Posted to commits@cxf.apache.org by co...@apache.org on 2019/06/17 12:45:07 UTC
[cxf] branch wss4j_2.3.0 updated: Picking up more changes in WSS4J
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch wss4j_2.3.0
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/wss4j_2.3.0 by this push:
new 3b4e94c Picking up more changes in WSS4J
3b4e94c is described below
commit 3b4e94ccb8d6d1ef4a3c1e6fe45d0e97c7b2f8cf
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Mon Jun 17 13:44:27 2019 +0100
Picking up more changes in WSS4J
---
parent/pom.xml | 1 +
.../cxf/ws/security/trust/STSStaxTokenValidator.java | 3 ++-
.../ws/wssec10/server/CustomUsernameTokenInterceptor.java | 14 ++++++++++----
3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/parent/pom.xml b/parent/pom.xml
index c7123b9..9c9d118 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -214,6 +214,7 @@
<cxf.woodstox.stax2-api.version>3.1.4</cxf.woodstox.stax2-api.version>
<cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version>
<cxf.wss4j.version>2.3.0-SNAPSHOT</cxf.wss4j.version>
+ <cxf.xalan.version>2.7.2</cxf.xalan.version>
<cxf.xbean.version>4.14</cxf.xbean.version>
<cxf.xerces.version>2.12.0</cxf.xerces.version>
<cxf.xmlschema.version>2.2.4</cxf.xmlschema.version>
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
index ffb99e4..57429e2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
@@ -42,6 +42,7 @@ import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.PKIPathSecurity;
import org.apache.wss4j.common.token.X509Security;
import org.apache.wss4j.common.util.AttachmentUtils;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.stax.ext.WSSConstants;
@@ -329,7 +330,7 @@ public class STSStaxTokenValidator
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
- String passDigest = WSSUtils.doPasswordDigest(nonceVal, created, pwCb.getPassword());
+ String passDigest = UsernameTokenUtil.doPasswordDigest(nonceVal, created, pwCb.getPassword());
if (!passwordType.getValue().equals(passDigest)) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
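Review bot: The check right after the changed call still compares the computed digest with `String.equals`, which stops at the first differing character, so response time can vary with how much of the submitted value matches. Since this is the authentication decision, a constant-time comparison is the safer form, for example `if (!MessageDigest.isEqual(passwordType.getValue().getBytes(StandardCharsets.UTF_8), passDigest.getBytes(StandardCharsets.UTF_8))) {`, with `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported. The declaration of `nonceVal` is outside the hunk, so it is worth confirming that it already holds the decoded nonce bytes that `UsernameTokenUtil.doPasswordDigest` expects; the test interceptor in this same commit has to call `XMLUtils.decode(nonce)` first. The enclosing method starts and ends outside the hunk.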
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
index e04d7b5..50ea95b 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
@@ -26,7 +26,8 @@ import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor;
-import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
+import org.apache.xml.security.utils.XMLUtils;
public class CustomUsernameTokenInterceptor extends UsernameTokenInterceptor {
@@ -44,11 +45,16 @@ public class CustomUsernameTokenInterceptor extends UsernameTokenInterceptor {
// add roles this user is in
String roleName = "Alice".equals(name) ? "developers" : "pms";
- String expectedPassword = "Alice".equals(name) ? "ecilA"
- : UsernameToken.doPasswordDigest(nonce, created, "invalid-password");
- if (!password.equals(expectedPassword)) {
+ try {
+ String expectedPassword = "Alice".equals(name) ? "ecilA"
+ : UsernameTokenUtil.doPasswordDigest(XMLUtils.decode(nonce), created, "invalid-password");
+ if (!password.equals(expectedPassword)) {
+ throw new SecurityException("Wrong Password");
+ }
+ } catch (org.apache.wss4j.common.ext.WSSecurityException ex) {
throw new SecurityException("Wrong Password");
}
+
subject.getPrincipals().add(new SimpleGroup(roleName, name));
subject.setReadOnly();
return subject;
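Review bot: The new `catch` block discards `ex`, so a failure in `XMLUtils.decode(nonce)` or in `doPasswordDigest` looks exactly like a real password mismatch when this test interceptor rejects a request. Keeping the generic message for the caller is reasonable, but the cause should be chained, `throw new SecurityException("Wrong Password", ex);`, assuming this is `java.lang.SecurityException`. The exception type would also read better as an import than as the fully qualified `org.apache.wss4j.common.ext.WSSecurityException` in the catch clause. How `nonce` is obtained is outside the hunk; if it can be null for a plaintext-password token from a user other than Alice, confirm that `XMLUtils.decode(nonce)` fails in a way this catch covers.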