From cohei...@apache.org
Subject cxf git commit: Simplifying what we store on the context
Date Tue, 07 Apr 2015 12:36:26 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 12e1aca7b -> 2fd810353


Simplifying what we store on the context


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2fd81035
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2fd81035
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2fd81035

Branch: refs/heads/master
Commit: 2fd8103535c1246a3a243e0fd7bcea86947e6b14
Parents: 12e1aca
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Apr 7 13:36:12 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Apr 7 13:36:12 2015 +0100

----------------------------------------------------------------------
 .../rs/security/saml/AbstractSamlInHandler.java | 34 +++++++++-----------
 .../security/xml/AbstractXmlSecInHandler.java   |  9 ++++++
 .../security/xml/AbstractXmlSigInHandler.java   |  9 ++++--
 .../rs/security/xml/XmlEncOutInterceptor.java   |  8 ++---
 4 files changed, 34 insertions(+), 26 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2fd81035/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
index 1e93601..1e87629 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
@@ -46,6 +46,7 @@ import org.apache.cxf.rs.security.common.CryptoLoader;
 import org.apache.cxf.rs.security.common.SecurityUtils;
 import org.apache.cxf.rs.security.saml.authorization.SecurityContextProvider;
 import org.apache.cxf.rs.security.saml.authorization.SecurityContextProviderImpl;
+import org.apache.cxf.rs.security.xml.AbstractXmlSecInHandler;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.staxutils.StaxUtils;
@@ -65,7 +66,6 @@ import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
 import org.apache.wss4j.dom.validate.Credential;
 import org.apache.wss4j.dom.validate.SamlAssertionValidator;
 import org.apache.wss4j.dom.validate.Validator;
-import org.apache.xml.security.signature.XMLSignature;
 import org.opensaml.xmlsec.signature.KeyInfo;
 import org.opensaml.xmlsec.signature.Signature;
 
@@ -275,12 +275,8 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter
{
                 if (assertionParent != signedElement) {
                     // if not then try to compare if the same cert/key was used to sign SAML
token
                     // and the payload
-                    XMLSignature signature = message.getContent(XMLSignature.class);
-                    if (signature == null) {
-                        return false;
-                    }
                     SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSignatureKeyInfo();
-                    if (!compareCredentials(subjectKeyInfo, signature, tlsCerts)) {
+                    if (!compareCredentials(subjectKeyInfo, message, tlsCerts)) {
                         return false;
                     }
                 }
@@ -297,9 +293,8 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter
{
         List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
         for (String confirmationMethod : confirmationMethods) {
             if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
-                XMLSignature sig = message.getContent(XMLSignature.class);
                 SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
-                if (!compareCredentials(subjectKeyInfo, sig, tlsCerts)) {
+                if (!compareCredentials(subjectKeyInfo, message, tlsCerts)) {
                     return false;
                 }
             }
@@ -317,7 +312,7 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter
{
      */
     private boolean compareCredentials(
         SAMLKeyInfo subjectKeyInfo,
-        XMLSignature sig,
+        Message message,
         Certificate[] tlsCerts
     ) {
         X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
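Review bot: The parameter type changes from `XMLSignature` to `Message`, but the method Javadoc that closes at the `*/` at the top of this hunk is not touched; if it still describes the former `sig` parameter it should now say something like `@param message the inbound message carrying the SIGNING_CERT and SIGNING_PUBLIC_KEY properties persisted by AbstractXmlSigInHandler`. The body of compareCredentials continues beyond this hunk.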
@@ -334,22 +329,23 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter
{
             return true;
         }
         
-        if (sig == null) {
-            return false;
-        }
-        
         //
         // Now try the message-level signatures
         //
         try {
-            X509Certificate[] certs =
-                new X509Certificate[] {sig.getKeyInfo().getX509Certificate()};
-            PublicKey publicKey = sig.getKeyInfo().getPublicKey();
-            if (certs != null && certs.length > 0 && subjectCerts != null
-                && subjectCerts.length > 0 && certs[0].equals(subjectCerts[0]))
{
+            X509Certificate signingCert = 
+                (X509Certificate)message.getExchange().getInMessage().get(
+                    AbstractXmlSecInHandler.SIGNING_CERT);
+            
+            if (subjectCerts != null && subjectCerts.length > 0 
+                && signingCert != null && signingCert.equals(subjectCerts[0]))
{
                 return true;
             }
-            if (publicKey != null && publicKey.equals(subjectPublicKey)) {
+            
+            PublicKey signingKey = 
+                (PublicKey)message.getExchange().getInMessage().get(
+                    AbstractXmlSecInHandler.SIGNING_PUBLIC_KEY);
+            if (signingKey != null && signingKey.equals(subjectPublicKey)) {
                 return true;
             }
         } catch (Exception ex) {
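Review bot: With the `if (sig == null) return false;` guard removed, the case where neither `SIGNING_CERT` nor `SIGNING_PUBLIC_KEY` is present on the in message now falls out of the try block to whatever follows the catch, which is outside this hunk; that is only correct if the method ends in `return false`, so a comment such as `// no persisted message-level signature credentials: fall through to the negative result` would make the intent visible. The two unchecked casts on the `get(...)` results are protected only by the surrounding `catch (Exception ex)`, so an unexpected type under those keys is silently treated as a credential mismatch; an `instanceof` test before each cast would make that explicit and keep the catch for the genuine failure path. Since compareCredentials is called from an inbound filter, `message` is presumably already the in message and `message.getExchange().getInMessage()` could simply be `message`, though that cannot be confirmed from the hunk.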

http://git-wip-us.apache.org/repos/asf/cxf/blob/2fd81035/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
index 0c5912e..f65368e 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
@@ -39,6 +39,15 @@ import org.apache.wss4j.common.crypto.WSProviderConfig;
 
 
 public abstract class AbstractXmlSecInHandler {
+    /**
+     * A key used to reference the cert that was used to verify the signed request
+     */
+    public static final String SIGNING_CERT = "xml.security.signing.cert";
+    /**
+     * A key used to reference the public key that was used to verify the signed request
+     */
+    public static final String SIGNING_PUBLIC_KEY = "xml.security.signing.public.key";
+    
     protected static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
     protected static final String SIG_PREFIX = "ds";
     protected static final String ENC_NS = "http://www.w3.org/2001/04/xmlenc#";
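Review bot: The Javadoc on the two new constants says what each value refers to but not its runtime type or when it is present, which the consumers in AbstractSamlInHandler and XmlEncOutInterceptor rely on when they cast the result. I would extend `SIGNING_CERT` with `Value is the {@code X509Certificate} taken from the signature's KeyInfo; set on the inbound Message by AbstractXmlSigInHandler only after the signature and trust validated and persistSignature is enabled` and give `SIGNING_PUBLIC_KEY` the analogous sentence with `{@code PublicKey}`. Stating that the property is simply absent for unsigned requests tells readers that the null check on the consumer side is the expected negative path, not an error case.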

http://git-wip-us.apache.org/repos/asf/cxf/blob/2fd81035/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
index ca092b9..9d52f58 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
@@ -60,7 +60,7 @@ public class AbstractXmlSigInHandler extends AbstractXmlSecInHandler {
     /**
      * a collection of compiled regular expression patterns for the subject DN
      */
-    private Collection<Pattern> subjectDNPatterns = new ArrayList<Pattern>();
+    private Collection<Pattern> subjectDNPatterns = new ArrayList<>();
     
     public void setRemoveSignature(boolean remove) {
         this.removeSignature = remove;
@@ -153,7 +153,12 @@ public class AbstractXmlSigInHandler extends AbstractXmlSecInHandler
{
             // validate trust 
             new TrustValidator().validateTrust(crypto, cert, publicKey, subjectDNPatterns);
             if (valid && persistSignature) {
-                message.setContent(XMLSignature.class, signature);
+                if (signature.getKeyInfo() != null) {
+                    message.put(SIGNING_CERT, signature.getKeyInfo().getX509Certificate());
+                }
+                if (signature.getKeyInfo() != null) {
+                    message.put(SIGNING_PUBLIC_KEY, signature.getKeyInfo().getPublicKey());
+                }
                 message.setContent(Element.class, signedElement);
             }
         } catch (Exception ex) {
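Review bot: The same `signature.getKeyInfo() != null` condition is evaluated twice back to back; drop the second `if` and its closing brace so both `put` calls sit in one block. Beyond style, `cert` and `publicKey` were just passed to `validateTrust` on the line above, so storing those locals (`message.put(SIGNING_CERT, cert); message.put(SIGNING_PUBLIC_KEY, publicKey);`) guarantees the persisted credentials are exactly the ones trust was established for, rather than re-resolving them from the KeyInfo; this assumes they were derived from the same KeyInfo earlier in the method, which starts outside the hunk. Note also that `getX509Certificate()` can throw, and that failure would now land in the surrounding `catch (Exception ex)` after `validateTrust` has already succeeded, which deserves a comment if it is intended.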

http://git-wip-us.apache.org/repos/asf/cxf/blob/2fd81035/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
index 7659519..c2aa6ef 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
@@ -49,7 +49,6 @@ import org.apache.wss4j.common.token.DOMX509IssuerSerial;
 import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.xml.security.encryption.XMLCipher;
-import org.apache.xml.security.signature.XMLSignature;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
 import org.apache.xml.security.utils.Base64;
 import org.apache.xml.security.utils.EncryptionConstants;
@@ -115,10 +114,9 @@ public class XmlEncOutInterceptor extends AbstractXmlSecOutInterceptor
{
             String userName = (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
             if (SecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName)
                 && !MessageUtils.isRequestor(message)) {
-                XMLSignature sig = message.getExchange().getInMessage().getContent(XMLSignature.class);
-                if (sig != null) {
-                    receiverCert = sig.getKeyInfo().getX509Certificate(); 
-                }
+                receiverCert = 
+                    (X509Certificate)message.getExchange().getInMessage().get(
+                        AbstractXmlSecInHandler.SIGNING_CERT);
             } else {
                 CryptoLoader loader = new CryptoLoader();
                 Crypto crypto = loader.getCrypto(message, 
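Review bot: `receiverCert` is now assigned the raw `get(SIGNING_CERT)` result, so when the request was unsigned or the inbound handler did not persist the signature the cast yields null, and the old `if (sig != null)` behaviour of leaving `receiverCert` untouched is gone; the method continues outside this hunk, so if it does not already reject a null `receiverCert` with a clear message, add that check here. The unchecked cast would also throw `ClassCastException` if some other type were stored under that key; `Object signer = message.getExchange().getInMessage().get(AbstractXmlSecInHandler.SIGNING_CERT); if (signer instanceof X509Certificate) { receiverCert = (X509Certificate)signer; }` keeps the previous null-safe shape. A short why-comment, `// cert was trust-validated by AbstractXmlSigInHandler before being stored`, would record why encrypting the response to the request signer's certificate is acceptable here.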

