You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2011/05/19 14:23:15 UTC
svn commit: r1124706 - in
/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str:
DerivedKeyTokenSTRParser.java EncryptedKeySTRParser.java
SecurityTokenRefSTRParser.java SignatureSTRParser.java
Author: coheigea
Date: Thu May 19 12:23:14 2011
New Revision: 1124706
URL: http://svn.apache.org/viewvc?rev=1124706&view=rev
Log:
Changed STR Parsers so that KeyIdentifier references now check for a previously processed security result.
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java?rev=1124706&r1=1124705&r2=1124706&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/DerivedKeyTokenSTRParser.java Thu May 19 12:23:14 2011
@@ -27,7 +27,6 @@ import org.apache.ws.security.WSSecurity
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.saml.SAMLKeyInfo;
@@ -76,64 +75,24 @@ public class DerivedKeyTokenSTRParser im
SecurityTokenReference secRef = new SecurityTokenReference(strElement, bspCompliant);
String uri = null;
- String keyIdentifierValueType = null;
- String keyIdentifierValue = null;
-
- WSSecurityEngineResult result = null;
if (secRef.containsReference()) {
- Reference ref = secRef.getReference();
- uri = ref.getURI();
+ uri = secRef.getReference().getURI();
if (uri.charAt(0) == '#') {
uri = uri.substring(1);
}
- result = wsDocInfo.getResult(uri);
- } else {
- // Contains key identifier
- keyIdentifierValue = secRef.getKeyIdentifierValue();
- keyIdentifierValueType = secRef.getKeyIdentifierValueType();
- result = wsDocInfo.getResult(keyIdentifierValue);
+ } else if (secRef.containsKeyIdentifier()) {
+ uri = secRef.getKeyIdentifierValue();
}
+ WSSecurityEngineResult result = wsDocInfo.getResult(uri);
if (result != null) {
- int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
- if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
- if (bspCompliant) {
- BSPEnforcer.checkUsernameTokenBSPCompliance(secRef);
- }
- UsernameToken usernameToken =
- (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
- usernameToken.setRawPassword(data);
- secretKey = usernameToken.getDerivedKey();
- } else if (WSConstants.ENCR == action) {
- if (bspCompliant) {
- BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
- }
- secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
- } else if (WSConstants.SCT == action) {
- secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
- } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
- AssertionWrapper assertion =
- (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- if (bspCompliant) {
- BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
- }
- SAMLKeyInfo keyInfo =
- SAMLUtil.getCredentialFromSubject(assertion,
- data, wsDocInfo, bspCompliant);
- // TODO Handle malformed SAML tokens where they don't have the
- // secret in them
- secretKey = keyInfo.getSecret();
- } else {
- throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK, "unsupportedKeyId"
- );
- }
- } else if (result == null && uri != null) {
+ processPreviousResult(result, secRef, data, wsDocInfo, bspCompliant);
+ } else if (secRef.containsReference()) {
// Now use the callback and get it
secretKey =
- getSecretKeyFromToken(uri, null, WSPasswordCallback.SECURITY_CONTEXT_TOKEN,
- data);
- } else if (keyIdentifierValue != null && keyIdentifierValueType != null) {
+ getSecretKeyFromToken(uri, null, WSPasswordCallback.SECURITY_CONTEXT_TOKEN, data);
+ } else if (secRef.containsKeyIdentifier()) {
+ String keyIdentifierValueType = secRef.getKeyIdentifierValueType();
if (bspCompliant
&& keyIdentifierValueType.equals(SecurityTokenReference.ENC_KEY_SHA1_URI)) {
BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
@@ -142,7 +101,7 @@ public class DerivedKeyTokenSTRParser im
if (certs == null || certs.length < 1 || certs[0] == null) {
secretKey =
this.getSecretKeyFromToken(
- keyIdentifierValue, keyIdentifierValueType,
+ secRef.getKeyIdentifierValue(), keyIdentifierValueType,
WSPasswordCallback.SECRET_KEY, data
);
} else {
@@ -232,4 +191,48 @@ public class DerivedKeyTokenSTRParser im
return pwcb.getKey();
}
+ /**
+ * Process a previous security result
+ */
+ private void processPreviousResult(
+ WSSecurityEngineResult result,
+ SecurityTokenReference secRef,
+ RequestData data,
