From cohei...@apache.org
Subject svn commit: r1176443 - in /cxf/trunk/services/sts/sts-core/src: main/java/org/apache/cxf/sts/token/canceller/ test/java/org/apache/cxf/sts/cache/ test/java/org/apache/cxf/sts/operation/ test/java/org/apache/cxf/sts/token/canceller/
Date Tue, 27 Sep 2011 15:52:05 GMT
Author: coheigea
Date: Tue Sep 27 15:52:05 2011
New Revision: 1176443

URL: http://svn.apache.org/viewvc?rev=1176443&view=rev
Log:
[CXF-3827] - Cancelling a SCT with STS is missing verification of proof of possession key

Modified:
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/TokenCanceller.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/cache/HazelCastTokenStoreTest.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/CancelSCTUnitTest.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/canceller/SCTCancellerTest.java

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java?rev=1176443&r1=1176442&r2=1176443&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
Tue Sep 27 15:52:05 2011
@@ -19,17 +19,27 @@
 
 package org.apache.cxf.sts.token.canceller;
 
+import java.util.Arrays;
+import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.xml.ws.handler.MessageContext;
+
 import org.w3c.dom.Element;
 
 import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.sts.request.ReceivedToken;
 import org.apache.cxf.sts.request.TokenRequirements;
+import org.apache.cxf.ws.security.sts.provider.STSException;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.trust.STSUtils;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
 import org.apache.ws.security.message.token.SecurityContextToken;
 
 /**
@@ -39,6 +49,9 @@ public class SCTCanceller implements Tok
 
     private static final Logger LOG = LogUtils.getL7dLogger(SCTCanceller.class);
     
+    // boolean to enable/disable the check of proof of possession
+    private boolean verifyProofOfPossession = true;
+    
     /**
      * Return true if this TokenValidator implementation is capable of validating the
      * ReceivedToken argument.
@@ -84,6 +97,13 @@ public class SCTCanceller implements Tok
                     LOG.fine("Identifier: " + identifier + " is not found in the cache");
                     return response;
                 }
+                if (verifyProofOfPossession && !matchKey(tokenParameters, token.getSecret()))
{
+                    throw new STSException(
+                        "Failed to verify the proof of possession of the key associated with
the "
+                        + "security context. No matching key found in the request.",
+                        STSException.INVALID_REQUEST
+                    );
+                }
                 tokenParameters.getTokenStore().remove(token);
                 response.setTokenCancelled(true);
             } catch (WSSecurityException ex) {
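Review bot: The new `if (verifyProofOfPossession && !matchKey(tokenParameters, token.getSecret()))` check sits inside a `try` that only catches WSSecurityException, so a NullPointerException raised in `matchKey` when `getWebServiceContext()` or its MessageContext is absent escapes as a raw runtime exception instead of the INVALID_REQUEST STSException the check is meant to produce; the fact that every updated test disables the check suggests such callers exist. Consider failing closed explicitly, e.g. by having `matchKey` return false when the context is null, so the outcome is the same STSException on every negative path. The enclosing cancelToken method starts before this hunk.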
@@ -92,5 +112,37 @@ public class SCTCanceller implements Tok
         }
         return response;
     }
+    
+    private boolean matchKey(TokenCancellerParameters tokenParameters, byte[] secretKey)
{
+        boolean result = false;
+        MessageContext messageContext = tokenParameters.getWebServiceContext().getMessageContext();
+        final List<WSHandlerResult> handlerResults = 
+            CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS));
+
+        if (handlerResults != null && handlerResults.size() > 0) {
+            WSHandlerResult handlerResult = handlerResults.get(0);
+            List<WSSecurityEngineResult> engineResults = handlerResult.getResults();
+
+            for (WSSecurityEngineResult engineResult : engineResults) {
+                Integer action = (Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION);
+                if (action.equals(WSConstants.SIGN)) {
+                    byte[] receivedKey = (byte[])engineResult.get(WSSecurityEngineResult.TAG_SECRET);
+                    if (Arrays.equals(secretKey, receivedKey)) {
+                        LOG.log(
+                            Level.FINE, 
+                            "Verification of the proof of possession of the key associated
with "
+                            + "the security context successful."
+                        );
+                        return true;
+                    }
+                }
+            }
+        }
+
+        return result;
+    }
 
+    public void setVerifyProofOfPossession(boolean verifyProofOfPossession) {
+        this.verifyProofOfPossession = verifyProofOfPossession;
+    }
 }
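Review bot: `matchKey` compares the keys with `Arrays.equals(secretKey, receivedKey)`, which returns true when both arguments are null, so a cached token with no secret would pass proof of possession against a SIGN result that carries no `TAG_SECRET` (which I believe is the case for certificate-based signatures in WSS4J — worth confirming), and it also short-circuits on the first differing byte. I would guard both operands and use the constant-time comparison: `if (secretKey != null && receivedKey != null && MessageDigest.isEqual(secretKey, receivedKey)) {` with `java.security.MessageDigest` imported. The `(Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION)` cast followed by `action.equals(...)` throws NullPointerException if the entry is absent; `Integer.valueOf(WSConstants.SIGN).equals(action)` is null-safe. The local `result` is never assigned and can be replaced by `return false;`, and the method deserves a Javadoc stating that only the first WSHandlerResult in RECV_RESULTS is inspected and that it returns true only when a SIGN result's secret equals the token's secret.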

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/TokenCanceller.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/TokenCanceller.java?rev=1176443&r1=1176442&r2=1176443&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/TokenCanceller.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/TokenCanceller.java
Tue Sep 27 15:52:05 2011
@@ -29,6 +29,11 @@ import org.apache.cxf.sts.request.Receiv
 public interface TokenCanceller {
 
     /**
+     * boolean for enabling/disabling verification of proof of possession.
+     */
+    void setVerifyProofOfPossession(boolean verifyProofOfPossession);
+    
+    /**
      * Return true if this TokenCanceller implementation is able to cancel a token
      * that corresponds to the given token.
      */
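Review bot: The Javadoc on the new `setVerifyProofOfPossession` reads as a field description ("boolean for enabling/disabling ...") rather than a method contract, and it does not say what the check protects or what the default is. I would write it as `/** Enable or disable verification that the caller possesses the key associated with the token before it is cancelled; SCTCanceller enables this check by default. */`. Adding an abstract method to this published interface also breaks any external TokenCanceller implementation at compile time, which the commit log does not mention.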

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/cache/HazelCastTokenStoreTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/cache/HazelCastTokenStoreTest.java?rev=1176443&r1=1176442&r2=1176443&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/cache/HazelCastTokenStoreTest.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/cache/HazelCastTokenStoreTest.java
Tue Sep 27 15:52:05 2011
@@ -32,12 +32,12 @@ public class HazelCastTokenStoreTest ext
     
     // tests STSCache apis for storing in the cache.
     @org.junit.Test
-    @org.junit.Ignore
     public void testCacheStore() throws Exception {
         String key = "key";
         SecurityToken token = new SecurityToken(key);
         store.add(token);
-        assertEquals(token, store.getToken(key));
+        SecurityToken cachedToken = store.getToken(key);
+        assertEquals(token.getId(), cachedToken.getId());
         store.remove(token);
         assertNull(store.getToken(key));
         store.add(token, new Integer(1));
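Review bot: The assertion at `assertEquals(token.getId(), cachedToken.getId())` now checks only the id of the token returned by the store, while the SCTCanceller change in this commit relies on `token.getSecret()` of the cached token, so this test no longer demonstrates that the secret survives the round trip (presumably the token is serialized by Hazelcast, which is why the object-equality assertion was dropped). I would add `assertArrayEquals(token.getSecret(), cachedToken.getSecret());` beside it, after setting a secret on the token if `new SecurityToken(key)` leaves it null. The testCacheStore method continues past the end of this hunk.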
@@ -48,7 +48,6 @@ public class HazelCastTokenStoreTest ext
     
     // tests STSCache apis for removing from the cache.
     @org.junit.Test
-    @org.junit.Ignore
     public void testCacheRemove() {
         SecurityToken token1 = new SecurityToken("token1");
         SecurityToken token2 = new SecurityToken("token2");

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/CancelSCTUnitTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/CancelSCTUnitTest.java?rev=1176443&r1=1176442&r2=1176443&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/CancelSCTUnitTest.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/CancelSCTUnitTest.java
Tue Sep 27 15:52:05 2011
@@ -80,7 +80,9 @@ public class CancelSCTUnitTest extends o
         
         // Add Token Canceller
         List<TokenCanceller> cancellerList = new ArrayList<TokenCanceller>();
-        cancellerList.add(new SCTCanceller());
+        TokenCanceller sctCanceller = new SCTCanceller();
+        sctCanceller.setVerifyProofOfPossession(false);
+        cancellerList.add(sctCanceller);
         cancelOperation.setTokenCancellers(cancellerList);
         
         // Add STSProperties object
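Review bot: The updated tests here and in SCTCancellerTest all turn the new check off with `setVerifyProofOfPossession(false)`, so the proof-of-possession path added to SCTCanceller in this commit is never exercised: nothing verifies that a cancel with a matching key succeeds or that one with a wrong or missing key is rejected with INVALID_REQUEST. A regression that makes `matchKey` always return true or always return false would go unnoticed. A test could place a `WSHandlerConstants.RECV_RESULTS` list in the MessageContext holding a WSSecurityEngineResult with `TAG_ACTION` set to `WSConstants.SIGN` and the token's secret under `TAG_SECRET`, plus a second case with a different secret that expects the STSException.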

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/canceller/SCTCancellerTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/canceller/SCTCancellerTest.java?rev=1176443&r1=1176442&r2=1176443&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/canceller/SCTCancellerTest.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/canceller/SCTCancellerTest.java
Tue Sep 27 15:52:05 2011
@@ -59,6 +59,7 @@ public class SCTCancellerTest extends or
     @org.junit.Test
     public void testCancelToken() throws Exception {
         TokenCanceller sctCanceller = new SCTCanceller();
+        sctCanceller.setVerifyProofOfPossession(false);
         TokenCancellerParameters cancellerParameters = createCancellerParameters();
         TokenRequirements tokenRequirements = cancellerParameters.getTokenRequirements();
         
@@ -85,6 +86,7 @@ public class SCTCancellerTest extends or
     @org.junit.Test
     public void testCancelInvalidToken() throws Exception {
         TokenCanceller sctCanceller = new SCTCanceller();
+        sctCanceller.setVerifyProofOfPossession(false);
         TokenCancellerParameters cancellerParameters = createCancellerParameters();
         TokenRequirements tokenRequirements = cancellerParameters.getTokenRequirements();
         


