cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dval...@apache.org
Subject svn commit: r990391 - in /cxf/branches/2.2.x-fixes: ./ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/
Date Sat, 28 Aug 2010 16:44:46 GMT
Author: dvaleri
Date: Sat Aug 28 16:44:45 2010
New Revision: 990391

URL: http://svn.apache.org/viewvc?rev=990391&view=rev
Log:
Merged revisions 990386 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/trunk

........
  r990386 | dvaleri | 2010-08-28 11:58:27 -0400 (Sat, 28 Aug 2010) | 1 line
  
  [CXF-2963] Added workaround for WSS-242 to allow compatibility with older versions of CXF.
........

Added:
    cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/wss-242.xml
      - copied unchanged from r990386, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/wss-242.xml
Modified:
    cxf/branches/2.2.x-fixes/   (props changed)
    cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
    cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
    cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java
    cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java

Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sat Aug 28 16:44:45 2010
@@ -1 +1 @@
-/cxf/trunk:989123,989434
+/cxf/trunk:989123,989434,990386

Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java?rev=990391&r1=990390&r2=990391&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
Sat Aug 28 16:44:45 2010
@@ -163,6 +163,8 @@ public class CryptoCoverageChecker exten
             }
         }
         
+        CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encrypted);
+        
         for (XPathExpression xPathExpression : this.xPaths) {
             Collection<WSDataRef> refsToCheck = null;
             

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java?rev=990391&r1=990390&r2=990391&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
Sat Aug 28 16:44:45 2010
@@ -42,6 +42,7 @@ import org.w3c.dom.NodeList;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.helpers.MapNamespaceContext;
 import org.apache.cxf.ws.policy.PolicyConstants;
+import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDataRef;
 import org.apache.ws.security.WSSecurityException;
 
@@ -65,10 +66,10 @@ public final class CryptoCoverageUtil {
      * are resolved to the decrypted element and added to {@code signedRefs}.
      * The original reference to the encrypted content remains unaltered in the
      * list to allow for matching against a requirement that xenc:EncryptedData
-     * elements be signed.
+     * and xenc:EncryptedKey elements be signed.
      * 
      * @param signedRefs references to the signed content in the message
-     * @param encryptedRefs refernces to the encrypted content in the message
+     * @param encryptedRefs references to the encrypted content in the message
      */
     public static void reconcileEncryptedSignedRefs(final Collection<WSDataRef> signedRefs,

             final Collection<WSDataRef> encryptedRefs) {
@@ -76,13 +77,11 @@ public final class CryptoCoverageUtil {
         final List<WSDataRef> encryptedSignedRefs = new LinkedList<WSDataRef>();
         
         for (WSDataRef encryptedRef : encryptedRefs) {
-            final String encryptedRefId = encryptedRef.getWsuId();
             final Iterator<WSDataRef> signedRefsIt = signedRefs.iterator();
             while (signedRefsIt.hasNext()) {
                 final WSDataRef signedRef = signedRefsIt.next();
                 
-                if (signedRef.getWsuId().equals(encryptedRefId)
-                        || signedRef.getWsuId().equals("#" + encryptedRefId)) {
+                if (isSignedEncryptionRef(encryptedRef, signedRef)) {
                     
                     final WSDataRef encryptedSignedRef = 
                         new WSDataRef(signedRef.getDataref());
@@ -105,7 +104,7 @@ public final class CryptoCoverageUtil {
         
