.namespace.QName(
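Review bot: After dropping the `dataref` field, the stripped `dataRefURI` is passed only to `decryptDataRef`, and nothing in this hunk sets an id on the new `WSDataRef`; whether `getWsuId()` ends up populated depends on what `decryptDataRef` does, which is outside the hunk. If it does not, consumers of `TAG_DATA_REF_URIS` receive a ref with a null id and no other identifier, since `getDataref()` now returns the same field. Setting it here explicitly, `dataRef.setWsuId(dataRefURI);` before the call, keeps the result self-describing regardless of the helper, provided the helper does not already do so. The same applies to the `ReferenceListProcessor` hunk, where `decryptDataRefEmbedded` is the helper.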
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java?rev=767527&r1=767526&r2=767527&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java Wed Apr 22 14:03:12 2009
@@ -106,7 +106,7 @@
if (dataRefURI.charAt(0) == '#') {
dataRefURI = dataRefURI.substring(1);
}
- WSDataRef dataRef = new WSDataRef(dataRefURI);
+ WSDataRef dataRef = new WSDataRef();
decryptDataRefEmbedded(elem.getOwnerDocument(), dataRefURI, dataRef, cb, crypto);
dataRefUris.add(dataRef);
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java?rev=767527&r1=767526&r2=767527&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java Wed Apr 22 14:03:12 2009
@@ -63,9 +63,7 @@
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
-import java.util.HashSet;
import java.util.List;
-import java.util.Set;
import java.util.Vector;
public class SignatureProcessor implements Processor {
@@ -88,16 +86,15 @@
}
boolean remove = WSDocInfoStore.store(wsDocInfo);
X509Certificate[] returnCert = new X509Certificate[1];
- Set returnElements = new HashSet();
- List protectedElements = new java.util.ArrayList();
+ List protectedRefs = new java.util.ArrayList();
byte[][] signatureValue = new byte[1][];
Principal lastPrincipalFound = null;
try {
lastPrincipalFound =
verifyXMLSignature(
- elem, crypto, returnCert, returnElements,
- protectedElements, signatureValue, cb,
+ elem, crypto, returnCert,
+ protectedRefs, signatureValue, cb,
wsDocInfo
);
} catch (WSSecurityException ex) {
@@ -114,8 +111,7 @@
WSConstants.UT_SIGN,
lastPrincipalFound,
null,
- returnElements,
- protectedElements,
+ protectedRefs,
signatureValue[0]
)
);
@@ -126,8 +122,7 @@
WSConstants.SIGN,
lastPrincipalFound,
returnCert[0],
- returnElements,
- protectedElements,
+ protectedRefs,
signatureValue[0]
)
);
@@ -166,8 +161,7 @@
* @param returnCert verifyXMLSignature stores the certificate in the first
* entry of this array. The caller may then further validate
* the certificate
- * @param returnElements verifyXMLSignature adds the wsu:ID attribute values for
- * the signed elements to this Set
+ * @param protectedRefs A list of (references) to the signed elements
* @param cb CallbackHandler instance to extract key passwords
* @return the subject principal of the validated X509 certificate (the
* authenticated subject). The calling function may use this
@@ -178,8 +172,7 @@
Element elem,
Crypto crypto,
X509Certificate[] returnCert,
- Set returnElements,
- List protectedElements,
+ List protectedRefs,
byte[][] signatureValue,
CallbackHandler cb,
WSDocInfo wsDocInfo
@@ -290,7 +283,7 @@
);
}
encryptKeyProcessor = new EncryptedKeyProcessor();
- encryptKeyProcessor.handleEncryptedKey((Element)token, cb, crypto);
+ encryptKeyProcessor.handleEncryptedKey(token, cb, crypto);
}
secretKey = encryptKeyProcessor.getDecryptedBytes();
} else {
@@ -459,7 +452,7 @@
);
}
String uri = siRef.getURI();
- if (uri != null && !"".equals(uri)) {
+ if (!"".equals(uri)) {
Element se = WSSecurityUtil.getElementByWsuId(elem.getOwnerDocument(), uri);
if (se == null) {
se = WSSecurityUtil.getElementByGenId(elem.getOwnerDocument(), uri);
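Review bot: The `uri != null` guard is dropped, so a `Reference` whose `getURI()` returns `null` no longer takes a separate path: `"".equals(null)` is false, the branch is entered, and `null` is handed to `getElementByWsuId` and then `getElementByGenId`. Whether that ends in the intended `FAILED_CHECK` or in a `NullPointerException` depends on those helpers, which are not in the hunk; with DOM `getAttributeNS` an absent attribute usually surfaces as `""`, but the wrapper's contract should be confirmed before relying on it. Keeping `if (uri != null && !"".equals(uri)) {` costs nothing and makes the rejection deliberate rather than incidental.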
@@ -467,17 +460,10 @@
if (se == null) {
throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
}
- WSDataRef ref = new WSDataRef(uri);
+ WSDataRef ref = new WSDataRef();
ref.setWsuId(uri);
ref.setName(new QName(se.getNamespaceURI(), se.getLocalName()));
- protectedElements.add(ref);
- returnElements.add(WSSecurityUtil.getIDFromReference(uri));
- } else {
- // This is the case where the signed element is identified
- // by a transform such as XPath filtering
- // We add the complete reference element to the return
- // elements
- returnElements.add(siRef);
+ protectedRefs.add(ref);
}
}
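Review bot: The removed `else` branch was the only place a `Reference` without a URI — one that selects its content through a transform such as XPath filtering — was recorded in the result; after this hunk such references leave no trace in `protectedRefs`, so a consumer of `TAG_DATA_REF_URIS` cannot distinguish a signature that covered elements by transform from one that covered nothing. Because the required-element check in `WSSecurityUtil` matches only by wsu:Id this is fail-closed for that check, but the loss of information should at least be stated in the `protectedRefs` Javadoc (`A list of (references) to the signed elements` in the earlier hunk). Separately, `ref.setWsuId(uri)` stores the raw reference URI, whereas the old code normalised it with `WSSecurityUtil.getIDFromReference(uri)` before adding to `returnElements`; if the URI can still carry its leading `#` here, the comparison in `checkSignsAllElements` now runs against the un-normalised form. `ref.setWsuId(WSSecurityUtil.getIDFromReference(uri));` preserves the previous behaviour. The enclosing loop and `verifyXMLSignature` continue past the hunk.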
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java?rev=767527&r1=767526&r2=767527&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java Wed Apr 22 14:03:12 2009
@@ -25,6 +25,7 @@
import org.apache.ws.security.SOAP12Constants;
import org.apache.ws.security.SOAPConstants;
import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.WSHandlerConstants;
@@ -49,7 +50,6 @@
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Iterator;
-import java.util.Set;
import java.util.Vector;
/**
@@ -881,7 +881,7 @@
}
/**
- * Ensure that this signature covers all required elements (identified by
+ * Ensure that this covers all required elements (identified by
* their wsu:Id attributes).
*
* @param resultItem the signature to check
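Review bot: The rewritten summary `Ensure that this covers all required elements` has lost its subject — the old text said what "this" is. Since the check now reads `TAG_DATA_REF_URIS` from a signature result, `Ensure that this signature result covers all required elements (identified by` keeps the meaning while matching the new implementation.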
@@ -898,26 +898,24 @@
throw new IllegalArgumentException("Not a SIGN result");
}
- Set sigElems = (Set)resultItem.get(WSSecurityEngineResult.TAG_SIGNED_ELEMENT_IDS);
- if (sigElems == null) {
- throw new RuntimeException(
- "Missing signedElements set in WSSecurityEngineResult!"
+ java.util.List signedElemsRefList =
+ (java.util.List)resultItem.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
+ if (signedElemsRefList == null) {
+ throw new WSSecurityException(
+ "WSSecurityEngineResult does not contain any references to signed elements"
);
}
- log.debug("Found SIGN result...");
- for (Iterator i = sigElems.iterator(); i.hasNext();) {
- Object sigElement = i.next();
- if(sigElement instanceof String) {
- log.debug("Signature includes element with ID " + sigElement);
- } else {
- log.debug("Signature includes element with null uri " + sigElement.toString());
- }
- }
-
log.debug("Checking required elements are in the signature...");
for (int i = 0; i < requiredIDs.length; i++) {
- if (!sigElems.contains(requiredIDs[i])) {
+ boolean found = false;
+ for (int j = 0; j < signedElemsRefList.size(); j++) {
+ WSDataRef dataRef = (WSDataRef)signedElemsRefList.get(j);
+ if (dataRef.getWsuId().equals(requiredIDs[i])) {
+ found = true;
+ }
+ }
+ if (!found) {
throw new WSSecurityException(
WSSecurityException.FAILED_CHECK,
"requiredElementNotSigned",
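Review bot: `dataRef.getWsuId().equals(requiredIDs[i])` dereferences the ref's id, and nothing guarantees every `WSDataRef` in `TAG_DATA_REF_URIS` has one set — the class's new no-arg constructor leaves `wsuId` null, so a list entry built elsewhere without `setWsuId` turns a failed check into a `NullPointerException` instead of the `FAILED_CHECK` the caller expects. Reversing the comparison, `if (requiredIDs[i].equals(dataRef.getWsuId())) {`, makes the null case simply not match; a `break;` after `found = true;` also stops the inner loop from scanning the rest of the list once a match is found. Throwing `WSSecurityException(String)` for a missing list replaces a `RuntimeException`, which is the more appropriate type, but the method's `@throws` Javadoc is outside the hunk and should mention this new failure mode. The `throw` at the end of the hunk and the method continue past it.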
Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityDataRef.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityDataRef.java?rev=767527&r1=767526&r2=767527&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityDataRef.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityDataRef.java Wed Apr 22 14:03:12 2009
@@ -222,9 +222,6 @@
WSDataRef dataRef = (WSDataRef) obj;
- // Check whether dataRef URI is set
- assertNotNull(dataRef.getDataref());
-
// Check whether QName is correctly set
assertEquals("testMethod", dataRef.getName().getLocalPart());
assertEquals("uri:LogTestService2", dataRef.getName().getNamespaceURI());
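Review bot: Deleting the `assertNotNull(dataRef.getDataref())` check leaves the test with no assertion that the ref's identifier is populated at all; only the QName is still verified. Since `getWsuId()` is now the canonical accessor, `assertNotNull(dataRef.getWsuId());` in place of the removed lines keeps that coverage, assuming the decrypt path sets it (that code is outside this diff). The same applies to the `TestWSSecurityDataRef1` hunk.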
Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityDataRef1.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityDataRef1.java?rev=767527&r1=767526&r2=767527&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityDataRef1.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityDataRef1.java Wed Apr 22 14:03:12 2009
@@ -226,9 +226,6 @@
WSDataRef dataRef = (WSDataRef) obj;
- // Check whether dataRef URI is set
- assertNotNull(dataRef.getDataref());
-
// Check whether QName is correctly set
assertEquals("testMethod", dataRef.getName().getLocalPart());
assertEquals("uri:LogTestService2", dataRef.getName().getNamespaceURI());