+ WSDocInfo wsDocInfo,
+ boolean bspCompliant
+ ) throws WSSecurityException {
+ int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
+ if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
+ if (bspCompliant) {
+ BSPEnforcer.checkUsernameTokenBSPCompliance(secRef);
+ }
+ UsernameToken usernameToken =
+ (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
+ usernameToken.setRawPassword(data);
+ secretKey = usernameToken.getDerivedKey();
+ } else if (WSConstants.ENCR == action) {
+ if (bspCompliant) {
+ BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
+ }
+ secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ } else if (WSConstants.SCT == action) {
+ secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
+ AssertionWrapper assertion =
+ (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+ }
+ SAMLKeyInfo keyInfo =
+ SAMLUtil.getCredentialFromSubject(assertion,
+ data, wsDocInfo, bspCompliant);
+ // TODO Handle malformed SAML tokens where they don't have the
+ // secret in them
+ secretKey = keyInfo.getSecret();
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_CHECK, "unsupportedKeyId"
+ );
+ }
+ }
}
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java?rev=1124706&r1=1124705&r2=1124706&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/EncryptedKeySTRParser.java Thu May 19 12:23:14 2011
@@ -76,21 +76,21 @@ public class EncryptedKeySTRParser imple
}
SecurityTokenReference secRef = new SecurityTokenReference(strElement, bspCompliant);
- //
- // Handle X509IssuerSerial here. First check if all elements are available,
- // get the appropriate data, check if all data is available.
- // Then look up the certificate alias according to issuer name and serial number.
- //
- if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
- certs = secRef.getX509IssuerSerial(crypto);
+
+ String uri = null;
+ if (secRef.containsReference()) {
+ uri = secRef.getReference().getURI();
+ if (uri.charAt(0) == '#') {
+ uri = uri.substring(1);
+ }
+ } else if (secRef.containsKeyIdentifier()) {
+ uri = secRef.getKeyIdentifierValue();
}
- //
- // If wsse:KeyIdentifier found, then the public key of the attached cert was used to
- // encrypt the session (symmetric) key that encrypts the data. Extract the certificate
- // using the BinarySecurity token (was enhanced to handle KeyIdentifier too).
- // This method is _not_ recommended by OASIS WS-S specification, X509 profile
- //
- else if (secRef.containsKeyIdentifier()) {
+
+ WSSecurityEngineResult result = wsDocInfo.getResult(uri);
+ if (result != null) {
+ processPreviousResult(result, secRef, data, wsDocInfo, bspCompliant);
+ } else if (secRef.containsKeyIdentifier()) {
if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())
|| WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) {
AssertionWrapper assertion =
@@ -110,70 +110,28 @@ public class EncryptedKeySTRParser imple
}
certs = secRef.getKeyIdentifier(crypto);
}
+ } else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
+ certs = secRef.getX509IssuerSerial(crypto);
} else if (secRef.containsReference()) {
- if (wsDocInfo != null) {
- String uri = secRef.getReference().getURI();
- WSSecurityEngineResult result = wsDocInfo.getResult(uri);
-
- if (result != null) {
- int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
- if (WSConstants.BST == action) {
- if (bspCompliant) {
- BinarySecurity token =
- (BinarySecurity)result.get(
- WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN
- );
- BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
- }
- certs =
- (X509Certificate[])result.get(
- WSSecurityEngineResult.TAG_X509_CERTIFICATES
- );
- } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
- AssertionWrapper assertion =
- (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- if (bspCompliant) {
- BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
- }
- SAMLKeyInfo keyInfo =
- SAMLUtil.getCredentialFromSubject(assertion,
- data,
- wsDocInfo, bspCompliant);
- certs = keyInfo.getCerts();
- } else {
- throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
- "unsupportedBinaryTokenType",
- null
- );
- }
- }
- }
- if (certs == null) {
- Element bstElement =
- secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
-
