Posted to commits@cxf.apache.org by em...@apache.org on 2019/02/28 09:25:40 UTC
[cxf] branch master updated: [CXF-7984]:UsernameTokenInterceptor
doesn't respect contextual property 'allowNamespaceQualifiedPasswordTypes'
This is an automated email from the ASF dual-hosted git repository.
ema pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new f95b4fe [CXF-7984]:UsernameTokenInterceptor doesn't respect contextual property 'allowNamespaceQualifiedPasswordTypes'
f95b4fe is described below
commit f95b4feda04c115a9cb1f35650cb448f1adeba39
Author: Jim Ma <em...@apache.org>
AuthorDate: Thu Feb 28 17:25:22 2019 +0800
[CXF-7984]:UsernameTokenInterceptor doesn't respect contextual property 'allowNamespaceQualifiedPasswordTypes'
---
.../ws/security/wss4j/UsernameTokenInterceptor.java | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
index 4eefbc6..55855b5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
@@ -49,6 +49,7 @@ import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.PolicyUtils;
+import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.WSS4JConstants;
import org.apache.wss4j.common.bsp.BSPEnforcer;
import org.apache.wss4j.common.cache.ReplayCache;
@@ -99,6 +100,7 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
&& WSS4JConstants.WSSE_NS.equals(child.getNamespaceURI())) {
try {
boolean bspCompliant = isWsiBSPCompliant(message);
+ boolean allowNSPasswdTypes = allowNamespaceQualifiedPWDTypes(message);
Principal principal = null;
Subject subject = null;
Object transformedToken = null;
@@ -109,10 +111,10 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
transformedToken = result.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
principal = (Principal)result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
if (principal == null) {
- principal = parseTokenAndCreatePrincipal(child, bspCompliant);
+ principal = parseTokenAndCreatePrincipal(child, bspCompliant, allowNSPasswdTypes);
}
} else {
- principal = parseTokenAndCreatePrincipal(child, bspCompliant);
+ principal = parseTokenAndCreatePrincipal(child, bspCompliant, allowNSPasswdTypes);
WSS4JTokenConverter.convertToken(message, principal);
}
@@ -235,11 +237,13 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
}
}
- protected UsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement, boolean bspCompliant)
+ protected UsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement, boolean bspCompliant,
+ boolean allowNamespaceQualifiedPWDTypes)
throws WSSecurityException, Base64DecodingException {
BSPEnforcer bspEnforcer = new org.apache.wss4j.common.bsp.BSPEnforcer(!bspCompliant);
org.apache.wss4j.dom.message.token.UsernameToken ut =
- new org.apache.wss4j.dom.message.token.UsernameToken(tokenElement, false, bspEnforcer);
+ new org.apache.wss4j.dom.message.token.UsernameToken(tokenElement, allowNamespaceQualifiedPWDTypes,
+ bspEnforcer);
WSUsernameTokenPrincipalImpl principal = new WSUsernameTokenPrincipalImpl(ut.getName(), ut.isHashed());
if (ut.getNonce() != null) {
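Review bot: The protected two-argument `parseTokenAndCreatePrincipal(Element, boolean)` is replaced rather than kept, so a subclass that overrides the old signature still compiles but is silently bypassed, and any external caller of it stops compiling. Keeping the old signature as a delegating overload preserves both: `protected UsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement, boolean bspCompliant) throws WSSecurityException, Base64DecodingException { return parseTokenAndCreatePrincipal(tokenElement, bspCompliant, false); }`, with `false` being the value the removed constructor call hard-coded. The new parameter also has no Javadoc; a line such as `@param allowNamespaceQualifiedPWDTypes whether namespace-qualified password Type values are accepted (ConfigurationConstants.ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES)` would document it. The method's body continues past the end of the hunk.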
@@ -257,7 +261,11 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
// Default to WSI-BSP compliance enabled
return !("false".equals(bspc) || "0".equals(bspc));
}
-
+ private boolean allowNamespaceQualifiedPWDTypes(final SoapMessage message) {
+ String allow = (String)message
+ .getContextualProperty(ConfigurationConstants.ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES);
+ return !("false".equals(allow) || "0".equals(allow));
+ }
private boolean isAllowNoPassword(AssertionInfoMap aim) throws WSSecurityException {
Collection<AssertionInfo> ais =
PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
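Review bot: `allowNamespaceQualifiedPWDTypes` returns true when the property is unset (`"false".equals(null)` and `"0".equals(null)` are both false), so the default flips from the literal `false` the old constructor call passed to `true`: an unconfigured endpoint now accepts namespace-qualified password types where it previously rejected them. The shape looks copied from `isWsiBSPCompliant` above, whose intended default is enabled; here the opposite default appears intended (WSS4J itself defaults this setting to false, as far as I recall), so consider `return "true".equals(allow) || "1".equals(allow);` unless the relaxation is deliberate. The `(String)` cast also throws `ClassCastException` if the property was set as a `Boolean`, which CXF contextual properties commonly are; `MessageUtils.isTrue(message.getContextualProperty(...))` handles both forms if `MessageUtils` is in scope in this file. Either way, a comment stating the chosen default, like the `// Default to WSI-BSP compliance enabled` line above, would make the intent explicit.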