svn commit: r1338617 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/
Author: coheigea
Date: Tue May 15 10:11:37 2012
New Revision: 1338617
URL: http://svn.apache.org/viewvc?rev=1338617&view=rev
Log:
[CXF-4316] - Support SupportingToken SignedElements with the Transport binding
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1338617&r1=1338616&r2=1338617&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Tue May 15 10:11:37 2012
@@ -537,6 +537,7 @@ public abstract class AbstractBindingBui
try {
uname = crypto.getX509Identifier(secToken.getX509Certificate());
} catch (WSSecurityException e1) {
+ LOG.log(Level.FINE, e1.getMessage(), e1);
throw new Fault(e1);
}
@@ -545,6 +546,7 @@ public abstract class AbstractBindingBui
try {
sig.prepare(saaj.getSOAPPart(), secToken.getCrypto(), secHeader);
} catch (WSSecurityException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
@@ -1239,7 +1241,8 @@ public abstract class AbstractBindingBui
// Handle sign/enc elements
try {
result.addAll(this.getElements("Element", xpaths, namespaces, found));
- } catch (XPathExpressionException e) {
+ } catch (XPathExpressionException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
// REVISIT
}
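Review bot: The XPathExpressionException is still swallowed after the added log line, so a SignedElements/EncryptedElements XPath that fails to evaluate leaves its matches out of `result` and processing continues with only a FINE-level trace. Given the "Handle sign/enc elements" comment, `result` presumably feeds the parts to be signed or encrypted, so continuing here fails open: the message goes out without protection the policy asked for. A policy-evaluation error should abort the message instead, e.g. replace `// REVISIT` with `throw new Fault(e);` (Fault is already thrown from the WSSecurityException handlers in this class), or report it through policyNotAsserted where a token is in scope. The same pattern is in the next hunk (the "Content" call) and in the new signPartsAndElements method in TransportBindingHandler. The enclosing method begins and ends outside this hunk.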
@@ -1247,6 +1250,7 @@ public abstract class AbstractBindingBui
try {
result.addAll(this.getElements("Content", contentXpaths, cnamespaces, found));
} catch (XPathExpressionException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
// REVISIT
}
@@ -1276,7 +1280,7 @@ public abstract class AbstractBindingBui
* if there is an error extracting SOAP content from the SAAJ
* model
*/
- private List<WSEncryptionPart> getParts(boolean sign,
+ protected List<WSEncryptionPart> getParts(boolean sign,
boolean includeBody, List<WSEncryptionPart> parts,
List<Element> found) throws SOAPException {
@@ -1355,7 +1359,7 @@ public abstract class AbstractBindingBui
* if there is an error extracting SOAP content from the SAAJ
* model
*/
- private List<WSEncryptionPart> getElements(String encryptionModifier,
+ protected List<WSEncryptionPart> getElements(String encryptionModifier,
List<String> xpaths, Map<String, String> namespaces,
List<Element> found) throws XPathExpressionException, SOAPException {
@@ -1783,6 +1787,7 @@ public abstract class AbstractBindingBui
try {
user = crypto.getDefaultX509Identifier();
} catch (WSSecurityException e1) {
+ LOG.log(Level.FINE, e1.getMessage(), e1);
throw new Fault(e1);
}
}
@@ -1800,6 +1805,7 @@ public abstract class AbstractBindingBui
try {
sig.prepare(saaj.getSOAPPart(), crypto, secHeader);
} catch (WSSecurityException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
policyNotAsserted(token, e);
}
@@ -1871,8 +1877,7 @@ public abstract class AbstractBindingBui
doSymmSignature(ent.getKey(), token, sigParts, isTokenProtection);
}
} catch (Exception e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ LOG.log(Level.FINE, e.getMessage(), e);
}
} else if (tempTok instanceof WSSecUsernameToken) {
WSSecUsernameToken utBuilder = (WSSecUsernameToken)tempTok;
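Review bot: Swapping printStackTrace for a FINE log leaves this `catch (Exception e)` a silent swallow: if doSymmSignature fails for the supporting token, the message continues without that signature and nothing above FINE records it. A failed signature over a supporting token should not be best-effort; unless continuing is deliberate, rethrow with `throw new Fault(e);` as the earlier WSSecurityException handlers in this class do, or report it with `policyNotAsserted(token, e);` so the assertion is not reported as satisfied. The same catch block appears in the next hunk (the secToken branch). The enclosing method starts and ends outside this hunk.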
@@ -1898,8 +1903,7 @@ public abstract class AbstractBindingBui
doSymmSignature(ent.getKey(), secToken, sigParts, isTokenProtection);
}
} catch (Exception e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
+ LOG.log(Level.FINE, e.getMessage(), e);
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1338617&r1=1338616&r2=1338617&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Tue May 15 10:11:37 2012
@@ -23,16 +23,18 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;
+import java.util.logging.Level;
import javax.xml.crypto.dsig.Reference;
+import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
+import javax.xml.xpath.XPathExpressionException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.apache.cxf.binding.soap.SoapMessage;
-import org.apache.cxf.binding.soap.saaj.SAAJUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
@@ -46,6 +48,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.model.SamlToken;
import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
+import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
import org.apache.cxf.ws.security.policy.model.SupportingToken;
import org.apache.cxf.ws.security.policy.model.Token;
@@ -150,6 +153,7 @@ public class TransportBindingHandler ext
addSignatureConfirmation(null);
}
} catch (Exception e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
}
@@ -274,7 +278,6 @@ public class TransportBindingHandler ext
private void handleEndorsingToken(
Token token, SupportingToken wrapper, List<byte[]> signatureValues
) throws Exception {
- SignedEncryptedParts signdParts = wrapper.getSignedParts();
if (token instanceof IssuedToken
|| token instanceof SecureConversationToken
|| token instanceof SecurityContextToken
@@ -282,13 +285,13 @@ public class TransportBindingHandler ext
|| token instanceof KerberosToken) {
addSig(
signatureValues,
- doIssuedTokenSignature(token, signdParts, wrapper)
+ doIssuedTokenSignature(token, wrapper)
);
} else if (token instanceof X509Token
|| token instanceof KeyValueToken) {
addSig(
signatureValues,
- doX509TokenSignature(token, signdParts, wrapper)
+ doX509TokenSignature(token, wrapper)
);
} else if (token instanceof SamlToken) {
AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
@@ -296,7 +299,7 @@ public class TransportBindingHandler ext
storeAssertionAsSecurityToken(assertionWrapper);
addSig(
signatureValues,
- doIssuedTokenSignature(token, signdParts, wrapper)
+ doIssuedTokenSignature(token, wrapper)
);
} else if (token instanceof UsernameToken) {
// Create a UsernameToken object for derived keys and store the security token
@@ -315,37 +318,20 @@ public class TransportBindingHandler ext
addSig(
signatureValues,
- doIssuedTokenSignature(token, signdParts, wrapper)
+ doIssuedTokenSignature(token, wrapper)
);
}
}
- private byte[] doX509TokenSignature(Token token, SignedEncryptedParts signedParts,
- TokenWrapper wrapper)
+ private byte[] doX509TokenSignature(Token token, SupportingToken wrapper)
throws Exception {
Document doc = saaj.getSOAPPart();
- List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
+ List<WSEncryptionPart> sigParts =
+ signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
- if (timestampEl != null) {
- WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
- sigParts.add(timestampPart);
- }
-
- if (signedParts != null) {
- if (signedParts.isBody()) {
- WSEncryptionPart bodyPart = convertToEncryptionPart(SAAJUtils.getBody(saaj));
- sigParts.add(bodyPart);
- }
- for (Header header : signedParts.getHeaders()) {
- WSEncryptionPart wep = new WSEncryptionPart(header.getName(),
- header.getNamespace(),
- "Content");
- sigParts.add(wep);
- }
- }
if (token.isDerivedKeys()) {
WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(wrapper, token);
@@ -396,12 +382,11 @@ public class TransportBindingHandler ext
}
private byte[] doIssuedTokenSignature(
- Token token, SignedEncryptedParts signdParts, TokenWrapper wrapper
+ Token token, SupportingToken wrapper
) throws Exception {
boolean tokenIncluded = false;
// Get the issued token
SecurityToken secTok = getSecurityToken();
- List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
if (includeToken(token.getInclusion())) {
//Add the token
@@ -416,29 +401,8 @@ public class TransportBindingHandler ext
tokenIncluded = true;
}
- if (timestampEl != null) {
- WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
- sigParts.add(timestampPart);
- }
-
- if (signdParts != null) {
- if (signdParts.isBody()) {
- WSEncryptionPart bodyPart = convertToEncryptionPart(SAAJUtils.getBody(saaj));
- sigParts.add(bodyPart);
- }
- if (secTok.getX509Certificate() != null) {
- //the "getX509Certificate" this is to workaround an issue in WCF
- //In WCF, for TransportBinding, in most cases, it doesn't want any of
- //the headers signed even if the policy says so. HOWEVER, for KeyValue
- //IssuedTokens, it DOES want them signed
- for (Header header : signdParts.getHeaders()) {
- WSEncryptionPart wep = new WSEncryptionPart(header.getName(),
- header.getNamespace(),
- "Content");
- sigParts.add(wep);
- }
- }
- }
+ List<WSEncryptionPart> sigParts =
+ signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
if (token.isDerivedKeys()) {
return doDerivedKeySignature(tokenIncluded, secTok, token, sigParts);
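Review bot: The removed block only signed the SignedParts headers when `secTok.getX509Certificate() != null`, and its comment described that as a deliberate WCF interoperability workaround; the new signPartsAndElements call signs the headers unconditionally. If the workaround is obsolete, that should be recorded either in the commit log or at the call site, e.g. `// SignedParts headers are now always signed; the former X509-only guard for WCF was dropped`; if it is still needed, the guard has to be reinstated, perhaps as a flag passed into signPartsAndElements. doIssuedTokenSignature starts and ends outside this hunk.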
@@ -592,6 +556,61 @@ public class TransportBindingHandler ext
return sig.getSignatureValue();
}
+ /**
+ * Identifies the portions of the message to be signed/encrypted.
+ */
+ private List<WSEncryptionPart> signPartsAndElements(
+ SignedEncryptedParts signedParts,
+ SignedEncryptedElements signedElements
+ ) throws SOAPException {
+
+ List<WSEncryptionPart> result = new ArrayList<WSEncryptionPart>();
+ List<Element> found = new ArrayList<Element>();
+
+ // Add timestamp
+ if (timestampEl != null) {
+ WSEncryptionPart timestampPart =
+ new WSEncryptionPart("Timestamp", WSConstants.WSU_NS, "Element");
+ String id = addWsuIdToElement(timestampEl.getElement());
+ timestampPart.setId(id);
+ timestampPart.setElement(timestampEl.getElement());
+
+ found.add(timestampPart.getElement());
+ result.add(timestampPart);
+ }
+
+ // Add SignedParts
+ if (signedParts != null) {
+ List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
+ boolean isSignBody = signedParts.isBody();
+
+ for (Header head : signedParts.getHeaders()) {
+ WSEncryptionPart wep =
+ new WSEncryptionPart(head.getName(), head.getNamespace(), "Element");
+ parts.add(wep);
+ }
+
+ // Handle sign/enc parts
+ result.addAll(this.getParts(true, isSignBody, parts, found));
+ }
+
+ if (signedElements != null) {
+ // Handle SignedElements
+ try {
+ result.addAll(
+ this.getElements(
+ "Element", signedElements.getXPathExpressions(),
+ signedElements.getDeclaredNamespaces(), found
+ )
+ );
+ } catch (XPathExpressionException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
+ // REVISIT
+ }
+ }
+
+ return result;
+ }
}
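Review bot: The Javadoc on signPartsAndElements says the portions are "signed/encrypted", but the method only assembles signature parts: getParts is called with sign=true, and only SignedParts and SignedElements are consumed, so the summary overstates what it does. Suggest `Builds the list of parts a supporting token must sign: the Timestamp (if present), the SignedParts body/headers, and the SignedElements XPath matches.`, followed by @param signedParts and @param signedElements (both may be null), @return the parts to sign, and @throws SOAPException for SAAJ extraction errors. The `found` list is threaded through getParts and getElements; a one-line comment saying it collects elements already selected so they are not referenced twice would help, if that is its purpose.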
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl?rev=1338617&r1=1338616&r2=1338617&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl Tue May 15 10:11:37 2012
@@ -837,11 +837,9 @@
<sp:Body/>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
- <!--
<sp:SignedElements>
- <sp:XPath>//ReplyTo</sp:XPath>
+ <sp:XPath>//*[local-name()='ReplyTo']</sp:XPath>
</sp:SignedElements>
- -->
</wsp:Policy>
</sp:EndorsingSupportingTokens>
</wsp:All>
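Review bot: `//*[local-name()='ReplyTo']` matches a ReplyTo element in any namespace, so the SignedElements assertion no longer pins the WS-Addressing ReplyTo header; for a test policy that is fine only if a namespace-agnostic match is what the test intends. If the original `//ReplyTo` failed because no prefix was bound, the precise form is to declare the addressing namespace on the sp:SignedElements element (the same URI as the Namespace attribute of the sp:Header above) and use `<sp:XPath>//wsa:ReplyTo</sp:XPath>`; the new handler code passes signedElements.getDeclaredNamespaces() to the XPath evaluation, which suggests such declarations are honoured, though that is inferred from the call rather than verified here.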