Refactor how we extract "IDs" from delegation tokens when used for caching Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1a4fe22f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1a4fe22f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1a4fe22f Branch: refs/heads/3.1.x-fixes Commit: 1a4fe22fc297f8be204788bcdfcd498e91201a01 Parents: 22a58c3 Author: Colm O hEigeartaigh Authored: Wed Apr 5 11:01:21 2017 +0100 Committer: Colm O hEigeartaigh Committed: Wed Apr 5 11:41:59 2017 +0100 ---------------------------------------------------------------------- .../security/trust/DefaultSTSTokenCacher.java | 40 +++++++++++++++++--- 1 file changed, 35 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/1a4fe22f/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java index 6fc26f0..c2699fc 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/DefaultSTSTokenCacher.java @@ -19,6 +19,9 @@ package org.apache.cxf.ws.security.trust; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Base64; import java.util.HashMap; import java.util.Map; 
@@ -33,6 +36,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStore; import org.apache.cxf.ws.security.tokenstore.TokenStoreUtils; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.SamlAssertionWrapper; +import org.apache.wss4j.common.util.XMLUtils; import org.apache.wss4j.dom.WSConstants; public class DefaultSTSTokenCacher implements STSTokenCacher { 
@@ -163,16 +167,42 @@ public class DefaultSTSTokenCacher implements STSTokenCacher { return false; } + // Get an id from the token that is unique to that token private static String getIdFromToken(Element token) { if (token != null) { - // Try to find the "Id" on the token. - if (token.hasAttributeNS(WSConstants.WSU_NS, "Id")) { - return token.getAttributeNS(WSConstants.WSU_NS, "Id"); - } else if (token.hasAttributeNS(null, "ID")) { + // For SAML tokens get the ID/AssertionID + if ("Assertion".equals(token.getLocalName()) + && WSConstants.SAML2_NS.equals(token.getNamespaceURI())) { return token.getAttributeNS(null, "ID"); - } else if (token.hasAttributeNS(null, "AssertionID")) { + } else if ("Assertion".equals(token.getLocalName()) + && WSConstants.SAML_NS.equals(token.getNamespaceURI())) { return token.getAttributeNS(null, "AssertionID"); } + + // For UsernameTokens get the username + if (WSConstants.USERNAME_TOKEN_LN.equals(token.getLocalName()) + && WSConstants.WSSE_NS.equals(token.getNamespaceURI())) { + Element usernameElement = + XMLUtils.getDirectChildElement(token, WSConstants.USERNAME_LN, WSConstants.WSSE_NS); + if (usernameElement != null) { + return XMLUtils.getElementText(usernameElement); + } + } + + // For BinarySecurityTokens take the hash of the value + if (WSConstants.BINARY_TOKEN_LN.equals(token.getLocalName()) + && WSConstants.WSSE_NS.equals(token.getNamespaceURI())) { + String text = XMLUtils.getElementText(token); + if (text != null && !"".equals(text)) { + try { + MessageDigest digest = MessageDigest.getInstance("SHA-256"); + byte[] bytes = digest.digest(text.getBytes()); + return Base64.getMimeEncoder().encodeToString(bytes); + } catch (NoSuchAlgorithmException e) { + // SHA-256 must be supported so not going to happen... + } + } + } } return ""; }
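Review bot: The UsernameToken branch keys the cache on the username alone, so a later UsernameToken naming the same user but carrying a different (or wrong) password or nonce maps to the same entry; unless the lookup path, which is outside this hunk, validates the credential before consulting the cache, a token issued for the first request could be served for the second without the STS ever checking it. Consider deriving the key from the credential material as the BinarySecurityToken branch does, e.g. hashing the username together with the password/nonce element text, or document on `getIdFromToken` that callers must validate the token before treating a cache hit as authoritative. Separately, `text.getBytes()` uses the platform default charset, so the same token can yield different keys on different JVMs; use `text.getBytes(StandardCharsets.UTF_8)`, and `Base64.getEncoder()` suffices since the MIME encoder's line wrapping is never exercised for a 32-byte digest. The empty `catch (NoSuchAlgorithmException e)` silently falls through to the empty-string key, which is shared by every token that matches no branch; rethrowing as `throw new IllegalStateException("SHA-256 unavailable", e);` makes the impossible case visible instead of degrading the key.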