Posted to commits@ws.apache.org by co...@apache.org on 2013/02/04 12:19:16 UTC
svn commit: r1442079 - in /webservices/wss4j/trunk:
ws-security-dom/src/main/java/org/apache/ws/security/dom/
ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/
ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/
ws-s...
Author: coheigea
Date: Mon Feb 4 11:19:15 2013
New Revision: 1442079
URL: http://svn.apache.org/viewvc?rev=1442079&view=rev
Log:
[WSS-420] - Add the ability to explicitly allow/disallow UsernameTokens with no passwords
Conflicts:
ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UTDerivedKeyTest.java
Modified:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/WSSConfig.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandler.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandlerConstants.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/UsernameToken.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/UsernameTokenValidator.java
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UTDerivedKeyTest.java
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UTSignatureTest.java
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UsernameTokenTest.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/UsernameTokenTest.java
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/WSSConfig.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/WSSConfig.java?rev=1442079&r1=1442078&r2=1442079&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/WSSConfig.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/WSSConfig.java Mon Feb 4 11:19:15 2013
@@ -248,6 +248,13 @@ public class WSSConfig {
protected String requiredPasswordType = null;
/**
+ * This variable controls whether a UsernameToken with no password element is allowed.
+ * The default value is "false". Set it to "true" to allow deriving keys from UsernameTokens
+ * or to support UsernameTokens for purposes other than authentication.
+ */
+ protected boolean allowUsernameTokenNoPassword = false;
+
+ /**
* The time in seconds between creation and expiry for a Timestamp. The default
* is 300 seconds (5 minutes).
*/
@@ -727,5 +734,13 @@ public class WSSConfig {
public void setAddInclusivePrefixes(boolean addInclusivePrefixes) {
this.addInclusivePrefixes = addInclusivePrefixes;
}
+
+ public boolean isAllowUsernameTokenNoPassword() {
+ return allowUsernameTokenNoPassword;
+ }
+
+ public void setAllowUsernameTokenNoPassword(boolean allowUsernameTokenNoPassword) {
+ this.allowUsernameTokenNoPassword = allowUsernameTokenNoPassword;
+ }
}
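Review bot: The new accessors isAllowUsernameTokenNoPassword and setAllowUsernameTokenNoPassword have no Javadoc, and the setter is the point where a deployment opts back into behaviour this commit turns off by default. Since the field defaults to false, any existing configuration that relied on password-less UsernameTokens (the derived-key case named in the field's Javadoc) now fails authentication until this setter or the WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD property is set, and that is worth saying where a reader looks first. A Javadoc such as `/** Whether a UsernameToken with no Password element is accepted (default false). Must be set to true to continue deriving keys from UsernameTokens. */` on the setter, and `/** @return true if UsernameTokens without a Password element are accepted. */` on the getter, would cover both. The enclosing class continues outside the hunk.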
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandler.java?rev=1442079&r1=1442078&r2=1442079&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandler.java Mon Feb 4 11:19:15 2013
@@ -291,6 +291,10 @@ public abstract class WSHandler {
wssConfig.setAllowNamespaceQualifiedPasswordTypes(
decodeNamespaceQualifiedPasswordTypes(reqData)
);
+ wssConfig.setAllowUsernameTokenNoPassword(
+ decodeAllowUsernameTokenNoPassword(reqData)
+ );
+
wssConfig.setSecretKeyLength(reqData.getSecretKeyLength());
reqData.setWssConfig(wssConfig);
@@ -724,6 +728,14 @@ public abstract class WSHandler {
);
}
+ protected boolean decodeAllowUsernameTokenNoPassword(
+ RequestData reqData
+ ) throws WSSecurityException {
+ return decodeBooleanConfigValue(
+ reqData, WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD, false
+ );
+ }
+
protected boolean decodeUseEncodedPasswords(RequestData reqData)
throws WSSecurityException {
return decodeBooleanConfigValue(
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandlerConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandlerConstants.java?rev=1442079&r1=1442078&r2=1442079&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandlerConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandlerConstants.java Mon Feb 4 11:19:15 2013
@@ -376,6 +376,13 @@ public final class WSHandlerConstants {
public static final String HANDLE_CUSTOM_PASSWORD_TYPES = "handleCustomPasswordTypes";
/**
+ * This variable controls whether a UsernameToken with no password element is allowed.
+ * The default value is "false". Set it to "true" to allow deriving keys from UsernameTokens
+ * or to support UsernameTokens for purposes other than authentication.
+ */
+ public static final String ALLOW_USERNAMETOKEN_NOPASSWORD = "allowUsernameTokenNoPassword";
+
+ /**
* Set the value of this parameter to true to enable strict Username Token password type
* handling. The default value is "false".
*
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/UsernameToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/UsernameToken.java?rev=1442079&r1=1442078&r2=1442079&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/UsernameToken.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/token/UsernameToken.java Mon Feb 4 11:19:15 2013
@@ -412,6 +412,13 @@ public class UsernameToken {
}
return password;
}
+
+ /**
+ * Return true if this UsernameToken contains a Password element
+ */
+ public boolean containsPasswordElement() {
+ return elementPassword != null;
+ }
/**
* Get the Salt value of this UsernameToken.
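Review bot: The Javadoc on containsPasswordElement has no `@return` tag, unlike the accessor documented just above it in the hunk. `@return true if a Password element was present in the parsed token, false otherwise` would make the contract explicit, which matters because UsernameTokenValidator now uses this method to decide whether an unauthenticated token is rejected.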
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/UsernameTokenValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/UsernameTokenValidator.java?rev=1442079&r1=1442078&r2=1442079&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/UsernameTokenValidator.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/validate/UsernameTokenValidator.java Mon Feb 4 11:19:15 2013
@@ -213,14 +213,27 @@ public class UsernameTokenValidator impl
}
/**
- * Verify a UsernameToken containing no password. This does nothing - but is in a separate
- * method to allow the end-user to override validation easily.
+ * Verify a UsernameToken containing no password. An exception is thrown unless the user
+ * has explicitly allowed this use-case via WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD
* @param usernameToken The UsernameToken instance to verify
* @throws WSSecurityException on a failed authentication.
*/
protected void verifyUnknownPassword(UsernameToken usernameToken,
RequestData data) throws WSSecurityException {
- //
+
+ boolean allowUsernameTokenDerivedKeys = false;
+ WSSConfig wssConfig = data.getWssConfig();
+ if (wssConfig != null) {
+ allowUsernameTokenDerivedKeys = wssConfig.isAllowUsernameTokenNoPassword();
+ }
+
+ if (!(allowUsernameTokenDerivedKeys || usernameToken.containsPasswordElement())) {
+ if (log.isDebugEnabled()) {
+ log.debug("Authentication failed as the received UsernameToken does not "
+ + "contain any password element");
+ }
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
}
}
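Review bot: The rewritten Javadoc says an exception is thrown unless the user has allowed the no-password case, but the condition on the `if (!(allowUsernameTokenDerivedKeys || usernameToken.containsPasswordElement()))` line also returns silently whenever a Password element is present, so a token carrying a Password element of a type this method was reached for (presumably an unrecognised one, given the method name) is accepted without any verification, exactly as the removed "does nothing" version did. The Javadoc should state that second path and document the second parameter, e.g. `@param data The RequestData whose WSSConfig supplies the allow-no-password setting` and `A token that does contain a Password element is not verified by this method.` The local is named `allowUsernameTokenDerivedKeys` but is read from `isAllowUsernameTokenNoPassword()`; naming it `allowUsernameTokenNoPassword` keeps it in step with the config property and the handler constant. `data` is dereferenced on the `data.getWssConfig()` line without a null check while `wssConfig` gets one; if any caller passes a null RequestData the previous no-op becomes a NullPointerException, which should be confirmed against the caller, which lies outside the hunk.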
Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UTDerivedKeyTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UTDerivedKeyTest.java?rev=1442079&r1=1442078&r2=1442079&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UTDerivedKeyTest.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UTDerivedKeyTest.java Mon Feb 4 11:19:15 2013
@@ -161,6 +161,13 @@ public class UTDerivedKeyTest extends or
}
verify(encryptedDoc);
+
+ try {
+ verify(encryptedDoc, false);
+ fail("Failure expected on deriving keys from a UsernameToken not allowed");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
}
/**
@@ -206,6 +213,7 @@ public class UTDerivedKeyTest extends or
WSSecurityEngine newEngine = new WSSecurityEngine();
newEngine.getWssConfig().setPasswordsAreEncoded(true);
+ newEngine.getWssConfig().setAllowUsernameTokenNoPassword(true);
newEngine.processSecurityHeader(
encryptedDoc, null, new EncodedPasswordCallbackHandler(), null
);
@@ -407,6 +415,7 @@ public class UTDerivedKeyTest extends or
WSSecurityEngine newEngine = new WSSecurityEngine();
newEngine.getWssConfig().setPasswordsAreEncoded(true);
+ newEngine.getWssConfig().setAllowUsernameTokenNoPassword(true);
List<WSSecurityEngineResult> results = newEngine.processSecurityHeader(
signedDoc, null, new EncodedPasswordCallbackHandler(), null
);
@@ -666,6 +675,8 @@ public class UTDerivedKeyTest extends or
data.setDecCrypto(crypto);
data.setIgnoredBSPRules(Collections.singletonList(BSPRule.R4218));
WSSecurityEngine engine = new WSSecurityEngine();
+ config.setAllowUsernameTokenNoPassword(true);
+ engine.setWssConfig(config);
engine.processSecurityHeader(doc, "", data);
}
@@ -725,6 +736,9 @@ public class UTDerivedKeyTest extends or
RequestData data = new RequestData();
data.setCallbackHandler(callbackHandler);
data.setDecCrypto(crypto);
+ WSSConfig config = WSSConfig.getNewInstance();
+ config.setAllowUsernameTokenNoPassword(true);
+ newEngine.setWssConfig(config);
data.setIgnoredBSPRules(Collections.singletonList(BSPRule.R4214));
newEngine.processSecurityHeader(encryptedDoc, "", data);
}
@@ -784,12 +798,14 @@ public class UTDerivedKeyTest extends or
// expected
}
- // Turn off BSP compliance and it should work
WSSecurityEngine newEngine = new WSSecurityEngine();
RequestData data = new RequestData();
data.setCallbackHandler(callbackHandler);
data.setDecCrypto(crypto);
data.setIgnoredBSPRules(Collections.singletonList(BSPRule.R4215));
+ WSSConfig config = WSSConfig.getNewInstance();
+ config.setAllowUsernameTokenNoPassword(true);
+ newEngine.setWssConfig(config);
newEngine.processSecurityHeader(encryptedDoc, "", data);
}
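Review bot: The comment `// Turn off BSP compliance and it should work` is removed although the `setIgnoredBSPRules` line it explained is still there, so the second half of the test now has no statement of what it expects. Restoring it with the new precondition, `// Turn off BSP compliance and allow password-less UsernameTokens, and it should work`, would keep the intent visible next to the new WSSConfig lines. The enclosing test method starts before the hunk.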
@@ -801,7 +817,17 @@ public class UTDerivedKeyTest extends or
* @throws java.lang.Exception Thrown when there is a problem in verification
*/
private List<WSSecurityEngineResult> verify(Document doc) throws Exception {
+ return verify(doc, true);
+ }
+
+ private List<WSSecurityEngineResult> verify(
+ Document doc,
+ boolean allowUsernameTokenDerivedKeys
+ ) throws Exception {
WSSecurityEngine secEngine = new WSSecurityEngine();
+ WSSConfig config = WSSConfig.getNewInstance();
+ config.setAllowUsernameTokenNoPassword(allowUsernameTokenDerivedKeys);
+ secEngine.setWssConfig(config);
return secEngine.processSecurityHeader(doc, null, callbackHandler, crypto);
}
Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UTSignatureTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UTSignatureTest.java?rev=1442079&r1=1442078&r2=1442079&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UTSignatureTest.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UTSignatureTest.java Mon Feb 4 11:19:15 2013
@@ -50,7 +50,6 @@ import java.util.List;
public class UTSignatureTest extends org.junit.Assert {
private static final org.apache.commons.logging.Log LOG =
org.apache.commons.logging.LogFactory.getLog(UTSignatureTest.class);
- private WSSecurityEngine secEngine = new WSSecurityEngine();
private CallbackHandler callbackHandler = new UsernamePasswordCallbackHandler();
private Crypto crypto = null;
@@ -98,6 +97,13 @@ public class UTSignatureTest extends org
java.security.Principal principal =
(java.security.Principal) actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
assertTrue(principal.getName().indexOf("bob") != -1);
+
+ try {
+ verify(signedDoc, false);
+ fail("Failure expected on deriving keys from a UsernameToken not allowed");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
}
@@ -242,6 +248,17 @@ public class UTSignatureTest extends org
* @throws java.lang.Exception Thrown when there is a problem in verification
*/
private List<WSSecurityEngineResult> verify(Document doc) throws Exception {
+ return verify(doc, true);
+ }
+
+ private List<WSSecurityEngineResult> verify(
+ Document doc,
+ boolean allowUsernameTokenDerivedKeys
+ ) throws Exception {
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ WSSConfig config = WSSConfig.getNewInstance();
+ config.setAllowUsernameTokenNoPassword(allowUsernameTokenDerivedKeys);
+ secEngine.setWssConfig(config);
return secEngine.processSecurityHeader(doc, null, callbackHandler, crypto);
}
Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UsernameTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UsernameTokenTest.java?rev=1442079&r1=1442078&r2=1442079&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UsernameTokenTest.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/UsernameTokenTest.java Mon Feb 4 11:19:15 2013
@@ -106,7 +106,6 @@ public class UsernameTokenTest extends o
+ "<value xmlns=\"\">15</value>" + "</add>"
+ "</SOAP-ENV:Body>\r\n \r\n" + "</SOAP-ENV:Envelope>";
- private WSSecurityEngine secEngine = new WSSecurityEngine();
private CallbackHandler callbackHandler = new UsernamePasswordCallbackHandler();
/**
@@ -409,7 +408,7 @@ public class UsernameTokenTest extends o
LOG.debug(outputString);
}
- List<WSSecurityEngineResult> results = verify(signedDoc);
+ List<WSSecurityEngineResult> results = verify(signedDoc, true);
WSSecurityEngineResult actionResult =
WSSecurityUtil.fetchActionResult(results, WSConstants.UT_NOPASSWORD);
UsernameToken receivedToken =
@@ -435,6 +434,7 @@ public class UsernameTokenTest extends o
XMLUtils.PrettyDocumentToString(signedDoc);
LOG.debug(outputString);
}
+ WSSecurityEngine secEngine = new WSSecurityEngine();
secEngine.processSecurityHeader(doc, null, this, null);
}
@@ -451,6 +451,7 @@ public class UsernameTokenTest extends o
LOG.debug(outputString);
}
+ WSSecurityEngine secEngine = new WSSecurityEngine();
secEngine.processSecurityHeader(doc, null, this, null);
}
@@ -476,6 +477,7 @@ public class UsernameTokenTest extends o
LOG.debug(outputString);
}
try {
+ WSSecurityEngine secEngine = new WSSecurityEngine();
secEngine.processSecurityHeader(signedDoc, null, this, null);
fail("Custom token types are not permitted");
} catch (WSSecurityException ex) {
@@ -511,14 +513,9 @@ public class UsernameTokenTest extends o
//
WSSConfig cfg = WSSConfig.getNewInstance();
cfg.setHandleCustomPasswordTypes(true);
+ WSSecurityEngine secEngine = new WSSecurityEngine();
secEngine.setWssConfig(cfg);
- verify(signedDoc);
-
- //
- // Go back to default for other tests
- //
- cfg.setHandleCustomPasswordTypes(false);
- secEngine.setWssConfig(cfg);
+ secEngine.processSecurityHeader(doc, null, callbackHandler, null);
}
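Review bot: The removed `verify(signedDoc)` call processed `signedDoc`, while its replacement `secEngine.processSecurityHeader(doc, null, callbackHandler, null)` processes `doc`; both variables are declared before the hunk, so if they are not the same Document object the test now verifies a different message than before. If `signedDoc` is the built form of `doc`, as the other tests in this file suggest, using `signedDoc` on the new line would keep the hunk self-evidently equivalent to the old call. The engine is now a local, which is what makes the removed "Go back to default for other tests" block unnecessary; a one-line comment saying so would help the next reader.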
@@ -881,13 +878,21 @@ public class UsernameTokenTest extends o
newEngine.processSecurityHeader(doc, "", data);
}
+ private List<WSSecurityEngineResult> verify(Document doc) throws Exception {
+ return verify(doc, false);
+ }
+
/**
* Verifies the soap envelope
*
* @param env soap envelope
* @throws java.lang.Exception Thrown when there is a problem in verification
*/
- private List<WSSecurityEngineResult> verify(Document doc) throws Exception {
+ private List<WSSecurityEngineResult> verify(Document doc, boolean allowUsernameTokenDerivedKeys) throws Exception {
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ WSSConfig config = WSSConfig.getNewInstance();
+ config.setAllowUsernameTokenNoPassword(allowUsernameTokenDerivedKeys);
+ secEngine.setWssConfig(config);
return secEngine.processSecurityHeader(doc, null, callbackHandler, null);
}
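Review bot: The Javadoc now sits on the two-argument `verify(Document doc, boolean allowUsernameTokenDerivedKeys)` but still documents `@param env`, which matches neither parameter, and the new boolean is undocumented. `@param doc the SOAP envelope to process` and `@param allowUsernameTokenDerivedKeys whether UsernameTokens without a Password element are accepted` would fix both. The one-argument `verify(Document)` added at the top of the hunk defaults the flag to false, whereas the same-named helpers added to UTDerivedKeyTest and UTSignatureTest in this commit default it to true and carry no Javadoc on their two-argument overloads at all; a short comment on each default would stop readers assuming the three helpers behave alike.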
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java?rev=1442079&r1=1442078&r2=1442079&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java Mon Feb 4 11:19:15 2013
@@ -263,6 +263,11 @@ public abstract class AbstractTestBase {
requestData.setDecCrypto(crypto);
requestData.setSigVerCrypto(crypto);
}
+
+ if (properties.get(WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD) != null) {
+ messageContext.put(WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD,
+ properties.get(WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD));
+ }
// Disable PrefixList checking as the stax code doesn't support this yet
List<BSPRule> ignoredRules = new ArrayList<BSPRule>();
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/UsernameTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/UsernameTokenTest.java?rev=1442079&r1=1442078&r2=1442079&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/UsernameTokenTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/UsernameTokenTest.java Mon Feb 4 11:19:15 2013
@@ -316,7 +316,11 @@ public class UsernameTokenTest extends A
//done UsernameToken; now verification:
{
String action = WSHandlerConstants.USERNAME_TOKEN;
- doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
+
+ Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
+ Properties properties = new Properties();
+ properties.put(WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD, "true");
+ doInboundSecurityWithWSS4J_1(document, action, properties, false);
}
}