ws-wss4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r782593 - in /webservices/wss4j/trunk: src/org/apache/ws/security/action/ src/org/apache/ws/security/handler/ test/wssec/
Date Mon, 08 Jun 2009 11:15:13 GMT
Author: coheigea
Date: Mon Jun  8 11:15:13 2009
New Revision: 782593

URL: http://svn.apache.org/viewvc?rev=782593&view=rev
Log:
[WSS-194] - Support overriding KeyStore alias for signature so that it can be different than
user name used for UsernameToken
 - I added WSHandlerConstants.SIGNATURE_USER to specify a different "signature user" from
WSHandlerConstants.USER
 - This is consistent with the previous pattern of ENCRYPTION_USER
 - A side-effect is that the SignatureAction now relies on RequestData.getSignatureUser()
rather than getUser
 - Added a test for this issue as well.

Added:
    webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java   (with props)
Modified:
    webservices/wss4j/trunk/src/org/apache/ws/security/action/SignatureAction.java
    webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java
    webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
    webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java
    webservices/wss4j/trunk/test/wssec/PackageTests.java

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/action/SignatureAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/action/SignatureAction.java?rev=782593&r1=782592&r2=782593&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/action/SignatureAction.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/action/SignatureAction.java Mon Jun
 8 11:15:13 2009
@@ -32,7 +32,7 @@
             throws WSSecurityException {
         WSPasswordCallback pwcb =
             handler.getPassword(
-                reqData.getUsername(),
+                reqData.getSignatureUser(),
                 actionToDo,
                 WSHandlerConstants.PW_CALLBACK_CLASS,
                 WSHandlerConstants.PW_CALLBACK_REF, reqData
@@ -50,7 +50,7 @@
             wsSign.setDigestAlgo(reqData.getSigDigestAlgorithm());
         }
 
-        wsSign.setUserInfo(reqData.getUsername(), pwcb.getPassword());
+        wsSign.setUserInfo(reqData.getSignatureUser(), pwcb.getPassword());
         if (reqData.getSignatureParts().size() > 0) {
             wsSign.setParts(reqData.getSignatureParts());
         }

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java?rev=782593&r1=782592&r2=782593&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/RequestData.java Mon Jun  8
11:15:13 2009
@@ -53,6 +53,7 @@
     private String encSymmAlgo = null;
     private String encKeyTransport = null;
     private String encUser = null;
+    private String signatureUser = null;
     private List encryptParts = new Vector();
     private X509Certificate encCert = null;
     private int timeToLive = 300;   // Timestamp: time in seconds between creation and expiry
@@ -73,6 +74,7 @@
         signatureValues.clear();
         signatureDigestAlgorithm = null;
         encSymmetricEncryptionKey = true;
+        signatureUser = null;
     }
 
     public Object getMsgContext() {
@@ -182,6 +184,14 @@
     public List getSignatureParts() {
         return signatureParts;
     }
+    
+    public String getSignatureUser() {
+        return signatureUser;
+    }
+
+    public void setSignatureUser(String signatureUser) {
+        this.signatureUser = signatureUser;
+    }
 
     public Crypto getEncCrypto() {
         return encCrypto;

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java?rev=782593&r1=782592&r2=782593&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java Mon Jun  8 11:15:13
2009
@@ -521,6 +521,14 @@
     protected void decodeSignatureParameter(RequestData reqData) 
         throws WSSecurityException {
         Object mc = reqData.getMsgContext();
+        String signatureUser = getString(WSHandlerConstants.SIGNATURE_USER, mc);
+
+        if (signatureUser != null) {
+            reqData.setSignatureUser(signatureUser);
+        } else {
+            reqData.setSignatureUser(reqData.getUsername());
+        }
+        
         String keyId = getString(WSHandlerConstants.SIG_KEY_ID, mc);
         if (keyId != null) {
             Integer id = (Integer) WSHandlerConstants.keyIdentifier.get(keyId);

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java?rev=782593&r1=782592&r2=782593&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandlerConstants.java Mon
Jun  8 11:15:13 2009
@@ -180,7 +180,7 @@
      * </li>
      * <li>The <i>Signing</i> function uses this name as the alias name
      * in the keystore to get user's certificate and private key to
-     * perform signing.
+     * perform signing if {@link #SIGNATURE_USER} is not used.
      * </li>
      * <li>The <i>encryption</i>
      * functions uses this parameter as fallback if {@link #ENCRYPTION_USER}
@@ -298,18 +298,36 @@
      * Encryption only does not authenticate a user / sender, therefore it
      * does not need a password.
      * <p/>
-     * Placing the username of the encryption certficate in the WSDD is not
+     * Placing the username of the encryption certificate in the WSDD is not
      * a security risk, because the public key of that certificate is used
      * only.
      * <p/>
      * The application may set this parameter using the following method:
      * <pre>
-     * call.setProperty(WSHandlerConstants.ENCYRPTION_USER, "encryptionuser");
+     * call.setProperty(WSHandlerConstants.ENCYRPTION_USER, "encryptionUser");
      * </pre>
      * However, the parameter in the WSDD deployment file overwrites the
      * property setting (deployment setting overwrites application setting).
      */
     public static final String ENCRYPTION_USER = "encryptionUser";
+    
+    /**
+     * The user's name for signature.
+     * <p/>
+     * This name is used as the alias name in the keystore to get user's
+     * certificate and private key to perform signing.
+     * <p/>
+     * If this parameter is not set, then the signature
+     * function falls back to the {@link #USER} parameter.
+     * <p/>
+     * The application may set this parameter using the following method:
+     * <pre>
+     * call.setProperty(WSHandlerConstants.SIGNATURE_USER, "signatureUser");
+     * </pre>
+     * However, the parameter in the WSDD deployment file overwrites the
+     * property setting (deployment setting overwrites application setting).
+     */
+    public static final String SIGNATURE_USER = "signatureUser";
 
