cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [cxf] branch master updated: CXF-6443 - CXF streaming-enabled web service cannot process MTOM/XOP-optimized content within a CipherValue element
Date Tue, 01 May 2018 12:37:25 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new 6cb52ca  CXF-6443 - CXF streaming-enabled web service cannot process MTOM/XOP-optimized
content within a CipherValue element
6cb52ca is described below

commit 6cb52ca1ce15fcba47e68bae02d5aaef4c2b5a65
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Tue May 1 12:30:05 2018 +0100

    CXF-6443 - CXF streaming-enabled web service cannot process MTOM/XOP-optimized content
within a CipherValue element
---
 .../ws/security/trust/STSStaxTokenValidator.java   | 48 ++++++++++++++++++++--
 .../cxf/systest/ws/mtom/MTOMSecurityTest.java      | 27 +++++++++++-
 .../org/apache/cxf/systest/ws/mtom/stax-server.xml | 22 ++++++++++
 3 files changed, 92 insertions(+), 5 deletions(-)

diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
index a630530..ffb99e4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
@@ -18,6 +18,9 @@
  */
 package org.apache.cxf.ws.security.trust;
 
+import javax.security.auth.callback.CallbackHandler;
+import javax.xml.bind.JAXBElement;
+
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
@@ -38,9 +41,11 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.token.BinarySecurity;
 import org.apache.wss4j.common.token.PKIPathSecurity;
 import org.apache.wss4j.common.token.X509Security;
+import org.apache.wss4j.common.util.AttachmentUtils;
 import org.apache.wss4j.dom.message.token.KerberosSecurity;
 import org.apache.wss4j.dom.message.token.UsernameToken;
 import org.apache.wss4j.stax.ext.WSSConstants;
+import org.apache.wss4j.stax.ext.WSSSecurityProperties;
 import org.apache.wss4j.stax.impl.securityToken.KerberosServiceSecurityTokenImpl;
 import org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl;
 import org.apache.wss4j.stax.impl.securityToken.UsernameSecurityTokenImpl;
@@ -55,7 +60,9 @@ import org.apache.wss4j.stax.validate.BinarySecurityTokenValidatorImpl;
 import org.apache.wss4j.stax.validate.SamlTokenValidatorImpl;
 import org.apache.wss4j.stax.validate.TokenContext;
 import org.apache.wss4j.stax.validate.UsernameTokenValidator;
+import org.apache.xml.security.binding.xop.Include;
 import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
 import org.apache.xml.security.stax.ext.XMLSecurityUtils;
 import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
 
@@ -421,7 +428,13 @@ public class STSStaxTokenValidator
                         new Object[]{binarySecurityTokenType.getEncodingType()});
             }
 
-            final byte[] securityTokenData = Base64.decodeBase64(binarySecurityTokenType.getValue());
+            byte[] securityTokenData = null;
+            try {
+                securityTokenData =
+                    getBinarySecurityTokenBytes(binarySecurityTokenType, tokenContext.getWssSecurityProperties());
+            } catch (XMLSecurityException e) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
e);
+            }
             final SoapMessage message =
                 (SoapMessage)tokenContext.getWssSecurityProperties().getMsgContext();
 
@@ -436,6 +449,7 @@ public class STSStaxTokenValidator
             final boolean stsValidated = valid;
 
             try {
+                final byte[] bytes = securityTokenData;
                 if (WSSConstants.NS_X509_V3_TYPE.equals(binarySecurityTokenType.getValueType()))
{
                     Crypto crypto = getCrypto(tokenContext.getWssSecurityProperties());
                     X509V3SecurityTokenImpl x509V3SecurityToken = new X509V3SecurityTokenImpl(
@@ -456,7 +470,7 @@ public class STSStaxTokenValidator
                                 super.verify();
                             } catch (XMLSecurityException ex) {
                                 Element tokenElement =
-                                    convertToDOM(binarySecurityTokenType, securityTokenData);
+                                    convertToDOM(binarySecurityTokenType, bytes);
                                 validateTokenToSTS(tokenElement, message);
                             }
                         }
@@ -485,7 +499,7 @@ public class STSStaxTokenValidator
                                     super.verify();
                                 } catch (XMLSecurityException ex) {
                                     Element tokenElement =
-                                        convertToDOM(binarySecurityTokenType, securityTokenData);
+                                        convertToDOM(binarySecurityTokenType, bytes);
                                     validateTokenToSTS(tokenElement, message);
                                 }
                             }
@@ -512,7 +526,7 @@ public class STSStaxTokenValidator
                                     super.verify();
                                 } catch (XMLSecurityException ex) {
                                     Element tokenElement =
-                                        convertToDOM(binarySecurityTokenType, securityTokenData);
+                                        convertToDOM(binarySecurityTokenType, bytes);
                                     validateTokenToSTS(tokenElement, message);
                                 }
                             }
@@ -530,6 +544,32 @@ public class STSStaxTokenValidator
             }
         }
 
