cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1424856 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/ systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/ systests/ws-secu...
Date Fri, 21 Dec 2012 10:42:08 GMT
Author: coheigea
Date: Fri Dec 21 10:42:07 2012
New Revision: 1424856

URL: http://svn.apache.org/viewvc?rev=1424856&view=rev
Log:
[CXF-4718] - UsernameTokenInterceptor is not caching nonces

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java?rev=1424856&r1=1424855&r2=1424856&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
Fri Dec 21 10:42:07 2012
@@ -63,6 +63,7 @@ import org.apache.ws.security.WSSConfig;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.WSUsernameTokenPrincipal;
+import org.apache.ws.security.cache.ReplayCache;
 import org.apache.ws.security.handler.RequestData;
 import org.apache.ws.security.handler.WSHandlerConstants;
 import org.apache.ws.security.handler.WSHandlerResult;
@@ -189,6 +190,14 @@ public class UsernameTokenInterceptor ex
                     return (Validator)validator;
                 }
             };
+            
+            // Configure replay caching
+            ReplayCache nonceCache = 
+                WSS4JUtils.getReplayCache(
+                    message, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
+                );
+            data.setNonceReplayCache(nonceCache);
+            
             WSSConfig config = WSSConfig.getNewInstance();
             config.setWsiBSPCompliant(bspCompliant);
             data.setWssConfig(config);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1424856&r1=1424855&r2=1424856&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Fri Dec 21 10:42:07 2012
@@ -62,10 +62,8 @@ import org.apache.cxf.message.MessageUti
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.phase.PhaseInterceptor;
 import org.apache.cxf.security.SecurityContext;
-import org.apache.cxf.service.model.EndpointInfo;
 import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.cache.ReplayCacheFactory;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.ws.security.CustomTokenPrincipal;
@@ -739,44 +737,9 @@ public class WSS4JInInterceptor extends 
     protected ReplayCache getReplayCache(
         SoapMessage message, String booleanKey, String instanceKey
     ) {
-        boolean specified = false;
-        Object o = message.getContextualProperty(booleanKey);
-        if (o != null) {
-            if (!MessageUtils.isTrue(o)) {
-                return null;
-            }
-            specified = true;
-        }
-
-        if (!specified && MessageUtils.isRequestor(message)) {
-            return null;
-        }
-        Endpoint ep = message.getExchange().get(Endpoint.class);
-        if (ep != null && ep.getEndpointInfo() != null) {
-            EndpointInfo info = ep.getEndpointInfo();
-            synchronized (info) {
-                ReplayCache replayCache = 
-                        (ReplayCache)message.getContextualProperty(instanceKey);
-                if (replayCache == null) {
-                    replayCache = (ReplayCache)info.getProperty(instanceKey);
-                }
-                if (replayCache == null) {
-                    ReplayCacheFactory replayCacheFactory = ReplayCacheFactory.newInstance();
-                    String cacheKey = instanceKey;
-                    if (info.getName() != null) {
-                        cacheKey += "-" + info.getName().toString().hashCode();
-                    }
-                    replayCache = replayCacheFactory.newReplayCache(cacheKey, message);
-                    info.setProperty(instanceKey, replayCache);
-                }
-                return replayCache;
-            }
-        }
-        return null;
+        return WSS4JUtils.getReplayCache(message, booleanKey, instanceKey);
     }
 
-
-
     /**
      * Create a SoapFault from a WSSecurityException, following the SOAP Message Security
      * 1.1 specification, chapter 12 "Error Handling".

