Posted to commits@cxf.apache.org by co...@apache.org on 2014/02/24 16:12:06 UTC
git commit: Added initial support for "useReqSigCert" for the
streaming JAX-RS XML Security code.
Repository: cxf
Updated Branches:
refs/heads/master 212ce2a30 -> f29557a3b
Added initial support for "useReqSigCert" for the streaming JAX-RS XML Security code.
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f29557a3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f29557a3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f29557a3
Branch: refs/heads/master
Commit: f29557a3b144603eab65068b6776d823683dab87
Parents: 212ce2a
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Mon Feb 24 15:10:56 2014 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Mon Feb 24 15:11:47 2014 +0000
----------------------------------------------------------------------
.../cxf/rs/security/common/SecurityUtils.java | 9 ++++--
.../security/xml/AbstractXmlSigInHandler.java | 2 +-
.../rs/security/xml/XmlEncOutInterceptor.java | 3 +-
.../rs/security/xml/XmlSecInInterceptor.java | 14 ++++++++--
.../rs/security/xml/XmlSecOutInterceptor.java | 29 ++++++++++++--------
5 files changed, 38 insertions(+), 19 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/f29557a3/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java
index 34d9897..f849bf8 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java
@@ -28,7 +28,6 @@ import javax.security.auth.callback.CallbackHandler;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
-
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.common.util.StringUtils;
@@ -38,6 +37,7 @@ import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.xml.security.utils.Constants;
@@ -66,7 +66,12 @@ public final class SecurityUtils {
throws Exception {
String base64Value = certNode.getTextContent().trim();
byte[] certBytes = Base64Utility.decode(base64Value);
- return crypto.loadCertificate(new ByteArrayInputStream(certBytes));
+
+ Crypto certCrypto = crypto;
+ if (certCrypto == null) {
+ certCrypto = new Merlin();
+ }
+ return certCrypto.loadCertificate(new ByteArrayInputStream(certBytes));
}
public static X509Certificate loadX509IssuerSerial(Crypto crypto, Element certNode)
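Review bot: The `new Merlin()` fallback on the null-crypto path turns a missing signature Crypto into a silent success: a default Merlin constructed this way carries no keystore or truststore as far as I can tell, so `loadCertificate` only parses the X.509 bytes taken from the message and makes no trust decision. That is acceptable only if every caller still runs the returned certificate through trust validation against a configured Crypto, and the code should say so rather than leaving it implicit. Suggested comment above the `if`: `// No Crypto configured: a default Merlin only parses the certificate bytes from the message, it does not establish trust`. The signature of the enclosing method is above the hunk.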
http://git-wip-us.apache.org/repos/asf/cxf/blob/f29557a3/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
index 3cc9562..e81e298 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
@@ -211,7 +211,7 @@ public class AbstractXmlSigInHandler extends AbstractXmlSecInHandler {
protected Reference getReference(XMLSignature sig) {
int count = sig.getSignedInfo().getLength();
if (count != 1) {
- throwFault("Multiple Signature Reference are not currently supported", null);
+ throwFault("Multiple Signature References are not currently supported", null);
}
try {
return sig.getSignedInfo().item(0);
http://git-wip-us.apache.org/repos/asf/cxf/blob/f29557a3/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
index 26eb109..6635c3d 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
@@ -116,8 +116,7 @@ public class XmlEncOutInterceptor extends AbstractXmlSecOutInterceptor {
X509Certificate receiverCert = null;
String userName = (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
- if (userName != null
- && SecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName)
+ if (SecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName)
&& !MessageUtils.isRequestor(message)) {
XMLSignature sig = message.getExchange().getInMessage().getContent(XMLSignature.class);
if (sig != null) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/f29557a3/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
index 64b89f3..fa23280 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
@@ -80,6 +80,7 @@ public class XmlSecInInterceptor implements PhaseInterceptor<Message> {
private String phase;
private String decryptionAlias;
private String signatureVerificationAlias;
+ private boolean persistSignature = true;
public XmlSecInInterceptor() {
setPhase(Phase.POST_STREAM);
@@ -203,7 +204,7 @@ public class XmlSecInInterceptor implements PhaseInterceptor<Message> {
}
protected SecurityEventListener configureSecurityEventListener(
- final Crypto sigCrypto, Message msg, XMLSecurityProperties securityProperties
+ final Crypto sigCrypto, final Message msg, XMLSecurityProperties securityProperties
) {
final List<SecurityEvent> incomingSecurityEventList = new LinkedList<SecurityEvent>();
SecurityEventListener securityEventListener = new SecurityEventListener() {
@@ -218,7 +219,7 @@ public class XmlSecInInterceptor implements PhaseInterceptor<Message> {
}
} else if (securityEvent.getSecurityEventType() != SecurityEventConstants.EncryptedKeyToken
&& securityEvent instanceof TokenSecurityEvent<?>) {
- checkSignatureTrust(sigCrypto, (TokenSecurityEvent<?>)securityEvent);
+ checkSignatureTrust(sigCrypto, msg, (TokenSecurityEvent<?>)securityEvent);
}
incomingSecurityEventList.add(securityEvent);
}
@@ -277,7 +278,7 @@ public class XmlSecInInterceptor implements PhaseInterceptor<Message> {
}
private void checkSignatureTrust(
- Crypto sigCrypto, TokenSecurityEvent<?> event
+ Crypto sigCrypto, Message msg, TokenSecurityEvent<?> event
) throws XMLSecurityException {
SecurityToken token = event.getSecurityToken();
if (token != null) {
@@ -295,6 +296,10 @@ public class XmlSecInInterceptor implements PhaseInterceptor<Message> {
throw new XMLSecurityException("empty", "Error during Signature Trust "
+ "validation: " + e.getMessage());
}
+
+ if (persistSignature) {
+ msg.setContent(X509Certificate.class, cert);
+ }
}
}
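Review bot: The certificate stored with `msg.setContent(X509Certificate.class, cert)` is whichever token was validated last: the listener in the earlier hunk calls `checkSignatureTrust` for every TokenSecurityEvent other than EncryptedKeyToken, so a message carrying more than one token overwrites the content on each call and the value later consumed as the "request signature cert" may not be the signing certificate. Storing it only after the trust check has passed (the throw just above) is the right order and deserves a comment, e.g. `// Only reached after trust validation succeeded; if several tokens are present the last validated one wins`. The definition of `cert` and the start of `checkSignatureTrust` lie outside this hunk.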
@@ -360,4 +365,7 @@ public class XmlSecInInterceptor implements PhaseInterceptor<Message> {
this.signatureVerificationAlias = signatureVerificationAlias;
}
+ public void setPersistSignature(boolean persist) {
+ this.persistSignature = persist;
+ }
}
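Review bot: `setPersistSignature` and the `persistSignature` field added earlier in this file have no Javadoc, and the name suggests the signature itself is kept when what is actually stored on the Message is the trust-validated X509Certificate. Javadoc such as `/** Whether the trust-validated certificate of the inbound token is stored on the Message as X509Certificate content so that an outbound interceptor can encrypt the response to it. Defaults to true. */` on the setter would make the contract with XmlSecOutInterceptor explicit.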
http://git-wip-us.apache.org/repos/asf/cxf/blob/f29557a3/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
index aa6f381..c480f88 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
@@ -58,7 +58,6 @@ import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.stax.ext.OutboundXMLSec;
import org.apache.xml.security.stax.ext.SecurePart;
import org.apache.xml.security.stax.ext.XMLSec;
@@ -161,18 +160,26 @@ public class XmlSecOutInterceptor implements PhaseInterceptor<Message> {
properties.setEncryptionKey(
getSymmetricKey(encryptionProperties.getEncryptionSymmetricKeyAlgo()));
if (encryptSymmetricKey) {
+ X509Certificate sendingCert = null;
String userName =
(String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
- CryptoLoader loader = new CryptoLoader();
- Crypto crypto = loader.getCrypto(message,
- SecurityConstants.ENCRYPT_CRYPTO,
- SecurityConstants.ENCRYPT_PROPERTIES);
-
- userName = SecurityUtils.getUserName(crypto, userName);
- if (StringUtils.isEmpty(userName)) {
- throw new Exception("User name is not available");
+ if (SecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName)
+ && !MessageUtils.isRequestor(message)) {
+ sendingCert =
+ message.getExchange().getInMessage().getContent(X509Certificate.class);
+ } else {
+ CryptoLoader loader = new CryptoLoader();
+ Crypto crypto = loader.getCrypto(message,
+ SecurityConstants.ENCRYPT_CRYPTO,
+ SecurityConstants.ENCRYPT_PROPERTIES);
+
+ userName = SecurityUtils.getUserName(crypto, userName);
+ if (StringUtils.isEmpty(userName)) {
+ throw new Exception("User name is not available");
+ }
+ sendingCert = getCertificateFromCrypto(crypto, userName);
}
- X509Certificate sendingCert = getCertificateFromCrypto(crypto, userName);
+
if (sendingCert == null) {
throw new Exception("Sending certificate is not available");
}
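Review bot: In the new `useReqSigCert` branch `sendingCert` is read from the inbound message content, so it is null whenever XmlSecInInterceptor ran with persistSignature=false or the request carried no trust-validated token; the existing `throw new Exception("Sending certificate is not available")` then gives no hint that the in-interceptor configuration is what is missing. A comment on the branch would help, e.g. `// Server side only: the certificate was stored by XmlSecInInterceptor after trust validation (persistSignature=true)`, and the error path could mention that dependency. `message.getExchange().getInMessage()` is also dereferenced without a null check, matching the pre-existing XmlEncOutInterceptor code. The enclosing method starts above the hunk.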
@@ -273,7 +280,7 @@ public class XmlSecOutInterceptor implements PhaseInterceptor<Message> {
String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
- sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_DSA;
+ sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1;
}
properties.setSignatureAlgorithm(sigAlgo);
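Review bot: The DSA branch discards whatever `sigAlgo` was configured and forces a SHA-1-based DSA URI; if `SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1` has the same value as the removed `XMLSignature.ALGO_ID_SIGNATURE_DSA` (both appear to denote dsa-sha1), behaviour is unchanged, but the override should be explained so a reader does not assume the configured algorithm is honoured for DSA keys. Suggested comment above the assignment: `// DSA keys: only dsa-sha1 is supported here, so the configured signature algorithm is overridden`. The enclosing method starts above the hunk.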