Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0C7B1DAA6 for ; Thu, 23 May 2013 13:18:36 +0000 (UTC) Received: (qmail 50283 invoked by uid 500); 23 May 2013 13:18:35 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 50220 invoked by uid 500); 23 May 2013 13:18:35 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 50213 invoked by uid 99); 23 May 2013 13:18:35 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 23 May 2013 13:18:35 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 23 May 2013 13:18:32 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id D518F2388ADA; Thu, 23 May 2013 13:17:48 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1485693 [6/14] - in /cxf/trunk: ./ distribution/src/main/release/samples/sts/src/main/java/demo/wssec/client/ distribution/src/main/release/samples/sts/src/main/java/demo/wssec/server/ distribution/src/main/release/samples/sts/src/main/jav... Date: Thu, 23 May 2013 13:17:32 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130523131748.D518F2388ADA@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java Thu May 23 13:17:26 2013
@@ -42,24 +42,29 @@ import org.apache.cxf.security.SecurityC import org.apache.cxf.ws.policy.AssertionInfo; import org.apache.cxf.ws.policy.AssertionInfoMap; import org.apache.cxf.ws.security.SecurityConstants; -import org.apache.cxf.ws.security.policy.SP12Constants; -import org.apache.cxf.ws.security.policy.SPConstants; -import org.apache.cxf.ws.security.policy.model.SupportingToken; -import org.apache.cxf.ws.security.policy.model.UsernameToken; -import org.apache.ws.security.WSConstants; -import org.apache.ws.security.WSDocInfo; -import org.apache.ws.security.WSPasswordCallback; -import org.apache.ws.security.WSSConfig; -import org.apache.ws.security.WSSecurityEngineResult; -import org.apache.ws.security.WSSecurityException; -import org.apache.ws.security.WSUsernameTokenPrincipal; -import org.apache.ws.security.cache.ReplayCache; -import org.apache.ws.security.handler.RequestData; -import org.apache.ws.security.handler.WSHandlerConstants; -import org.apache.ws.security.handler.WSHandlerResult; -import org.apache.ws.security.message.WSSecUsernameToken; -import org.apache.ws.security.processor.UsernameTokenProcessor; -import org.apache.ws.security.validate.Validator; +import org.apache.wss4j.common.cache.ReplayCache; +import org.apache.wss4j.common.ext.WSPasswordCallback; +import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.common.principal.UsernameTokenPrincipal; +import org.apache.wss4j.common.principal.WSUsernameTokenPrincipalImpl; +import org.apache.wss4j.dom.WSConstants; +import org.apache.wss4j.dom.WSDocInfo; +import org.apache.wss4j.dom.WSSConfig; +import org.apache.wss4j.dom.WSSecurityEngineResult; +import org.apache.wss4j.dom.bsp.BSPEnforcer; +import org.apache.wss4j.dom.handler.RequestData; +import org.apache.wss4j.dom.handler.WSHandlerConstants; +import org.apache.wss4j.dom.handler.WSHandlerResult; +import org.apache.wss4j.dom.message.WSSecUsernameToken; +import org.apache.wss4j.dom.processor.UsernameTokenProcessor; +import 
org.apache.wss4j.dom.validate.Validator; +import org.apache.wss4j.policy.SP13Constants; +import org.apache.wss4j.policy.SPConstants; +import org.apache.wss4j.policy.model.AbstractSecurityAssertion; +import org.apache.wss4j.policy.model.SupportingTokens; +import org.apache.wss4j.policy.model.UsernameToken; +import org.apache.xml.security.exceptions.Base64DecodingException; +import org.apache.xml.security.utils.Base64; /** * @@ -81,7 +86,7 @@ public class UsernameTokenInterceptor ex if (SPConstants.USERNAME_TOKEN.equals(child.getLocalName()) && WSConstants.WSSE_NS.equals(child.getNamespaceURI())) { try { - final WSUsernameTokenPrincipal princ = getPrincipal(child, message); + final UsernameTokenPrincipal princ = getPrincipal(child, message); if (princ != null) { Listv = new ArrayList(); int action = WSConstants.UT; @@ -103,8 +108,12 @@ public class UsernameTokenInterceptor ex SecurityContext sc = message.get(SecurityContext.class); if (sc == null || sc.getUserPrincipal() == null) { + String nonce = null; + if (princ.getNonce() != null) { + nonce = Base64.encode(princ.getNonce()); + } Subject subject = createSubject(princ.getName(), princ.getPassword(), - princ.isPasswordDigest(), princ.getNonce(), princ.getCreatedTime()); + princ.isPasswordDigest(), nonce, princ.getCreatedTime()); message.put(SecurityContext.class, createSecurityContext(princ, subject)); } @@ -112,14 +121,16 @@ public class UsernameTokenInterceptor ex } } catch (WSSecurityException ex) { throw new Fault(ex); + } catch (Base64DecodingException ex) { + throw new Fault(ex); } } child = DOMUtils.getNextElement(child); } } - protected WSUsernameTokenPrincipal getPrincipal(Element tokenElement, final SoapMessage message) - throws WSSecurityException { + protected UsernameTokenPrincipal getPrincipal(Element tokenElement, final SoapMessage message) + throws WSSecurityException, Base64DecodingException { boolean bspCompliant = isWsiBSPCompliant(message); boolean utWithCallbacks = 
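Review bot: The nonce string handed to createSubject on the new lines is produced by Santuario's `Base64.encode`, while the same principal's nonce is encoded with CXF's `Base64Utility.encode` in the WSS4JTokenConverter hunk further down; the two encoders are not guaranteed to emit identical strings for the same byte[] (the Santuario one line-wraps long output), so the Subject and the cached UsernameToken can disagree. For nonces of the usual size this will rarely bite, but anything that recomputes a password digest from these strings depends on them matching the wire form byte-for-byte, and the wire form is decoded by yet another path in parseTokenAndCreatePrincipal. Using one codec at both call sites, or a small shared helper that does the null check and encoding, removes the ambiguity. The enclosing try block and method start before this hunk.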
@@ -150,26 +161,31 @@ public class UsernameTokenInterceptor ex
 data.setNonceReplayCache(nonceCache);
 WSSConfig config = WSSConfig.getNewInstance();
- config.setWsiBSPCompliant(bspCompliant);
 config.setAllowUsernameTokenNoPassword(allowNoPassword);
 data.setWssConfig(config);
+ if (!bspCompliant) {
+ data.setDisableBSPEnforcement(true);
+ }
 List results = p.handleToken(tokenElement, data, wsDocInfo);
- return (WSUsernameTokenPrincipal)results.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ return (UsernameTokenPrincipal)results.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
 } else {
- WSUsernameTokenPrincipal principal = parseTokenAndCreatePrincipal(tokenElement, bspCompliant);
+ UsernameTokenPrincipal principal = parseTokenAndCreatePrincipal(tokenElement, bspCompliant);
 WSS4JTokenConverter.convertToken(message, principal);
 return principal;
 }
 }
- protected WSUsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement, boolean bspCompliant)
- throws WSSecurityException {
- org.apache.ws.security.message.token.UsernameToken ut =
- new org.apache.ws.security.message.token.UsernameToken(tokenElement, false, bspCompliant);
+ protected UsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement, boolean bspCompliant)
+ throws WSSecurityException, Base64DecodingException {
+ BSPEnforcer bspEnforcer = new BSPEnforcer(!bspCompliant);
+ org.apache.wss4j.dom.message.token.UsernameToken ut =
+ new org.apache.wss4j.dom.message.token.UsernameToken(tokenElement, false, bspEnforcer);
- WSUsernameTokenPrincipal principal = new WSUsernameTokenPrincipal(ut.getName(), ut.isHashed());
- principal.setNonce(ut.getNonce());
+ WSUsernameTokenPrincipalImpl principal = new WSUsernameTokenPrincipalImpl(ut.getName(), ut.isHashed());
+ if (ut.getNonce() != null) {
+ principal.setNonce(Base64.decode(ut.getNonce()));
+ }
 principal.setPassword(ut.getPassword());
 principal.setCreatedTime(ut.getCreated());
 principal.setPasswordType(ut.getPasswordType());
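Review bot: The Basic Security Profile handling on the new `if (!bspCompliant)` lines and in `new BSPEnforcer(!bspCompliant)` is undocumented, and the two sites are easy to read as unrelated: both branches of getPrincipal (whose signature is in the preceding hunk) switch off wss4j's BSP conformance checks for the parsed UsernameToken when the message is not marked BSP-compliant, which is the lenient path that accepts tokens a compliant deployment would reject. A one-line comment at each site, such as `// Non-BSP mode: skip the BSP conformance checks wss4j would otherwise apply to this token`, makes the shared intent visible to the next maintainer. Note also that `results.get(0)` is still unguarded; that is pre-existing, but a comment stating that handleToken is expected to return at least one result would help.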
@@ -184,12 +200,12 @@ public class UsernameTokenInterceptor ex
 }
 private boolean isAllowNoPassword(AssertionInfoMap aim) throws WSSecurityException {
- Collection ais = aim.get(SP12Constants.USERNAME_TOKEN);
+ Collection ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
- if (ais != null && !ais.isEmpty()) {
+ if (!ais.isEmpty()) {
 for (AssertionInfo ai : ais) {
 UsernameToken policy = (UsernameToken)ai.getAssertion();
- if (policy.isNoPassword()) {
+ if (policy.getPasswordType() == UsernameToken.PasswordType.NoPassword) {
 return true;
 }
 }
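Review bot: The new `if (!ais.isEmpty())` in isAllowNoPassword is redundant, because the for loop over an empty collection is already a no-op, and it drops the `ais != null` guard the old line had; if getAllAssertionsByLocalname (defined outside this hunk) can ever return null, this now throws NullPointerException instead of returning false. Either keep the null check or drop the guard and iterate directly: `for (AssertionInfo ai : getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN)) {`. The unconditional `(UsernameToken)` cast also now applies to every assertion matched by local name rather than by the SP12 QName; presumably the helper only returns UsernameToken assertions, but that is worth confirming. The method's tail is outside the hunk.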
@@ -223,37 +239,62 @@ public class UsernameTokenInterceptor ex
 }
 protected UsernameToken assertTokens(SoapMessage message) {
- return (UsernameToken)assertTokens(message, SP12Constants.USERNAME_TOKEN, true);
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
+ assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
+ assertPolicy(aim, SPConstants.HASH_PASSWORD);
+ assertPolicy(aim, SPConstants.NO_PASSWORD);
+ assertPolicy(aim, SP13Constants.NONCE);
+ assertPolicy(aim, SP13Constants.CREATED);
+
+ return (UsernameToken)assertTokens(message, SPConstants.USERNAME_TOKEN, true);
 }
 private UsernameToken assertTokens(
 SoapMessage message,
- WSUsernameTokenPrincipal princ,
+ UsernameTokenPrincipal princ,
 boolean signed
 ) {
 AssertionInfoMap aim = message.get(AssertionInfoMap.class);
- Collection ais = aim.getAssertionInfo(SP12Constants.USERNAME_TOKEN);
+ Collection ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
 UsernameToken tok = null;
 for (AssertionInfo ai : ais) {
 tok = (UsernameToken)ai.getAssertion();
- if (princ != null && tok.isHashPassword() != princ.isPasswordDigest()) {
+ ai.setAsserted(true);
+ if ((tok.getPasswordType() == UsernameToken.PasswordType.HashPassword)
+ && (princ == null || !princ.isPasswordDigest())) {
 ai.setNotAsserted("Password hashing policy not enforced");
- } else if (princ != null && !tok.isNoPassword() && (princ.getPassword() == null)
- && isNonEndorsingSupportingToken(tok)) {
+ } else {
+ assertPolicy(aim, SPConstants.HASH_PASSWORD);
+ }
+
+ if ((tok.getPasswordType() != UsernameToken.PasswordType.NoPassword)
+ && isNonEndorsingSupportingToken(tok)
+ && (princ == null || princ.getPassword() == null)) {
 ai.setNotAsserted("Username Token No Password supplied");
 } else {
- ai.setAsserted(true);
+ assertPolicy(aim, SPConstants.NO_PASSWORD);
+ }
+
+ if (tok.isCreated() && princ.getCreatedTime() == null) {
+ ai.setNotAsserted("No Created Time");
+ } else {
+ 
assertPolicy(aim, SP13Constants.CREATED);
+ }
+
+ if (tok.isNonce() && princ.getNonce() == null) {
+ ai.setNotAsserted("No Nonce");
+ } else {
+ assertPolicy(aim, SP13Constants.NONCE);
 }
 }
- ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
+
+ assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
+ assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
+ assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
+ if (signed || isTLSInUse(message)) {
- ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
- for (AssertionInfo ai : ais) {
- ai.setAsserted(true);
- }
+ assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
 }
 return tok;
 }
@@ -263,19 +304,14 @@ public class UsernameTokenInterceptor ex
 * true then the corresponding UsernameToken must have a password element.
 */
 private boolean isNonEndorsingSupportingToken(
- org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy
+ org.apache.wss4j.policy.model.UsernameToken usernameTokenPolicy
 ) {
- SupportingToken supportingToken = usernameTokenPolicy.getSupportingToken();
- if (supportingToken != null) {
- SPConstants.SupportTokenType type = supportingToken.getTokenType();
- if (type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SUPPORTING
- || type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED
- || type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENCRYPTED
- || type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENCRYPTED) {
- return true;
- }
+ AbstractSecurityAssertion supportingToken = usernameTokenPolicy.getParentAssertion();
+ if (supportingToken instanceof SupportingTokens
+ && ((SupportingTokens)supportingToken).isEndorsing()) {
+ return false;
 }
- return false;
+ return true;
 }
 protected void addToken(SoapMessage message) {
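Review bot: The new Created and Nonce checks in the private assertTokens dereference `princ` unconditionally (`princ.getCreatedTime()`, `princ.getNonce()`) although the two conditions just above them explicitly handle `princ == null`; with a null principal and a policy that requires Created or Nonce this path now throws NullPointerException instead of marking the assertion not asserted. Guarding them the same way, `if (tok.isCreated() && (princ == null || princ.getCreatedTime() == null))` and `if (tok.isNonce() && (princ == null || princ.getNonce() == null))`, keeps the four checks consistent and fails closed. The ordering of `ai.setAsserted(true)` up front followed by per-check setNotAsserted is correct as far as I can see (a later passing check does not re-assert), but it deserves a one-line comment, e.g. `// Assert up front; any failing check below clears it with a reason and no later check re-asserts`. This hunk starts on the previous line.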
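Review bot: The rewritten isNonEndorsingSupportingToken inverts the default: a UsernameToken assertion whose parent is absent or is not a SupportingTokens now returns true (a password is required), where the old code returned false for the same input. That is the safer direction, but it is a behaviour change the commit description does not mention, and the Javadoc above the method (partly outside this hunk) still describes the old positive list of supporting-token kinds; it should say that only a token nested in an endorsing SupportingTokens assertion is exempt, e.g. `Returns false only when the token's parent is an endorsing SupportingTokens assertion; any other parent, or none, is treated as non-endorsing.`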
@@ -286,7 +322,8 @@ public class UsernameTokenInterceptor ex addUsernameToken(message, tok); if (utBuilder == null) { AssertionInfoMap aim = message.get(AssertionInfoMap.class); - Collection ais = aim.getAssertionInfo(SP12Constants.USERNAME_TOKEN); + Collection ais = + getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN); for (AssertionInfo ai : ais) { if (ai.isAsserted()) { ai.setAsserted(false); @@ -309,7 +346,7 @@ public class UsernameTokenInterceptor ex if (!StringUtils.isEmpty(userName)) { // If NoPassword property is set we don't need to set the password - if (token.isNoPassword()) { + if (token.getPasswordType() == UsernameToken.PasswordType.NoPassword) { WSSecUsernameToken utBuilder = new WSSecUsernameToken(wssConfig); utBuilder.setUserInfo(userName, null); utBuilder.setPasswordType(null); 
@@ -318,13 +355,13 @@ public class UsernameTokenInterceptor ex String password = (String)message.getContextualProperty(SecurityConstants.PASSWORD); if (StringUtils.isEmpty(password)) { - password = getPassword(userName, token, WSPasswordCallback.USERNAME_TOKEN, message); + password = getPassword(userName, token, WSPasswordCallback.Usage.USERNAME_TOKEN, message); } if (!StringUtils.isEmpty(password)) { //If the password is available then build the token WSSecUsernameToken utBuilder = new WSSecUsernameToken(wssConfig); - if (token.isHashPassword()) { + if (token.getPasswordType() == UsernameToken.PasswordType.HashPassword) { utBuilder.setPasswordType(WSConstants.PASSWORD_DIGEST); } else { utBuilder.setPasswordType(WSConstants.PASSWORD_TEXT); Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Thu May 23 13:17:26 2013 @@ -20,8 +20,8 @@ package org.apache.cxf.ws.security.wss4j import java.io.IOException; import java.security.Principal; +import java.security.cert.Certificate; import java.util.ArrayList; -import java.util.Collection; import java.util.HashMap; import java.util.HashSet; import java.util.List; 
@@ -63,30 +63,30 @@ import org.apache.cxf.interceptor.securi import org.apache.cxf.interceptor.security.SAMLSecurityContext; import org.apache.cxf.message.MessageUtils; import org.apache.cxf.phase.Phase; -import org.apache.cxf.phase.PhaseInterceptor; import org.apache.cxf.security.SecurityContext; +import org.apache.cxf.security.transport.TLSSessionInfo; import org.apache.cxf.staxutils.StaxUtils; import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.tokenstore.SecurityToken; import org.apache.cxf.ws.security.tokenstore.TokenStore; -import org.apache.ws.security.CustomTokenPrincipal; -import org.apache.ws.security.WSConstants; -import org.apache.ws.security.WSDerivedKeyTokenPrincipal; -import org.apache.ws.security.WSPasswordCallback; -import org.apache.ws.security.WSSConfig; -import org.apache.ws.security.WSSecurityEngine; -import org.apache.ws.security.WSSecurityEngineResult; -import org.apache.ws.security.WSSecurityException; -import org.apache.ws.security.cache.ReplayCache; -import org.apache.ws.security.components.crypto.Crypto; -import org.apache.ws.security.handler.RequestData; -import org.apache.ws.security.handler.WSHandlerConstants; -import org.apache.ws.security.handler.WSHandlerResult; -import org.apache.ws.security.message.token.SecurityTokenReference; -import org.apache.ws.security.processor.Processor; -import org.apache.ws.security.util.WSSecurityUtil; -import org.apache.ws.security.validate.NoOpValidator; -import org.apache.ws.security.validate.Validator; +import org.apache.wss4j.common.cache.ReplayCache; +import org.apache.wss4j.common.crypto.Crypto; +import org.apache.wss4j.common.ext.WSPasswordCallback; +import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.common.principal.CustomTokenPrincipal; +import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal; +import org.apache.wss4j.dom.WSConstants; +import org.apache.wss4j.dom.WSSConfig; +import 
org.apache.wss4j.dom.WSSecurityEngine;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.message.token.SecurityTokenReference;
+import org.apache.wss4j.dom.processor.Processor;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.dom.validate.NoOpValidator;
+import org.apache.wss4j.dom.validate.Validator;
 /** * Performs WS-Security inbound actions.
@@ -144,16 +144,6 @@ public class WSS4JInInterceptor extends
 secEngineOverride = createSecurityEngine(validatorMap);
 }
 }
-
- @Override
- public Collection>
- getAdditionalInterceptors() {
- List> extras
- = new ArrayList>(1);
- extras.add(SAAJInInterceptor.SAAJPreInInterceptor.INSTANCE);
- return extras;
- }
-
 public void setIgnoreActions(boolean i) {
 ignoreActions = i;
@@ -239,11 +229,6 @@ public class WSS4JInInterceptor extends
 reqData.setCallbackHandler(getCallback(reqData, doAction, utWithCallbacks));
- String passwordTypeStrict = (String)getOption(WSHandlerConstants.PASSWORD_TYPE_STRICT);
- if (passwordTypeStrict == null) {
- setProperty(WSHandlerConstants.PASSWORD_TYPE_STRICT, "true");
- }
-
 // Configure replay caching
 ReplayCache nonceCache = getReplayCache(
@@ -255,6 +240,12 @@ public class WSS4JInInterceptor extends
 msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
 );
 reqData.setTimestampReplayCache(timestampCache);
+
+ TLSSessionInfo tlsInfo = msg.get(TLSSessionInfo.class);
+ if (tlsInfo != null) {
+ Certificate[] tlsCerts = tlsInfo.getPeerCertificates();
+ reqData.setTlsCerts(tlsCerts);
+ }
 /* * Get and check the Signature specific parameters first because
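Review bot: Removing the `PASSWORD_TYPE_STRICT` default of "true" changes what a received UsernameToken is checked against: as I read the old lines, strict password-type matching was on unless a deployer opted out, so a token whose password type differed from the configured `WSHandlerConstants.PASSWORD_TYPE` was rejected. Unless wss4j 2 enforces the configured password type by default, or the setting is restored in another part of this multi-part commit, a plaintext password could now be accepted where a digest was configured. A comment at this spot naming where that enforcement now lives would let reviewers confirm it; the enclosing method continues on both sides of the hunk.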
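Review bot: `tlsInfo.getPeerCertificates()` can be null on a TLS connection without client authentication, and the new lines pass that straight to `reqData.setTlsCerts`; that is presumably accepted by wss4j, but nothing here says what consumes the chain, so the intent deserves a comment, e.g. `// Hand the TLS client certificate chain (null without client auth) to wss4j; presumably used by its token validators, confirm`. The enclosing method continues past the hunk.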
@@ -328,9 +319,7 @@ public class WSS4JInInterceptor extends
 msg.put(SECURITY_PROCESSED, Boolean.TRUE);
 } catch (WSSecurityException e) {
- LOG.log(Level.WARNING, "", e);
- SoapFault fault = createSoapFault(version, e);
- throw fault;
+ throw createSoapFault(version, e);
 } catch (XMLStreamException e) {
 throw new SoapFault(new Message("STAX_EX", LOG), e, version.getSender());
 } catch (SOAPException e) {
@@ -356,7 +345,7 @@ public class WSS4JInInterceptor extends
 // now check the security actions: do they match, in any order?
 if (!checkReceiverResultsAnyOrder(wsResult, actions)) {
 LOG.warning("Security processing failed (actions mismatch)");
- throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
 }
 // Now check to see if SIGNATURE_PARTS are specified
@@ -369,15 +358,6 @@ public class WSS4JInInterceptor extends
 LOG.warning(warning);
 }
- // Now check SAML SenderVouches + Holder Of Key requirements
- boolean validateSAMLSubjectConf =
- MessageUtils.getContextualBoolean(
- msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, true
- );
- if (validateSAMLSubjectConf) {
- SAMLUtils.validateSAMLResults(wsResult, msg, body);
- }
-
 }
 private void storeSignature(
@@ -385,7 +365,7 @@ public class WSS4JInInterceptor extends
 ) throws WSSecurityException {
 // Extract the signature action result from the action list
 List signatureResults =
- WSS4JUtils.fetchAllActionResults(wsResult, WSConstants.SIGN);
+ WSSecurityUtil.fetchAllActionResults(wsResult, WSConstants.SIGN);
 // Store the last signature result
 if (!signatureResults.isEmpty()) {
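Review bot: Dropping `LOG.log(Level.WARNING, "", e)` before `throw createSoapFault(version, e)` means the original WSSecurityException is no longer recorded on the server side; if createSoapFault (outside this hunk) maps it to a generic fault, as security fault handling usually does, the real failure reason is now lost to operators and to any alerting built on this log. Keeping a log call, e.g. `LOG.log(Level.WARNING, "WS-Security processing failed", e);`, or at least logging at FINE, preserves the forensic trail while the wire fault stays opaque. The try block starts before the hunk.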
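Review bot: The SAML SenderVouches/Holder-of-Key subject-confirmation check (`SAMLUtils.validateSAMLResults`) is removed without a replacement in this file, and `SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION` is no longer read here. If that validation has moved into wss4j 2 (the TLS certificates now passed via setTlsCerts in the earlier hunk suggest so), a comment at this point saying where it now happens and whether the property still has any effect would save the next reader the search; if it has not moved, a SAML token's subject confirmation is no longer checked on this path. The method's remaining body is outside the hunk.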
@@ -398,7 +378,7 @@ public class WSS4JInInterceptor extends ) throws WSSecurityException { // Extract the timestamp action result from the action list List timestampResults = - WSS4JUtils.fetchAllActionResults(wsResult, WSConstants.TS); + WSSecurityUtil.fetchAllActionResults(wsResult, WSConstants.TS); if (!timestampResults.isEmpty()) { msg.put(TIMESTAMP_RESULT, timestampResults.get(timestampResults.size() - 1)); @@ -661,7 +641,7 @@ public class WSS4JInInterceptor extends try { o = ClassLoaderUtils.loadClass((String)o, this.getClass()).newInstance(); } catch (Exception e) { - throw new WSSecurityException(e.getMessage(), e); + throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e); } } if (o instanceof CallbackHandler) { @@ -826,8 +806,8 @@ public class WSS4JInInterceptor extends } } catch (RuntimeException t) { throw t; - } catch (Throwable t) { - throw new WSSecurityException(t.getMessage(), t); + } catch (Exception ex) { + throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex); } } return super.getValidator(qName); Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java Thu May 23 13:17:26 2013 
@@ -41,13 +41,13 @@ import org.apache.cxf.helpers.CastUtils; import org.apache.cxf.interceptor.Fault; import org.apache.cxf.phase.Phase; import org.apache.cxf.phase.PhaseInterceptor; -import org.apache.ws.security.WSConstants; -import org.apache.ws.security.WSSConfig; -import org.apache.ws.security.WSSecurityException; -import org.apache.ws.security.action.Action; -import org.apache.ws.security.handler.RequestData; -import org.apache.ws.security.handler.WSHandlerConstants; -import org.apache.ws.security.util.WSSecurityUtil; +import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.dom.WSConstants; +import org.apache.wss4j.dom.WSSConfig; +import org.apache.wss4j.dom.action.Action; +import org.apache.wss4j.dom.handler.RequestData; +import org.apache.wss4j.dom.handler.WSHandlerConstants; +import org.apache.wss4j.dom.util.WSSecurityUtil; public class WSS4JOutInterceptor extends AbstractWSS4JInterceptor { Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JTokenConverter.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JTokenConverter.java?rev=1485693&r1=1485692&r2=1485693&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JTokenConverter.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JTokenConverter.java Thu May 23 13:17:26 2013 @@ -21,8 +21,9 @@ package org.apache.cxf.ws.security.wss4j import java.security.Principal; import org.apache.cxf.common.security.UsernameToken; +import org.apache.cxf.common.util.Base64Utility; import org.apache.cxf.message.Message; -import org.apache.ws.security.WSUsernameTokenPrincipal; +import org.apache.wss4j.common.principal.UsernameTokenPrincipal; public final class WSS4JTokenConverter { 
@@ -31,14 +32,18 @@ public final class WSS4JTokenConverter {
 }
 public static void convertToken(Message msg, Principal p) {
- if (p instanceof WSUsernameTokenPrincipal) {
- WSUsernameTokenPrincipal utp = (WSUsernameTokenPrincipal)p;
+ if (p instanceof UsernameTokenPrincipal) {
+ UsernameTokenPrincipal utp = (UsernameTokenPrincipal)p;
+ String nonce = null;
+ if (utp.getNonce() != null) {
+ nonce = Base64Utility.encode(utp.getNonce());
+ }
 msg.put(org.apache.cxf.common.security.SecurityToken.class, new UsernameToken(utp.getName(), utp.getPassword(), utp.getPasswordType(), utp.isPasswordDigest(),
- utp.getNonce(),
+ nonce,
 utp.getCreatedTime()));
 }
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java Thu May 23 13:17:26 2013
@@ -18,17 +18,20 @@ */ package org.apache.cxf.ws.security.wss4j; -import java.util.ArrayList; -import java.util.Collections; -import java.util.List; +import java.io.IOException; +import java.net.URL; +import org.apache.cxf.Bus; import org.apache.cxf.binding.soap.SoapMessage; +import org.apache.cxf.common.classloader.ClassLoaderUtils; import org.apache.cxf.endpoint.Endpoint; +import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; +import org.apache.cxf.resource.ResourceManager; import org.apache.cxf.service.model.EndpointInfo; -import org.apache.cxf.ws.security.cache.ReplayCacheFactory; -import org.apache.ws.security.WSSecurityEngineResult; -import org.apache.ws.security.cache.ReplayCache; +import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.wss4j.common.cache.ReplayCache; +import org.apache.wss4j.common.cache.ReplayCacheFactory; /** * Some common functionality that can be shared between the WSS4JInInterceptor and the @@ -81,7 +84,8 @@ public final class WSS4JUtils { if (info.getName() != null) { cacheKey += "-" + info.getName().toString().hashCode(); } - replayCache = replayCacheFactory.newReplayCache(cacheKey, message); + URL configFile = getConfigFileURL(message); + replayCache = replayCacheFactory.newReplayCache(cacheKey, configFile); info.setProperty(instanceKey, replayCache); } return replayCache; 
@@ -89,52 +93,32 @@ public final class WSS4JUtils {
 }
 return null;
 }
-
- /**
- * Fetch the result of a given action from a given result list.
- *
- * @param resultList The result list to fetch an action from
- * @param action The action to fetch
- * @return The result fetched from the result list, null if the result
- * could not be found
- */
- public static List fetchAllActionResults(
- List resultList,
- int action
- ) {
- return fetchAllActionResults(resultList, Collections.singletonList(action));
- }
- /**
- * Fetch the results of a given number of actions action from a given result list.
- *
- * @param resultList The result list to fetch an action from
- * @param actions The list of actions to fetch
- * @return The list of matching results fetched from the result list
- */
- public static List fetchAllActionResults(
- List resultList,
- List actions
- ) {
- List actionResultList = Collections.emptyList();
- if (actions == null || actions.isEmpty()) {
- return actionResultList;
+ private static URL getConfigFileURL(Message message) {
+ Object o = message.getContextualProperty(SecurityConstants.CACHE_CONFIG_FILE);
+ if (o == null) {
+ o = "cxf-ehcache.xml";
 }
- for (WSSecurityEngineResult result : resultList) {
- //
- // Check the result of every action whether it matches the given action
- //
- int resultAction =
- ((java.lang.Integer)result.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
- if (actions.contains(resultAction)) {
- if (actionResultList.isEmpty()) {
- actionResultList = new ArrayList();
+ if (o instanceof String) {
+ URL url = null;
+ ResourceManager rm = message.getExchange().get(Bus.class).getExtension(ResourceManager.class);
+ url = rm.resolveResource((String)o, URL.class);
+ try {
+ if (url == null) {
+ url = ClassLoaderUtils.getResource((String)o, ReplayCacheFactory.class);
+ }
+ if (url == null) {
+ url = new URL((String)o);
 }
- actionResultList.add(result);
+ return url;
+ } catch (IOException e) {
+ // Do nothing
 }
+ } else if (o 
instanceof URL) {
+ return (URL)o;
 }
- return actionResultList;
+ return null;
 }
 }
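Review bot: The new `catch (IOException e) { // Do nothing }` in getConfigFileURL swallows the MalformedURLException from `new URL((String)o)`, so a mistyped `SecurityConstants.CACHE_CONFIG_FILE` value silently becomes null and whatever default the replay-cache factory applies, which is a misconfiguration of replay protection that nobody will see. Log it (the class has no logger in view; one would need adding) or rethrow it as an IllegalArgumentException naming the value. The lookup order also deserves a comment above the `if (o instanceof String)` line, `// Resolve in order: Bus ResourceManager, classpath, then the raw value parsed as a URL (any scheme)`, since the last step means the configured string can point at any URL scheme; and `message.getExchange().get(Bus.class)` is dereferenced without a null check, which may be guaranteed by callers but is not visible here.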