cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dk...@apache.org
Subject svn commit: r663146 - in /cxf/branches/2.0.x-fixes: ./ buildtools/src/main/resources/ rt/ws/security/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/
Date Wed, 04 Jun 2008 14:58:48 GMT
Author: dkulp
Date: Wed Jun  4 07:58:47 2008
New Revision: 663146

URL: http://svn.apache.org/viewvc?rev=663146&view=rev
Log:
Merged revisions 662883 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r662883 | dkulp | 2008-06-03 16:55:58 -0400 (Tue, 03 Jun 2008) | 3 lines
  
  [CXF-1627] Update to latest wss4j to remove hacks needed to workaround bugs in the older
version.
  Note: wss4j 1.5.4 requires the opensaml library to work at all.   Thus, that is added.
........

Modified:
    cxf/branches/2.0.x-fixes/   (props changed)
    cxf/branches/2.0.x-fixes/buildtools/src/main/resources/notice-supplements.xml
    cxf/branches/2.0.x-fixes/rt/ws/security/pom.xml
    cxf/branches/2.0.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/branches/2.0.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java

Propchange: cxf/branches/2.0.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.0.x-fixes/buildtools/src/main/resources/notice-supplements.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.0.x-fixes/buildtools/src/main/resources/notice-supplements.xml?rev=663146&r1=663145&r2=663146&view=diff
==============================================================================
--- cxf/branches/2.0.x-fixes/buildtools/src/main/resources/notice-supplements.xml (original)
+++ cxf/branches/2.0.x-fixes/buildtools/src/main/resources/notice-supplements.xml Wed Jun
 4 07:58:47 2008
@@ -162,7 +162,7 @@
   </supplement>
   <supplement>
     <project>
-      <groupId>xml-security</groupId>
+      <groupId>org.apache.santuario</groupId>
       <artifactId>xmlsec</artifactId>
       <name>XML Security</name>
       <organization>
@@ -177,6 +177,23 @@
       </licenses>
     </project>
   </supplement>
+    <supplement>
+    <project>
+      <groupId>opensaml</groupId>
+      <artifactId>opensaml</artifactId>
+      <name>OpenSAML</name>
+      <organization>
+        <name>Internet2</name>
+        <url>http://www.opensaml.org</url>
+      </organization>
+      <licenses>
+        <license>
+          <name>The Apache Software License, Version 2.0</name>
+          <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+        </license>
+      </licenses>
+    </project>
+  </supplement>
   <supplement>
     <project>
       <groupId>xml-apis</groupId>

Modified: cxf/branches/2.0.x-fixes/rt/ws/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.0.x-fixes/rt/ws/security/pom.xml?rev=663146&r1=663145&r2=663146&view=diff
==============================================================================
--- cxf/branches/2.0.x-fixes/rt/ws/security/pom.xml (original)
+++ cxf/branches/2.0.x-fixes/rt/ws/security/pom.xml Wed Jun  4 07:58:47 2008
@@ -60,13 +60,29 @@
         <dependency>
             <groupId>org.apache.ws.security</groupId>
             <artifactId>wss4j</artifactId>
-            <version>1.5.2</version>
-        </dependency>
-        <dependency>
-            <groupId>xml-security</groupId>
-            <artifactId>xmlsec</artifactId>
-            <version>1.3.0</version>
-            <scope>runtime</scope>
+            <version>1.5.4</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>axis</groupId>
+                    <artifactId>axis</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>axis</groupId>
+                    <artifactId>axis-ant</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>bouncycastle</groupId>
+                    <artifactId>bcprov-jdk15</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>xerces</groupId>
+                    <artifactId>xercesImpl</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>xml-apis</groupId>
+                    <artifactId>xml-apis</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>xalan</groupId>

Modified: cxf/branches/2.0.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.0.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=663146&r1=663145&r2=663146&view=diff
==============================================================================
--- cxf/branches/2.0.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/branches/2.0.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Wed Jun  4 07:58:47 2008
@@ -24,8 +24,8 @@
 import java.util.Vector;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-
 import javax.security.auth.callback.CallbackHandler;
+import javax.xml.namespace.QName;
 import javax.xml.soap.SOAPBody;
 import javax.xml.soap.SOAPException;
 import javax.xml.soap.SOAPMessage;
@@ -44,6 +44,8 @@
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngine;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.handler.RequestData;
@@ -61,12 +63,18 @@
 
     public static final String TIMESTAMP_RESULT = "wss4j.timestamp.result";
     public static final String SIGNATURE_RESULT = "wss4j.signature.result";
+    public static final String PROCESSOR_MAP = "wss4j.processor.map";
 
     private static final Logger LOG = LogUtils.getL7dLogger(WSS4JInInterceptor.class);
     private static final Logger TIME_LOG = LogUtils.getL7dLogger(WSS4JInInterceptor.class,
                                                                  null,
                                                                  WSS4JInInterceptor.class.getName()
                                                                      + "-Time");
+
+    /**
+     *
+     */
+    private WSSecurityEngine secEngineOverride;
     
     public WSS4JInInterceptor() {
         super();
@@ -75,9 +83,15 @@
         getAfter().add(SAAJInInterceptor.class.getName());
     }
 
