ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gi...@apache.org
Subject svn commit: r1384479 - in /webservices/wss4j/trunk: ws-security-common/src/main/java/org/apache/ws/security/common/ext/ ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/ ws-security-stax/src/main/java/org/apache/ws/security...
Date Thu, 13 Sep 2012 19:18:49 GMT
Author: giger
Date: Thu Sep 13 19:18:49 2012
New Revision: 1384479

URL: http://svn.apache.org/viewvc?rev=1384479&view=rev
Log:
SANTUARIO-327 - secure validation 

Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/ext/WSSecurityException.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/ext/WSSecurityException.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/ext/WSSecurityException.java?rev=1384479&r1=1384478&r2=1384479&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/ext/WSSecurityException.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/ws/security/common/ext/WSSecurityException.java
Thu Sep 13 19:18:49 2012
@@ -286,7 +286,11 @@ public class WSSecurityException extends
                 msg = xmlsecResources.getString(errorCodeString);
             }
             if (msgId != null) {
-                return msg += (" (" + MessageFormat.format(resources.getString(msgId), arguments)
+ ")");
+                if (resources.containsKey(msgId)) {
+                    return msg += (" (" + MessageFormat.format(resources.getString(msgId),
arguments) + ")");
+                } else {
+                    return msg += (" (" + MessageFormat.format(xmlsecResources.getString(msgId),
arguments) + ")");
+                }
             }
         } catch (MissingResourceException e) {
             throw new RuntimeException("Undefined '" + msgId + "' resource property", e);

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java?rev=1384479&r1=1384478&r2=1384479&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java
Thu Sep 13 19:18:49 2012
@@ -18,6 +18,8 @@
  */
 package org.apache.ws.security.policy.stax.test;
 
+import org.apache.ws.security.stax.WSSec;
+import org.apache.xml.security.stax.config.Init;
 import org.opensaml.common.SAMLVersion;
 import org.apache.ws.security.common.ext.WSSecurityException;
 import org.apache.ws.security.common.saml.builder.SAML2Constants;
@@ -1207,6 +1209,8 @@ public class AsymmetricBindingIntegratio
         inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
 
         try {
+            Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());
+            switchAllowMD5Algorithm(true);
             Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()),
policyEnforcer);
 
             //read the whole stream:
@@ -1225,6 +1229,8 @@ public class AsymmetricBindingIntegratio
             Assert.assertEquals(e.getCause().getMessage(), "An error was discovered processing
the <wsse:Security> header; nested exception is: \n" +
                     "\torg.apache.ws.security.policy.stax.PolicyViolationException: \n" +
                     "Digest algorithm http://www.w3.org/2001/04/xmldsig-more#md5 does not
meet policy");
+        } finally {
+            switchAllowMD5Algorithm(false);
         }
     }
 

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java?rev=1384479&r1=1384478&r2=1384479&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/TransportBindingIntegrationTest.java
Thu Sep 13 19:18:49 2012
@@ -22,11 +22,13 @@ import org.apache.ws.security.common.bsp
 import org.apache.ws.security.common.ext.WSSecurityException;
 import org.apache.ws.security.policy.stax.PolicyEnforcer;
 import org.apache.ws.security.policy.stax.PolicyInputProcessor;
+import org.apache.ws.security.stax.WSSec;
 import org.apache.ws.security.stax.ext.WSSConstants;
 import org.apache.ws.security.stax.ext.WSSSecurityProperties;
 import org.apache.ws.security.stax.impl.securityToken.HttpsSecurityToken;
 import org.apache.ws.security.stax.securityEvent.HttpsTokenSecurityEvent;
 import org.apache.ws.security.stax.test.CallbackHandlerImpl;
+import org.apache.xml.security.stax.config.Init;
 import org.apache.xml.security.stax.ext.SecurePart;
 import org.apache.xml.security.stax.ext.SecurityToken;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
@@ -1168,6 +1170,8 @@ public class TransportBindingIntegration
         securityEventList.add(httpsTokenSecurityEvent);
 
         try {
+            Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());
+            switchAllowMD5Algorithm(true);
             Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()),
securityEventList, policyEnforcer);
 
