Posted to commits@ws.apache.org by co...@apache.org on 2011/07/25 12:08:32 UTC
svn commit: r1150615 - in /webservices/wss4j/trunk/src:
main/java/org/apache/ws/security/ main/java/org/apache/ws/security/message/
main/java/org/apache/ws/security/message/token/
main/java/org/apache/ws/security/processor/ main/java/org/apache/ws/secu...
Author: coheigea
Date: Mon Jul 25 10:08:31 2011
New Revision: 1150615
URL: http://svn.apache.org/viewvc?rev=1150615&view=rev
Log:
[WSS-251] - Added a (mock) unit test for Direct Reference Signature using a Kerberos Token.
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java?rev=1150615&r1=1150614&r2=1150615&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSConstants.java Mon Jul 25 10:08:31 2011
@@ -243,6 +243,7 @@ public class WSConstants {
public static final String WSS_KRB_V5_AP_REQ4120 = KERBEROS_NS11 + "#Kerberosv5_AP_REQ4120";
public static final String WSS_GSS_KRB_V5_AP_REQ4120 =
KERBEROS_NS11 + "#GSS_Kerberosv5_AP_REQ4120";
+ public static final String WSS_KRB_KI_VALUE_TYPE = KERBEROS_NS11 + "#Kerberosv5APREQSHA1";
//
// Misc
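Review bot: WSS_KRB_KI_VALUE_TYPE is added without a Javadoc comment and is not referenced by any other file in this commit, so its intended use cannot be discovered from the diff. The `#Kerberosv5APREQSHA1` suffix suggests it is the Kerberos Token Profile 1.1 KeyIdentifier ValueType (the SHA-1 thumbprint form of the AP_REQ) rather than a BST ValueType, which would explain why isKerberosToken in this commit does not list it; stating that prevents the two being confused later. A one-line comment such as `/** KeyIdentifier ValueType for a Kerberos token referenced by the SHA-1 of its AP_REQ (Kerberos Token Profile 1.1); not a BST ValueType. */` would do.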
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java?rev=1150615&r1=1150614&r2=1150615&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java Mon Jul 25 10:08:31 2011
@@ -29,6 +29,7 @@ import org.apache.ws.security.components
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.DOMX509Data;
import org.apache.ws.security.message.token.DOMX509IssuerSerial;
+import org.apache.ws.security.message.token.KerberosSecurity;
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
@@ -236,6 +237,9 @@ public class WSSecSignature extends WSSe
} else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customTokenValueType)) {
secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
refCust.setValueType(customTokenValueType);
+ } else if (KerberosSecurity.isKerberosToken(customTokenValueType)) {
+ secRef.addTokenType(customTokenValueType);
+ refCust.setValueType(customTokenValueType);
} else {
refCust.setValueType(customTokenValueType);
}
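Review bot: The new Kerberos arm differs from the trailing `else` only by the `secRef.addTokenType` call, so it duplicates `refCust.setValueType(customTokenValueType)` instead of folding into the default: `} else { if (KerberosSecurity.isKerberosToken(customTokenValueType)) { secRef.addTokenType(customTokenValueType); } refCust.setValueType(customTokenValueType); }`. The same applies to the refCustd copy in the following hunk (lines 59–61). A short why-comment on the TokenType would also help, e.g. `// Kerberos Token Profile: the STR's TokenType presumably mirrors the referenced BST's ValueType`. The enclosing method starts and ends outside this hunk.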
@@ -253,6 +257,9 @@ public class WSSecSignature extends WSSe
} else if (WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(customTokenValueType)) {
secRef.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
refCustd.setValueType(customTokenValueType);
+ } else if (KerberosSecurity.isKerberosToken(customTokenValueType)) {
+ secRef.addTokenType(customTokenValueType);
+ refCustd.setValueType(customTokenValueType);
} else {
refCustd.setValueType(customTokenValueType);
}
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java?rev=1150615&r1=1150614&r2=1150615&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java Mon Jul 25 10:08:31 2011
@@ -61,6 +61,14 @@ public class KerberosSecurity extends Bi
*/
public KerberosSecurity(Element elem, boolean bspCompliant) throws WSSecurityException {
super(elem, bspCompliant);
+ String valueType = getValueType();
+ if (bspCompliant && !WSConstants.WSS_GSS_KRB_V5_AP_REQ.equals(valueType)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY_TOKEN,
+ "invalidValueType",
+ new Object[]{valueType}
+ );
+ }
}
/**
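Review bot: The constructor now throws for a non-GSS ValueType when bspCompliant is set, but the Javadoc that ends at line 71 (its start is outside the hunk) does not document that; add `@throws WSSecurityException if bspCompliant is true and the ValueType is not WSS_GSS_KRB_V5_AP_REQ`. Since isKerberosToken in this same commit accepts six ValueTypes while this check accepts one, a comment on the `if` would explain the asymmetry, e.g. `// BSP 1.1 permits only the GSS_Kerberosv5_AP_REQ ValueType on a Kerberos BST`. Whether other KerberosSecurity constructors need the same check cannot be seen from this hunk.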
@@ -164,5 +172,21 @@ public class KerberosSecurity extends Bi
}
}
+ /**
+ * Return true if the valueType represents a Kerberos Token
+ * @param valueType the valueType of the token
+ * @return true if the valueType represents a Kerberos Token
+ */
+ public static boolean isKerberosToken(String valueType) {
+ if (WSConstants.WSS_KRB_V5_AP_REQ.equals(valueType)
+ || WSConstants.WSS_GSS_KRB_V5_AP_REQ.equals(valueType)
+ || WSConstants.WSS_KRB_V5_AP_REQ1510.equals(valueType)
+ || WSConstants.WSS_GSS_KRB_V5_AP_REQ1510.equals(valueType)
+ || WSConstants.WSS_KRB_V5_AP_REQ4120.equals(valueType)
+ || WSConstants.WSS_GSS_KRB_V5_AP_REQ4120.equals(valueType)) {
+ return true;
+ }
+ return false;
+ }
}
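Review bot: isKerberosToken wraps a boolean expression in `if (...) { return true; } return false;`; returning the condition directly is shorter and reads the same: `return WSConstants.WSS_KRB_V5_AP_REQ.equals(valueType) || … || WSConstants.WSS_GSS_KRB_V5_AP_REQ4120.equals(valueType);`. The Javadoc could also note that a null argument yields false, and — if that is the intent — that the WSS_KRB_KI_VALUE_TYPE constant added in this commit is deliberately excluded because it is a KeyIdentifier ValueType rather than a token ValueType.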
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java?rev=1150615&r1=1150614&r2=1150615&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java Mon Jul 25 10:08:31 2011
@@ -136,7 +136,7 @@ public class BinarySecurityTokenProcesso
token = new X509Security(element, config.isWsiBSPCompliant());
} else if (PKIPathSecurity.getType().equals(type)) {
token = new PKIPathSecurity(element, config.isWsiBSPCompliant());
- } else if (isKerberosToken(type)) {
+ } else if (KerberosSecurity.isKerberosToken(type)) {
token = new KerberosSecurity(element, config.isWsiBSPCompliant());
} else {
token = new BinarySecurity(element, config.isWsiBSPCompliant());
@@ -144,21 +144,4 @@ public class BinarySecurityTokenProcesso
return token;
}
- /**
- * Return true if the valueType represents a Kerberos Token
- * @param valueType the valueType of the token
- * @return true if the valueType represents a Kerberos Token
- */
- private boolean isKerberosToken(String valueType) {
- if (WSConstants.WSS_KRB_V5_AP_REQ.equals(valueType)
- || WSConstants.WSS_GSS_KRB_V5_AP_REQ.equals(valueType)
- || WSConstants.WSS_KRB_V5_AP_REQ1510.equals(valueType)
- || WSConstants.WSS_GSS_KRB_V5_AP_REQ1510.equals(valueType)
- || WSConstants.WSS_KRB_V5_AP_REQ4120.equals(valueType)
- || WSConstants.WSS_GSS_KRB_V5_AP_REQ4120.equals(valueType)) {
- return true;
- }
- return false;
- }
-
}
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java?rev=1150615&r1=1150614&r2=1150615&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/str/SignatureSTRParser.java Mon Jul 25 10:08:31 2011
@@ -291,7 +291,7 @@ public class SignatureSTRParser implemen
if (crypto == null) {
throw new WSSecurityException(WSSecurityException.FAILURE, "noSigCryptoFile");
}
- BinarySecurity token = createSecurityToken(elem);
+ BinarySecurity token = createSecurityToken(elem, bspCompliant);
if (bspCompliant) {
BSPEnforcer.checkBinarySecurityBSPCompliance(secRef, token);
}
@@ -309,18 +309,21 @@ public class SignatureSTRParser implemen
* @param element The XML element that contains either a <code>BinarySecurityToken
* </code> or a <code>PKIPath</code> element. Other element types a not
* supported
+ * @param bspCompliant Whether BSP compliance is enforced or not
* @return the BinarySecurity object, either a <code>X509Security</code> or a
* <code>PKIPathSecurity</code> object.
* @throws WSSecurityException
*/
- private static BinarySecurity createSecurityToken(Element element) throws WSSecurityException {
-
+ private static BinarySecurity createSecurityToken(
+ Element element,
+ boolean bspCompliant
+ ) throws WSSecurityException {
String type = element.getAttribute("ValueType");
if (X509Security.X509_V3_TYPE.equals(type)) {
- X509Security x509 = new X509Security(element);
+ X509Security x509 = new X509Security(element, bspCompliant);
return (BinarySecurity) x509;
} else if (PKIPathSecurity.getType().equals(type)) {
- PKIPathSecurity pkiPath = new PKIPathSecurity(element);
+ PKIPathSecurity pkiPath = new PKIPathSecurity(element, bspCompliant);
return (BinarySecurity) pkiPath;
}
throw new WSSecurityException(
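Review bot: createSecurityToken still recognises only X509v3 and PKIPath, so a direct reference to a Kerberos BST — which WSSecSignature can now emit in this commit — falls through to the exception thrown at line 178 (the method ends outside the hunk). If verification of that case is intentionally deferred, the Javadoc should say so; the `@throws WSSecurityException` line at 160 has no description and could read `@throws WSSecurityException if the ValueType is neither X509v3 nor PKIPath`. The `@return` text still names only the two supported types, which matches the code.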
Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java?rev=1150615&r1=1150614&r2=1150615&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java Mon Jul 25 10:08:31 2011
@@ -38,7 +38,11 @@ import org.apache.ws.security.validate.C
import org.apache.ws.security.validate.Validator;
import org.w3c.dom.Document;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.security.auth.callback.CallbackHandler;
+import javax.xml.crypto.dsig.SignatureMethod;
+
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@@ -49,8 +53,7 @@ import java.util.List;
public class BSTKerberosTest extends org.junit.Assert {
private static final org.apache.commons.logging.Log LOG =
org.apache.commons.logging.LogFactory.getLog(BSTKerberosTest.class);
- private static final String AP_REQ =
- "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ";
+ private static final String AP_REQ = WSConstants.WSS_GSS_KRB_V5_AP_REQ;
private static final String BASE64_NS =
WSConstants.SOAPMESSAGE_NS + "#Base64Binary";
private WSSecurityEngine secEngine = new WSSecurityEngine();
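Review bot: AP_REQ changes value here, not just form: the removed literal is the `#Kerberosv5_AP_REQ` ValueType, while WSS_GSS_KRB_V5_AP_REQ presumably resolves to the `#GSS_Kerberosv5_AP_REQ` form by analogy with the other constants in WSConstants. That looks deliberate, since the bspCompliant KerberosSecurity constructor added in this commit accepts only the GSS_ form, but the log message does not mention it; a comment on the field would make it explicit, e.g. `// GSS_ form: the only ValueType the bspCompliant KerberosSecurity constructor accepts`.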
@@ -240,6 +243,45 @@ public class BSTKerberosTest extends org
}
}
+ /**
+ * A test for signing using a direct reference to a Kerberos token
+ */
+ @org.junit.Test
+ public void testKerberosSignatureDRCreation() throws Exception {
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ BinarySecurity bst = new BinarySecurity(doc);
+ bst.setValueType(AP_REQ);
+ bst.setEncodingType(BASE64_NS);
+
+ KeyGenerator keyGen = KeyGenerator.getInstance("AES");
+ keyGen.init(128);
+ SecretKey key = keyGen.generateKey();
+ byte[] keyData = key.getEncoded();
+
+ bst.setToken(keyData);
+ bst.setID("Id-" + bst.hashCode());
+ WSSecurityUtil.prependChildElement(secHeader.getSecurityHeader(), bst.getElement());
+
+ WSSecSignature sign = new WSSecSignature();
+ sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
+ sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+ sign.setCustomTokenValueType(AP_REQ);
+ sign.setCustomTokenId(bst.getID());
+ sign.setSecretKey(keyData);
+
+ Document signedDoc = sign.build(doc, crypto, secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
+ LOG.debug(outputString);
+ }
+ }
+
/**
* Verifies the soap envelope