Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4DB0010B7A for ; Mon, 31 Mar 2014 14:18:28 +0000 (UTC) Received: (qmail 23814 invoked by uid 500); 31 Mar 2014 14:18:25 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 23632 invoked by uid 500); 31 Mar 2014 14:18:21 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 23468 invoked by uid 99); 31 Mar 2014 14:18:15 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 31 Mar 2014 14:18:15 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id B7D0D90812F; Mon, 31 Mar 2014 14:18:14 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: coheigea@apache.org To: commits@cxf.apache.org Date: Mon, 31 Mar 2014 14:18:15 -0000 Message-Id: <72a8c9651d984e418d9693b17d798872@git.apache.org> In-Reply-To: <31653b0119d34de5b5a074ad9266c85a@git.apache.org> References: <31653b0119d34de5b5a074ad9266c85a@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [2/3] git commit: [CXF-5660] - UsernameTokenInterceptor cannot use subject from WSSecurityEngineResult [CXF-5660] - UsernameTokenInterceptor cannot use subject from WSSecurityEngineResult Conflicts: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ba960586 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ba960586 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ba960586 Branch: refs/heads/2.7.x-fixes Commit: ba960586416b8074957e9601e49366cf713a0916 Parents: 3ca8d16 Author: Colm O hEigeartaigh Authored: Mon Mar 31 11:57:33 2014 +0100 Committer: Colm O hEigeartaigh Committed: Mon Mar 31 14:21:21 2014 +0100 ---------------------------------------------------------------------- .../wss4j/UsernameTokenInterceptor.java | 124 ++++++++++++++++--- 1 file changed, 107 insertions(+), 17 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/ba960586/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java index 466f214..5b0f925 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java 
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java @@ -75,11 +75,15 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor { if (h == null) { return; } + boolean utWithCallbacks = + MessageUtils.getContextualBoolean(message, SecurityConstants.VALIDATE_TOKEN, true); + Element el = (Element)h.getObject(); Element child = DOMUtils.getFirstElement(el); while (child != null) { if (SPConstants.USERNAME_TOKEN.equals(child.getLocalName()) && WSConstants.WSSE_NS.equals(child.getNamespaceURI())) { +<<<<<<< HEAD try { final WSUsernameTokenPrincipal princ = getPrincipal(child, message); if (princ != null) { 
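Review bot: The added line `+<<<<<<< HEAD` here, together with the `+=======` and `+>>>>>>> 7063472...` lines in the hunks at `@@ -105,10 +109,41 @@`, `@@ -117,29 +152,55 @@` and `@@ -160,13 +221,42 @@`, commits unresolved merge-conflict markers into UsernameTokenInterceptor.java, so the file cannot compile on 2.7.x-fixes as of this commit. The two sides also target different WSS4J APIs: the HEAD side uses `org.apache.ws.security.message.token.UsernameToken` and `WSUsernameTokenPrincipal`, while the cherry-picked side uses `org.apache.wss4j.dom.message.token.UsernameToken`, `BSPEnforcer`, `Base64DecodingException` and `UsernameTokenPrincipal`, which presumably are not available with this branch's WSS4J version. The "Conflicts:" trailer suggests a follow-up commit in this series resolves the markers; until it lands the branch build is broken, and the resolution should keep the new validateToken/storeResults flow while retaining the branch's existing principal and token types in the parse-only path and in parseTokenAndCreatePrincipal. The enclosing method starts before this hunk and continues into the next.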
@@ -105,10 +109,41 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor { if (sc == null || sc.getUserPrincipal() == null) { Subject subject = createSubject(princ.getName(), princ.getPassword(), princ.isPasswordDigest(), princ.getNonce(), princ.getCreatedTime()); +======= + try { + Principal principal = null; + Subject subject = null; + if (utWithCallbacks) { + final WSSecurityEngineResult result = validateToken(child, message); + principal = (Principal)result.get(WSSecurityEngineResult.TAG_PRINCIPAL); + subject = (Subject)result.get(WSSecurityEngineResult.TAG_SUBJECT); + } else { + boolean bspCompliant = isWsiBSPCompliant(message); + principal = parseTokenAndCreatePrincipal(child, bspCompliant); + WSS4JTokenConverter.convertToken(message, principal); + } + + SecurityContext sc = message.get(SecurityContext.class); + if (sc == null || sc.getUserPrincipal() == null) { + if (subject != null && principal != null) { + message.put(SecurityContext.class, + createSecurityContext(principal, subject)); + } else if (principal instanceof UsernameTokenPrincipal) { + UsernameTokenPrincipal utPrincipal = (UsernameTokenPrincipal)principal; + String nonce = null; + if (utPrincipal.getNonce() != null) { + nonce = Base64.encode(utPrincipal.getNonce()); + } + subject = createSubject(utPrincipal.getName(), utPrincipal.getPassword(), + utPrincipal.isPasswordDigest(), nonce, utPrincipal.getCreatedTime()); +>>>>>>> 7063472... [CXF-5660] - UsernameTokenInterceptor cannot use subject from WSSecurityEngineResult message.put(SecurityContext.class, - createSecurityContext(princ, subject)); + createSecurityContext(utPrincipal, subject)); } - + } + + if (principal instanceof UsernameTokenPrincipal) { + storeResults((UsernameTokenPrincipal)principal, message); } } catch (WSSecurityException ex) { throw new Fault(ex); 
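Review bot: In the `else` branch (`utWithCallbacks` false, i.e. `SecurityConstants.VALIDATE_TOKEN` set to false) the token is only parsed by `parseTokenAndCreatePrincipal` and then, a few lines later, turned into a `SecurityContext` via `createSubject(...)` and `createSecurityContext(utPrincipal, subject)`; no password callback runs and the nonce replay cache that `validateToken` configures is not consulted on this path. That appears to mirror the pre-existing `getPrincipal` logic visible in the later hunks, so it is not a regression, but the new structure makes the unvalidated path easy to misread as authenticated; a comment at the `else` such as `// VALIDATE_TOKEN=false: the token is parsed but not validated here; the caller is responsible for authenticating the principal` would make the contract explicit. Note also that `subject` stays null in that branch, so whether a context is established depends entirely on `principal instanceof UsernameTokenPrincipal`; a principal of any other type silently yields no `SecurityContext` and no error. The enclosing method starts before this hunk.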
@@ -117,29 +152,55 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor { child = DOMUtils.getNextElement(child); } } + + @Deprecated + protected UsernameTokenPrincipal getPrincipal(Element tokenElement, final SoapMessage message) { + return null; + } + + private void storeResults(UsernameTokenPrincipal principal, SoapMessage message) { + List v = new ArrayList(); + int action = WSConstants.UT; + if (principal.getPassword() == null) { + action = WSConstants.UT_NOPASSWORD; + } + v.add(0, new WSSecurityEngineResult(action, principal, null, null, null)); + List results = CastUtils.cast((List)message + .get(WSHandlerConstants.RECV_RESULTS)); + if (results == null) { + results = new ArrayList(); + message.put(WSHandlerConstants.RECV_RESULTS, results); + } + WSHandlerResult rResult = new WSHandlerResult(null, v); + results.add(0, rResult); + + assertTokens(message, principal, false); + message.put(WSS4JInInterceptor.PRINCIPAL_RESULT, principal); + } +<<<<<<< HEAD protected WSUsernameTokenPrincipal getPrincipal(Element tokenElement, final SoapMessage message) throws WSSecurityException { +======= + protected WSSecurityEngineResult validateToken(Element tokenElement, final SoapMessage message) + throws WSSecurityException, Base64DecodingException { +>>>>>>> 7063472... 
[CXF-5660] - UsernameTokenInterceptor cannot use subject from WSSecurityEngineResult boolean bspCompliant = isWsiBSPCompliant(message); - boolean utWithCallbacks = - MessageUtils.getContextualBoolean(message, SecurityConstants.VALIDATE_TOKEN, true); boolean allowNoPassword = isAllowNoPassword(message.get(AssertionInfoMap.class)); - if (utWithCallbacks) { - UsernameTokenProcessor p = new UsernameTokenProcessor(); - WSDocInfo wsDocInfo = new WSDocInfo(tokenElement.getOwnerDocument()); - RequestData data = new RequestData() { - public CallbackHandler getCallbackHandler() { - return getCallback(message); - } - public Validator getValidator(QName qName) throws WSSecurityException { - Object validator = + UsernameTokenProcessor p = new UsernameTokenProcessor(); + WSDocInfo wsDocInfo = new WSDocInfo(tokenElement.getOwnerDocument()); + RequestData data = new RequestData() { + public CallbackHandler getCallbackHandler() { + return getCallback(message); + } + public Validator getValidator(QName qName) throws WSSecurityException { + Object validator = message.getContextualProperty(SecurityConstants.USERNAME_TOKEN_VALIDATOR); - if (validator == null) { - return super.getValidator(qName); - } - return (Validator)validator; + if (validator == null) { + return super.getValidator(qName); } +<<<<<<< HEAD }; // Configure replay caching 
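Review bot: The new `@Deprecated protected UsernameTokenPrincipal getPrincipal(Element tokenElement, final SoapMessage message) { return null; }` has no Javadoc and, as far as the visible hunks show, is no longer called from the token-processing loop, which now goes through `validateToken` and `parseTokenAndCreatePrincipal`. A subclass that overrode `getPrincipal` to plug in its own token checks would still compile but have its override silently ignored, which is a security-relevant behaviour change; add a `@deprecated` Javadoc stating that the method is no longer invoked by this interceptor, always returns null, and that customisations should move to `validateToken` or `parseTokenAndCreatePrincipal`. In `storeResults`, `List v = new ArrayList();` and `List results = CastUtils.cast((List)message.get(WSHandlerConstants.RECV_RESULTS));` are raw types; given the `add` calls that follow they could be typed as `List<WSSecurityEngineResult>` and `List<WSHandlerResult>` so the compiler checks them. `validateToken` continues into the next hunk.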
@@ -160,13 +221,42 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor { WSUsernameTokenPrincipal principal = parseTokenAndCreatePrincipal(tokenElement, bspCompliant); WSS4JTokenConverter.convertToken(message, principal); return principal; +======= + return (Validator)validator; + } + }; + + // Configure replay caching + ReplayCache nonceCache = + WSS4JUtils.getReplayCache( + message, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE + ); + data.setNonceReplayCache(nonceCache); + + WSSConfig config = WSSConfig.getNewInstance(); + config.setAllowUsernameTokenNoPassword(allowNoPassword); + data.setWssConfig(config); + if (!bspCompliant) { + data.setDisableBSPEnforcement(true); +>>>>>>> 7063472... [CXF-5660] - UsernameTokenInterceptor cannot use subject from WSSecurityEngineResult } + List results = p.handleToken(tokenElement, data, wsDocInfo); + return results.get(0); } +<<<<<<< HEAD protected WSUsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement, boolean bspCompliant) throws WSSecurityException { org.apache.ws.security.message.token.UsernameToken ut = new org.apache.ws.security.message.token.UsernameToken(tokenElement, false, bspCompliant); +======= + + protected UsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement, boolean bspCompliant) + throws WSSecurityException, Base64DecodingException { + BSPEnforcer bspEnforcer = new BSPEnforcer(!bspCompliant); + org.apache.wss4j.dom.message.token.UsernameToken ut = + new org.apache.wss4j.dom.message.token.UsernameToken(tokenElement, false, bspEnforcer); +>>>>>>> 7063472... [CXF-5660] - UsernameTokenInterceptor cannot use subject from WSSecurityEngineResult WSUsernameTokenPrincipal principal = new WSUsernameTokenPrincipal(ut.getName(), ut.isHashed()); principal.setNonce(ut.getNonce());