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java?rev=1424856&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
Fri Dec 21 10:42:07 2012
@@ -0,0 +1,89 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.wss4j;
+
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.endpoint.Endpoint;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.service.model.EndpointInfo;
+import org.apache.cxf.ws.security.cache.ReplayCacheFactory;
+import org.apache.ws.security.cache.ReplayCache;
+
+/**
+ * Some common functionality that can be shared between the WSS4JInInterceptor and the
+ * UsernameTokenInterceptor.
+ */
+public final class WSS4JUtils {
+
+    private WSS4JUtils() {
+        // complete
+    }
+
+    /**
+     * Get a ReplayCache instance. It first checks to see whether caching has been explicitly

+     * enabled or disabled via the booleanKey argument. If it has been set to false then
no
+     * replay caching is done (for this booleanKey). If it has not been specified, then caching
+     * is enabled only if we are not the initiator of the exchange. If it has been specified,
then
+     * caching is enabled.
+     * 
+     * It tries to get an instance of ReplayCache via the instanceKey argument from a 
+     * contextual property, and failing that the message exchange. If it can't find any,
then it
+     * defaults to using an EH-Cache instance and stores that on the message exchange.
+     */
+    public static ReplayCache getReplayCache(
+        SoapMessage message, String booleanKey, String instanceKey
+    ) {
+        boolean specified = false;
+        Object o = message.getContextualProperty(booleanKey);
+        if (o != null) {
+            if (!MessageUtils.isTrue(o)) {
+                return null;
+            }
+            specified = true;
+        }
+
+        if (!specified && MessageUtils.isRequestor(message)) {
+            return null;
+        }
+        Endpoint ep = message.getExchange().get(Endpoint.class);
+        if (ep != null && ep.getEndpointInfo() != null) {
+            EndpointInfo info = ep.getEndpointInfo();
+            synchronized (info) {
+                ReplayCache replayCache = 
+                        (ReplayCache)message.getContextualProperty(instanceKey);
+                if (replayCache == null) {
+                    replayCache = (ReplayCache)info.getProperty(instanceKey);
+                }
+                if (replayCache == null) {
+                    ReplayCacheFactory replayCacheFactory = ReplayCacheFactory.newInstance();
+                    String cacheKey = instanceKey;
+                    if (info.getName() != null) {
+                        cacheKey += "-" + info.getName().toString().hashCode();
+                    }
+                    replayCache = replayCacheFactory.newReplayCache(cacheKey, message);
+                    info.setProperty(instanceKey, replayCache);
+                }
+                return replayCache;
+            }
+        }
+        return null;
+    }
+
+
+}

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java?rev=1424856&r1=1424855&r2=1424856&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
Fri Dec 21 10:42:07 2012
@@ -283,4 +283,43 @@ public class UsernameTokenTest extends A
         bus.shutdown(true);
     }
     
+    // In this test, the service is using the UsernameTokenInterceptor, but the
+    // client is using the WSS4JOutInterceptor
+    @org.junit.Test
+    public void testPasswordHashedNoBindingReplay() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = UsernameTokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = UsernameTokenTest.class.getResource("DoubleItUt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        
+        QName portQName = new QName(NAMESPACE, "DoubleItDigestNoBindingPort");
+        DoubleItPortType utPort = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(utPort, PORT);
+        
+        Client cxfClient = ClientProxy.getClient(utPort);
+        SecurityHeaderCacheInterceptor cacheInterceptor =
+            new SecurityHeaderCacheInterceptor();
+        cxfClient.getOutInterceptors().add(cacheInterceptor);
+        
+        // Make two invocations with the same UsernameToken
+        utPort.doubleIt(25);
+        try {
+            utPort.doubleIt(25);
+            fail("Failure expected on a replayed UsernameToken");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            String error = "A replay attack has been detected";
+            assertTrue(ex.getMessage().contains(error));
+        }
+        
+        ((java.io.Closeable)utPort).close();
+        bus.shutdown(true);
+    }
+    
 }

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl?rev=1424856&r1=1424855&r2=1424856&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl
Fri Dec 21 10:42:07 2012
@@ -179,6 +179,22 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItInlinePolicyBinding2" type="tns:DoubleItPortType">
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
     
