You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by gi...@apache.org on 2013/07/09 12:19:06 UTC
svn commit: r1501184 - in /webservices/wss4j/trunk/ws-security-stax/src:
main/java/org/apache/wss4j/stax/impl/processor/input/
main/java/org/apache/wss4j/stax/securityEvent/
test/java/org/apache/wss4j/stax/test/
Author: giger
Date: Tue Jul 9 10:19:06 2013
New Revision: 1501184
URL: http://svn.apache.org/r1501184
Log:
WSS-458 - Allow no security header in certain use-cases
Added:
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/securityEvent/NoSecuritySecurityEvent.java (with props)
Modified:
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SecurityHeaderInputProcessor.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/securityEvent/WSSecurityEventConstants.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/InteroperabilityTest.java
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SecurityHeaderInputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SecurityHeaderInputProcessor.java?rev=1501184&r1=1501183&r2=1501184&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SecurityHeaderInputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SecurityHeaderInputProcessor.java Tue Jul 9 10:19:06 2013
@@ -31,6 +31,7 @@ import org.apache.wss4j.stax.ext.WSInbou
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.ext.WSSUtils;
+import org.apache.wss4j.stax.securityEvent.NoSecuritySecurityEvent;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.config.SecurityHeaderHandlerMapper;
import org.apache.xml.security.stax.ext.AbstractInputProcessor;
@@ -41,6 +42,7 @@ import org.apache.xml.security.stax.ext.
import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
import org.apache.xml.security.stax.impl.processor.input.XMLEventReaderInputProcessor;
+import org.apache.xml.security.stax.impl.util.IDGenerator;
/**
* Processor for the Security-Header XML Structure.
@@ -116,20 +118,10 @@ public class SecurityHeaderInputProcesso
if (documentLevel == 3 && responsibleSecurityHeaderFound
&& xmlSecEndElement.getName().equals(WSSConstants.TAG_wsse_Security)) {
- //subInputProcessorChain.getDocumentContext().setInSecurityHeader(false);
- subInputProcessorChain.removeProcessor(internalSecurityHeaderBufferProcessor);
- subInputProcessorChain.addProcessor(
- new InternalSecurityHeaderReplayProcessor(getSecurityProperties()));
-
- //remove this processor from chain now. the next events will go directly to the other processors
- subInputProcessorChain.removeProcessor(this);
- //since we cloned the inputProcessor list we have to add the processors from
- //the subChain to the main chain.
- inputProcessorChain.getProcessors().clear();
- inputProcessorChain.getProcessors().addAll(subInputProcessorChain.getProcessors());
+ return finalizeHeaderProcessing(
+ inputProcessorChain, subInputProcessorChain,
+ internalSecurityHeaderBufferProcessor, xmlSecEventList);
- //return first event now;
- return xmlSecEventList.pollLast();
} else if (documentLevel == 4 && responsibleSecurityHeaderFound
&& WSSUtils.isInSecurityHeader(xmlSecEndElement,
((WSSSecurityProperties) getSecurityProperties()).getActor())) {
@@ -157,7 +149,35 @@ public class SecurityHeaderInputProcesso
WSSUtils.getSOAPMessageVersionNamespace(xmlSecEvent.asStartElement()))
));
//if we reach this state we didn't find a security header
- throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "missingSecurityHeader");
+ //issue a security event to notify about this fact:
+ NoSecuritySecurityEvent noSecuritySecurityEvent = new NoSecuritySecurityEvent();
+ noSecuritySecurityEvent.setCorrelationID(IDGenerator.generateID(null));
+ inputProcessorChain.getSecurityContext().registerSecurityEvent(noSecuritySecurityEvent);
+
+ return finalizeHeaderProcessing(
+ inputProcessorChain, subInputProcessorChain,
+ internalSecurityHeaderBufferProcessor, xmlSecEventList);
+ }
+
+ private XMLSecEvent finalizeHeaderProcessing(
+ InputProcessorChain originalInputProcessorChain,
+ InputProcessorChain subInputProcessorChain,
+ InternalSecurityHeaderBufferProcessor internalSecurityHeaderBufferProcessor,
+ Deque<XMLSecEvent> xmlSecEventList) {
+
+ subInputProcessorChain.removeProcessor(internalSecurityHeaderBufferProcessor);
+ subInputProcessorChain.addProcessor(
+ new InternalSecurityHeaderReplayProcessor(getSecurityProperties()));
+
+ //remove this processor from chain now. the next events will go directly to the other processors
+ subInputProcessorChain.removeProcessor(this);
+ //since we cloned the inputProcessor list we have to add the processors from
+ //the subChain to the main chain.