- // at this point ... check token type: Binary
- QName el = new QName(bstElement.getNamespaceURI(), bstElement.getLocalName());
- if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
- X509Security token = new X509Security(bstElement);
- if (bspCompliant) {
- BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
- }
- certs = new X509Certificate[]{token.getX509Certificate(crypto)};
- } else {
- throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
- "unsupportedBinaryTokenType",
- null
- );
+ Element bstElement =
+ secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
+
+ // at this point ... check token type: Binary
+ QName el = new QName(bstElement.getNamespaceURI(), bstElement.getLocalName());
+ if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
+ X509Security token = new X509Security(bstElement);
+ if (bspCompliant) {
+ BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
}
+ certs = new X509Certificate[]{token.getX509Certificate(crypto)};
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
+ "unsupportedBinaryTokenType",
+ null
+ );
}
- } else {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY, "unsupportedKeyId"
- );
- }
+ }
if (LOG.isDebugEnabled() && certs != null && certs[0] != null) {
LOG.debug("cert: " + certs[0]);
@@ -223,4 +181,47 @@ public class EncryptedKeySTRParser imple
return false;
}
+ /**
+ * Process a previous security result
+ */
+ private void processPreviousResult(
+ WSSecurityEngineResult result,
+ SecurityTokenReference secRef,
+ RequestData data,
+ WSDocInfo wsDocInfo,
+ boolean bspCompliant
+ ) throws WSSecurityException {
+ int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
+ if (WSConstants.BST == action) {
+ if (bspCompliant) {
+ BinarySecurity token =
+ (BinarySecurity)result.get(
+ WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN
+ );
+ BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
+ }
+ certs =
+ (X509Certificate[])result.get(
+ WSSecurityEngineResult.TAG_X509_CERTIFICATES
+ );
+ } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
+ AssertionWrapper assertion =
+ (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+ }
+ SAMLKeyInfo keyInfo =
+ SAMLUtil.getCredentialFromSubject(assertion,
+ data,
+ wsDocInfo, bspCompliant);
+ certs = keyInfo.getCerts();
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
+ "unsupportedBinaryTokenType",
+ null
+ );
+ }
+ }
+
}
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java?rev=1124706&r1=1124705&r2=1124706&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SecurityTokenRefSTRParser.java Thu May 19 12:23:14 2011
@@ -77,54 +77,30 @@ public class SecurityTokenRefSTRParser i
}
SecurityTokenReference secRef = new SecurityTokenReference(strElement, bspCompliant);
-
+
+ String uri = null;
if (secRef.containsReference()) {
- Reference reference = secRef.getReference();
- String uri = reference.getURI();
- String id = uri;
- if (id.charAt(0) == '#') {
- id = id.substring(1);
+ uri = secRef.getReference().getURI();
+ if (uri.charAt(0) == '#') {
+ uri = uri.substring(1);
}
- WSSecurityEngineResult result = wsDocInfo.getResult(id);
- if (result != null) {
- int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
- if (WSConstants.ENCR == action) {
- if (bspCompliant) {
- BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
- }
- secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
- } else if (WSConstants.DKT == action) {
- DerivedKeyToken dkt =
- (DerivedKeyToken)result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
- byte[] secret =
- (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
- String algorithm = (String)parameters.get(SIGNATURE_METHOD);
- secretKey = dkt.deriveKey(WSSecurityUtil.getKeyLength(algorithm), secret);
- } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
- AssertionWrapper assertion =
- (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- if (bspCompliant) {
- BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
- }
- SAMLKeyInfo keyInfo =
- SAMLUtil.getCredentialFromSubject(assertion,
- data, wsDocInfo, bspCompliant);
- // TODO Handle malformed SAML tokens where they don't have the
- // secret in them
- secretKey = keyInfo.getSecret();
- } else if (WSConstants.SCT == action) {
- secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
