Posted to commits@ws.apache.org by co...@apache.org on 2019/01/30 18:30:13 UTC
svn commit: r1852540 - in
/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax:
ext/WSSConstants.java impl/processor/input/SAMLTokenInputHandler.java
utils/WSSUtils.java
Author: coheigea
Date: Wed Jan 30 18:30:13 2019
New Revision: 1852540
URL: http://svn.apache.org/viewvc?rev=1852540&view=rev
Log:
Improve SAML validation by searching for the exact SOAP namespace
Modified:
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/utils/WSSUtils.java
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java?rev=1852540&r1=1852539&r2=1852540&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java Wed Jan 30 18:30:13 2019
@@ -268,16 +268,24 @@ public class WSSConstants extends XMLSec
}
public static final List<QName> SOAP_11_BODY_PATH = new ArrayList<>(2);
+ public static final List<QName> SOAP_12_BODY_PATH = new ArrayList<>(2);
public static final List<QName> SOAP_11_HEADER_PATH = new ArrayList<>(2);
+ public static final List<QName> SOAP_12_HEADER_PATH = new ArrayList<>(2);
public static final List<QName> WSSE_SECURITY_HEADER_PATH = new ArrayList<>(3);
static {
SOAP_11_BODY_PATH.add(WSSConstants.TAG_SOAP11_ENVELOPE);
SOAP_11_BODY_PATH.add(WSSConstants.TAG_SOAP11_BODY);
+ SOAP_12_BODY_PATH.add(WSSConstants.TAG_SOAP12_ENVELOPE);
+ SOAP_12_BODY_PATH.add(WSSConstants.TAG_SOAP12_BODY);
+
SOAP_11_HEADER_PATH.add(WSSConstants.TAG_SOAP11_ENVELOPE);
SOAP_11_HEADER_PATH.add(WSSConstants.TAG_SOAP11_HEADER);
+ SOAP_12_HEADER_PATH.add(WSSConstants.TAG_SOAP12_ENVELOPE);
+ SOAP_12_HEADER_PATH.add(WSSConstants.TAG_SOAP12_HEADER);
+
WSSE_SECURITY_HEADER_PATH.addAll(SOAP_11_HEADER_PATH);
WSSE_SECURITY_HEADER_PATH.add(WSSConstants.TAG_WSSE_SECURITY);
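Review bot: SOAP_12_BODY_PATH and SOAP_12_HEADER_PATH are published as mutable ArrayLists, following the existing SOAP 1.1 constants, so any code holding a reference can append or remove a QName and silently change what pathMatches treats as the Body or Header for every later message. Since the point of this change is exact-path matching, the new lists are worth freezing at construction, e.g. `public static final List<QName> SOAP_12_BODY_PATH = Collections.unmodifiableList(Arrays.asList(TAG_SOAP12_ENVELOPE, TAG_SOAP12_BODY));` and the same for the header path (this needs `java.util.Collections`/`Arrays` in scope, which the hunk does not show). No SOAP 1.2 counterpart of WSSE_SECURITY_HEADER_PATH is added here, so SAMLTokenVerifierInputProcessor rebuilds that path inline in its constructor; a sibling constant built from SOAP_12_HEADER_PATH would keep the two variants next to each other. The static initializer continues past the end of the hunk.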
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java?rev=1852540&r1=1852539&r2=1852540&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java Wed Jan 30 18:30:13 2019
@@ -99,14 +99,6 @@ import org.w3c.dom.Node;
*/
public class SAMLTokenInputHandler extends AbstractInputSecurityHeaderHandler {
- private static final List<QName> SAML1_TOKEN_PATH = new ArrayList<>(WSSConstants.WSSE_SECURITY_HEADER_PATH);
- private static final List<QName> SAML2_TOKEN_PATH = new ArrayList<>(WSSConstants.WSSE_SECURITY_HEADER_PATH);
-
- static {
- SAML1_TOKEN_PATH.add(WSSConstants.TAG_SAML_ASSERTION);
- SAML2_TOKEN_PATH.add(WSSConstants.TAG_SAML2_ASSERTION);
- }
-
@Override
public void handle(final InputProcessorChain inputProcessorChain, final XMLSecurityProperties securityProperties,
Deque<XMLSecEvent> eventQueue, Integer index) throws XMLSecurityException {
@@ -221,9 +213,14 @@ public class SAMLTokenInputHandler exten
wsInboundSecurityContext.registerSecurityEvent(samlTokenSecurityEvent);
if (wssSecurityProperties.isValidateSamlSubjectConfirmation()) {
+ boolean soap12 = false;
+ if (elementPath.get(0) != null && WSSConstants.NS_SOAP12.equals(elementPath.get(0).getNamespaceURI())) {
+ soap12 = true;
+ }
SAMLTokenVerifierInputProcessor samlTokenVerifierInputProcessor =
new SAMLTokenVerifierInputProcessor(
- securityProperties, samlAssertionWrapper, subjectSecurityTokenProvider, subjectSecurityToken);
+ securityProperties, samlAssertionWrapper, subjectSecurityTokenProvider, subjectSecurityToken,
+ soap12);
wsInboundSecurityContext.addSecurityEventListener(samlTokenVerifierInputProcessor);
inputProcessorChain.addProcessor(samlTokenVerifierInputProcessor);
}
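Review bot: `elementPath.get(0)` on the added line throws IndexOutOfBoundsException when the path is empty, and the null check only covers a null element, not an empty list; elementPath is built outside this hunk, so whether it can be empty here is not visible, but the guard is cheap and also removes the mutable flag-and-if: `boolean soap12 = !elementPath.isEmpty() && elementPath.get(0) != null && WSSConstants.NS_SOAP12.equals(elementPath.get(0).getNamespaceURI());`. A root element in neither SOAP namespace falls through to the SOAP 1.1 paths, which presumably then fail to match, so this is fail-closed rather than permissive, but a one-line comment such as `// anything that is not SOAP 1.2 is checked against the SOAP 1.1 paths` would make the default read as deliberate. The enclosing handle method starts and ends outside the hunk.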
@@ -538,16 +535,38 @@ public class SAMLTokenInputHandler exten
private List<SignedElementSecurityEvent> samlTokenSignedElementSecurityEvents = new ArrayList<>();
private SignedPartSecurityEvent bodySignedPartSecurityEvent;
+ private final boolean soap12;
+ private final List<QName> saml1TokenPath;
+ private final List<QName> saml2TokenPath;
+
SAMLTokenVerifierInputProcessor(XMLSecurityProperties securityProperties,
SamlAssertionWrapper samlAssertionWrapper,
SecurityTokenProvider<InboundSecurityToken> securityTokenProvider,
- InboundSecurityToken subjectSecurityToken) {
+ InboundSecurityToken subjectSecurityToken,
+ boolean soap12) {
super(securityProperties);
this.setPhase(XMLSecurityConstants.Phase.POSTPROCESSING);
this.addAfterProcessor(OperationInputProcessor.class.getName());
this.samlAssertionWrapper = samlAssertionWrapper;
this.securityTokenProvider = securityTokenProvider;
this.subjectSecurityToken = subjectSecurityToken;
+
+ this.soap12 = soap12;
+ if (soap12) {
+ saml1TokenPath = new ArrayList<>(WSSConstants.SOAP_12_HEADER_PATH);
+ saml1TokenPath.add(WSSConstants.TAG_WSSE_SECURITY);
+ saml1TokenPath.add(WSSConstants.TAG_SAML_ASSERTION);
+ saml2TokenPath = new ArrayList<>(WSSConstants.SOAP_12_HEADER_PATH);
+ saml2TokenPath.add(WSSConstants.TAG_WSSE_SECURITY);
+ saml2TokenPath.add(WSSConstants.TAG_SAML2_ASSERTION);
+ } else {
+ saml1TokenPath = new ArrayList<>(WSSConstants.SOAP_11_HEADER_PATH);
+ saml1TokenPath.add(WSSConstants.TAG_WSSE_SECURITY);
+ saml1TokenPath.add(WSSConstants.TAG_SAML_ASSERTION);
+ saml2TokenPath = new ArrayList<>(WSSConstants.SOAP_11_HEADER_PATH);
+ saml2TokenPath.add(WSSConstants.TAG_WSSE_SECURITY);
+ saml2TokenPath.add(WSSConstants.TAG_SAML2_ASSERTION);
+ }
}
@Override
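Review bot: The two branches of the new `if (soap12)` block in the constructor are identical except for the header base path, so the six add() calls are duplicated and a future edit to one branch can drift from the other. Selecting the base path once and building both token paths through a small static helper removes the duplication and gives a single place to document that the paths are exact-namespace (the constructor also deserves a Javadoc `@param soap12 true when the enclosing envelope is in the SOAP 1.2 namespace; selects which Header/Body paths are matched exactly`). If java.util.Collections is imported in this file, the helper could also return an unmodifiable list so the fields cannot be altered after construction.
```java
        this.subjectSecurityToken = subjectSecurityToken;

        this.soap12 = soap12;
        // Choose the header base once; both token paths are built the same way from it
        List<QName> headerPath = soap12 ? WSSConstants.SOAP_12_HEADER_PATH : WSSConstants.SOAP_11_HEADER_PATH;
        saml1TokenPath = tokenPath(headerPath, WSSConstants.TAG_SAML_ASSERTION);
        saml2TokenPath = tokenPath(headerPath, WSSConstants.TAG_SAML2_ASSERTION);
    }

    /** Builds Envelope/Header/wsse:Security/&lt;assertionTag&gt; on top of the given header path. */
    private static List<QName> tokenPath(List<QName> headerPath, QName assertionTag) {
        List<QName> path = new ArrayList<>(headerPath);
        path.add(WSSConstants.TAG_WSSE_SECURITY);
        path.add(assertionTag);
        return path;
    }
```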
@@ -556,15 +575,16 @@ public class SAMLTokenInputHandler exten
SignedPartSecurityEvent signedPartSecurityEvent = (SignedPartSecurityEvent) securityEvent;
List<QName> elementPath = signedPartSecurityEvent.getElementPath();
- if (WSSUtils.pathMatches(WSSConstants.SOAP_11_BODY_PATH, elementPath, true, false)) {
+ if (soap12 && WSSUtils.pathMatches(WSSConstants.SOAP_12_BODY_PATH, elementPath)
+ || !soap12 && WSSUtils.pathMatches(WSSConstants.SOAP_11_BODY_PATH, elementPath)) {
bodySignedPartSecurityEvent = signedPartSecurityEvent;
}
} else if (WSSecurityEventConstants.SignedElement.equals(securityEvent.getSecurityEventType())) {
SignedElementSecurityEvent signedPartSecurityEvent = (SignedElementSecurityEvent) securityEvent;
List<QName> elementPath = signedPartSecurityEvent.getElementPath();
- if (WSSUtils.pathMatches(SAML2_TOKEN_PATH, elementPath, true, false)
- || WSSUtils.pathMatches(SAML1_TOKEN_PATH, elementPath, true, false)) {
+ if (WSSUtils.pathMatches(saml2TokenPath, elementPath)
+ || WSSUtils.pathMatches(saml1TokenPath, elementPath)) {
samlTokenSignedElementSecurityEvents.add(signedPartSecurityEvent);
}
}
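Review bot: The new body-path condition mixes `&&` and `||` without parentheses; it is correct because `&&` binds tighter, but a reader has to work that out, and the same soap12 switch is already done once in the constructor. Resolving the path once keeps the intent visible: `List<QName> bodyPath = soap12 ? WSSConstants.SOAP_12_BODY_PATH : WSSConstants.SOAP_11_BODY_PATH;` followed by `if (WSSUtils.pathMatches(bodyPath, elementPath)) {` (or store the chosen body path as a final field next to saml1TokenPath). Worth a short comment on the changed lines that the switch from the four-argument call to the two-argument overload is what drops matchAnySoapNS, so a Body in the wrong SOAP namespace no longer counts as the signed Body. The enclosing event-handling method starts outside the hunk.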
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/utils/WSSUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/utils/WSSUtils.java?rev=1852540&r1=1852539&r2=1852540&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/utils/WSSUtils.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/utils/WSSUtils.java Wed Jan 30 18:30:13 2019
@@ -625,6 +625,10 @@ public class WSSUtils extends XMLSecurit
return (TokenSecurityEvent<? extends InboundSecurityToken>)tokenSecurityEvent;
}
+ public static boolean pathMatches(List<QName> path1, List<QName> path2) {
+ return pathMatches(path1, path2, false, false);
+ }
+
public static boolean pathMatches(List<QName> path1, List<QName> path2,
boolean matchAnySoapNS, boolean lastElementWildCard) {
if (path1 == null) {
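Review bot: The new two-argument pathMatches overload has no Javadoc, and its defaults are the security-relevant part: it fixes matchAnySoapNS to false, so a SOAP 1.1 path will not match a SOAP 1.2 element, and lastElementWildCard to false. Callers migrating from the four-argument form with `true, false` get stricter matching, which is the intent of this commit but is not visible at the call site. Suggested Javadoc: a summary line "Matches two element paths exactly, namespace included", then `@return true if the paths are equal element for element; no SOAP-namespace relaxation and no wildcard on the last element`, with a pointer to the four-argument overload for the relaxed variants. The four-argument method continues past the end of the hunk.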