ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1151127 - in /webservices/wss4j/trunk/src/main/java/org/apache/ws/security: ./ message/ message/token/ processor/ saml/ transform/ util/ validate/
Date Tue, 26 Jul 2011 15:11:06 GMT
Author: coheigea
Date: Tue Jul 26 15:11:05 2011
New Revision: 1151127

URL: http://svn.apache.org/viewvc?rev=1151127&view=rev
Log:
[WSS-301] - WSS4J 1.6 incorrectly using XML-Security ResourceResolvers

Removed:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/DOMURIDereferencer.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/EnvelopeIdResolver.java
Modified:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDKSign.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/transform/STRTransform.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java Tue Jul 26
15:11:05 2011
@@ -34,6 +34,7 @@ package org.apache.ws.security;
 
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.message.CallbackLookup;
+import org.apache.ws.security.util.WSSecurityUtil;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -41,6 +42,8 @@ import org.w3c.dom.Element;
 import java.util.ArrayList;
 import java.util.List;
 
+import javax.xml.crypto.dom.DOMCryptoContext;
+
 public class WSDocInfo {
     private Document doc = null;
     private Crypto crypto = null;
@@ -163,6 +166,18 @@ public class WSDocInfo {
         }
         return null;
     }
+
+    /**
+     * Set all stored tokens on the DOMCryptoContext argument
+     * @param context
+     */
+    public void setTokensOnContext(DOMCryptoContext context) {
+        if (tokenList != null) {
+            for (Element elem : tokenList) {
+                WSSecurityUtil.storeElementInContext(context, elem);
+            }
+        }
+    }
     
     /**
      * Store a protection element for later retrieval. This is only used for the 

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDKSign.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDKSign.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDKSign.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecDKSign.java
Tue Jul 26 15:11:05 2011
@@ -36,7 +36,6 @@ import org.w3c.dom.Element;
 import java.util.ArrayList;
 import java.util.List;
 
-import javax.xml.crypto.URIDereferencer;
 import javax.xml.crypto.XMLStructure;
 import javax.xml.crypto.dom.DOMStructure;
 import javax.xml.crypto.dsig.CanonicalizationMethod;
@@ -269,11 +268,15 @@ public class WSSecDKSign extends WSSecDe
                     WSConstants.C14N_EXCL_OMIT_COMMENTS_PREFIX
                 );
             }
-            URIDereferencer dereferencer = new DOMURIDereferencer();
             signContext.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, wsDocInfo);
             wsDocInfo.setCallbackLookup(callbackLookup);
-            ((DOMURIDereferencer)dereferencer).setWsDocInfo(wsDocInfo);
-            signContext.setURIDereferencer(dereferencer);
+            
+            // Add the elements to sign to the Signature Context
+            wsDocInfo.setTokensOnContext((DOMSignContext)signContext);
+            if (secRef != null && secRef.getElement() != null) {
+                WSSecurityUtil.storeElementInContext((DOMSignContext)signContext, secRef.getElement());
+            }
+            
             sig.sign(signContext);
             
             signatureValue = sig.getSignatureValue().getValue();

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecSignature.java
Tue Jul 26 15:11:05 2011
@@ -46,7 +46,6 @@ import java.security.cert.X509Certificat
 import java.util.ArrayList;
 import java.util.List;
 
-import javax.xml.crypto.URIDereferencer;
 import javax.xml.crypto.XMLStructure;
 import javax.xml.crypto.dom.DOMStructure;
 import javax.xml.crypto.dsig.CanonicalizationMethod;
@@ -520,9 +519,12 @@ public class WSSecSignature extends WSSe
             }
             signContext.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, wsDocInfo);
             wsDocInfo.setCallbackLookup(callbackLookup);
-            URIDereferencer dereferencer = new DOMURIDereferencer();
-            ((DOMURIDereferencer)dereferencer).setWsDocInfo(wsDocInfo);
-            signContext.setURIDereferencer(dereferencer);
+            
+            // Add the elements to sign to the Signature Context
+            wsDocInfo.setTokensOnContext((DOMSignContext)signContext);
+            if (secRef != null && secRef.getElement() != null) {
+                WSSecurityUtil.storeElementInContext((DOMSignContext)signContext, secRef.getElement());
+            }
             sig.sign(signContext);
             
             signatureValue = sig.getSignatureValue().getValue();
@@ -534,7 +536,6 @@ public class WSSecSignature extends WSSe
         }
     }
     