+ originalInputProcessorChain.getProcessors().clear();
+ originalInputProcessorChain.getProcessors().addAll(subInputProcessorChain.getProcessors());
+
+ //return first event now;
+ return xmlSecEventList.pollLast();
}
@SuppressWarnings("unchecked")
Added: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/securityEvent/NoSecuritySecurityEvent.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/securityEvent/NoSecuritySecurityEvent.java?rev=1501184&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/securityEvent/NoSecuritySecurityEvent.java (added)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/securityEvent/NoSecuritySecurityEvent.java Tue Jul 9 10:19:06 2013
@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.wss4j.stax.securityEvent;
+
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
+
+public class NoSecuritySecurityEvent extends SecurityEvent {
+
+ public NoSecuritySecurityEvent() {
+ super(WSSecurityEventConstants.NoSecurity);
+ }
+}
Propchange: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/securityEvent/NoSecuritySecurityEvent.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/securityEvent/WSSecurityEventConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/securityEvent/WSSecurityEventConstants.java?rev=1501184&r1=1501183&r2=1501184&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/securityEvent/WSSecurityEventConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/securityEvent/WSSecurityEventConstants.java Tue Jul 9 10:19:06 2013
@@ -21,7 +21,8 @@ package org.apache.wss4j.stax.securityEv
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
public abstract class WSSecurityEventConstants extends SecurityEventConstants {
-
+
+ public static final Event NoSecurity = new Event("NoSecurity");
public static final Event Operation = new Event("Operation");
public static final Event Timestamp = new Event("Timestamp");
public static final Event SignedPart = new Event("SignedPart");
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/InteroperabilityTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/InteroperabilityTest.java?rev=1501184&r1=1501183&r2=1501184&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/InteroperabilityTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/InteroperabilityTest.java Tue Jul 9 10:19:06 2013
@@ -973,24 +973,25 @@ public class InteroperabilityTest extend
securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
- try {
- Document document = doInboundSecurity(securityProperties, xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+ WSSecurityEventConstants.Event[] expectedSecurityEvents = new WSSecurityEventConstants.Event[]{
+ WSSecurityEventConstants.NoSecurity,
+ WSSecurityEventConstants.Operation
+ };
+ final TestSecurityEventListener securityEventListener = new TestSecurityEventListener(expectedSecurityEvents);
+ Document document = doInboundSecurity(
+ securityProperties, xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), securityEventListener);
- //read the whole stream:
- transformer = TRANSFORMER_FACTORY.newTransformer();
- transformer.transform(new DOMSource(document), new StreamResult(
- new OutputStream() {
- @Override
- public void write(int b) throws IOException {
- // > /dev/null
- }
+ //read the whole stream:
+ transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(document), new StreamResult(
+ new OutputStream() {
+ @Override
+ public void write(int b) throws IOException {
+ // > /dev/null
}
- ));
- Assert.fail("XMLStreamException expected");
- } catch (XMLStreamException e) {
- Assert.assertEquals(e.getMessage(), "org.apache.wss4j.common.ext.WSSecurityException: Security header is missing");
- Assert.assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.INVALID_SECURITY);
- }
+ }
+ ));
+ securityEventListener.compare();
}
@Test(invocationCount = 1)