Posted to commits@cxf.apache.org by co...@apache.org on 2019/07/19 12:42:58 UTC

[cxf] branch 3.2.x-fixes updated (f6c2acc -> 4576142)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git.


    from f6c2acc  Recording .gitmergeinfo Changes
     new 6207b11  Adding a new configuration tag to control XOP Include for WS-SecurityPolicy
     new b0b946e  CXF-8077 - WSS4JInInterceptor is not thread safe
     new 4576142  Recording .gitmergeinfo Changes

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .gitmergeinfo                                      |  2 +
 .../apache/cxf/ws/security/SecurityConstants.java  | 17 +++++--
 .../cxf/ws/security/wss4j/WSS4JInInterceptor.java  | 53 +++++++++++++++-------
 .../policyhandlers/AbstractBindingBuilder.java     |  3 +-
 4 files changed, 53 insertions(+), 22 deletions(-)


[cxf] 01/03: Adding a new configuration tag to control XOP Include for WS-SecurityPolicy

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 6207b11203790fbe5ac4404b13d2292e30c81462
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Jul 18 16:21:29 2019 +0100

    Adding a new configuration tag to control XOP Include for WS-SecurityPolicy
---
 .../org/apache/cxf/ws/security/SecurityConstants.java   | 17 ++++++++++++-----
 .../wss4j/policyhandlers/AbstractBindingBuilder.java    |  3 ++-
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 1784e6e..b9146fc 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -145,15 +145,22 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
      * Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS. Default is "true".
      */
     public static final String ADD_INCLUSIVE_PREFIXES = "ws-security.add.inclusive.prefixes";
-    
+
     /**
-     * Whether to disable the enforcement of the WS-SecurityPolicy 'RequireClientCertificate' policy. 
-     * Default is "false". Some servers may not do client certificate verification at the start of the SSL 
-     * handshake, and therefore the client certs may not be available to the WS-Security layer for policy 
+     * Whether to disable the enforcement of the WS-SecurityPolicy 'RequireClientCertificate' policy.
+     * Default is "false". Some servers may not do client certificate verification at the start of the SSL
+     * handshake, and therefore the client certs may not be available to the WS-Security layer for policy
      * verification at that time.
      */
     public static final String DISABLE_REQ_CLIENT_CERT_CHECK = "ws-security.disable.require.client.cert.check";
 
+    /**
+     * Whether to search for and expand xop:Include Elements for encryption and signature (on the outbound
+     * side) or for signature verification (on the inbound side). This ensures that the actual bytes are signed,
+     * and not just the reference. The default is "true" if MTOM is enabled, false otherwise.
+     */
+    public static final String EXPAND_XOP_INCLUDE = "ws-security.expand.xop.include";
+
     //
     // Non-boolean WS-Security Configuration parameters
     //
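Review bot: The Javadoc on EXPAND_XOP_INCLUDE says the flag also governs signature verification on the inbound side, but this commit wires it only into the outbound AbstractBindingBuilder (the other hunk in this diff), so either the inbound path honours it elsewhere or the doc promises more than is delivered; worth confirming and trimming the sentence if not. It would also help to spell out the consequence of turning it off, since the text already explains why expansion matters: `* Setting this to "false" while MTOM is in use means a signature covers only the xop:Include reference, not the attachment bytes it points to.` The property is read through MessageUtils.getContextualBoolean, so it can be set per message or per endpoint; noting that on the constant would match its siblings.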
@@ -425,7 +432,7 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
             KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, KERBEROS_REQUEST_CREDENTIAL_DELEGATION,
             POLICY_VALIDATOR_MAP, STORE_BYTES_IN_ATTACHMENT, USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM,
             SYMMETRIC_SIGNATURE_ALGORITHM, SECURITY_CONTEXT_CREATOR, SECURITY_TOKEN_LIFETIME,
-            DISABLE_REQ_CLIENT_CERT_CHECK
+            DISABLE_REQ_CLIENT_CERT_CHECK, EXPAND_XOP_INCLUDE
         }));
         for (String commonProperty : COMMON_PROPERTIES) {
             s.add(commonProperty);
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 8d93ddd..d633f10 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -223,7 +223,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                 storeBytesInAttachment = false;
             }
         }
-        expandXopInclude = mtomEnabled;
+        expandXopInclude = MessageUtils.getContextualBoolean(
+            message, SecurityConstants.EXPAND_XOP_INCLUDE, mtomEnabled);
 
         wsDocInfo = new WSDocInfo(secHeader.getSecurityHeaderElement().getOwnerDocument());
 


[cxf] 03/03: Recording .gitmergeinfo Changes

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 4576142f3867ed7c64305dcab2d3188aec2580e1
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Jul 19 11:28:28 2019 +0100

    Recording .gitmergeinfo Changes
---
 .gitmergeinfo | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitmergeinfo b/.gitmergeinfo
index 5cdc2f4..9acd5f6 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -161,6 +161,7 @@ B 4206b97eed0cf8e2593336053d9f2d08d8a04367
 B 42338421b7495b9497caee8322f98f6c523b59a5
 B 424591420b052a2b557d3f1dd48609c9858d9809
 B 4324a1ff40f23ff602be25229fe13292b942124e
+B 4391fe49021f18af6d29da79865b0066f1f45ba8
 B 43ba2193fb416100a7e235cc2e622f659684f411
 B 4439ff4a9328e3933d809abe9185e45de0cf1b92
 B 4446d78a3977210305cf98d90d72b92b636abf90
@@ -667,6 +668,7 @@ M 907bfebcffb0d62304bb23a63a4e34540a7981de
 M 91260c6d9b1404452e8e91ac87e42d2f771d997e
 M 91f78e0d11ac47b7708c0bf9689d48b83a3da58a
 M 9a2f1212cd7031c8447ae4294c4c4ccc7322d9e5
+M 9ab0d2766695a2ba9f1ed1ca042b5d2a42eb4fd9
 M 9bca6952c145b6ec6d2fb5726676ad7c3d67b7f7
 M 9c02f616f6aec1cf43f1d6bac810d606dab98a72
 M 9e1788a8e08264a2735ba5373a96f09215d60769


[cxf] 02/03: CXF-8077 - WSS4JInInterceptor is not thread safe

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit b0b946e3271fd581eb0c1738ab6866366c858b60
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Jul 19 11:08:02 2019 +0100

    CXF-8077 - WSS4JInInterceptor is not thread safe
    
    (cherry picked from commit 9ab0d2766695a2ba9f1ed1ca042b5d2a42eb4fd9)
    
    # Conflicts:
    #	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
---
 .../cxf/ws/security/wss4j/WSS4JInInterceptor.java  | 53 +++++++++++++++-------
 1 file changed, 37 insertions(+), 16 deletions(-)

diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index 9b47702..f40ddd1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -104,7 +104,8 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
     /**
      *
      */
-    private WSSecurityEngine secEngineOverride;
+    private WSSConfig defaultConfig;
+
 
     public WSS4JInInterceptor() {
         super();
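Review bot: The Javadoc block directly above the new `defaultConfig` field is empty, and the field replaces the `secEngineOverride` whose role the old getSecurityEngine Javadoc used to explain, so the field now has no description at all. Suggest `/** WSSConfig assembled by the Map constructor from any PROCESSOR_MAP/VALIDATOR_MAP entries; getSecurityEngine wraps it in a fresh WSSecurityEngine on each call. Shared by every engine created from it, so it must not be mutated after construction. */`. The extra blank line left after the field can go as well. The no-arg constructor body runs past the end of the hunk, so adjust the comment if it also assigns the field.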
@@ -121,19 +122,42 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
     public WSS4JInInterceptor(Map<String, Object> properties) {
         this();
         setProperties(properties);
+        WSSConfig config = WSSConfig.getNewInstance();
+
+        // Set any custom WSS4J Processor instances that are configured
         final Map<QName, Object> processorMap = CastUtils.cast(
             (Map<?, ?>)properties.get(PROCESSOR_MAP));
-        final Map<QName, Object> validatorMap = CastUtils.cast(
-            (Map<?, ?>)properties.get(VALIDATOR_MAP));
-
         if (processorMap != null) {
-            if (validatorMap != null) {
-                processorMap.putAll(validatorMap);
+            for (Map.Entry<QName, Object> entry : processorMap.entrySet()) {
+                Object val = entry.getValue();
+                if (val instanceof Class<?>) {
+                    config.setProcessor(entry.getKey(), (Class<?>)val);
+                } else if (val instanceof Processor) {
+                    config.setProcessor(entry.getKey(), (Processor)val);
+                } else if (val == null) {
+                    config.setProcessor(entry.getKey(), (Class<?>)null);
+                }
+            }
+        }
+
+        // Set any custom WSS4J Validator instances that are configured
+        Map<QName, Object> validatorMap = CastUtils.cast(
+            (Map<?, ?>)properties.get(VALIDATOR_MAP));
+        if (validatorMap == null) {
+            validatorMap = CastUtils.cast((Map<?, ?>)properties.get(ConfigurationConstants.VALIDATOR_MAP));
+        }
+        if (validatorMap != null) {
+            for (Map.Entry<QName, Object> entry : validatorMap.entrySet()) {
+                Object val = entry.getValue();
+                if (val instanceof Class<?>) {
+                    config.setValidator(entry.getKey(), (Class<?>)val);
+                } else if (val instanceof Validator) {
+                    config.setValidator(entry.getKey(), (Validator)val);
+                }
             }
-            secEngineOverride = createSecurityEngine(processorMap);
-        } else if (validatorMap != null) {
-            secEngineOverride = createSecurityEngine(validatorMap);
         }
+
+        defaultConfig = config;
     }
 
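Review bot: `defaultConfig = config` at the end of the constructor runs unconditionally, whereas the old `secEngineOverride` was set only when a processor or validator map was supplied; together with the `if (defaultConfig != null)` test in the getSecurityEngine hunk below, an interceptor built through this constructor with neither map now always gets a fresh engine and never reaches the `!utWithCallbacks` branch it reached before. Unless that is intended, guard the assignment: `if (processorMap != null || validatorMap != null) { defaultConfig = config; }`. Separately, both loops silently skip a map value that is neither a Class nor a Processor/Validator, so a misconfigured entry leaves the stock WSS4J processor or validator in place with no signal; throwing `IllegalArgumentException` (or at least logging the key and type) on the unexpected value would surface that at startup. The validator loop also lacks the `val == null` branch the processor loop has, so a null entry cannot clear a validator the way it clears a processor; if that asymmetry is deliberate it deserves a comment.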
     public void setIgnoreActions(boolean i) {
@@ -636,15 +660,12 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
 
     /**
      * @return      the WSSecurityEngine in use by this interceptor.
-     *              This engine is defined to be the secEngineOverride
-     *              instance, if defined in this class (and supplied through
-     *              construction); otherwise, it is taken to be the default
-     *              WSSecEngine instance (currently defined in the WSHandler
-     *              base class).
      */
     protected WSSecurityEngine getSecurityEngine(boolean utWithCallbacks) {
-        if (secEngineOverride != null) {
-            return secEngineOverride;
+        if (defaultConfig != null) {
+            WSSecurityEngine engine = new WSSecurityEngine();
+            engine.setWssConfig(defaultConfig);
+            return engine;
         }
 
         if (!utWithCallbacks) {
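Review bot: The trimmed Javadoc now says only "the WSSecurityEngine in use by this interceptor", but the new branch builds a fresh WSSecurityEngine on every call and shares only `defaultConfig` between them; that per-call engine is the thread-safety fix itself and should be stated, e.g. `@return a new WSSecurityEngine wrapping the WSSConfig built at construction time, when one exists; otherwise the engine selected below.` Because every engine created here points at the same WSSConfig instance, a sentence that `defaultConfig` is treated as immutable after construction would make the thread-safety argument explicit. The method continues past the end of the hunk.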