Posted to commits@cxf.apache.org by bu...@apache.org on 2021/02/19 10:55:28 UTC
[cxf-fediz] 01/01: initial upgrade to CXF 3.4.2 & WSS4J 2.3.1
This is an automated email from the ASF dual-hosted git repository.
buhhunyx pushed a commit to branch cxf340
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
commit f249a5fde9452e609299dbe54152dd55e0fcb009
Author: Alexey Markevich <bu...@gmail.com>
AuthorDate: Wed Aug 26 09:55:50 2020 +0300
initial upgrade to CXF 3.4.2 & WSS4J 2.3.1
---
plugins/core/pom.xml | 31 ++++++++----------
.../apache/cxf/fediz/core/config/FedizContext.java | 37 ++++++++++++----------
.../core/processor/AbstractFedizProcessor.java | 4 +--
.../core/samlsso/SAMLSSOResponseValidator.java | 7 ++--
.../fediz/core/AbstractSAMLCallbackHandler.java | 11 +++++--
.../fediz/core/config/FedizConfigurationTest.java | 7 ++--
.../core/federation/FederationResponseTest.java | 11 +++++--
plugins/cxf/pom.xml | 6 ++++
pom.xml | 6 ++--
.../protocols/TrustedIdpSAMLProtocolHandler.java | 4 +--
.../oidc/PrivateKeyPasswordProviderImpl.java | 2 +-
services/sts/src/main/resources/log4j.properties | 4 +--
12 files changed, 72 insertions(+), 58 deletions(-)
diff --git a/plugins/core/pom.xml b/plugins/core/pom.xml
index ad04a6d..8e0d119 100644
--- a/plugins/core/pom.xml
+++ b/plugins/core/pom.xml
@@ -33,12 +33,6 @@
</properties>
<dependencies>
<dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>${junit.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
<groupId>org.apache.wss4j</groupId>
<artifactId>wss4j-ws-security-dom</artifactId>
<version>${wss4j.version}</version>
@@ -51,18 +45,6 @@
</exclusions>
</dependency>
<dependency>
- <groupId>net.sf.ehcache</groupId>
- <artifactId>ehcache</artifactId>
- <version>${ehcache.version}</version>
- <scope>compile</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-jdk14</artifactId>
- <version>${slf4j.version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${slf4j.version}</version>
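Review bot: Removing `net.sf.ehcache` from this module's compile scope while FedizContext now instantiates WSS4J's `EHCacheReplayCache` directly means the cache runtime must arrive transitively through wss4j (WSS4J 2.3 moved that class to Ehcache 3, `org.ehcache`), and the `<exclusions>` on `wss4j-ws-security-dom` whose tail is visible at the top of this hunk is not fully shown. Confirm those exclusions do not strip `org.ehcache` or its dependencies, otherwise `getTokenReplayCache()` fails at runtime with a NoClassDefFoundError rather than at build time. If the module is meant to depend on the cache explicitly, add `org.ehcache:ehcache` here instead of relying on the transitive path.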
@@ -73,12 +55,25 @@
<version>${servlet.version}</version>
<scope>provided</scope>
</dependency>
+
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>${junit.version}</version>
+ <scope>test</scope>
+ </dependency>
<dependency>
<groupId>org.easymock</groupId>
<artifactId>easymock</artifactId>
<version>${easymock.version}</version>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-jdk14</artifactId>
+ <version>${slf4j.version}</version>
+ <scope>test</scope>
+ </dependency>
</dependencies>
<build>
<plugins>
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
index d23165a..131f331 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/config/FedizContext.java
@@ -24,6 +24,8 @@ import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URL;
+import java.nio.file.Files;
+import java.nio.file.Path;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
@@ -44,10 +46,11 @@ import org.apache.cxf.fediz.core.config.jaxb.TrustManagersType;
import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuerType;
import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuers;
import org.apache.cxf.fediz.core.exception.IllegalConfigurationException;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.processor.ClaimsProcessor;
import org.apache.cxf.fediz.core.util.CertsUtils;
+import org.apache.wss4j.common.cache.EHCacheReplayCache;
import org.apache.wss4j.common.cache.ReplayCache;
-import org.apache.wss4j.common.cache.ReplayCacheFactory;
import org.apache.wss4j.common.crypto.CertificateStore;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
@@ -239,26 +242,26 @@ public class FedizContext implements Closeable {
}
- public ReplayCache getTokenReplayCache() {
+ public ReplayCache getTokenReplayCache() throws ProcessingException {
if (replayCache != null) {
return replayCache;
}
- String replayCacheString = config.getTokenReplayCache();
- String cacheKey = CACHE_KEY_PREFIX + "-" + config.getName();
- ReplayCacheFactory replayCacheFactory = ReplayCacheFactory.newInstance();
- if (replayCacheString == null || "".equals(replayCacheString)) {
- replayCache = replayCacheFactory.newReplayCache(cacheKey, "/fediz-ehcache.xml");
- } else {
- try {
- Class<?> replayCacheClass = Loader.loadClass(replayCacheString);
- replayCache = (ReplayCache) replayCacheClass.newInstance();
- } catch (ClassNotFoundException e) {
- replayCache = replayCacheFactory.newReplayCache(cacheKey, "/fediz-ehcache.xml");
- } catch (InstantiationException e) {
- replayCache = replayCacheFactory.newReplayCache(cacheKey, "/fediz-ehcache.xml");
- } catch (IllegalAccessException e) {
- replayCache = replayCacheFactory.newReplayCache(cacheKey, "/fediz-ehcache.xml");
+ final String replayCacheString = config.getTokenReplayCache();
+ final String cacheKey = CACHE_KEY_PREFIX + '-' + config.getName();
+ try {
+ final Path diskstorePath = Files.createTempDirectory("fediz");
+ if (replayCacheString == null || "".equals(replayCacheString)) {
+ replayCache = new EHCacheReplayCache(cacheKey, diskstorePath);
+ } else {
+ try {
+ Class<?> replayCacheClass = Loader.loadClass(replayCacheString);
+ replayCache = (ReplayCache) replayCacheClass.newInstance();
+ } catch (ReflectiveOperationException e) {
+ replayCache = new EHCacheReplayCache(cacheKey, diskstorePath);
+ }
}
+ } catch (Exception e) {
+ throw new ProcessingException(e.getMessage(), e);
}
return replayCache;
}
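Review bot: `Files.createTempDirectory("fediz")` is executed before the branch, so a fresh on-disk directory is created even when a custom class from `tokenReplayCache` is loaded and never used, and nothing visible here ever deletes it although FedizContext implements Closeable (its `close()` is outside the hunk). Create the directory only in the EHCache path, keep the `Path` in a field so `close()` can remove it, and replace the deprecated `newInstance()` with `getDeclaredConstructor().newInstance()`. Note also that a new temp directory per context start means the replay store never survives a restart, so an assertion replayed across a restart inside its validity window is presumably not detected; if that matters operationally, a configurable, stable diskstore path would be the better default. The silent fallback to EHCache when the configured class cannot be loaded is pre-existing, but a warning log there would make a misconfigured cache visible.
```java
    public ReplayCache getTokenReplayCache() throws ProcessingException {
        // … unchanged: early return when replayCache is already initialised …
        final String replayCacheString = config.getTokenReplayCache();
        final String cacheKey = CACHE_KEY_PREFIX + '-' + config.getName();
        try {
            if (replayCacheString == null || replayCacheString.isEmpty()) {
                replayCache = newEhCacheReplayCache(cacheKey);
            } else {
                try {
                    Class<?> replayCacheClass = Loader.loadClass(replayCacheString);
                    replayCache = (ReplayCache) replayCacheClass.getDeclaredConstructor().newInstance();
                } catch (ReflectiveOperationException e) {
                    replayCache = newEhCacheReplayCache(cacheKey);
                }
            }
        } catch (Exception e) {
            throw new ProcessingException(e.getMessage(), e);
        }
        return replayCache;
    }

    // Only materialise the on-disk store when the EHCache implementation is actually used;
    // the path is kept so close() can delete it (add a `private Path replayCacheDiskStore;` field).
    private ReplayCache newEhCacheReplayCache(String cacheKey) throws Exception {
        replayCacheDiskStore = Files.createTempDirectory("fediz");
        return new EHCacheReplayCache(cacheKey, replayCacheDiskStore);
    }
```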
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
index 37a4a63..354408c 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/AbstractFedizProcessor.java
@@ -94,9 +94,7 @@ public abstract class AbstractFedizProcessor implements FedizProcessor {
if (!config.getTokenReplayCache().contains(tokenId)) {
// not cached
if (expires != null) {
- Instant now = Instant.now();
- long ttl = expires.getEpochSecond() - now.getEpochSecond();
- config.getTokenReplayCache().add(tokenId, ttl);
+ config.getTokenReplayCache().add(tokenId, expires);
} else {
config.getTokenReplayCache().add(tokenId);
}
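Review bot: Passing `expires` straight into `add(tokenId, expires)` delegates the already-expired case to the ReplayCache implementation, whereas the old code would have handed it a non-positive TTL; whether WSS4J's caches then fall back to a default TTL or skip the entry is not visible here, and a custom class loaded via `tokenReplayCache` may behave differently again. If the caller has not already rejected tokens whose `expires` is in the past, add an explicit `if (expires.isBefore(Instant.now())) { throw new ProcessingException(...); }` ahead of the cache update, or document that this is enforced earlier. `getTokenReplayCache()` now throws the checked ProcessingException, so the enclosing method, which starts outside the hunk, must propagate it.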
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
index a027ffa..5e15ec9 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/samlsso/SAMLSSOResponseValidator.java
@@ -19,7 +19,6 @@
package org.apache.cxf.fediz.core.samlsso;
import java.time.Instant;
-import java.util.Date;
import java.util.List;
import org.w3c.dom.Element;
@@ -228,10 +227,8 @@ public class SAMLSSOResponseValidator {
// Need to keep bearer assertion IDs based on NotOnOrAfter to detect replay attacks
if (postBinding && replayCache != null) {
if (replayCache.contains(id)) {
- Date expires = subjectConfData.getNotOnOrAfter().toDate();
- Date currentTime = new Date();
- long ttl = expires.getTime() - currentTime.getTime();
- replayCache.add(id, ttl / 1000L);
+ Instant expires = subjectConfData.getNotOnOrAfter().toDate().toInstant();
+ replayCache.add(id, expires);
} else {
LOG.debug("Replay attack with token id: " + id);
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
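Review bot: As rendered here the context line `if (replayCache.contains(id))` stores the assertion ID when it is already present and throws "Replay attack" when it is not, which is the inverse of the check the comment above describes; unless a `!` was lost in this plain-text rendering, the first presentation of every bearer assertion would be rejected and a replayed one accepted, so the condition should read `if (!replayCache.contains(id)) {`. The new line also dereferences `subjectConfData.getNotOnOrAfter()` without a null check; if NotOnOrAfter is not enforced earlier in the validator, guard it before calling `toDate()`. The enclosing method starts and ends outside the hunk.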
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
index 7fc9ece..f7b4a2b 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/AbstractSAMLCallbackHandler.java
@@ -28,6 +28,8 @@ import java.util.Collections;
import java.util.List;
import java.util.Map;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -47,6 +49,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
import org.apache.wss4j.common.saml.bean.SubjectLocalityBean;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
@@ -422,8 +425,12 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
encrKey.setUseThisCert(certs[0]);
- encrKey.prepare(null);
- ephemeralKey = encrKey.getEphemeralKey();
+
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ encrKey.prepare(null, symmetricKey);
+ ephemeralKey = symmetricKey.getEncoded();
Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
// Append the EncryptedKey to a KeyInfo element
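Review bot: The key generator is hard-coded to `WSConstants.AES_128` while the algorithm that later encrypts with `ephemeralKey` is not visible in this hunk; if that algorithm is configurable (as `builder.getSymmetricEncAlgorithm()` is in FederationResponseTest), a mismatch in key length would surface only as an opaque encryption failure in the test. Derive the generator from the same algorithm constant the encryption step uses, or add a comment such as `// key size must match the data-encryption algorithm used below` so the coupling is explicit. The enclosing method continues outside the hunk.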
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationTest.java
index 9fbaa06..cc72508 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/config/FedizConfigurationTest.java
@@ -49,6 +49,7 @@ import org.apache.cxf.fediz.core.config.jaxb.TrustManagersType;
import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuerType;
import org.apache.cxf.fediz.core.config.jaxb.TrustedIssuers;
import org.apache.cxf.fediz.core.config.jaxb.ValidationType;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.processor.ClaimsProcessor;
import org.apache.wss4j.common.cache.EHCacheReplayCache;
import org.apache.wss4j.common.cache.MemoryReplayCache;
@@ -350,7 +351,7 @@ public class FedizConfigurationTest {
}
@org.junit.Test
- public void testTokenReplayCacheFederation() throws JAXBException, IOException {
+ public void testTokenReplayCacheFederation() throws Exception {
FedizConfig config = createConfiguration(true);
// Test the default TokenReplayCache
@@ -375,7 +376,7 @@ public class FedizConfigurationTest {
}
@org.junit.Test
- public void testTokenReplayCacheSAML() throws JAXBException, IOException {
+ public void testTokenReplayCacheSAML() throws Exception {
FedizConfig config = createConfiguration(false);
// Test the default TokenReplayCache
@@ -400,7 +401,7 @@ public class FedizConfigurationTest {
}
private ReplayCache parseConfigAndReturnTokenReplayCache(FedizConfig config)
- throws JAXBException {
+ throws JAXBException, ProcessingException {
final JAXBContext jaxbContext = JAXBContext.newInstance(FedizConfig.class);
StringWriter writer = new StringWriter();
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java
index b013ac6..abdc062 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java
@@ -28,6 +28,8 @@ import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
@@ -77,6 +79,7 @@ import org.apache.wss4j.common.saml.bean.ConditionsBean;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.common.util.DOM2Writer;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecEncrypt;
@@ -1757,8 +1760,12 @@ public class FederationResponseTest {
encryptionPart.setElement(token);
Crypto encrCrypto = CryptoFactory.getInstance("signature.properties");
- builder.prepare(encrCrypto);
- builder.encryptForRef(null, Collections.singletonList(encryptionPart));
+
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(builder.getSymmetricEncAlgorithm());
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ builder.prepare(encrCrypto, symmetricKey);
+ builder.encryptForRef(null, Collections.singletonList(encryptionPart), symmetricKey);
// return doc.getDocumentElement();
return DOM2Writer.nodeToString(doc);
diff --git a/plugins/cxf/pom.xml b/plugins/cxf/pom.xml
index c5171aa..9d7239c 100644
--- a/plugins/cxf/pom.xml
+++ b/plugins/cxf/pom.xml
@@ -39,6 +39,12 @@
<scope>compile</scope>
</dependency>
<dependency>
+ <groupId>net.sf.ehcache</groupId>
+ <artifactId>ehcache</artifactId>
+ <version>${ehcache.version}</version>
+ <scope>compile</scope>
+ </dependency>
+ <dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>${servlet.version}</version>
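Review bot: `net.sf.ehcache:ehcache` 2.10.6 is added as a compile dependency of the cxf plugin, but with WSS4J 2.3 (see the `wss4j.version` bump in the root pom) the replay cache moved to Ehcache 3 (`org.ehcache`), so this brings a second, older cache implementation onto the plugin classpath. Ehcache 2.x is effectively in maintenance-only status; confirm this module really references `net.sf.ehcache` classes (the core module drops the same dependency in this commit) and, if it is only needed transitively by CXF, leave it to CXF's dependency management rather than pinning it here.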
diff --git a/pom.xml b/pom.xml
index 52f6525..21cccd6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -43,7 +43,7 @@
<commons.logging.version>1.2</commons.logging.version>
<commons.text.version>1.9</commons.text.version>
<commons.validator.version>1.7</commons.validator.version>
- <cxf.version>3.3.9</cxf.version>
+ <cxf.version>3.4.2</cxf.version>
<cxf.build-utils.version>3.4.4</cxf.build-utils.version>
<easymock.version>4.0.2</easymock.version>
<ehcache.version>2.10.6</ehcache.version>
@@ -51,7 +51,7 @@
<jcache.version>1.0.0</jcache.version>
<hsqldb.version>2.5.1</hsqldb.version>
<htmlunit.version>2.47.1</htmlunit.version>
- <jackson.version>2.10.5</jackson.version>
+ <jackson.version>2.11.4</jackson.version>
<jaxb.version>2.3.2</jaxb.version>
<jetty9.version>9.4.36.v20210114</jetty9.version>
<junit.version>4.13.2</junit.version>
@@ -66,7 +66,7 @@
<spring-webflow.version>2.5.1.RELEASE</spring-webflow.version>
<tomcat.version>9.0.43</tomcat.version>
<validation-api.version>2.0.2</validation-api.version>
- <wss4j.version>2.2.6</wss4j.version>
+ <wss4j.version>2.3.1</wss4j.version>
<tomcat.url>http://localhost:8080/manager/text</tomcat.url>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
diff --git a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
index bc6c417..0fc37a6 100644
--- a/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
+++ b/services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpSAMLProtocolHandler.java
@@ -389,7 +389,7 @@ public class TrustedIdpSAMLProtocolHandler extends AbstractTrustedIdpProtocolHan
}
return ssoResponseValidator.validateSamlResponse(samlResponse, post);
- } catch (WSSecurityException ex) {
+ } catch (Exception ex) {
LOG.debug(ex.getMessage(), ex);
throw ExceptionUtils.toBadRequestException(ex, null);
}
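Review bot: Widening `catch (WSSecurityException ex)` to `catch (Exception ex)` converts any runtime failure inside the try body (an NPE or IllegalStateException in validation code) into a 400 Bad Request logged only at debug, hiding server-side bugs behind a client error. Presumably the widening is to cover the checked exceptions now declared by `getReplayCache()`, in which case the narrower `catch (WSSecurityException | ReflectiveOperationException ex)` achieves that without swallowing everything else. The try block starts outside the hunk, so other checked exceptions it may throw are not visible here.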
@@ -399,7 +399,7 @@ public class TrustedIdpSAMLProtocolHandler extends AbstractTrustedIdpProtocolHan
this.replayCache = replayCache;
}
- public TokenReplayCache<String> getReplayCache() {
+ public TokenReplayCache<String> getReplayCache() throws IllegalAccessException, ReflectiveOperationException {
if (replayCache == null) {
replayCache = new EHCacheTokenReplayCache();
}
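Review bot: `throws IllegalAccessException, ReflectiveOperationException` is redundant, since IllegalAccessException is a subclass of ReflectiveOperationException; declare only `throws ReflectiveOperationException`. The lazy initialisation of `replayCache` is unsynchronised, so two concurrent first requests could each construct an `EHCacheTokenReplayCache` (pre-existing, but the constructor now apparently throws and presumably opens on-disk resources); consider creating it eagerly at configuration time or making the getter `synchronized`. The method continues past the hunk.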
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/PrivateKeyPasswordProviderImpl.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/PrivateKeyPasswordProviderImpl.java
index 9ad8a2d..51ca53d 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/PrivateKeyPasswordProviderImpl.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/PrivateKeyPasswordProviderImpl.java
@@ -20,7 +20,7 @@ package org.apache.cxf.fediz.service.oidc;
import java.util.Properties;
-import org.apache.cxf.rs.security.jose.common.PrivateKeyPasswordProvider;
+import org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider;
public class PrivateKeyPasswordProviderImpl implements PrivateKeyPasswordProvider {
diff --git a/services/sts/src/main/resources/log4j.properties b/services/sts/src/main/resources/log4j.properties
index 3c00256..87a741b 100644
--- a/services/sts/src/main/resources/log4j.properties
+++ b/services/sts/src/main/resources/log4j.properties
@@ -28,5 +28,5 @@ log4j.appender.AUDIT.File=${catalina.base}/logs/audit.log
log4j.appender.AUDIT.DatePattern='.'yyyy-MM-dd
log4j.appender.AUDIT.Append=true
log4j.appender.AUDIT.Threshold=DEBUG
-log4j.appender.AUDIT.layout=org.apache.cxf.sts.event.LoggerPatternLayoutLog4J
-log4j.appender.AUDIT.layout.ConversionPattern=%m%n
+log4j.appender.AUDIT.layout=org.apache.log4j.PatternLayout
+log4j.appender.AUDIT.layout.ConversionPattern=%d [%t] %-5p %c %x - %m%n
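Review bot: Replacing `org.apache.cxf.sts.event.LoggerPatternLayoutLog4J` with a plain `PatternLayout` changes the on-disk format of the STS audit log, which is a security-relevant record: anything that ingests `audit.log` (SIEM parsers, alerting rules) keyed on the previous `%m%n` layout will need updating, and the commit message does not mention it. The old layout was presumably removed when CXF 3.4 dropped its log4j 1.x support; if so, say so above the appender, e.g. `# CXF 3.4 removed LoggerPatternLayoutLog4J; audit events now go through the standard PatternLayout`. Log4j 1.2 itself has been end-of-life since 2015, so migrating this configuration to log4j2 or logback would be the better fix than re-pointing the layout.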