-    
     /**
      * Set the single cert flag.
      * 

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/KerberosSecurity.java
Tue Jul 26 15:11:05 2011
@@ -155,7 +155,7 @@ public class KerberosSecurity extends Bi
         // Get the service ticket
         KerberosClientAction action = 
             new KerberosClientAction(clientPrincipals.iterator().next(), serviceName);
-        byte[] ticket = Subject.doAs(clientSubject, action);
+        byte[] ticket = (byte[])Subject.doAs(clientSubject, action);
         if (ticket == null) {
             throw new WSSecurityException(
                 WSSecurityException.FAILURE, "kerberosServiceTicketError"

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/SignatureProcessor.java
Tue Jul 26 15:11:05 2011
@@ -32,7 +32,6 @@ import org.apache.ws.security.components
 import org.apache.ws.security.components.crypto.CryptoType;
 import org.apache.ws.security.handler.RequestData;
 import org.apache.ws.security.message.DOMCallbackLookup;
-import org.apache.ws.security.message.DOMURIDereferencer;
 import org.apache.ws.security.message.CallbackLookup;
 import org.apache.ws.security.message.token.SecurityTokenReference;
 import org.apache.ws.security.str.STRParser;
@@ -50,7 +49,6 @@ import org.w3c.dom.Node;
 
 import javax.xml.crypto.MarshalException;
 import javax.xml.crypto.NodeSetData;
-import javax.xml.crypto.URIDereferencer;
 import javax.xml.crypto.XMLStructure;
 import javax.xml.crypto.dom.DOMStructure;
 import javax.xml.crypto.dsig.Reference;
@@ -342,12 +340,11 @@ public class SignatureProcessor implemen
         
         XMLValidateContext context = new DOMValidateContext(key, elem);
         context.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
-        URIDereferencer dereferencer = new DOMURIDereferencer();
-        ((DOMURIDereferencer)dereferencer).setWsDocInfo(wsDocInfo);
-        context.setURIDereferencer(dereferencer);
         context.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, wsDocInfo);
+        
         try {
             XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
+            setElementsOnContext(xmlSignature, (DOMValidateContext)context, wsDocInfo, elem.getOwnerDocument());
             boolean signatureOk = xmlSignature.validate(context);
             if (signatureOk) {
                 return xmlSignature;
@@ -380,6 +377,38 @@ public class SignatureProcessor implemen
         throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
     }
     
+    /**
+     * Retrieve the Reference elements and set them on the ValidateContext
+     * @param xmlSignature the XMLSignature object to get the references from
+     * @param context the ValidateContext
+     * @param wsDocInfo the WSDocInfo object where tokens are stored
+     * @param doc the owner document from which to find elements
+     * @throws WSSecurityException
+     */
+    private void setElementsOnContext(
+        XMLSignature xmlSignature, 
+        DOMValidateContext context,
+        WSDocInfo wsDocInfo,
+        Document doc
+    ) throws WSSecurityException {
+        java.util.Iterator<?> referenceIterator = 
+            xmlSignature.getSignedInfo().getReferences().iterator();
+        CallbackLookup callbackLookup = wsDocInfo.getCallbackLookup();
+        if (callbackLookup == null) {
+            callbackLookup = new DOMCallbackLookup(doc);
+        }
+        while (referenceIterator.hasNext()) {
+            Reference reference = (Reference)referenceIterator.next();
+            String uri = reference.getURI();
+            Element element = callbackLookup.getElement(uri, null, true);
+            if (element == null) {
+                element = wsDocInfo.getTokenElement(uri);
+            }
+            if (element != null) {
+                WSSecurityUtil.storeElementInContext(((DOMValidateContext)context), element);
+            }
+        }
+    }
     
     /**
      * Get the signature method algorithm URI from the associated signature element.