             //read the whole stream:
@@ -1186,6 +1190,8 @@ public class TransportBindingIntegration
             Assert.assertEquals(e.getCause().getMessage(), "An error was discovered processing
the <wsse:Security> header; nested exception is: \n" +
                     "\torg.apache.ws.security.policy.stax.PolicyViolationException: \n" +
                     "Digest algorithm http://www.w3.org/2001/04/xmldsig-more#md5 does not
meet policy");
+        } finally {
+            switchAllowMD5Algorithm(false);
         }
     }
 

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java?rev=1384479&r1=1384478&r2=1384479&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureReferenceVerifyInputProcessor.java
Thu Sep 13 19:18:49 2012
@@ -218,6 +218,13 @@ public class WSSSignatureReferenceVerify
         }
         List<TransformType> transformTypeList = referenceType.getTransforms().getTransform();
 
+        if (transformTypeList.size() > maximumAllowedTransformsPerReference) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY,
+                    "secureProcessing.MaximumAllowedTransformsPerReference",
+                    transformTypeList.size(),
+                    maximumAllowedTransformsPerReference);
+        }
+
         String algorithm = null;
         Transformer parentTransformer = null;
         for (int i = transformTypeList.size() - 1; i >= 0; i--) {

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java?rev=1384479&r1=1384478&r2=1384479&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java
Thu Sep 13 19:18:49 2012
@@ -41,6 +41,10 @@ import org.apache.ws.security.stax.test.
 import org.apache.ws.security.stax.test.utils.StAX2DOM;
 import org.apache.ws.security.stax.test.utils.XmlReaderToWriter;
 import org.apache.xml.security.stax.ext.XMLSecurityException;
+import org.apache.xml.security.stax.impl.SecurityContextImpl;
+import org.apache.xml.security.stax.impl.processor.input.AbstractDecryptInputProcessor;
+import org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor;
+import org.apache.xml.security.stax.impl.processor.input.XMLEventReaderInputProcessor;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
@@ -64,6 +68,8 @@ import javax.xml.xpath.XPathExpressionEx
 import javax.xml.xpath.XPathFactory;
 import java.io.ByteArrayOutputStream;
 import java.io.InputStream;
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
 import java.util.*;
 import java.util.logging.Level;
 import java.util.logging.LogManager;
@@ -656,4 +662,84 @@ public abstract class AbstractTestBase {
             }
         }
     }
+
+    //sometimes I really like reflection. We can fix jdk bugs which will never be fixed,
we can do other funny things and
+    //we can also change "private static final" fields for testing:-)
+    //But keep in mind that this only works for Objects and not primitive types. Primitive
types will be inlined...
+    public static void switchAllowNotSameDocumentReferences(Boolean value) throws NoSuchFieldException,
IllegalAccessException {
+
+        Field field = AbstractSignatureReferenceVerifyInputProcessor.class.getDeclaredField("allowNotSameDocumentReferences");
+        field.setAccessible(true);
+
+        Field modifiersField = Field.class.getDeclaredField("modifiers");
+        modifiersField.setAccessible(true);
+        modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
+
+        field.set(null, value);
+    }
