cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf git commit: Refactoring of the CryptoCoverageChecker stuff
Date Fri, 13 Mar 2015 14:18:40 GMT
Repository: cxf
Updated Branches:
  refs/heads/master e47f87b16 -> dfecaa60e


Refactoring of the CryptoCoverageChecker stuff


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/dfecaa60
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/dfecaa60
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/dfecaa60

Branch: refs/heads/master
Commit: dfecaa60ea6082fda8f2959c083ba2f2f7a03112
Parents: e47f87b
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Mar 13 14:18:18 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Mar 13 14:18:18 2015 +0000

----------------------------------------------------------------------
 .../security/wss4j/CryptoCoverageChecker.java   | 59 ++++++++----------
 .../ws/security/wss4j/CryptoCoverageUtil.java   | 63 ++------------------
 .../wss4j/PolicyBasedWSS4JInInterceptor.java    |  2 +-
 3 files changed, 29 insertions(+), 95 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/dfecaa60/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
index b5a0d97..9a71a9e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
@@ -51,7 +51,6 @@ import org.apache.wss4j.dom.WSDataRef;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 
 /**
  * Utility to enable the checking of WS-Security signature/encryption
@@ -66,12 +65,12 @@ public class CryptoCoverageChecker extends AbstractSoapInterceptor {
      * that must be covered.  See {@link #prefixMap}
      * for namespace prefixes available.
      */
-    protected List<XPathExpression> xPaths = new ArrayList<XPathExpression>();
+    protected List<XPathExpression> xPaths = new ArrayList<>();
     
     /**
      * Mapping of namespace prefixes to namespace URIs.
      */
-    protected Map<String, String> prefixMap = new HashMap<String, String>();
+    protected Map<String, String> prefixMap = new HashMap<>();
     
     private boolean checkFaults = true;
     
@@ -132,43 +131,33 @@ public class CryptoCoverageChecker extends AbstractSoapInterceptor {
             throw new SoapFault("Error obtaining SOAP document", Fault.FAULT_CODE_CLIENT);
         }
         
-        final Collection<WSDataRef> signed = new HashSet<WSDataRef>();
-        final Collection<WSDataRef> encrypted = new HashSet<WSDataRef>();
+        final Collection<WSDataRef> signed = new HashSet<>();
+        final Collection<WSDataRef> encrypted = new HashSet<>();
         
         List<WSHandlerResult> results = CastUtils.cast(
                 (List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
         
-        for (final WSHandlerResult wshr : results) {
-            final List<WSSecurityEngineResult> wsSecurityEngineSignResults = 
-                WSSecurityUtil.fetchAllActionResults(wshr.getResults(), WSConstants.SIGN);
-            
-            final List<WSSecurityEngineResult> wsSecurityEngineEncResults = 
-                WSSecurityUtil.fetchAllActionResults(wshr.getResults(), WSConstants.ENCR);
-            
-            for (WSSecurityEngineResult wser : wsSecurityEngineSignResults) {
-            
-                List<WSDataRef> sl = CastUtils.cast((List<?>) wser
-                        .get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
-                if (sl != null) {
-                    if (sl.size() == 1
-                        && sl.get(0).getName().equals(new QName(WSConstants.SIG_NS,
WSConstants.SIG_LN))) {
-                        //endorsing the signature so don't include
-                        break;
-                    }
-                    
-                    for (WSDataRef r : sl) {
-                        signed.add(r);
+        // Get all encrypted and signed references
+        for (WSHandlerResult wshr : results) {
+            for (WSSecurityEngineResult result : wshr.getResults()) {
+                Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+                if (actInt == WSConstants.SIGN) {
+                    List<WSDataRef> sl = 
+                        CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+                    if (sl != null) {
+                        if (sl.size() == 1
+                            && sl.get(0).getName().equals(new QName(WSConstants.SIG_NS,
WSConstants.SIG_LN))) {
+                            //endorsing the signature so don't include
+                            continue;
+                        }
+                        
+                        signed.addAll(sl);
                     }
-                }
-            }
-            
-            for (WSSecurityEngineResult wser : wsSecurityEngineEncResults) {
-                List<WSDataRef> el = CastUtils.cast((List<?>) wser
-                        .get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
-
-                if (el != null) {
-                    for (WSDataRef r : el) {
-                        encrypted.add(r);
+                } else if (actInt == WSConstants.ENCR) {
+                    List<WSDataRef> el = 
+                        CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+                    if (el != null) {
+                        encrypted.addAll(el);
                     }
                 }
             }

