Posted to commits@cxf.apache.org by em...@apache.org on 2019/02/28 09:25:40 UTC

[cxf] branch master updated: [CXF-7984]:UsernameTokenInterceptor doesn't respect contextual property 'allowNamespaceQualifiedPasswordTypes'

This is an automated email from the ASF dual-hosted git repository.

ema pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new f95b4fe  [CXF-7984]:UsernameTokenInterceptor doesn't respect contextual property 'allowNamespaceQualifiedPasswordTypes'
f95b4fe is described below

commit f95b4feda04c115a9cb1f35650cb448f1adeba39
Author: Jim Ma <em...@apache.org>
AuthorDate: Thu Feb 28 17:25:22 2019 +0800

    [CXF-7984]:UsernameTokenInterceptor doesn't respect contextual property 'allowNamespaceQualifiedPasswordTypes'
---
 .../ws/security/wss4j/UsernameTokenInterceptor.java    | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
index 4eefbc6..55855b5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
@@ -49,6 +49,7 @@ import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
+import org.apache.wss4j.common.ConfigurationConstants;
 import org.apache.wss4j.common.WSS4JConstants;
 import org.apache.wss4j.common.bsp.BSPEnforcer;
 import org.apache.wss4j.common.cache.ReplayCache;
@@ -99,6 +100,7 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
                 && WSS4JConstants.WSSE_NS.equals(child.getNamespaceURI())) {
                 try {
                     boolean bspCompliant = isWsiBSPCompliant(message);
+                    boolean allowNSPasswdTypes = allowNamespaceQualifiedPWDTypes(message);
                     Principal principal = null;
                     Subject subject = null;
                     Object transformedToken = null;
@@ -109,10 +111,10 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
                         transformedToken = result.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
                         principal = (Principal)result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
                         if (principal == null) {
-                            principal = parseTokenAndCreatePrincipal(child, bspCompliant);
+                            principal = parseTokenAndCreatePrincipal(child, bspCompliant, allowNSPasswdTypes);
                         }
                     } else {
-                        principal = parseTokenAndCreatePrincipal(child, bspCompliant);
+                        principal = parseTokenAndCreatePrincipal(child, bspCompliant, allowNSPasswdTypes);
                         WSS4JTokenConverter.convertToken(message, principal);
                     }
 
@@ -235,11 +237,13 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
         }
     }
 
-    protected UsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement, boolean bspCompliant)
+    protected UsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement, boolean bspCompliant,
+                                                                  boolean allowNamespaceQualifiedPWDTypes)
         throws WSSecurityException, Base64DecodingException {
         BSPEnforcer bspEnforcer = new org.apache.wss4j.common.bsp.BSPEnforcer(!bspCompliant);
         org.apache.wss4j.dom.message.token.UsernameToken ut =
-            new org.apache.wss4j.dom.message.token.UsernameToken(tokenElement, false, bspEnforcer);
+            new org.apache.wss4j.dom.message.token.UsernameToken(tokenElement, allowNamespaceQualifiedPWDTypes, 
+                                                                 bspEnforcer);
 
         WSUsernameTokenPrincipalImpl principal = new WSUsernameTokenPrincipalImpl(ut.getName(), ut.isHashed());
         if (ut.getNonce() != null) {
@@ -257,7 +261,11 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
         // Default to WSI-BSP compliance enabled
         return !("false".equals(bspc) || "0".equals(bspc));
     }
-
+    private boolean allowNamespaceQualifiedPWDTypes(final SoapMessage message) {
+        String allow = (String)message
+            .getContextualProperty(ConfigurationConstants.ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES);
+        return !("false".equals(allow) || "0".equals(allow));
+    }
     private boolean isAllowNoPassword(AssertionInfoMap aim) throws WSSecurityException {
         Collection<AssertionInfo> ais =
             PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
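Review bot: The new `allowNamespaceQualifiedPWDTypes` at L79-L83 returns `true` when the property is unset, so this commit does more than "respect" the property: it flips the interceptor's default from the `false` previously hard-coded into the UsernameToken constructor to accepting namespace-qualified password types unless someone explicitly sets the property to "false"/"0". Unless the intent was to relax the default, the unset case should keep the stricter prior behaviour, e.g. `return "true".equalsIgnoreCase(allow) || "1".equals(allow);`, which also stays in line with what I believe is WSS4J's own default of false for this option (confirm against the WSS4J version in use). The `(String)` cast on L80 will also throw a ClassCastException if a caller sets the property as a `Boolean`, which is common for CXF contextual properties; `MessageUtils.getContextualBoolean(message, ConfigurationConstants.ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES, false)` handles both forms and the default in one call (it would need an import of `org.apache.cxf.message.MessageUtils`). As a style point, the blank line removed at L78 should be restored between `isWsiBSPCompliant` and the new method, and one added before `isAllowNoPassword` at L84.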