Posted to commits@ws.apache.org by co...@apache.org on 2015/07/08 17:58:28 UTC
svn commit: r1689909 - in /webservices/wss4j/trunk:
ws-security-common/src/main/java/org/apache/wss4j/common/
ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/
ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/
Author: coheigea
Date: Wed Jul 8 15:58:27 2015
New Revision: 1689909
URL: http://svn.apache.org/r1689909
Log:
[WSS-544] - Adding a new configuration switch to disable expanding xop:Includes when verifying signatures
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java?rev=1689909&r1=1689908&r2=1689909&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ConfigurationConstants.java Wed Jul 8 15:58:27 2015
@@ -548,6 +548,13 @@ public class ConfigurationConstants {
*/
public static final String STORE_BYTES_IN_ATTACHMENT = "storeBytesInAttachment";
+ /**
+ * Whether to expand xop:Include Elements encountered when verifying a Signature. The default is true,
+ * meaning that the relevant attachment bytes are BASE-64 encoded and inserted into the Element. This
+ * ensures that the actual bytes are signed, and not just the reference.
+ */
+ public static final String EXPAND_XOP_INCLUDE_FOR_SIGNATURE = "expandXOPIncludeForSignature";
+
//
// (Non-boolean) Configuration parameters for the actions/processors
//
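Review bot: The Javadoc on `EXPAND_XOP_INCLUDE_FOR_SIGNATURE` explains why the default is true but never says what a deployment gives up by setting it to false. It should state that directly, for example by adding `If set to false, only the xop:Include reference is covered by the signature, so the attachment content must be protected by other means.` The matching field `expandXopIncludeForSignature` added to RequestData in the next file has no Javadoc at all, although the neighbouring `validateSamlSubjectConfirmation` documents its default; the same sentence would fit there. The class body continues outside this hunk.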
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java?rev=1689909&r1=1689908&r2=1689909&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java Wed Jul 8 15:58:27 2015
@@ -193,6 +193,8 @@ public class RequestData {
* (sender-vouches or holder-of-key). The default is true.
*/
private boolean validateSamlSubjectConfirmation = true;
+
+ private boolean expandXopIncludeForSignature = true;
public boolean isEnableTimestampReplayCache() {
return enableTimestampReplayCache;
@@ -763,4 +765,12 @@ public class RequestData {
public void setStoreBytesInAttachment(boolean storeBytesInAttachment) {
this.storeBytesInAttachment = storeBytesInAttachment;
}
+
+ public boolean isExpandXopIncludeForSignature() {
+ return expandXopIncludeForSignature;
+ }
+
+ public void setExpandXopIncludeForSignature(boolean expandXopIncludeForSignature) {
+ this.expandXopIncludeForSignature = expandXopIncludeForSignature;
+ }
}
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java?rev=1689909&r1=1689908&r2=1689909&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java Wed Jul 8 15:58:27 2015
@@ -1321,6 +1321,12 @@ public abstract class WSHandler {
reqData.setSubjectCertConstraints(subjectCertConstraints);
}
}
+
+ boolean expandXOP =
+ decodeBooleanConfigValue(
+ reqData.getMsgContext(), WSHandlerConstants.EXPAND_XOP_INCLUDE_FOR_SIGNATURE, true
+ );
+ reqData.setExpandXopIncludeForSignature(expandXOP);
}
/*
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java?rev=1689909&r1=1689908&r2=1689909&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java Wed Jul 8 15:58:27 2015
@@ -475,7 +475,7 @@ public class SignatureProcessor implemen
Element element = callbackLookup.getAndRegisterElement(uri, null, true, context);
if (element == null) {
wsDocInfo.setTokenOnContext(uri, context);
- } else {
+ } else if (data.isExpandXopIncludeForSignature()) {
// Look for xop:Include Nodes
List<Element> includeElements =
XMLUtils.findElements(element, "Include", WSConstants.XOP_NS);
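Review bot: The new `else if (data.isExpandXopIncludeForSignature())` gates the entire branch, and with the switch off, verification continues over the unexpanded element without leaving any trace. The branch body runs past the end of this hunk, so it is not visible here whether it does anything besides xop:Include expansion; if it does, that work is now skipped too and the condition would belong on the inner expansion step. A short comment above the condition would make the trade-off explicit to the next reader, e.g. `// Expansion disabled: the digest covers the xop:Include reference only, not the attachment bytes`. A debug-level log entry when expansion is skipped would also help operators notice a weakened configuration. The list of modified files contains no test, so the false path appears to be unexercised by this commit.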