- }
- } else {
- // Try asking the CallbackHandler for the secret key
- secretKey = getSecretKeyFromToken(id, reference.getValueType(), data);
- if (secretKey == null) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[]{id}
- );
- }
+ } else if (secRef.containsKeyIdentifier()) {
+ uri = secRef.getKeyIdentifierValue();
+ }
+
+ WSSecurityEngineResult result = wsDocInfo.getResult(uri);
+ if (result != null) {
+ processPreviousResult(result, secRef, data, parameters, wsDocInfo, bspCompliant);
+ } else if (secRef.containsReference()) {
+ Reference reference = secRef.getReference();
+ // Try asking the CallbackHandler for the secret key
+ secretKey = getSecretKeyFromToken(uri, reference.getValueType(), data);
+ if (secretKey == null) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_CHECK, "unsupportedKeyId", new Object[] {uri}
+ );
}
- } else if (secRef.containsKeyIdentifier()){
+ } else if (secRef.containsKeyIdentifier()) {
String valueType = secRef.getKeyIdentifierValueType();
if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(valueType)
|| WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(valueType)) {
@@ -133,24 +109,16 @@ public class SecurityTokenRefSTRParser i
secRef, strElement,
data, wsDocInfo
);
- if (bspCompliant) {
- BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
- }
- SAMLKeyInfo samlKi =
- SAMLUtil.getCredentialFromSubject(assertion,
- data,
- wsDocInfo, bspCompliant);
- // TODO Handle malformed SAML tokens where they don't have the
- // secret in them
- secretKey = samlKi.getSecret();
+ secretKey =
+ getSecretKeyFromAssertion(assertion, secRef, data, wsDocInfo, bspCompliant);
} else {
if (bspCompliant && SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
}
secretKey =
getSecretKeyFromToken(
- secRef.getKeyIdentifierValue(), secRef.getKeyIdentifierValueType(),
- data);
+ secRef.getKeyIdentifierValue(), secRef.getKeyIdentifierValueType(), data
+ );
}
} else {
throw new WSSecurityException(WSSecurityException.FAILED_CHECK, "noReference");
@@ -233,5 +201,59 @@ public class SecurityTokenRefSTRParser i
return pwcb.getKey();
}
+ /**
+ * Get a SecretKey from a SAML Assertion
+ */
+ private byte[] getSecretKeyFromAssertion(
+ AssertionWrapper assertion,
+ SecurityTokenReference secRef,
+ RequestData data,
+ WSDocInfo wsDocInfo,
+ boolean bspCompliant
+ ) throws WSSecurityException {
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+ }
+ SAMLKeyInfo samlKi =
+ SAMLUtil.getCredentialFromSubject(assertion, data, wsDocInfo, bspCompliant);
+ // TODO Handle malformed SAML tokens where they don't have the
+ // secret in them
+ return samlKi.getSecret();
+ }
+
+ /**
+ * Process a previous security result
+ */
+ private void processPreviousResult(
+ WSSecurityEngineResult result,
+ SecurityTokenReference secRef,
+ RequestData data,
+ Map<String, Object> parameters,
+ WSDocInfo wsDocInfo,
+ boolean bspCompliant
+ ) throws WSSecurityException {
+ int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
+ if (WSConstants.ENCR == action) {
+ if (bspCompliant) {
+ BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
+ }
+ secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ } else if (WSConstants.DKT == action) {
+ DerivedKeyToken dkt =
+ (DerivedKeyToken)result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
+ byte[] secret =
+ (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ String algorithm = (String)parameters.get(SIGNATURE_METHOD);
+ secretKey = dkt.deriveKey(WSSecurityUtil.getKeyLength(algorithm), secret);
+ } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
+ AssertionWrapper assertion =
+ (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ secretKey =
+ getSecretKeyFromAssertion(assertion, secRef, data, wsDocInfo, bspCompliant);
+ } else if (WSConstants.SCT == action) {
+ secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ }
+ }
+
}
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1124706&r1=1124705&r2=1124706&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java Thu May 19 12:23:14 2011
@@ -106,143 +106,74 @@ public class SignatureSTRParser implemen
// processed, in particular the crypto implementation, and already
// detected BST that may be used later during dereferencing.