+
+    public static void switchDoNotThrowExceptionForManifests(Boolean value) throws NoSuchFieldException,
IllegalAccessException {
+        Field field = AbstractSignatureReferenceVerifyInputProcessor.class.getDeclaredField("doNotThrowExceptionForManifests");
+        field.setAccessible(true);
+
+        Field modifiersField = Field.class.getDeclaredField("modifiers");
+        modifiersField.setAccessible(true);
+        modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
+
+        field.set(null, value);
+    }
+
+    public static int changeValueOfMaximumAllowedReferencesPerManifest(Integer value) throws
NoSuchFieldException, IllegalAccessException {
+        Field field = AbstractSignatureReferenceVerifyInputProcessor.class.getDeclaredField("maximumAllowedReferencesPerManifest");
+        field.setAccessible(true);
+
+        Field modifiersField = Field.class.getDeclaredField("modifiers");
+        modifiersField.setAccessible(true);
+        modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
+
+        Integer oldval = (Integer)field.get(null);
+        field.set(null, value);
+        return oldval;
+    }
+
+    public static int changeValueOfMaximumAllowedTransformsPerReference(Integer value) throws
NoSuchFieldException, IllegalAccessException {
+        Field field = AbstractSignatureReferenceVerifyInputProcessor.class.getDeclaredField("maximumAllowedTransformsPerReference");
+        field.setAccessible(true);
+
+        Field modifiersField = Field.class.getDeclaredField("modifiers");
+        modifiersField.setAccessible(true);
+        modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
+
+        Integer oldval = (Integer)field.get(null);
+        field.set(null, value);
+        return oldval;
+    }
+
+    public static void switchAllowMD5Algorithm(Boolean value) throws NoSuchFieldException,
IllegalAccessException {
+        Field field = SecurityContextImpl.class.getDeclaredField("allowMD5Algorithm");
+        field.setAccessible(true);
+
+        Field modifiersField = Field.class.getDeclaredField("modifiers");
+        modifiersField.setAccessible(true);
+        modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
+
+        field.set(null, value);
+    }
+
+    public static int changeValueOfMaximumAllowedXMLStructureDepth(Integer value) throws
NoSuchFieldException, IllegalAccessException {
+        Field xmlEventReaderInputProcessorField = XMLEventReaderInputProcessor.class.getDeclaredField("maximumAllowedXMLStructureDepth");
+        xmlEventReaderInputProcessorField.setAccessible(true);
+        Field abstractDecryptInputProcessorField = AbstractDecryptInputProcessor.class.getDeclaredField("maximumAllowedXMLStructureDepth");
+        abstractDecryptInputProcessorField.setAccessible(true);
+
+        Field modifiersField = Field.class.getDeclaredField("modifiers");
+        modifiersField.setAccessible(true);
+        modifiersField.setInt(xmlEventReaderInputProcessorField, xmlEventReaderInputProcessorField.getModifiers()
& ~Modifier.FINAL);
+        modifiersField.setInt(abstractDecryptInputProcessorField, abstractDecryptInputProcessorField.getModifiers()
& ~Modifier.FINAL);
+
+        Integer oldval = (Integer)xmlEventReaderInputProcessorField.get(null);
+        xmlEventReaderInputProcessorField.set(null, value);
+        abstractDecryptInputProcessorField.set(null, value);
+        return oldval;
+    }
 }

