Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2009/06/08 13:15:13 UTC
svn commit: r782593 - in /webservices/wss4j/trunk:
src/org/apache/ws/security/action/ src/org/apache/ws/security/handler/
test/wssec/
Author: coheigea
Date: Mon Jun 8 11:15:13 2009
New Revision: 782593
URL: http://svn.apache.org/viewvc?rev=782593&view=rev
Log:
[WSS-194] - Support overriding KeyStore alias for signature so that it can be different than user name used for UsernameToken
- I added WSHandlerConstants.SIGNATURE_USER to specify a different "signature user" from WSHandlerConstants.USER
- This is consistent with the previous pattern of ENCRYPTION_USER
- A side-effect is that the SignatureAction now relies on RequestData.getSignatureUser() rather than getUser
- Added a test for this issue as well.
Added:
webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java (with props)
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/action/SignatureAction.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java
webservices/wss4j/trunk/test/wssec/PackageTests.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/action/SignatureAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/action/SignatureAction.java?rev=782593&r1=782592&r2=782593&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/action/SignatureAction.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/action/SignatureAction.java Mon Jun 8 11:15:13 2009
@@ -32,7 +32,7 @@
throws WSSecurityException {
WSPasswordCallback pwcb =
handler.getPassword(
- reqData.getUsername(),
+ reqData.getSignatureUser(),
actionToDo,
WSHandlerConstants.PW_CALLBACK_CLASS,
WSHandlerConstants.PW_CALLBACK_REF, reqData
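Review bot: `reqData.getSignatureUser()` is now the identifier handed to `handler.getPassword(...)`, but that value is only populated by `WSHandler.decodeSignatureParameter`, so any `RequestData` that reaches this action without having gone through that decode step (for example via a `WSHandler` subclass that overrides `decodeSignatureParameter` without calling super) passes a null identifier to the password callback, and the same null reaches `setUserInfo` in the second hunk of this file, where the old code always had the username. A local fallback preserves the previous behaviour: `String user = reqData.getSignatureUser(); if (user == null) { user = reqData.getUsername(); }` and pass `user` in both places. A `CallbackHandler` that releases passwords by identifier alone will now be asked for the keystore alias under signature usage, so handlers should key on usage as well as identifier, as the new test's `handle` method does. The enclosing method starts and ends outside this hunk.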
@@ -50,7 +50,7 @@
wsSign.setDigestAlgo(reqData.getSigDigestAlgorithm());
}
- wsSign.setUserInfo(reqData.getUsername(), pwcb.getPassword());
+ wsSign.setUserInfo(reqData.getSignatureUser(), pwcb.getPassword());
if (reqData.getSignatureParts().size() > 0) {
wsSign.setParts(reqData.getSignatureParts());
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java?rev=782593&r1=782592&r2=782593&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java Mon Jun 8 11:15:13 2009
@@ -53,6 +53,7 @@
private String encSymmAlgo = null;
private String encKeyTransport = null;
private String encUser = null;
+ private String signatureUser = null;
private List encryptParts = new Vector();
private X509Certificate encCert = null;
private int timeToLive = 300; // Timestamp: time in seconds between creation and expiry
@@ -73,6 +74,7 @@
signatureValues.clear();
signatureDigestAlgorithm = null;
encSymmetricEncryptionKey = true;
+ signatureUser = null;
}
public Object getMsgContext() {
@@ -182,6 +184,14 @@
public List getSignatureParts() {
return signatureParts;
}
+
+ public String getSignatureUser() {
+ return signatureUser;
+ }
+
+ public void setSignatureUser(String signatureUser) {
+ this.signatureUser = signatureUser;
+ }
public Crypto getEncCrypto() {
return encCrypto;
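Review bot: `getSignatureUser()` and `setSignatureUser(String)` carry no Javadoc, unlike the handler constants they back, and a reader of this class cannot tell that the value stays null until `WSHandler.decodeSignatureParameter` has run. Suggest a Javadoc on the getter along the lines of `/** Keystore alias used for signing; set by the handler from SIGNATURE_USER, falling back to the username, and reset to null together with the other per-request fields. */`, with a matching one-liner on the setter.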
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java?rev=782593&r1=782592&r2=782593&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java Mon Jun 8 11:15:13 2009
@@ -521,6 +521,14 @@
protected void decodeSignatureParameter(RequestData reqData)
throws WSSecurityException {
Object mc = reqData.getMsgContext();
+ String signatureUser = getString(WSHandlerConstants.SIGNATURE_USER, mc);
+
+ if (signatureUser != null) {
+ reqData.setSignatureUser(signatureUser);
+ } else {
+ reqData.setSignatureUser(reqData.getUsername());
+ }
+
String keyId = getString(WSHandlerConstants.SIG_KEY_ID, mc);
if (keyId != null) {
Integer id = (Integer) WSHandlerConstants.keyIdentifier.get(keyId);
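Review bot: The resolution order introduced at the top of the method (`SIGNATURE_USER` if present, otherwise the username already held by `reqData`) is not recorded anywhere, and because `decodeSignatureParameter` is `protected`, an overriding handler that skips super leaves `reqData.getSignatureUser()` null for `SignatureAction`, which now depends on it. A comment above the new block makes the contract visible: `// Keystore alias for signing: SIGNATURE_USER overrides USER. SignatureAction reads getSignatureUser(), so overriders must keep this populated.` The method continues past the end of the hunk.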
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java?rev=782593&r1=782592&r2=782593&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java Mon Jun 8 11:15:13 2009
@@ -180,7 +180,7 @@
* </li>
* <li>The <i>Signing</i> function uses this name as the alias name
* in the keystore to get user's certificate and private key to
- * perform signing.
+ * perform signing if {@link #SIGNATURE_USER} is not used.
* </li>
* <li>The <i>encryption</i>
* functions uses this parameter as fallback if {@link #ENCRYPTION_USER}
@@ -298,18 +298,36 @@
* Encryption only does not authenticate a user / sender, therefore it
* does not need a password.
* <p/>
- * Placing the username of the encryption certficate in the WSDD is not
+ * Placing the username of the encryption certificate in the WSDD is not
* a security risk, because the public key of that certificate is used
* only.
* <p/>
* The application may set this parameter using the following method:
* <pre>
- * call.setProperty(WSHandlerConstants.ENCYRPTION_USER, "encryptionuser");
+ * call.setProperty(WSHandlerConstants.ENCYRPTION_USER, "encryptionUser");
* </pre>
* However, the parameter in the WSDD deployment file overwrites the
* property setting (deployment setting overwrites application setting).
*/
public static final String ENCRYPTION_USER = "encryptionUser";
+
+ /**
+ * The user's name for signature.
+ * <p/>
+ * This name is used as the alias name in the keystore to get user's
+ * certificate and private key to perform signing.
+ * <p/>
+ * If this parameter is not set, then the signature
+ * function falls back to the {@link #USER} parameter.
+ * <p/>
+ * The application may set this parameter using the following method:
+ * <pre>
+ * call.setProperty(WSHandlerConstants.SIGNATURE_USER, "signatureUser");
+ * </pre>
+ * However, the parameter in the WSDD deployment file overwrites the
+ * property setting (deployment setting overwrites application setting).
+ */
+ public static final String SIGNATURE_USER = "signatureUser";
/**
* Specifying this name as {@link #ENCRYPTION_USER}
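Review bot: The example in the `ENCRYPTION_USER` Javadoc at the rewritten `call.setProperty` line still refers to a constant that does not exist, `ENCYRPTION_USER`; since the line is being touched anyway it should read `call.setProperty(WSHandlerConstants.ENCRYPTION_USER, "encryptionUser");`. The new `SIGNATURE_USER` Javadoc would also help callback-handler authors if it stated that this alias, not `USER`, is the identifier the password callback receives for signature usage, which is what `SignatureAction` now passes to `getPassword`.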
Modified: webservices/wss4j/trunk/test/wssec/PackageTests.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/PackageTests.java?rev=782593&r1=782592&r2=782593&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/PackageTests.java (original)
+++ webservices/wss4j/trunk/test/wssec/PackageTests.java Mon Jun 8 11:15:13 2009
@@ -74,6 +74,7 @@
suite.addTestSuite(TestWSSecurityResultsOrder.class);
suite.addTestSuite(TestWSSecurityWSS178.class);
suite.addTestSuite(SignatureConfirmationTest.class);
+ suite.addTestSuite(TestWSSecurityWSS194.class);
return suite;
}
Added: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java?rev=782593&view=auto
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java (added)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java Mon Jun 8 11:15:13 2009
@@ -0,0 +1,180 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package wssec;
+
+import java.io.IOException;
+import java.util.List;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.w3c.dom.Document;
+
+
+/**
+ * This is a test for WSS-194 - "Support overriding KeyStore alias for signature so that it can
+ * be different than user name used for UsernameToken".
+ */
+public class TestWSSecurityWSS194 extends TestCase implements CallbackHandler {
+
+ private static final Log LOG = LogFactory.getLog(TestWSSecurityWSS194.class);
+ private static final String SOAPMSG =
+ "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+ + "<SOAP-ENV:Envelope "
+ + "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" "
+ + "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
+ + "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"
+ + "<SOAP-ENV:Body>"
+ + "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">"
+ + "<value xmlns=\"\">15</value>"
+ + "</add>"
+ + "</SOAP-ENV:Body>"
+ + "</SOAP-ENV:Envelope>";
+ private WSSecurityEngine secEngine = new WSSecurityEngine();
+
+ /**
+ * TestWSSecurity constructor
+ * <p/>
+ *
+ * @param name name of the test
+ */
+ public TestWSSecurityWSS194(String name) {
+ super(name);
+ }
+
+ /**
+ * JUnit suite
+ * <p/>
+ *
+ * @return a junit test suite
+ */
+ public static Test suite() {
+ return new TestSuite(TestWSSecurityWSS194.class);
+ }
+
+ /**
+ * Test involving adding a Username Token to a SOAP message and signing it, where the
+ * private key for signature is extracted from the KeyStore using a different username/alias
+ * to the UsernameToken.
+ */
+ public void
+ testUsernameTokenSignatureHandler() throws Exception {
+ final WSSConfig cfg = WSSConfig.getNewInstance();
+ final RequestData reqData = new RequestData();
+ reqData.setWssConfig(cfg);
+ reqData.setUsername("alice");
+ reqData.setPwType(WSConstants.PASSWORD_TEXT);
+ java.util.Map messageContext = new java.util.TreeMap();
+ messageContext.put(
+ WSHandlerConstants.PW_CALLBACK_REF,
+ this
+ );
+ messageContext.put(WSHandlerConstants.SIGNATURE_USER, "wss40");
+ messageContext.put(WSHandlerConstants.SIG_PROP_FILE, "wss40.properties");
+ messageContext.put(
+ WSHandlerConstants.SIGNATURE_PARTS,
+ "{}{" + WSConstants.WSSE_NS + "}" + "UsernameToken"
+ );
+ messageContext.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+ reqData.setMsgContext(messageContext);
+
+ final java.util.List actions = new java.util.Vector();
+ actions.add(new Integer(WSConstants.UT));
+ actions.add(new Integer(WSConstants.SIGN));
+ final Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
+ MyHandler handler = new MyHandler();
+ handler.send(
+ WSConstants.UT | WSConstants.SIGN,
+ doc,
+ reqData,
+ actions,
+ true
+ );
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("After Signing....");
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+
+ verify(doc);
+
+ }
+
+
+ /**
+ * Verifies the soap envelope
+ * <p/>
+ *
+ * @param doc
+ * @throws Exception Thrown when there is a problem in verification
+ */
+ private List verify(Document doc) throws Exception {
+ List results =
+ secEngine.processSecurityHeader(
+ doc, null, this, CryptoFactory.getInstance("wss40CA.properties")
+ );
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Verfied and decrypted message:");
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+ return results;
+ }
+
+
+ public void handle(Callback[] callbacks)
+ throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof WSPasswordCallback) {
+ WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
+ if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN
+ && "alice".equals(pc.getIdentifier())) {
+ pc.setPassword("verySecret");
+ } else if (pc.getUsage() == WSPasswordCallback.SIGNATURE
+ && "wss40".equals(pc.getIdentifier())) {
+ pc.setPassword("security");
+ } else {
+ throw new IOException("Authentication failed");
+ }
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+ }
+ }
+ }
+
+
+}
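Review bot: The `List` returned by `verify(doc)` is discarded in `testUsernameTokenSignatureHandler`, so the only thing pinning the behaviour under test is the `IOException("Authentication failed")` branch in `handle`; nothing asserts that the processed header actually contains a signature result or that it was verified against the wss40 certificate. Capture the results, `List results = verify(doc);`, and assert that a SIGN result is present whose certificate subject is the expected wss40 one. The `@param doc` tag in `verify`'s Javadoc is empty, and the debug message `"Verfied and decrypted message:"` is misspelled.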
Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java
------------------------------------------------------------------------------
svn:keywords = Rev Date