http://git-wip-us.apache.org/repos/asf/cxf/blob/dfecaa60/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
index fde339c..c2dba48 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
@@ -22,7 +22,6 @@ package org.apache.cxf.ws.security.wss4j;
 
 import java.util.Arrays;
 import java.util.Collection;
-import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
@@ -68,14 +67,11 @@ public final class CryptoCoverageUtil {
     public static void reconcileEncryptedSignedRefs(final Collection<WSDataRef> signedRefs,

             final Collection<WSDataRef> encryptedRefs) {
         
-        final List<WSDataRef> encryptedSignedRefs = new LinkedList<WSDataRef>();
+        final List<WSDataRef> encryptedSignedRefs = new LinkedList<>();
         
         for (WSDataRef encryptedRef : encryptedRefs) {
-            final Iterator<WSDataRef> signedRefsIt = signedRefs.iterator();
-            while (signedRefsIt.hasNext()) {
-                final WSDataRef signedRef = signedRefsIt.next();
-                
-                if (isSignedEncryptionRef(encryptedRef, signedRef)) {
+            for (WSDataRef signedRef : signedRefs) {
+                if (signedRef.getProtectedElement() == encryptedRef.getEncryptedElement())
{
 
                     final WSDataRef encryptedSignedRef = new WSDataRef();
                     encryptedSignedRef.setWsuId(signedRef.getWsuId());
@@ -84,11 +80,7 @@ public final class CryptoCoverageUtil {
                     encryptedSignedRef.setName(encryptedRef.getName());
                     encryptedSignedRef.setProtectedElement(encryptedRef
                             .getProtectedElement());
-                    // This value is the ID of the encrypted element, not
-                    // the value of the ID in the decrypted content 
-                    // (WSS4J 1.5.8).  Therefore, passing it along does
-                    // not provide much value.
-                    //encryptedSignedRef.setWsuId(encryptedRef.getWsuId());
+                    
                     encryptedSignedRef.setXpath(encryptedRef.getXpath());
                     
                     encryptedSignedRefs.add(encryptedSignedRef);
@@ -350,53 +342,6 @@ public final class CryptoCoverageUtil {
         }
     }
     
-    /**
-     * Determines if {@code signedRef} points to the encrypted content represented by
-     * {@code encryptedRef} using the following algorithm.
-     *
-     * <ol>
-     * <li>Check that the signed content is an XML Encryption element.</li>
-     * <li>Check that the reference Ids of the signed content and encrypted content
-     * (not the decrypted version of the encrypted content) match.  Check that the
-     * reference Id of the signed content matches the reference Id of the encrypted
-     * content prepended with a #.
-     * <li>Check for other Id attributes on the signed element that may match the
-     * referenced identifier for the encrypted content.  This is a workaround for
-     * WSS-242.</li>
-     * </ol>
-     *
-     * @param encryptedRef the ref representing the encrpted content
-     * @param signedRef the ref representing the signed content
-     */
-    private static boolean isSignedEncryptionRef(WSDataRef encryptedRef, WSDataRef signedRef)
{
-        
-        // Don't even bother if the signed element wasn't an XML Enc element.
-        if (!WSConstants.ENC_NS.equals(signedRef.getProtectedElement()
-                                       .getNamespaceURI())) {
-            return false;
-        }
-        
-        if (signedRef.getWsuId().equals(encryptedRef.getWsuId())
-            || signedRef.getWsuId().equals("#" + encryptedRef.getWsuId())) {
-            return true;
-        }
-        
-        // There should be no other Ids on an EncryptedData or EncryptedKey element;
-        // however, WSS4J will happily add them on the outbound side.  See WSS-242.
-        // The following code looks for the specific behavior that exists in
-        // 1.5.8 and earlier version.
-        
-        String wsuId = signedRef.getProtectedElement().getAttributeNS(
-                WSConstants.WSU_NS, "Id");
-        
-        if (signedRef.getWsuId().equals(wsuId)
-            || signedRef.getWsuId().equals("#" + wsuId)) {
-            return true;
-        }
-        
-        return false;
-    }
-
     private static boolean matchElement(Collection<WSDataRef> refs,
             CoverageType type, CoverageScope scope, Element el) {
         final boolean content;

http://git-wip-us.apache.org/repos/asf/cxf/blob/dfecaa60/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 47629d3..116e2a0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -720,7 +720,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor
{
         //
         // Pre-fetch various results
         //
-        final List<Integer> actions = new ArrayList<Integer>(2);
+        final List<Integer> actions = new ArrayList<Integer>(3);
         actions.add(WSConstants.SIGN);
         actions.add(WSConstants.UT_SIGN);
         actions.add(WSConstants.ST_SIGNED);


Mime
View raw message