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java?rev=1384479&r1=1384478&r2=1384479&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java
Thu Sep 13 19:18:49 2012
@@ -19,12 +19,15 @@
 package org.apache.ws.security.stax.test;
 
 import org.apache.ws.security.common.bsp.BSPRule;
+import org.apache.ws.security.common.ext.WSSecurityException;
 import org.apache.ws.security.dom.handler.WSHandlerConstants;
 import org.apache.ws.security.stax.WSSec;
 import org.apache.ws.security.stax.ext.InboundWSSec;
 import org.apache.ws.security.stax.ext.WSSConstants;
 import org.apache.ws.security.stax.ext.WSSSecurityProperties;
+import org.apache.ws.security.stax.securityEvent.WSSecurityEventConstants;
 import org.apache.ws.security.stax.test.utils.StAX2DOM;
+import org.apache.xml.security.stax.config.Init;
 import org.apache.xml.security.stax.ext.XMLSecurityException;
 import org.testng.Assert;
 import org.testng.annotations.Test;
@@ -39,9 +42,7 @@ import javax.xml.transform.dom.DOMSource
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpression;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.InputStream;
+import java.io.*;
 import java.util.Properties;
 
 /**
@@ -310,4 +311,217 @@ public class VulnerabliltyVectorsTest ex
             }
         }
     }
+
+    @Test
+    public void testMaximumAllowedReferencesPerManifest() throws Exception {
+
+        InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+
+        String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE
+ " " + WSHandlerConstants.ENCRYPT;
+        Properties properties = new Properties();
+        properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://www.w3.org/1999/XMLSchema}complexType;{Element}{http://www.w3.org/1999/XMLSchema}simpleType;");
+        Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+        transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+
+        WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+        securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+        securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+        //we have to disable the schema validation until WSS4J-DOM is fixed. WSS4J generates
an empty PrefixList which is not schema valid!
+        securityProperties.setDisableSchemaValidation(true);
+
+        try {
+            Document document = doInboundSecurity(securityProperties,
+                    xmlInputFactory.createXMLStreamReader(
+                            new ByteArrayInputStream(baos.toByteArray())));
+            Assert.fail("Expected XMLStreamException");
+        } catch (XMLStreamException e) {
+            Assert.assertTrue(e.getCause() instanceof WSSecurityException);
+            Assert.assertEquals(e.getCause().getMessage(), "An error was discovered processing
the <wsse:Security> " +
+                    "header (43 references are contained in the Manifest, maximum 30 are
allowed. You can raise the " +
+                    "maximum via the \"MaximumAllowedReferencesPerManifest\" property in
the configuration.)");
+        }
+    }
+
+    @Test
+    public void testMaximumAllowedTransformsPerReference() throws Exception {
+        InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+
+        String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE
+ " " + WSHandlerConstants.ENCRYPT;
+        Properties properties = new Properties();
+        properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+        Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+        transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+
+        WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+        securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+        securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+        //we have to disable the schema validation until WSS4J-DOM is fixed. WSS4J generates
an empty PrefixList which is not schema valid!
+        securityProperties.setDisableSchemaValidation(true);
+
+        int oldval = 0;
+        try {
+            Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());
+            oldval = changeValueOfMaximumAllowedTransformsPerReference(0);
+            Document document = doInboundSecurity(securityProperties,
+                    xmlInputFactory.createXMLStreamReader(
+                            new ByteArrayInputStream(baos.toByteArray())));
+            Assert.fail("Expected XMLStreamException");
+        } catch (XMLStreamException e) {
+            Assert.assertTrue(e.getCause() instanceof WSSecurityException);
+            Assert.assertEquals(e.getCause().getMessage(), "An error was discovered processing
the <wsse:Security> " +
+                    "header (1 transforms are contained in the Reference, maximum 0 are allowed.
You can raise the " +
+                    "maximum via the \"MaximumAllowedTransformsPerReference\" property in
the configuration.)");
+        } finally {
+            changeValueOfMaximumAllowedTransformsPerReference(oldval);
+        }
+    }
+
+
+    @Test
+    public void testDisallowMD5Algorithm() throws Exception {
+        WSSSecurityProperties outboundSecurityProperties = new WSSSecurityProperties();
+        outboundSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        outboundSecurityProperties.setEncryptionUser("receiver");
+        outboundSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"),
"default".toCharArray());
+        outboundSecurityProperties.setSignatureUser("transmitter");
+        outboundSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"),
"default".toCharArray());
+        outboundSecurityProperties.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-md5");
+        WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.TIMESTAMP,
WSSConstants.SIGNATURE, WSSConstants.ENCRYPT};
+        outboundSecurityProperties.setOutAction(actions);
+
+        InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+        ByteArrayOutputStream baos = doOutboundSecurity(outboundSecurityProperties, sourceDocument);
+
+        WSSSecurityProperties inboundsecurityProperties = new WSSSecurityProperties();
+        inboundsecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        inboundsecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+        inboundsecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+        inboundsecurityProperties.addIgnoreBSPRule(BSPRule.R5421);
