cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject git commit: Added initial support for "useReqSigCert" for the streaming JAX-RS XML Security code.
Date Mon, 24 Feb 2014 15:12:06 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 212ce2a30 -> f29557a3b


Added initial support for "useReqSigCert" for the streaming JAX-RS XML Security code.


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f29557a3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f29557a3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f29557a3

Branch: refs/heads/master
Commit: f29557a3b144603eab65068b6776d823683dab87
Parents: 212ce2a
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Feb 24 15:10:56 2014 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Feb 24 15:11:47 2014 +0000

----------------------------------------------------------------------
 .../cxf/rs/security/common/SecurityUtils.java   |  9 ++++--
 .../security/xml/AbstractXmlSigInHandler.java   |  2 +-
 .../rs/security/xml/XmlEncOutInterceptor.java   |  3 +-
 .../rs/security/xml/XmlSecInInterceptor.java    | 14 ++++++++--
 .../rs/security/xml/XmlSecOutInterceptor.java   | 29 ++++++++++++--------
 5 files changed, 38 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/f29557a3/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java
index 34d9897..f849bf8 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java
@@ -28,7 +28,6 @@ import javax.security.auth.callback.CallbackHandler;
 
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
-
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.common.util.Base64Utility;
 import org.apache.cxf.common.util.StringUtils;
@@ -38,6 +37,7 @@ import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.crypto.Merlin;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.xml.security.utils.Constants;
@@ -66,7 +66,12 @@ public final class SecurityUtils {
         throws Exception {
         String base64Value = certNode.getTextContent().trim();
         byte[] certBytes = Base64Utility.decode(base64Value);
-        return crypto.loadCertificate(new ByteArrayInputStream(certBytes));
+        
+        Crypto certCrypto = crypto;
+        if (certCrypto == null) {
+            certCrypto = new Merlin();
+        }
+        return certCrypto.loadCertificate(new ByteArrayInputStream(certBytes));
     }
     
     public static X509Certificate loadX509IssuerSerial(Crypto crypto, Element certNode) 

http://git-wip-us.apache.org/repos/asf/cxf/blob/f29557a3/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
index 3cc9562..e81e298 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
@@ -211,7 +211,7 @@ public class AbstractXmlSigInHandler extends AbstractXmlSecInHandler {
     protected Reference getReference(XMLSignature sig) {
         int count = sig.getSignedInfo().getLength();
         if (count != 1) {
-            throwFault("Multiple Signature Reference are not currently supported", null);
+            throwFault("Multiple Signature References are not currently supported", null);
         }
         try {
             return sig.getSignedInfo().item(0);

http://git-wip-us.apache.org/repos/asf/cxf/blob/f29557a3/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
index 26eb109..6635c3d 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
@@ -116,8 +116,7 @@ public class XmlEncOutInterceptor extends AbstractXmlSecOutInterceptor
{
             X509Certificate receiverCert = null;
             
             String userName = (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
-            if (userName != null 
-                && SecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName)
+            if (SecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName)
                 && !MessageUtils.isRequestor(message)) {
                 XMLSignature sig = message.getExchange().getInMessage().getContent(XMLSignature.class);
                 if (sig != null) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/f29557a3/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
index 64b89f3..fa23280 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
@@ -80,6 +80,7 @@ public class XmlSecInInterceptor implements PhaseInterceptor<Message>
{
     private String phase;
     private String decryptionAlias;
     private String signatureVerificationAlias;
+    private boolean persistSignature = true;
 
     public XmlSecInInterceptor() {
         setPhase(Phase.POST_STREAM);
@@ -203,7 +204,7 @@ public class XmlSecInInterceptor implements PhaseInterceptor<Message>
{
     }
     
