Posted to commits@ws.apache.org by co...@apache.org on 2015/02/20 12:59:23 UTC
svn commit: r1661101 - in /webservices/wss4j/trunk:
ws-security-common/src/main/java/org/apache/wss4j/common/crypto/
ws-security-common/src/main/java/org/apache/wss4j/common/derivedKey/
ws-security-common/src/main/java/org/apache/wss4j/common/util/ ws-...
Author: coheigea
Date: Fri Feb 20 11:59:23 2015
New Revision: 1661101
URL: http://svn.apache.org/r1661101
Log:
Fixing a few bugs thrown up by analysis.apache.org
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/derivedKey/DerivedKeyUtils.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/AttachmentUtils.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/DateUtil.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/SecurityTokenReference.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedDataProcessor.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyUtils.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureProtectionAssertionState.java
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/WSSSignatureOutputProcessor.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java Fri Feb 20 11:59:23 2015
@@ -321,6 +321,7 @@ public abstract class CryptoBase impleme
) {
if (subjectDNPatterns == null || subjectDNPatterns.isEmpty()) {
LOG.warn("No Subject DN Certificate Constraints were defined. This could be a security issue");
+ return true;
}
if (!subjectDNPatterns.isEmpty()) {
if (cert == null) {
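Review bot: The added `return true;` makes the fail-open path explicit: with no Subject DN constraints configured, every certificate is reported as matching. Nothing visible in the hunk documents this beyond the warning log. The method's Javadoc should say so, for example `@return true if the certificate matches a pattern, or if no patterns are configured (no constraint is enforced)`, so callers do not treat a `true` result as proof that a constraint was checked. The early return also leaves the following `if (!subjectDNPatterns.isEmpty()) {` always true when reached, so that guard can be dropped and its body un-nested. The method starts and ends outside the hunk.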
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/derivedKey/DerivedKeyUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/derivedKey/DerivedKeyUtils.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/derivedKey/DerivedKeyUtils.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/derivedKey/DerivedKeyUtils.java Fri Feb 20 11:59:23 2015
@@ -22,7 +22,11 @@ import java.io.UnsupportedEncodingExcept
import org.apache.wss4j.common.ext.WSSecurityException;
-public class DerivedKeyUtils {
+public final class DerivedKeyUtils {
+
+ private DerivedKeyUtils() {
+ // complete
+ }
/**
* Derive a key from this DerivedKeyToken instance
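Review bot: The `// complete` comment in the new private constructor does not tell a reader why the constructor exists. Something like `// utility class: static methods only, never instantiated` states the intent. The same placeholder comment appears in the constructors added to AttachmentUtils, DateUtil, KeyUtils, UsernameTokenUtil, XMLUtils and PolicyUtils. DerivedKeyUtils, AttachmentUtils, XMLUtils and PolicyUtils also go from `public class` to `public final class` with a private constructor. For a published library that is a source- and binary-incompatible change for any caller that subclassed or instantiated them, so it deserves a line in the release notes.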
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/AttachmentUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/AttachmentUtils.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/AttachmentUtils.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/AttachmentUtils.java Fri Feb 20 11:59:23 2015
@@ -35,7 +35,7 @@ import java.security.InvalidKeyException
import java.security.Key;
import java.util.*;
-public class AttachmentUtils {
+public final class AttachmentUtils {
public static final String MIME_HEADER_CONTENT_DESCRIPTION = "Content-Description";
public static final String MIME_HEADER_CONTENT_DISPOSITION = "Content-Disposition";
@@ -77,7 +77,10 @@ public class AttachmentUtils {
ALL_PARAMS.add(PARAM_SIZE);
ALL_PARAMS.add(PARAM_TYPE);
}
-
+
+ private AttachmentUtils() {
+ // complete
+ }
public static void canonizeMimeHeaders(OutputStream os, Map<String, String> headers) throws IOException {
//5.4.1 MIME header canonicalization:
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/DateUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/DateUtil.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/DateUtil.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/DateUtil.java Fri Feb 20 11:59:23 2015
@@ -24,6 +24,10 @@ import java.util.Date;
public final class DateUtil {
private static final org.slf4j.Logger LOG =
org.slf4j.LoggerFactory.getLogger(DateUtil.class);
+
+ private DateUtil() {
+ // complete
+ }
/**
* Return true if the "Created" value is before the current time minus the timeToLive
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java Fri Feb 20 11:59:23 2015
@@ -29,6 +29,10 @@ public final class KeyUtils {
private static final org.slf4j.Logger LOG =
org.slf4j.LoggerFactory.getLogger(KeyUtils.class);
private static final int MAX_SYMMETRIC_KEY_SIZE = 1024;
+
+ private KeyUtils() {
+ // complete
+ }
/**
* Returns the length of the key in # of bytes
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/UsernameTokenUtil.java Fri Feb 20 11:59:23 2015
@@ -31,6 +31,10 @@ public final class UsernameTokenUtil {
private static final org.slf4j.Logger LOG =
org.slf4j.LoggerFactory.getLogger(UsernameTokenUtil.class);
+ private UsernameTokenUtil() {
+ // complete
+ }
+
/**
* This static method generates a derived key as defined in WSS Username
* Token Profile.
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java Fri Feb 20 11:59:23 2015
@@ -37,10 +37,14 @@ import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;
-public class XMLUtils {
+public final class XMLUtils {
public static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
public static final String XML_NS = "http://www.w3.org/XML/1998/namespace";
+
+ private XMLUtils() {
+ // complete
+ }
/**
* Gets a direct child with specified localname and namespace. <p/>
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java Fri Feb 20 11:59:23 2015
@@ -91,11 +91,9 @@ public class EncryptionAction implements
if (!encryptionToken.isEncSymmetricEncryptionKey() && ephemeralKey == null) {
CallbackHandler callbackHandler =
handler.getPasswordCallbackHandler(reqData);
- if (ephemeralKey == null) {
- WSPasswordCallback passwordCallback =
- handler.getPasswordCB(encryptionToken.getUser(), WSConstants.ENCR, callbackHandler, reqData);
- ephemeralKey = passwordCallback.getKey();
- }
+ WSPasswordCallback passwordCallback =
+ handler.getPasswordCB(encryptionToken.getUser(), WSConstants.ENCR, callbackHandler, reqData);
+ ephemeralKey = passwordCallback.getKey();
}
wsEncrypt.setEphemeralKey(ephemeralKey);
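Review bot: The value of `passwordCallback.getKey()` is assigned without a check, so a callback handler that supplies no key leaves `ephemeralKey` null, and that null is passed to `wsEncrypt.setEphemeralKey(ephemeralKey)`. This branch runs only when `isEncSymmetricEncryptionKey()` is false, so the callback is presumably the only source of key material here. How the encryptor treats a null key is not visible in the hunk. Consider failing early with a `WSSecurityException` when `getKey()` returns null, rather than relying on downstream behaviour. The method starts and ends outside the hunk.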
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/SecurityTokenReference.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/SecurityTokenReference.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/SecurityTokenReference.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/SecurityTokenReference.java Fri Feb 20 11:59:23 2015
@@ -821,11 +821,11 @@ public class SecurityTokenReference {
}
String encodingType = getFirstElement().getAttributeNS(null, "EncodingType");
// Encoding Type must be equal to Base64Binary if it's specified
- if (encodingType != null && !"".equals(encodingType)
- && !BinarySecurity.BASE64_ENCODING.equals(encodingType)) {
+ if (!"".equals(encodingType) && !BinarySecurity.BASE64_ENCODING.equals(encodingType)) {
bspEnforcer.handleBSPRule(BSPRule.R3071);
}
// Encoding type must be specified other than for a SAML Assertion
+
if (!WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(valueType)
&& !WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(valueType)
&& (encodingType == null || "".equals(encodingType))) {
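Review bot: The two EncodingType checks now disagree about whether `encodingType` can be null. The first condition drops the null test, while the later one still tests `encodingType == null || "".equals(encodingType)`. If a DOM implementation does return null for an absent attribute, the new first condition evaluates to true and reports `BSPRule.R3071` for an attribute that is merely missing. Either keep the null test in both places, or normalise once right after the lookup, e.g. `if (encodingType == null) { encodingType = ""; }`, and remove the null test from the second condition. The blank `+` line also separates the comment `// Encoding type must be specified other than for a SAML Assertion` from the `if` it describes and should be removed. The method starts and ends outside the hunk.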
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedDataProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedDataProcessor.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedDataProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedDataProcessor.java Fri Feb 20 11:59:23 2015
@@ -90,7 +90,7 @@ public class EncryptedDataProcessor impl
kiElem, WSConstants.ENC_KEY_LN, WSConstants.ENC_NS
);
- if (elem != null && request.isRequireSignedEncryptedDataElements()) {
+ if (request.isRequireSignedEncryptedDataElements()) {
WSSecurityUtil.verifySignedElement(elem, wsDocInfo);
}
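Review bot: With the `elem != null` guard removed, `WSSecurityUtil.verifySignedElement(elem, wsDocInfo)` depends on `elem` being non-null, and nothing in the hunk shows where that is established. This call enforces the "EncryptedData must be signed" requirement, so the invariant is worth stating. If `elem` is already dereferenced earlier in the method, as the static-analysis finding suggests, add a comment such as `// elem is dereferenced above and cannot be null here`. The method starts and ends outside the hunk.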
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyUtils.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyUtils.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyUtils.java Fri Feb 20 11:59:23 2015
@@ -24,7 +24,11 @@ import javax.xml.namespace.QName;
import java.util.LinkedList;
import java.util.List;
-public class PolicyUtils {
+public final class PolicyUtils {
+
+ private PolicyUtils() {
+ // complete
+ }
public static List<QName> getElementPath(XPath xPath) {
List<QName> elements = new LinkedList<>();
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureProtectionAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureProtectionAssertionState.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureProtectionAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureProtectionAssertionState.java Fri Feb 20 11:59:23 2015
@@ -49,8 +49,8 @@ import java.util.List;
*/
public class SignatureProtectionAssertionState extends AssertionState implements Assertable {
- private final ArrayList<EncryptedElementSecurityEvent> encryptedElementEvents = new ArrayList<>();
- private final ArrayList<TokenSecurityEvent<? extends SecurityToken>> tokenSecurityEvents = new ArrayList<>();
+ private final List<EncryptedElementSecurityEvent> encryptedElementEvents = new ArrayList<>();
+ private final List<TokenSecurityEvent<? extends SecurityToken>> tokenSecurityEvents = new ArrayList<>();
private final List<List<QName>> elementPaths = new ArrayList<>();
private PolicyAsserter policyAsserter;
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java Fri Feb 20 11:59:23 2015
@@ -49,8 +49,8 @@ import java.util.List;
*/
public class TokenProtectionAssertionState extends AssertionState implements Assertable {
- private final ArrayList<SignedElementSecurityEvent> signedElementEvents = new ArrayList<>();
- private final ArrayList<TokenSecurityEvent<? extends SecurityToken>> tokenSecurityEvents = new ArrayList<>();
+ private final List<SignedElementSecurityEvent> signedElementEvents = new ArrayList<>();
+ private final List<TokenSecurityEvent<? extends SecurityToken>> tokenSecurityEvents = new ArrayList<>();
private PolicyAsserter policyAsserter;
public TokenProtectionAssertionState(Assertion assertion,
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java Fri Feb 20 11:59:23 2015
@@ -292,8 +292,8 @@ public class WSSSignatureReferenceVerify
ReplayCache replayCache =
((WSSSecurityProperties)getSecurityProperties()).getTimestampReplayCache();
if (timestampSecurityEvent != null && replayCache != null) {
- final String cacheKey = String.valueOf(
- timestampSecurityEvent.getCreated().getTimeInMillis()) +
+ final String cacheKey =
+ timestampSecurityEvent.getCreated().getTimeInMillis() +
"" + Arrays.hashCode(getSignatureType().getSignatureValue().getValue());
if (replayCache.contains(cacheKey)) {
throw new WSSecurityException(WSSecurityException.ErrorCode.MESSAGE_EXPIRED);
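Review bot: The replay-cache key is still built from `Arrays.hashCode(...)` of the signature value, which is a 32-bit non-cryptographic hash. Two different signatures that share a `Created` timestamp can therefore map to the same key, and the second, legitimate message would be rejected with `MESSAGE_EXPIRED`. The timestamp and the hash are also concatenated with `""`, so the boundary between the two numbers is not marked. Keying on the full signature value (for example its Base64 text or a SHA-256 digest of the bytes), joined to the timestamp with an explicit separator such as `":"`, would remove both ambiguities. The method starts and ends outside the hunk.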
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/WSSSignatureOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/WSSSignatureOutputProcessor.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/WSSSignatureOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/WSSSignatureOutputProcessor.java Fri Feb 20 11:59:23 2015
@@ -216,7 +216,7 @@ public class WSSSignatureOutputProcessor
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, e);
}
- String calculatedDigest = new String(Base64.encode(digestOutputStream.getDigestValue()));
+ String calculatedDigest = Base64.encode(digestOutputStream.getDigestValue());
if (LOG.isDebugEnabled()) {
LOG.debug("Calculated Digest: " + calculatedDigest);
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java?rev=1661101&r1=1661100&r2=1661101&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java Fri Feb 20 11:59:23 2015
@@ -83,7 +83,7 @@ public class SamlSecurityTokenImpl exten
Element assertionElem = pwcb.getCustomToken();
if (assertionElem != null && "Assertion".equals(assertionElem.getLocalName())
&& (WSSConstants.NS_SAML.equals(assertionElem.getNamespaceURI())
- || WSSConstants.NS_SAML2.equals(assertionElem))) {
+ || WSSConstants.NS_SAML2.equals(assertionElem.getNamespaceURI()))) {
this.samlAssertionWrapper = new SamlAssertionWrapper(assertionElem);
subjectKeyInfo =