Posted to commits@cxf.apache.org by co...@apache.org on 2013/09/19 12:31:32 UTC
svn commit: r1524681 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/
systests/ws-security/src/...
Author: coheigea
Date: Thu Sep 19 10:31:32 2013
New Revision: 1524681
URL: http://svn.apache.org/r1524681
Log:
[CXF-5291] - Only activate ws-security caching if it is required
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java Thu Sep 19 10:31:32 2013
@@ -170,7 +170,9 @@ public final class SecurityConstants {
/**
* Whether to cache UsernameToken nonces. The default value is "true" for message recipients, and
* "false" for message initiators. Set it to true to cache for both cases. Set this to "false" to
- * not cache UsernameToken nonces.
+ * not cache UsernameToken nonces. Note that caching only applies when either a UsernameToken
+ * WS-SecurityPolicy is in effect, or else that a UsernameToken action has been configured
+ * for the non-security-policy case.
*/
public static final String ENABLE_NONCE_CACHE = "ws-security.enable.nonce.cache";
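Review bot: The added Javadoc sentence reads awkwardly ("or else that a UsernameToken action has been configured"), and the same construction appears in the ENABLE_TIMESTAMP_CACHE hunk below, which also has "a IncludeTimestamp". Suggested wording for the first: `Note that caching only applies when a UsernameToken WS-SecurityPolicy assertion is in effect, or, in the non-policy case, when a UsernameToken action has been configured.` and correspondingly `when an "IncludeTimestamp" policy is in effect, or, in the non-policy case, when a Timestamp action has been configured.` for the second. Since this is the user-facing description of when replay protection is active, it is worth stating plainly that outside those two configurations no nonce or timestamp cache is consulted at all.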
@@ -178,6 +180,8 @@ public final class SecurityConstants {
* Whether to cache Timestamp Created Strings (these are only cached in conjunction with a message
* Signature).The default value is "true" for message recipients, and "false" for message initiators.
* Set it to true to cache for both cases. Set this to "false" to not cache Timestamp Created Strings.
+ * Note that caching only applies when either a "IncludeTimestamp" policy is in effect, or
+ * else that a Timestamp action has been configured for the non-security-policy case.
*/
public static final String ENABLE_TIMESTAMP_CACHE = "ws-security.enable.timestamp.cache";
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Thu Sep 19 10:31:32 2013
@@ -322,6 +322,42 @@ public class PolicyBasedWSS4JInIntercept
return action;
}
+ /**
+ * Is a Nonce Cache required, i.e. are we expecting a UsernameToken
+ */
+ @Override
+ protected boolean isNonceCacheRequired(int doAction, SoapMessage msg) {
+ AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
+ if (aim != null) {
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+
+ if (!ais.isEmpty()) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ /**
+ * Is a Timestamp cache required, i.e. are we expecting a Timestamp
+ */
+ @Override
+ protected boolean isTimestampCacheRequired(int doAction, SoapMessage msg) {
+ AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
+ if (aim != null) {
+ Collection<AssertionInfo> ais =
+ getAllAssertionsByLocalname(aim, SPConstants.INCLUDE_TIMESTAMP);
+
+ if (!ais.isEmpty()) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
private void checkUsernameToken(
AssertionInfoMap aim, SoapMessage message
) throws WSSecurityException {
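Review bot: Both new overrides return false when the message has no AssertionInfoMap instead of deferring to the action-based check in the superclass, so `doAction` is effectively ignored here; if a PolicyBasedWSS4JInInterceptor can ever process a message with configured actions but no policy (I cannot tell from this hunk), `return super.isNonceCacheRequired(doAction, msg);` in the null branch would keep the base behaviour, otherwise a comment saying the policy is authoritative would make the choice explicit. Each body also collapses to a single expression, e.g. `return aim != null && !getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN).isEmpty();` and the equivalent with `SPConstants.INCLUDE_TIMESTAMP`. The Javadoc on both would benefit from `@param doAction`/`@param msg` and a `@return` stating that true means the corresponding replay cache will be consulted for this message. checkUsernameToken begins at the end of the hunk and continues outside it.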
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Thu Sep 19 10:31:32 2013
@@ -234,21 +234,28 @@ public class WSS4JInInterceptor extends
}
// Configure replay caching
- ReplayCache nonceCache =
- getReplayCache(
- msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
- );
- reqData.setNonceReplayCache(nonceCache);
- if (nonceCache == null) {
- reqData.setEnableNonceReplayCache(false);
- }
- ReplayCache timestampCache =
- getReplayCache(
- msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
- );
- reqData.setTimestampReplayCache(timestampCache);
- if (timestampCache == null) {
- reqData.setEnableTimestampReplayCache(false);
+ reqData.setEnableNonceReplayCache(false);
+ if (isNonceCacheRequired(doAction, msg)) {
+ ReplayCache nonceCache =
+ getReplayCache(
+ msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
+ );
+ reqData.setNonceReplayCache(nonceCache);
+ if (nonceCache != null) {
+ reqData.setEnableNonceReplayCache(true);
+ }
+ }
+
+ reqData.setEnableTimestampReplayCache(false);
+ if (isTimestampCacheRequired(doAction, msg)) {
+ ReplayCache timestampCache =
+ getReplayCache(
+ msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
+ );
+ reqData.setTimestampReplayCache(timestampCache);
+ if (timestampCache != null) {
+ reqData.setEnableTimestampReplayCache(true);
+ }
}
TLSSessionInfo tlsInfo = msg.get(TLSSessionInfo.class);
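Review bot: The new code disables each replay cache up front and re-enables it only after a non-null cache instance was obtained, which is the safer ordering, but nothing in the hunk explains why disabling is now the default; a comment such as `// Replay caches are only enabled when the configured actions (or policy, in the subclass) make a UsernameToken/Timestamp expected; see isNonceCacheRequired/isTimestampCacheRequired` above the first `setEnableNonceReplayCache(false)` would save the next reader from reading the whole method. Note also that when a cache is not required `setNonceReplayCache`/`setTimestampReplayCache` are no longer called at all, so whatever cache reference RequestData carries by default is left in place; with the enable flag false that should be inert, but it is worth confirming against the WSS4J RequestData defaults. The enclosing method starts and ends outside this hunk.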
@@ -419,6 +426,27 @@ public class WSS4JInInterceptor extends
}
/**
+ * Is a Nonce Cache required, i.e. are we expecting a UsernameToken
+ */
+ protected boolean isNonceCacheRequired(int doAction, SoapMessage msg) {
+ if ((doAction & WSConstants.UT) == WSConstants.UT
+ || (doAction & WSConstants.UT_NOPASSWORD) == WSConstants.UT_NOPASSWORD) {
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Is a Timestamp cache required, i.e. are we expecting a Timestamp
+ */
+ protected boolean isTimestampCacheRequired(int doAction, SoapMessage msg) {
+ if ((doAction & WSConstants.TS) == WSConstants.TS) {
+ return true;
+ }
+ return false;
+ }
+
+ /**
* Set a WSS4J AlgorithmSuite object on the RequestData context, to restrict the
* algorithms that are allowed for encryption, signature, etc.
*/
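Review bot: Both new hook methods use the `if (cond) { return true; } return false;` shape, which collapses to `return (doAction & WSConstants.UT) == WSConstants.UT || (doAction & WSConstants.UT_NOPASSWORD) == WSConstants.UT_NOPASSWORD;` and `return (doAction & WSConstants.TS) == WSConstants.TS;`. The Javadoc should say that `msg` is unused in the base implementation and exists so subclasses can consult the message (the policy-based subclass does), and add a `@return`. Only the UT and UT_NOPASSWORD bits count towards nonce caching here; if the WSS4J version in use defines any other action that carries a UsernameToken, a request using it would get no nonce replay check, so a comment stating that this list is intentionally limited to those two actions would make the decision auditable.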
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java Thu Sep 19 10:31:32 2013
@@ -26,7 +26,10 @@ import javax.xml.ws.Service;
import org.apache.cxf.Bus;
import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.systest.ws.common.SecurityTestUtil;
+import org.apache.cxf.systest.ws.ut.SecurityHeaderCacheInterceptor;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.example.contract.doubleit.DoubleItPortType;
import org.junit.BeforeClass;
@@ -120,6 +123,42 @@ public class ActionTest extends Abstract
}
@org.junit.Test
+ public void testUsernameTokenReplay() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ActionTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItUsernameTokenPort");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+
+ Client cxfClient = ClientProxy.getClient(port);
+ SecurityHeaderCacheInterceptor cacheInterceptor =
+ new SecurityHeaderCacheInterceptor();
+ cxfClient.getOutInterceptors().add(cacheInterceptor);
+
+ // Make two invocations with the same UsernameToken
+ port.doubleIt(25);
+ try {
+ port.doubleIt(25);
+ fail("Failure expected on a replayed UsernameToken");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ String error = "A replay attack has been detected";
+ assertTrue(ex.getMessage().contains(error));
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
public void testEncryptedPassword() throws Exception {
if (!unrestrictedPoliciesInstalled) {
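Review bot: testUsernameTokenReplay and testSignedTimestampReplay (the next hunk) are identical apart from the port name and the `fail(...)` message, so extracting a private helper taking the port local name and the expected failure message would remove the duplication and keep future replay tests in one place. The port close and `bus.shutdown(true)` are skipped whenever an assertion fails, so a failing run leaves the bus open; a `try { ... } finally { ((java.io.Closeable)port).close(); bus.shutdown(true); }` would fix that, although the existing tests in this class follow the same pattern so it may be a separate cleanup. Matching the fault text `"A replay attack has been detected"` by substring ties the test to WSS4J's message wording; a comment noting where that text comes from would help when it changes. testEncryptedPassword starts at the end of this hunk and continues outside it.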
@@ -144,4 +183,40 @@ public class ActionTest extends Abstract
((java.io.Closeable)port).close();
bus.shutdown(true);
}
+
+ @org.junit.Test
+ public void testSignedTimestampReplay() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ActionTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSignedTimestampPort");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+
+ Client cxfClient = ClientProxy.getClient(port);
+ SecurityHeaderCacheInterceptor cacheInterceptor =
+ new SecurityHeaderCacheInterceptor();
+ cxfClient.getOutInterceptors().add(cacheInterceptor);
+
+ // Make two invocations with the same SecurityHeader
+ port.doubleIt(25);
+ try {
+ port.doubleIt(25);
+ fail("Failure expected on a replayed Timestamp");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ String error = "A replay attack has been detected";
+ assertTrue(ex.getMessage().contains(error));
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
}
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl Thu Sep 19 10:31:32 2013
@@ -60,6 +60,9 @@
<wsdl:port name="DoubleItEncryptedPasswordPort" binding="tns:DoubleItNoSecurityBinding">
<soap:address location="http://localhost:9001/DoubleItEncryptedPassword" />
</wsdl:port>
+ <wsdl:port name="DoubleItSignedTimestampPort" binding="tns:DoubleItNoSecurityBinding">
+ <soap:address location="http://localhost:9001/DoubleItSignedTimestamp" />
+ </wsdl:port>
</wsdl:service>
</wsdl:definitions>
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml Thu Sep 19 10:31:32 2013
@@ -110,4 +110,33 @@
</jaxws:inInterceptors>
</jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignedTimestampPort"
+ createdFromAPI="true">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature Timestamp"/>
+ <entry key="user" value="alice"/>
+ <entry key="signaturePropFile" value="alice.properties"/>
+ <entry key="signatureKeyIdentifier" value="DirectReference"/>
+ <entry key="signatureParts"
+ value="{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureVerificationPropFile" value="alice.properties"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:client>
+
</beans>
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml Thu Sep 19 10:31:32 2013
@@ -157,4 +157,38 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="SignedTimestamp"
+ address="http://localhost:${testutil.ports.Server}/DoubleItSignedTimestamp"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItSignedTimestampPort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/action/DoubleItAction.wsdl">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="user" value="bob"/>
+ <entry key="signaturePropFile" value="bob.properties"/>
+ <entry key="signatureKeyIdentifier" value="DirectReference"/>
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature Timestamp"/>
+ <entry key="signatureVerificationPropFile" value="bob.properties"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+
+ </jaxws:endpoint>
+
</beans>
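Review bot: The SignedTimestamp endpoint's in-interceptor lists `Signature Timestamp` as actions but nothing in this file expresses that the Timestamp must be covered by the Signature; the test only works because client.xml signs the Timestamp via `signatureParts`, and per the SecurityConstants Javadoc in this commit Timestamp Created values are cached only in conjunction with a Signature. A comment on the in-interceptor bean, e.g. `<!-- The client signs the Timestamp (see client.xml signatureParts); the timestamp replay cache only applies to signed Timestamps -->`, would record that dependency for anyone reusing this configuration. Whether the action-based interceptor can enforce signed parts server-side I cannot tell from this hunk.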