     protected SecurityEventListener configureSecurityEventListener(
-        final Crypto sigCrypto, Message msg, XMLSecurityProperties securityProperties
+        final Crypto sigCrypto, final Message msg, XMLSecurityProperties securityProperties
     ) {
         final List<SecurityEvent> incomingSecurityEventList = new LinkedList<SecurityEvent>();
         SecurityEventListener securityEventListener = new SecurityEventListener() {
@@ -218,7 +219,7 @@ public class XmlSecInInterceptor implements PhaseInterceptor<Message>
{
                     }
                 } else if (securityEvent.getSecurityEventType() != SecurityEventConstants.EncryptedKeyToken
                     && securityEvent instanceof TokenSecurityEvent<?>) {
-                    checkSignatureTrust(sigCrypto, (TokenSecurityEvent<?>)securityEvent);
+                    checkSignatureTrust(sigCrypto, msg, (TokenSecurityEvent<?>)securityEvent);
                 }
                 incomingSecurityEventList.add(securityEvent);
             }
@@ -277,7 +278,7 @@ public class XmlSecInInterceptor implements PhaseInterceptor<Message>
{
     }
     
     private void checkSignatureTrust(
-        Crypto sigCrypto, TokenSecurityEvent<?> event
+        Crypto sigCrypto, Message msg, TokenSecurityEvent<?> event
     ) throws XMLSecurityException {
         SecurityToken token = event.getSecurityToken();
         if (token != null) {
@@ -295,6 +296,10 @@ public class XmlSecInInterceptor implements PhaseInterceptor<Message>
{
                 throw new XMLSecurityException("empty", "Error during Signature Trust "
                                                + "validation: " + e.getMessage());
             }
+            
+            if (persistSignature) {
+                msg.setContent(X509Certificate.class, cert);
+            }
         }
     }
     
@@ -360,4 +365,7 @@ public class XmlSecInInterceptor implements PhaseInterceptor<Message>
{
         this.signatureVerificationAlias = signatureVerificationAlias;
     }
     
+    public void setPersistSignature(boolean persist) {
+        this.persistSignature = persist;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f29557a3/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
index aa6f381..c480f88 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
@@ -58,7 +58,6 @@ import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.xml.security.algorithms.JCEMapper;
 import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.signature.XMLSignature;
 import org.apache.xml.security.stax.ext.OutboundXMLSec;
 import org.apache.xml.security.stax.ext.SecurePart;
 import org.apache.xml.security.stax.ext.XMLSec;
@@ -161,18 +160,26 @@ public class XmlSecOutInterceptor implements PhaseInterceptor<Message>
{
         properties.setEncryptionKey(
             getSymmetricKey(encryptionProperties.getEncryptionSymmetricKeyAlgo()));
         if (encryptSymmetricKey) {
+            X509Certificate sendingCert = null;
             String userName = 
                 (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
-            CryptoLoader loader = new CryptoLoader();
-            Crypto crypto = loader.getCrypto(message, 
-                                      SecurityConstants.ENCRYPT_CRYPTO,
-                                      SecurityConstants.ENCRYPT_PROPERTIES);
-            
-            userName = SecurityUtils.getUserName(crypto, userName);
-            if (StringUtils.isEmpty(userName)) {
-                throw new Exception("User name is not available");
+            if (SecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName)
+                && !MessageUtils.isRequestor(message)) {
+                sendingCert = 
+                    message.getExchange().getInMessage().getContent(X509Certificate.class);
+            } else {
+                CryptoLoader loader = new CryptoLoader();
+                Crypto crypto = loader.getCrypto(message, 
+                                          SecurityConstants.ENCRYPT_CRYPTO,
+                                          SecurityConstants.ENCRYPT_PROPERTIES);
+                
+                userName = SecurityUtils.getUserName(crypto, userName);
+                if (StringUtils.isEmpty(userName)) {
+                    throw new Exception("User name is not available");
+                }
+                sendingCert = getCertificateFromCrypto(crypto, userName);
             }
-            X509Certificate sendingCert = getCertificateFromCrypto(crypto, userName);
+            
             if (sendingCert == null) {
                 throw new Exception("Sending certificate is not available");
             }
@@ -273,7 +280,7 @@ public class XmlSecOutInterceptor implements PhaseInterceptor<Message>
{
         
         String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
         if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
-            sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_DSA;
+            sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA_SHA1;
         }
         
         properties.setSignatureAlgorithm(sigAlgo);


Mime
View raw message