//
+ String uri = null;
if (secRef.containsReference()) {
- org.apache.ws.security.message.token.Reference ref = secRef.getReference();
-
- String uri = ref.getURI();
+ uri = secRef.getReference().getURI();
if (uri.charAt(0) == '#') {
uri = uri.substring(1);
}
- WSSecurityEngineResult result = wsDocInfo.getResult(uri);
- if (result == null) {
- Element token =
- secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
- QName el = new QName(token.getNamespaceURI(), token.getLocalName());
- if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
- certs = getCertificatesTokenReference(secRef, token, crypto, bspCompliant);
- } else if (el.equals(WSSecurityEngine.SAML_TOKEN)
- || el.equals(WSSecurityEngine.SAML2_TOKEN)) {
- Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
- //
- // Just check to see whether the token was processed or not
- //
- Element processedToken =
- secRef.findProcessedTokenElement(
- strElement.getOwnerDocument(), wsDocInfo,
- data.getCallbackHandler(), uri, ref.getValueType()
- );
- AssertionWrapper assertion = null;
- if (processedToken == null) {
- List<WSSecurityEngineResult> samlResult =
- proc.handleToken(token, data, wsDocInfo);
- assertion =
- (AssertionWrapper)samlResult.get(0).get(
- WSSecurityEngineResult.TAG_SAML_ASSERTION
- );
- } else {
- assertion = new AssertionWrapper(processedToken);
- assertion.parseHOKSubject(data, wsDocInfo);
- }
- if (bspCompliant) {
- BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
- }
- SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
- X509Certificate[] foundCerts = keyInfo.getCerts();
- if (foundCerts != null) {
- certs = new X509Certificate[]{foundCerts[0]};
- }
- secretKey = keyInfo.getSecret();
- principal = createPrincipalFromSAML(assertion);
- } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
- if (bspCompliant) {
- BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
- }
- Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
- List<WSSecurityEngineResult> encrResult =
+ } else if (secRef.containsKeyIdentifier()) {
+ uri = secRef.getKeyIdentifierValue();
+ }
+
+ WSSecurityEngineResult result = wsDocInfo.getResult(uri);
+ if (result != null) {
+ processPreviousResult(result, secRef, data, parameters, bspCompliant);
+ } else if (secRef.containsReference()) {
+ Element token =
+ secRef.getTokenElement(strElement.getOwnerDocument(), wsDocInfo, data.getCallbackHandler());
+ QName el = new QName(token.getNamespaceURI(), token.getLocalName());
+ if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
+ certs = getCertificatesTokenReference(secRef, token, crypto, bspCompliant);
+ } else if (el.equals(WSSecurityEngine.SAML_TOKEN)
+ || el.equals(WSSecurityEngine.SAML2_TOKEN)) {
+ Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
+ //
+ // Just check to see whether the token was processed or not
+ //
+ Element processedToken =
+ secRef.findProcessedTokenElement(
+ strElement.getOwnerDocument(), wsDocInfo,
+ data.getCallbackHandler(), uri, secRef.getReference().getValueType()
+ );
+ AssertionWrapper assertion = null;
+ if (processedToken == null) {
+ List<WSSecurityEngineResult> samlResult =
proc.handleToken(token, data, wsDocInfo);
- secretKey =
- (byte[])encrResult.get(0).get(
- WSSecurityEngineResult.TAG_SECRET
+ assertion =
+ (AssertionWrapper)samlResult.get(0).get(
+ WSSecurityEngineResult.TAG_SAML_ASSERTION
);
- principal = new CustomTokenPrincipal(token.getAttribute("Id"));
} else {
- String id = secRef.getReference().getURI();
- secretKey = getSecretKeyFromToken(id, null, data);
- principal = new CustomTokenPrincipal(id);
+ assertion = new AssertionWrapper(processedToken);
+ assertion.parseHOKSubject(data, wsDocInfo);
}
- } else {
- int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
- if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
- if (bspCompliant) {
