Posted to rampart-dev@ws.apache.org by na...@apache.org on 2008/04/03 13:00:41 UTC
svn commit: r644258 - in
/webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart:
MessageBuilder.java PolicyBasedResultsValidator.java RampartEngine.java
handler/PostDispatchVerificationHandler.java util/RampartUtil.java
Author: nandana
Date: Thu Apr 3 04:00:25 2008
New Revision: 644258
URL: http://svn.apache.org/viewvc?rev=644258&view=rev
Log:
Fix for Rampart 146 issue
Modified:
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/MessageBuilder.java
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java
webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
Modified: webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/MessageBuilder.java
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/MessageBuilder.java?rev=644258&r1=644257&r2=644258&view=diff
==============================================================================
--- webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/MessageBuilder.java (original)
+++ webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/MessageBuilder.java Thu Apr 3 04:00:25 2008
@@ -62,7 +62,16 @@
RampartPolicyData rpd = rmd.getPolicyData();
- if(rpd == null || isSecurityValidationFault(msgCtx)) {
+ if(rpd == null || isSecurityValidationFault(msgCtx) ||
+ !RampartUtil.isSecHeaderRequired(rpd, rmd.isInitiator(),false)) {
+
+ Document doc = rmd.getDocument();
+ WSSecHeader secHeader = rmd.getSecHeader();
+
+ if ( secHeader != null && secHeader.isEmpty(doc) ) {
+ secHeader.removeSecurityHeader(doc);
+ }
+
return;
}
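Review bot: The new early-return block removes an empty wsse:Security header without a comment saying why, so the intent of the `secHeader != null && secHeader.isEmpty(doc)` check is left to the reader. Suggest a line above `Document doc = rmd.getDocument();` such as `// Nothing to add to the outgoing message: drop an already-created but empty wsse:Security header so it is not sent out`. The enclosing method starts outside the hunk, and the related TODO in the next hunk (ending at the `WSSecHeader secHeader` line) says a later null/empty check is now redundant because of this guard; if that is so, removing it in this commit would be clearer than leaving a TODO.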
@@ -137,6 +146,9 @@
AsymmetricBindingBuilder builder = new AsymmetricBindingBuilder();
builder.build(rmd);
}
+
+ //TODO remove following check, we don't need this check here as we do a check to see whether
+ // security header required
Document doc = rmd.getDocument();
WSSecHeader secHeader = rmd.getSecHeader();
Modified: webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java?rev=644258&r1=644257&r2=644258&view=diff
==============================================================================
--- webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java (original)
+++ webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java Thu Apr 3 04:00:25 2008
@@ -80,6 +80,9 @@
//sig/encr
Vector encryptedParts = RampartUtil.getEncryptedParts(rmd);
if(rpd != null && rpd.isSignatureProtection() && isSignatureRequired(rmd)) {
+
+ String sigId = RampartUtil.getSigElementId(rmd);
+
encryptedParts.add(new WSEncryptionPart(WSConstants.SIG_LN,
WSConstants.SIG_NS, "Element"));
}
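Review bot: `String sigId = RampartUtil.getSigElementId(rmd);` is assigned and never used in the hunk, so it is a dead call that, with the `getSigElementId` added in this commit, can also throw a NullPointerException when the first Security header has no Signature child. Presumably it was meant to become the encId of the Signature part added just below; if so, `WSEncryptionPart sigPart = new WSEncryptionPart(WSConstants.SIG_LN, WSConstants.SIG_NS, "Element"); sigPart.setEncId(sigId); encryptedParts.add(sigPart);` would make that explicit, otherwise the line should be dropped. The enclosing method starts and ends outside the hunk.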
@@ -219,8 +222,8 @@
SupportingToken sgndEndorSupTokens = rpd.getSignedEndorsingSupportingTokens();
if(sig && signatureParts.size() == 0
- && sgndSupTokens.getTokens().size() == 0
- && sgndEndorSupTokens.getTokens().size() == 0) {
+ && (sgndSupTokens == null || sgndSupTokens.getTokens().size() == 0)
+ && (sgndEndorSupTokens == null || sgndEndorSupTokens.getTokens().size() == 0)) {
//Unexpected signature
throw new RampartException("unexprectedSignature");
@@ -419,20 +422,37 @@
}
}
-// TODO : IMPORTANT this processing is wrong .. fix it
-//
-// int refCount = 0;
-//
-// refCount += encryptedParts.size();
-//
-// if(rpd.isSignatureProtection()) {
-// refCount ++;
-// }
-//
-// if(encrRefs.size() != refCount) {
-// throw new RampartException("invalidNumberOfEncryptedParts",
-// new String[]{Integer.toString(refCount)});
-// }
+ for (int i = 0 ; i < encryptedParts.size() ; i++) {
+
+ WSEncryptionPart encPart = (WSEncryptionPart)encryptedParts.get(i);
+
+ //This is the encrypted Body and we already checked encrypted body
+ if (encPart.getType() == WSConstants.PART_TYPE_BODY) {
+ continue;
+ }
+
+ //TODO we don't check encrypted headers now
+ // Can't change id when when encrypted header is both signed and encrypted
+ //FIX THIS
+ if (encPart.getType() == WSConstants.PART_TYPE_HEADER) {
+ continue;
+ }
+
+ //TODO we need to check encrypted signature
+ if (WSConstants.SIG_LN.equals(encPart.getName()) &&
+ WSConstants.SIG_NS.equals(encPart.getNamespace())) {
+ continue;
+ }
+
+ if (encPart.getEncId() == null) {
+ throw new RampartException("encryptedPartMissing",
+ new String[]{encPart.getNamespace()+":"+encPart.getName()});
+ } else if (!isRefIdPresent(encrRefs, encPart.getEncId())) {
+ throw new RampartException("encryptedPartMissing",
+ new String[]{encPart.getNamespace()+":"+encPart.getName()});
+ }
+
+ }
}
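Review bot: The new loop skips every `PART_TYPE_HEADER` part and the Signature part with `continue`, so a policy-required encrypted header or encrypted signature that is absent from the message is not rejected by this check; the TODOs acknowledge it, but the gap is easy to miss, so a line such as `// NOTE: header and Signature parts are not verified here (see TODOs above); a missing encrypted header does not fail this loop` at the top of the loop would keep it visible. The two `throw` branches at the end are identical and can be collapsed into `if (encPart.getEncId() == null || !isRefIdPresent(encrRefs, encPart.getEncId())) {` with a single throw. The enclosing method starts outside the hunk.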
@@ -778,5 +798,25 @@
return false;
}
+
+ private boolean isRefIdPresent(ArrayList refList , String id) {
+
+ for (int i = 0; i < refList.size() ; i++) {
+ String refId = (String)refList.get(i);
+ if (refId != null && refId.equals(id)) {
+ return true;
+ } else if (refId != null) {
+ //TODO This is a hack to handle the special case Encrypted Header
+ refId = refId.replaceFirst("EncDataId","EncHeader");
+ if (refId.equals(id)) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+
+ }
+
}
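Review bot: In `isRefIdPresent` the `replaceFirst("EncDataId","EncHeader")` rewrite is applied to every reference id in the list, so any reference that differs from the wanted id only by that prefix is accepted as a match, which is looser than the exact comparison the first branch performs; the comment calls it a hack but does not say which ids are expected to differ, so a sentence naming the producer of the `EncHeader-` form would help the next reader. The branching can also be flattened: `if (refId == null) { continue; }` followed by `if (refId.equals(id) || refId.replaceFirst("EncDataId","EncHeader").equals(id)) { return true; }`. The parameter is a raw `ArrayList`; the method only reads by index, so `java.util.List` would do if it is already imported in this file.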
Modified: webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java?rev=644258&r1=644257&r2=644258&view=diff
==============================================================================
--- webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java (original)
+++ webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java Thu Apr 3 04:00:25 2008
@@ -75,7 +75,7 @@
//If there is no policy information or if the message is a security fault or no security
// header required by the policy
- if(rpd == null || isSecurityFault(rmd) || !RampartUtil.isSecHeaderRequired(rpd,rmd.isInitiator())) {
+ if(rpd == null || isSecurityFault(rmd) || !RampartUtil.isSecHeaderRequired(rpd,rmd.isInitiator(),true)) {
SOAPEnvelope env = Axis2Util.getSOAPEnvelopeFromDOMDocument(rmd.getDocument(), true);
//Convert back to llom since the inflow cannot use llom
Modified: webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java?rev=644258&r1=644257&r2=644258&view=diff
==============================================================================
--- webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java (original)
+++ webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java Thu Apr 3 04:00:25 2008
@@ -151,7 +151,7 @@
}
//Now check for security processing results if security policy is available
- if(RampartUtil.isSecHeaderRequired(rpd,isInitiator) &&
+ if(RampartUtil.isSecHeaderRequired(rpd,isInitiator,true) &&
msgContext.getProperty(WSHandlerConstants.RECV_RESULTS) == null) {
throw new AxisFault("InvalidSecurity");
}
Modified: webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
URL: http://svn.apache.org/viewvc/webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java?rev=644258&r1=644257&r2=644258&view=diff
==============================================================================
--- webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java (original)
+++ webservices/rampart/trunk/java/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java Thu Apr 3 04:00:25 2008
@@ -77,6 +77,7 @@
import org.apache.ws.security.message.WSSecEncryptedKey;
import org.apache.ws.security.util.Loader;
import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.xml.security.utils.Constants;
import org.jaxen.JaxenException;
import org.jaxen.XPath;
import org.w3c.dom.Document;
@@ -741,7 +742,7 @@
Vector encryptedPartsElements = getPartsAndElements(false, envelope, rpd.isEncryptBody(), rpd.getEncryptedParts(), rpd.getEncryptedElements(),rpd.getDeclaredNamespaces());
return getContentEncryptedElements(encryptedPartsElements, envelope, rpd.getContentEncryptedElements(), rpd.getDeclaredNamespaces());
}
-
+
public static Vector getSignedParts(RampartMessageData rmd) {
RampartPolicyData rpd = rmd.getPolicyData();
SOAPEnvelope envelope = rmd.getMsgContext().getEnvelope();
@@ -833,9 +834,16 @@
while (nodesIter.hasNext())
{
OMElement e = (OMElement)nodesIter.next();
-
- encryptedPartsElements.add(new WSEncryptionPart(e.getLocalName(), e.getNamespace().getNamespaceURI(), "Content"));
-
+
+ WSEncryptionPart encryptedElem = new WSEncryptionPart(e.getLocalName(), e.getNamespace().getNamespaceURI(), "Content");
+ OMAttribute wsuId = e.getAttribute(new QName(WSConstants.WSU_NS, "Id"));
+
+ if ( wsuId != null ) {
+ encryptedElem.setEncId(wsuId.getAttributeValue());
+ }
+
+ encryptedPartsElements.add(encryptedElem);
+
}
} catch (JaxenException e) {
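Review bot: The "read wsu:Id and copy it into the part's encId" sequence added here is repeated verbatim in the hunks ending at the `}` lines after the `result.add(encryptedHeader);`, `result.add( wsep );` and `result.add(encryptedElem);` statements further down this file; a small private helper would keep the four call sites in step. Note also that an element without a wsu:Id leaves encId null, and the validator loop added in PolicyBasedResultsValidator in this same commit rejects a null encId as "encryptedPartMissing", so it is worth confirming that every element reaching these loops carries a wsu:Id. The enclosing method starts outside the hunk.
```java
/** Copies the element's wsu:Id, when present, into the part's encId so it can later be matched against encryption references. */
private static void setEncIdFromWsuId(OMElement e, WSEncryptionPart part) {
    OMAttribute wsuId = e.getAttribute(new QName(WSConstants.WSU_NS, "Id"));
    if (wsuId != null) {
        part.setEncId(wsuId.getAttributeValue());
    }
}
// … unchanged: loop over XPath-selected elements, calling setEncIdFromWsuId(e, encryptedElem) before encryptedPartsElements.add(encryptedElem) …
```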
@@ -859,7 +867,7 @@
if( sign ) {
result.add(new WSEncryptionPart(addWsuIdToElement(envelope.getBody())));
} else {
- result.add(new WSEncryptionPart(addWsuIdToElement(envelope.getBody()), "Content"));
+ result.add(new WSEncryptionPart(addWsuIdToElement(envelope.getBody()), "Content", WSConstants.PART_TYPE_BODY));
}
found.add( envelope.getBody() );
}
@@ -887,7 +895,15 @@
if( sign ) {
result.add(new WSEncryptionPart(e.getLocalName(), wsep.getNamespace(), "Content"));
} else {
- result.add(new WSEncryptionPart(e.getLocalName(), wsep.getNamespace(), "Element"));
+
+ WSEncryptionPart encryptedHeader = new WSEncryptionPart(e.getLocalName(), wsep.getNamespace(), "Element", WSConstants.PART_TYPE_HEADER);
+ OMAttribute wsuId = e.getAttribute(new QName(WSConstants.WSU_NS, "Id"));
+
+ if ( wsuId != null ) {
+ encryptedHeader.setEncId(wsuId.getAttributeValue());
+ }
+
+ result.add(encryptedHeader);
}
}
}
@@ -897,7 +913,14 @@
if( e != null ) {
if( ! found.contains( e ) ) {
// found new (reuse wsep)
- found.add( e );
+ found.add( e );
+ wsep.setType(WSConstants.PART_TYPE_HEADER);
+ OMAttribute wsuId = e.getAttribute(new QName(WSConstants.WSU_NS, "Id"));
+
+ if ( wsuId != null ) {
+ wsep.setEncId(wsuId.getAttributeValue());
+ }
+
result.add( wsep );
}
}
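Review bot: `wsep.setType(WSConstants.PART_TYPE_HEADER)` and `wsep.setEncId(...)` mutate the object the surrounding comment says is being reused; if `wsep` is the WSEncryptionPart instance held by the policy data (its origin is outside the hunk), a per-message wsu:Id is being written into a long-lived shared object and would carry over to later messages and threads. Building a fresh part avoids that: `WSEncryptionPart part = new WSEncryptionPart(wsep.getName(), wsep.getNamespace(), wsep.getEncModifier(), WSConstants.PART_TYPE_HEADER);` with the encId set on `part` and `result.add( part );`. Please confirm where `wsep` comes from before changing it; the enclosing method continues outside the hunk.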
@@ -930,10 +953,19 @@
{
OMElement e = (OMElement)nodesIter.next();
- if (sign)
+ if (sign) {
result.add(new WSEncryptionPart(e.getLocalName(), e.getNamespace().getNamespaceURI(), "Content"));
- else
- result.add(new WSEncryptionPart(e.getLocalName(), e.getNamespace().getNamespaceURI(), "Element"));
+ } else {
+
+ WSEncryptionPart encryptedElem = new WSEncryptionPart(e.getLocalName(), e.getNamespace().getNamespaceURI(), "Element");
+ OMAttribute wsuId = e.getAttribute(new QName(WSConstants.WSU_NS, "Id"));
+
+ if ( wsuId != null ) {
+ encryptedElem.setEncId(wsuId.getAttributeValue());
+ }
+
+ result.add(encryptedElem);
+ }
}
} catch (JaxenException e) {
@@ -1298,7 +1330,8 @@
* @param rpd
* @return true if a security header is required in the incoming message
*/
- public static boolean isSecHeaderRequired(RampartPolicyData rpd, boolean initiator ) {
+ public static boolean isSecHeaderRequired(RampartPolicyData rpd, boolean initiator,
+ boolean inflow ) {
// Checking for time stamp
if ( rpd.isIncludeTimestamp() ) {
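Review bot: The Javadoc above `isSecHeaderRequired` still documents only `@param rpd` while the signature now has three parameters, so the meaning of the new `inflow` flag is recoverable only from the condition in the following hunk. Suggest adding `@param initiator true when this side initiated the exchange (from rmd.isInitiator() at the call sites)` and `@param inflow true when the incoming message is being checked, false for the outgoing one`, the latter matching the call sites changed in this commit (true in RampartEngine and PostDispatchVerificationHandler, false in MessageBuilder). The `@return` sentence "required in the incoming message" is now inaccurate for `inflow == false`. The method body continues outside the hunk.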
@@ -1320,7 +1353,7 @@
// Checking for supporting tokens
SupportingToken supportingTokens;
- if (!initiator) {
+ if (!initiator && inflow || initiator && !inflow ) {
supportingTokens = rpd.getSupportingTokens();
if (supportingTokens != null && supportingTokens.getTokens().size() != 0) {
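Review bot: `!initiator && inflow || initiator && !inflow` relies on `&&` binding tighter than `||` and takes a moment to decode; it is simply `initiator != inflow`. Suggest `if (initiator != inflow) { // initiator's outflow or recipient's inflow` so the case being selected is stated. The enclosing method starts and ends outside the hunk.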
@@ -1387,6 +1420,40 @@
}
+ }
+
+ public static String getSigElementId(RampartMessageData rmd) {
+
+ SOAPEnvelope envelope = rmd.getMsgContext().getEnvelope();
+
+ SOAPHeader header = envelope.getHeader();
+
+ if (header == null ) {
+ return null;
+ }
+
+ ArrayList secHeaders = header.getHeaderBlocksWithNSURI(WSConstants.WSSE_NS);
+
+ if (secHeaders != null && secHeaders.size() > 0) {
+ QName sigQName = new QName(Constants.SignatureSpecNS,Constants._TAG_SIGNATURE);
+ QName wsuIdQName = new QName(WSConstants.WSU_NS,"Id");
+ OMElement sigElem = ((SOAPHeaderBlock)secHeaders.get(0)).getFirstChildWithName(sigQName);
+ OMAttribute wsuId = sigElem.getAttribute(wsuIdQName);
+
+ if (wsuId != null) {
+ return wsuId.getAttributeValue();
+ }
+
+ wsuId = sigElem.getAttribute(new QName("Id"));
+
+ if (wsuId != null) {
+ return wsuId.getAttributeValue();
+ }
+
+
+ }
+
+ return null;
}
}
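Review bot: `getSigElementId` dereferences `sigElem` on the `sigElem.getAttribute(wsuIdQName)` line without checking it, and `getFirstChildWithName` returns null when the first Security header has no ds:Signature child, so a message without a signature raises a NullPointerException instead of yielding null. Add `if (sigElem == null) { return null; }` directly after the `OMElement sigElem = ...` line. Only `secHeaders.get(0)` is inspected, so a Signature in a second wsse:Security header (for another actor/role) is not found; if that is intended, a Javadoc line such as `Returns the wsu:Id (or plain Id) of the ds:Signature in the first wsse:Security header, or null if there is none` would make the contract explicit.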