cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf git commit: CXF-7148 - Race Condition while handling symmetric key in SymmetricBindingHandler
Date Wed, 23 Nov 2016 11:00:36 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 267622c64 -> 1cdab6490


CXF-7148 - Race Condition while handling symmetric key in SymmetricBindingHandler


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1cdab649
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1cdab649
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1cdab649

Branch: refs/heads/master
Commit: 1cdab6490f3a83599326c3bae51ae76af3b5b8fe
Parents: 267622c
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Nov 23 11:00:23 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Nov 23 11:00:23 2016 +0000

----------------------------------------------------------------------
 .../AsymmetricBindingHandler.java               |  3 +--
 .../policyhandlers/SymmetricBindingHandler.java | 28 +++++++++-----------
 2 files changed, 14 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/1cdab649/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index cafa16b..28c33d8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -826,8 +826,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                         tempTok.setTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
                     }
                     
-                    getTokenStore().add(tempTok);
-                    message.put(SecurityConstants.TOKEN_ID, tempTok.getId());
+                    message.put(SecurityConstants.TOKEN, tempTok);
                     
                     return id;
                 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/1cdab649/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index 8bb6af2..2534048 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -160,13 +160,13 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder
{
                     if (isRequestor()) {
                         tokenId = setupEncryptedKey(encryptionWrapper, encryptionToken);
                     } else {
-                        tokenId = getEncryptedKey();
+                        tok = getEncryptedKey();
                     }
                 } else if (encryptionToken instanceof UsernameToken) {
                     if (isRequestor()) {
                         tokenId = setupUTDerivedKey((UsernameToken)encryptionToken);
                     } else {
-                        tokenId = getUTDerivedKey();
+                        tok = getUTDerivedKey();
                     }
                 }
                 if (tok == null) {
@@ -290,13 +290,13 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder
{
                     if (isRequestor()) {
                         sigTokId = setupEncryptedKey(sigAbstractTokenWrapper, sigToken);
                     } else {
-                        sigTokId = getEncryptedKey();
+                        sigTok = getEncryptedKey();
                     }
                 } else if (sigToken instanceof UsernameToken) {
                     if (isRequestor()) {
                         sigTokId = setupUTDerivedKey((UsernameToken)sigToken);
                     } else {
-                        sigTokId = getUTDerivedKey();
+                        sigTok = getUTDerivedKey();
                     }
                 }
             } else {
@@ -970,7 +970,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
         return id;
     }
     
-    private String getEncryptedKey() {
+    private SecurityToken getEncryptedKey() {
         WSSecurityEngineResult encryptedKeyResult = getEncryptedKeyResult();
         if (encryptedKeyResult != null) {
             // Store it in the cache
@@ -979,19 +979,18 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder
{
             expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
             
             String encryptedKeyID = (String)encryptedKeyResult.get(WSSecurityEngineResult.TAG_ID);
-            SecurityToken tempTok = new SecurityToken(encryptedKeyID, created, expires);
-            tempTok.setSecret((byte[])encryptedKeyResult.get(WSSecurityEngineResult.TAG_SECRET));
-            tempTok.setSHA1(getSHA1((byte[])encryptedKeyResult
+            SecurityToken securityToken = new SecurityToken(encryptedKeyID, created, expires);
+            securityToken.setSecret((byte[])encryptedKeyResult.get(WSSecurityEngineResult.TAG_SECRET));
+            securityToken.setSHA1(getSHA1((byte[])encryptedKeyResult
                                     .get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY)));
-            tokenStore.add(tempTok);
             
-            return encryptedKeyID;
+            return securityToken;
         }
         
         return null;
     }
     
-    private String getUTDerivedKey() throws WSSecurityException {
+    private SecurityToken getUTDerivedKey() throws WSSecurityException {
         
         List<WSHandlerResult> results = CastUtils.cast((List<?>)message.getExchange().getInMessage()
             .get(WSHandlerConstants.RECV_RESULTS));
@@ -1009,13 +1008,12 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder
{
                     Date created = new Date();
                     Date expires = new Date();
                     expires.setTime(created.getTime() + WSS4JUtils.getSecurityTokenLifetime(message));
-                    SecurityToken tempTok = new SecurityToken(utID, created, expires);
+                    SecurityToken securityToken = new SecurityToken(utID, created, expires);
 
                     byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
-                    tempTok.setSecret(secret);
-                    tokenStore.add(tempTok);
+                    securityToken.setSecret(secret);
 
-                    return utID;
+                    return securityToken;
                 }
             }
         }


Mime
View raw message