Posted to commits@ws.apache.org by co...@apache.org on 2015/07/08 18:06:57 UTC
svn commit: r1689913 - in
/webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src:
main/java/org/apache/wss4j/dom/handler/
main/java/org/apache/wss4j/dom/message/token/
test/java/org/apache/wss4j/dom/message/
Author: coheigea
Date: Wed Jul 8 16:06:56 2015
New Revision: 1689913
URL: http://svn.apache.org/r1689913
Log:
[WSS-544] - Disable new storeBytesInAttachment for encryption before signing
Conflicts:
ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/BinarySecurity.java
ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java
Modified:
webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/BinarySecurity.java
webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java
Modified: webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java?rev=1689913&r1=1689912&r2=1689913&view=diff
==============================================================================
--- webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java (original)
+++ webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java Wed Jul 8 16:06:56 2015
@@ -119,6 +119,7 @@ public abstract class WSHandler {
reqData.setStoreBytesInAttachment(storeBytesInAttachment);
// Perform configuration
+ boolean encryptionFound = false;
for (HandlerAction actionToDo : actions) {
if (actionToDo.getAction() == WSConstants.SC) {
wssConfig.setEnableSignatureConfirmation(true);
@@ -141,12 +142,18 @@ public abstract class WSHandler {
actionToken.setCrypto(loadSignatureCrypto(reqData));
}
decodeSignatureParameter(reqData);
+ if (encryptionFound && storeBytesInAttachment) {
+ LOG.warn("Turning off storeBytesInAttachment as we have encryption before signature."
+ + " The danger here is that the actual encryption bytes will not be signed");
+ reqData.setStoreBytesInAttachment(false);
+ }
} else if (actionToDo.getAction() == WSConstants.ST_SIGNED
&& actionToDo.getActionToken() == null) {
decodeSignatureParameter(reqData);
} else if ((actionToDo.getAction() == WSConstants.ENCR
|| actionToDo.getAction() == WSConstants.DKT_ENCR)
&& actionToDo.getActionToken() == null) {
+ encryptionFound = true;
EncryptionActionToken actionToken = reqData.getEncryptionToken();
if (actionToken == null) {
actionToken = new EncryptionActionToken();
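Review bot: `encryptionFound = true;` is only reached when the encryption branch's own condition `actionToDo.getActionToken() == null` holds (the three lines above it), so an ENCR or DKT_ENCR action that the caller supplied with a pre-built EncryptionActionToken and that precedes the signature will never switch storeBytesInAttachment off at the new check in the signature branch. Unless such actions are handled in a branch outside this hunk, the flag should follow the action type alone, e.g. `if (actionToDo.getAction() == WSConstants.ENCR || actionToDo.getAction() == WSConstants.DKT_ENCR) { encryptionFound = true; }` as the first statement of the loop body (declared in the preceding hunk), so the guard tracks action order rather than token presence. The signature-side check likely sits under a similar `getActionToken() == null` condition whose start is outside the hunk, and the ST_SIGNED branch just below it gets no equivalent guard; both are worth confirming. The enclosing method continues past the end of the hunk.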
Modified: webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/BinarySecurity.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/BinarySecurity.java?rev=1689913&r1=1689912&r2=1689913&view=diff
==============================================================================
--- webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/BinarySecurity.java (original)
+++ webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/BinarySecurity.java Wed Jul 8 16:06:56 2015
@@ -19,11 +19,15 @@
package org.apache.wss4j.dom.message.token;
+import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.Arrays;
+import java.util.UUID;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.common.bsp.BSPRule;
+import org.apache.wss4j.common.ext.Attachment;
+import org.apache.wss4j.common.ext.AttachmentResultCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.DOM2Writer;
import org.apache.wss4j.dom.bsp.BSPEnforcer;
@@ -34,6 +38,7 @@ import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.Text;
+import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
@@ -50,6 +55,16 @@ public class BinarySecurity {
private Element element;
private byte[] data;
+ private boolean storeBytesInAttachment;
+ private CallbackHandler attachmentCallbackHandler;
+
+ public CallbackHandler getAttachmentCallbackHandler() {
+ return attachmentCallbackHandler;
+ }
+
+ public void setAttachmentCallbackHandler(CallbackHandler attachmentCallbackHandler) {
+ this.attachmentCallbackHandler = attachmentCallbackHandler;
+ }
/**
* Constructor.
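Review bot: The new public accessors `getAttachmentCallbackHandler`/`setAttachmentCallbackHandler` here, and `isStoreBytesInAttachment`/`setStoreBytesInAttachment` in the last hunk of this file, carry no Javadoc although they change how setToken serializes the token. Since the attachment path in setToken only runs when both are set, the setter should say so, e.g. `/** Sets the CallbackHandler that receives an AttachmentResultCallback when setToken stores the token bytes as an XOP attachment instead of inline base64; it has no effect unless storeBytesInAttachment is also true. */`, with a matching sentence on `setStoreBytesInAttachment` pointing at the callback handler requirement.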
@@ -88,7 +103,6 @@ public class BinarySecurity {
public BinarySecurity(Document doc) {
element = doc.createElementNS(WSConstants.WSSE_NS, "wsse:BinarySecurityToken");
setEncodingType(BASE64_ENCODING);
- element.appendChild(doc.createTextNode(""));
}
/**
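Review bot: The constructor no longer appends the empty text node, but the inline path of setToken (next hunk) still does `Text node = getFirstNode(); node.setData(...)` without a null check, so a token built from `new BinarySecurity(doc)` and then set with storeBytesInAttachment false now depends on getFirstNode() creating the Text child itself. getFirstNode() is outside this hunk; if it only returns the existing first child, that path throws NullPointerException and the removal needs either a fallback in setToken (`if (node == null) { node = element.getOwnerDocument().createTextNode(""); element.appendChild(node); }`) or the text node kept here. Worth confirming before merging to the fixes branch.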
@@ -211,13 +225,38 @@ public class BinarySecurity {
*
* @param data
*/
- public void setToken(byte[] data) {
+ public void setToken(byte[] data) throws WSSecurityException {
if (data == null) {
throw new IllegalArgumentException("data == null");
}
- Text node = getFirstNode();
- node.setData(Base64.encode(data));
- setRawToken(data);
+ if (storeBytesInAttachment && attachmentCallbackHandler != null) {
+ Document document = element.getOwnerDocument();
+ final String attachmentId = "_" + UUID.randomUUID().toString();
+
+ element.setAttributeNS(WSConstants.XMLNS_NS, "xmlns:xop", WSConstants.XOP_NS);
+ Element xopInclude =
+ document.createElementNS(WSConstants.XOP_NS, "xop:Include");
+ xopInclude.setAttributeNS(null, "href", "cid:" + attachmentId);
+ element.appendChild(xopInclude);
+
+ Attachment resultAttachment = new Attachment();
+ resultAttachment.setId(attachmentId);
+ resultAttachment.setMimeType("application/ciphervalue");
+ resultAttachment.setSourceStream(new ByteArrayInputStream(data));
+
+ AttachmentResultCallback attachmentResultCallback = new AttachmentResultCallback();
+ attachmentResultCallback.setAttachmentId(attachmentId);
+ attachmentResultCallback.setAttachment(resultAttachment);
+ try {
+ attachmentCallbackHandler.handle(new Callback[]{attachmentResultCallback});
+ } catch (Exception e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+ }
+ } else {
+ Text node = getFirstNode();
+ node.setData(Base64.encode(data));
+ setRawToken(data);
+ }
}
/**
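Review bot: The attachment branch of setToken never calls `setRawToken(data)`; only the inline branch at the bottom does, so after the bytes are handed to the callback this instance does not retain the token bytes and any later read of the raw token from it (presumably getToken(), which is outside the hunk) returns whatever was set before — moving `setRawToken(data);` above the `if (storeBytesInAttachment && attachmentCallbackHandler != null)` keeps both paths consistent. The `catch (Exception e)` around `attachmentCallbackHandler.handle(...)` can be narrowed to `catch (IOException | UnsupportedCallbackException e)` (both already imported in the first hunk of this file) so that programming errors in the handler are not relabelled as a generic FAILURE. Adding the checked `throws WSSecurityException` to a public method on a fixes branch is a source-incompatible change for every existing caller of setToken; if that is intended, the Javadoc above the method should gain `@throws WSSecurityException if the attachment callback handler fails to store the token bytes`.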
@@ -334,4 +373,12 @@ public class BinarySecurity {
}
return true;
}
+
+ public boolean isStoreBytesInAttachment() {
+ return storeBytesInAttachment;
+ }
+
+ public void setStoreBytesInAttachment(boolean storeBytesInAttachment) {
+ this.storeBytesInAttachment = storeBytesInAttachment;
+ }
}
Modified: webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java?rev=1689913&r1=1689912&r2=1689913&view=diff
==============================================================================
--- webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java (original)
+++ webservices/wss4j/branches/2_0_x-fixes/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java Wed Jul 8 16:06:56 2015
@@ -38,9 +38,12 @@ import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSConfig;
import org.apache.wss4j.dom.WSSecurityEngine;
import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.common.CustomHandler;
import org.apache.wss4j.dom.common.KeystoreCallbackHandler;
import org.apache.wss4j.dom.common.SOAPUtil;
+import org.apache.wss4j.dom.handler.HandlerAction;
import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -511,48 +514,103 @@ public class XOPAttachmentTest extends o
assertTrue(processedDoc.contains(SOAP_BODY));
}
- // TODO
@org.junit.Test
- @org.junit.Ignore
- public void testEncryptedSignedSOAPBody() throws Exception {
- Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
- WSSecHeader secHeader = new WSSecHeader();
- secHeader.insertSecurityHeader(doc);
+ public void testSignedEncryptedSOAPBodyViaHandler() throws Exception {
+ final WSSConfig cfg = WSSConfig.getNewInstance();
+ final RequestData reqData = new RequestData();
+ reqData.setWssConfig(cfg);
+ reqData.setUsername("16c73ab6-b892-458f-abf5-2f875f74882e");
AttachmentCallbackHandler outboundAttachmentCallback = new AttachmentCallbackHandler();
+ reqData.setAttachmentCallbackHandler(outboundAttachmentCallback);
- WSSecEncrypt encrypt = new WSSecEncrypt();
- encrypt.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
- encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
-
- encrypt.setAttachmentCallbackHandler(outboundAttachmentCallback);
- encrypt.setStoreBytesInAttachment(true);
-
- encrypt.build(doc, crypto, secHeader);
- WSSecSignature builder = new WSSecSignature();
- builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
- builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
+ java.util.Map<String, Object> config = new java.util.TreeMap<String, Object>();
+ config.put(WSHandlerConstants.SIG_PROP_FILE, "crypto.properties");
+ config.put(WSHandlerConstants.ENC_PROP_FILE, "crypto.properties");
+ config.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+ config.put("password", "security");
+ config.put(WSHandlerConstants.STORE_BYTES_IN_ATTACHMENT, "true");
+ reqData.setMsgContext(config);
+
+ final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ CustomHandler handler = new CustomHandler();
+ List<HandlerAction> actions = new ArrayList<HandlerAction>();
+ actions.add(new HandlerAction(WSConstants.SIGN));
+ actions.add(new HandlerAction(WSConstants.ENCR));
+
+ handler.send(
+ doc,
+ reqData,
+ actions,
+ true
+ );
+ String outputString =
+ XMLUtils.PrettyDocumentToString(doc);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Signed message:");
+ LOG.debug(outputString);
+ }
- builder.setAttachmentCallbackHandler(outboundAttachmentCallback);
- builder.setStoreBytesInAttachment(true);
- Document signedDoc = builder.build(doc, crypto, secHeader);
+ List<Attachment> encryptedAttachments = outboundAttachmentCallback.getResponseAttachments();
+ assertNotNull(encryptedAttachments);
+ assertTrue(encryptedAttachments.size() == 3);
+
+ AttachmentCallbackHandler inboundAttachmentCallback =
+ new AttachmentCallbackHandler(encryptedAttachments);
+ verify(doc, inboundAttachmentCallback);
+
+ String processedDoc = XMLUtils.PrettyDocumentToString(doc);
+ assertTrue(processedDoc.contains(SOAP_BODY));
+ }
+
+ @org.junit.Test
+ public void testEncryptedSignedSOAPBodyViaHandler() throws Exception {
+ final WSSConfig cfg = WSSConfig.getNewInstance();
+ final RequestData reqData = new RequestData();
+ reqData.setWssConfig(cfg);
+ reqData.setUsername("16c73ab6-b892-458f-abf5-2f875f74882e");
+
+ AttachmentCallbackHandler outboundAttachmentCallback = new AttachmentCallbackHandler();
+ reqData.setAttachmentCallbackHandler(outboundAttachmentCallback);
- List<Attachment> signedAttachments = outboundAttachmentCallback.getResponseAttachments();
- assertNotNull(signedAttachments);
- assertTrue(signedAttachments.size() == 3);
+ java.util.Map<String, Object> config = new java.util.TreeMap<String, Object>();
+ config.put(WSHandlerConstants.SIG_PROP_FILE, "crypto.properties");
+ config.put(WSHandlerConstants.ENC_PROP_FILE, "crypto.properties");
+ config.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+ config.put("password", "security");
+ config.put(WSHandlerConstants.STORE_BYTES_IN_ATTACHMENT, "true");
+ reqData.setMsgContext(config);
+
+ final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ CustomHandler handler = new CustomHandler();
+ List<HandlerAction> actions = new ArrayList<HandlerAction>();
+ actions.add(new HandlerAction(WSConstants.ENCR));
+ actions.add(new HandlerAction(WSConstants.SIGN));
+
+ handler.send(
+ doc,
+ reqData,
+ actions,
+ true
+ );
+ String outputString =
+ XMLUtils.PrettyDocumentToString(doc);
if (LOG.isDebugEnabled()) {
- String outputString = XMLUtils.PrettyDocumentToString(signedDoc);
+ LOG.debug("Signed message:");
LOG.debug(outputString);
- // System.out.println(outputString);
}
-
+
+ List<Attachment> encryptedAttachments = outboundAttachmentCallback.getResponseAttachments();
+ assertNotNull(encryptedAttachments);
+ assertTrue(encryptedAttachments.size() == 0);
+
AttachmentCallbackHandler inboundAttachmentCallback =
- new AttachmentCallbackHandler(signedAttachments);
- verify(signedDoc, inboundAttachmentCallback);
+ new AttachmentCallbackHandler(encryptedAttachments);
+ verify(doc, inboundAttachmentCallback);
- String processedDoc = XMLUtils.PrettyDocumentToString(signedDoc);
+ String processedDoc = XMLUtils.PrettyDocumentToString(doc);
assertTrue(processedDoc.contains(SOAP_BODY));
}
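Review bot: `assertTrue(encryptedAttachments.size() == 3)` and the `== 0` counterpart in the second test hide the actual count on failure; `assertEquals(3, encryptedAttachments.size())` and `assertEquals(0, encryptedAttachments.size())` report it. The second test also logs `"Signed message:"` for the encrypt-then-sign case, copied from the first test, and nothing explains why zero attachments are expected there; a comment such as `// ENCR before SIGN: WSHandler switches storeBytesInAttachment off, so the token stays inline` above that assertion would make the expectation self-explaining. The removed direct-API test (WSSecEncrypt followed by WSSecSignature, both with storeBytesInAttachment set) has no replacement, and the new WSHandler guard does not apply to that API path, so that ordering is now untested rather than ignored. Neither test asserts that the fallback was actually triggered beyond the attachment count; if the handler's warning is the intended signal, a log-capturing assertion would tie the test to it.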