From cohei...@apache.org
Subject svn commit: r1524681 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ systests/ws-security/src/...
Date Thu, 19 Sep 2013 10:31:32 GMT
Author: coheigea
Date: Thu Sep 19 10:31:32 2013
New Revision: 1524681

URL: http://svn.apache.org/r1524681
Log:
[CXF-5291] - Only activate ws-security caching if it is required

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Thu Sep 19 10:31:32 2013
@@ -170,7 +170,9 @@ public final class SecurityConstants {
     /**
      * Whether to cache UsernameToken nonces. The default value is "true" for message recipients,
and 
      * "false" for message initiators. Set it to true to cache for both cases. Set this to
"false" to
-     * not cache UsernameToken nonces. 
+     * not cache UsernameToken nonces. Note that caching only applies when either a UsernameToken
+     * WS-SecurityPolicy is in effect, or else that a UsernameToken action has been configured
+     * for the non-security-policy case.
      */
     public static final String ENABLE_NONCE_CACHE = "ws-security.enable.nonce.cache";
     
@@ -178,6 +180,8 @@ public final class SecurityConstants {
      * Whether to cache Timestamp Created Strings (these are only cached in conjunction with
a message 
      * Signature).The default value is "true" for message recipients, and "false" for message
initiators.
      * Set it to true to cache for both cases. Set this to "false" to not cache Timestamp
Created Strings.
+     * Note that caching only applies when either a "IncludeTimestamp" policy is in effect,
or
+     * else that a Timestamp action has been configured for the non-security-policy case.
      */
     public static final String ENABLE_TIMESTAMP_CACHE = "ws-security.enable.timestamp.cache";
     

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Thu Sep 19 10:31:32 2013
@@ -322,6 +322,42 @@ public class PolicyBasedWSS4JInIntercept
         return action;
     }
     
+    /**
+     * Is a Nonce Cache required, i.e. are we expecting a UsernameToken
+     */
+    @Override
+    protected boolean isNonceCacheRequired(int doAction, SoapMessage msg) {
+        AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
+        if (aim != null) {
+            Collection<AssertionInfo> ais = 
+                getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+            
+            if (!ais.isEmpty()) {
+                return true;
+            }
+        }
+        
+        return false;
+    }
+    
+    /**
+     * Is a Timestamp cache required, i.e. are we expecting a Timestamp 
+     */
+    @Override
+    protected boolean isTimestampCacheRequired(int doAction, SoapMessage msg) {
+        AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
+        if (aim != null) {
+            Collection<AssertionInfo> ais = 
+                getAllAssertionsByLocalname(aim, SPConstants.INCLUDE_TIMESTAMP);
+            
+            if (!ais.isEmpty()) {
+                return true;
+            }
+        }
+        
+        return false;
+    }
+    
     private void checkUsernameToken(
         AssertionInfoMap aim, SoapMessage message
     ) throws WSSecurityException {
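Review bot: Both new overrides return `false` whenever the message has no AssertionInfoMap or no matching assertion, which silently discards the `doAction`-based decision the superclass makes and leaves the replay cache off; since replay detection is a security control, deferring is safer than disabling: `return super.isNonceCacheRequired(doAction, msg);` in place of the final `return false;`, and likewise `return super.isTimestampCacheRequired(doAction, msg);` in the second override. Whether an action-configured deployment can ever reach this policy-based interceptor is not visible here, so the fallback costs nothing in the pure-policy case and closes the gap otherwise. The Javadoc on both methods would also benefit from `@param doAction`, `@param msg` and `@return` tags stating that the result is derived from the UsernameToken and IncludeTimestamp assertions rather than from the action bits.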

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Thu Sep 19 10:31:32 2013
@@ -234,21 +234,28 @@ public class WSS4JInInterceptor extends 
             }
 
             // Configure replay caching
-            ReplayCache nonceCache = 
-                getReplayCache(
-                    msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
-                );
-            reqData.setNonceReplayCache(nonceCache);
-            if (nonceCache == null) {
-                reqData.setEnableNonceReplayCache(false);
-            }
-            ReplayCache timestampCache = 
-                getReplayCache(
-                    msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
-                );
-            reqData.setTimestampReplayCache(timestampCache);
-            if (timestampCache == null) {
-                reqData.setEnableTimestampReplayCache(false);
+            reqData.setEnableNonceReplayCache(false);
+            if (isNonceCacheRequired(doAction, msg)) {
+                ReplayCache nonceCache = 
+                    getReplayCache(
+                        msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
+                    );
+                reqData.setNonceReplayCache(nonceCache);
+                if (nonceCache != null) {
+                    reqData.setEnableNonceReplayCache(true);
+                }
+            }
+            
+            reqData.setEnableTimestampReplayCache(false);
+            if (isTimestampCacheRequired(doAction, msg)) {
+                ReplayCache timestampCache = 
+                    getReplayCache(
+                        msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
+                    );
+                reqData.setTimestampReplayCache(timestampCache);
+                if (timestampCache != null) {
+                    reqData.setEnableTimestampReplayCache(true);
+                }
             }
             
             TLSSessionInfo tlsInfo = msg.get(TLSSessionInfo.class);
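Review bot: When `isNonceCacheRequired` or `isTimestampCacheRequired` returns false, the corresponding replay cache is now left disabled with no trace, whereas before this change a recipient got both caches by default; an operator investigating a missed replay has nothing in the logs to explain why detection was inactive. A debug-level statement on each skipped branch, e.g. `LOG_PLACEHOLDER.fine("Nonce replay cache not enabled: no UsernameToken expected for the configured actions");` (using whatever logger the class already declares, which this hunk does not show), would make the new behaviour observable without changing it. The enclosing method starts and ends outside the hunk, so where `doAction` is computed is not visible here.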
@@ -419,6 +426,27 @@ public class WSS4JInInterceptor extends 
     }
     
     /**
+     * Is a Nonce Cache required, i.e. are we expecting a UsernameToken 
+     */
+    protected boolean isNonceCacheRequired(int doAction, SoapMessage msg) {
+        if ((doAction & WSConstants.UT) == WSConstants.UT
+            || (doAction & WSConstants.UT_NOPASSWORD) == WSConstants.UT_NOPASSWORD) {
+            return true;
+        }
+        return false;
+    }
+    
+    /**
+     * Is a Timestamp cache required, i.e. are we expecting a Timestamp 
+     */
+    protected boolean isTimestampCacheRequired(int doAction, SoapMessage msg) {
+        if ((doAction & WSConstants.TS) == WSConstants.TS) {
+            return true;
+        }
+        return false;
+    }
+    
+    /**
      * Set a WSS4J AlgorithmSuite object on the RequestData context, to restrict the
      * algorithms that are allowed for encryption, signature, etc.
      */
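Review bot: Both new predicates spell a boolean as `if (cond) { return true; } return false;`; `return (doAction & WSConstants.TS) == WSConstants.TS;` and the equivalent two-term expression for `UT`/`UT_NOPASSWORD` say the same thing in one line each. The `msg` parameter is unused in these base implementations and exists only for overrides, which the Javadoc should state so a reader does not look for a message-dependent path: `@param msg the inbound message; not consulted here, provided for policy-aware subclasses`, plus `@param doAction the WSS4J action bit mask configured for this interceptor` and `@return`.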

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
Thu Sep 19 10:31:32 2013
@@ -26,7 +26,10 @@ import javax.xml.ws.Service;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.systest.ws.common.SecurityTestUtil;
+import org.apache.cxf.systest.ws.ut.SecurityHeaderCacheInterceptor;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.example.contract.doubleit.DoubleItPortType;
 import org.junit.BeforeClass;
@@ -120,6 +123,42 @@ public class ActionTest extends Abstract
     }
     
     @org.junit.Test
+    public void testUsernameTokenReplay() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ActionTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItUsernameTokenPort");
+        DoubleItPortType port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        
+        Client cxfClient = ClientProxy.getClient(port);
+        SecurityHeaderCacheInterceptor cacheInterceptor =
+            new SecurityHeaderCacheInterceptor();
+        cxfClient.getOutInterceptors().add(cacheInterceptor);
+        
+        // Make two invocations with the same UsernameToken
+        port.doubleIt(25);
+        try {
+            port.doubleIt(25);
+            fail("Failure expected on a replayed UsernameToken");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            String error = "A replay attack has been detected";
+            assertTrue(ex.getMessage().contains(error));
+        }
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
     public void testEncryptedPassword() throws Exception {
         
         if (!unrestrictedPoliciesInstalled) {
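Review bot: `port.close()` and `bus.shutdown(true)` at the end of testUsernameTokenReplay are skipped whenever `fail(...)` or `assertTrue(...)` throws, so a failing run leaves the bus registered as default and thread-default and can bleed into later tests in the class. Moving the two invocations and the try/catch into a `try { ... } finally { ((java.io.Closeable)port).close(); bus.shutdown(true); }` block keeps the cleanup unconditional. The same pattern is repeated in testSignedTimestampReplay in the next hunk of this file and should get the same treatment.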
@@ -144,4 +183,40 @@ public class ActionTest extends Abstract
         ((java.io.Closeable)port).close();
         bus.shutdown(true);
     }
+    
+    @org.junit.Test
+    public void testSignedTimestampReplay() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ActionTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSignedTimestampPort");
+        DoubleItPortType port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        
+        Client cxfClient = ClientProxy.getClient(port);
+        SecurityHeaderCacheInterceptor cacheInterceptor =
+            new SecurityHeaderCacheInterceptor();
+        cxfClient.getOutInterceptors().add(cacheInterceptor);
+        
+        // Make two invocations with the same SecurityHeader
+        port.doubleIt(25);
+        try {
+            port.doubleIt(25);
+            fail("Failure expected on a replayed Timestamp");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            String error = "A replay attack has been detected";
+            assertTrue(ex.getMessage().contains(error));
+        }
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
 }

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
Thu Sep 19 10:31:32 2013
@@ -60,6 +60,9 @@
         <wsdl:port name="DoubleItEncryptedPasswordPort" binding="tns:DoubleItNoSecurityBinding">
             <soap:address location="http://localhost:9001/DoubleItEncryptedPassword" />
         </wsdl:port>
+        <wsdl:port name="DoubleItSignedTimestampPort" binding="tns:DoubleItNoSecurityBinding">
+            <soap:address location="http://localhost:9001/DoubleItSignedTimestamp" />
+        </wsdl:port>
     </wsdl:service>
 
 </wsdl:definitions>

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
Thu Sep 19 10:31:32 2013
@@ -110,4 +110,33 @@
        </jaxws:inInterceptors>
     </jaxws:client>
     
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignedTimestampPort"

+                  createdFromAPI="true">
+       <jaxws:outInterceptors>
+           <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+               <constructor-arg>
+                   <map>
+                        <entry key="action" value="Signature Timestamp"/> 
+                        <entry key="user" value="alice"/>
+                        <entry key="signaturePropFile" value="alice.properties"/>
+                        <entry key="signatureKeyIdentifier" value="DirectReference"/>
+                        <entry key="signatureParts"
+                               value="{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{}{http://schemas.xmlsoap.org/soap/envelope/}Body;"
/>
+                        <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+                   </map>
+               </constructor-arg>
+           </bean>
+       </jaxws:outInterceptors>
+       <jaxws:inInterceptors>
+           <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+               <constructor-arg>
+                   <map>
+                        <entry key="action" value="Signature"/> 
+                        <entry key="signatureVerificationPropFile" value="alice.properties"/>
+                   </map>
+               </constructor-arg>
+           </bean>
+       </jaxws:inInterceptors>
+    </jaxws:client>
+    
 </beans>

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml?rev=1524681&r1=1524680&r2=1524681&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
Thu Sep 19 10:31:32 2013
@@ -157,4 +157,38 @@
      
     </jaxws:endpoint> 
     
+    <jaxws:endpoint 
+       id="SignedTimestamp"
+       address="http://localhost:${testutil.ports.Server}/DoubleItSignedTimestamp" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItSignedTimestampPort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/action/DoubleItAction.wsdl">
+       <jaxws:outInterceptors>
+           <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+               <constructor-arg>
+                   <map>
+                        <entry key="action" value="Signature"/> 
+                        <entry key="user" value="bob"/> 
+                        <entry key="signaturePropFile" value="bob.properties"/>
+                        <entry key="signatureKeyIdentifier" value="DirectReference"/>
+                        <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+                   </map>
+               </constructor-arg>
+           </bean>
+       </jaxws:outInterceptors>
+       <jaxws:inInterceptors>
+           <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+               <constructor-arg>
+                   <map>
+                        <entry key="action" value="Signature Timestamp"/> 
+                        <entry key="signatureVerificationPropFile" value="bob.properties"/>
+                   </map>
+               </constructor-arg>
+           </bean>
+       </jaxws:inInterceptors>
+     
+    </jaxws:endpoint> 
+    
 </beans>