+    @SuppressWarnings("unchecked")
     public WSS4JInInterceptor(Map<String, Object> properties) {
         this();
         setProperties(properties);
+        final Map<QName, String> map = 
+            (Map<QName, String>) properties.get(PROCESSOR_MAP);
+        if (map != null) {
+            secEngineOverride = createSecurityEngine(map);
+        }
     }
 
     @SuppressWarnings("unchecked")
@@ -127,15 +141,20 @@
              * they may be used for encryption too.
              */
             doReceiverAction(doAction, reqData);
-
+            
             Vector wsResult = null;
             if (doTimeLog) {
                 t1 = System.currentTimeMillis();
             }
 
             try {
-                wsResult = secEngine.processSecurityHeader(doc.getSOAPPart(), actor, cbHandler,
reqData
-                    .getSigCrypto(), reqData.getDecCrypto());
+                wsResult = getSecurityEngine().processSecurityHeader(
+                    doc.getSOAPPart(), 
+                    actor, 
+                    cbHandler, 
+                    reqData.getSigCrypto(), 
+                    reqData.getDecCrypto()
+                );
             } catch (WSSecurityException ex) {
                 LOG.log(Level.WARNING, "", ex);
                 throw new SoapFault(new Message("SECURITY_FAILED", LOG), ex, version.getSender());
@@ -157,13 +176,6 @@
             if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
                 checkSignatureConfirmation(reqData, wsResult);
             }
-            
-            //
-            // Now remove the Signature Confirmation results. This is needed to work around
the
-            // wsResult.size() != actions.size() comparison below. The real issue is to fix
the
-            // broken checkReceiverResults method in WSS4J.
-            //
-            removeSignatureConfirmationResults(wsResult);
 
             /*
              * Now we can check the certificate used to sign the message. In the
@@ -213,11 +225,8 @@
 
             /*
              * now check the security actions: do they match, in right order?
-             *
-             * Added size comparison to work around
-             * https://issues.apache.org/jira/browse/WSS-70
              */
-            if (wsResult.size() != actions.size() || !checkReceiverResults(wsResult, actions))
{
+            if (!checkReceiverResults(wsResult, actions)) {
                 LOG.warning("Security processing failed (actions mismatch)");
                 throw new SoapFault(new Message("ACTION_MISMATCH", LOG), version.getSender());
 
@@ -303,18 +312,52 @@
         return cbHandler;
     }
     
-    private void removeSignatureConfirmationResults(List<Object> wsResult) {
-        //
-        // Now remove the Signature Confirmation results. This is needed to work around the
-        // wsResult.size() != actions.size() comparison below. The real issue is to fix the
-        // broken checkReceiverResults method in WSS4J.
-        //
-        for (int i = 0; i < wsResult.size(); i++) {
-            Integer action = (Integer)((WSSecurityEngineResult)wsResult.get(i))
-                .get(WSSecurityEngineResult.TAG_ACTION);
-            if (action != null && action.intValue() == WSConstants.SC) {
-                wsResult.remove(i);
+    /**
+     * @return      the WSSecurityEngine in use by this interceptor.
+     *              This engine is defined to be the secEngineOverride
+     *              instance, if defined in this class (and supplied through
+     *              construction); otherwise, it is taken to be the default
+     *              WSSecEngine instance (currently defined in the WSHandler
+     *              base class).
+     *
+     * TODO the WSHandler base class defines secEngine to be static, which
+     * is really bad, because the engine has mutable state on it.
+     */
+    private WSSecurityEngine
+    getSecurityEngine() {
+        if (secEngineOverride != null) {
+            return secEngineOverride;
+        }
+        return secEngine;
+    }
+
+    /**
+     * @return      a freshly minted WSSecurityEngine instance, using the
+     *              (non-null) processor map, to be used to initialize the
+     *              WSSecurityEngine instance.
+     *
+     * TODO The WSS4J APIs leave something to be desired here, but hopefully
+     * we'll clean all this up in WSS4J-2.0
+     */
+    private WSSecurityEngine
+    createSecurityEngine(
+        final Map<QName, String> map
+    ) {
+        assert map != null;
+        final WSSConfig config = WSSConfig.getNewInstance();
+        for (Map.Entry<QName, String> entry : map.entrySet()) {
+            final QName key = entry.getKey();
+            String val = entry.getValue();
+            if (val != null) {
+                val = val.trim();
+                if ("null".equals(val) || val.length() == 0) {
+                    val = null;
+                }
             }
+            config.setProcessor(key, val);
         }
+        final WSSecurityEngine ret = new WSSecurityEngine();
+        ret.setWssConfig(config);
+        return ret;
     }
 }

