Posted to commits@cxf.apache.org by dk...@apache.org on 2009/02/24 23:26:35 UTC
svn commit: r747584 - in /cxf/trunk/rt/ws/security: ./
src/main/java/org/apache/cxf/ws/security/policy/interceptors/
src/main/java/org/apache/cxf/ws/security/tokenstore/
src/main/java/org/apache/cxf/ws/security/trust/
src/main/java/org/apache/cxf/ws/se...
Author: dkulp
Date: Tue Feb 24 22:26:35 2009
New Revision: 747584
URL: http://svn.apache.org/viewvc?rev=747584&view=rev
Log:
Update a BUNCH of stuff for WS-SC to get Token id's correct in the output. This requires a bunch of fixes to WSS4J so had to set it to use the latest snapshots
Modified:
cxf/trunk/rt/ws/security/pom.xml
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
Modified: cxf/trunk/rt/ws/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/pom.xml?rev=747584&r1=747583&r2=747584&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/pom.xml (original)
+++ cxf/trunk/rt/ws/security/pom.xml Tue Feb 24 22:26:35 2009
@@ -93,7 +93,7 @@
<dependency>
<groupId>org.apache.ws.security</groupId>
<artifactId>wss4j</artifactId>
- <version>1.5.5</version>
+ <version>1.5.6-SNAPSHOT</version>
<exclusions>
<exclusion>
<groupId>axis</groupId>
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java?rev=747584&r1=747583&r2=747584&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java Tue Feb 24 22:26:35 2009
@@ -237,6 +237,7 @@
client.setAddressingNamespace(maps.getNamespaceURI());
tok = client.requestSecurityToken(s);
}
+ tok.setTokenType(WSConstants.WSC_SCT);
} catch (RuntimeException e) {
throw e;
} catch (Exception e) {
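Review bot: The added `tok.setTokenType(WSConstants.WSC_SCT);` pins every negotiated token to a single secure-conversation token type, while STSUtils in this same commit distinguishes TOKEN_TYPE_SCT_05_02 from TOKEN_TYPE_SCT_05_12; if WSConstants.WSC_SCT is the 2005/02 value, a token negotiated under the 200512 namespace will carry the wrong ValueType when SymmetricBindingHandler later copies getTokenType() into the wsse:Reference. Consider selecting STSUtils.TOKEN_TYPE_SCT_05_02 or STSUtils.TOKEN_TYPE_SCT_05_12 according to the namespace the policy or STS response actually used, or documenting why the 2005/02 type is always correct here. The same hard-coded value is set again in the `@@ -463` hunk of this file (`token.setTokenType(WSConstants.WSC_SCT)`). The enclosing method starts before this hunk, and whether `tok` can still be null after the if/else is not visible here; if it can, the new line throws NullPointerException inside the try and `catch (RuntimeException e) { throw e; }` rethrows it with no context.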
@@ -303,7 +304,7 @@
SecurityContextToken tok
= (SecurityContextToken)wser
.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
- message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getIdentifier());
+ message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getID());
}
}
}
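Review bot: The switch from `tok.getIdentifier()` to `tok.getID()` changes what is stored under SecurityConstants.TOKEN_ID from the SCT's Identifier URI to the element's wsu:Id, and nothing at the call site says why, so a later reader could plausibly revert it. Suggest a comment on the put line: `// store the wsu:Id, not the Identifier: the MemoryTokenStore lookup in this commit matches tokens by SecurityToken.getWsuId()`. Also consider what getID() yields when the incoming SecurityContextToken carries no wsu:Id (presumably null or empty); the exchange entry would then be useless for the lookup, and a null check before the put would make that failure explicit rather than deferred. The enclosing method starts before this hunk.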
@@ -463,6 +464,7 @@
SecurityToken token = new SecurityToken(sct.getIdentifier(), created, expires);
token.setToken(sct.getElement());
+ token.setTokenType(WSConstants.WSC_SCT);
writer.getCurrentNode().appendChild(sct.getElement());
writer.writeEndElement();
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java?rev=747584&r1=747583&r2=747584&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/MemoryTokenStore.java Tue Feb 24 22:26:35 2009
@@ -26,12 +26,7 @@
import java.util.concurrent.ConcurrentHashMap;
-import org.w3c.dom.Element;
-
import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.message.token.Reference;
/**
*
@@ -78,12 +73,7 @@
SecurityToken token = tokens.get(id);
if (token == null) {
for (SecurityToken t : tokens.values()) {
- Element elem = t.getAttachedReference();
- if (elem != null && id.equals(getIdFromSTR(elem))) {
- return t;
- }
- elem = t.getUnattachedReference();
- if (elem != null && id.equals(getIdFromSTR(elem))) {
+ if (id.equals(t.getWsuId())) {
return t;
}
}
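Review bot: The fallback loop now matches on `t.getWsuId()` without saying how that id relates to the key the token was stored under; a one-line comment would help: `// id may be the wsu:Id carried in the token's attached/unattached STR rather than the key it was stored under`. Note that getWsuId() inspects the DOM of both references on each call, so every miss on the map costs one such inspection per stored token; acceptable for a small in-memory store, but worth stating in the comment if the store is expected to grow. The enclosing method starts before this hunk.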
@@ -112,21 +102,6 @@
}
}
- public static String getIdFromSTR(Element str) {
- Element child = DOMUtils.getFirstElement(str);
- if (child == null) {
- return null;
- }
-
- if ("KeyInfo".equals(child.getLocalName())
- && WSConstants.SIG_NS.equals(child.getNamespaceURI())) {
- return DOMUtils.getContent(child);
- } else if (Reference.TOKEN.getLocalPart().equals(child.getLocalName())
- && Reference.TOKEN.getNamespaceURI().equals(child.getNamespaceURI())) {
- return child.getAttribute("URI").substring(1);
- }
- return null;
- }
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java?rev=747584&r1=747583&r2=747584&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java Tue Feb 24 22:26:35 2009
@@ -31,6 +31,7 @@
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.staxutils.W3CDOMStreamWriter;
import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.message.token.Reference;
/**
@@ -120,6 +121,12 @@
*/
private String encrKeySha1Value;
+
+ /**
+ * The tokenType
+ */
+ private String tokenType;
+
public SecurityToken() {
}
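Review bot: The Javadoc `The tokenType` on the new field only restates its name; say what the value is and where it is consumed, e.g. `/** ValueType URI identifying the kind of token (for an SCT, the secure-conversation token type); per the SymmetricBindingHandler changes, used as the wsse:Reference ValueType when the token is referenced from signatures and encrypted keys. */`. Stating that it may be null (every consumer in this commit checks `getTokenType() != null` first) would also save readers a trip to the call sites.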
@@ -348,4 +355,49 @@
public String getSHA1() {
return encrKeySha1Value;
}
+
+ public String getTokenType() {
+ return tokenType;
+ }
+
+ public void setTokenType(String s) {
+ tokenType = s;
+ }
+
+
+ public String getWsuId() {
+ Element elem = getAttachedReference();
+ if (elem != null) {
+ String t = getIdFromSTR(elem);
+ if (t != null) {
+ return t;
+ }
+ }
+ elem = getUnattachedReference();
+ if (elem != null) {
+ String t = getIdFromSTR(elem);
+ if (t != null) {
+ return t;
+ }
+ }
+ return null;
+ }
+
+ public static String getIdFromSTR(Element str) {
+ Element child = DOMUtils.getFirstElement(str);
+ if (child == null) {
+ return null;
+ }
+
+ if ("KeyInfo".equals(child.getLocalName())
+ && WSConstants.SIG_NS.equals(child.getNamespaceURI())) {
+ return DOMUtils.getContent(child);
+ } else if (Reference.TOKEN.getLocalPart().equals(child.getLocalName())
+ && Reference.TOKEN.getNamespaceURI().equals(child.getNamespaceURI())) {
+ return child.getAttribute("URI").substring(1);
+ }
+ return null;
+ }
+
+
}
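Review bot: `child.getAttribute("URI").substring(1)` in getIdFromSTR throws StringIndexOutOfBoundsException when the wsse:Reference carries no URI attribute (getAttribute returns "" for a missing attribute), and it discards the first character even when it is not `#`; since these references arrive in an STS response, a malformed one should yield null rather than an index error. Replace the return with `String uri = child.getAttribute("URI");` / `if (uri.isEmpty()) { return null; }` / `return uri.startsWith("#") ? uri.substring(1) : uri;`, which keeps fragment references working and passes non-fragment URIs through unchanged. Neither new public method has Javadoc; getWsuId() deserves a summary such as "id from the attached STR if it yields one, else from the unattached STR, else null", and getIdFromSTR should document which STR shapes (ds:KeyInfo content, wsse:Reference URI) it understands.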
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java?rev=747584&r1=747583&r2=747584&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java Tue Feb 24 22:26:35 2009
@@ -396,7 +396,6 @@
throw new Fault("Unexpected element " + el.getLocalName(), LOG);
}
el = DOMUtils.getFirstElement(el);
-
Element rst = null;
Element rar = null;
Element rur = null;
@@ -508,7 +507,10 @@
}
private String findID(Element rar, Element rur, Element rst) {
String id = null;
- if (rar != null) {
+ if (rst != null) {
+ id = this.getIDFromSTR(rst);
+ }
+ if (id == null && rar != null) {
id = this.getIDFromSTR(rar);
}
if (id == null && rur != null) {
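Review bot: The new preference order in findID (rst first, then rar, then rur) is a behavioural change with no comment explaining it, and the id shapes differ by source: with the `@@ -525` hunk, the rst path can return the text of an Identifier element while rar/rur return a wsse:Reference URI attribute verbatim. A comment above the first check would record the intent: `// prefer the id carried by the issued token itself; fall back to the attached, then unattached, reference`. Whether getIDFromSTR(rst) actually reaches the Identifier element depends on rst being the token element rather than its wrapper, which is not visible here and worth confirming. The enclosing method ends after this hunk.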
@@ -525,11 +527,15 @@
if (child == null) {
return null;
}
- if (DOMUtils.getElementQName(child).equals(new QName(WSConstants.SIG_NS, "KeyInfo"))
- || DOMUtils.getElementQName(child).equals(new QName(WSConstants.WSSE_NS, "KeyIdentifier"))) {
+ QName elName = DOMUtils.getElementQName(child);
+ if (elName.equals(new QName(WSConstants.SIG_NS, "KeyInfo"))
+ || elName.equals(new QName(WSConstants.WSSE_NS, "KeyIdentifier"))) {
return DOMUtils.getContent(child);
- } else if (DOMUtils.getElementQName(child).equals(Reference.TOKEN)) {
+ } else if (elName.equals(Reference.TOKEN)) {
return child.getAttribute("URI");
+ } else if (elName.equals(new QName(STSUtils.SCT_NS_05_02, "Identifier"))
+ || elName.equals(new QName(STSUtils.SCT_NS_05_12, "Identifier"))) {
+ return DOMUtils.getContent(child);
}
return null;
}
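Review bot: This private getIDFromSTR now overlaps SecurityToken.getIdFromSTR added in the same commit, but the two disagree on the wsse:Reference case — this one returns the URI attribute verbatim, the other strips its first character — so the same STR yields a different id depending on which path resolved it, and the next fix will land in one copy only. Consider extending the SecurityToken version to recognise the Identifier element and delegating to it here, or at least documenting in a comment which form each returns. As a minor point, the four `new QName(...)` instances are rebuilt on every call; `private static final QName` constants would make the comparisons cheaper and the accepted element set visible at a glance. The enclosing method starts before this hunk.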
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java?rev=747584&r1=747583&r2=747584&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java Tue Feb 24 22:26:35 2009
@@ -51,9 +51,12 @@
public static final String WST_NS_05_02 = "http://schemas.xmlsoap.org/ws/2005/02/trust";
public static final String WST_NS_05_12 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
- public static final String TOKEN_TYPE_SCT_05_02 = "http://schemas.xmlsoap.org/ws/2005/02/sc/sct";
- public static final String TOKEN_TYPE_SCT_05_12
- = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct";
+ public static final String SCT_NS_05_02 = "http://schemas.xmlsoap.org/ws/2005/02/sc";
+ public static final String SCT_NS_05_12
+ = "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
+
+ public static final String TOKEN_TYPE_SCT_05_02 = SCT_NS_05_02 + "/sct";
+ public static final String TOKEN_TYPE_SCT_05_12 = SCT_NS_05_12 + "/sct";
private STSUtils() {
//utility class
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=747584&r1=747583&r2=747584&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Tue Feb 24 22:26:35 2009
@@ -76,7 +76,6 @@
import org.apache.cxf.ws.security.policy.model.Header;
import org.apache.cxf.ws.security.policy.model.IssuedToken;
import org.apache.cxf.ws.security.policy.model.Layout;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
import org.apache.cxf.ws.security.policy.model.SupportingToken;
@@ -1235,20 +1234,8 @@
sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
}
- String sigTokId;
-
- if (policyToken instanceof SecureConversationToken) {
- Element ref = tok.getAttachedReference();
- if (ref == null) {
- ref = tok.getUnattachedReference();
- }
-
- if (ref != null) {
- sigTokId = MemoryTokenStore.getIdFromSTR(ref);
- } else {
- sigTokId = tok.getId();
- }
- } else {
+ String sigTokId = tok.getWsuId();
+ if (sigTokId == null) {
sigTokId = tok.getId();
}
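Review bot: `tok.getWsuId()` is now consulted for every token kind, whereas the removed code only did so for SecureConversationToken; for a token whose attached reference is a ds:KeyInfo, SecurityToken.getIdFromSTR returns that element's text content, and that value would now become the signature's custom token id in place of tok.getId(). If that is intended it deserves a comment, e.g. `// prefer the wsu:Id from the STR so the reference matches the token as written in the header`; if not, the instanceof guard should stay. Unlike SymmetricBindingHandler.doSignature in this commit, nothing visible here strips a leading `#` from the chosen id — if the lines after the hunk do not either, an id of the form `#...` reaches the signature unchanged. The enclosing method starts before and ends after this hunk.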
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=747584&r1=747583&r2=747584&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java Tue Feb 24 22:26:35 2009
@@ -46,7 +46,6 @@
import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.cxf.ws.security.policy.model.TokenWrapper;
import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.cxf.ws.security.tokenstore.MemoryTokenStore;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.ws.security.WSConstants;
@@ -218,7 +217,7 @@
//Sign the message
//We should use the same key in the case of EncryptBeforeSig
if (sigParts.size() > 0) {
- signatures.add(this.doSignature(sigParts, encryptionWrapper, encryptionToken, tok));
+ signatures.add(this.doSignature(sigParts, encryptionWrapper, encryptionToken, tok, attached));
}
if (isRequestor()) {
@@ -307,6 +306,7 @@
if (sigTok == null) {
//REVISIT - no token?
}
+ boolean tokIncluded = true;
if (SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS == sigToken.getInclusion()
|| SPConstants.IncludeTokenType.INCLUDE_TOKEN_ONCE == sigToken.getInclusion()
|| (isRequestor()
@@ -321,6 +321,8 @@
sigTokElem = (Element)secHeader.getSecurityHeader().getOwnerDocument()
.importNode(el, true);
this.addEncyptedKeyElement((Element)sigTokElem);
+ } else {
+ tokIncluded = false;
}
@@ -333,13 +335,13 @@
if (isRequestor()) {
addSupportingTokens(sigs);
- signatures.add(doSignature(sigs, sigTokenWrapper, sigToken, sigTok));
+ signatures.add(doSignature(sigs, sigTokenWrapper, sigToken, sigTok, tokIncluded));
doEndorse();
} else {
//confirm sig
assertSupportingTokens(sigs);
addSignatureConfirmation(sigs);
- doSignature(sigs, sigTokenWrapper, sigToken, sigTok);
+ doSignature(sigs, sigTokenWrapper, sigToken, sigTok, tokIncluded);
}
@@ -382,7 +384,7 @@
}
doEncryption(encrTokenWrapper,
encrTok,
- true,
+ tokIncluded,
enc,
false);
} catch (Exception e) {
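Review bot: `tokIncluded` passed to doEncryption here reflects whether the signature token was written into the header (it is set from `sigToken.getInclusion()` and the importNode branch in the earlier hunks, presumably of this same method), yet it is handed over as the attached flag for `encrTok`. If encrTok can differ from sigTok — how encrTok is derived is outside the hunk — the encryption reference may claim the token is in the header when only the signature token is. Either assert at this point that the two tokens are the same object or compute the flag from the encryption token's own inclusion, and add a comment stating the invariant relied on. The enclosing method starts before and ends after this hunk.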
@@ -428,7 +430,19 @@
}
dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement());
} else {
- dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId());
+ if (attached) {
+ String id = encrTok.getWsuId();
+ if (id == null) {
+ id = encrTok.getId();
+ }
+ if (id.startsWith("#")) {
+ id = id.substring(1);
+ }
+
+ dkEncr.setExternalKey(encrTok.getSecret(), id);
+ } else {
+ dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId());
+ }
}
if (encrTok.getSHA1() != null) {
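Review bot: The sequence "take `getWsuId()`, fall back to `getId()`, strip a leading `#`" is written out by hand here and again in the `@@ -457`, `@@ -563` and `@@ -586` hunks of this file (and, without the `#` strip, in AbstractBindingBuilder `@@ -1235`); four copies of a six-line idiom invite the next fix to land in only some of them. A small private helper keeps the behaviour identical and gives one place to document which id is meant. If `getId()` can return null for a token without an STR, the `startsWith` call throws NullPointerException — not visible from here, so worth a guard or a comment stating the invariant. The enclosing method starts before and ends after this hunk.
```java
/** Id used to reference {@code tok} from inside the header: its wsu:Id when its STR carries one, else its own id, with a leading '#' removed. */
private static String getTokenReferenceId(SecurityToken tok) {
    String id = tok.getWsuId();
    if (id == null) {
        id = tok.getId();
    }
    if (id.startsWith("#")) {
        id = id.substring(1);
    }
    return id;
}
// … unchanged: derived-key encryption setup …
if (attached) {
    dkEncr.setExternalKey(encrTok.getSecret(), getTokenReferenceId(encrTok));
} else {
    dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId());
}
```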
@@ -457,8 +471,19 @@
try {
WSSecEncrypt encr = new WSSecEncrypt();
String encrTokId = encrTok.getId();
- if (encrTokId.startsWith("#")) {
- encrTokId = encrTokId.substring(1);
+ if (attached) {
+ encrTokId = encrTok.getWsuId();
+ if (encrTokId == null) {
+ encrTokId = encrTok.getId();
+ }
+ if (encrTokId.startsWith("#")) {
+ encrTokId = encrTokId.substring(1);
+ }
+ } else {
+ encr.setEncKeyIdDirectId(true);
+ }
+ if (encrTok.getTokenType() != null) {
+ encr.setEncKeyValueType(encrTok.getTokenType());
}
encr.setEncKeyId(encrTokId);
encr.setEphemeralKey(encrTok.getSecret());
@@ -473,9 +498,14 @@
encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
if (!isRequestor()) {
- encr.setUseKeyIdentifier(true);
- encr.setCustomReferenceValue(encrTok.getSHA1());
- encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+ if (encrTok.getSHA1() != null) {
+ encr.setUseKeyIdentifier(true);
+ encr.setCustomReferenceValue(encrTok.getSHA1());
+ encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+ } else {
+ encr.setUseKeyIdentifier(true);
+ encr.setKeyIdentifierType(WSConstants.EMBED_SECURITY_TOKEN_REF);
+ }
}
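Review bot: `encr.setUseKeyIdentifier(true);` is repeated in both branches of the new if/else; hoisting it above `if (encrTok.getSHA1() != null)` leaves the branches expressing only what actually differs, the key-identifier type and the SHA1 reference value. A short comment on the else branch would also help, since falling back to EMBED_SECURITY_TOKEN_REF is not obvious from the code: `// no EncryptedKeySHA1 available; fall back to an embedded security token reference`. The enclosing method starts before and ends after this hunk.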
@@ -505,7 +535,8 @@
private byte[] doSignatureDK(Vector<WSEncryptionPart> sigs,
TokenWrapper policyTokenWrapper,
Token policyToken,
- SecurityToken tok) throws WSSecurityException {
+ SecurityToken tok,
+ boolean included) throws WSSecurityException {
Document doc = saaj.getSOAPPart();
WSSecDKSign dkSign = new WSSecDKSign();
if (policyTokenWrapper.getToken().getSPConstants() == SP12Constants.INSTANCE) {
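Review bot: The new `included` parameter on doSignatureDK (and on doSignature in the `@@ -586` hunk) has no Javadoc, and its meaning is only recoverable from the call sites, where it is true when the token element was imported into the security header and false otherwise. Add above the method `@param included true when the token is carried in the wsse:Security header and must be referenced by its wsu:Id; false when it is referenced by its own id`, hedged to match however the direct-reference case is meant to behave. The method body continues past this hunk.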
@@ -563,8 +594,14 @@
if (sbinding.isTokenProtection()) {
String sigTokId = tok.getId();
- if (sigTokId.startsWith("#")) {
- sigTokId = sigTokId.substring(1);
+ if (included) {
+ sigTokId = tok.getWsuId();
+ if (sigTokId == null) {
+ sigTokId = tok.getId();
+ }
+ if (sigTokId.startsWith("#")) {
+ sigTokId = sigTokId.substring(1);
+ }
}
sigs.add(new WSEncryptionPart(sigTokId));
}
@@ -586,49 +623,48 @@
private byte[] doSignature(Vector<WSEncryptionPart> sigs,
TokenWrapper policyTokenWrapper,
Token policyToken,
- SecurityToken tok) throws WSSecurityException {
+ SecurityToken tok,
+ boolean included) throws WSSecurityException {
if (policyToken.isDerivedKeys()) {
- return doSignatureDK(sigs, policyTokenWrapper, policyToken, tok);
+ return doSignatureDK(sigs, policyTokenWrapper, policyToken, tok, included);
} else {
WSSecSignature sig = new WSSecSignature();
// If a EncryptedKeyToken is used, set the correct value type to
// be used in the wsse:Reference in ds:KeyInfo
+ int type = included ? WSConstants.CUSTOM_SYMM_SIGNING
+ : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT;
if (policyToken instanceof X509Token) {
if (isRequestor()) {
sig.setCustomTokenValueType(WSConstants.WSS_SAML_NS
+ WSConstants.ENC_KEY_VALUE_TYPE);
- sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+ sig.setKeyIdentifierType(type);
} else {
//the tok has to be an EncryptedKey token
sig.setEncrKeySha1value(tok.getSHA1());
sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
}
+ } else if (tok.getTokenType() != null) {
+ sig.setCustomTokenValueType(tok.getTokenType());
+ sig.setKeyIdentifierType(type);
} else {
sig.setCustomTokenValueType(WSConstants.WSS_SAML_NS
+ WSConstants.SAML_ASSERTION_ID);
- sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+ sig.setKeyIdentifierType(type);
}
- String sigTokId;
-
- if (policyToken instanceof SecureConversationToken) {
- Element ref = tok.getAttachedReference();
- if (ref == null) {
- ref = tok.getUnattachedReference();
+ String sigTokId;
+ if (included) {
+ sigTokId = tok.getWsuId();
+ if (sigTokId == null) {
+ sigTokId = tok.getId();
}
-
- if (ref != null) {
- sigTokId = MemoryTokenStore.getIdFromSTR(ref);
- } else {
- sigTokId = tok.getId();
+ if (sigTokId.startsWith("#")) {
+ sigTokId = sigTokId.substring(1);
}
} else {
sigTokId = tok.getId();
}
- if (sigTokId.startsWith("#")) {
- sigTokId = sigTokId.substring(1);
- }
sig.setCustomTokenId(sigTokId);
sig.setSecretKey(tok.getSecret());