     <wsdl:service name="DoubleItService">
         <wsdl:port name="DoubleItPlaintextPort" binding="tns:DoubleItPlaintextBinding">
@@ -205,6 +221,9 @@
         <wsdl:port name="DoubleItInlinePolicyPort" binding="tns:DoubleItInlinePolicyBinding">
             <soap:address location="https://localhost:9009/DoubleItUTInlinePolicy" />
         </wsdl:port>
+        <wsdl:port name="DoubleItDigestNoBindingPort" binding="tns:DoubleItInlinePolicyBinding2">
+            <soap:address location="https://localhost:9009/DoubleItUTDigestNoBinding"
/>
+        </wsdl:port>
     </wsdl:service>
 
     <wsp:Policy wsu:Id="DoubleItPlaintextPolicy">
@@ -493,7 +512,7 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
-
+    
     <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
       <wsp:ExactlyOne>
          <wsp:All>

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml?rev=1424856&r1=1424855&r2=1424856&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml
Fri Dec 21 10:42:07 2012
@@ -179,4 +179,63 @@
      
     </jaxws:client>
     
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItDigestNoBindingPort"

+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.username" value="Alice"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+       </jaxws:properties>
+       <jaxws:features>
+         <p:policies>
+            <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy">
+                <wsp:ExactlyOne>
+                    <wsp:All>
+                        <wsp:Policy wsu:Id="NoUsernameToken"
+                            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+                            xmlns:wsp="http://www.w3.org/ns/ws-policy"
+                            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                            <wsp:ExactlyOne>
+                                <wsp:All>
+                                    <sp:TransportBinding>
+                                       <wsp:Policy>
+                                          <sp:TransportToken>
+                                             <wsp:Policy>
+                                                <sp:HttpsToken>
+                                                    <wsp:Policy/>
+                                                </sp:HttpsToken>
+                                             </wsp:Policy>
+                                          </sp:TransportToken>
+                                          <sp:Layout>
+                                             <wsp:Policy>
+                                                <sp:Lax />
+                                             </wsp:Policy>
+                                           </sp:Layout>
+                                           <sp:AlgorithmSuite>
+                                              <wsp:Policy>
+                                                 <sp:Basic128 />
+                                              </wsp:Policy>
+                                          </sp:AlgorithmSuite>
+                                        </wsp:Policy>
+                                    </sp:TransportBinding>
+                                    <sp:SupportingTokens>
+                                        <wsp:Policy>
+                                            <sp:UsernameToken
+                                               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                              <wsp:Policy>
+                                                <sp:HashPassword/>
+                                              </wsp:Policy>
+                                            </sp:UsernameToken>
+                                        </wsp:Policy>
+                                    </sp:SupportingTokens>
+                                </wsp:All>
+                            </wsp:ExactlyOne>
+                        </wsp:Policy>
+                    </wsp:All>
+                </wsp:ExactlyOne>
+            </wsp:Policy>
+          </p:policies>
+        </jaxws:features>
+    </jaxws:client>
+    
 </beans>

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml?rev=1424856&r1=1424855&r2=1424856&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
Fri Dec 21 10:42:07 2012
@@ -260,4 +260,45 @@
      
     </jaxws:endpoint> 
     
+     <jaxws:endpoint 
+       id="HashedNoBinding"
+       address="https://localhost:${testutil.ports.Server}/DoubleItUTDigestNoBinding" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItDigestNoBindingPort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/ut/DoubleItUt.wsdl"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+       </jaxws:properties> 
+       <jaxws:features>
+         <p:policies>
+            <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy">
+                <wsp:ExactlyOne>
+                    <wsp:All>
+                        <wsp:Policy>
+                          <sp:SupportingTokens
+                            xmlns:wsp="http://www.w3.org/ns/ws-policy"
+                            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                            <wsp:Policy>
+                              <sp:UsernameToken
+                                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                <wsp:Policy>
+                                  <sp:HashPassword/>
+                                </wsp:Policy>
+                              </sp:UsernameToken>
+                            </wsp:Policy>
+                          </sp:SupportingTokens>
+                        </wsp:Policy>
+                    </wsp:All>
+                </wsp:ExactlyOne>
+            </wsp:Policy>
+          </p:policies>
+        </jaxws:features>
+     
+    </jaxws:endpoint> 
+    
 </beans>



Mime
View raw message