         signedRefs.addAll(encryptedSignedRefs);
     }
-    
+
     /**
      * Checks that the references provided refer to the
      * signed/encrypted SOAP body element.
@@ -122,7 +121,7 @@ public final class CryptoCoverageUtil {
      * 
      * @throws WSSecurityException
      *             if there is an error evaluating the coverage or the body is not
-     *             covered by the signture/encryption.
+     *             covered by the signature/encryption.
      */
     public static void checkBodyCoverage(
         SOAPMessage message,
@@ -168,7 +167,7 @@ public final class CryptoCoverageUtil {
      * 
      * @throws WSSecurityException
      *             if there is an error evaluating the coverage or a header is not
-     *             covered by the signture/encryption.
+     *             covered by the signature/encryption.
      */
     public static void checkHeaderCoverage(
             SOAPMessage message,
@@ -225,7 +224,7 @@ public final class CryptoCoverageUtil {
      * 
      * @throws WSSecurityException
      *             if there is an error evaluating an XPath or an element is not
-     *             covered by the signture/encryption.
+     *             covered by the signature/encryption.
      */
     public static void checkCoverage(
             SOAPMessage message,
@@ -260,7 +259,7 @@ public final class CryptoCoverageUtil {
      * 
      * @throws WSSecurityException
      *             if there is an error evaluating an XPath or an element is not
-     *             covered by the signture/encryption.
+     *             covered by the signature/encryption.
      */
     public static void checkCoverage(
             SOAPMessage message,
@@ -318,6 +317,53 @@ public final class CryptoCoverageUtil {
             }
         }
     }
+    
+    /**
+     * Determines if {@code signedRef} points to the encrypted content represented by
+     * {@code encryptedRef} using the following algorithm.
+     *
+     * <ol>
+     * <li>Check that the signed content is an XML Encryption element.</li>
+     * <li>Check that the reference Ids of the signed content and encrypted content
+     * (not the decrypted version of the encrypted content) match.  Check that the
+     * reference Id of the signed content matches the reference Id of the encrypted
+     * content prepended with a #.
+     * <li>Check for other Id attributes on the signed element that may match the
+     * referenced identifier for the encrypted content.  This is a workaround for
+     * WSS-242.</li>
+     * </ol>
+     *
+     * @param encryptedRef the ref representing the encrpted content
+     * @param signedRef the ref representing the signed content
+     */
+    private static boolean isSignedEncryptionRef(WSDataRef encryptedRef, WSDataRef signedRef)
{
+        
+        // Don't even bother if the signed element wasn't an XML Enc element.
+        if (!WSConstants.ENC_NS.equals(signedRef.getProtectedElement()
+                                       .getNamespaceURI())) {
+            return false;
+        }
+        
+        if (signedRef.getWsuId().equals(encryptedRef.getWsuId())
+            || signedRef.getWsuId().equals("#" + encryptedRef.getWsuId())) {
+            return true;
+        }
+        
+        // There should be no other Ids on an EncryptedData or EncryptedKey element;
+        // however, WSS4J will happily add them on the outbound side.  See WSS-242.
+        // The following code looks for the specific behavior that exists in
+        // 1.5.8 and earlier version.
+        
+        String wsuId = signedRef.getProtectedElement().getAttributeNS(
+                WSConstants.WSU_NS, "Id");
+        
+        if (signedRef.getWsuId().equals(wsuId)
+            || signedRef.getWsuId().equals("#" + wsuId)) {
+            return true;
+        }
+        
+        return false;
+    }
 
     private static boolean matchElement(Collection<WSDataRef> refs,
             CoverageType type, CoverageScope scope, Element el) {

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java?rev=990391&r1=990390&r2=990391&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java
Sat Aug 28 16:44:45 2010
@@ -154,6 +154,39 @@ public class CryptoCoverageCheckerTest e
                 true);
     }
     
+    @Test
+    public void testEncryptedSignedWithIncompleteCoverage() throws Exception {
+        this.runInterceptorAndValidate(
+                "encrypted_body_content_signed_missing_signed_header.xml",
+                this.getPrefixes(),
+                Arrays.asList(new XPathExpression(
+                        "//ser:Header", CoverageType.SIGNED, CoverageScope.ELEMENT)),
+                false);
+    }
+    
+    @Test
+    public void testEncryptedSignedWithCompleteCoverage() throws Exception {
+        this.runInterceptorAndValidate(
+                "encrypted_body_content_signed.xml",
+                this.getPrefixes(),
+                Arrays.asList(
+                        new XPathExpression(
+                                "//ser:Header", CoverageType.SIGNED, CoverageScope.ELEMENT),
+                        new XPathExpression(
+                                "//ser:Header", CoverageType.ENCRYPTED, CoverageScope.ELEMENT)),
+                true);
+        
+        this.runInterceptorAndValidate(
+               "wss-242.xml",
+               this.getPrefixes(),
+               Arrays.asList(
+                       new XPathExpression(
+                               "//ser:Header", CoverageType.SIGNED, CoverageScope.ELEMENT),
+                       new XPathExpression(
+                               "//ser:Header", CoverageType.ENCRYPTED, CoverageScope.ELEMENT)),
+               true);
+    }
+    
     private Map<String, String> getPrefixes() {
         final Map<String, String> prefixes = new HashMap<String, String>();
         prefixes.put("ser", "http://www.sdj.pl");

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java?rev=990391&r1=990390&r2=990391&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
Sat Aug 28 16:44:45 2010
@@ -904,7 +904,7 @@ public class PolicyBasedWss4JInOutTest e
     }
     
     /**
-     * Gets a SoapMessage, but with the needed SecurityConstants in the context propreties
+     * Gets a SoapMessage, but with the needed SecurityConstants in the context properties
      * so that it can be passed to PolicyBasedWSS4JOutInterceptor.
      *
      * @see #getSoapMessageForDom(Document, AssertionInfoMap)



Mime
View raw message