cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf git commit: [CXF-6277] - Enhance the X509TokenValidator to also validate X509Data DOM Elements
Date Thu, 05 Mar 2015 16:15:28 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes e163f8a5d -> 5d18509f6


[CXF-6277] - Enhance the X509TokenValidator to also validate X509Data DOM Elements


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5d18509f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5d18509f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5d18509f

Branch: refs/heads/3.0.x-fixes
Commit: 5d18509f6e1fba8d6dd374f30ca93745edbcc254
Parents: e163f8a
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Mar 5 15:53:22 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Mar 5 15:54:42 2015 +0000

----------------------------------------------------------------------
 .../sts/token/validator/X509TokenValidator.java | 58 ++++++++++++--------
 1 file changed, 36 insertions(+), 22 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/5d18509f/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
index 368ed54..344d4ce 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/validator/X509TokenValidator.java
@@ -27,6 +27,7 @@ import java.util.logging.Logger;
 import javax.security.auth.callback.CallbackHandler;
 
 import org.w3c.dom.Document;
+import org.w3c.dom.Element;
 import org.w3c.dom.Text;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.DOMUtils;
@@ -39,6 +40,7 @@ import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.bsp.BSPEnforcer;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.message.token.BinarySecurity;
 import org.apache.wss4j.dom.message.token.X509Security;
@@ -47,8 +49,8 @@ import org.apache.wss4j.dom.validate.SignatureTrustValidator;
 import org.apache.wss4j.dom.validate.Validator;
 
 /**
- * This class validates an X.509 V.3 certificate (received as a BinarySecurityToken). The
cert must
- * be known (or trusted) by the STS crypto object.
+ * This class validates an X.509 V.3 certificate (received as a BinarySecurityToken or an
X509Data
+ * DOM Element). The cert must be known (or trusted) by the STS crypto object.
  */
 public class X509TokenValidator implements TokenValidator {
     
@@ -95,6 +97,10 @@ public class X509TokenValidator implements TokenValidator {
         if ((token instanceof BinarySecurityTokenType)
             && X509_V3_TYPE.equals(((BinarySecurityTokenType)token).getValueType()))
{
             return true;
+        } else if (token instanceof Element
+            && WSConstants.SIG_NS.equals(((Element)token).getNamespaceURI())
+            && WSConstants.X509_DATA_LN.equals(((Element)token).getLocalName()))
{
+            return true;
         }
         return false;
     }
@@ -120,30 +126,38 @@ public class X509TokenValidator implements TokenValidator {
         validateTarget.setState(STATE.INVALID);
         response.setToken(validateTarget);
         
-        if (!validateTarget.isBinarySecurityToken()) {
-            return response;
-        }
-
-        BinarySecurityTokenType binarySecurityType = (BinarySecurityTokenType)validateTarget.getToken();
-
-        // Test the encoding type
-        String encodingType = binarySecurityType.getEncodingType();
-        if (!BASE64_ENCODING.equals(encodingType)) {
-            LOG.fine("Bad encoding type attribute specified: " + encodingType);
+        BinarySecurity binarySecurity = null;
+        if (validateTarget.isBinarySecurityToken()) {
+            BinarySecurityTokenType binarySecurityType = (BinarySecurityTokenType)validateTarget.getToken();
+    
+            // Test the encoding type
+            String encodingType = binarySecurityType.getEncodingType();
+            if (!BASE64_ENCODING.equals(encodingType)) {
+                LOG.fine("Bad encoding type attribute specified: " + encodingType);
+                return response;
+            }
+            
+            //
+            // Turn the received JAXB object into a DOM element
+            //
+            Document doc = DOMUtils.createDocument();
+            binarySecurity = new X509Security(doc);
+            binarySecurity.setEncodingType(encodingType);
+            binarySecurity.setValueType(binarySecurityType.getValueType());
+            String data = binarySecurityType.getValue();
+            ((Text)binarySecurity.getElement().getFirstChild()).setData(data);
+        } else if (validateTarget.isDOMElement()) {
+            try {
+                binarySecurity = new X509Security((Element)validateTarget.getToken(), new
BSPEnforcer());
+            } catch (WSSecurityException ex) {
+                LOG.log(Level.WARNING, "", ex);
+                return response;
+            }
+        } else {
             return response;
         }
 
         //
-        // Turn the received JAXB object into a DOM element
-        //
-        Document doc = DOMUtils.createDocument();
-        BinarySecurity binarySecurity = new X509Security(doc);
-        binarySecurity.setEncodingType(encodingType);
-        binarySecurity.setValueType(binarySecurityType.getValueType());
-        String data = binarySecurityType.getValue();
-        ((Text)binarySecurity.getElement().getFirstChild()).setData(data);
-
-        //
         // Validate the token
         //
         try {


Mime
View raw message