Return-Path: X-Original-To: apmail-ws-commits-archive@minotaur.apache.org Delivered-To: apmail-ws-commits-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 40529D5B2 for ; Wed, 5 Sep 2012 14:07:25 +0000 (UTC) Received: (qmail 57873 invoked by uid 500); 5 Sep 2012 14:00:45 -0000 Delivered-To: apmail-ws-commits-archive@ws.apache.org Received: (qmail 57833 invoked by uid 500); 5 Sep 2012 14:00:45 -0000 Mailing-List: contact commits-help@ws.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@ws.apache.org Delivered-To: mailing list commits@ws.apache.org Received: (qmail 57826 invoked by uid 99); 5 Sep 2012 14:00:45 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 05 Sep 2012 14:00:45 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 05 Sep 2012 14:00:42 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id C4C8723889C5; Wed, 5 Sep 2012 13:59:57 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1381188 - in /webservices/wss4j/branches/1_6_x-fixes/src: main/java/org/apache/ws/security/action/ main/java/org/apache/ws/security/handler/ test/java/org/apache/ws/security/message/ Date: Wed, 05 Sep 2012 13:59:57 -0000 To: commits@ws.apache.org 
From: coheigea@apache.org
X-Mailer: svnmailer-1.0.8-patched
Message-Id: <20120905135957.C4C8723889C5@eris.apache.org>
Author: coheigea
Date: Wed Sep 5 13:59:57 2012
New Revision: 1381188
URL: http://svn.apache.org/viewvc?rev=1381188&view=rev
Log:
[WSS-231] - There is an issue with the position of the element in the header when using WSS4J calling .NET Web Services with WS-Security.
Conflicts:
src/main/java/org/apache/ws/security/action/SignatureAction.java
src/main/java/org/apache/ws/security/handler/RequestData.java
Modified:
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/action/SignatureAction.java
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/RequestData.java
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/SignatureTest.java
Modified: webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/action/SignatureAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/action/SignatureAction.java?rev=1381188&r1=1381187&r2=1381188&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/action/SignatureAction.java (original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/action/SignatureAction.java Wed Sep 5 13:59:57 2012
@@ -19,14 +19,22 @@ package org.apache.ws.security.action;
+import java.util.List;
+
 import javax.security.auth.callback.CallbackHandler;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSEncryptionPart;
 import org.apache.ws.security.WSPasswordCallback;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.handler.RequestData;
 import org.apache.ws.security.handler.WSHandler;
 import org.apache.ws.security.message.WSSecSignature;
+import org.apache.ws.security.util.WSSecurityUtil;
+
 import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
 public class SignatureAction implements Action {
 public void execute(WSHandler handler, int actionToDo, Document doc, RequestData reqData)
@@ -58,7 +66,40 @@ public class SignatureAction implements
 }
 try {
- wsSign.build(doc, reqData.getSigCrypto(), reqData.getSecHeader());
+ wsSign.prepare(doc, reqData.getSigCrypto(), reqData.getSecHeader());
+
+ Element siblingElementToPrepend = null;
+ for (WSEncryptionPart part : reqData.getSignatureParts()) {
+ if ("STRTransform".equals(part.getName()) && part.getId() == null) {
+ part.setId(wsSign.getSecurityTokenReferenceURI());
+ } else if (reqData.isAppendSignatureAfterTimestamp()
+ && WSConstants.WSU_NS.equals(part.getNamespace())
+ && "Timestamp".equals(part.getName())) {
+ List elements =
+ WSSecurityUtil.findElements(
+ doc.getDocumentElement(), part.getName(), part.getNamespace()
+ );
+ if (elements != null && !elements.isEmpty()) {
+ Element timestampElement = elements.get(0);
+ Node child = timestampElement.getNextSibling();
+ while (child != null && child.getNodeType() != Node.ELEMENT_NODE) {
+ child = child.getNextSibling();
+ }
+ siblingElementToPrepend = (Element)child;
+ }
+ }
+ }
+
+ List referenceList =
+ wsSign.addReferencesToSign(reqData.getSignatureParts(), reqData.getSecHeader());
+
+ if (reqData.isAppendSignatureAfterTimestamp() && siblingElementToPrepend == null) {
+ wsSign.computeSignature(referenceList, false, null);
+ } else {
+ wsSign.computeSignature(referenceList, true, siblingElementToPrepend);
+ }
+
+ wsSign.prependBSTElementToHeader(reqData.getSecHeader());
 reqData.getSignatureValues().add(wsSign.getSignatureValue());
 } catch (WSSecurityException e) {
 throw new WSSecurityException("Error during Signature: ", e);
Modified: webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/RequestData.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/RequestData.java?rev=1381188&r1=1381187&r2=1381188&view=diff
==============================================================================
--- 
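Review bot: The Timestamp used as the insertion anchor is located with `WSSecurityUtil.findElements(doc.getDocumentElement(), ...)` and `elements.get(0)`, i.e. the first wsu:Timestamp anywhere in the outgoing document rather than the one inside this security header, so a Timestamp that an application placed elsewhere in the message would decide where the Signature lands; scoping the lookup to the header element behind `reqData.getSecHeader()` would make the anchor unambiguous. The `siblingElementToPrepend` logic also deserves a comment, because the name says "prepend" while the intent is to place the Signature after the Timestamp; reading the boolean passed to `computeSignature` as a prepend flag, something like `// Position the Signature directly after the Timestamp by prepending it to the Timestamp's next element sibling; with no such sibling (null) it is appended to the header instead` would save the next reader the trace. The enclosing `execute` method starts and ends outside this hunk.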
webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/RequestData.java (original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/RequestData.java Wed Sep 5 13:59:57 2012
@@ -84,6 +84,7 @@ public class RequestData {
 private ReplayCache timestampReplayCache;
 private ReplayCache nonceReplayCache;
 private Collection subjectDNPatterns = new ArrayList();
+ private boolean appendSignatureAfterTimestamp;
 public void clear() {
 soapConstants = null;
@@ -109,6 +110,7 @@ public class RequestData {
 timestampReplayCache = null;
 nonceReplayCache = null;
 subjectDNPatterns.clear();
+ appendSignatureAfterTimestamp = false;
 }
 public Object getMsgContext() {
@@ -512,4 +514,12 @@ public class RequestData {
 return subjectDNPatterns;
 }
+ public boolean isAppendSignatureAfterTimestamp() {
+ return appendSignatureAfterTimestamp;
+ }
+
+ public void setAppendSignatureAfterTimestamp(boolean appendSignatureAfterTimestamp) {
+ this.appendSignatureAfterTimestamp = appendSignatureAfterTimestamp;
+ }
+
 }
Modified: webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandler.java?rev=1381188&r1=1381187&r2=1381188&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandler.java (original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/handler/WSHandler.java Wed Sep 5 13:59:57 2012
@@ -43,6 +43,7 @@ import java.security.cert.X509Certificat
 import java.util.Arrays;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
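Review bot: `isAppendSignatureAfterTimestamp` and `setAppendSignatureAfterTimestamp` carry no Javadoc, and the meaning of the flag is only discoverable from WSHandler, which (per the other hunks in this commit) sets it when a SIGN action precedes TS and the Timestamp is among the signature parts. A field comment such as `/** Set by WSHandler when it moved SIGN after TS because the Timestamp is signed; tells SignatureAction to place the Signature directly after the Timestamp. Reset by clear(). */` would tie the two sides together. Resetting the flag in `clear()` in the second hunk is right, since it stops the setting from leaking across reused RequestData instances.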
@@ -142,8 +143,8 @@ public abstract class WSHandler {
 }
 decodeSignatureParameter(reqData);
 }
- /*
- * If we need to handle zsigned SAML token then we may need the
+ /*7
+ * If we need to handle signed SAML token then we may need the
 * Signature parameters. The handle procedure loads the signature crypto
 * file on demand, thus don't do it here.
 */
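Review bot: The rewritten comment opener on the new side reads `/*7`, which looks like a stray keystroke introduced while correcting "zsigned" to "signed"; it should simply be `/*`. It compiles because the character sits inside the comment, but it will be carried forward by every later merge from this fixes branch unless corrected here.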
@@ -185,11 +186,34 @@ public abstract class WSHandler {
 wssConfig.getAction(WSConstants.SC).execute(this, WSConstants.SC, doc, reqData);
 }
 }
+
+ // See if the Signature and Timestamp actions (in that order) are defined, and if
+ // the Timestamp is to be signed. In this case we need to swap the actions, as the
+ // Timestamp must appear in the security header first for signature creation to work.
+ List actionsToPerform = actions;
+ if (actions.contains(WSConstants.SIGN) && actions.contains(WSConstants.TS)
+ && (actions.indexOf(WSConstants.SIGN) < actions.indexOf(WSConstants.TS))) {
+ boolean signTimestamp = false;
+ for (WSEncryptionPart encP : reqData.getSignatureParts()) {
+ if (WSConstants.WSU_NS.equals(encP.getNamespace())
+ && "Timestamp".equals(encP.getName())) {
+ signTimestamp = true;
+ }
+ }
+ if (signTimestamp) {
+ actionsToPerform = new ArrayList(actions);
+ Collections.copy(actionsToPerform, actions);
+ actionsToPerform.remove(actions.indexOf(WSConstants.SIGN));
+ actionsToPerform.add(WSConstants.SIGN);
+ reqData.setAppendSignatureAfterTimestamp(true);
+ }
+ }
+
 /*
 * Here we have all necessary information to perform the requested
 * action(s).
 */
- for (Integer actionToDo : actions) {
+ for (Integer actionToDo : actionsToPerform) {
 if (doDebug) {
 log.debug("Performing Action: " + actionToDo);
 }
Modified: webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/SignatureTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/SignatureTest.java?rev=1381188&r1=1381187&r2=1381188&view=diff
==============================================================================
--- webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/SignatureTest.java (original)
+++ webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/SignatureTest.java Wed Sep 5 13:59:57 2012
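Review bot: `actionsToPerform.remove(actions.indexOf(WSConstants.SIGN)); actionsToPerform.add(WSConstants.SIGN);` moves SIGN to the very end of the list rather than to just after TS, and since the loop below applies actions in list order, any action that was configured between SIGN and TS or after TS (an encryption action, for instance) now runs before the signature; a configured sign-then-encrypt order would silently become encrypt-then-sign, which changes what the signature covers and what the peer is expected to accept. Inserting at the Timestamp's position preserves the rest of the configured order: `actionsToPerform.add(actionsToPerform.indexOf(WSConstants.TS) + 1, WSConstants.SIGN);`. `Collections.copy(actionsToPerform, actions)` is redundant, since `new ArrayList(actions)` already copies every element. The swap also only relocates the first SIGN, which is fine as long as the action list never repeats it; a short comment noting that assumption would help.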
@@ -682,6 +682,50 @@ public class SignatureTest extends org.j
 WSSecurityEngine newEngine = new WSSecurityEngine();
 newEngine.processSecurityHeader(doc, null, null, passwordCrypto);
 }
+
+ /**
+ * A test for "There is an issue with the position of the element in the
+ * header when using WSS4J calling .NET Web Services with WS-Security."
+ */
+ @org.junit.Test
+ public void
+ testWSS231() throws Exception {
+ final WSSConfig cfg = WSSConfig.getNewInstance();
+ final int action = WSConstants.SIGN | WSConstants.TS;
+ final RequestData reqData = new RequestData();
+ reqData.setWssConfig(cfg);
+ reqData.setUsername("16c73ab6-b892-458f-abf5-2f875f74882e");
+
+ java.util.Map config = new java.util.TreeMap();
+ config.put(WSHandlerConstants.SIG_PROP_FILE, "crypto.properties");
+ config.put("password", "security");
+ config.put(
+ WSHandlerConstants.SIGNATURE_PARTS, "{}{" + WSConstants.WSU_NS + "}Timestamp"
+ );
+ reqData.setMsgContext(config);
+
+ final java.util.List actions = new java.util.ArrayList();
+ actions.add(Integer.valueOf(WSConstants.SIGN));
+ actions.add(Integer.valueOf(WSConstants.TS));
+ final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ CustomHandler handler = new CustomHandler();
+ handler.send(
+ action,
+ doc,
+ reqData,
+ actions,
+ true
+ );
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Signed message:");
+ LOG.debug(outputString);
+ }
+
+ List results = verify(doc);
+ assertTrue(handler.checkResults(results, actions));
+ }
 /**
 * Verifies the soap envelope.
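Review bot: testWSS231 ends with a single `assertTrue(handler.checkResults(results, actions))`, which presumably only checks that the expected actions show up in the verification results, but nothing asserts the property this commit is about: that the Signature element now follows the Timestamp in the security header. A regression in the WSHandler reordering would still pass as long as the signature verifies. After `handler.send(...)`, locating the Timestamp and Signature elements in `doc` and asserting that the Timestamp precedes the Signature among the header's element children would pin the fix. As a style nit, the method signature is split across `public void` and `testWSS231() throws Exception {`; joining them on one line reads more naturally.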