Posted to commits@ws.apache.org by gi...@apache.org on 2012/09/13 21:18:49 UTC
svn commit: r1384479 - in /webservices/wss4j/trunk:
ws-security-common/src/main/java/org/apache/ws/security/common/ext/
ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/
ws-security-stax/src/main/java/org/apache/ws/security...
Author: giger
Date: Thu Sep 13 19:18:49 2012
New Revision: 1384479
URL: http://svn.apache.org/viewvc?rev=1384479&view=rev
Log:
SANTUARIO-327 - secure validation
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/ext/WSSecurityException.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/ext/WSSecurityException.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/ext/WSSecurityException.java?rev=1384479&r1=1384478&r2=1384479&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/ext/WSSecurityException.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/ext/WSSecurityException.java Thu Sep 13 19:18:49 2012
@@ -286,7 +286,11 @@ public class WSSecurityException extends
msg = xmlsecResources.getString(errorCodeString);
}
if (msgId != null) {
- return msg += (" (" + MessageFormat.format(resources.getString(msgId), arguments) + ")");
+ if (resources.containsKey(msgId)) {
+ return msg += (" (" + MessageFormat.format(resources.getString(msgId), arguments) + ")");
+ } else {
+ return msg += (" (" + MessageFormat.format(xmlsecResources.getString(msgId), arguments) + ")");
+ }
}
} catch (MissingResourceException e) {
throw new RuntimeException("Undefined '" + msgId + "' resource property", e);
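Review bot: The two new branches differ only in which bundle they read, and both keep the pre-existing `return msg += (...)` form, which mutates a local inside a return for no benefit; selecting the bundle first removes the duplication, e.g. `ResourceBundle bundle = resources.containsKey(msgId) ? resources : xmlsecResources;` followed by `return msg + " (" + MessageFormat.format(bundle.getString(msgId), arguments) + ")";` (assuming both fields are `ResourceBundle`, as `getString`/`containsKey` suggest). The fallback to `xmlsecResources` is reasonable, but the `catch (MissingResourceException e)` below now also covers a key absent from both bundles, so the resulting "Undefined 'msgId' resource property" message would be worth a one-line comment saying both bundles were consulted. The enclosing method starts and ends outside the hunk.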
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java?rev=1384479&r1=1384478&r2=1384479&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java Thu Sep 13 19:18:49 2012
@@ -18,6 +18,8 @@
*/
package org.apache.ws.security.policy.stax.test;
+import org.apache.ws.security.stax.WSSec;
+import org.apache.xml.security.stax.config.Init;
import org.opensaml.common.SAMLVersion;
import org.apache.ws.security.common.ext.WSSecurityException;
import org.apache.ws.security.common.saml.builder.SAML2Constants;
@@ -1207,6 +1209,8 @@ public class AsymmetricBindingIntegratio
inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
try {
+ Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());
+ switchAllowMD5Algorithm(true);
Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
//read the whole stream:
@@ -1225,6 +1229,8 @@ public class AsymmetricBindingIntegratio
Assert.assertEquals(e.getCause().getMessage(), "An error was discovered processing the <wsse:Security> header; nested exception is: \n" +
"\torg.apache.ws.security.policy.stax.PolicyViolationException: \n" +
"Digest algorithm http://www.w3.org/2001/04/xmldsig-more#md5 does not meet policy");
+ } finally {
+ switchAllowMD5Algorithm(false);
}
}
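Review bot: The `finally` block resets `allowMD5Algorithm` to `false` unconditionally rather than to the value in effect before the test, and since the flag is a JVM-wide static on `SecurityContextImpl` (see the reflection helper in AbstractTestBase), any other test in the same JVM that expects a different configured value can be affected. If `switchAllowMD5Algorithm` returned the previous value the way the `changeValueOf*` helpers do, the test could write `Boolean previous = switchAllowMD5Algorithm(true);` before the call and `switchAllowMD5Algorithm(previous);` in the `finally`. The same pattern appears in TransportBindingIntegrationTest at the `} finally {` hunk. The enclosing test method starts outside the hunk.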
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java?rev=1384479&r1=1384478&r2=1384479&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java Thu Sep 13 19:18:49 2012
@@ -22,11 +22,13 @@ import org.apache.ws.security.common.bsp
import org.apache.ws.security.common.ext.WSSecurityException;
import org.apache.ws.security.policy.stax.PolicyEnforcer;
import org.apache.ws.security.policy.stax.PolicyInputProcessor;
+import org.apache.ws.security.stax.WSSec;
import org.apache.ws.security.stax.ext.WSSConstants;
import org.apache.ws.security.stax.ext.WSSSecurityProperties;
import org.apache.ws.security.stax.impl.securityToken.HttpsSecurityToken;
import org.apache.ws.security.stax.securityEvent.HttpsTokenSecurityEvent;
import org.apache.ws.security.stax.test.CallbackHandlerImpl;
+import org.apache.xml.security.stax.config.Init;
import org.apache.xml.security.stax.ext.SecurePart;
import org.apache.xml.security.stax.ext.SecurityToken;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
@@ -1168,6 +1170,8 @@ public class TransportBindingIntegration
securityEventList.add(httpsTokenSecurityEvent);
try {
+ Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());
+ switchAllowMD5Algorithm(true);
Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), securityEventList, policyEnforcer);
//read the whole stream:
@@ -1186,6 +1190,8 @@ public class TransportBindingIntegration
Assert.assertEquals(e.getCause().getMessage(), "An error was discovered processing the <wsse:Security> header; nested exception is: \n" +
"\torg.apache.ws.security.policy.stax.PolicyViolationException: \n" +
"Digest algorithm http://www.w3.org/2001/04/xmldsig-more#md5 does not meet policy");
+ } finally {
+ switchAllowMD5Algorithm(false);
}
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java?rev=1384479&r1=1384478&r2=1384479&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java Thu Sep 13 19:18:49 2012
@@ -218,6 +218,13 @@ public class WSSSignatureReferenceVerify
}
List<TransformType> transformTypeList = referenceType.getTransforms().getTransform();
+ if (transformTypeList.size() > maximumAllowedTransformsPerReference) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY,
+ "secureProcessing.MaximumAllowedTransformsPerReference",
+ transformTypeList.size(),
+ maximumAllowedTransformsPerReference);
+ }
+
String algorithm = null;
Transformer parentTransformer = null;
for (int i = transformTypeList.size() - 1; i >= 0; i--) {
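Review bot: The new bound is applied after `referenceType.getTransforms().getTransform()` on the line above has already materialised the complete transform list, so it limits transform execution rather than parsing; that is a sensible place, but the check deserves a comment because the limit and its configuration key live in the abstract base class, e.g. `// Secure-validation bound: reject a Reference with more transforms than "MaximumAllowedTransformsPerReference" before any Transformer is instantiated.`. If `maximumAllowedTransformsPerReference` is a boxed `Integer` populated from the configuration (the AbstractTestBase helpers read it as `Integer`), the `>` comparison unboxes and would throw NullPointerException instead of a WSSecurityException when the configuration has not been initialised — the new tests call `Init.init(...)` first, which hints at that dependency; confirm and either document or null-check it. The enclosing method starts and ends outside the hunk.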
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java?rev=1384479&r1=1384478&r2=1384479&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java Thu Sep 13 19:18:49 2012
@@ -41,6 +41,10 @@ import org.apache.ws.security.stax.test.
import org.apache.ws.security.stax.test.utils.StAX2DOM;
import org.apache.ws.security.stax.test.utils.XmlReaderToWriter;
import org.apache.xml.security.stax.ext.XMLSecurityException;
+import org.apache.xml.security.stax.impl.SecurityContextImpl;
+import org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor;
+import org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor;
+import org.apache.xml.security.stax.impl.processor.input.XMLEventReaderInputProcessor;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
@@ -64,6 +68,8 @@ import javax.xml.xpath.XPathExpressionEx
import javax.xml.xpath.XPathFactory;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
import java.util.*;
import java.util.logging.Level;
import java.util.logging.LogManager;
@@ -656,4 +662,84 @@ public abstract class AbstractTestBase {
}
}
}
+
+ //sometimes I really like reflection. We can fix jdk bugs which will never be fixed, we can do other funny things and
+ //we can also change "private static final" fields for testing:-)
+ //But keep in mind that this only works for Objects and not primitive types. Primitive types will be inlined...
+ public static void switchAllowNotSameDocumentReferences(Boolean value) throws NoSuchFieldException, IllegalAccessException {
+
+ Field field = AbstractSignatureReferenceVerifyInputProcessor.class.getDeclaredField("allowNotSameDocumentReferences");
+ field.setAccessible(true);
+
+ Field modifiersField = Field.class.getDeclaredField("modifiers");
+ modifiersField.setAccessible(true);
+ modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
+
+ field.set(null, value);
+ }
+
+ public static void switchDoNotThrowExceptionForManifests(Boolean value) throws NoSuchFieldException, IllegalAccessException {
+ Field field = AbstractSignatureReferenceVerifyInputProcessor.class.getDeclaredField("doNotThrowExceptionForManifests");
+ field.setAccessible(true);
+
+ Field modifiersField = Field.class.getDeclaredField("modifiers");
+ modifiersField.setAccessible(true);
+ modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
+
+ field.set(null, value);
+ }
+
+ public static int changeValueOfMaximumAllowedReferencesPerManifest(Integer value) throws NoSuchFieldException, IllegalAccessException {
+ Field field = AbstractSignatureReferenceVerifyInputProcessor.class.getDeclaredField("maximumAllowedReferencesPerManifest");
+ field.setAccessible(true);
+
+ Field modifiersField = Field.class.getDeclaredField("modifiers");
+ modifiersField.setAccessible(true);
+ modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
+
+ Integer oldval = (Integer)field.get(null);
+ field.set(null, value);
+ return oldval;
+ }
+
+ public static int changeValueOfMaximumAllowedTransformsPerReference(Integer value) throws NoSuchFieldException, IllegalAccessException {
+ Field field = AbstractSignatureReferenceVerifyInputProcessor.class.getDeclaredField("maximumAllowedTransformsPerReference");
+ field.setAccessible(true);
+
+ Field modifiersField = Field.class.getDeclaredField("modifiers");
+ modifiersField.setAccessible(true);
+ modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
+
+ Integer oldval = (Integer)field.get(null);
+ field.set(null, value);
+ return oldval;
+ }
+
+ public static void switchAllowMD5Algorithm(Boolean value) throws NoSuchFieldException, IllegalAccessException {
+ Field field = SecurityContextImpl.class.getDeclaredField("allowMD5Algorithm");
+ field.setAccessible(true);
+
+ Field modifiersField = Field.class.getDeclaredField("modifiers");
+ modifiersField.setAccessible(true);
+ modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
+
+ field.set(null, value);
+ }
+
+ public static int changeValueOfMaximumAllowedXMLStructureDepth(Integer value) throws NoSuchFieldException, IllegalAccessException {
+ Field xmlEventReaderInputProcessorField = XMLEventReaderInputProcessor.class.getDeclaredField("maximumAllowedXMLStructureDepth");
+ xmlEventReaderInputProcessorField.setAccessible(true);
+ Field abstractDecryptInputProcessorField = AbstractDecryptInputProcessor.class.getDeclaredField("maximumAllowedXMLStructureDepth");
+ abstractDecryptInputProcessorField.setAccessible(true);
+
+ Field modifiersField = Field.class.getDeclaredField("modifiers");
+ modifiersField.setAccessible(true);
+ modifiersField.setInt(xmlEventReaderInputProcessorField, xmlEventReaderInputProcessorField.getModifiers() & ~Modifier.FINAL);
+ modifiersField.setInt(abstractDecryptInputProcessorField, abstractDecryptInputProcessorField.getModifiers() & ~Modifier.FINAL);
+
+ Integer oldval = (Integer)xmlEventReaderInputProcessorField.get(null);
+ xmlEventReaderInputProcessorField.set(null, value);
+ abstractDecryptInputProcessorField.set(null, value);
+ return oldval;
+ }
}
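Review bot: The six helpers each repeat the same five-line "look up field, setAccessible, strip FINAL via `Field.modifiers`" sequence; a single private helper that returns the writable `Field` removes the duplication and gives one place to comment that this relies on a JDK-private slot of `java.lang.reflect.Field`, which is not a supported API. Separately, `changeValueOfMaximumAllowedXMLStructureDepth` writes both statics but returns only the `XMLEventReaderInputProcessor` value, so if the two limits ever differ the `AbstractDecryptInputProcessor` value cannot be restored by the caller; and the `switch*` helpers return nothing, which forces callers to reset the flags to a hard-coded `false` in their `finally` blocks rather than to the previous value. The sketch below shows the shared helper and one switch method returning the old value; the remaining helpers follow the same shape.
```java
    /** Returns the named static field with FINAL stripped so tests can rewrite it; depends on the JDK-private Field.modifiers slot. */
    private static Field writableStaticField(Class<?> owner, String name) throws NoSuchFieldException, IllegalAccessException {
        Field field = owner.getDeclaredField(name);
        field.setAccessible(true);
        Field modifiersField = Field.class.getDeclaredField("modifiers");
        modifiersField.setAccessible(true);
        modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
        return field;
    }

    /** Sets the global MD5 switch and returns the value that was in effect, so callers can restore it in a finally block. */
    public static Boolean switchAllowMD5Algorithm(Boolean value) throws NoSuchFieldException, IllegalAccessException {
        Field field = writableStaticField(SecurityContextImpl.class, "allowMD5Algorithm");
        Boolean oldval = (Boolean) field.get(null);
        field.set(null, value);
        return oldval;
    }
    // … unchanged: remaining switch*/changeValueOf* helpers, rewritten over writableStaticField in the same way …
```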
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java?rev=1384479&r1=1384478&r2=1384479&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java Thu Sep 13 19:18:49 2012
@@ -19,12 +19,15 @@
package org.apache.ws.security.stax.test;
import org.apache.ws.security.common.bsp.BSPRule;
+import org.apache.ws.security.common.ext.WSSecurityException;
import org.apache.ws.security.dom.handler.WSHandlerConstants;
import org.apache.ws.security.stax.WSSec;
import org.apache.ws.security.stax.ext.InboundWSSec;
import org.apache.ws.security.stax.ext.WSSConstants;
import org.apache.ws.security.stax.ext.WSSSecurityProperties;
+import org.apache.ws.security.stax.securityEvent.WSSecurityEventConstants;
import org.apache.ws.security.stax.test.utils.StAX2DOM;
+import org.apache.xml.security.stax.config.Init;
import org.apache.xml.security.stax.ext.XMLSecurityException;
import org.testng.Assert;
import org.testng.annotations.Test;
@@ -39,9 +42,7 @@ import javax.xml.transform.dom.DOMSource
import javax.xml.transform.stream.StreamResult;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.InputStream;
+import java.io.*;
import java.util.Properties;
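Review bot: The three explicit `java.io` imports are replaced by the wildcard `import java.io.*;`, whereas every other file touched by this commit lists classes individually; keeping the explicit form is consistent and avoids pulling unrelated `java.io` names into scope: `import java.io.ByteArrayInputStream;`, `import java.io.ByteArrayOutputStream;`, `import java.io.InputStream;`.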
/**
@@ -310,4 +311,217 @@ public class VulnerabliltyVectorsTest ex
}
}
}
+
+ @Test
+ public void testMaximumAllowedReferencesPerManifest() throws Exception {
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+
+ String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT;
+ Properties properties = new Properties();
+ properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://www.w3.org/1999/XMLSchema}complexType;{Element}{http://www.w3.org/1999/XMLSchema}simpleType;");
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ //we have to disable the schema validation until WSS4J-DOM is fixed. WSS4J generates an empty PrefixList which is not schema valid!
+ securityProperties.setDisableSchemaValidation(true);
+
+ try {
+ Document document = doInboundSecurity(securityProperties,
+ xmlInputFactory.createXMLStreamReader(
+ new ByteArrayInputStream(baos.toByteArray())));
+ Assert.fail("Expected XMLStreamException");
+ } catch (XMLStreamException e) {
+ Assert.assertTrue(e.getCause() instanceof WSSecurityException);
+ Assert.assertEquals(e.getCause().getMessage(), "An error was discovered processing the <wsse:Security> " +
+ "header (43 references are contained in the Manifest, maximum 30 are allowed. You can raise the " +
+ "maximum via the \"MaximumAllowedReferencesPerManifest\" property in the configuration.)");
+ }
+ }
+
+ @Test
+ public void testMaximumAllowedTransformsPerReference() throws Exception {
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+
+ String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT;
+ Properties properties = new Properties();
+ properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ //we have to disable the schema validation until WSS4J-DOM is fixed. WSS4J generates an empty PrefixList which is not schema valid!
+ securityProperties.setDisableSchemaValidation(true);
+
+ int oldval = 0;
+ try {
+ Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());
+ oldval = changeValueOfMaximumAllowedTransformsPerReference(0);
+ Document document = doInboundSecurity(securityProperties,
+ xmlInputFactory.createXMLStreamReader(
+ new ByteArrayInputStream(baos.toByteArray())));
+ Assert.fail("Expected XMLStreamException");
+ } catch (XMLStreamException e) {
+ Assert.assertTrue(e.getCause() instanceof WSSecurityException);
+ Assert.assertEquals(e.getCause().getMessage(), "An error was discovered processing the <wsse:Security> " +
+ "header (1 transforms are contained in the Reference, maximum 0 are allowed. You can raise the " +
+ "maximum via the \"MaximumAllowedTransformsPerReference\" property in the configuration.)");
+ } finally {
+ changeValueOfMaximumAllowedTransformsPerReference(oldval);
+ }
+ }
+
+
+ @Test
+ public void testDisallowMD5Algorithm() throws Exception {
+ WSSSecurityProperties outboundSecurityProperties = new WSSSecurityProperties();
+ outboundSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ outboundSecurityProperties.setEncryptionUser("receiver");
+ outboundSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ outboundSecurityProperties.setSignatureUser("transmitter");
+ outboundSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ outboundSecurityProperties.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-md5");
+ WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.TIMESTAMP, WSSConstants.SIGNATURE, WSSConstants.ENCRYPT};
+ outboundSecurityProperties.setOutAction(actions);
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ ByteArrayOutputStream baos = doOutboundSecurity(outboundSecurityProperties, sourceDocument);
+
+ WSSSecurityProperties inboundsecurityProperties = new WSSSecurityProperties();
+ inboundsecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ inboundsecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ inboundsecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ inboundsecurityProperties.addIgnoreBSPRule(BSPRule.R5421);
+
+ try {
+ Document document = doInboundSecurity(inboundsecurityProperties,
+ xmlInputFactory.createXMLStreamReader(
+ new ByteArrayInputStream(baos.toByteArray())));
+ Assert.fail("Expected XMLStreamException");
+ } catch (XMLStreamException e) {
+ Assert.assertEquals(e.getMessage(), "org.apache.xml.security.stax.ext.XMLSecurityException: " +
+ "An error was discovered processing the <wsse:Security> header (The use of MD5 algorithm is " +
+ "strongly discouraged. Nonetheless can it be enabled via the \"AllowMD5Algorithm\" property in the configuration.)");
+ }
+ }
+
+
+ @Test
+ public void testAllowMD5Algorithm() throws Exception {
+ WSSSecurityProperties outboundSecurityProperties = new WSSSecurityProperties();
+ outboundSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ outboundSecurityProperties.setEncryptionUser("receiver");
+ outboundSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ outboundSecurityProperties.setSignatureUser("transmitter");
+ outboundSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ outboundSecurityProperties.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-md5");
+ WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.TIMESTAMP, WSSConstants.SIGNATURE, WSSConstants.ENCRYPT};
+ outboundSecurityProperties.setOutAction(actions);
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ ByteArrayOutputStream baos = doOutboundSecurity(outboundSecurityProperties, sourceDocument);
+
+ WSSSecurityProperties inboundsecurityProperties = new WSSSecurityProperties();
+ inboundsecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ inboundsecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ inboundsecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ inboundsecurityProperties.addIgnoreBSPRule(BSPRule.R5421);
+
+ try {
+ Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());
+ switchAllowMD5Algorithm(true);
+ Document document = doInboundSecurity(inboundsecurityProperties,
+ xmlInputFactory.createXMLStreamReader(
+ new ByteArrayInputStream(baos.toByteArray())));
+ } finally {
+ switchAllowMD5Algorithm(false);
+ }
+ }
+
+ @Test
+ public void testMaximumAllowedXMLStructureDepth() throws Exception {
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+
+ String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE;
+ Properties properties = new Properties();
+ properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ //we have to disable the schema validation until WSS4J-DOM is fixed. WSS4J generates an empty PrefixList which is not schema valid!
+ securityProperties.setDisableSchemaValidation(true);
+
+ int oldval = 0;
+ try {
+ Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());
+ oldval = changeValueOfMaximumAllowedXMLStructureDepth(10);
+ Document document = doInboundSecurity(securityProperties,
+ xmlInputFactory.createXMLStreamReader(
+ new ByteArrayInputStream(baos.toByteArray())));
+ Assert.fail("Expected XMLStreamException");
+ } catch (XMLStreamException e) {
+ Assert.assertEquals(e.getCause().getMessage(), "An error was discovered processing the <wsse:Security> " +
+ "header (Maximum depth (10) of the XML structure reached. You can raise the maximum via the " +
+ "\"MaximumAllowedXMLStructureDepth\" property in the configuration.)");
+ } finally {
+ changeValueOfMaximumAllowedXMLStructureDepth(oldval);
+ }
+ }
+
+ @Test
+ public void testMaximumAllowedXMLStructureDepthInEncryptedContent() throws Exception {
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+
+ String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT;
+ Properties properties = new Properties();
+ properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ //we have to disable the schema validation until WSS4J-DOM is fixed. WSS4J generates an empty PrefixList which is not schema valid!
+ securityProperties.setDisableSchemaValidation(true);
+
+ int oldval = 0;
+ try {
+ Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());
+ oldval = changeValueOfMaximumAllowedXMLStructureDepth(10);
+ Document document = doInboundSecurity(securityProperties,
+ xmlInputFactory.createXMLStreamReader(
+ new ByteArrayInputStream(baos.toByteArray())));
+ Assert.fail("Expected XMLStreamException");
+ } catch (XMLStreamException e) {
+ Assert.assertEquals(e.getCause().getMessage(), "An error was discovered processing the <wsse:Security> " +
+ "header (Maximum depth (10) of the XML structure reached. You can raise the maximum via the " +
+ "\"MaximumAllowedXMLStructureDepth\" property in the configuration.)");
+ } finally {
+ changeValueOfMaximumAllowedXMLStructureDepth(oldval);
+ }
+ }
}
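Review bot: In `testMaximumAllowedTransformsPerReference` the `int oldval = 0;` initialiser combined with the `finally` means that if `Init.init(...)` or the resource lookup throws before `changeValueOfMaximumAllowedTransformsPerReference(0)` has run (for example `getResource(...)` returning null and `.toURI()` throwing NullPointerException), the `finally` writes `0` into the JVM-wide limit and every later signature test in the same JVM fails for the wrong reason; `testMaximumAllowedXMLStructureDepth` and `testMaximumAllowedXMLStructureDepthInEncryptedContent` have the same shape with `10`. Moving the setup out of the guarded region fixes it: `Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());` then `int oldval = changeValueOfMaximumAllowedTransformsPerReference(0);` before the `try`, leaving the `finally` as it is. `testMaximumAllowedReferencesPerManifest` is the only new test that does not call `Init.init(...)` before `doInboundSecurity`, which may be intentional since it relies on the default limit, but a comment saying so would stop a reader from treating it as an omission. The two XML-depth tests differ only in the `action` string and could share a private helper taking the action.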