- BSPEnforcer.checkUsernameTokenBSPCompliance(secRef);
- }
- UsernameToken usernameToken =
- (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
-
- usernameToken.setRawPassword(data);
- if (usernameToken.isDerivedKey()) {
- secretKey = usernameToken.getDerivedKey();
- } else {
- int keyLength = ((Integer)parameters.get(SECRET_KEY_LENGTH)).intValue();
- secretKey = usernameToken.getSecretKey(keyLength);
- }
- principal = usernameToken.createPrincipal();
- } else if (WSConstants.BST == action) {
- if (bspCompliant) {
- BinarySecurity token =
- (BinarySecurity)result.get(
- WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN
- );
- BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
- }
- certs =
- (X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
- Boolean validatedToken =
- (Boolean)result.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN);
- if (validatedToken.booleanValue()) {
- trustedCredential = true;
- }
- } else if (WSConstants.ENCR == action) {
- if (bspCompliant) {
- BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
- }
- secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
- String id = (String)result.get(WSSecurityEngineResult.TAG_ID);
- principal = new CustomTokenPrincipal(id);
- } else if (WSConstants.SCT == action) {
- secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
- SecurityContextToken sct =
- (SecurityContextToken)result.get(
- WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN
- );
- principal = new CustomTokenPrincipal(sct.getIdentifier());
- } else if (WSConstants.DKT == action) {
- DerivedKeyToken dkt =
- (DerivedKeyToken)result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
- int keyLength = dkt.getLength();
- if (keyLength <= 0) {
- String algorithm = (String)parameters.get(SIGNATURE_METHOD);
- keyLength = WSSecurityUtil.getKeyLength(algorithm);
- }
- byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
- secretKey = dkt.deriveKey(keyLength, secret);
- principal = dkt.createPrincipal();
- ((WSDerivedKeyTokenPrincipal)principal).setSecret(secret);
- } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
- AssertionWrapper assertion =
- (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
- if (bspCompliant) {
- BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
- }
- SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
- X509Certificate[] foundCerts = keyInfo.getCerts();
- if (foundCerts != null) {
- certs = new X509Certificate[]{foundCerts[0]};
- }
- secretKey = keyInfo.getSecret();
- publicKey = keyInfo.getPublicKey();
- principal = createPrincipalFromSAML(assertion);
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
}
+ SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
+ X509Certificate[] foundCerts = keyInfo.getCerts();
+ if (foundCerts != null) {
+ certs = new X509Certificate[]{foundCerts[0]};
+ }
+ secretKey = keyInfo.getSecret();
+ principal = createPrincipalFromSAML(assertion);
+ } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
+ if (bspCompliant) {
+ BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
+ }
+ Processor proc = data.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
+ List<WSSecurityEngineResult> encrResult =
+ proc.handleToken(token, data, wsDocInfo);
+ secretKey =
+ (byte[])encrResult.get(0).get(
+ WSSecurityEngineResult.TAG_SECRET
+ );
+ principal = new CustomTokenPrincipal(token.getAttribute("Id"));
+ } else {
+ String id = secRef.getReference().getURI();
+ secretKey = getSecretKeyFromToken(id, null, data);
+ principal = new CustomTokenPrincipal(id);
}
} else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
X509Certificate[] foundCerts = secRef.getX509IssuerSerial(crypto);
@@ -342,8 +273,6 @@ public class SignatureSTRParser implemen
public boolean isTrustedCredential() {
return trustedCredential;
}
-
-
/**
* Extracts the certificate(s) from the Binary Security token reference.
