Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2010/05/17 16:20:33 UTC
svn commit: r945175 - in /webservices/wss4j/branches/1_5_x-fixes:
src/org/apache/ws/security/processor/ src/org/apache/ws/security/transform/
test/ test/wssec/
Author: coheigea
Date: Mon May 17 14:20:33 2010
New Revision: 945175
URL: http://svn.apache.org/viewvc?rev=945175&view=rev
Log:
[WS-222] - Applied patch for "SignatureProcessor does not provide correct signature coverage results with STR Dereference Transform".
- Many thanks David for the patch and test-case.
Added:
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransformUtil.java (with props)
Modified:
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureProcessor.java
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransform.java
webservices/wss4j/branches/1_5_x-fixes/test/log4j.properties
webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecuritySignatureParts.java
Modified: webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureProcessor.java?rev=945175&r1=945174&r2=945175&view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureProcessor.java Mon May 17 14:20:33 2010
@@ -1,19 +1,20 @@
-/*
- * Copyright 2003-2006 The Apache Software Foundation, or their licensors, as
- * appropriate.
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * http://www.apache.org/licenses/LICENSE-2.0
*
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
*/
package org.apache.ws.security.processor;
@@ -44,6 +45,8 @@ import org.apache.ws.security.message.to
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.SAMLUtil;
+import org.apache.ws.security.transform.STRTransform;
+import org.apache.ws.security.transform.STRTransformUtil;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
@@ -51,6 +54,9 @@ import org.apache.xml.security.signature
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
+import org.apache.xml.security.signature.XMLSignatureInput;
+import org.apache.xml.security.transforms.Transform;
+import org.apache.xml.security.transforms.Transforms;
import org.opensaml.SAMLAssertion;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -475,7 +481,53 @@ public class SignatureProcessor implemen
}
String uri = siRef.getURI();
if (uri != null && !"".equals(uri)) {
- Element se = WSSecurityUtil.getElementByWsuId(elem.getOwnerDocument(), uri);
+
+ Element se = null;
+ try {
+ Transforms transforms = siRef.getTransforms();
+ for (int j = 0; j < transforms.getLength(); j++) {
+ Transform transform = transforms.item(j);
+ // We have some transforming to do before we can
+ // determine the protected element.
+ if (STRTransform.implementedTransformURI
+ .equals(transform.getURI())) {
+
+ XMLSignatureInput signatureInput =
+ siRef.getContentsBeforeTransformation();
+
+ if (signatureInput.isElement()) {
+ // The signature was already validated,
+ // meaning that this element was already
+ // parsed. We can therefore be pretty
+ // confident that this constructor will work.
+ SecurityTokenReference secTokenRef =
+ new SecurityTokenReference(
+ (Element) signatureInput.getSubNode());
+
+ // Use the utility to extract the element (or
+ // generate a new one in some cases) from the
+ // message.
+ se = STRTransformUtil.dereferenceSTR(
+ transform.getDocument(),
+ secTokenRef, wsDocInfo);
+ } else {
+ // The internal impl of Reference changed.
+ // We expect it to return the signature input
+ // based on a node/element.
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE);
+ }
+ }
+ }
+ }
+ catch (XMLSecurityException e) {
+ log.warn("Error processing signature coverage elements.", e);
+ throw new WSSecurityException(WSSecurityException.FAILURE);
+ }
+
+ if (se == null) {
+ se = WSSecurityUtil.getElementByWsuId(elem.getOwnerDocument(), uri);
+ }
if (se == null) {
se = WSSecurityUtil.getElementByGenId(elem.getOwnerDocument(), uri);
}
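Review bot: When `STRTransformUtil.dereferenceSTR` returns null (its Javadoc says it does when the STR holds none of direct reference, key identifier or issuer serial), the `if (se == null)` fallback that follows resolves the Reference URI with `getElementByWsuId`, which presumably yields the wsse:SecurityTokenReference element the Reference points at, so the coverage result silently reports the STR instead of the token — the very mismatch this patch is meant to fix. Inside the STR-transform branch a null result should fail rather than fall through: `if (se == null) { throw new WSSecurityException(WSSecurityException.FAILURE); }` directly after the `dereferenceSTR` call. The catch block also discards the `XMLSecurityException` cause; `WSSecurityException` has a constructor taking a `Throwable` (used by `createBSTX509` in STRTransformUtil), so the cause can be attached rather than only logged. The enclosing method starts and ends outside this hunk.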
Modified: webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransform.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransform.java?rev=945175&r1=945174&r2=945175&view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransform.java (original)
+++ webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransform.java Mon May 17 14:20:33 2010
@@ -1,18 +1,20 @@
-/*
- * Copyright 2003-2004 The Apache Software Foundation.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * http://www.apache.org/licenses/LICENSE-2.0
*
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
*/
package org.apache.ws.security.transform;
@@ -24,7 +26,6 @@ import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSDocInfoStore;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.message.token.SecurityTokenReference;
-import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.c14n.CanonicalizationException;
import org.apache.xml.security.c14n.Canonicalizer;
@@ -32,17 +33,13 @@ import org.apache.xml.security.c14n.Inva
import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.transforms.Transform;
import org.apache.xml.security.transforms.TransformSpi;
-import org.apache.ws.security.util.Base64;
import org.apache.xml.security.utils.XMLUtils;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-import org.w3c.dom.Text;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.X509Certificate;
/**
* Class STRTransform
@@ -185,7 +182,8 @@ public class STRTransform extends Transf
//
// Third and forth step are performed by derefenceSTR()
//
- Element dereferencedToken = dereferenceSTR(thisDoc, secRef);
+ Element dereferencedToken = STRTransformUtil.dereferenceSTR(
+ thisDoc, secRef, wsDocInfo);
//
// C14n with specified algorithm. According to WSS Specification.
//
@@ -241,94 +239,5 @@ public class STRTransform extends Transf
log.debug(ex.getMessage(), ex);
throw (new CanonicalizationException("c14n.Canonicalizer.Exception", ex));
}
- }
-
- private Element dereferenceSTR(Document doc, SecurityTokenReference secRef)
- throws WSSecurityException {
- //
- // Third step: locate the security token referenced by the STR element.
- // Either the Token is contained in the document as a
- // BinarySecurityToken or stored in some key storage.
- //
- // Fourth step: after security token was located, prepare it. If its
- // reference via a direct reference, i.e. a relative URI that references
- // the BST directly in the message then just return that element.
- // Otherwise wrap the located token in a newly created BST element as
- // described in WSS Specification.
- //
- //
- Element tokElement = null;
-
- //
- // First case: direct reference, according to chap 7.2 of OASIS WS
- // specification (main document). Only in this case return a true
- // reference to the BST. Copying is done by the caller.
- //
- if (secRef.containsReference()) {
- if (doDebug) {
- log.debug("STR: Reference");
- }
- tokElement = secRef.getTokenElement(doc, wsDocInfo, null);
- }
- //
- // second case: IssuerSerial, lookup in keystore, wrap in BST according
- // to specification
- //
- else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
- if (doDebug) {
- log.debug("STR: IssuerSerial");
- }
- X509Certificate cert = null;
- X509Certificate[] certs =
- secRef.getX509IssuerSerial(wsDocInfo.getCrypto());
- if (certs == null || certs.length == 0 || certs[0] == null) {
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
- }
- cert = certs[0];
- tokElement = createBSTX509(doc, cert, secRef.getElement());
- }
- //
- // third case: KeyIdentifier. For SKI, lookup in keystore, wrap in
- // BST according to specification. Otherwise if it's a wsse:KeyIdentifier it could
- // be a SAML assertion, so try and find the referenced element.
- //
- else if (secRef.containsKeyIdentifier()) {
- if (doDebug) {
- log.debug("STR: KeyIdentifier");
- }
- if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) {
- tokElement = secRef.getKeyIdentifierTokenElement(doc, wsDocInfo, null);
- } else {
- X509Certificate cert = null;
- X509Certificate[] certs = secRef.getKeyIdentifier(wsDocInfo.getCrypto());
- if (certs == null || certs.length == 0 || certs[0] == null) {
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
- }
- cert = certs[0];
- tokElement = createBSTX509(doc, cert, secRef.getElement());
- }
- }
- return tokElement;
- }
-
- private Element createBSTX509(Document doc, X509Certificate cert, Element secRefE)
- throws WSSecurityException {
- byte data[];
- try {
- data = cert.getEncoded();
- } catch (CertificateEncodingException e) {
- throw new WSSecurityException(
- WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "encodeError", null, e
- );
- }
- String prefix = WSSecurityUtil.getPrefixNS(WSConstants.WSSE_NS, secRefE);
- Element elem = doc.createElementNS(WSConstants.WSSE_NS, prefix + ":BinarySecurityToken");
- WSSecurityUtil.setNamespace(elem, WSConstants.WSSE_NS, prefix);
- // elem.setAttributeNS(WSConstants.XMLNS_NS, "xmlns", "");
- elem.setAttributeNS(null, "ValueType", X509Security.X509_V3_TYPE);
- Text certText = doc.createTextNode(Base64.encode(data)); // no line wrap
- elem.appendChild(certText);
- return elem;
- }
-
+ }
}
Added: webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransformUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransformUtil.java?rev=945175&view=auto
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransformUtil.java (added)
+++ webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransformUtil.java Mon May 17 14:20:33 2010
@@ -0,0 +1,156 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.transform;
+
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDocInfo;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.message.token.SecurityTokenReference;
+import org.apache.ws.security.message.token.X509Security;
+import org.apache.ws.security.util.Base64;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Text;
+
+/**
+ * Utility class exposing the dereferencing logic of the {@link STRTransform} implementation.
+ */
+public class STRTransformUtil {
+ private static Log log = LogFactory.getLog(STRTransformUtil.class.getName());
+
+ /**
+ * Retrieves the element representing the referenced content of a STR.
+ *
+ * @return the element representing the referenced content. The element is either
+ * extracted from {@code doc} or a new element is created in the
+ * case of a key identifier or issuer serial STR. {@code null} if
+ * {@code secRef} does not contain a direct reference, key identifier, or
+ * issuer serial.
+ * @throws WSSecurityException
+ * If an issuer serial or key identifier is used in the STR and
+ * the certificate cannot be resolved from the crypto
+ * configuration or if there is an error working with the resolved
+ * cert
+ */
+ public static Element dereferenceSTR(Document doc,
+ SecurityTokenReference secRef, WSDocInfo wsDocInfo) throws WSSecurityException
+ {
+
+ // NOTE: Here step numbers refer to the overall step in the complete processing
+ // of the STRTransform. See STRTransform for the lead up to these steps.
+ //
+ // Third step: locate the security token referenced by the STR element.
+ // Either the Token is contained in the document as a
+ // BinarySecurityToken or stored in some key storage.
+ //
+ // Fourth step: after security token was located, prepare it. If its
+ // reference via a direct reference, i.e. a relative URI that references
+ // the BST directly in the message then just return that element.
+ // Otherwise wrap the located token in a newly created BST element as
+ // described in WSS Specification.
+ //
+ //
+ Element tokElement = null;
+
+ //
+ // First case: direct reference, according to chap 7.2 of OASIS WS
+ // specification (main document). Only in this case return a true
+ // reference to the BST. Copying is done by the caller.
+ //
+ if (secRef.containsReference()) {
+ if (log.isDebugEnabled()) {
+ log.debug("STR: Reference");
+ }
+ tokElement = secRef.getTokenElement(doc, wsDocInfo, null);
+ }
+ //
+ // second case: IssuerSerial, lookup in keystore, wrap in BST according
+ // to specification
+ //
+ else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
+ if (log.isDebugEnabled()) {
+ log.debug("STR: IssuerSerial");
+ }
+ X509Certificate cert = null;
+ X509Certificate[] certs =
+ secRef.getX509IssuerSerial(wsDocInfo.getCrypto());
+ if (certs == null || certs.length == 0 || certs[0] == null) {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
+ }
+ cert = certs[0];
+ tokElement = createBSTX509(doc, cert, secRef.getElement());
+ }
+ //
+ // third case: KeyIdentifier. For SKI, lookup in keystore, wrap in
+ // BST according to specification. Otherwise if it's a wsse:KeyIdentifier it could
+ // be a SAML assertion, so try and find the referenced element.
+ //
+ else if (secRef.containsKeyIdentifier()) {
+ if (log.isDebugEnabled()) {
+ log.debug("STR: KeyIdentifier");
+ }
+ if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) {
+ tokElement = secRef.getKeyIdentifierTokenElement(doc, wsDocInfo, null);
+ } else {
+ X509Certificate cert = null;
+ X509Certificate[] certs = secRef.getKeyIdentifier(wsDocInfo.getCrypto());
+ if (certs == null || certs.length == 0 || certs[0] == null) {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
+ }
+ cert = certs[0];
+ tokElement = createBSTX509(doc, cert, secRef.getElement());
+ }
+ }
+ return tokElement;
+ }
+
+ protected static Element createBSTX509(Document doc, X509Certificate cert, Element secRefE)
+ throws WSSecurityException {
+ byte data[];
+ try {
+ data = cert.getEncoded();
+ } catch (CertificateEncodingException e) {
+ throw new WSSecurityException(
+ WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "encodeError", null, e
+ );
+ }
+ String prefix = WSSecurityUtil.getPrefixNS(WSConstants.WSSE_NS, secRefE);
+ Element elem = doc.createElementNS(WSConstants.WSSE_NS, prefix + ":BinarySecurityToken");
+ WSSecurityUtil.setNamespace(elem, WSConstants.WSSE_NS, prefix);
+ // elem.setAttributeNS(WSConstants.XMLNS_NS, "xmlns", "");
+ elem.setAttributeNS(null, "ValueType", X509Security.X509_V3_TYPE);
+ Text certText = doc.createTextNode(Base64.encode(data)); // no line wrap
+ elem.appendChild(certText);
+ return elem;
+ }
+
+ /**
+ * Hidden in utility class.
+ */
+ private STRTransformUtil() {
+ }
+
+}
\ No newline at end of file
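Review bot: `createBSTX509` is declared `protected static` but the class's only constructor is private, so no subclass can ever exist and the modifier merely widens access to the package for no caller in this patch; declare it `private static` (or package-private if `STRTransform` is meant to call it). `log` is never reassigned and should be `private static final Log log = LogFactory.getLog(STRTransformUtil.class.getName());`. The `X509Certificate cert = null;` initialisations in the IssuerSerial and KeyIdentifier branches are dead stores; `X509Certificate cert = certs[0];` after the null/length check reads cleaner. The `dereferenceSTR` Javadoc lacks `@param` entries for `doc`, `secRef` and `wsDocInfo`; `wsDocInfo` in particular is dereferenced for `getCrypto()` in the certificate branches, so document that it must be non-null.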
Propchange: webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransformUtil.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/transform/STRTransformUtil.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Modified: webservices/wss4j/branches/1_5_x-fixes/test/log4j.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/test/log4j.properties?rev=945175&r1=945174&r2=945175&view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/test/log4j.properties (original)
+++ webservices/wss4j/branches/1_5_x-fixes/test/log4j.properties Mon May 17 14:20:33 2010
@@ -1,5 +1,5 @@
# Set root category priority to INFO and its only appender to CONSOLE.
-log4j.rootCategory=FATAL, CONSOLE
+ log4j.rootCategory=FATAL, CONSOLE
# log4j.rootCategory=DEBUG, LOGFILE
# Set the enterprise logger category to FATAL and its only appender to CONSOLE.
@@ -43,6 +43,7 @@ log4j.rootCategory=FATAL, CONSOLE
# log4j.logger.wssec.TestWSSecurityNew9=DEBUG
# log4j.logger.wssec.TestWSSecurity10=DEBUG
# log4j.logger.wssec.TestWSSecurity11=DEBUG
+# log4j.logger.wssec.TestWSSecurityNew11=DEBUG
# log4j.logger.wssec.TestWSSecurity12=DEBUG
# log4j.logger.wssec.TestWSSecurity13=DEBUG
# log4j.logger.wssec.TestWSSecurity14=DEBUG
@@ -54,6 +55,7 @@ log4j.rootCategory=FATAL, CONSOLE
# log4j.logger.wssec.TestWSSecurityST3=DEBUG
# log4j.logger.wssec.TestWSSecurityNewST3=DEBUG
# log4j.logger.wssec.TestWSSecuritySOAP12=DEBUG
+# log4j.logger.wssec.TestWSSecuritySignatureParts=DEBUG
# log4j.logger.org.apache.ws.security.handler.WSS4JHandler=DEBUG
# log4j.logger.org.apache.ws.security.handler.WSHandler=DEBUG
log4j.logger.policy.WSSPolicyTesterAsymm=DEBUG
Modified: webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecuritySignatureParts.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecuritySignatureParts.java?rev=945175&r1=945174&r2=945175&view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecuritySignatureParts.java (original)
+++ webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecuritySignatureParts.java Mon May 17 14:20:33 2010
@@ -1,18 +1,20 @@
-/*
- * Copyright 2003-2004 The Apache Software Foundation.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
*
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
+ * http://www.apache.org/licenses/LICENSE-2.0
*
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
*/
package wssec;
@@ -39,7 +41,11 @@ import org.apache.ws.security.components
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecSignature;
import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.saml.SAMLIssuer;
+import org.apache.ws.security.saml.SAMLIssuerFactory;
+import org.apache.ws.security.saml.WSSecSignatureSAML;
import org.apache.ws.security.util.WSSecurityUtil;
+import org.opensaml.SAMLAssertion;
import org.w3c.dom.Document;
import javax.security.auth.callback.Callback;
@@ -162,6 +168,68 @@ public class TestWSSecuritySignaturePart
}
/**
+ * Test signing of a header through a STR Dereference Transform
+ */
+ public void testSOAPHeaderSTRTransform() throws Exception {
+ SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
+
+ Document doc = unsignedEnvelope.getAsDocument();
+
+ SAMLIssuer saml = SAMLIssuerFactory.getInstance("saml4.properties");
+ // Provide info to SAML issuer that it can construct a Holder-of-key
+ // SAML token.
+ saml.setInstanceDoc(doc);
+ saml.setUserCrypto(crypto);
+ saml.setUsername("16c73ab6-b892-458f-abf5-2f875f74882e");
+ SAMLAssertion assertion = saml.newAssertion();
+
+ WSSecSignatureSAML wsSign = new WSSecSignatureSAML();
+ wsSign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
+ wsSign.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ Vector parts = new Vector();
+ WSEncryptionPart encP =
+ new WSEncryptionPart("STRTransform", "", "Element");
+ parts.add(encP);
+ wsSign.setParts(parts);
+
+ LOG.info("Before SAMLSignedKeyHolder....");
+
+ //
+ // set up for keyHolder
+ //
+ Document signedDoc = wsSign.build(doc, crypto, assertion, null, null, null, secHeader);
+ LOG.info("After SAMLSignedKeyHolder....");
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Signed SAML message (key holder):");
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
+ LOG.debug(outputString);
+ }
+
+ Vector results = verify(signedDoc);
+ WSSecurityEngineResult stUnsignedActionResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED);
+ SAMLAssertion receivedAssertion =
+ (SAMLAssertion) stUnsignedActionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ assertTrue(receivedAssertion != null);
+
+ WSSecurityEngineResult signActionResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.SIGN);
+ assertTrue(signActionResult != null);
+ final java.util.List refs =
+ (java.util.List) signActionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
+ assertTrue(signActionResult != null && !signActionResult.isEmpty());
+ WSDataRef wsDataRef = (WSDataRef)refs.get(0);
+ String xpath = wsDataRef.getXpath();
+ assertEquals("/soapenv:Envelope/soapenv:Header/wsse:Security/Assertion", xpath);
+ }
+
+ /**
* Test signing a custom SOAP header with a bad localname
*/
public void testBadLocalname() throws Exception {
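Review bot: The assertion `assertTrue(signActionResult != null && !signActionResult.isEmpty());` re-checks the result map that was already asserted non-null two lines earlier and never checks `refs`, the list actually indexed on the following line, so a missing or empty `TAG_DATA_REF_URIS` entry surfaces as a `NullPointerException` or `IndexOutOfBoundsException` instead of a test failure; it should read `assertTrue(refs != null && !refs.isEmpty());`. The enclosing test class starts and ends outside this hunk.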