From e..@apache.org
Subject [cxf] branch 3.2.x-fixes updated: [CXF-7984]:UsernameTokenInterceptor doesn't respect contextual property 'allowNamespaceQualifiedPasswordTypes'
Date Thu, 28 Feb 2019 09:51:25 GMT
This is an automated email from the ASF dual-hosted git repository.

ema pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/3.2.x-fixes by this push:
     new c75bc5d  [CXF-7984]:UsernameTokenInterceptor doesn't respect contextual property
'allowNamespaceQualifiedPasswordTypes'
c75bc5d is described below

commit c75bc5d388ef748854a6bdcca594711dafd09318
Author: Jim Ma <ema@apache.org>
AuthorDate: Thu Feb 28 17:25:22 2019 +0800

    [CXF-7984]:UsernameTokenInterceptor doesn't respect contextual property 'allowNamespaceQualifiedPasswordTypes'
---
 .../ws/security/wss4j/UsernameTokenInterceptor.java    | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
index dfb1108..c8db905 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
@@ -49,6 +49,7 @@ import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
+import org.apache.wss4j.common.ConfigurationConstants;
 import org.apache.wss4j.common.WSS4JConstants;
 import org.apache.wss4j.common.bsp.BSPEnforcer;
 import org.apache.wss4j.common.cache.ReplayCache;
@@ -99,6 +100,7 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor
{
                 && WSS4JConstants.WSSE_NS.equals(child.getNamespaceURI())) {
                 try {
                     boolean bspCompliant = isWsiBSPCompliant(message);
+                    boolean allowNSPasswdTypes = allowNamespaceQualifiedPWDTypes(message);
                     Principal principal = null;
                     Subject subject = null;
                     Object transformedToken = null;
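Review bot: The new local `allowNSPasswdTypes` is a third spelling of one concept: the helper it calls is `allowNamespaceQualifiedPWDTypes` and the WSS4J property it reads is `allowNamespaceQualifiedPasswordTypes`, which makes the path from configuration key to code harder to grep than it needs to be. Spelling the local after the property, `boolean allowNamespaceQualifiedPasswordTypes = isAllowNamespaceQualifiedPasswordTypes(message);`, and naming the helper with the `is` prefix matches the neighbouring `isWsiBSPCompliant(message)` and `isAllowNoPassword(aim)`; the same applies to the parameter added in the parseTokenAndCreatePrincipal hunk and to the helper in the last hunk. The enclosing method starts outside this hunk.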
@@ -109,10 +111,10 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor
{
                         transformedToken = result.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
                         principal = (Principal)result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
                         if (principal == null) {
-                            principal = parseTokenAndCreatePrincipal(child, bspCompliant);
+                            principal = parseTokenAndCreatePrincipal(child, bspCompliant,
allowNSPasswdTypes);
                         }
                     } else {
-                        principal = parseTokenAndCreatePrincipal(child, bspCompliant);
+                        principal = parseTokenAndCreatePrincipal(child, bspCompliant, allowNSPasswdTypes);
                         WSS4JTokenConverter.convertToken(message, principal);
                     }
 
@@ -237,11 +239,13 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor
{
         }
     }
 
-    protected UsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement, boolean
bspCompliant)
+    protected UsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement, boolean
bspCompliant,
+                                                                  boolean allowNamespaceQualifiedPWDTypes)
         throws WSSecurityException, Base64DecodingException {
         BSPEnforcer bspEnforcer = new org.apache.wss4j.common.bsp.BSPEnforcer(!bspCompliant);
         org.apache.wss4j.dom.message.token.UsernameToken ut =
-            new org.apache.wss4j.dom.message.token.UsernameToken(tokenElement, false, bspEnforcer);
+            new org.apache.wss4j.dom.message.token.UsernameToken(tokenElement, allowNamespaceQualifiedPWDTypes,

+                                                                 bspEnforcer);
 
         WSUsernameTokenPrincipalImpl principal = new WSUsernameTokenPrincipalImpl(ut.getName(),
ut.isHashed());
         if (ut.getNonce() != null) {
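Review bot: Replacing the two-argument signature of the `protected` `parseTokenAndCreatePrincipal` on a fixes branch silently disconnects any subclass that overrides the old form, because the call sites in the earlier hunk now invoke only the three-argument method and such an override compiles but is never reached. Keeping the two-argument method as a delegating overload, with the old signature and `throws` clause and a body of `return parseTokenAndCreatePrincipal(tokenElement, bspCompliant, false);`, preserves that contract, and `false` reproduces the value the removed constructor call hard-coded. The method body continues past the end of the hunk.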
@@ -259,7 +263,11 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor
{
         // Default to WSI-BSP compliance enabled
         return !("false".equals(bspc) || "0".equals(bspc));
     }
-
+    private boolean allowNamespaceQualifiedPWDTypes(final SoapMessage message) {
+        String allow = (String)message
+            .getContextualProperty(ConfigurationConstants.ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES);
+        return !("false".equals(allow) || "0".equals(allow));
+    }
     private boolean isAllowNoPassword(AssertionInfoMap aim) throws WSSecurityException {
         Collection<AssertionInfo> ais =
             PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
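Review bot: `allowNamespaceQualifiedPWDTypes` inverts the previous default: the removed constructor call passed a hard-coded `false`, while the new helper returns `true` whenever the property is unset, so every deployment that never configured `allowNamespaceQualifiedPasswordTypes` starts accepting namespace-qualified password types after a patch-level upgrade (and, as far as I recall, WSS4J's own default for this setting is `false`). If the intent is only to honour the property, the conservative form is `return "true".equals(allow) || "1".equals(allow);`, which keeps the old behaviour unless an operator opts in; if the relaxed default is deliberate, it deserves a comment such as `// Defaults to allowing namespace-qualified password types; set the property to "false" or "0" to reject them` and a mention in the commit message. Separately, the `(String)` cast throws ClassCastException when the property is set as a Boolean, which `MessageUtils.getContextualBoolean(message, key, defaultValue)` would avoid, and the dropped blank line leaves the new method touching `isAllowNoPassword`.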