+        private byte[] getBinarySecurityTokenBytes(BinarySecurityTokenType binarySecurityTokenType,
+                                                   WSSSecurityProperties wssSecurityProperties
+        ) throws XMLSecurityException {
+
+            StringBuilder sb = new StringBuilder();
+
+            for (Object obj : binarySecurityTokenType.getContent()) {
+                if (obj instanceof String) {
+                    sb.append((String)obj);
+                } else if (obj instanceof JAXBElement<?>) {
+                    JAXBElement<?> element = (JAXBElement<?>)obj;
+                    if (XMLSecurityConstants.TAG_XOP_INCLUDE.equals(element.getName())) {
+                        Include include = (Include)element.getValue();
+                        if (include != null && include.getHref() != null &&
include.getHref().startsWith("cid:")) {
+                            CallbackHandler callbackHandler = wssSecurityProperties.getAttachmentCallbackHandler();
+                            return AttachmentUtils.getBytesFromAttachment(include.getHref(),
+                                                                          callbackHandler,
+                                                                          true);
+                        }
+                    }
+                }
+            }
+
+            return Base64.decodeBase64(sb.toString());
+        }
+
         // Convert to DOM to send the token to the STS
         private Element convertToDOM(
             BinarySecurityTokenType binarySecurityTokenType,
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java
index bf0d448..e4bd138 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java
@@ -228,6 +228,32 @@ public class MTOMSecurityTest extends AbstractBusClientServerTestBase
{
     }
 
     @org.junit.Test
+    public void testAsymmetricBinaryBytesInAttachmentStAX() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = MTOMSecurityTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        BusFactory.setDefaultBus(bus);
+        BusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = MTOMSecurityTest.class.getResource("DoubleItMtom.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricBinaryPort");
+        DoubleItMtomPortType port =
+                service.getPort(portQName, DoubleItMtomPortType.class);
+        updateAddressPort(port, STAX_PORT);
+
+        DataSource source = new FileDataSource(new File("src/test/resources/java.jpg"));
+        DoubleIt4 doubleIt = new DoubleIt4();
+        doubleIt.setNumberToDouble(25);
+        assertEquals(50, port.doubleIt4(25, new DataHandler(source)));
+
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+
+    @org.junit.Test
     public void testAsymmetricBinaryEncryptBeforeSigningBytesInAttachment() throws Exception
{
 
         SpringBusFactory bf = new SpringBusFactory();
@@ -280,7 +306,6 @@ public class MTOMSecurityTest extends AbstractBusClientServerTestBase
{
     }
 
     @org.junit.Test
-    @org.junit.Ignore
     public void testSymmetricBinaryBytesInAttachmentStAX() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/stax-server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/stax-server.xml
index 7cef94d..14c2458 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/stax-server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/stax-server.xml
@@ -26,6 +26,28 @@
         </cxf:features>
     </cxf:bus>
 
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricBinary"
address="http://localhost:${testutil.ports.mtom.StaxServer}/DoubleItX509AsymmetricBinary"
serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricBinaryPort" implementor="org.apache.cxf.systest.ws.mtom.DoubleIt4Impl"
wsdlLocation="org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl">
+        <jaxws:properties>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="security.signature.properties" value="bob.properties"/>
+            <entry key="security.encryption.properties" value="alice.properties"/>
+            <entry key="security.encryption.username" value="alice"/>
+            <entry key="mtom-enabled" value="true"/>
+            <entry key="ws-security.enable.streaming" value="true"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricBinaryEncryptBeforeSigning"
address="http://localhost:${testutil.ports.mtom.StaxServer}/DoubleItX509AsymmetricBinaryEncryptBeforeSigning"
serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricBinaryEncryptBeforeSigningPort"
implementor="org.apache.cxf.systest.ws.mtom.DoubleIt4Impl" wsdlLocation="org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl">
+        <jaxws:properties>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="security.signature.properties" value="bob.properties"/>
+            <entry key="security.encryption.properties" value="alice.properties"/>
+            <entry key="security.encryption.username" value="alice"/>
+            <entry key="mtom-enabled" value="true"/>
+            <entry key="ws-security.enable.streaming" value="true"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricBinary"
address="http://localhost:${testutil.ports.mtom.StaxServer}/DoubleItX509SymmetricBinary" serviceName="s:DoubleItService"
endpointName="s:DoubleItSymmetricBinaryPort" implementor="org.apache.cxf.systest.ws.mtom.DoubleIt4Impl"
wsdlLocation="org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl">
         <jaxws:properties>
             <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>

-- 
To stop receiving notification emails like this one, please contact
coheigea@apache.org.

Mime
View raw message