Posted to commits@cxf.apache.org by co...@apache.org on 2019/06/17 12:45:07 UTC

[cxf] branch wss4j_2.3.0 updated: Picking up more changes in WSS4J

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch wss4j_2.3.0
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/wss4j_2.3.0 by this push:
     new 3b4e94c  Picking up more changes in WSS4J
3b4e94c is described below

commit 3b4e94ccb8d6d1ef4a3c1e6fe45d0e97c7b2f8cf
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Mon Jun 17 13:44:27 2019 +0100

    Picking up more changes in WSS4J
---
 parent/pom.xml                                             |  1 +
 .../cxf/ws/security/trust/STSStaxTokenValidator.java       |  3 ++-
 .../ws/wssec10/server/CustomUsernameTokenInterceptor.java  | 14 ++++++++++----
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/parent/pom.xml b/parent/pom.xml
index c7123b9..9c9d118 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -214,6 +214,7 @@
         <cxf.woodstox.stax2-api.version>3.1.4</cxf.woodstox.stax2-api.version>
         <cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version>
         <cxf.wss4j.version>2.3.0-SNAPSHOT</cxf.wss4j.version>
+        <cxf.xalan.version>2.7.2</cxf.xalan.version>
         <cxf.xbean.version>4.14</cxf.xbean.version>
         <cxf.xerces.version>2.12.0</cxf.xerces.version>
         <cxf.xmlschema.version>2.2.4</cxf.xmlschema.version>
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
index ffb99e4..57429e2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
@@ -42,6 +42,7 @@ import org.apache.wss4j.common.token.BinarySecurity;
 import org.apache.wss4j.common.token.PKIPathSecurity;
 import org.apache.wss4j.common.token.X509Security;
 import org.apache.wss4j.common.util.AttachmentUtils;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
 import org.apache.wss4j.dom.message.token.KerberosSecurity;
 import org.apache.wss4j.dom.message.token.UsernameToken;
 import org.apache.wss4j.stax.ext.WSSConstants;
@@ -329,7 +330,7 @@ public class STSStaxTokenValidator
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
         }
 
-        String passDigest = WSSUtils.doPasswordDigest(nonceVal, created, pwCb.getPassword());
+        String passDigest = UsernameTokenUtil.doPasswordDigest(nonceVal, created, pwCb.getPassword());
         if (!passwordType.getValue().equals(passDigest)) {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
         }
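Review bot: The digest check on the line after the changed call, `passwordType.getValue().equals(passDigest)`, compares an authentication value with `String.equals`, which returns at the first differing character; the commit swaps the helper class but leaves that comparison unchanged. A constant-time compare would be safer, e.g. `if (!MessageDigest.isEqual(passwordType.getValue().getBytes(StandardCharsets.UTF_8), passDigest.getBytes(StandardCharsets.UTF_8))) {`, which needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported outside this hunk. The practical exposure is probably small because the digest covers a per-message nonce and timestamp, but that depends on nonce replay checks that are not visible here. The enclosing method starts and ends outside the hunk.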
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
index e04d7b5..50ea95b 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
@@ -26,7 +26,8 @@ import org.apache.cxf.common.security.SimplePrincipal;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor;
-import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
+import org.apache.xml.security.utils.XMLUtils;
 
 public class CustomUsernameTokenInterceptor extends UsernameTokenInterceptor {
 
@@ -44,11 +45,16 @@ public class CustomUsernameTokenInterceptor extends UsernameTokenInterceptor {
 
         // add roles this user is in
         String roleName = "Alice".equals(name) ? "developers" : "pms";
-        String expectedPassword = "Alice".equals(name) ? "ecilA"
-            : UsernameToken.doPasswordDigest(nonce, created, "invalid-password");
-        if (!password.equals(expectedPassword)) {
+        try {
+            String expectedPassword = "Alice".equals(name) ? "ecilA"
+                : UsernameTokenUtil.doPasswordDigest(XMLUtils.decode(nonce), created, "invalid-password");
+            if (!password.equals(expectedPassword)) {
+                throw new SecurityException("Wrong Password");
+            }
+        } catch (org.apache.wss4j.common.ext.WSSecurityException ex) {
             throw new SecurityException("Wrong Password");
         }
+
         subject.getPrincipals().add(new SimpleGroup(roleName, name));
         subject.setReadOnly();
         return subject;
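Review bot: The new `catch (org.apache.wss4j.common.ext.WSSecurityException ex)` discards `ex`, so a failure inside `UsernameTokenUtil.doPasswordDigest` looks the same as a real mismatch when a test fails. Keeping the same message for the caller is fine, but the cause should be attached: `throw new SecurityException("Wrong Password", ex);`. `XMLUtils.decode(nonce)` is also evaluated for every non-Alice user, and a token without a nonce would presumably fail there with an unchecked exception rather than `WSSecurityException`, so a null check is worth adding if plaintext tokens can reach this branch. Importing `WSSecurityException` instead of using the fully qualified name would match the other imports. The method starts and ends outside the hunk.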