From: coheigea@apache.org To: commits@cxf.apache.org Message-Id: <22fa57070852441d8530b4bcdf3da6e4@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Disable taking a UsernameToken with no password as the security context principal Date: Tue, 4 Apr 2017 07:37:04 +0000 (UTC) archived-at: Tue, 04 Apr 2017 07:37:07 -0000 Repository: cxf Updated Branches: refs/heads/master 2323abc24 -> b77e43f19 Disable taking a UsernameToken with no password as the security context principal Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b77e43f1 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b77e43f1 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b77e43f1 Branch: refs/heads/master Commit: b77e43f19d631d94032740eff6e58f49e0532d29 Parents: 2323abc Author: Colm O hEigeartaigh Authored: Tue Apr 4 08:36:35 2017 +0100 Committer: Colm O hEigeartaigh Committed: Tue Apr 4 08:36:35 2017 +0100 ---------------------------------------------------------------------- .../cxf/rt/security/SecurityConstants.java | 8 +++++ .../cxf/rt/security/utils/SecurityUtils.java | 5 +-- .../DefaultWSS4JSecurityContextCreator.java | 15 +++++--- .../wss4j/StaxSecurityContextInInterceptor.java | 36 ++++++++++++++++---- .../cxf/systest/wssec/examples/ut/server.xml | 1 + .../systest/wssec/examples/ut/stax-server.xml | 1 + .../apache/cxf/systest/ws/ut/server-derived.xml | 7 ++++ .../org/apache/cxf/systest/ws/ut/server.xml | 1 + .../apache/cxf/systest/ws/ut/stax-server.xml | 1 + 9 files changed, 60 insertions(+), 15 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/b77e43f1/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java ---------------------------------------------------------------------- 
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java index c5980c9..8405371 100644 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java +++ b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java @@ -158,6 +158,13 @@ public class SecurityConstants { "security.enable.unsigned-saml-assertion.principal"; /** + * Whether to allow UsernameTokens with no password to be used as SecurityContext Principals. + * The default is false. + */ + public static final String ENABLE_UT_NOPASSWORD_PRINCIPAL = + "security.enable.ut-no-password.principal"; + + /** * Whether to validate the SubjectConfirmation requirements of a received SAML Token * (sender-vouches or holder-of-key). The default is true. */ @@ -345,6 +352,7 @@ public class SecurityConstants { CALLBACK_HANDLER, SAML_CALLBACK_HANDLER, SIGNATURE_PROPERTIES, SIGNATURE_CRYPTO, ENCRYPT_PROPERTIES, ENCRYPT_CRYPTO, ENCRYPT_CERT, ENABLE_REVOCATION, SUBJECT_CERT_CONSTRAINTS, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, + ENABLE_UT_NOPASSWORD_PRINCIPAL, AUDIENCE_RESTRICTION_VALIDATION, SAML_ROLE_ATTRIBUTENAME, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, SC_FROM_JAAS_SUBJECT, STS_TOKEN_USE_CERT_FOR_KEYINFO, STS_TOKEN_DO_CANCEL, CACHE_ISSUED_TOKEN_IN_ENDPOINT, http://git-wip-us.apache.org/repos/asf/cxf/blob/b77e43f1/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java ---------------------------------------------------------------------- diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java index b6c3d42..e5f5cd3 100644 --- a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java +++ b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java 
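Review bot: The Javadoc added for `ENABLE_UT_NOPASSWORD_PRINCIPAL` in the first hunk gives the default but not the reason for the switch or what "not allowed" means at runtime. In the DefaultWSS4JSecurityContextCreator hunk of this commit the disabled case is a `continue` past that result, so the token is only passed over when the principal is chosen; whether the message itself is still accepted is decided elsewhere and is not visible here. I would extend the comment along the lines of `A UsernameToken without a password carries no credential, so by default it is skipped when the SecurityContext principal is selected; enable this only when the username is authenticated by other means.` The second hunk's property list also names `ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL` twice in its context lines, which could be tidied in the same change.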
@@ -183,10 +183,7 @@ public final class SecurityUtils { * values. If none is configured, then the defaultValue parameter is returned. */ public static boolean getSecurityPropertyBoolean(String property, Message message, boolean defaultValue) { - Object value = message.getContextualProperty(property); - if (value == null) { - value = message.getContextualProperty("ws-" + property); - } + Object value = getSecurityPropertyValue(property, message); if (value != null) { return PropertyUtils.isTrue(value); http://git-wip-us.apache.org/repos/asf/cxf/blob/b77e43f1/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java index 0c26338..77708f5 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultWSS4JSecurityContextCreator.java 
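Review bot: `getSecurityPropertyBoolean` now relies on `getSecurityPropertyValue` for the `"ws-" + property` fallback that the removed lines performed inline, and that helper's body is outside this hunk, so the equivalence cannot be confirmed from here. If the helper did not check the prefixed key, an endpoint still configured with a legacy `ws-`-prefixed name would silently get `defaultValue`, and no error would reveal that a security setting was ignored. A short comment on the call, `// getSecurityPropertyValue also checks the legacy "ws-" prefixed key`, together with a unit test that sets only the prefixed key, would pin this down. The method body continues past the end of the hunk.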
@@ -67,11 +67,15 @@ public class DefaultWSS4JSecurityContextCreator implements WSS4JSecurityContextC */ public void createSecurityContext(SoapMessage msg, WSHandlerResult handlerResult) { - String allowUnsigned = - (String)SecurityUtils.getSecurityPropertyValue( - SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, msg + boolean allowUnsignedSamlPrincipals = + SecurityUtils.getSecurityPropertyBoolean( + SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, msg, false ); - boolean allowUnsignedSamlPrincipals = Boolean.parseBoolean(allowUnsigned); + boolean allowUTNoPassword = + SecurityUtils.getSecurityPropertyBoolean( + SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, false + ); + boolean useJAASSubject = true; String useJAASSubjectStr = (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SC_FROM_JAAS_SUBJECT, msg); @@ -82,7 +86,8 @@ public class DefaultWSS4JSecurityContextCreator implements WSS4JSecurityContextC // Now go through the results in a certain order to set up a security context. Highest priority is first. Map> actionResults = handlerResult.getActionResults(); for (Integer resultPriority : securityPriorities) { - if (resultPriority == WSConstants.ST_UNSIGNED && !allowUnsignedSamlPrincipals) { + if ((resultPriority == WSConstants.ST_UNSIGNED && !allowUnsignedSamlPrincipals) + || (resultPriority == WSConstants.UT_NOPASSWORD && !allowUTNoPassword)) { continue; } http://git-wip-us.apache.org/repos/asf/cxf/blob/b77e43f1/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java index ae4cc87..4752198 100644 
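Review bot: The `SC_FROM_JAAS_SUBJECT` lookup in the context lines right after the new flags still does `(String)SecurityUtils.getSecurityPropertyValue(...)`, so of the flags visible in `createSecurityContext` it is now the only one that would fail with a ClassCastException when the property is set as a `Boolean` instead of a string. Reading it the same way, `boolean useJAASSubject = SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.SC_FROM_JAAS_SUBJECT, msg, true);`, keeps the visible default of `true` and would replace the string parsing that the hunk cuts off. Separately, the unsigned-SAML flag moved from `Boolean.parseBoolean` to `PropertyUtils.isTrue`; if the two accept different spellings, an existing configuration could change meaning, which is worth a line in the release notes.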
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java @@ -31,6 +31,7 @@ import org.apache.cxf.binding.soap.SoapVersion; import org.apache.cxf.interceptor.Fault; import org.apache.cxf.interceptor.security.DefaultSecurityContext; import org.apache.cxf.interceptor.security.RolePrefixSecurityContextImpl; +import org.apache.cxf.message.Message; import org.apache.cxf.phase.AbstractPhaseInterceptor; import org.apache.cxf.phase.Phase; import org.apache.cxf.rt.security.claims.ClaimCollection; @@ -101,7 +102,7 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor incomingSecurityEventList, - Event desiredEvent) throws XMLSecurityException { + Event desiredEvent, + Message msg) throws XMLSecurityException { for (SecurityEvent event : incomingSecurityEventList) { if (desiredEvent == event.getSecurityEventType()) { - if (event.getSecurityEventType() == WSSecurityEventConstants.USERNAME_TOKEN) { + if (event.getSecurityEventType() == WSSecurityEventConstants.USERNAME_TOKEN + && isUsernameTokenEventAllowed((UsernameTokenSecurityEvent)event, msg)) { return ((UsernameTokenSecurityEvent)event).getSecurityToken(); } else if (event.getSecurityEventType() == WSSecurityEventConstants.SAML_TOKEN - && isSamlEventSigned((SamlTokenSecurityEvent)event)) { + && isSamlEventAllowed((SamlTokenSecurityEvent)event, msg)) { return ((SamlTokenSecurityEvent)event).getSecurityToken(); } else if (event.getSecurityEventType() == WSSecurityEventConstants.X509Token && isUsedForPublicKeySignature(((X509TokenSecurityEvent)event).getSecurityToken())) { 
@@ -210,14 +213,35 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor 0); } - private boolean isSamlEventSigned(SamlTokenSecurityEvent event) { + private boolean isSamlEventAllowed(SamlTokenSecurityEvent event, Message msg) { if (event == null) { return false; } + boolean allowUnsignedSamlPrincipals = + SecurityUtils.getSecurityPropertyBoolean( + SecurityConstants.ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, msg, false + ); + + // The SAML Assertion must be signed by default return event.getSecurityToken() != null && event.getSecurityToken().getSamlAssertionWrapper() != null - && event.getSecurityToken().getSamlAssertionWrapper().isSigned(); + && (allowUnsignedSamlPrincipals || event.getSecurityToken().getSamlAssertionWrapper().isSigned()); + } + + private boolean isUsernameTokenEventAllowed(UsernameTokenSecurityEvent event, Message msg) { + if (event == null) { + return false; + } + + boolean allowUTNoPassword = + SecurityUtils.getSecurityPropertyBoolean( + SecurityConstants.ENABLE_UT_NOPASSWORD_PRINCIPAL, msg, false + ); + + // The "no password" case is not allowed by default + return event.getSecurityToken() != null + && (allowUTNoPassword || event.getSecurityToken().getPassword() != null); } private SecurityContext createSecurityContext(final Principal p) { http://git-wip-us.apache.org/repos/asf/cxf/blob/b77e43f1/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server.xml b/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server.xml index 8743f06..ba0aaec 100644 --- a/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server.xml +++ b/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server.xml 
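Review bot: `isSamlEventAllowed` changes more than its name: before this hunk the StAX path never took an unsigned SAML assertion as principal, and it now does when `ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL` is true, which the commit subject does not mention. That matches the check in the DefaultWSS4JSecurityContextCreator hunk, but deployments that set the flag and use the streaming interceptor accept more after upgrading, so it belongs in the commit message or migration notes. Both helpers also pass over a token without leaving any trace; a debug-level log line on the `false` path, saying for example that a UsernameToken without a password was not used as principal because `security.enable.ut-no-password.principal` is off, would let operators tell a policy skip from a missing token.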
@@ -32,6 +32,7 @@ + http://git-wip-us.apache.org/repos/asf/cxf/blob/b77e43f1/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/stax-server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/stax-server.xml b/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/stax-server.xml index 2b01229..51ed09e 100644 --- a/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/stax-server.xml +++ b/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/stax-server.xml @@ -33,6 +33,7 @@ + http://git-wip-us.apache.org/repos/asf/cxf/blob/b77e43f1/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server-derived.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server-derived.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server-derived.xml index b2bc65a..d6d366c 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server-derived.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server-derived.xml @@ -28,26 +28,31 @@ + + + + + @@ -55,6 +60,7 @@ + @@ -62,6 +68,7 @@ + http://git-wip-us.apache.org/repos/asf/cxf/blob/b77e43f1/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml index 8f34b6a..0baf7db 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml 
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server.xml @@ -70,6 +70,7 @@ + http://git-wip-us.apache.org/repos/asf/cxf/blob/b77e43f1/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml index 6b9000f..264c87e 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/stax-server.xml @@ -75,6 +75,7 @@ +