Modified: cxf/branches/2.0.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.0.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java?rev=663146&r1=663145&r2=663146&view=diff
==============================================================================
--- cxf/branches/2.0.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
(original)
+++ cxf/branches/2.0.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
Wed Jun  4 07:58:47 2008
@@ -22,10 +22,12 @@
 import java.io.ByteArrayOutputStream;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.SortedSet;
 import java.util.TreeSet;
-
+import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.soap.MessageFactory;
@@ -41,6 +43,7 @@
 import org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor;
 import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
 import org.apache.cxf.helpers.DOMUtils.NullResolver;
+import org.apache.cxf.helpers.XMLUtils;
 import org.apache.cxf.interceptor.Interceptor;
 import org.apache.cxf.message.Exchange;
 import org.apache.cxf.message.ExchangeImpl;
@@ -48,8 +51,11 @@
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.staxutils.StaxUtils;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
 import org.junit.Test;
 
 
@@ -203,19 +209,198 @@
             .get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
         assertNotNull(certificate);
     }
+    
+    @Test
+    @SuppressWarnings("unchecked")
+    public void testEncryption() throws Exception {
+        Document doc = readDocument("wsse-request-clean.xml");
+
+        WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor();
+        PhaseInterceptor<SoapMessage> handler = ohandler.createEndingInterceptor();
+
+        SoapMessage msg = new SoapMessage(new MessageImpl());
+        Exchange ex = new ExchangeImpl();
+        ex.setInMessage(msg);
+        
+        SOAPMessage saajMsg = MessageFactory.newInstance().createMessage();
+        SOAPPart part = saajMsg.getSOAPPart();
+        part.setContent(new DOMSource(doc));
+        saajMsg.saveChanges();
 
+        msg.setContent(SOAPMessage.class, saajMsg);
+        
+        msg.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
+        msg.put(WSHandlerConstants.SIG_PROP_FILE, "META-INF/cxf/outsecurity.properties");
+        msg.put(WSHandlerConstants.ENC_PROP_FILE, "META-INF/cxf/outsecurity.properties");
+        msg.put(WSHandlerConstants.USER, "myalias");
+        msg.put("password", "myAliasPassword");
+
+        handler.handleMessage(msg);
+        doc = part;
+
+        assertValid("//wsse:Security", doc);
+        assertValid("//s:Body/xenc:EncryptedData", doc);
 
