Posted to commits@ws.apache.org by co...@apache.org on 2017/02/14 15:34:35 UTC
svn commit: r1782977 - in /webservices/wss4j/trunk: src/site/xdoc/
ws-security-common/src/main/java/org/apache/wss4j/common/
ws-security-dom/src/main/java/org/apache/wss4j/dom/action/
ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/ ws-secur...
Author: coheigea
Date: Tue Feb 14 15:34:35 2017
New Revision: 1782977
URL: http://svn.apache.org/viewvc?rev=1782977&view=rev
Log:
Added new configuration tag for expanding XOP Include Elements
Modified:
webservices/wss4j/trunk/src/site/xdoc/config.xml
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionDerivedAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureConfirmationAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureDerivedAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/TimestampAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/UsernameTokenAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/UsernameTokenSignedAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
Modified: webservices/wss4j/trunk/src/site/xdoc/config.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/site/xdoc/config.xml?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/site/xdoc/config.xml (original)
+++ webservices/wss4j/trunk/src/site/xdoc/config.xml Tue Feb 14 15:34:35 2017
@@ -611,11 +611,23 @@ CallbackHandler must be set on RequestDa
<tr>
<td><b>WSS4J 2.1.2/2.0.5</b> EXPAND_XOP_INCLUDE_FOR_SIGNATURE</td>
<td>expandXOPIncludeForSignature</td>
-<td>Whether to expand xop:Include Elements encountered when verifying a
+<td>(Deprecated in 2.2.0). Whether to expand xop:Include Elements encountered when verifying a
Signature. The default is true, meaning that the relevant attachment bytes are
BASE-64 encoded and inserted into the Element. This ensures that the actual
bytes are signed, and not just the reference.
</td>
+</tr>
+<tr>
+<td><b>WSS4J 2.2.0</b> EXPAND_XOP_INCLUDE</td>
+<td>expandXOPInclude</td>
+<td>
+Whether to search for and expand xop:Include Elements for encryption and
+signature (on the outbound side) or for signature verification (on the inbound
+side). The default is false on the outbound side and true on the inbound side.
+What this means on the inbound side, is that the relevant attachment bytes are
+BASE-64 encoded and inserted into the Element. This ensures that the actual
+bytes are signed, and not just the reference.
+</td>
</tr>
</table>
<p>
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java Tue Feb 14 15:34:35 2017
@@ -534,9 +534,20 @@ public class ConfigurationConstants {
/**
* Whether to expand xop:Include Elements encountered when verifying a Signature. The default is true,
* meaning that the relevant attachment bytes are BASE-64 encoded and inserted into the Element. This
- * ensures that the actual bytes are signed, and not just the reference.
+ * ensures that the actual bytes are signed, and not just the reference. This configuration tag has
+ * been deprecated in favour of EXPAND_XOP_INCLUDE.
*/
+ @Deprecated
public static final String EXPAND_XOP_INCLUDE_FOR_SIGNATURE = "expandXOPIncludeForSignature";
+
+ /**
+ * Whether to search for and expand xop:Include Elements for encryption and signature (on the outbound
+ * side) or for signature verification (on the inbound side). The default is false on the outbound
+ * side and true on the inbound side. What this means on the inbound side, is that the relevant attachment
+ * bytes are BASE-64 encoded and inserted into the Element. This ensures that the actual bytes are signed,
+ * and not just the reference.
+ */
+ public static final String EXPAND_XOP_INCLUDE = "expandXOPInclude";
//
// (Non-boolean) Configuration parameters for the actions/processors
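Review bot: The `@Deprecated` annotation on EXPAND_XOP_INCLUDE_FOR_SIGNATURE is not matched by a Javadoc `@deprecated` tag, so the rendered docs and IDE quick-help will not link to the replacement. Add `@deprecated Use {@link #EXPAND_XOP_INCLUDE} instead.` as the last line of that Javadoc block. The Javadoc for EXPAND_XOP_INCLUDE should also say which tag is honoured when a deployment sets both; the handler change in this commit appears to let the deprecated tag win, but nothing in the constant's documentation tells a user that.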
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java Tue Feb 14 15:34:35 2017
@@ -41,6 +41,7 @@ public class EncryptionAction implements
WSSecEncrypt wsEncrypt = new WSSecEncrypt(reqData.getSecHeader());
wsEncrypt.setIdAllocator(reqData.getWssConfig().getIdAllocator());
wsEncrypt.setWsDocInfo(reqData.getWsDocInfo());
+ wsEncrypt.setExpandXopInclude(reqData.isExpandXopInclude());
EncryptionActionToken encryptionToken = null;
if (actionToken instanceof EncryptionActionToken) {
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionDerivedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionDerivedAction.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionDerivedAction.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionDerivedAction.java Tue Feb 14 15:34:35 2017
@@ -60,6 +60,7 @@ public class EncryptionDerivedAction ext
WSSecDKEncrypt wsEncrypt = new WSSecDKEncrypt(reqData.getSecHeader());
wsEncrypt.setIdAllocator(reqData.getWssConfig().getIdAllocator());
wsEncrypt.setWsDocInfo(reqData.getWsDocInfo());
+ wsEncrypt.setExpandXopInclude(reqData.isExpandXopInclude());
if (encryptionToken.getKeyIdentifierId() != 0) {
wsEncrypt.setKeyIdentifierType(encryptionToken.getKeyIdentifierId());
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenSignedAction.java Tue Feb 14 15:34:35 2017
@@ -86,6 +86,7 @@ public class SAMLTokenSignedAction imple
wsSign.setIdAllocator(reqData.getWssConfig().getIdAllocator());
wsSign.setAddInclusivePrefixes(reqData.isAddInclusivePrefixes());
wsSign.setWsDocInfo(reqData.getWsDocInfo());
+ wsSign.setExpandXopInclude(reqData.isExpandXopInclude());
CallbackHandler callbackHandler =
handler.getPasswordCallbackHandler(reqData);
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SAMLTokenUnsignedAction.java Tue Feb 14 15:34:35 2017
@@ -38,6 +38,7 @@ public class SAMLTokenUnsignedAction imp
WSSecSAMLToken builder = new WSSecSAMLToken(reqData.getSecHeader());
builder.setIdAllocator(reqData.getWssConfig().getIdAllocator());
builder.setWsDocInfo(reqData.getWsDocInfo());
+ builder.setExpandXopInclude(reqData.isExpandXopInclude());
CallbackHandler samlCallbackHandler =
handler.getCallbackHandler(
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java Tue Feb 14 15:34:35 2017
@@ -60,6 +60,7 @@ public class SignatureAction implements
wsSign.setIdAllocator(reqData.getWssConfig().getIdAllocator());
wsSign.setAddInclusivePrefixes(reqData.isAddInclusivePrefixes());
wsSign.setWsDocInfo(reqData.getWsDocInfo());
+ wsSign.setExpandXopInclude(reqData.isExpandXopInclude());
if (signatureToken.getKeyIdentifierId() != 0) {
wsSign.setKeyIdentifierType(signatureToken.getKeyIdentifierId());
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureConfirmationAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureConfirmationAction.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureConfirmationAction.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureConfirmationAction.java Tue Feb 14 15:34:35 2017
@@ -58,6 +58,7 @@ public class SignatureConfirmationAction
WSSecSignatureConfirmation wsc = new WSSecSignatureConfirmation(reqData.getSecHeader());
wsc.setIdAllocator(reqData.getWssConfig().getIdAllocator());
wsc.setWsDocInfo(reqData.getWsDocInfo());
+ wsc.setExpandXopInclude(reqData.isExpandXopInclude());
SignatureActionToken signatureToken = (SignatureActionToken)actionToken;
if (signatureToken == null) {
signatureToken = reqData.getSignatureToken();
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureDerivedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureDerivedAction.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureDerivedAction.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureDerivedAction.java Tue Feb 14 15:34:35 2017
@@ -62,6 +62,7 @@ public class SignatureDerivedAction exte
wsSign.setIdAllocator(reqData.getWssConfig().getIdAllocator());
wsSign.setAddInclusivePrefixes(reqData.isAddInclusivePrefixes());
wsSign.setWsDocInfo(reqData.getWsDocInfo());
+ wsSign.setExpandXopInclude(reqData.isExpandXopInclude());
if (signatureToken.getSignatureAlgorithm() != null) {
wsSign.setSignatureAlgorithm(signatureToken.getSignatureAlgorithm());
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/TimestampAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/TimestampAction.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/TimestampAction.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/TimestampAction.java Tue Feb 14 15:34:35 2017
@@ -38,6 +38,7 @@ public class TimestampAction implements
timeStampBuilder.setTimeToLive(reqData.getTimeStampTTL());
timeStampBuilder.setWsTimeSource(reqData.getWssConfig().getCurrentTime());
timeStampBuilder.setWsDocInfo(reqData.getWsDocInfo());
+ timeStampBuilder.setExpandXopInclude(reqData.isExpandXopInclude());
timeStampBuilder.build();
}
}
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/UsernameTokenAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/UsernameTokenAction.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/UsernameTokenAction.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/UsernameTokenAction.java Tue Feb 14 15:34:35 2017
@@ -56,6 +56,7 @@ public class UsernameTokenAction impleme
builder.setPasswordsAreEncoded(reqData.isEncodePasswords());
builder.setUserInfo(username, password);
builder.setWsDocInfo(reqData.getWsDocInfo());
+ builder.setExpandXopInclude(reqData.isExpandXopInclude());
if (reqData.isAddUsernameTokenNonce()) {
builder.addNonce();
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/UsernameTokenSignedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/UsernameTokenSignedAction.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/UsernameTokenSignedAction.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/UsernameTokenSignedAction.java Tue Feb 14 15:34:35 2017
@@ -63,6 +63,7 @@ public class UsernameTokenSignedAction i
builder.setPrecisionInMilliSeconds(reqData.isPrecisionInMilliSeconds());
builder.setWsTimeSource(reqData.getWssConfig().getCurrentTime());
builder.setWsDocInfo(reqData.getWsDocInfo());
+ builder.setExpandXopInclude(reqData.isExpandXopInclude());
int iterations = reqData.getDerivedKeyIterations();
boolean useMac = reqData.isUseDerivedKeyForMAC();
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java Tue Feb 14 15:34:35 2017
@@ -192,7 +192,7 @@ public class RequestData {
*/
private boolean validateSamlSubjectConfirmation = true;
- private boolean expandXopIncludeForSignature = true;
+ private boolean expandXopInclude;
public Object getMsgContext() {
return msgContext;
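Review bot: The field default changes from `expandXopIncludeForSignature = true` to an uninitialised `expandXopInclude` (false), so any code path that builds a RequestData directly for inbound processing and never calls setExpandXopInclude now skips xop:Include expansion in SignatureProcessor (the `data.isExpandXopInclude()` branch in the SignatureProcessor hunk), leaving the attachment bytes outside what the signature covers. The inbound default of true documented for EXPAND_XOP_INCLUDE is now only reached through WSHandler.decodeSignatureParameter2; whether other inbound entry points populate the field cannot be seen from this diff. If the false default is intentional for the outbound case, say so on the field: `// Outbound default; WSHandler sets this to true for inbound signature verification (decodeSignatureParameter2)`. Otherwise keep `= true` for inbound safety and let the outbound decoder override it.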
@@ -721,12 +721,12 @@ public class RequestData {
this.storeBytesInAttachment = storeBytesInAttachment;
}
- public boolean isExpandXopIncludeForSignature() {
- return expandXopIncludeForSignature;
+ public boolean isExpandXopInclude() {
+ return expandXopInclude;
}
- public void setExpandXopIncludeForSignature(boolean expandXopIncludeForSignature) {
- this.expandXopIncludeForSignature = expandXopIncludeForSignature;
+ public void setExpandXopInclude(boolean expandXopInclude) {
+ this.expandXopInclude = expandXopInclude;
}
public Serializer getEncryptionSerializer() {
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java Tue Feb 14 15:34:35 2017
@@ -625,6 +625,12 @@ public abstract class WSHandler {
boolean includeToken =
decodeBooleanConfigValue(mc, WSHandlerConstants.INCLUDE_SIGNATURE_TOKEN, false);
actionToken.setIncludeToken(includeToken);
+
+ boolean expandXOP =
+ decodeBooleanConfigValue(
+ reqData.getMsgContext(), WSHandlerConstants.EXPAND_XOP_INCLUDE, false
+ );
+ reqData.setExpandXopInclude(expandXOP);
}
protected void decodeAlgorithmSuite(RequestData reqData) throws WSSecurityException {
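Review bot: The outbound EXPAND_XOP_INCLUDE value is decoded directly after `actionToken.setIncludeToken(includeToken)`, inside what reads as the signature-token parameter decoder (the method signature is above the hunk), yet `reqData.isExpandXopInclude()` is also consumed by the encryption, timestamp, username-token and SAML actions added in this commit. If that decoder is only invoked when a signature action is configured (inferred; the call sites are outside the hunk), a deployment with `expandXOPInclude=true` and, say, only an encryption action keeps the field default false and the setting is silently ignored. Consider decoding it once in the per-request configuration path shared by all actions. As a style point, the adjacent lookup passes `mc` while the new one calls `reqData.getMsgContext()`; if those are the same object, `decodeBooleanConfigValue(mc, WSHandlerConstants.EXPAND_XOP_INCLUDE, false)` keeps the two lines consistent.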
@@ -1309,6 +1315,7 @@ public abstract class WSHandler {
}
}
+ @SuppressWarnings("deprecation")
protected void decodeSignatureParameter2(RequestData reqData)
throws WSSecurityException {
if (reqData.getSigVerCrypto() == null) {
@@ -1336,11 +1343,20 @@ public abstract class WSHandler {
reqData.setIssuerDNPatterns(issuerCertConstraints);
}
- boolean expandXOP =
- decodeBooleanConfigValue(
- reqData.getMsgContext(), WSHandlerConstants.EXPAND_XOP_INCLUDE_FOR_SIGNATURE, true
+ String value = getString(WSHandlerConstants.EXPAND_XOP_INCLUDE_FOR_SIGNATURE, reqData.getMsgContext());
+ boolean expandXOP = false;
+ if (value != null) {
+ expandXOP =
+ decodeBooleanConfigValue(
+ reqData.getMsgContext(), WSHandlerConstants.EXPAND_XOP_INCLUDE_FOR_SIGNATURE, true
+ );
+ } else {
+ expandXOP =
+ decodeBooleanConfigValue(
+ reqData.getMsgContext(), WSHandlerConstants.EXPAND_XOP_INCLUDE, true
);
- reqData.setExpandXopIncludeForSignature(expandXOP);
+ }
+ reqData.setExpandXopInclude(expandXOP);
}
private Collection<Pattern> getCertConstraints(String certConstraints) throws WSSecurityException {
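Review bot: In the fallback block the initialiser on `boolean expandXOP = false;` is dead, since both branches of the `if` assign it, and the two branches differ only in the tag name; selecting the tag first keeps one decode call: `String tag = getString(WSHandlerConstants.EXPAND_XOP_INCLUDE_FOR_SIGNATURE, reqData.getMsgContext()) != null ? WSHandlerConstants.EXPAND_XOP_INCLUDE_FOR_SIGNATURE : WSHandlerConstants.EXPAND_XOP_INCLUDE;` followed by `reqData.setExpandXopInclude(decodeBooleanConfigValue(reqData.getMsgContext(), tag, true));`. The precedence of the deprecated tag over the new one is a behavioural choice worth a comment, e.g. `// The deprecated tag, if present, takes precedence for inbound verification`. Note also that one tag now carries different defaults per direction: a handler configured with `expandXOPInclude=false` to match the documented outbound default would, when reused inbound, disable expansion during signature verification so that only the xop:Include reference, not the attachment bytes, is covered by the signature; that trade-off belongs in the EXPAND_XOP_INCLUDE documentation.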
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java?rev=1782977&r1=1782976&r2=1782977&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java Tue Feb 14 15:34:35 2017
@@ -425,7 +425,7 @@ public class SignatureProcessor implemen
// We don't write out the xop:Include bytes into the BinarySecurityToken by default
// But if the BST is signed, then we have to, or else Signature validation fails...
handleXopInclude(element, wsDocInfo);
- } else if (data.isExpandXopIncludeForSignature() && element.getFirstChild() != null) {
+ } else if (data.isExpandXopInclude() && element.getFirstChild() != null) {
// Look for xop:Include Nodes
List<Element> includeElements =
XMLUtils.findElements(element.getFirstChild(), "Include", WSConstants.XOP_NS);