Posted to commits@cxf.apache.org by co...@apache.org on 2013/09/19 13:03:22 UTC
svn commit: r1524689 - in /cxf/branches/2.7.x-fixes:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/
systests/w...
Author: coheigea
Date: Thu Sep 19 11:03:21 2013
New Revision: 1524689
URL: http://svn.apache.org/r1524689
Log:
[CXF-5291] - Only activate ws-security caching if it is required
Conflicts:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client/client.xml
Modified:
cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client/client.xml
cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server/server.xml
Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1524689&r1=1524688&r2=1524689&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java (original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java Thu Sep 19 11:03:21 2013
@@ -170,7 +170,9 @@ public final class SecurityConstants {
/**
* Whether to cache UsernameToken nonces. The default value is "true" for message recipients, and
* "false" for message initiators. Set it to true to cache for both cases. Set this to "false" to
- * not cache UsernameToken nonces.
+ * not cache UsernameToken nonces. Note that caching only applies when either a UsernameToken
+ * WS-SecurityPolicy is in effect, or else that a UsernameToken action has been configured
+ * for the non-security-policy case.
*/
public static final String ENABLE_NONCE_CACHE = "ws-security.enable.nonce.cache";
@@ -178,6 +180,8 @@ public final class SecurityConstants {
* Whether to cache Timestamp Created Strings (these are only cached in conjunction with a message
* Signature).The default value is "true" for message recipients, and "false" for message initiators.
* Set it to true to cache for both cases. Set this to "false" to not cache Timestamp Created Strings.
+ * Note that caching only applies when either a "IncludeTimestamp" policy is in effect, or
+ * else that a Timestamp action has been configured for the non-security-policy case.
*/
public static final String ENABLE_TIMESTAMP_CACHE = "ws-security.enable.timestamp.cache";
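Review bot: `a "IncludeTimestamp" policy` in the added Javadoc should read `an "IncludeTimestamp" policy`; the parallel sentence added to the `ENABLE_NONCE_CACHE` Javadoc in the previous hunk is fine. It would also help users of both properties to say outright that when no UsernameToken or Timestamp is expected the cache is simply not created, whatever the property is set to, since that is the behavioural change this commit introduces and the one a deployer setting the property to "true" will notice.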
Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1524689&r1=1524688&r2=1524689&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Thu Sep 19 11:03:21 2013
@@ -279,6 +279,40 @@ public class PolicyBasedWSS4JInIntercept
return action;
}
+ /**
+ * Is a Nonce Cache required, i.e. are we expecting a UsernameToken
+ */
+ @Override
+ protected boolean isNonceCacheRequired(int doAction, SoapMessage msg) {
+ AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
+ if (aim != null) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
+
+ if (ais != null && !ais.isEmpty()) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ /**
+ * Is a Timestamp cache required, i.e. are we expecting a Timestamp
+ */
+ @Override
+ protected boolean isTimestampCacheRequired(int doAction, SoapMessage msg) {
+ AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
+ if (aim != null) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.INCLUDE_TIMESTAMP);
+
+ if (ais != null && !ais.isEmpty()) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
private void checkUsernameToken(
AssertionInfoMap aim, SoapMessage message
) throws WSSecurityException {
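Review bot: `isNonceCacheRequired` and `isTimestampCacheRequired` look up the assertion only under the SP 1.2 QNames (`SP12Constants.USERNAME_TOKEN`, `SP12Constants.INCLUDE_TIMESTAMP`), so a policy written against the SP 1.1 namespace, if this branch still accepts one, would silently get no replay cache for a UsernameToken or Timestamp that is nevertheless processed; worth confirming against how the rest of this interceptor resolves assertions and, if both namespaces are handled elsewhere, matching that here. Both overrides also ignore `doAction`; a one-line comment such as `// the configured action is irrelevant here: the policy alone decides whether the token is expected` would make that deliberate rather than accidental. The `ais != null && !ais.isEmpty()` test reports the cache as required whenever the assertion is present in the map, whether or not it is ultimately asserted for this message, which is the safe direction. `checkUsernameToken`, whose signature closes the hunk, continues outside it.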
Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1524689&r1=1524688&r2=1524689&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Thu Sep 19 11:03:21 2013
@@ -249,17 +249,22 @@ public class WSS4JInInterceptor extends
}
// Configure replay caching
- ReplayCache nonceCache =
- getReplayCache(
- msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
- );
- reqData.setNonceReplayCache(nonceCache);
- ReplayCache timestampCache =
- getReplayCache(
- msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
- );
- reqData.setTimestampReplayCache(timestampCache);
-
+ if (isNonceCacheRequired(doAction, msg)) {
+ ReplayCache nonceCache =
+ getReplayCache(
+ msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
+ );
+ reqData.setNonceReplayCache(nonceCache);
+ }
+
+ if (isTimestampCacheRequired(doAction, msg)) {
+ ReplayCache timestampCache =
+ getReplayCache(
+ msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
+ );
+ reqData.setTimestampReplayCache(timestampCache);
+ }
+
/*
* Get and check the Signature specific parameters first because
* they may be used for encryption too.
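Review bot: When `isNonceCacheRequired` or `isTimestampCacheRequired` returns false, `reqData` now carries no replay cache at all, so a UsernameToken or Timestamp that a sender includes without it being a configured action is handed to the WSS4J processors with no replay detection; presumably the later action-matching check rejects such a message, but that has become a correctness dependency and should be stated where the caches are skipped, e.g. `// No cache when the token is not expected: an unexpected UsernameToken/Timestamp must be rejected by the action check, not by replay detection.` The gating assumes `doAction` is the fully resolved action mask for this message, computed earlier in the enclosing method, which starts and ends outside the hunk. The same assumption applies to the PolicyBased overrides added in this commit.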
@@ -433,6 +438,27 @@ public class WSS4JInInterceptor extends
}
/**
+ * Is a Nonce Cache required, i.e. are we expecting a UsernameToken
+ */
+ protected boolean isNonceCacheRequired(int doAction, SoapMessage msg) {
+ if ((doAction & WSConstants.UT) == WSConstants.UT
+ || (doAction & WSConstants.UT_NOPASSWORD) == WSConstants.UT_NOPASSWORD) {
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Is a Timestamp cache required, i.e. are we expecting a Timestamp
+ */
+ protected boolean isTimestampCacheRequired(int doAction, SoapMessage msg) {
+ if ((doAction & WSConstants.TS) == WSConstants.TS) {
+ return true;
+ }
+ return false;
+ }
+
+ /**
* Set a WSS4J AlgorithmSuite object on the RequestData context, to restrict the
* algorithms that are allowed for encryption, signature, etc.
*/
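Review bot: Both new defaults use the `if (cond) { return true; } return false;` form; `return (doAction & WSConstants.UT) == WSConstants.UT || (doAction & WSConstants.UT_NOPASSWORD) == WSConstants.UT_NOPASSWORD;` and `return (doAction & WSConstants.TS) == WSConstants.TS;` say the same thing in one line each and make it plainer that `msg` exists only for subclasses (the PolicyBased override in this commit reads it). The Javadoc should spell out that contract: `@param doAction the resolved WSS4J action mask for this message`, `@param msg the inbound message, for overrides that need policy or property lookups`, and that returning true only decides whether a cache is created, while `ws-security.enable.nonce.cache` / `ws-security.enable.timestamp.cache` still decide whether it is enabled. The SecurityConstants Javadoc changed in this commit says Timestamps are only cached together with a Signature, whereas `isTimestampCacheRequired` gates on `TS` alone; at most that allocates a cache that is never consulted, but a short comment noting the asymmetry would save the next reader the question of whether `SIGN` was forgotten.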
Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java?rev=1524689&r1=1524688&r2=1524689&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java (original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java Thu Sep 19 11:03:21 2013
@@ -26,8 +26,11 @@ import javax.xml.ws.Service;
import org.apache.cxf.Bus;
import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.systest.ws.action.server.Server;
import org.apache.cxf.systest.ws.common.SecurityTestUtil;
+import org.apache.cxf.systest.ws.ut.SecurityHeaderCacheInterceptor;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.example.contract.doubleit.DoubleItPortType;
import org.junit.BeforeClass;
@@ -117,4 +120,76 @@ public class ActionTest extends Abstract
bus.shutdown(true);
}
+ @org.junit.Test
+ public void testUsernameTokenReplay() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ActionTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItUsernameTokenPort");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+
+ Client cxfClient = ClientProxy.getClient(port);
+ SecurityHeaderCacheInterceptor cacheInterceptor =
+ new SecurityHeaderCacheInterceptor();
+ cxfClient.getOutInterceptors().add(cacheInterceptor);
+
+ // Make two invocations with the same UsernameToken
+ port.doubleIt(25);
+ try {
+ port.doubleIt(25);
+ fail("Failure expected on a replayed UsernameToken");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ String error = "A replay attack has been detected";
+ assertTrue(ex.getMessage().contains(error));
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testSignedTimestampReplay() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ActionTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSignedTimestampPort");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+
+ Client cxfClient = ClientProxy.getClient(port);
+ SecurityHeaderCacheInterceptor cacheInterceptor =
+ new SecurityHeaderCacheInterceptor();
+ cxfClient.getOutInterceptors().add(cacheInterceptor);
+
+ // Make two invocations with the same SecurityHeader
+ port.doubleIt(25);
+ try {
+ port.doubleIt(25);
+ fail("Failure expected on a replayed Timestamp");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ String error = "A replay attack has been detected";
+ assertTrue(ex.getMessage().contains(error));
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
}
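Review bot: Neither new test asserts the first, expected-to-succeed `port.doubleIt(25)`, so a server that rejects every call would only be noticed through the message check on the second call; `assertEquals(50, port.doubleIt(25));` pins it (add the static import if `assertEquals` is not already imported alongside `fail`/`assertTrue`). If anything other than the expected `SOAPFaultException` is thrown, `port` is never closed and `bus.shutdown(true)` never runs because there is no `finally`, and since the bus is installed as the thread default a leaked one can bleed into later tests in the class. The two methods differ only in the port name and the fault text, so a private helper taking both removes the duplication and gives the cleanup a single home. The replay assertions pin the fault message `A replay attack has been detected` rather than a fault code, which is acceptable for a systest but will break on any rewording.
```java
private void assertReplayRejected(String portName, String expectedError) throws Exception {
    SpringBusFactory bf = new SpringBusFactory();
    URL busFile = ActionTest.class.getResource("client/client.xml");
    Bus bus = bf.createBus(busFile.toString());
    SpringBusFactory.setDefaultBus(bus);
    SpringBusFactory.setThreadDefaultBus(bus);
    try {
        URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
        Service service = Service.create(wsdl, SERVICE_QNAME);
        DoubleItPortType port =
            service.getPort(new QName(NAMESPACE, portName), DoubleItPortType.class);
        updateAddressPort(port, PORT);
        ClientProxy.getClient(port).getOutInterceptors().add(new SecurityHeaderCacheInterceptor());
        try {
            // The first call must succeed; the second replays the same security header
            assertEquals(50, port.doubleIt(25));
            try {
                port.doubleIt(25);
                fail("Failure expected on a replayed security header");
            } catch (javax.xml.ws.soap.SOAPFaultException ex) {
                assertTrue(ex.getMessage().contains(expectedError));
            }
        } finally {
            ((java.io.Closeable) port).close();
        }
    } finally {
        bus.shutdown(true);
    }
}
// … the two @Test methods reduce to one call each, e.g.
// assertReplayRejected("DoubleItUsernameTokenPort", "A replay attack has been detected");
```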
Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl?rev=1524689&r1=1524688&r2=1524689&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl (original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl Thu Sep 19 11:03:21 2013
@@ -57,6 +57,12 @@
<wsdl:port name="DoubleItUsernameTokenPort2" binding="tns:DoubleItNoSecurityBinding">
<soap:address location="http://localhost:9001/DoubleItUsernameToken2" />
</wsdl:port>
+ <wsdl:port name="DoubleItEncryptedPasswordPort" binding="tns:DoubleItNoSecurityBinding">
+ <soap:address location="http://localhost:9001/DoubleItEncryptedPassword" />
+ </wsdl:port>
+ <wsdl:port name="DoubleItSignedTimestampPort" binding="tns:DoubleItNoSecurityBinding">
+ <soap:address location="http://localhost:9001/DoubleItSignedTimestamp" />
+ </wsdl:port>
</wsdl:service>
</wsdl:definitions>
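Review bot: `DoubleItEncryptedPasswordPort` is added here and receives a client configuration in client.xml in this same commit, but server.xml adds only the `SignedTimestamp` endpoint and no test in ActionTest uses the port, so on this branch it appears to be dead configuration; given the conflicts listed in the log it was presumably carried over from the trunk change, and either the matching endpoint and test should follow or the port and its client entry be dropped. If it is kept for a later port of the test, a comment on the `wsdl:port` saying so would stop it being mistaken for an exercised configuration.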
Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client/client.xml?rev=1524689&r1=1524688&r2=1524689&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client/client.xml (original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client/client.xml Thu Sep 19 11:03:21 2013
@@ -81,4 +81,62 @@
</jaxws:outInterceptors>
</jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItEncryptedPasswordPort"
+ createdFromAPI="true">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Encrypt"/>
+ <entry key="passwordCallbackClass"
+ value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="encryptionPropFile" value="bob-enc.properties"/>
+ <entry key="encryptionUser" value="bob"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Encrypt"/>
+ <entry key="passwordCallbackClass"
+ value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="decryptionPropFile" value="alice-enc.properties"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:client>
+
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignedTimestampPort"
+ createdFromAPI="true">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature Timestamp"/>
+ <entry key="user" value="alice"/>
+ <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="signatureKeyIdentifier" value="DirectReference"/>
+ <entry key="signatureParts"
+ value="{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:client>
+
</beans>
Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server/server.xml?rev=1524689&r1=1524688&r2=1524689&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server/server.xml (original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server/server.xml Thu Sep 19 11:03:21 2013
@@ -122,4 +122,38 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="SignedTimestamp"
+ address="http://localhost:${testutil.ports.Server}/DoubleItSignedTimestamp"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItSignedTimestampPort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/action/DoubleItAction.wsdl">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="user" value="bob"/>
+ <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/>
+ <entry key="signatureKeyIdentifier" value="DirectReference"/>
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.wssec10.server.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature Timestamp"/>
+ <entry key="signaturePropFile" value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+
+ </jaxws:endpoint>
+
</beans>