+        byte[] docbytes = getMessageBytes(doc);
+        XMLStreamReader reader = StaxUtils.createXMLStreamReader(new ByteArrayInputStream(docbytes));
+
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+        dbf.setValidating(false);
+        dbf.setIgnoringComments(false);
+        dbf.setIgnoringElementContentWhitespace(true);
+        dbf.setNamespaceAware(true);
+
+        DocumentBuilder db = dbf.newDocumentBuilder();
+        db.setEntityResolver(new NullResolver());
+        doc = StaxUtils.read(db, reader, false);
+
+        WSS4JInInterceptor inHandler = new WSS4JInInterceptor();
+
+        SoapMessage inmsg = new SoapMessage(new MessageImpl());
+        ex.setInMessage(inmsg);
+        inmsg.setContent(SOAPMessage.class, saajMsg);
+
+        inHandler.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
+        inHandler.setProperty(WSHandlerConstants.DEC_PROP_FILE, "META-INF/cxf/insecurity.properties");
+        inHandler.setProperty(
+            WSHandlerConstants.PW_CALLBACK_CLASS, 
+            "org.apache.cxf.ws.security.wss4j.TestPwdCallback"
+        );
+
+        inHandler.handleMessage(inmsg);
+        //
+        // Check that the EncryptedData is no longer there
+        //
+        assertInvalid("//s:Body/xenc:EncryptedData", saajMsg.getSOAPPart());
+        //
+        // There should be exactly 1 (WSS4J) HandlerResult
+        //
+        final java.util.List<WSHandlerResult> handlerResults = 
+            (java.util.List<WSHandlerResult>) inmsg.get(WSHandlerConstants.RECV_RESULTS);
+        assertNotNull(handlerResults);
+        assertSame(handlerResults.size(), 1);
+        //
+        // This should contain exactly 1 protection result
+        //
+        final java.util.List<Object> protectionResults =
+            (java.util.List<Object>) handlerResults.get(0).getResults();
+        assertNotNull(protectionResults);
+        assertSame(protectionResults.size(), 1);
+        //
+        // This result should contain a reference to the decrypted element,
+        // which should contain the soap:Body Qname
+        //
+        final java.util.Map<String, Object> result =
+            (java.util.Map<String, Object>) protectionResults.get(0);
+        final java.util.List<WSDataRef> protectedElements =
+            (java.util.List<WSDataRef>) 
+                result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
+        assertNotNull(protectedElements);
+        assertSame(protectedElements.size(), 1);
+        assertEquals(
+            protectedElements.get(0).getName(),
+            new javax.xml.namespace.QName(
+                "http://schemas.xmlsoap.org/soap/envelope/",
+                "Body"
+            )
+        );
+    }
+    
+    @Test
+    public void testCustomProcessor() throws Exception {
+        Document doc = readDocument("wsse-request-clean.xml");
+
+        WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor();
+        PhaseInterceptor<SoapMessage> handler = ohandler.createEndingInterceptor();
+
+        SoapMessage msg = new SoapMessage(new MessageImpl());
+        Exchange ex = new ExchangeImpl();
+        ex.setInMessage(msg);
+        
+        SOAPMessage saajMsg = MessageFactory.newInstance().createMessage();
+        SOAPPart part = saajMsg.getSOAPPart();
+        part.setContent(new DOMSource(doc));
+        saajMsg.saveChanges();
+
+        msg.setContent(SOAPMessage.class, saajMsg);
+
+        msg.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
+        msg.put(WSHandlerConstants.SIG_PROP_FILE, "META-INF/cxf/outsecurity.properties");
+        msg.put(WSHandlerConstants.USER, "myalias");
+        msg.put("password", "myAliasPassword");
+
+        handler.handleMessage(msg);
+
+        doc = part;
+        
+        assertValid("//wsse:Security", doc);
+        assertValid("//wsse:Security/ds:Signature", doc);
+
+        byte[] docbytes = getMessageBytes(doc);
+        XMLStreamReader reader = StaxUtils.createXMLStreamReader(new ByteArrayInputStream(docbytes));
+
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+        dbf.setValidating(false);
+        dbf.setIgnoringComments(false);
+        dbf.setIgnoringElementContentWhitespace(true);
+        dbf.setNamespaceAware(true);
+
+        DocumentBuilder db = dbf.newDocumentBuilder();
+        db.setEntityResolver(new NullResolver());
+        doc = StaxUtils.read(db, reader, false);
+
+        final Map<String, Object> properties = new HashMap<String, Object>();
+        properties.put(
+            WSS4JInInterceptor.PROCESSOR_MAP,
+            createCustomProcessorMap()
+        );
+        WSS4JInInterceptor inHandler = new WSS4JInInterceptor(properties);
+
+        SoapMessage inmsg = new SoapMessage(new MessageImpl());
+        ex.setInMessage(inmsg);
+        inmsg.setContent(SOAPMessage.class, saajMsg);
+
+        inHandler.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.NO_SECURITY);
+
+        inHandler.handleMessage(inmsg);
+        
+        WSSecurityEngineResult result = 
+            (WSSecurityEngineResult) inmsg.get(WSS4JInInterceptor.SIGNATURE_RESULT);
+        assertNull(result);
+    }
+    
     private byte[] getMessageBytes(Document doc) throws Exception {
-        // XMLOutputFactory factory = XMLOutputFactory.newInstance();
         ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
-
-        // XMLStreamWriter byteArrayWriter =
-        // factory.createXMLStreamWriter(outputStream);
         XMLStreamWriter byteArrayWriter = StaxUtils.createXMLStreamWriter(outputStream);
-
         StaxUtils.writeDocument(doc, byteArrayWriter, false);
-
         byteArrayWriter.flush();
         return outputStream.toByteArray();
     }
+
+    /**
+     * @return      a processor map suitable for custom processing of
+     *              signatures (in this case, the actual processor is
+     *              null, which will cause the WSS4J runtime to do no
+     *              processing on the input)
+     */
+    private Map<QName, String>
+    createCustomProcessorMap() {
+        final Map<QName, String> ret = new HashMap<QName, String>();
+        ret.put(
+            new QName(
+                WSConstants.SIG_NS,
+                WSConstants.SIG_LN
+            ),
+            null
+        );
+        return ret;
+    }
+    
+    
+    // FOR DEBUGGING ONLY
+    /*private*/ static String serialize(Document doc) {
+        return XMLUtils.toString(doc);
+    }
 }



Mime
View raw message