Posted to commits@ws.apache.org by co...@apache.org on 2011/08/26 17:54:15 UTC
svn commit: r1162147 - in
/webservices/wss4j/trunk/src/main/java/org/apache/ws/security:
message/token/SecurityTokenReference.java
str/SecurityTokenRefSTRParser.java str/SignatureSTRParser.java
Author: coheigea
Date: Fri Aug 26 15:54:15 2011
New Revision: 1162147
URL: http://svn.apache.org/viewvc?rev=1162147&view=rev
Log:
[WSS-307] - Changing the Signature and RefList STR Parsers to check for a symmetric key in the CallbackHandler first
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java?rev=1162147&r1=1162146&r2=1162147&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/SecurityTokenReference.java Fri Aug 26 15:54:15 2011
@@ -312,7 +312,8 @@ public class SecurityTokenReference {
//
if (cb != null && (WSConstants.WSC_SCT.equals(type)
|| WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(type)
- || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(type))) {
+ || WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(type)
+ || KerberosSecurity.isKerberosToken(type))) {
//try to find a custom token
WSPasswordCallback pwcb =
new WSPasswordCallback(id, WSPasswordCallback.CUSTOM_TOKEN);
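Review bot: The new operand `KerberosSecurity.isKerberosToken(type)` passes `type` straight in, whereas the neighbouring checks are written constant-first (`WSConstants.WSC_SCT.equals(type)`) and therefore tolerate a null ValueType; unless isKerberosToken null-checks internally, a reference without a ValueType would now throw a NullPointerException out of this condition instead of simply skipping the custom-token lookup as before. Writing it as `|| (type != null && KerberosSecurity.isKerberosToken(type))` preserves the old null behaviour. The `//try to find a custom token` comment could also be extended to say that Kerberos token references are resolved through the CallbackHandler as well. The enclosing method starts and ends outside the hunk.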
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java?rev=1162147&r1=1162146&r2=1162147&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java Fri Aug 26 15:54:15 2011
@@ -98,28 +98,29 @@ public class SecurityTokenRefSTRParser i
if (result != null) {
processPreviousResult(result, secRef, data, parameters, wsDocInfo, bspCompliant);
} else if (secRef.containsReference()) {
- Element token =
- secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
- QName el = new QName(token.getNamespaceURI(), token.getLocalName());
- if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
- Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
- List<WSSecurityEngineResult> bstResult =
- proc.handleToken(token, data, wsDocInfo);
- BinarySecurity bstToken =
- (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- if (bspCompliant) {
- BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, bstToken);
- }
- secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
- } else {
- Reference reference = secRef.getReference();
- // Try asking the CallbackHandler for the secret key
- secretKey = getSecretKeyFromToken(uri, reference.getValueType(), data);
- if (secretKey == null) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[] {uri}
- );
- }
+ Reference reference = secRef.getReference();
+ // Try asking the CallbackHandler for the secret key
+ secretKey = getSecretKeyFromToken(uri, reference.getValueType(), data);
+ if (secretKey == null) {
+ Element token =
+ secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
+ QName el = new QName(token.getNamespaceURI(), token.getLocalName());
+ if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
+ Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
+ List<WSSecurityEngineResult> bstResult =
+ proc.handleToken(token, data, wsDocInfo);
+ BinarySecurity bstToken =
+ (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ if (bspCompliant) {
+ BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, bstToken);
+ }
+ secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
+ }
+ }
+ if (secretKey == null) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[] {uri}
+ );
}
} else if (secRef.containsKeyIdentifier()) {
String valueType = secRef.getKeyIdentifierValueType();
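Review bot: A non-null key returned by getSecretKeyFromToken now ends handling of the reference before the referenced BinarySecurityToken is passed to its Processor or checked by BSPEnforcer, so a CallbackHandler that answers for an id is effectively vouching for whatever token sits in the message under that id; the `// Try asking the CallbackHandler for the secret key` comment should make that contract explicit, e.g. `// A key from the CallbackHandler is authoritative: the referenced token is then neither processed nor BSP-checked`. When the handler returns null and the referenced element is not a BinarySecurityToken, the new code silently leaves secretKey null and falls through to the unsupportedKeyId failure, which is a reasonable fail-closed default but deserves a one-line comment on the `if (el.equals(WSSecurityEngine.BINARY_TOKEN))` block so the missing else branch does not read as an omission. The enclosing method continues outside the hunk.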
@@ -153,6 +154,11 @@ public class SecurityTokenRefSTRParser i
getSecretKeyFromToken(
secRef.getKeyIdentifierValue(), secRef.getKeyIdentifierValueType(), data
);
+ if (secretKey == null) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[] {uri}
+ );
+ }
}
} else {
throw new WSSecurityException(WSSecurityException.FAILED_CHECK, "noReference");
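Review bot: The added null check in the KeyIdentifier branch is the third verbatim copy of the same four-line `if (secretKey == null) { throw new WSSecurityException(WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[] {uri}); }` block in this method after the previous hunk; a small private helper such as `private static void checkSecretKey(byte[] secretKey, String uri) throws WSSecurityException` called at each site would keep the three failure paths identical if the message or fault code is ever adjusted. The enclosing method continues outside the hunk.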
@@ -222,7 +228,10 @@ public class SecurityTokenRefSTRParser i
new WSPasswordCallback(id, null, type, WSPasswordCallback.SECRET_KEY, data);
try {
Callback[] callbacks = new Callback[]{pwcb};
- data.getCallbackHandler().handle(callbacks);
+ if (data.getCallbackHandler() != null) {
+ data.getCallbackHandler().handle(callbacks);
+ return pwcb.getKey();
+ }
} catch (Exception e) {
throw new WSSecurityException(
WSSecurityException.FAILURE,
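Review bot: The `data.getCallbackHandler() != null` guard is placed inside the try after the WSPasswordCallback and the Callback array have already been constructed, and the `return pwcb.getKey()` moves inside the try where it is easy to misread as part of the error path; a guard before the try, `if (data.getCallbackHandler() == null) { return null; }`, with the original `return pwcb.getKey();` left after the try, reads more directly and avoids building a callback that is never used. Because the callers changed in this commit turn a null result into an unsupportedKeyId failure, the method's Javadoc (outside the hunk) should state that null means either no CallbackHandler is configured or the handler supplied no key. The same shape appears in the second hunk of this method below and in the two getSecretKeyFromToken hunks of SignatureSTRParser.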
@@ -232,7 +241,7 @@ public class SecurityTokenRefSTRParser i
);
}
- return pwcb.getKey();
+ return null;
}
/**
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1162147&r1=1162146&r2=1162147&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java Fri Aug 26 15:54:15 2011
@@ -32,6 +32,7 @@ import org.apache.ws.security.components
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.DerivedKeyToken;
+import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityContextToken;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.UsernameToken;
@@ -120,68 +121,71 @@ public class SignatureSTRParser implemen
if (result != null) {
processPreviousResult(result, secRef, data, parameters, bspCompliant);
} else if (secRef.containsReference()) {
- Element token =
- secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
- QName el = new QName(token.getNamespaceURI(), token.getLocalName());
- if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
- Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
- List<WSSecurityEngineResult> bstResult =
- proc.handleToken(token, data, wsDocInfo);
- BinarySecurity bstToken =
- (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
- if (bspCompliant) {
- BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, bstToken);
- }
- certs = (X509Certificate[])bstResult.get(0).get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
- secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
- principal = (Principal)bstResult.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
- } else if (el.equals(WSSecurityEngine.SAML_TOKEN)
- || el.equals(WSSecurityEngine.SAML2_TOKEN)) {
- Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
- //
- // Just check to see whether the token was processed or not
- //
- Element processedToken =
- secRef.findProcessedTokenElement(
- strElement.getOwnerDocument(), wsDocInfo,
- data.getCallbackHandler(), uri, secRef.getReference().getValueType()
- );
- AssertionWrapper assertion = null;
- if (processedToken == null) {
- List<WSSecurityEngineResult> samlResult =
+ Reference reference = secRef.getReference();
+ // Try asking the CallbackHandler for the secret key
+ secretKey = getSecretKeyFromToken(uri, reference.getValueType(), data);
+ principal = new CustomTokenPrincipal(uri);
+
+ if (secretKey == null) {
+ Element token =
+ secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
+ QName el = new QName(token.getNamespaceURI(), token.getLocalName());
+ if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
+ Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.BINARY_TOKEN);
+ List<WSSecurityEngineResult> bstResult =
proc.handleToken(token, data, wsDocInfo);
- assertion =
- (AssertionWrapper)samlResult.get(0).get(
- WSSecurityEngineResult.TAG_SAML_ASSERTION
+ BinarySecurity bstToken =
+ (BinarySecurity)bstResult.get(0).get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ if (bspCompliant) {
+ BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, bstToken);
+ }
+ certs = (X509Certificate[])bstResult.get(0).get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+ secretKey = (byte[])bstResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
+ principal = (Principal)bstResult.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ } else if (el.equals(WSSecurityEngine.SAML_TOKEN)
+ || el.equals(WSSecurityEngine.SAML2_TOKEN)) {
+ Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
+ //
+ // Just check to see whether the token was processed or not
+ //
+ Element processedToken =
+ secRef.findProcessedTokenElement(
+ strElement.getOwnerDocument(), wsDocInfo,
+ data.getCallbackHandler(), uri, secRef.getReference().getValueType()
);
- } else {
- assertion = new AssertionWrapper(processedToken);
- assertion.parseHOKSubject(data, wsDocInfo);
- }
- if (bspCompliant) {
- BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
- }
- SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
- X509Certificate[] foundCerts = keyInfo.getCerts();
- if (foundCerts != null) {
- certs = new X509Certificate[]{foundCerts[0]};
- }
- secretKey = keyInfo.getSecret();
- principal = createPrincipalFromSAML(assertion);
- } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
- if (bspCompliant) {
- BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
+ AssertionWrapper assertion = null;
+ if (processedToken == null) {
+ List<WSSecurityEngineResult> samlResult =
+ proc.handleToken(token, data, wsDocInfo);
+ assertion =
+ (AssertionWrapper)samlResult.get(0).get(
+ WSSecurityEngineResult.TAG_SAML_ASSERTION
+ );
+ } else {
+ assertion = new AssertionWrapper(processedToken);
+ assertion.parseHOKSubject(data, wsDocInfo);
+ }
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+ }
+ SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
+ X509Certificate[] foundCerts = keyInfo.getCerts();
+ if (foundCerts != null) {
+ certs = new X509Certificate[]{foundCerts[0]};
+ }
+ secretKey = keyInfo.getSecret();
+ principal = createPrincipalFromSAML(assertion);
+ } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
+ if (bspCompliant) {
+ BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
+ }
+ Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
+ List<WSSecurityEngineResult> encrResult =
+ proc.handleToken(token, data, wsDocInfo);
+ secretKey =
+ (byte[])encrResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
+ principal = new CustomTokenPrincipal(token.getAttribute("Id"));
}
- Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
- List<WSSecurityEngineResult> encrResult =
- proc.handleToken(token, data, wsDocInfo);
- secretKey =
- (byte[])encrResult.get(0).get(WSSecurityEngineResult.TAG_SECRET);
- principal = new CustomTokenPrincipal(token.getAttribute("Id"));
- } else {
- String id = secRef.getReference().getURI();
- secretKey = getSecretKeyFromToken(id, null, data);
- principal = new CustomTokenPrincipal(id);
}
} else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
X509Certificate[] foundCerts = secRef.getX509IssuerSerial(crypto);
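Review bot: `principal = new CustomTokenPrincipal(uri)` is assigned before the CallbackHandler is consulted and is only replaced when one of the three token-element branches matches, so when the handler returns null and the referenced element is neither a BinarySecurityToken, a SAML token nor an EncryptedKey, the method continues with `secretKey == null` and a principal that nothing verified, whereas SecurityTokenRefSTRParser in this same commit fails with unsupportedKeyId at that point; an `else` on the element check throwing `new WSSecurityException(WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[] {uri})` would keep the two parsers consistent, unless code after the hunk already rejects the null key. The removed final `else` asked the handler with a null ValueType (`getSecretKeyFromToken(id, null, data)`), while the single new call passes `reference.getValueType()`, so a handler that only matched on a null type would no longer be asked — if intentional, a comment on the new call should say so. As in SecurityTokenRefSTRParser, a non-null key from the handler now bypasses Processor handling and the BSPEnforcer checks for the referenced token, which the `// Try asking the CallbackHandler for the secret key` comment should state. The enclosing method starts and ends outside the hunk.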
@@ -315,7 +319,10 @@ public class SignatureSTRParser implemen
new WSPasswordCallback(id, null, type, WSPasswordCallback.SECRET_KEY, data);
try {
Callback[] callbacks = new Callback[]{pwcb};
- data.getCallbackHandler().handle(callbacks);
+ if (data.getCallbackHandler() != null) {
+ data.getCallbackHandler().handle(callbacks);
+ return pwcb.getKey();
+ }
} catch (Exception e) {
throw new WSSecurityException(
WSSecurityException.FAILURE,
@@ -325,7 +332,7 @@ public class SignatureSTRParser implemen
);
}
- return pwcb.getKey();
+ return null;
}
/**