Return-Path: Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: (qmail 24971 invoked from network); 4 Mar 2009 22:04:16 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 4 Mar 2009 22:04:16 -0000 Received: (qmail 11605 invoked by uid 500); 4 Mar 2009 22:04:16 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 11548 invoked by uid 500); 4 Mar 2009 22:04:15 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 11539 invoked by uid 99); 4 Mar 2009 22:04:15 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 04 Mar 2009 14:04:15 -0800 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 04 Mar 2009 22:04:13 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 71C7B2388870; Wed, 4 Mar 2009 22:03:52 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r750182 - /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Date: Wed, 04 Mar 2009 22:03:52 -0000 To: commits@cxf.apache.org 
From: dkulp@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20090304220352.71C7B2388870@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: dkulp Date: Wed Mar 4 22:03:52 2009 New Revision: 750182 URL: http://svn.apache.org/viewvc?rev=750182&view=rev Log: Try to workaround how WCF tries to improperly interpret a policy so we really do get ws-trust10 at 100% Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=750182&r1=750181&r2=750182&view=diff ==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Wed Mar 4 22:03:52 2009
@@ -48,6 +48,8 @@
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSEncryptionPart;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.conversation.ConversationConstants;
 import org.apache.ws.security.message.WSSecDKSign;
 import org.apache.ws.security.message.WSSecEncryptedKey;
@@ -132,10 +134,12 @@ for (Token token : sgndSuppTokens.getTokens()) { if (token instanceof IssuedToken - || token instanceof SecureConversationToken) { + || token instanceof SecureConversationToken + || token instanceof KeyValueToken) { signatureValues.add(doIssuedTokenSignature(token, signdParts, sgndSuppTokens)); - } else if (token instanceof X509Token) { + } else if (token instanceof X509Token + || token instanceof KeyValueToken) { signatureValues.add(doX509TokenSignature(token, signdParts, sgndSuppTokens)); } } @@ -166,14 +170,13 @@ if (token instanceof IssuedToken || token instanceof SecureConversationToken) { signatureValues.add(doIssuedTokenSignature(token, - null, + sgndSuppTokens.getSignedParts(), sgndSuppTokens)); - } else if (token instanceof X509Token) { + } else if (token instanceof X509Token + || token instanceof KeyValueToken) { signatureValues.add(doX509TokenSignature(token, sgndSuppTokens.getSignedParts(), sgndSuppTokens)); - } else if (token instanceof KeyValueToken) { - // } } } @@ -201,7 +204,7 @@ } } - + private byte[] doX509TokenSignature(Token token, SignedEncryptedParts signdParts, TokenWrapper wrapper) throws Exception { @@ -263,12 +266,6 @@ } else { WSSecSignature sig = getSignatureBuider(wrapper, token, false); sig.prependBSTElementToHeader(secHeader); - /* - if (isTokenProtection() - && !(SPConstants.IncludeTokenType.INCLUDE_TOKEN_NEVER == token.getInclusion())) { - sigParts.add(new WSEncryptionPart(sig.getBSTTokenId())); - } - */ sig.addReferencesToSign(sigParts, secHeader); insertBeforeBottomUp(sig.getSignatureElement()); 
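Review bot: In the @@ -132 hunk the new `|| token instanceof KeyValueToken` on the `else if (token instanceof X509Token` branch is unreachable, because a KeyValueToken already matches the first condition (the same clause was added to the IssuedToken/SecureConversationToken test) and is routed to doIssuedTokenSignature. The @@ -166 hunk routes the same token type the other way — there KeyValueToken is added only to the X509Token branch and goes to doX509TokenSignature — so the two loops disagree on how a KeyValueToken is signed. If the issued-token path is the intended one (the later hunks appear to teach doIssuedTokenSignature to sign with the token's X.509 certificate), drop the clause from the else-if in @@ -132 and add `// KeyValueToken is signed via the issued-token path (see doIssuedTokenSignature)` on the first branch; otherwise align @@ -166 with it. The methods enclosing both loops start and end outside these hunks.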
@@ -309,12 +306,17 @@ if (signdParts.isBody()) { sigParts.add(new WSEncryptionPart(addWsuIdToElement(saaj.getSOAPBody()))); } - - for (Header header : signdParts.getHeaders()) { - WSEncryptionPart wep = new WSEncryptionPart(header.getName(), - header.getNamespace(), - "Content"); - sigParts.add(wep); + if (secTok.getX509Certificate() != null) { + //the "getX509Certificate" this is to workaround an issue in WCF + //In WCF, for TransportBinding, in most cases, it doesn't wan't any of + //the headers signed even if the policy sais so. HOWEVER, for KeyValue + //IssuedTokends, it DOES want them signed + for (Header header : signdParts.getHeaders()) { + WSEncryptionPart wep = new WSEncryptionPart(header.getName(), + header.getNamespace(), + "Content"); + sigParts.add(wep); + } } } 
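Review bot: The new `if (secTok.getX509Certificate() != null)` guard means that when the security token carries only a symmetric secret, the headers the policy lists in `signdParts.getHeaders()` are silently left out of the signature even though the policy asks for them, and this policy-versus-wire deviation is explained only by an inline comment about WCF. Since it narrows what is signed for every peer, not just WCF, it deserves either a configuration switch or at least a Javadoc note on the enclosing method stating that SignedParts headers are skipped for symmetric-key tokens. The inline comment also has several typos; suggested wording: `// Workaround for WCF: with TransportBinding it rejects signed headers even when the policy lists them, except for KeyValue issued tokens (X.509 certificate present), where it requires them.` The enclosing method starts and ends outside the hunk.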
@@ -368,10 +370,26 @@ sig.setCustomTokenValueType(secTok.getTokenType()); sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING); } - sig.setSecretKey(secTok.getSecret()); - sig.setSignatureAlgorithm(algorithmSuite.getAsymmetricSignature()); - sig.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature()); - sig.prepare(doc, getSignatureCrypto(wrapper), secHeader); + Crypto crypto = null; + if (secTok.getSecret() == null) { + sig.setX509Certificate(secTok.getX509Certificate()); + + crypto = secTok.getCrypto(); + String uname = crypto.getKeyStore().getCertificateAlias(secTok.getX509Certificate()); + String password = getPassword(uname, token, WSPasswordCallback.SIGNATURE); + if (password == null) { + password = ""; + } + sig.setUserInfo(uname, password); + sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature()); + } else { + crypto = getSignatureCrypto(wrapper); + sig.setSecretKey(secTok.getSecret()); + sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature()); + } + sig.setSigCanonicalization(binding.getAlgorithmSuite().getInclusiveC14n()); + + sig.prepare(doc, crypto, secHeader); sig.setParts(sigParts); sig.addReferencesToSign(sigParts, secHeader);
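Review bot: In the asymmetric branch `crypto.getKeyStore().getCertificateAlias(secTok.getX509Certificate())` is used without checking its result, so when the token's certificate is not in the keystore `uname` is null and is handed to `getPassword` and `sig.setUserInfo`, and the failure will presumably surface later as an unrelated WSS4J error rather than a clear message; `secTok.getCrypto()` and `getKeyStore()` are likewise dereferenced with no null check. Add a guard right after the alias lookup, e.g. `if (uname == null) { throw new IllegalStateException("issued token certificate has no alias in the signature keystore"); }` (or the exception type the method already declares). The `password == null` to `""` fallback also makes "callback supplied nothing" indistinguishable from "key has an empty password"; a one-line comment stating that this is intentional, or failing instead, would make the intent clear. The enclosing method starts and ends outside the hunk.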