     /**
      * Specifying this name as {@link #ENCRYPTION_USER}

Modified: webservices/wss4j/trunk/test/wssec/PackageTests.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/PackageTests.java?rev=782593&r1=782592&r2=782593&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/PackageTests.java (original)
+++ webservices/wss4j/trunk/test/wssec/PackageTests.java Mon Jun  8 11:15:13 2009
@@ -74,6 +74,7 @@
         suite.addTestSuite(TestWSSecurityResultsOrder.class);
         suite.addTestSuite(TestWSSecurityWSS178.class);
         suite.addTestSuite(SignatureConfirmationTest.class);
+        suite.addTestSuite(TestWSSecurityWSS194.class);
         
         return suite;
     }

Added: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java?rev=782593&view=auto
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java (added)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java Mon Jun  8 11:15:13 2009
@@ -0,0 +1,180 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package wssec;
+
+import java.io.IOException;
+import java.util.List;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.w3c.dom.Document;
+
+
+/**
+ * This is a test for WSS-194 - "Support overriding KeyStore alias for signature so that
it can
+ * be different than user name used for UsernameToken".
+ */
+public class TestWSSecurityWSS194 extends TestCase implements CallbackHandler {
+    
+    private static final Log LOG = LogFactory.getLog(TestWSSecurityWSS194.class);
+    private static final String SOAPMSG = 
+        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" 
+        + "<SOAP-ENV:Envelope "
+        +   "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" "
+        +   "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
+        +   "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" 
+        +   "<SOAP-ENV:Body>" 
+        +       "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">" 
+        +           "<value xmlns=\"\">15</value>" 
+        +       "</add>" 
+        +   "</SOAP-ENV:Body>" 
+        + "</SOAP-ENV:Envelope>";
+    private WSSecurityEngine secEngine = new WSSecurityEngine();
+
+    /**
+     * TestWSSecurity constructor
+     * <p/>
+     * 
+     * @param name name of the test
+     */
+    public TestWSSecurityWSS194(String name) {
+        super(name);
+    }
+
+    /**
+     * JUnit suite
+     * <p/>
+     * 
+     * @return a junit test suite
+     */
+    public static Test suite() {
+        return new TestSuite(TestWSSecurityWSS194.class);
+    }
+    
+    /**
+     * Test involving adding a Username Token to a SOAP message and signing it, where the
+     * private key for signature is extracted from the KeyStore using a different username/alias
+     * to the UsernameToken. 
+     */
+    public void 
+    testUsernameTokenSignatureHandler() throws Exception {
+        final WSSConfig cfg = WSSConfig.getNewInstance();
+        final RequestData reqData = new RequestData();
+        reqData.setWssConfig(cfg);
+        reqData.setUsername("alice");
+        reqData.setPwType(WSConstants.PASSWORD_TEXT);
+        java.util.Map messageContext = new java.util.TreeMap();
+        messageContext.put(
+            WSHandlerConstants.PW_CALLBACK_REF, 
+            this
+        );
+        messageContext.put(WSHandlerConstants.SIGNATURE_USER, "wss40");
+        messageContext.put(WSHandlerConstants.SIG_PROP_FILE, "wss40.properties");
+        messageContext.put(
+            WSHandlerConstants.SIGNATURE_PARTS, 
+            "{}{" + WSConstants.WSSE_NS + "}" + "UsernameToken"
+        );
+        messageContext.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+        reqData.setMsgContext(messageContext);
+        
+        final java.util.List actions = new java.util.Vector();
+        actions.add(new Integer(WSConstants.UT));
+        actions.add(new Integer(WSConstants.SIGN));
+        final Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
+        MyHandler handler = new MyHandler();
+        handler.send(
+            WSConstants.UT | WSConstants.SIGN, 
+            doc, 
+            reqData, 
+            actions,
+            true
+        );
+        
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("After Signing....");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+            LOG.debug(outputString);
+        }
+        
+        verify(doc);
+        
+    }
+    
+
+    /**
+     * Verifies the soap envelope
+     * <p/>
+     * 
+     * @param doc 
+     * @throws Exception Thrown when there is a problem in verification
+     */
+    private List verify(Document doc) throws Exception {
+        List results = 
+            secEngine.processSecurityHeader(
+                doc, null, this, CryptoFactory.getInstance("wss40CA.properties")
+            );
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Verfied and decrypted message:");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+            LOG.debug(outputString);
+        }
+        return results;
+    }
+
+    
+    public void handle(Callback[] callbacks)
+        throws IOException, UnsupportedCallbackException {
+        for (int i = 0; i < callbacks.length; i++) {
+            if (callbacks[i] instanceof WSPasswordCallback) {
+                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
+                if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN
+                        && "alice".equals(pc.getIdentifier())) {
+                    pc.setPassword("verySecret");
+                } else if (pc.getUsage() == WSPasswordCallback.SIGNATURE
+                        && "wss40".equals(pc.getIdentifier())) {
+                    pc.setPassword("security");
+                } else {
+                    throw new IOException("Authentication failed");
+                }
+            } else {
+                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+            }
+        }
+    }
+
+    
+}

Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS194.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date



---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org


Mime
View raw message