*
@@ -454,5 +383,89 @@ public class SignatureSTRParser implemen
return pwcb.getKey();
}
+ /**
+ * Process a previous security result
+ */
+ private void processPreviousResult(
+ WSSecurityEngineResult result,
+ SecurityTokenReference secRef,
+ RequestData data,
+ Map<String, Object> parameters,
+ boolean bspCompliant
+ ) throws WSSecurityException {
+ int action = ((Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
+ if (WSConstants.UT_NOPASSWORD == action || WSConstants.UT == action) {
+ if (bspCompliant) {
+ BSPEnforcer.checkUsernameTokenBSPCompliance(secRef);
+ }
+ UsernameToken usernameToken =
+ (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
+
+ usernameToken.setRawPassword(data);
+ if (usernameToken.isDerivedKey()) {
+ secretKey = usernameToken.getDerivedKey();
+ } else {
+ int keyLength = ((Integer)parameters.get(SECRET_KEY_LENGTH)).intValue();
+ secretKey = usernameToken.getSecretKey(keyLength);
+ }
+ principal = usernameToken.createPrincipal();
+ } else if (WSConstants.BST == action) {
+ if (bspCompliant) {
+ BinarySecurity token =
+ (BinarySecurity)result.get(
+ WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN
+ );
+ BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
+ }
+ certs =
+ (X509Certificate[])result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+ Boolean validatedToken =
+ (Boolean)result.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN);
+ if (validatedToken.booleanValue()) {
+ trustedCredential = true;
+ }
+ } else if (WSConstants.ENCR == action) {
+ if (bspCompliant) {
+ BSPEnforcer.checkEncryptedKeyBSPCompliance(secRef);
+ }
+ secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ String id = (String)result.get(WSSecurityEngineResult.TAG_ID);
+ principal = new CustomTokenPrincipal(id);
+ } else if (WSConstants.SCT == action) {
+ secretKey = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ SecurityContextToken sct =
+ (SecurityContextToken)result.get(
+ WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN
+ );
+ principal = new CustomTokenPrincipal(sct.getIdentifier());
+ } else if (WSConstants.DKT == action) {
+ DerivedKeyToken dkt =
+ (DerivedKeyToken)result.get(WSSecurityEngineResult.TAG_DERIVED_KEY_TOKEN);
+ int keyLength = dkt.getLength();
+ if (keyLength <= 0) {
+ String algorithm = (String)parameters.get(SIGNATURE_METHOD);
+ keyLength = WSSecurityUtil.getKeyLength(algorithm);
+ }
+ byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
+ secretKey = dkt.deriveKey(keyLength, secret);
+ principal = dkt.createPrincipal();
+ ((WSDerivedKeyTokenPrincipal)principal).setSecret(secret);
+ } else if (WSConstants.ST_UNSIGNED == action || WSConstants.ST_SIGNED == action) {
+ AssertionWrapper assertion =
+ (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ if (bspCompliant) {
+ BSPEnforcer.checkSamlTokenBSPCompliance(secRef, assertion);
+ }
+ SAMLKeyInfo keyInfo = assertion.getSubjectKeyInfo();
+ X509Certificate[] foundCerts = keyInfo.getCerts();
+ if (foundCerts != null) {
+ certs = new X509Certificate[]{foundCerts[0]};
+ }
+ secretKey = keyInfo.getSecret();
+ publicKey = keyInfo.getPublicKey();
+ principal = createPrincipalFromSAML(assertion);
+ }
+ }
+
}