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/saml/WSSecSignatureSAML.java
Tue Jul 26 15:11:05 2011
@@ -27,7 +27,6 @@ import org.apache.ws.security.WSSecurity
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.components.crypto.CryptoType;
 import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.message.DOMURIDereferencer;
 import org.apache.ws.security.message.WSSecHeader;
 import org.apache.ws.security.message.WSSecSignature;
 import org.apache.ws.security.message.token.Reference;
@@ -46,7 +45,6 @@ import java.security.cert.X509Certificat
 import java.util.ArrayList;
 import java.util.List;
 
-import javax.xml.crypto.URIDereferencer;
 import javax.xml.crypto.XMLStructure;
 import javax.xml.crypto.dom.DOMStructure;
 import javax.xml.crypto.dsig.SignatureMethod;
@@ -518,9 +516,16 @@ public class WSSecSignatureSAML extends 
             }
             signContext.setProperty(STRTransform.TRANSFORM_WS_DOC_INFO, wsDocInfo);
             wsDocInfo.setCallbackLookup(callbackLookup);
-            URIDereferencer dereferencer = new DOMURIDereferencer();
-            ((DOMURIDereferencer)dereferencer).setWsDocInfo(wsDocInfo);
-            signContext.setURIDereferencer(dereferencer);
+            
+            // Add the elements to sign to the Signature Context
+            wsDocInfo.setTokensOnContext((DOMSignContext)signContext);
+
+            if (secRefSaml != null && secRefSaml.getElement() != null) {
+                WSSecurityUtil.storeElementInContext((DOMSignContext)signContext, secRefSaml.getElement());
+            }
+            if (secRef != null && secRef.getElement() != null) {
+                WSSecurityUtil.storeElementInContext((DOMSignContext)signContext, secRef.getElement());
+            }
             sig.sign(signContext);
             
             signatureValue = sig.getSignatureValue().getValue();

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/transform/STRTransform.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/transform/STRTransform.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/transform/STRTransform.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/transform/STRTransform.java
Tue Jul 26 15:11:05 2011
@@ -29,20 +29,19 @@ import org.apache.ws.security.util.WSSec
 import org.apache.xml.security.c14n.Canonicalizer;
 import org.apache.xml.security.signature.XMLSignatureInput;
 
-import org.jcp.xml.dsig.internal.dom.ApacheData;
-import org.jcp.xml.dsig.internal.dom.DOMSubTreeData;
-import org.jcp.xml.dsig.internal.dom.DOMUtils;
-
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
+import org.w3c.dom.Node;
 
 import java.io.ByteArrayOutputStream;
 import java.io.OutputStream;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.Iterator;
 
 import javax.xml.crypto.Data;
 import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.NodeSetData;
 import javax.xml.crypto.OctetStreamData;
 import javax.xml.crypto.XMLCryptoContext;
 import javax.xml.crypto.XMLStructure;
@@ -98,7 +97,7 @@ public class STRTransform extends Transf
         }
         Element transformElement2 = (Element) 
             ((javax.xml.crypto.dom.DOMStructure) parent).getNode();
-        DOMUtils.appendChild(transformElement2, transformElement);
+        appendChild(transformElement2, transformElement);
         transformElement = transformElement2;
     }
 