+
+        try {
+            Document document = doInboundSecurity(inboundsecurityProperties,
+                    xmlInputFactory.createXMLStreamReader(
+                            new ByteArrayInputStream(baos.toByteArray())));
+            Assert.fail("Expected XMLStreamException");
+        } catch (XMLStreamException e) {
+            Assert.assertEquals(e.getMessage(), "org.apache.xml.security.stax.ext.XMLSecurityException:
" +
+                    "An error was discovered processing the <wsse:Security> header
(The use of MD5 algorithm is " +
+                    "strongly discouraged. Nonetheless can it be enabled via the \"AllowMD5Algorithm\"
property in the configuration.)");
+        }
+    }
+
+
+    @Test
+    public void testAllowMD5Algorithm() throws Exception {
+        WSSSecurityProperties outboundSecurityProperties = new WSSSecurityProperties();
+        outboundSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        outboundSecurityProperties.setEncryptionUser("receiver");
+        outboundSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"),
"default".toCharArray());
+        outboundSecurityProperties.setSignatureUser("transmitter");
+        outboundSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"),
"default".toCharArray());
+        outboundSecurityProperties.setSignatureAlgorithm("http://www.w3.org/2001/04/xmldsig-more#rsa-md5");
+        WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.TIMESTAMP,
WSSConstants.SIGNATURE, WSSConstants.ENCRYPT};
+        outboundSecurityProperties.setOutAction(actions);
+
+        InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+        ByteArrayOutputStream baos = doOutboundSecurity(outboundSecurityProperties, sourceDocument);
+
+        WSSSecurityProperties inboundsecurityProperties = new WSSSecurityProperties();
+        inboundsecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        inboundsecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+        inboundsecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+        inboundsecurityProperties.addIgnoreBSPRule(BSPRule.R5421);
+
+        try {
+            Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());
+            switchAllowMD5Algorithm(true);
+            Document document = doInboundSecurity(inboundsecurityProperties,
+                    xmlInputFactory.createXMLStreamReader(
+                            new ByteArrayInputStream(baos.toByteArray())));
+        } finally {
+            switchAllowMD5Algorithm(false);
+        }
+    }
+
+    @Test
+    public void testMaximumAllowedXMLStructureDepth() throws Exception {
+        InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+
+        String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE;
+        Properties properties = new Properties();
+        properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+        Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+        transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+
+        WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+        securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+        securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+        //we have to disable the schema validation until WSS4J-DOM is fixed. WSS4J generates
an empty PrefixList which is not schema valid!
+        securityProperties.setDisableSchemaValidation(true);
+
+        int oldval = 0;
+        try {
+            Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());
+            oldval = changeValueOfMaximumAllowedXMLStructureDepth(10);
+            Document document = doInboundSecurity(securityProperties,
+                    xmlInputFactory.createXMLStreamReader(
+                            new ByteArrayInputStream(baos.toByteArray())));
+            Assert.fail("Expected XMLStreamException");
+        } catch (XMLStreamException e) {
+            Assert.assertEquals(e.getCause().getMessage(), "An error was discovered processing
the <wsse:Security> " +
+                    "header (Maximum depth (10) of the XML structure reached. You can raise
the maximum via the " +
+                    "\"MaximumAllowedXMLStructureDepth\" property in the configuration.)");
+        } finally {
+            changeValueOfMaximumAllowedXMLStructureDepth(oldval);
+        }
+    }
+
+    @Test
+    public void testMaximumAllowedXMLStructureDepthInEncryptedContent() throws Exception
{
+        InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+
+        String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE
+ " " + WSHandlerConstants.ENCRYPT;
+        Properties properties = new Properties();
+        properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+        Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+        transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+
+        WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+        securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+        securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+        //we have to disable the schema validation until WSS4J-DOM is fixed. WSS4J generates
an empty PrefixList which is not schema valid!
+        securityProperties.setDisableSchemaValidation(true);
+
+        int oldval = 0;
+        try {
+            Init.init(WSSec.class.getClassLoader().getResource("wss/wss-config.xml").toURI());
+            oldval = changeValueOfMaximumAllowedXMLStructureDepth(10);
+            Document document = doInboundSecurity(securityProperties,
+                    xmlInputFactory.createXMLStreamReader(
+                            new ByteArrayInputStream(baos.toByteArray())));
+            Assert.fail("Expected XMLStreamException");
+        } catch (XMLStreamException e) {
+            Assert.assertEquals(e.getCause().getMessage(), "An error was discovered processing
the <wsse:Security> " +
+                    "header (Maximum depth (10) of the XML structure reached. You can raise
the maximum via the " +
+                    "\"MaximumAllowedXMLStructureDepth\" property in the configuration.)");
+        } finally {
+            changeValueOfMaximumAllowedXMLStructureDepth(oldval);
+        }
+    }
 }



Mime
View raw message