Posted to commits@ws.apache.org by co...@apache.org on 2019/06/17 11:37:44 UTC
svn commit: r1861502 - in /webservices/wss4j/trunk:
ws-security-common/src/main/java/org/apache/wss4j/common/util/
ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/
ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ ws-securi...
Author: coheigea
Date: Mon Jun 17 11:37:44 2019
New Revision: 1861502
URL: http://svn.apache.org/viewvc?rev=1861502&view=rev
Log:
Remove storing raw password in UsernameToken
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java?rev=1861502&r1=1861501&r2=1861502&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java Mon Jun 17 11:37:44 2019
@@ -19,10 +19,16 @@
package org.apache.wss4j.common.util;
+import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
@@ -170,4 +176,28 @@ public final class UsernameTokenUtil {
return passwdDigest;
}
+ /**
+ * Get the raw (plain text) password used to compute secret key.
+ */
+ public static String getRawPassword(CallbackHandler callbackHandler, String username,
+ String password, String passwordType) throws WSSecurityException {
+ if (callbackHandler == null) {
+ LOG.debug("CallbackHandler is null");
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
+
+ WSPasswordCallback pwCb =
+ new WSPasswordCallback(
+ username, password, passwordType, WSPasswordCallback.USERNAME_TOKEN
+ );
+ try {
+ callbackHandler.handle(new Callback[]{pwCb});
+ } catch (IOException | UnsupportedCallbackException e) {
+ LOG.debug(e.getMessage(), e);
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e
+ );
+ }
+ return pwCb.getPassword();
+ }
}
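Review bot: The Javadoc on the new `getRawPassword` (L40-42) does not say that the returned value can be null — the method returns whatever the CallbackHandler left in the WSPasswordCallback, and nothing here checks it — nor that a null handler or a handler failure surfaces as a WSSecurityException with FAILED_AUTHENTICATION, so callers such as getDerivedKey must still null-check the result. I would expand it with `@param` tags for the four arguments (noting that `password` is the value carried in the token, which on the derived-key call sites in this commit is null and is expected to be filled in by the handler), a `@return` stating "the plain-text password as set by the handler, or null if it set none", and a `@throws` covering both failure cases. It is also worth a one-line caveat that, because WSPasswordCallback hands back an immutable String, the plain-text password cannot be wiped from memory after use — this commit removes the long-lived field, but callers should keep the returned value's scope as narrow as possible. `LOG` is referenced on L46 and L57 but declared outside the hunk.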
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java?rev=1861502&r1=1861501&r2=1861502&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/UsernameToken.java Mon Jun 17 11:37:44 2019
@@ -19,7 +19,6 @@
package org.apache.wss4j.dom.message.token;
-import java.io.IOException;
import java.security.Principal;
import java.time.Instant;
import java.time.ZoneOffset;
@@ -29,14 +28,10 @@ import java.time.format.DateTimeParseExc
import java.util.Arrays;
import java.util.List;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.namespace.QName;
import org.apache.wss4j.common.bsp.BSPEnforcer;
import org.apache.wss4j.common.bsp.BSPRule;
-import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl;
import org.apache.wss4j.common.util.DOM2Writer;
@@ -77,7 +72,6 @@ public class UsernameToken {
private Element elementIteration;
private String passwordType;
private boolean hashed = true;
- private String rawPassword; // enhancement by Alberto Coletti
private boolean passwordsAreEncoded;
private Instant created;
@@ -494,7 +488,6 @@ public class UsernameToken {
}
}
- rawPassword = pwd; // enhancement by Alberto coletti
Text node = getFirstNode(elementPassword);
try {
if (hashed) {
@@ -517,31 +510,6 @@ public class UsernameToken {
}
/**
- * Set the raw (plain text) password used to compute secret key.
- */
- public void setRawPassword(CallbackHandler callbackHandler) throws WSSecurityException {
- if (callbackHandler == null) {
- LOG.debug("CallbackHandler is null");
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
- }
-
- WSPasswordCallback pwCb =
- new WSPasswordCallback(
- getName(), getPassword(), getPasswordType(),
- WSPasswordCallback.USERNAME_TOKEN
- );
- try {
- callbackHandler.handle(new Callback[]{pwCb});
- } catch (IOException | UnsupportedCallbackException e) {
- LOG.debug(e.getMessage(), e);
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, e
- );
- }
- rawPassword = pwCb.getPassword();
- }
-
- /**
* @param passwordsAreEncoded whether passwords are encoded
*/
public void setPasswordsAreEncoded(boolean passwordsAreEncoded) {
@@ -609,10 +577,11 @@ public class UsernameToken {
/**
* This method gets a derived key as defined in WSS Username Token Profile.
*
+ * @param rawPassword The raw password to use to derive the key
* @return Returns the derived key as a byte array
* @throws WSSecurityException
*/
- public byte[] getDerivedKey(BSPEnforcer bspEnforcer) throws WSSecurityException {
+ public byte[] getDerivedKey(BSPEnforcer bspEnforcer, String rawPassword) throws WSSecurityException {
if (rawPassword == null) {
LOG.debug("The raw password was null");
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
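Review bot: The Javadoc at L138 gains a `@param rawPassword`, but the `@throws WSSecurityException` on L140 is still left without a description, even though the lines immediately below show the first thing the method does is reject a null password with FAILED_AUTHENTICATION. I would change the two tags to `@param rawPassword The plain-text password supplied by the CallbackHandler (see UsernameTokenUtil.getRawPassword); must not be null` and `@throws WSSecurityException with FAILED_AUTHENTICATION if rawPassword is null, and presumably for derivation failures further down the body`. Since the single-argument `getDerivedKey(BSPEnforcer)` is removed rather than deprecated, external callers compiled against it will break; if that is intended it deserves a mention in the release notes. The rest of getDerivedKey's body lies outside the hunk.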
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java?rev=1861502&r1=1861501&r2=1861502&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/UsernameTokenProcessor.java Mon Jun 17 11:37:44 2019
@@ -24,6 +24,7 @@ import java.util.List;
import org.apache.wss4j.common.principal.SAMLTokenPrincipalImpl;
import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
import org.w3c.dom.Element;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.ext.WSSecurityException;
@@ -67,8 +68,10 @@ public class UsernameTokenProcessor impl
if (token.getPassword() == null) {
action = WSConstants.UT_NOPASSWORD;
if (token.isDerivedKey()) {
- token.setRawPassword(data.getCallbackHandler());
- secretKey = token.getDerivedKey(data.getBSPEnforcer());
+ String rawPassword =
+ UsernameTokenUtil.getRawPassword(data.getCallbackHandler(), token.getName(),
+ token.getPassword(), token.getPasswordType());
+ secretKey = token.getDerivedKey(data.getBSPEnforcer(), rawPassword);
}
}
WSSecurityEngineResult result = new WSSecurityEngineResult(action, token);
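Review bot: At L166-167 the call passes `token.getPassword()` as the password argument even though the guard on L160 has just established that it is null, which leaves a reader wondering whether a real value is expected there; either pass `null` explicitly or add a comment such as `// the token carries no password; the CallbackHandler must supply it for key derivation`. The plain-text `rawPassword` local is confined to the derived-key branch, which is the narrowest possible scope for it — keep it that way if this block is refactored later. The enclosing method starts before the hunk.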
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java?rev=1861502&r1=1861501&r2=1861502&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SecurityTokenRefSTRParser.java Mon Jun 17 11:37:44 2019
@@ -33,6 +33,7 @@ import org.apache.wss4j.common.token.Bin
import org.apache.wss4j.common.token.Reference;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.util.KeyUtils;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDocInfo;
@@ -149,8 +150,10 @@ public class SecurityTokenRefSTRParser i
UsernameToken usernameToken =
(UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
- usernameToken.setRawPassword(data.getCallbackHandler());
- byte[] secretKey = usernameToken.getDerivedKey(data.getBSPEnforcer());
+ String rawPassword =
+ UsernameTokenUtil.getRawPassword(data.getCallbackHandler(), usernameToken.getName(),
+ usernameToken.getPassword(), usernameToken.getPasswordType());
+ byte[] secretKey = usernameToken.getDerivedKey(data.getBSPEnforcer(), rawPassword);
parserResult.setSecretKey(secretKey);
}
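Review bot: The derived key is recomputed here by invoking the CallbackHandler a second time (L190-193), whereas the equivalent branch in SignatureSTRParser (L205 of this commit) takes the secret from `result.get(WSSecurityEngineResult.TAG_SECRET)` without touching the handler. If UsernameTokenProcessor stores the derived key under TAG_SECRET — I cannot confirm that from the hunk — the same lookup would avoid re-materialising the plain-text password and a second round-trip to the handler: `byte[] secretKey = (byte[]) result.get(WSSecurityEngineResult.TAG_SECRET);`, falling back to the current derivation only when that entry is null. The enclosing method begins outside the hunk.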
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java?rev=1861502&r1=1861501&r2=1861502&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/str/SignatureSTRParser.java Mon Jun 17 11:37:44 2019
@@ -253,7 +253,6 @@ public class SignatureSTRParser implemen
UsernameToken usernameToken =
(UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
- usernameToken.setRawPassword(data.getCallbackHandler());
parserResult.setSecretKey((byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
parserResult.setPrincipal(usernameToken.createPrincipal());