@@ -143,33 +142,31 @@ public class STRTransform extends Transf
         }
         try {
             //
-            // Get the input (node) to transform. Currently we support only an
-            // Element as input format. If other formats are required we must
-            // get it as bytes and probably reparse it into a DOM tree (How to
-            // work with nodesets? how to select the right node from a nodeset?)
-            //
-            XMLSignatureInput xmlSignatureInput = null;
-            if (data instanceof ApacheData) {
-                xmlSignatureInput = ((ApacheData) data).getXMLSignatureInput();
-            } else if (data instanceof DOMSubTreeData) {
-                DOMSubTreeData subTree = (DOMSubTreeData) data;
-                xmlSignatureInput = new XMLSignatureInput(subTree.getRoot());
-                xmlSignatureInput.setExcludeComments(subTree.excludeComments());
+            // Get the input (node) to transform. 
+            //
+            Element str = null;
+            if (data instanceof NodeSetData) {
+                NodeSetData nodeSetData = (NodeSetData)data;
+                Iterator<?> iterator = nodeSetData.iterator();
+                while (iterator.hasNext()) {
+                    Node node = (Node)iterator.next();
+                    if (node instanceof Element && "SecurityTokenReference".equals(node.getLocalName()))
{
+                        str = (Element)node;
+                        break;
+                    }
+                }
             } else {
                 try {
-                    xmlSignatureInput = 
+                    XMLSignatureInput xmlSignatureInput = 
                         new XMLSignatureInput(((OctetStreamData)data).getOctetStream());
+                    str = (Element)xmlSignatureInput.getSubNode();
                 } catch (Exception ex) {
                     throw new TransformException(ex);
                 }
             }
-            
-            if (!xmlSignatureInput.isElement()) {
-                throw new TransformException(
-                    "Wrong input format - only element input supported"
-                );
+            if (str == null) {
+                throw new TransformException("No SecurityTokenReference found");
             }
-            Element str = (Element)xmlSignatureInput.getSubNode();
             //
             // The element to transform MUST be a SecurityTokenReference
             // element.
@@ -276,5 +273,19 @@ public class STRTransform extends Transf
             return false;
         }
     }
+    
+    private static void appendChild(Node parent, Node child) {
+        Document ownerDoc = null;
+        if (parent.getNodeType() == Node.DOCUMENT_NODE) {
+            ownerDoc = (Document)parent;
+        } else {
+            ownerDoc = parent.getOwnerDocument();
+        }
+        if (child.getOwnerDocument() != ownerDoc) {
+            parent.appendChild(ownerDoc.importNode(child, true));
+        } else {
+            parent.appendChild(child);
+        }
+    }
 
 }

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
Tue Jul 26 15:11:05 2011
@@ -42,6 +42,7 @@ import javax.crypto.Cipher;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
+import javax.xml.crypto.dom.DOMCryptoContext;
 import javax.xml.namespace.QName;
 
 import java.security.MessageDigest;
@@ -1205,4 +1206,23 @@ public class WSSecurityUtil {
         return ret;
     }
     
+    /**
+     * Store the element argument in the DOM Crypto Context if it has one of the standard
+     * "Id" attributes.
+     */
+    public static void storeElementInContext(DOMCryptoContext context, Element element) {
+        if (element.hasAttributeNS(WSConstants.WSU_NS, "Id")) {
+            context.setIdAttributeNS(element, WSConstants.WSU_NS, "Id");
+        }
+        if (element.hasAttributeNS(null, "Id")) {
+    	    context.setIdAttributeNS(element, null, "Id");
+        }
+        if (element.hasAttributeNS(null, "ID")) {
+            context.setIdAttributeNS(element, null, "ID");
+        }
+        if (element.hasAttributeNS(null, "AssertionID")) {
+            context.setIdAttributeNS(element, null, "AssertionID");
+        }
+    }
+    
 }

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java?rev=1151127&r1=1151126&r2=1151127&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/KerberosTokenValidator.java
Tue Jul 26 15:11:05 2011
@@ -148,7 +148,7 @@ public class KerberosTokenValidator impl
         
         // Validate the ticket
         KerberosServiceAction action = new KerberosServiceAction(token, service);
-        Principal principal = Subject.doAs(subject, action);
+        Principal principal = (Principal)Subject.doAs(subject, action);
         if (principal == null) {
             throw new WSSecurityException(
                 WSSecurityException.FAILURE, "kerberosTicketValidationError"



Mime
View raw message